Security
CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
13240
Total
877
Critical
3855
High
4195
Medium
| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-40027 | HIGH | 7.3 | ALEAPP (Android Logs Events And Protobuf Parser) through 3.4.0 contains a path traversal vulnerability in the NQ_Vault.py artifact parser that uses attacker-controlled file_name_from values from … | Apr 08, 2026 |
| CVE-2026-40026 | MEDIUM | 4.4 | The Sleuth Kit through 4.14.0 contains an out-of-bounds read vulnerability in the ISO9660 filesystem parser where the parse_susp() function trusts len_id, len_des, and len_src fields … | Apr 08, 2026 |
| CVE-2026-40025 | MEDIUM | 4.4 | The Sleuth Kit through 4.14.0 contains an out-of-bounds read vulnerability in the APFS filesystem keybag parser where the wrapped_key_parser class follows attacker-controlled length fields without … | Apr 08, 2026 |
| CVE-2026-40024 | HIGH | 7.1 | The Sleuth Kit through 4.14.0 contains a path traversal vulnerability in tsk_recover that allows an attacker to write files to arbitrary locations outside the intended … | Apr 08, 2026 |
| CVE-2026-39901 | MEDIUM | 5.7 | monetr is a budgeting application focused on planning for recurring expenses. Prior to 1.12.3, a transaction integrity flaw allows an authenticated tenant user to soft-delete … | Apr 08, 2026 |
| CVE-2026-5805 | HIGH | 7.3 | A weakness has been identified in code-projects Easy Blog Site up to 1.0. The impacted element is an unknown function of the file /users/contact_us.php. Executing … | Apr 08, 2026 |
| CVE-2026-5803 | MEDIUM | 6.3 | A security flaw has been discovered in bigsk1 openai-realtime-ui up to 188ccde27fdf3d8fab8da81f3893468f53b2797c. The affected element is an unknown function of the file server.js of the … | Apr 08, 2026 |
| CVE-2026-5451 | MEDIUM | 6.4 | The Extensions for Leaflet Map plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'elevation-track' shortcode in all versions up to, and including, … | Apr 08, 2026 |
| CVE-2026-5436 | HIGH | 8.1 | The MW WP Form plugin for WordPress is vulnerable to Arbitrary File Move/Read in all versions up to and including 5.1.1. This is due to … | Apr 08, 2026 |
| CVE-2026-39892 | UNKNOWN | — | cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. From 45.0.0 to before 46.0.7, if a non-contiguous buffer was passed … | Apr 08, 2026 |
| CVE-2026-39891 | HIGH | 8.8 | PraisonAI is a multi-agent teams system. Prior to 4.5.115, the create_agent_centric_tools() function returns tools (like acp_create_file) that process file content using template rendering. When user … | Apr 08, 2026 |
| CVE-2026-39890 | CRITICAL | 9.8 | PraisonAI is a multi-agent teams system. Prior to 4.5.115, the AgentService.loadAgentFromFile method uses the js-yaml library to parse YAML files without disabling dangerous tags (such … | Apr 08, 2026 |
| CVE-2026-39889 | HIGH | 7.5 | PraisonAI is a multi-agent teams system. Prior to 4.5.115, the A2U (Agent-to-User) event stream server in PraisonAI exposes all agent activity without authentication. The create_a2u_routes() … | Apr 08, 2026 |
| CVE-2026-39888 | CRITICAL | 9.9 | PraisonAI is a multi-agent teams system. Prior to 1.5.115, execute_code() in praisonaiagents.tools.python_tools defaults to sandbox_mode="sandbox", which runs user code in a subprocess wrapped with a … | Apr 08, 2026 |
| CVE-2026-39885 | HIGH | 7.5 | FrontMCP is a TypeScript-first framework for the Model Context Protocol (MCP). Prior to 2.3.0, the mcp-from-openapi library uses @apidevtools/json-schema-ref-parser to dereference $ref pointers in OpenAPI … | Apr 08, 2026 |
| CVE-2026-39883 | UNKNOWN | — | OpenTelemetry-Go is the Go implementation of OpenTelemetry. From 1.15.0 to 1.42.0, the fix for CVE-2026-24051 changed the Darwin ioreg command to use an absolute path … | Apr 08, 2026 |
| CVE-2026-39882 | MEDIUM | 5.3 | OpenTelemetry-Go is the Go implementation of OpenTelemetry. Prior to 1.43.0, the otlp HTTP exporters (traces/metrics/logs) read the full HTTP response body into an in-memory bytes.Buffer … | Apr 08, 2026 |
| CVE-2026-39881 | MEDIUM | 5.0 | Vim is an open source, command line text editor. Prior to 9.2.0316, a command injection vulnerability in Vim's netbeans interface allows a malicious netbeans server … | Apr 08, 2026 |
| CVE-2026-39860 | CRITICAL | 9.0 | Nix is a package manager for Linux and other Unix systems. A bug in the fix for CVE-2024-27297 allowed for arbitrary overwrites of files writable … | Apr 08, 2026 |
| CVE-2026-39844 | MEDIUM | 5.9 | NiceGUI is a Python-based UI framework. Prior to 3.10.0, Since PurePosixPath only recognizes forward slashes (/) as path separators, an attacker can bypass this sanitization … | Apr 08, 2026 |
| CVE-2026-39429 | HIGH | 8.2 | kcp is a Kubernetes-like control plane for form-factors and use-cases beyond Kubernetes and container workloads. Prior to 0.30.3 and 0.29.3, the cache server is directly … | Apr 08, 2026 |
| CVE-2026-39416 | UNKNOWN | — | AIL framework is an open-source platform to collect, crawl, process and analyse unstructured data. Prior to 6.8, a stored cross-site scripting (XSS) vulnerability was identified … | Apr 08, 2026 |
| CVE-2026-39415 | UNKNOWN | — | Frappe Learning Management System (LMS) is a learning system that helps users structure their content. Prior to 2.46.0, a vulnerability has been identified in Frappe … | Apr 08, 2026 |
| CVE-2026-39414 | UNKNOWN | — | MinIO is a high-performance object storage system. From RELEASE.2018-08-18T03-49-57Z to before RELEASE.2025-12-20T04-58-37Z, MinIO's S3 Select feature is vulnerable to memory exhaustion when processing CSV files … | Apr 08, 2026 |
| CVE-2026-5802 | HIGH | 7.3 | A vulnerability was identified in idachev mcp-javadc up to 1.2.4. Impacted is an unknown function of the component HTTP Interface. Such manipulation of the argument … | Apr 08, 2026 |