CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
| Total | Critical | High | Medium |
|---|---|---|---|
| 13273 | 879 | 3861 | 4208 |

| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-35608 | UNKNOWN | — | QuickDrop is an easy-to-use file sharing application. Prior to 1.5.3, a stored XSS vulnerability exists in the file preview endpoint. The application allows SVG files … | Apr 07, 2026 |
| CVE-2026-35607 | HIGH | 8.1 | File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.1, the fix in … | Apr 07, 2026 |
| CVE-2026-35606 | UNKNOWN | — | File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.1, the resourceGetHandler in … | Apr 07, 2026 |
| CVE-2026-35605 | UNKNOWN | — | File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.1, the Matches() function … | Apr 07, 2026 |
| CVE-2026-35604 | UNKNOWN | — | File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.1, when an admin … | Apr 07, 2026 |
| CVE-2026-35592 | MEDIUM | 5.3 | pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev97, the _safe_extractall() function in src/pyload/plugins/extractors/UnTar.py uses os.path.commonprefix() for its path traversal … | Apr 07, 2026 |
| CVE-2026-35586 | MEDIUM | 6.8 | pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev97, the ADMIN_ONLY_CORE_OPTIONS authorization set in set_config_value() uses incorrect option names ssl_cert … | Apr 07, 2026 |
| CVE-2026-35585 | UNKNOWN | — | File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. From 2.0.0 through 2.63.1, the hook … | Apr 07, 2026 |
| CVE-2026-35584 | UNKNOWN | — | FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to 1.8.212, the endpoint GET /thread/read/{conversation_id}/{thread_id} does not require authentication … | Apr 07, 2026 |
| CVE-2026-35583 | MEDIUM | 5.3 | Emissary is a P2P based data-driven workflow engine. Prior to 8.39.0, the configuration API endpoint (/api/configuration/{name}) validated configuration names using a blacklist approach that checked … | Apr 07, 2026 |
| CVE-2026-35581 | HIGH | 7.2 | Emissary is a P2P based data-driven workflow engine. Prior to 8.39.0, the Executrix utility class constructed shell commands by concatenating configuration-derived values — including the … | Apr 07, 2026 |
| CVE-2026-35580 | CRITICAL | 9.1 | Emissary is a P2P based data-driven workflow engine. Prior to 8.39.0, GitHub Actions workflow files contained shell injection points where user-controlled workflow_dispatch inputs were interpolated … | Apr 07, 2026 |
| CVE-2026-35578 | UNKNOWN | — | ChurchCRM is an open-source church management system. Prior to 7.0.0, it was possible in many places across the ChurchCRM application to create a link that, … | Apr 07, 2026 |
| CVE-2026-35574 | HIGH | 7.3 | ChurchCRM is an open-source church management system. Prior to 6.5.3, a stored Cross-Site Scripting (XSS) vulnerability in ChurchCRM's Note Editor allows authenticated users with note-adding … | Apr 07, 2026 |
| CVE-2026-35523 | HIGH | 7.5 | Strawberry GraphQL is a library for creating GraphQL APIs. Strawberry up until version 0.312.3 is vulnerable to an authentication bypass on WebSocket subscription endpoints. The … | Apr 07, 2026 |
| CVE-2026-32588 | UNKNOWN | — | Authenticated DoS over CQL in Apache Cassandra 4.0, 4.1, 5.0 allows authenticated user to raise query latencies via repeated password changes. Users are recommended to … | Apr 07, 2026 |
| CVE-2026-27315 | UNKNOWN | — | Sensitive Information Leak in cqlsh in Apache Cassandra 4.0 allows access to sensitive information, like passwords, from previously executed cqlsh command via ~/.cassandra/cqlsh_history local file … | Apr 07, 2026 |
| CVE-2026-27314 | HIGH | 8.8 | Privilege escalation in Apache Cassandra 5.0 on an mTLS environment using MutualTlsAuthenticator allows a user with only CREATE permission to associate their own certificate identity … | Apr 07, 2026 |
| CVE-2026-23696 | CRITICAL | 9.9 | Windmill CE and EE versions 1.276.0 through 1.603.2 contain an SQL injection vulnerability in the folder ownership management functionality that allows authenticated attackers to inject … | Apr 07, 2026 |
| CVE-2026-22683 | HIGH | 8.8 | Windmill versions 1.56.0 through 1.614.0 contain a missing authorization vulnerability that allows users with the Operator role to perform prohibited entity creation and modification actions … | Apr 07, 2026 |
| CVE-2025-70844 | UNKNOWN | — | yaffa v2.0.0 is vulnerable to Cross Site Scripting (XSS). An attacker can inject malicious JavaScript into the "Add Account Group" function on the account-group page, … | Apr 07, 2026 |
| CVE-2025-14944 | MEDIUM | 5.3 | The Backup Migration plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 2.0.0. This is due to a missing … | Apr 07, 2026 |
| CVE-2025-14821 | HIGH | 7.8 | A flaw was found in libssh. This vulnerability allows local man-in-the-middle attacks, security downgrades of SSH (Secure Shell) connections, and manipulation of trusted host information, … | Apr 07, 2026 |
| CVE-2024-36058 | UNKNOWN | — | The Send Basket functionality in Koha Library before 23.05.10 is susceptible to Time-Based SQL Injection because it fails to sanitize the POST parameter bib_list in … | Apr 07, 2026 |
| CVE-2026-5745 | MEDIUM | 5.5 | A flaw was found in libarchive. A NULL pointer dereference vulnerability exists in the ACL parsing logic, specifically within the archive_acl_from_text_nl() function. When processing a … | Apr 07, 2026 |