Security
CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
13326
Total
883
Critical
3881
High
4214
Medium
| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2025-14821 | HIGH | 7.8 | A flaw was found in libssh. This vulnerability allows local man-in-the-middle attacks, security downgrades of SSH (Secure Shell) connections, and manipulation of trusted host information, … | Apr 07, 2026 |
| CVE-2024-36058 | UNKNOWN | — | The Send Basket functionality in Koha Library before 23.05.10 is susceptible to Time-Based SQL Injection because it fails to sanitize the POST parameter bib_list in … | Apr 07, 2026 |
| CVE-2026-5745 | MEDIUM | 5.5 | A flaw was found in libarchive. A NULL pointer dereference vulnerability exists in the ACL parsing logic, specifically within the archive_acl_from_text_nl() function. When processing a … | Apr 07, 2026 |
| CVE-2026-5359 | UNKNOWN | — | Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. Reason: This candidate was issued in error. Notes: All references and descriptions in this … | Apr 07, 2026 |
| CVE-2026-4931 | UNKNOWN | — | Smart contract Marginal v1 performs unsafe downcast, allowing attackers to settle a large debt position for a negligible asset cost. | Apr 07, 2026 |
| CVE-2026-35571 | MEDIUM | 4.8 | Emissary is a P2P based data-driven workflow engine. Prior to 8.39.0, Mustache navigation templates interpolated configuration-controlled link values directly into href attributes without URL scheme … | Apr 07, 2026 |
| CVE-2026-35567 | HIGH | 8.8 | ChurchCRM is an open-source church management system. Prior to 7.1.0, the NewRole POST parameter in src/MemberRoleChange.php is used in an SQL query without proper integer … | Apr 07, 2026 |
| CVE-2026-35566 | UNKNOWN | — | Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2026-39319. Reason: This candidate is a duplicate of CVE-2026-39319. Notes: All CVE users … | Apr 07, 2026 |
| CVE-2026-35534 | HIGH | 7.6 | ChurchCRM is an open-source church management system. Prior to 7.1.0, a stored cross-site scripting vulnerability exists in PersonView.php due to incorrect use of sanitizeText() as … | Apr 07, 2026 |
| CVE-2026-35526 | HIGH | 7.5 | Strawberry GraphQL is a library for creating GraphQL APIs. Prior to 0.312.3, Strawberry GraphQL's WebSocket subscription handlers for both the graphql-transport-ws and legacy graphql-ws protocols … | Apr 07, 2026 |
| CVE-2026-35521 | HIGH | 8.8 | FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, the Pi-hole FTL engine contains a … | Apr 07, 2026 |
| CVE-2026-35520 | HIGH | 8.8 | FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, the Pi-hole FTL engine contains a … | Apr 07, 2026 |
| CVE-2026-35519 | HIGH | 8.8 | FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, the Pi-hole FTL engine contains a … | Apr 07, 2026 |
| CVE-2026-35518 | HIGH | 8.8 | FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, the Pi-hole FTL engine contains a … | Apr 07, 2026 |
| CVE-2026-35517 | HIGH | 8.8 | FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, the Pi-hole FTL engine contains a … | Apr 07, 2026 |
| CVE-2026-35516 | MEDIUM | 5.0 | LinkAce is a self-hosted archive to collect website links. Prior to 2.5.4, LinkRepository::update and CheckLinksCommand::checkLink do not check for private IPs. An authenticated user can … | Apr 07, 2026 |
| CVE-2026-35515 | UNKNOWN | — | Nest is a framework for building scalable Node.js server-side applications. Prior to 11.1.18, SseStream._transform() interpolates message.type and message.id directly into Server-Sent Events text protocol output … | Apr 07, 2026 |
| CVE-2026-35492 | MEDIUM | 6.5 | Kedro-Datasets is a Kendo plugin providing data connectors. Prior to 9.3.0, PartitionedDataset in kedro-datasets was vulnerable to path traversal. Partition IDs were concatenated directly with … | Apr 07, 2026 |
| CVE-2026-35491 | MEDIUM | 6.1 | FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, Pi-hole FTL supports a CLI password … | Apr 07, 2026 |
| CVE-2026-35490 | CRITICAL | 9.8 | changedetection.io is a free open source web page change detection tool. Prior to 0.54.8, the @login_optionally_required decorator is placed before (outer to) @blueprint.route() instead of … | Apr 07, 2026 |
| CVE-2026-35489 | HIGH | 7.3 | Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Prior to 2.6.4, the POST /api/food/{id}/shopping/ endpoint reads amount and unit … | Apr 07, 2026 |
| CVE-2026-35488 | HIGH | 8.1 | Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Prior to 2.6.4, RecipeBookViewSet and RecipeBookEntryViewSet use CustomIsShared as an alternative … | Apr 07, 2026 |
| CVE-2026-35487 | MEDIUM | 5.3 | text-generation-webui is an open-source web interface for running Large Language Models. Prior to 4.3, an unauthenticated path traversal vulnerability in load_prompt() allows reading any .txt … | Apr 07, 2026 |
| CVE-2026-35486 | HIGH | 7.5 | text-generation-webui is an open-source web interface for running Large Language Models. Prior to 4.3, he superbooga and superboogav2 RAG extensions fetch user-supplied URLs via requests.get() … | Apr 07, 2026 |
| CVE-2026-33816 | UNKNOWN | — | Memory-safety vulnerability in github.com/jackc/pgx/v5. | Apr 07, 2026 |