CVE Feed

Latest vulnerabilities from the National Vulnerability Database.

Total: 13326

Critical: 883

High: 3881

Medium: 4214

| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-35472 | UNKNOWN | | WeGIA is a Web manager for charitable institutions. Prior to 3.6.9, an Open Redirect vulnerability was identified in the /WeGIA/controle/control.php endpoint of the WeGIA application, … | Apr 06, 2026 |
| CVE-2026-35399 | UNKNOWN | | WeGIA is a Web manager for charitable institutions. Prior to 3.6.9, a stored XSS vulnerability allows an attacker to inject malicious scripts through a backup … | Apr 06, 2026 |
| CVE-2026-35398 | UNKNOWN | | WeGIA is a Web manager for charitable institutions. Prior to 3.6.9, an Open Redirect vulnerability was identified in the /WeGIA/controle/control.php endpoint of the WeGIA application, … | Apr 06, 2026 |
| CVE-2026-35396 | UNKNOWN | | WeGIA is a Web manager for charitable institutions. Prior to 3.6.9, an Open Redirect vulnerability was identified in the /WeGIA/controle/control.php endpoint of the WeGIA application, … | Apr 06, 2026 |
| CVE-2026-35395 | HIGH | 8.8 | WeGIA is a Web manager for charitable institutions. Prior to 3.6.9, WeGIA (Web gerenciador para instituições assistenciais) contains a SQL injection vulnerability in dao/memorando/DespachoDAO.php. The … | Apr 06, 2026 |
| CVE-2026-35394 | HIGH | 8.3 | Mobile Next is an MCP server for mobile development and automation. Prior to 0.0.50, the mobile_open_url tool in mobile-mcp passes user-supplied URLs directly to Android's … | Apr 06, 2026 |
| CVE-2026-35393 | CRITICAL | 9.8 | goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.3, the POST multipart upload directory is not sanitized. This vulnerability is fixed in 2.0.0-beta.3. | Apr 06, 2026 |
| CVE-2026-35392 | CRITICAL | 9.8 | goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.3, PUT upload in httpserver/updown.go has no path sanitization. This vulnerability is fixed in 2.0.0-beta.3. | Apr 06, 2026 |
| CVE-2026-35391 | UNKNOWN | | Bulwark Webmail is a self-hosted webmail client for Stalwart Mail Server. Prior to 1.4.11, the getClientIP() function in lib/admin/session.ts trusted the first (leftmost) entry of … | Apr 06, 2026 |
| CVE-2026-35390 | UNKNOWN | | Bulwark Webmail is a self-hosted webmail client for Stalwart Mail Server. Prior to 1.4.11, the reverse proxy (proxy.ts) set the Content-Security-Policy-Report-Only header instead of the … | Apr 06, 2026 |
| CVE-2026-35389 | UNKNOWN | | Bulwark Webmail is a self-hosted webmail client for Stalwart Mail Server. Prior to 1.4.11, S/MIME signature verification did not validate the certificate trust chain (checkChain: … | Apr 06, 2026 |
| CVE-2026-35213 | UNKNOWN | | @hapi/content provided HTTP Content-* headers parsing. All versions of @hapi/content through 6.0.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via crafted HTTP header … | Apr 06, 2026 |
| CVE-2026-35208 | UNKNOWN | | lichess.org is the forever free, adless and open source chess server. Any approved streamer can inject arbitrary HTML into /streamer and the homepage “Live streams” … | Apr 06, 2026 |
| CVE-2026-34972 | MEDIUM | 5.0 | OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. From 1.8.0 to 1.13.1, under specific conditions, BatchCheck calls … | Apr 06, 2026 |
| CVE-2025-54601 | HIGH | 7.0 | An issue was discovered in the Wi-Fi driver in Samsung Mobile Processor and Wearable Processor Exynos 980, 850, 1080, 1280, 1330, 1380, 1480, 1580, W920, … | Apr 06, 2026 |
| CVE-2026-5682 | LOW | 3.7 | A vulnerability has been found in Meesho Online Shopping App up to 27.3 on Android. Affected is an unknown function of the file /api/endpoint of … | Apr 06, 2026 |
| CVE-2026-5681 | MEDIUM | 6.3 | A flaw has been found in itsourcecode sanitize or validate this input 1.0. This impacts an unknown function of the file /borrowedequip.php of the component … | Apr 06, 2026 |
| CVE-2026-5679 | MEDIUM | 5.5 | A security vulnerability has been detected in Totolink A3300R 17.0.0cu.557_B20221024. The impacted element is the function vsetTr069Cfg of the file /cgi-bin/cstecgi.cgi. The manipulation of the … | Apr 06, 2026 |
| CVE-2026-35459 | UNKNOWN | | pyLoad is a free and open-source download manager written in Python. In 0.5.0b3.dev96 and earlier, pyLoad has a server-side request forgery (SSRF) vulnerability. The fix … | Apr 06, 2026 |
| CVE-2026-35203 | HIGH | 7.5 | ZLMediaKit is a streaming media service framework. The VP9 RTP payload parser in ext-codec/VP9Rtp.cpp reads multiple fields from the RTP payload based on flag bits … | Apr 06, 2026 |
| CVE-2026-35201 | MEDIUM | 5.9 | Discount is an implementation of John Gruber's Markdown markup language in C. From 1.3.1.1 to before 2.2.7.4, a signed length truncation bug causes an out-of-bounds … | Apr 06, 2026 |
| CVE-2026-35200 | UNKNOWN | | Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.73 and 9.7.1-alpha.4, a file … | Apr 06, 2026 |
| CVE-2026-35199 | MEDIUM | 6.1 | SymCrypt is the core cryptographic function library currently used by Windows. From 103.5.0 to before 103.11.0, the SymCryptXmssSign function passes a 64-bit leaf count value … | Apr 06, 2026 |
| CVE-2026-35197 | MEDIUM | 6.6 | dye is a portable and respectful color library for shell scripts. Prior to 1.1.1, certain dye template expressions would result in execution of arbitrary code. … | Apr 06, 2026 |
| CVE-2026-35187 | HIGH | 7.7 | pyLoad is a free and open-source download manager written in Python. In 0.5.0b3.dev96 and earlier, the parse_urls API function in src/pyload/core/api/__init__.py fetches arbitrary URLs server-side … | Apr 06, 2026 |