Security
CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
13551
Total
895
Critical
3928
High
4272
Medium
| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-26135 | CRITICAL | 9.6 | Server-side request forgery (ssrf) in Azure Custom Locations Resource Provider (RP) allows an authorized attacker to elevate privileges over a network. | Apr 03, 2026 |
| CVE-2022-4986 | HIGH | 7.5 | Hirschmann EagleSDV version 05.4.01 prior to 05.4.02 contains a denial-of-service vulnerability that causes the device to crash during session establishment when using TLS 1.0 or … | Apr 02, 2026 |
| CVE-2026-35467 | HIGH | 7.5 | The stored API keys in temporary browser client is not marked as protected allowing for JavScript console or other errors to allow for extraction of … | Apr 02, 2026 |
| CVE-2026-35466 | MEDIUM | 6.1 | XSS vulnerability in cveInterface.js allows for inject HTML to be passed to display, as cveInterface trusts input from CVE API services | Apr 02, 2026 |
| CVE-2026-30252 | MEDIUM | 6.1 | Multiple reflected cross-site scripting (XSS) vulnerabilities in the login.php endpoint of Interzen Consulting S.r.l ZenShare Suite v17.0 allows attackers to execute arbitrary Javascript in the … | Apr 02, 2026 |
| CVE-2026-30251 | MEDIUM | 6.1 | A reflected cross-site scripting (XSS) vulnerability in the login_newpwd.php endpoint of Interzen Consulting S.r.l ZenShare Suite v17.0 allows attackers to execute arbitrary Javascript in the … | Apr 02, 2026 |
| CVE-2025-15620 | HIGH | 8.6 | HiOS Switch Platform versions 09.1.00 prior to 09.4.05 and 10.3.01 contains a denial-of-service vulnerability in the web interface that allows remote attackers to reboot the … | Apr 02, 2026 |
| CVE-2024-14033 | HIGH | 7.5 | Hirschmann Industrial IT products (BAT-R, BAT-F, BAT450-F, BAT867-R, BAT867-F, WLC, BAT Controller Virtual) contain a heap overflow vulnerability in the HiLCOS web interface that allows … | Apr 02, 2026 |
| CVE-2026-5420 | LOW | 2.5 | A security flaw has been discovered in Shinrays Games Goods Triple App up to 1.200. The affected element is an unknown function of the file … | Apr 02, 2026 |
| CVE-2026-35383 | MEDIUM | 6.5 | Bentley Systems iTwin Platform exposed a Cesium ion access token in the source of some web pages. An unauthenticated attacker could use this token to … | Apr 02, 2026 |
| CVE-2026-35053 | UNKNOWN | — | OneUptime is an open-source monitoring and observability platform. Prior to version 10.0.42, the Worker service's ManualAPI exposes workflow execution endpoints (GET /workflow/manual/run/:workflowId and POST /workflow/manual/run/:workflowId) … | Apr 02, 2026 |
| CVE-2026-34932 | UNKNOWN | — | hoppscotch is an open source API development ecosystem. Prior to version 2026.3.0, there is a stored XSS vulnerability that can lead to CSRF. This issue … | Apr 02, 2026 |
| CVE-2026-34931 | UNKNOWN | — | hoppscotch is an open source API development ecosystem. Prior to version 2026.3.0, there is an open redirect vulnerability that leads to token exfiltration. With these … | Apr 02, 2026 |
| CVE-2026-34848 | MEDIUM | 5.4 | hoppscotch is an open source API development ecosystem. Prior to version 2026.3.0, there is a stored XSS vulnerability in the team member overflow tooltip via … | Apr 02, 2026 |
| CVE-2026-34847 | MEDIUM | 4.7 | hoppscotch is an open source API development ecosystem. Prior to version 2026.3.0, the /enter page contains a DOM-based open redirect vulnerability. The redirect query parameter … | Apr 02, 2026 |
| CVE-2026-34840 | HIGH | 8.1 | OneUptime is an open-source monitoring and observability platform. Prior to version 10.0.42, OneUptime's SAML SSO implementation (App/FeatureSet/Identity/Utils/SSO.ts) has decoupled signature verification and identity extraction. isSignatureValid() … | Apr 02, 2026 |
| CVE-2026-34838 | CRITICAL | 9.9 | Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.156, 25.0.90, and 26.0.12, a vulnerability in the AbstractSettingsCollection model leads to … | Apr 02, 2026 |
| CVE-2026-34834 | UNKNOWN | — | Bulwark Webmail is a self-hosted webmail client for Stalwart Mail Server. Prior to version 1.4.10, the verifyIdentity() function contained logic that returned true if no … | Apr 02, 2026 |
| CVE-2026-34833 | UNKNOWN | — | Bulwark Webmail is a self-hosted webmail client for Stalwart Mail Server. Prior to version 1.4.10, the GET /api/auth/session endpoint previously included the user's plaintext password … | Apr 02, 2026 |
| CVE-2026-34832 | MEDIUM | 6.5 | Scoold is a Q&A and a knowledge sharing platform for teams. Prior to version 1.66.1, Scoold contains an authenticated authorization flaw in feedback deletion that … | Apr 02, 2026 |
| CVE-2026-34825 | UNKNOWN | — | NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to version 2.0.30, NocoBase plugin-workflow-sql substitutes template variables directly into raw … | Apr 02, 2026 |
| CVE-2026-34762 | LOW | 2.7 | Ella Core is a 5G core designed for private networks. Prior to version 1.8.0, the PUT /api/v1/subscriber/{imsi} API accepts an IMSI identifier from both the … | Apr 02, 2026 |
| CVE-2026-34761 | MEDIUM | 5.8 | Ella Core is a 5G core designed for private networks. Prior to version 1.8.0, Ella Core panics when processing a NGAP handover failure message. An … | Apr 02, 2026 |
| CVE-2026-34760 | MEDIUM | 5.9 | vLLM is an inference and serving engine for large language models (LLMs). From version 0.5.5 to before version 0.18.0, Librosa defaults to using numpy.mean for … | Apr 02, 2026 |
| CVE-2024-14034 | CRITICAL | 9.8 | Hirschmann HiEOS devices versions prior to 01.1.00 contain an authentication bypass vulnerability in the HTTP(S) management module that allows unauthenticated remote attackers to gain administrative … | Apr 02, 2026 |