Security
CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
13594
Total
907
Critical
3956
High
4292
Medium
| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-34801 | MEDIUM | 6.4 | Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the remark parameter to /manage/dhcp/fixed_leases/. An authenticated attacker can inject arbitrary JavaScript that … | Apr 02, 2026 |
| CVE-2026-34800 | MEDIUM | 6.4 | Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the NAME parameter to /cgi-bin/uplinkeditor.cgi. An authenticated attacker can inject arbitrary JavaScript that … | Apr 02, 2026 |
| CVE-2026-34799 | MEDIUM | 6.4 | Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the remark parameter to /manage/dnsmasq/hosts/. An authenticated attacker can inject arbitrary JavaScript that … | Apr 02, 2026 |
| CVE-2026-34798 | MEDIUM | 6.4 | Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the remark parameter to /cgi-bin/routing.cgi. An authenticated attacker can inject arbitrary JavaScript that … | Apr 02, 2026 |
| CVE-2026-34797 | HIGH | 8.8 | Endian Firewall version 3.3.25 and prior allow authenticated users to execute arbitrary OS commands via the DATE parameter to /cgi-bin/logs_smtp.cgi. The DATE parameter value is … | Apr 02, 2026 |
| CVE-2026-34796 | HIGH | 8.8 | Endian Firewall version 3.3.25 and prior allow authenticated users to execute arbitrary OS commands via the DATE parameter to /cgi-bin/logs_openvpn.cgi. The DATE parameter value is … | Apr 02, 2026 |
| CVE-2026-34795 | HIGH | 8.8 | Endian Firewall version 3.3.25 and prior allow authenticated users to execute arbitrary OS commands via the DATE parameter to /cgi-bin/logs_log.cgi. The DATE parameter value is … | Apr 02, 2026 |
| CVE-2026-34794 | HIGH | 8.8 | Endian Firewall version 3.3.25 and prior allow authenticated users to execute arbitrary OS commands via the DATE parameter to /cgi-bin/logs_ids.cgi. The DATE parameter value is … | Apr 02, 2026 |
| CVE-2026-34793 | HIGH | 8.8 | Endian Firewall version 3.3.25 and prior allow authenticated users to execute arbitrary OS commands via the DATE parameter to /cgi-bin/logs_firewall.cgi. The DATE parameter value is … | Apr 02, 2026 |
| CVE-2026-34792 | HIGH | 8.8 | Endian Firewall version 3.3.25 and prior allow authenticated users to execute arbitrary OS commands via the DATE parameter to /cgi-bin/logs_clamav.cgi. The DATE parameter value is … | Apr 02, 2026 |
| CVE-2026-34791 | HIGH | 8.8 | Endian Firewall version 3.3.25 and prior allow authenticated users to execute arbitrary OS commands via the DATE parameter to /cgi-bin/logs_proxy.cgi. The DATE parameter value is … | Apr 02, 2026 |
| CVE-2026-34790 | HIGH | 7.1 | Endian Firewall version 3.3.25 and prior allow authenticated users to delete arbitrary files via directory traversal in the remove ARCHIVE parameter to /cgi-bin/backup.cgi. The remove … | Apr 02, 2026 |
| CVE-2026-34729 | MEDIUM | 6.1 | phpMyFAQ is an open source FAQ web application. Prior to version 4.1.1, there is a stored XSS vulnerability via Regex Bypass in Filter::removeAttributes(). This issue … | Apr 02, 2026 |
| CVE-2026-34728 | HIGH | 8.7 | phpMyFAQ is an open source FAQ web application. Prior to version 4.1.1, the MediaBrowserController::index() method handles file deletion for the media browser. When the fileRemove … | Apr 02, 2026 |
| CVE-2026-33641 | HIGH | 7.8 | Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.3, Glances supports dynamic configuration values in which substrings enclosed in backticks are executed … | Apr 02, 2026 |
| CVE-2026-33544 | HIGH | 7.7 | Tinyauth is an authentication and authorization server. Prior to version 5.0.5, all three OAuth service implementations (GenericOAuthService, GithubOAuthService, GoogleOAuthService) store PKCE verifiers and access tokens … | Apr 02, 2026 |
| CVE-2026-33533 | UNKNOWN | — | Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.3, the Glances XML-RPC server (activated with glances -s or glances --server) sends Access-Control-Allow-Origin: … | Apr 02, 2026 |
| CVE-2026-32871 | UNKNOWN | — | FastMCP is a Pythonic way to build MCP servers and clients. Prior to version 3.2.0, the OpenAPIProvider in FastMCP exposes internal APIs to MCP clients … | Apr 02, 2026 |
| CVE-2026-32629 | UNKNOWN | — | phpMyFAQ is an open source FAQ web application. Prior to version 4.1.1, an unauthenticated attacker can submit a guest FAQ with an email address that … | Apr 02, 2026 |
| CVE-2026-31937 | HIGH | 7.5 | Suricata is a network IDS, IPS and NSM engine. Prior to version 7.0.15, inefficiency in DCERPC buffering can lead to a performance degradation. This issue … | Apr 02, 2026 |
| CVE-2026-31935 | HIGH | 7.5 | Suricata is a network IDS, IPS and NSM engine. Prior to versions 7.0.15 and 8.0.4, flooding of craft HTTP2 continuation frames can lead to memory … | Apr 02, 2026 |
| CVE-2026-31934 | HIGH | 7.5 | Suricata is a network IDS, IPS and NSM engine. From version 8.0.0 to before version 8.0.4, there is a quadratic complexity issue when searching for … | Apr 02, 2026 |
| CVE-2026-5338 | MEDIUM | 4.7 | A security vulnerability has been detected in Tenda G103 1.0.0.5. The affected element is the function action_set_system_settings of the file system.lua of the component Setting … | Apr 02, 2026 |
| CVE-2026-5334 | HIGH | 7.3 | A weakness has been identified in itsourcecode Online Enrollment System 1.0. Impacted is an unknown function of the file /enrollment/index.php?view=edit&id=3 of the component Parameter Handler. … | Apr 02, 2026 |
| CVE-2026-5333 | HIGH | 7.3 | A security flaw has been discovered in DefaultFuction Content-Management-System 1.0. This issue affects some unknown processing of the file /admin/tools.php. The manipulation of the argument … | Apr 02, 2026 |