Security
CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
14261
Total
958
Critical
4182
High
4527
Medium
| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-30530 | CRITICAL | 9.8 | A SQL Injection vulnerability exists in SourceCodester Online Food Ordering System v1.0 in the Actions.php file (specifically the save_customer action). The application fails to properly … | Mar 27, 2026 |
| CVE-2026-30529 | HIGH | 8.8 | A SQL Injection vulnerability exists in SourceCodester Online Food Ordering System v1.0 in the Actions.php file (specifically the save_user action). The application fails to properly … | Mar 27, 2026 |
| CVE-2026-30527 | UNKNOWN | — | A Stored Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Online Food Ordering System v1.0 in the Category management module within the admin panel. The application … | Mar 27, 2026 |
| CVE-2026-30302 | CRITICAL | 10.0 | The command auto-approval module in CodeRider-Kilo contains an OS Command Injection vulnerability, rendering its whitelist security mechanism ineffective. The vulnerability stems from the incorrect use … | Mar 27, 2026 |
| CVE-2023-7340 | LOW | 3.5 | Wazuh authd contains a heap-buffer overflow vulnerability that allows attackers to cause memory corruption and malformed heap data by sending specially crafted input. Attackers can … | Mar 27, 2026 |
| CVE-2026-5027 | HIGH | 8.8 | The 'POST /api/v2/files' endpoint does not sanitize the 'filename' parameter from the multipart form data, allowing an attacker to write files to arbitrary locations on … | Mar 27, 2026 |
| CVE-2026-5026 | UNKNOWN | — | The '/api/v1/files/images/{flow_id}/{file_name}' endpoint serves SVG files with the 'image/svg+xml' content type without sanitizing their content. Since SVG files can contain embedded JavaScript, an attacker can … | Mar 27, 2026 |
| CVE-2026-5025 | MEDIUM | 6.5 | The '/logs' and '/logs-stream' endpoints in the log router allow any authenticated user to read the full application log buffer. These endpoints only require basic … | Mar 27, 2026 |
| CVE-2026-5022 | UNKNOWN | — | The '/api/v1/files/images/{flow_id}/{file_name}' endpoint does not enforce any authentication or authorization checks, allowing any unauthenticated user to download images belonging to any flow by knowing (or … | Mar 27, 2026 |
| CVE-2026-5010 | UNKNOWN | — | A reflected Cross-Site Scripting (XSS) vulnerability has been discovered in Clickedu. This vulnerability allows an attacker to execute JavaScript code in the victim’s browser by … | Mar 27, 2026 |
| CVE-2026-4984 | HIGH | 8.2 | The Twilio integration webhook handler accepts any POST request without validating Twilio's 'X-Twilio-Signature'. When processing media messages, it fetches user-controlled URLs ('MediaUrlN' parameters) using HTTP … | Mar 27, 2026 |
| CVE-2026-4980 | MEDIUM | 6.3 | A local file disclosure vulnerability in the XInclude processing component of Inkscape 1.1 before 1.3 allows a remote attacker to read local files via a … | Mar 27, 2026 |
| CVE-2026-4957 | LOW | 2.7 | A flaw has been found in OpenBMB XAgent 1.0.0. The impacted element is the function FunctionHandler.handle_tool_call of the file XAgent/function_handler.py of the component API Key … | Mar 27, 2026 |
| CVE-2026-4956 | HIGH | 7.3 | A vulnerability was detected in Shenzhen Ruiming Technology Streamax Crocus 1.3.44. The affected element is an unknown function of the file /DevicePrint.do?Action=ReadTask of the component … | Mar 27, 2026 |
| CVE-2026-4955 | HIGH | 7.3 | A vulnerability was found in Shenzhen Ruiming Technology Streamax Crocus 1.3.44. This impacts an unknown function of the file /OperateStatistic.do. The manipulation of the argument … | Mar 27, 2026 |
| CVE-2026-4954 | MEDIUM | 6.3 | A security vulnerability has been detected in mingSoft MCMS up to 5.5.0. Impacted is the function list of the file net/mingsoft/cms/action/web/ContentAction.java of the component Web … | Mar 27, 2026 |
| CVE-2026-4953 | HIGH | 7.3 | A weakness has been identified in mingSoft MCMS up to 5.5.0. This issue affects the function catchImage of the file net/mingsoft/cms/action/BaseAction.java of the component Editor … | Mar 27, 2026 |
| CVE-2026-33766 | UNKNOWN | — | WWBN AVideo is an open source video platform. In versions up to and including 26.0, `isSSRFSafeURL()` validates URLs against private/reserved IP ranges before fetching, but … | Mar 27, 2026 |
| CVE-2026-33764 | MEDIUM | 4.3 | WWBN AVideo is an open source video platform. In versions up to and including 26.0, the AI plugin's `save.json.php` endpoint loads AI response objects using … | Mar 27, 2026 |
| CVE-2026-33763 | MEDIUM | 5.3 | WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `get_api_video_password_is_correct` API endpoint allows any unauthenticated user to verify … | Mar 27, 2026 |
| CVE-2026-33761 | MEDIUM | 5.3 | WWBN AVideo is an open source video platform. In versions up to and including 26.0, three `list.json.php` endpoints in the Scheduler plugin lack any authentication … | Mar 27, 2026 |
| CVE-2026-33759 | MEDIUM | 5.3 | WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `objects/playlistsVideos.json.php` endpoint returns the full video contents of any … | Mar 27, 2026 |
| CVE-2026-33758 | UNKNOWN | — | OpenBao is an open source identity-based secrets management system. Prior to version 2.5.2, OpenBao installations that have an OIDC/JWT authentication method enabled and a role … | Mar 27, 2026 |
| CVE-2026-33757 | CRITICAL | 9.6 | OpenBao is an open source identity-based secrets management system. Prior to version 2.5.2, OpenBao does not prompt for user confirmation when logging in via JWT/OIDC … | Mar 27, 2026 |
| CVE-2026-33755 | HIGH | 8.8 | Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.158, 25.0.92, and 26.0.17, an authenticated SQL Injection vulnerability in the JMAP … | Mar 27, 2026 |