CVE Field Guide

Critical CVEs

CVE	Title	Updated	Score
CVE-2018-25316	Tenda W308R v2 V5.07.48 Cookie Session Weakness DNS Change	29.04.2026	9.3
CVE-2018-25317	Tenda W3002R/A302/W309R V5.07.64_en Cookie Session Weakness DNS Change	29.04.2026	9.3
CVE-2018-25318	Tenda FH303/A300 V5.07.68_EN Cookie Session Weakness DNS Change	29.04.2026	9.3
CVE-2026-30893	Wazuh cluster sync path traversal in decompress_files() enables arbitrary file write and code execution from authenticated cluster peer	29.04.2026	9
CVE-2026-26015	Unauthenticated RCE in DocsGPT MCP STDIO Configuration	29.04.2026	10
CVE-2026-41940	cPanel and WHM Authentication Bypass via Login Flow	30.04.2026	9.3
CVE-2026-5166	Path Traversal in TUBITAK BILGEM's Pardus Software Center	29.04.2026	9.6
CVE-2026-3325	SQL injection in MegaCMS by CRM Sistemas de Fidelización	29.04.2026	10
CVE-2026-41446	WattBox 800 & 820 Series < 2.10.0.0 RCE via Diagnostic Endpoints	29.04.2026	9.2
CVE-2026-24178		29.04.2026	9.8
CVE-2026-3893	Carlson Software VASCO-B GNSS Receiver Missing Authentication for Critical Function	29.04.2026	9.4
CVE-2026-41386	OpenClaw < 2026.3.22 - Privilege Escalation via Unbound Bootstrap Setup Codes	29.04.2026	9.1
CVE-2026-27760	OpenCATS PHP Code Injection via installer AJAX endpoint	28.04.2026	9.2
CVE-2026-5779	Multiple vulnerabilities in MphRx's Minerva	28.04.2026	9.4
CVE-2026-7241	Totolink A8000RU CGI cstecgi.cgi setWiFiBasicCfg os command injection	29.04.2026	9.3
CVE-2026-7242	Totolink A8000RU CGI cstecgi.cgi setOpenVpnClientCfg os command injection	28.04.2026	9.3
CVE-2026-7243	Totolink A8000RU CGI cstecgi.cgi setRadvdCfg os command injection	28.04.2026	9.3
CVE-2026-7244	Totolink A8000RU CGI cstecgi.cgi setWiFiEasyGuestCfg os command injection	28.04.2026	9.3
CVE-2026-7248	D-Link DI-8100 CGI Endpoint tgfile.htm tgfile_htm buffer overflow	29.04.2026	9.3
CVE-2026-7240	Totolink A8000RU CGI cstecgi.cgi setVpnAccountCfg os command injection	29.04.2026	9.3
CVE-2026-32644	Milesight Cameras Use of Hard-coded Cryptographic Key	28.04.2026	9.2
CVE-2026-7202	Totolink A8000RU CGI cstecgi.cgi setWiFiWpsStart os command injection	29.04.2026	9.3
CVE-2026-7203	Totolink A8000RU CGI cstecgi.cgi setUrlFilterRules os command injection	29.04.2026	9.3
CVE-2026-7204	Totolink A8000RU CGI cstecgi.cgi setPptpServerCfg os command injection	28.04.2026	9.3
CVE-2026-40976		29.04.2026	9.1
CVE-2026-7156	Totolink A8000RU CGI cstecgi.cgi CsteSystem os command injection	28.04.2026	9.3
CVE-2026-7154	Totolink A8000RU CGI cstecgi.cgi setAdvancedInfoShow os command injection	28.04.2026	9.3
CVE-2026-7155	Totolink A8000RU CGI cstecgi.cgi setLoginPasswordCfg os command injection	28.04.2026	9.3
CVE-2026-7152	Totolink A8000RU CGI cstecgi.cgi setTelnetCfg os command injection	28.04.2026	9.3
CVE-2026-7153	Totolink A8000RU CGI cstecgi.cgi setMiniuiHomeInfoShow os command injection	28.04.2026	9.3
CVE-2026-7139	Totolink A8000RU CGI cstecgi.cgi setWiFiAclRules os command injection	29.04.2026	9.3
CVE-2026-7140	Totolink A8000RU CGI cstecgi.cgi CsteSystem os command injection	27.04.2026	9.3
CVE-2026-7136	Totolink A8000RU CGI cstecgi.cgi setDmzCfg os command injection	27.04.2026	9.3
CVE-2026-7137	Totolink A8000RU CGI cstecgi.cgi setStorageCfg os command injection	27.04.2026	9.3
CVE-2026-7138	Totolink A8000RU CGI cstecgi.cgi setNtpCfg os command injection	27.04.2026	9.3
CVE-2026-41462	ProjeQtor < 12.4.4 Unauthenticated SQL Injection via Login	27.04.2026	9.3
CVE-2026-7123	Totolink A8000RU CGI cstecgi.cgi setIptvCfg os command injection	27.04.2026	9.3
CVE-2026-7124	Totolink A8000RU CGI cstecgi.cgi setIpv6LanCfg os command injection	27.04.2026	9.3
CVE-2026-7125	Totolink A8000RU CGI cstecgi.cgi setWiFiEasyCfg os command injection	27.04.2026	9.3
CVE-2026-7121	Totolink A8000RU CGI cstecgi.cgi setWizardCfg os command injection	27.04.2026	9.3
CVE-2026-7122	Totolink A8000RU CGI cstecgi.cgi setUPnPCfg os command injection	29.04.2026	9.3
CVE-2026-22336	WordPress Directorist Booking plugin < 3.0.2 - SQL Injection vulnerability	28.04.2026	9.3
CVE-2026-22337	WordPress Directorist Social Login plugin < 2.1.4 - Privilege Escalation vulnerability	28.04.2026	9.8
CVE-2026-41409	Apache MINA: CWE-502 Deserialization of Untrusted Data	27.04.2026	9.8
CVE-2026-41635	Apache MINA: AbstractIoBuffer.resolveClass() null-clazz Branch Skips acceptMatchers Filter — Full Object Deserialization RCE	28.04.2026	9.8
CVE-2026-42363	GeoVision GV-IP Device Utility Device Authentication insufficient encryption vulnerability	27.04.2026	9.3
CVE-2026-7037	Totolink A8000RU CGI cstecgi.cgi setVpnPassCfg os command injection	27.04.2026	9.3
CVE-2026-31682	bridge: br_nd_send: linearize skb before parsing ND options	27.04.2026	9.1
CVE-2026-31685	netfilter: ip6t_eui64: reject invalid MAC header for all packets	27.04.2026	9.4
CVE-2026-6951		25.04.2026	9.2
CVE-2026-41248	Official Clerk JavaScript SDKs: Middleware-based route protection bypass	27.04.2026	9.1
CVE-2026-41478	Saltcorn: SQL Injection via Unparameterized Sync Endpoints (maxLoadedId)	27.04.2026	10
CVE-2026-41428	Budibase: Authentication Bypass via Unanchored Regex in Public Endpoint Matcher — Unauthenticated Access to Protected Endpoints	24.04.2026	9.1
CVE-2026-41327	Dgraph: Pre-Auth Full Database Exfiltration via DQL Injection in Upsert Condition Field	24.04.2026	9.1
CVE-2026-41492	Unauthenticated Admin Token Disclosure Leading to Authentication Bypass via /debug/vars in Dgraph	24.04.2026	9.8
CVE-2026-41328	Dgraph: Pre-Auth Full Database Exfiltration via DQL Injection in NQuad Lang Field	24.04.2026	9.1
CVE-2026-6911	Authentication Bypass via Missing JWT Signature Verification in AWS Ops Wheel	24.04.2026	9.3
CVE-2026-39920	BridgeHead FileStore < 24A Apache Axis2 Default Credentials RCE	24.04.2026	9.3
CVE-2026-31536	smb: server: let send_done handle a completion without IB_SEND_SIGNALED	27.04.2026	9.8
CVE-2026-31589	mm: call ->free_folio() directly in folio_unmap_invalidate()	27.04.2026	9.8
CVE-2026-31607	usbip: validate number_of_packets in usbip_pack_ret_submit()	27.04.2026	9.8
CVE-2026-31608	smb: server: avoid double-free in smb_direct_free_sendmsg after smb_direct_flush_send_list()	27.04.2026	9.8
CVE-2026-31609	smb: client: avoid double-free in smbd_free_send_io() after smbd_send_batch_flush()	27.04.2026	9.8
CVE-2026-31633	rxrpc: Fix integer overflow in rxgk_verify_response()	27.04.2026	9.8
CVE-2026-31636	rxrpc: fix RESPONSE authenticator parser OOB read	27.04.2026	9.1
CVE-2026-31637	rxrpc: reject undecryptable rxkad response tickets	27.04.2026	9.8
CVE-2026-31649	net: stmmac: fix integer underflow in chain mode	27.04.2026	9.8
CVE-2026-31657	batman-adv: hold claim backbone gateways by reference	27.04.2026	9.8
CVE-2026-31659	batman-adv: reject oversized global TT response buffers	27.04.2026	9.8
CVE-2026-31668	seg6: separate dst_cache for input and output paths in seg6 lwtunnel	27.04.2026	9.8
CVE-2026-31669	mptcp: fix slab-use-after-free in __inet_lookup_established	27.04.2026	9.8
CVE-2026-25660	Authentication bypass for certain API calls	24.04.2026	9.3
CVE-2026-21515	Azure IoT Central Elevation of Privilege Vulnerability	28.04.2026	9.9
CVE-2026-1950	No checking of the length of the buffer with the file name in AS320T	24.04.2026	9.8
CVE-2026-1951	No checking of the length of the buffer with the directory name in AS320T	24.04.2026	9.8
CVE-2026-1952	Denial of service via the undocumented subfunction in AS320T	24.04.2026	9.8
CVE-2026-1949	Incorrect calculation of buffer size on the stack in AS320T	24.04.2026	9.8
CVE-2026-25775	SenseLive X3050 Missing authentication for critical function	24.04.2026	9.3
CVE-2026-27843	SenseLive X3050 Missing authentication for critical function	24.04.2026	9.2
CVE-2026-35503	SenseLive X3050 Use of Hard-coded Credentials	24.04.2026	9.3
CVE-2026-39462	SenseLive X3050 Insufficiently Protected Credentials	24.04.2026	9.3
CVE-2026-40620	SenseLive X3050 Missing authentication for critical function	24.04.2026	9.3
CVE-2026-40630	SenseLive X3050 Authentication bypass using an alternate path or channel	24.04.2026	9.3
CVE-2026-24303	Microsoft Partner Center Elevation of Privilege Vulnerability	28.04.2026	9.6
CVE-2026-32210	Microsoft Dynamics 365 (online) Spoofing Vulnerability	28.04.2026	9.3
CVE-2026-33102	Microsoft 365 Copilot Elevation of Privilege Vulnerability	28.04.2026	9.3
CVE-2026-33819	Microsoft Bing Remote Code Execution Vulnerability	28.04.2026	10
CVE-2026-35431	Microsoft Entra ID Entitlement Management Spoofing Vulnerability	28.04.2026	10
CVE-2026-26210	KTransformers Unsafe Deserialization RCE via balance_serve	24.04.2026	9.3
CVE-2026-41274	Flowise: Cypher Injection in GraphCypherQAChain	24.04.2026	9.3
CVE-2026-6942	radare2-mcp <=1.6.0 OS Command Injection via Shell Metacharacter Bypass	29.04.2026	9.3
CVE-2026-25874	LeRobot Unsafe Deserialization Remote Code Execution via gRPC	24.04.2026	9.3
CVE-2026-41264	Flowise: CSV Agent Prompt Injection Remote Code Execution Vulnerability	24.04.2026	9.2
CVE-2026-41265	Flowise: Airtable_Agent Code Injection Remote Code Execution Vulnerability	23.04.2026	9.2
CVE-2026-41137	Flowise: Code Injection in CSVAgent leads to Authenticated RCE	23.04.2026	9.4
CVE-2026-6074	Path traversal: '.../...//' in Intrado 911 Emergency Gateway (EGW)	23.04.2026	9.3
CVE-2026-31533	net/tls: fix use-after-free in -EBUSY error path of tls_do_encryption	27.04.2026	9.8
CVE-2025-62373	Pipecat vulnerable to Remote Code Execution by Pickle Deserialization via LivekitFrameSerializer	23.04.2026	9.8
CVE-2026-23751	Kofax Capture 6.0.0.0 Unauthenticated File Read/Write & SMB Coercion via .NET Remoting	25.04.2026	9.3
CVE-2026-40470	Hackage package and doc upload stored XSS vulnerability	23.04.2026	9.9
CVE-2026-40471	Hackage CSRF vulnerability	23.04.2026	9.6
CVE-2026-40472	Hackage package metadata stored XSS vulnerability	23.04.2026	9.9
CVE-2026-41460	SocialEngine <= 7.8.0 SQL Injection via activity/index/get-memberall	29.04.2026	9.3
CVE-2026-39440	WordPress FunnelFormsPro plugin <= 3.8.1 - Remote Code Execution (RCE) vulnerability	23.04.2026	9.9

Latest Updates

CVE	Title	Updated	Score
CVE-2026-7164	pf can overflow the stack parsing crafted SCTP packets	30.04.2026
CVE-2024-39847	Arbitrary File Read and Server Side Request Forgery via XML External Entities in 4D Server SOAP	30.04.2026
CVE-2026-42511	Remote code execution via malicious DHCP options	30.04.2026
CVE-2026-42798		30.04.2026	4
CVE-2026-7270	Local privilege escalation via execve()	30.04.2026
CVE-2026-41226		30.04.2026
CVE-2026-5299	Uncontrolled Recursion in Wireshark	30.04.2026	5.5
CVE-2026-5401	Uncontrolled Recursion in Wireshark	30.04.2026	5.5
CVE-2026-5402	Heap-based Buffer Overflow in Wireshark	30.04.2026	8.8
CVE-2026-5406	Uncontrolled Recursion in Wireshark	30.04.2026	5.5
CVE-2026-5407	Loop with Unreachable Exit Condition ('Infinite Loop') in Wireshark	30.04.2026	5.5
CVE-2026-5408	Uncontrolled Recursion in Wireshark	30.04.2026	5.5
CVE-2026-5409	Uncontrolled Recursion in Wireshark	30.04.2026	5.5
CVE-2026-5653	Heap-based Buffer Overflow in Wireshark	30.04.2026	5.5
CVE-2026-5654	Stack-based Buffer Overflow in Wireshark	30.04.2026	5.5
CVE-2026-5655	Use After Free in Wireshark	30.04.2026	5.5
CVE-2026-5657	Double Free in Wireshark	30.04.2026	5.5
CVE-2026-6519	Loop with Unreachable Exit Condition ('Infinite Loop') in Wireshark	30.04.2026	5.5
CVE-2026-6520	Loop with Unreachable Exit Condition ('Infinite Loop') in Wireshark	30.04.2026	5.5
CVE-2026-6521	Loop with Unreachable Exit Condition ('Infinite Loop') in Wireshark	30.04.2026	5.5
CVE-2026-6522	Loop with Unreachable Exit Condition ('Infinite Loop') in Wireshark	30.04.2026	5.5
CVE-2026-6523	Loop with Unreachable Exit Condition ('Infinite Loop') in Wireshark	30.04.2026	5.5
CVE-2026-6524	Access of Uninitialized Pointer in Wireshark	30.04.2026	5.5
CVE-2026-6526	NULL Pointer Dereference in Wireshark	30.04.2026	5.5
CVE-2026-6527	Uncontrolled Recursion in Wireshark	30.04.2026	5.5
CVE-2026-6528	Loop with Unreachable Exit Condition ('Infinite Loop') in Wireshark	30.04.2026	5.5
CVE-2026-6529	Heap-based Buffer Overflow in Wireshark	30.04.2026	5.5
CVE-2026-6530	Heap-based Buffer Overflow in Wireshark	30.04.2026	5.5
CVE-2026-6531	Loop with Unreachable Exit Condition ('Infinite Loop') in Wireshark	30.04.2026	5.5
CVE-2026-6532	Buffer Over-read in Wireshark	30.04.2026	5.5
CVE-2026-6533	Improperly Controlled Sequential Memory Allocation in Wireshark	30.04.2026	5.5
CVE-2026-6534	Loop with Unreachable Exit Condition ('Infinite Loop') in Wireshark	30.04.2026	5.5
CVE-2026-6535	Improperly Controlled Sequential Memory Allocation in Wireshark	30.04.2026	5.5
CVE-2026-6536	Loop with Unreachable Exit Condition ('Infinite Loop') in Wireshark	30.04.2026	5.5
CVE-2026-6537	Stack-based Buffer Overflow in Wireshark	30.04.2026	5.5
CVE-2026-6538	Stack-based Buffer Overflow in Wireshark	30.04.2026	5.5
CVE-2026-6867	Improperly Controlled Sequential Memory Allocation in Wireshark	30.04.2026	5.5
CVE-2026-6869	Improperly Controlled Sequential Memory Allocation in Wireshark	30.04.2026	5.5
CVE-2026-6870	Access of Uninitialized Pointer in Wireshark	30.04.2026	5.5
CVE-2025-13030		30.04.2026	7.1
CVE-2026-6868	Stack-based Buffer Overflow in Wireshark	30.04.2026	5.5
CVE-2026-7375	Loop with Unreachable Exit Condition ('Infinite Loop') in Wireshark	30.04.2026	5.5
CVE-2026-7376	NULL Pointer Dereference in Wireshark	30.04.2026	5.5
CVE-2026-7378	Heap-based Buffer Overflow in Wireshark	30.04.2026	5.5
CVE-2026-7379	Missing Release of Memory after Effective Lifetime in Wireshark	30.04.2026	5.5
CVE-2026-7470	Tenda 4G300 SafeMacFilter sub_427C3C stack-based overflow	30.04.2026
CVE-2026-7469	Tenda 4G300 DelFil sub_425A28 command injection	30.04.2026
CVE-2026-7447	SourceCodester Pet Grooming Management Software update_customer.php sql injection	30.04.2026
CVE-2026-7468	1024-lab smart-admin Demo Site index.html access control	30.04.2026
CVE-2026-7445	ZachHandley ZMCPTools MCP Log Resource ResourceManager.ts path traversal	29.04.2026
CVE-2026-7446	VetCoders mcp-server-semgrep MCP index.ts create_rule os command injection	30.04.2026
CVE-2026-7443	BurtTheCoder mcp-dnstwist MCP index.ts fuzz_domain os command injection	29.04.2026
CVE-2026-6221		29.04.2026
CVE-2026-7381	Plack::Middleware::XSendfile versions through 1.0053 for Perl can allow client-controlled path rewriting	29.04.2026
CVE-2026-7419	UTT HiPER 1250GW formTaskEdit_ap strcpy buffer overflow	29.04.2026
CVE-2026-7420	UTT HiPER 1250GW ConfigAdvideo strcpy buffer overflow	29.04.2026
CVE-2026-7417	Algovate xhs-mcp MCP mcp.server.ts xhs_publish_content server-side request forgery	29.04.2026
CVE-2026-7418	UTT HiPER 1250GW NTP strcpy buffer overflow	29.04.2026
CVE-2026-7416	PolarVista xcode-mcp-server MCP index.ts run_tests os command injection	29.04.2026
CVE-2026-7409	SourceCodester Pizzafy Ecommerce System ajax.php save_user sql injection	29.04.2026
CVE-2026-7410	SourceCodester Pizzafy Ecommerce System ajax.php add_to_cart sql injection	29.04.2026
CVE-2026-7407	SourceCodester Pizzafy Ecommerce System Setting ajax.php save_settings sql injection	29.04.2026
CVE-2026-7408	SourceCodester Pizzafy Ecommerce System ajax.php save_menu sql injection	29.04.2026
CVE-2025-50328		29.04.2026
CVE-2026-1858	wget2 Improper Certificate Validation	29.04.2026	4.8
CVE-2026-7403	geldata gel-mcp server.py fetch_rule path traversal	29.04.2026
CVE-2026-7404	getsimpletool mcpo-simple-server base_manager.py delete_shared_prompt path traversal	29.04.2026
CVE-2018-25298	Merge PACS 7.0 Cross-Site Request Forgery via merge-viewer	29.04.2026
CVE-2018-25299	Prime95 29.4b8 Local Buffer Overflow via SEH	29.04.2026
CVE-2018-25300	XATABoost CMS 1.0.0 SQL Injection via news.php	29.04.2026
CVE-2018-25301	Easy MPEG to DVD Burner 1.7.11 SEH Local Buffer Overflow	29.04.2026
CVE-2018-25302	Allok AVI to DVD SVCD VCD Converter 4.0.1217 Buffer Overflow SEH	29.04.2026
CVE-2018-25303	Allok Video to DVD Burner 2.6.1217 Buffer Overflow SEH	29.04.2026
CVE-2018-25304	Free Download Manager 2.0 Built 417 Local Buffer Overflow SEH	29.04.2026
CVE-2018-25305	librsvg2-bin 2.40.13 Buffer Overflow via Malformed SVG	29.04.2026
CVE-2018-25306	PDFunite 0.41.0 Buffer Overflow via Malformed PDF	29.04.2026
CVE-2018-25307	SysGauge Pro 4.6.12 Local Buffer Overflow SEH	29.04.2026
CVE-2018-25308	BuddyPress Xprofile Custom Fields Type 2.6.3 Remote Code Execution	29.04.2026
CVE-2018-25309	MyBB Recent threads 17.0 Persistent Cross-Site Scripting	29.04.2026
CVE-2018-25310	VideoFlow Digital Video Protection DVP 10 Authenticated Remote Code Execution	29.04.2026
CVE-2018-25311	VideoFlow Digital Video Protection DVP 10 Authenticated Directory Traversal 2.10 (X-Prototype-Version: 1.6.0.2)	29.04.2026
CVE-2018-25312	LifeSize ClearSea 3.1.4 Directory Traversal Remote Code Execution	29.04.2026
CVE-2018-25313	SysGauge 4.5.18 Local Denial of Service via Proxy Configuration	29.04.2026
CVE-2018-25314	Allok soft WMV to AVI MPEG DVD WMV Converter 4.6.1217 Buffer Overflow	29.04.2026
CVE-2018-25315	Alloksoft Video joiner 4.6.1217 Buffer Overflow via License Name	29.04.2026
CVE-2018-25316	Tenda W308R v2 V5.07.48 Cookie Session Weakness DNS Change	29.04.2026
CVE-2018-25317	Tenda W3002R/A302/W309R V5.07.64_en Cookie Session Weakness DNS Change	29.04.2026
CVE-2018-25318	Tenda FH303/A300 V5.07.68_EN Cookie Session Weakness DNS Change	29.04.2026
CVE-2026-34965	Cockpit CMS Authenticated Remote Code Execution via Collections	29.04.2026	8.8
CVE-2026-7400	geekgod382 filesystem-mcp-server read_file_tool/write_file_tool server.py is_path_allowed path traversal	29.04.2026
CVE-2026-7401	SourceCodester CET Automated Grading System with AI Predictive Analytics Registration index.php register cross site scripting	29.04.2026
CVE-2026-7425	Out-of-Bounds Read in Router Advertisement Option Parser in FreeRTOS-Plus-TCP	29.04.2026	6.5
CVE-2026-7426	Out-of-Bounds Write via Unsanitized Prefix Length in Router Advertisement Processing in FreeRTOS-Plus-TCP	29.04.2026	8.1
CVE-2026-27105		29.04.2026	6.3
CVE-2026-7398	florensiawidjaja BioinfoMCP Upload Endpoint app.py upload path traversal	29.04.2026
CVE-2026-7422	MAC Address Validation Bypass in FreeRTOS-Plus-TCP IPv4 and IPv6 Packet Processing	29.04.2026	6.5
CVE-2026-7423	Integer Underflow in ICMP Echo Reply Processing in FreeRTOS-Plus-TCP	29.04.2026	5.3
CVE-2026-7424	Integer Underflow in DHCPv6 Sub-Option Parser in FreeRTOS-Plus-TCP	29.04.2026	8.1
CVE-2026-7466	AgentFlow Arbitrary Python Pipeline Execution via pipeline_path	29.04.2026
CVE-2026-26206	Wazuh: API brute-force protection bypass via race condition in login attempt tracking	29.04.2026	6.5
CVE-2026-28221	Wazuh: Pre-auth stack-based buffer overflow in wazuh-remoted print_hex_string() due to signed char promotion on x86_64	29.04.2026	6.5
CVE-2026-30893	Wazuh cluster sync path traversal in decompress_files() enables arbitrary file write and code execution from authenticated cluster peer	29.04.2026	9
CVE-2026-41499	Wazuh: Multiple Heap-based NULL WRITE Buffer Underflows in parse_uname_string()	29.04.2026	6.5
CVE-2026-7397	NousResearch hermes-agent file_tools.py _check_sensitive_path symlink	29.04.2026
CVE-2026-7439	AgentFlow Local Web API Content-Type Validation Bypass	29.04.2026
CVE-2026-26015	Unauthenticated RCE in DocsGPT MCP STDIO Configuration	29.04.2026
CVE-2026-26204	Wazuh: Heap-based NULL WRITE Buffer Underflow in GetAlertData	29.04.2026	4.4
CVE-2026-5712	IdentityIQ Role Editor Incorrect Authorization Vulnerability	30.04.2026	8
CVE-2026-7394	SourceCodester Pizzafy Ecommerce System GET Parameter view_order.php sql injection	29.04.2026
CVE-2026-7396	NousResearch hermes-agent WeChat Work Platform Adapter wecom.py path traversal	29.04.2026
CVE-2026-6914	MD5 checksum creation may cause availability loss	29.04.2026
CVE-2026-6915	Flaw in the updateUser Command May Allow Unauthorized Configuration Change	29.04.2026
CVE-2026-7392	SourceCodester Pharmacy Sales and Inventory System ajax.php delete_supplier sql injection	29.04.2026
CVE-2026-7393	SourceCodester Pizzafy Ecommerce System File Extension admin_class_novo.php save_menu unrestricted upload	29.04.2026
CVE-2026-0204		30.04.2026
CVE-2026-0205		29.04.2026
CVE-2026-0206		29.04.2026
CVE-2026-7391	SourceCodester Pharmacy Sales and Inventory System ajax.php save_supplier sql injection	29.04.2026
CVE-2025-56534		29.04.2026
CVE-2025-56535		29.04.2026
CVE-2025-56536		29.04.2026
CVE-2025-56537		29.04.2026
CVE-2026-2810	Endpoint DLP Driver Out-of-Bounds Read	29.04.2026
CVE-2026-30769		29.04.2026
CVE-2026-37555		29.04.2026
CVE-2026-40229	Helpy 2.8.0 - Stored XSS in post author display via PostsHelper	29.04.2026
CVE-2026-40230	Helpy 2.8.0 - Stored XSS in knowledgebase Doc body rendering	29.04.2026
CVE-2026-42198	pgjdbc: Unbounded PBKDF2 iterations in SCRAM authentication allows CPU exhaustion DoS	29.04.2026	7.5
CVE-2026-7389	EyouCMS common.php GetSortData sql injection	29.04.2026
CVE-2026-7390	SourceCodester Pharmacy Sales and Inventory System index.php customer cross site scripting	29.04.2026
CVE-2026-38991		29.04.2026
CVE-2026-38993		29.04.2026
CVE-2026-41940	cPanel and WHM Authentication Bypass via Login Flow	30.04.2026
CVE-2026-5166	Path Traversal in TUBITAK BILGEM's Pardus Software Center	29.04.2026	9.6
CVE-2026-6849	OS Command Injection in TUBITAK BILGEM's Pardus OS My Computer	29.04.2026	8.8
CVE-2026-7386	fatbobman mail-mcp-bridge mail_mcp_server.py path traversal	29.04.2026
CVE-2026-7388	EyouCMS Template File FilemanagerLogic.php editFile code injection	29.04.2026
CVE-2026-25852		29.04.2026
CVE-2026-36837		29.04.2026
CVE-2026-36841		29.04.2026
CVE-2026-38992		29.04.2026
CVE-2026-41220		29.04.2026
CVE-2026-41952		29.04.2026
CVE-2026-5141	Improper Access Control in TUBITAK BILGEM's Pardus Software Center	29.04.2026	8.8
CVE-2026-5161	Improper Authentication in TUBITAK BILGEM's Pardus About	29.04.2026	8.8
CVE-2026-7111	Text::CSV_XS versions before 1.62 for Perl have a use-after-free when registered callbacks extend the Perl argument stack, which may enable type confusion or memory corruption	29.04.2026
CVE-2026-7384	ezequiroga mcp-bases research_server.py search_papers path traversal	29.04.2026
CVE-2026-42519		29.04.2026
CVE-2026-42520		29.04.2026
CVE-2026-42521		29.04.2026
CVE-2026-42522		29.04.2026
CVE-2026-42523		29.04.2026
CVE-2026-42524		29.04.2026
CVE-2026-42525		29.04.2026
CVE-2026-5140	Authorization Bypass in TUBITAK BILGEM's Pardus Update	29.04.2026	8.8
CVE-2026-22741	Static resource cache poisoning in Spring MVC and WebFlux	29.04.2026	3.1
CVE-2026-22745	CVE-2026-22745 : Denial of service in static resource handling on Windows platforms	29.04.2026	5.3
CVE-2026-2902	WP Meteor Website Speed Optimization Addon <= 3.4.16 - Unauthenticated Stored Cross-Site Scripting via Comment	29.04.2026	6.1
CVE-2026-42248	Missing Signature Verification for Updates in Ollama	29.04.2026
CVE-2026-42249	Remote Code Execution in Ollama via Update Mechanism	29.04.2026