CVE Field Guide

Critical CVEs

CVE Title Updated Score
CVE-2026-33746 Convoy: JWT Signature Verification Bypass Allows Authentication as Arbitrary Users 02.04.2026 9.8
CVE-2026-32871 FastMCP OpenAPI Provider has an SSRF & Path Traversal Vulnerability 02.04.2026 10
CVE-2026-35002 Agno < 2.3.24 field_type Eval Injection Arbitrary Code Execution 02.04.2026 9.3
CVE-2026-2699 EAR vulnerability in Progress ShareFile Storage Zones Controller (SZC) 02.04.2026 9.8
CVE-2026-2701 RCE vulnerability in Progress ShareFile Storage Zones Controller (SZC) 02.04.2026 9.1
CVE-2026-33615 MB connect line mbCONNECT24 vulnerable to an unauthenticated SQL injection in the setinfo Endpoint 02.04.2026 9.1
CVE-2026-34563 CI4MS: Backup Management Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM Blind XSS 01.04.2026 9.1
CVE-2026-34564 CI4MS: Menu Management (Pages) Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS 02.04.2026 9.1
CVE-2026-34565 CI4MS: Menu Management (Posts) Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS 01.04.2026 9.1
CVE-2026-34566 CI4MS: Pages Management Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS 01.04.2026 9.1
CVE-2026-34567 CI4MS: Blogs Posts (Categories) Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS 01.04.2026 9.1
CVE-2026-34568 CI4MS: Blogs Posts Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS 02.04.2026 9.1
CVE-2026-34569 CI4MS: Blogs Categories Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS 01.04.2026 10
CVE-2026-34570 CI4MS: Account Deletion Module Full Persistent Unauthorized Access for All‑Roles via Improper Session Invalidation (Logic Flaw) 01.04.2026 10
CVE-2026-34571 CI4MS: Stored Cross‑Site Scripting (Stored XSS) in Backend User Management Allows Session Hijacking and Full Administrative Account Compromise 01.04.2026 10
CVE-2026-34559 CI4MS: Blogs Tags Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS 01.04.2026 9.1
CVE-2026-34560 CI4MS: Logs Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS 02.04.2026 9.1
CVE-2026-34456 Reviactyl: OAuth account takeover via auto-linking 02.04.2026 9.1
CVE-2026-34751 Payload has Unvalidated Input in Password Recovery Endpoints 01.04.2026 9.1
CVE-2026-34159 llama.cpp: Unauthenticated RCE via GRAPH_COMPUTE buffer=0 bypass in llama.cpp RPC backend 02.04.2026 9.8
CVE-2026-20093 Cisco Integrated Management Controller Authentication Bypass Vulnerability 02.04.2026 9.8
CVE-2026-20160 Cisco Smart Software Manager On-Prem Arbitrary Command Execution Vulnerability 02.04.2026 9.8
CVE-2026-29014 MetInfo CMS Unauthenticated PHP Code Injection RCE 01.04.2026 9.3
CVE-2026-4370 Improper TLS Client/Server authentication and certificate verification on Database Cluster 01.04.2026 10
CVE-2025-71279 XenForo Passkey Security Bypass 01.04.2026 9.3
CVE-2026-34448 SiYuan: Stored XSS in Attribute View gallery/kanban cover rendering allows arbitrary command execution in the desktop client 31.03.2026 9.1
CVE-2026-34449 SiYuan: Cross-Origin RCE via Permissive CORS Policy and JavaScript Snippet Injection 01.04.2026 9.7
CVE-2026-34406 APTRS: Privilege Escalation via Mass Assignment of is_superuser in User Edit Endpoint 31.03.2026 9.4
CVE-2026-1579 PX4 Autopilot Missing authentication for critical function 31.03.2026 9.3
CVE-2026-3356 Missing Authentication for Critical Function vulnerability in Anritsu Remote Spectrum Monitor 01.04.2026 9.3
CVE-2026-34361 HAPI FHIR: Unauthenticated SSRF via /loadIG Chains with startsWith() Credential Leak for Authentication Token Theft 31.03.2026 9.3
CVE-2026-34243 wenxian: Command Injection in GitHub Actions Workflow via `issue_comment.body` 02.04.2026 9.8
CVE-2026-34220 MikroORM is vulnerable to SQL Injection via specially crafted object 02.04.2026 9.3
CVE-2026-0596 Command Injection in mlflow/mlflow 01.04.2026 9.6
CVE-2026-34532 Parse Server: Cloud function validator bypass via prototype chain traversal 31.03.2026 9.1
CVE-2026-34162 FastGPT: Unauthenticated SSRF via httpTools Endpoint Leads to Internal API Key Theft 31.03.2026 10
CVE-2026-34202 Zebra node crash — V5 transaction hash panic (P2P reachable) 31.03.2026 9.2
CVE-2026-34156 NocoBase Affected by Sandbox Escape to RCE via console._stdout Prototype Chain Traversal in Workflow Script Node 02.04.2026 10
CVE-2026-32916 OpenClaw 2026.3.7 < 2026.3.11 - Authorization Bypass in Plugin Subagent Routes via Synthetic Admin Scopes 31.03.2026 9.2
CVE-2026-32917 OpenClaw < 2026.3.13 - Remote Command Injection via Unsanitized iMessage Attachment Paths in SCP 31.03.2026 9.2
CVE-2026-4317 SQL injection in Umami Software application 31.03.2026 9.3
CVE-2026-3106 Multiple vulnerabilities in Teampass 31.03.2026 9.3
CVE-2026-3107 Multiple vulnerabilities in Teampass 31.03.2026 9.3
CVE-2026-32714 SciTokens vulnerable to SQL Injection in KeyCache 31.03.2026 9.8
CVE-2026-3300 Everest Forms Pro <= 1.9.12 - Unauthenticated Remote Code Execution via Calculation Field 31.03.2026 9.8
CVE-2026-21861 baserCMS: OS Command Injection Leading to Remote Code Execution (RCE) 31.03.2026 9.1
CVE-2026-30877 baserCMS: OS Command Injection in the baserCMS Update Functionality 02.04.2026 9.1
CVE-2026-30880 baserCMS: OS command injection vulnerability in installer 31.03.2026 9.2
CVE-2026-4257 Contact Form by Supsystic <= 1.7.36 - Unauthenticated Server-Side Template Injection via Prefill Functionality 31.03.2026 9.8
CVE-2026-31946 OpenOLAT: Authentication bypass via forged JWT in OIDC implicit flow 31.03.2026 9.8
CVE-2026-34557 CI4MS: Permissions Management Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS 31.03.2026 9.1
CVE-2026-34558 CI4MS: Methods Management Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS 31.03.2026 9.1
CVE-2026-33026 nginx-ui Backup Restore Allows Tampering with Encrypted Backups 31.03.2026 9.4
CVE-2026-34714 02.04.2026 9.2
CVE-2026-33032 Nginx UI: Unauthenticated MCP Endpoint Allows Remote Nginx Takeover 30.03.2026 9.8
CVE-2026-4415 GIGABYTE|Gigabyte Control Center - Arbitrary File Write 31.03.2026 9.2
CVE-2025-15379 Command Injection in mlflow/mlflow 31.03.2026 10
CVE-2025-15036 Path Traversal Vulnerability in mlflow/mlflow 31.03.2026 9.6
CVE-2026-32915 OpenClaw < 2026.3.11 - Sandbox Boundary Bypass via Subagent Control Surface 30.03.2026 9.3
CVE-2026-32918 OpenClaw < 2026.3.11 - Session Sandbox Escape via session_status Tool 30.03.2026 9.2
CVE-2026-32922 OpenClaw < 2026.3.11 - Privilege Escalation via Unvalidated Scope in device.token.rotate 30.03.2026 9.4
CVE-2026-32978 OpenClaw < 2026.3.11 - Approval Bypass via Unrecognized Script Runners 30.03.2026 9.4
CVE-2026-32987 OpenClaw < 2026.3.13 - Bootstrap Setup Code Replay via Device Pairing 30.03.2026 9.3
CVE-2016-20049 JAD 1.5.8e-1kali1 Stack-Based Buffer Overflow Remote Code Execution 30.03.2026 9.3
CVE-2017-20225 TiEmu 2.08 Stack-Based Buffer Overflow Vulnerability 30.03.2026 9.3
CVE-2017-20227 JAD 1.5.8e-1kali1 Stack-Based Buffer Overflow 01.04.2026 9.3
CVE-2017-20229 MAWK 1.3.3-17 Stack-Based Buffer Overflow 30.03.2026 9.3
CVE-2018-25220 Bochs 2.6-5 Buffer Overflow Remote Code Execution 30.03.2026 9.3
CVE-2018-25221 EChat Server 3.1 Buffer Overflow via chat.ghp username Parameter 30.03.2026 9.3
CVE-2018-25223 Crashmail 1.6 Stack-based Buffer Overflow Remote Code Execution 01.04.2026 9.3
CVE-2026-33992 pyLoad: Server-Side Request Forgery via Download Link Submission Enables Cloud Metadata Exfiltration 30.03.2026 9.3
CVE-2026-33976 Notesnook vulnerable to RCE via stored XSS in Web Clipper rendering 01.04.2026 9.7
CVE-2026-33937 Handlebars.js has JavaScript Injection via AST Type Confusion 01.04.2026 9.8
CVE-2026-33875 Authenticator Vulnerable to Authentication Flow Hijack 30.03.2026 9.3
CVE-2026-33873 Langflow has Authenticated Code Execution in Agentic Assistant Validation 02.04.2026 9.3
CVE-2026-34205 Home Assistant: Unauthenticated App (Add-on) Endpoints Exposed to Local Network via Host Network Mode 01.04.2026 9.7
CVE-2026-34374 AVideo has SQL Injection in Live_schedule::keyExists() via Unparameterized Stream Key 27.03.2026 9.1
CVE-2026-33867 AVideo has Plaintext Video Password Storage 27.03.2026 9.1
CVE-2026-27876 RCE on Grafana via sqlExpressions 02.04.2026 9.1
CVE-2026-1496 Coverity CLI Authentication Bypass 27.03.2026 9.3
CVE-2026-33757 OpenBao lacks user confirmation for OIDC direct callback mode 01.04.2026 9.6
CVE-2026-33758 OpenBao has Reflected XSS in its OIDC authentication error message 27.03.2026 9.4
CVE-2026-22738 SpEL Injection via Unescaped Filter Key in SimpleVectorStore Leads to Remote Code Execution 28.03.2026 9.8
CVE-2026-33701 OpenTelemetry: Unsafe Deserialization in RMI Instrumentation may Lead to Remote Code Execution 27.03.2026 9.3
CVE-2026-33728 dd-trace-java: Unsafe deserialization in RMI instrumentation may lead to remote code execution 27.03.2026 9.3
CVE-2026-33945 Arbitrary file write through systemd-creds option 27.03.2026 10
CVE-2026-33897 Incus vulnerable to arbitrary file read and write through pongo templates 27.03.2026 10
CVE-2026-33669 SiYuan has Arbitrary Document Reading within the Publishing Service 27.03.2026 9.8
CVE-2026-33670 SiYuan has directory traversal within its publishing service 30.03.2026 9.8
CVE-2026-33640 Outline has a rate limit bypass that allows brute force of email login OTP 01.04.2026 9.1
CVE-2026-33152 Tandoor Recipes Vulnerable to Unrestricted Brute-Force via BasicAuthentication 26.03.2026 9.1

Latest Updates

CVE Title Updated Score
CVE-2026-30332 02.04.2026 7.5
CVE-2026-5351 Trendnet TEW-657BRM setup.cgi add_wps_client os command injection 02.04.2026
CVE-2026-33691 OWASP CRS: Whitespace padding in filenames bypasses file upload extension checks 02.04.2026 6.8
CVE-2026-33746 Convoy: JWT Signature Verification Bypass Allows Authentication as Arbitrary Users 02.04.2026 9.8
CVE-2026-34876 02.04.2026
CVE-2026-5349 Trendnet TEW-657BRM setup.cgi add_apcdb stack-based overflow 02.04.2026
CVE-2026-5350 Trendnet TEW-657BRM setup.cgi update_pcdb stack-based overflow 02.04.2026
CVE-2026-32629 phpMyFAQ: Stored XSS via Unsanitized Email Field in Admin FAQ Editor 02.04.2026
CVE-2026-32871 FastMCP OpenAPI Provider has an SSRF & Path Traversal Vulnerability 02.04.2026
CVE-2026-33533 Glances Vulnerable to Cross-Origin System Information Disclosure via XML-RPC Server CORS Wildcard 02.04.2026
CVE-2026-33544 Tinyauth has OAuth account confusion via shared mutable state on singleton service instances 02.04.2026 7.7
CVE-2026-33641 Glances Vulnerable to Command Injection via Dynamic Configuration Values 02.04.2026 7.8
CVE-2026-34728 phpMyFAQ: Path Traversal - Arbitrary File Deletion in MediaBrowserController 02.04.2026 8.7
CVE-2026-34729 phpMyFAQ: Stored XSS via Regex Bypass in Filter::removeAttributes() 02.04.2026 6.1
CVE-2026-34790 Endian Firewall /cgi-bin/backup.cgi remove ARCHIVE Directory Traversal 02.04.2026
CVE-2026-34791 Endian Firewall /cgi-bin/logs_proxy.cgi DATE Perl Command Injection 02.04.2026
CVE-2026-34792 Endian Firewall /cgi-bin/logs_clamav.cgi DATE Perl Command Injection 02.04.2026
CVE-2026-34793 Endian Firewall /cgi-bin/logs_firewall.cgi DATE Perl Command Injection 02.04.2026
CVE-2026-34794 Endian Firewall /cgi-bin/logs_ids.cgi DATE Perl Command Injection 02.04.2026
CVE-2026-34795 Endian Firewall /cgi-bin/logs_log.cgi DATE Perl Command Injection 02.04.2026
CVE-2026-34796 Endian Firewall /cgi-bin/logs_openvpn.cgi DATE Perl Command Injection 02.04.2026
CVE-2026-34797 Endian Firewall /cgi-bin/logs_smtp.cgi DATE Perl Command Injection 02.04.2026
CVE-2026-34798 Endian Firewall /cgi-bin/routing.cgi remark Stored Cross-Site Scripting 02.04.2026
CVE-2026-34799 Endian Firewall /manage/dnsmasq/hosts/ remark Stored Cross-Site Scripting 02.04.2026
CVE-2026-34800 Endian Firewall /cgi-bin/uplinkeditor.cgi NAME Stored Cross-Site Scripting 02.04.2026
CVE-2026-34801 Endian Firewall /manage/dhcp/fixed_leases/ remark Stored Cross-Site Scripting 02.04.2026
CVE-2026-34802 Endian Firewall /cgi-bin/salearn.cgi remark user ham spam Stored Cross-Site Scripting 02.04.2026
CVE-2026-34803 Endian Firewall /manage/qos/classes/ name Stored Cross-Site Scripting 02.04.2026
CVE-2026-34804 Endian Firewall /manage/qos/rules/ dscp Stored Cross-Site Scripting 02.04.2026
CVE-2026-34805 Endian Firewall /cgi-bin/dnat.cgi remark Stored Cross-Site Scripting 02.04.2026
CVE-2026-34806 Endian Firewall /cgi-bin/snat.cgi remark Stored Cross-Site Scripting 02.04.2026
CVE-2026-34807 Endian Firewall /cgi-bin/incoming.cgi remark Stored Cross-Site Scripting 02.04.2026
CVE-2026-34808 Endian Firewall /cgi-bin/outgoingfw.cgi remark Stored Cross-Site Scripting 02.04.2026
CVE-2026-34809 Endian Firewall /cgi-bin/zonefw.cgi remark Stored Cross-Site Scripting 02.04.2026
CVE-2026-34810 Endian Firewall /cgi-bin/vpnfw.cgi remark Stored Cross-Site Scripting 02.04.2026
CVE-2026-34811 Endian Firewall /cgi-bin/xtaccess.cgi remark Stored Cross-Site Scripting 02.04.2026
CVE-2026-34812 Endian Firewall /cgi-bin/proxypolicy.cgi mimetypes Stored Cross-Site Scripting 02.04.2026
CVE-2026-34813 Endian Firewall /cgi-bin/proxyuser.cgi user Stored Cross-Site Scripting 02.04.2026
CVE-2026-34814 Endian Firewall /cgi-bin/proxygroup.cgi group Stored Cross-Site Scripting 02.04.2026
CVE-2026-34815 Endian Firewall /cgi-bin/smtpdomains.cgi DOMAIN Stored Cross-Site Scripting 02.04.2026
CVE-2026-34816 Endian Firewall /manage/smtpscan/domainrouting/ domain Stored Cross-Site Scripting 02.04.2026
CVE-2026-34817 Endian Firewall /cgi-bin/smtprouting.cgi ADDRESS BCC Stored Cross-Site Scripting 02.04.2026
CVE-2026-34818 Endian Firewall /manage/dnsmasq/localdomains/ remark Stored Cross-Site Scripting 02.04.2026
CVE-2026-34819 Endian Firewall /cgi-bin/openvpnclient.cgi REMARK Stored Cross-Site Scripting 02.04.2026
CVE-2026-34820 Endian Firewall /manage/ipsec/ remark Stored Cross-Site Scripting 02.04.2026
CVE-2026-34821 Endian Firewall /manage/vpnauthentication/user/ remark Stored Cross-Site Scripting 02.04.2026
CVE-2026-34822 Endian Firewall /manage/ca/certificate/ new_cert_name Stored Cross-Site Scripting 02.04.2026
CVE-2026-34823 Endian Firewall /manage/password/web/ remark Stored Cross-Site Scripting 02.04.2026
CVE-2026-34973 phpMyFAQ has a LIKE Wildcard Injection in Search.php — Unescaped % and _ Metacharacters Enable Broad Content Disclosure 02.04.2026
CVE-2026-34974 phpMyFAQ: SVG Sanitizer Bypass via HTML Entity Encoding leads to Stored XSS and Privilege Escalation 02.04.2026 5.4
CVE-2026-5344 Textpattern XML-RPC TXP_RPCServer.php mt_uploadImage path traversal 02.04.2026
CVE-2026-5346 huimeicloud hm_editor image-to-base64 Endpoint mcp-server.js client.get server-side request forgery 02.04.2026
CVE-2026-31934 Suricata smtp/mime: quadratic complexity in extracting urls 02.04.2026 7.5
CVE-2026-31935 Suricata http2: unbounded resource consumption 02.04.2026 7.5
CVE-2026-31937 Suricata dcerpc: quadratic complexity in dcerpc buffering 02.04.2026 7.5
CVE-2026-35002 Agno < 2.3.24 field_type Eval Injection Arbitrary Code Execution 02.04.2026
CVE-2026-5339 Tenda G103 Setting gpon.lua action_set_net_settings command injection 02.04.2026
CVE-2026-5342 LibRaw TIFF/NEF decoders_libraw.cpp nikon_load_padded_packed_raw out-of-bounds 02.04.2026
CVE-2026-26927 URL (HTTP Origin) call location spoofing in Szafir SDK Web 02.04.2026
CVE-2026-26928 Lack of Dynamic Library Validation in SzafirHost 02.04.2026
CVE-2026-28805 OpenSTAManager: Time-Based Blind SQL Injection via `options[stato]` Parameter 02.04.2026 8.8
CVE-2026-29782 OpenSTAManager: Remote Code Execution via Insecure Deserialization in OAuth2 02.04.2026 7.2
CVE-2026-30867 CocoaMQTT: Denial of Service via Reachable Assertion in `PUBLISH` Packet Parsing 02.04.2026 5.7
CVE-2026-31931 Suricata tls: null dereference in tls.alpn rule keyword 02.04.2026 7.5
CVE-2026-31932 Suricata krb5: quadratic complexity in krb5 buffering 02.04.2026 7.5
CVE-2026-31933 Suricata stream: quadratic complexity in stream inspection 02.04.2026 7.5
CVE-2026-35168 OpenSTAManager: SQL Injection via Aggiornamenti Module 02.04.2026 8.8
CVE-2026-5334 itsourcecode Online Enrollment System Parameter index.php sql injection 02.04.2026
CVE-2026-5338 Tenda G103 Setting system.lua action_set_system_settings command injection 02.04.2026
CVE-2026-2699 EAR vulnerability in Progress ShareFile Storage Zones Controller (SZC) 02.04.2026 9.8
CVE-2026-2701 RCE vulnerability in Progress ShareFile Storage Zones Controller (SZC) 02.04.2026 9.1
CVE-2026-2737 Possibility of unintended actions when an administrator clicks a malicious link in the Progress Flowmon web application 02.04.2026
CVE-2026-3692 Unintended command execution during report generation in Progress Flowmon 02.04.2026
CVE-2026-5332 Xiaopi Panel WAF Firewall demo.php cross site scripting 02.04.2026
CVE-2026-5333 DefaultFuction Content-Management-System tools.php command injection 02.04.2026
CVE-2026-34890 WordPress MSTW League Manager plugin <= 2.10 - Cross Site Scripting (XSS) vulnerability 02.04.2026 6.5
CVE-2026-3872 Keycloak: keycloak: information disclosure due to redirect_uri validation bypass 02.04.2026
CVE-2026-4282 Keycloak: keycloak: privilege escalation via forged authorization codes due to singleuseobjectprovider isolation flaw 02.04.2026
CVE-2026-4325 Keycloak: keycloak: replay of action tokens via improper handling of single-use entries 02.04.2026
CVE-2026-4634 Keycloak: keycloak: denial of service via excessive processing of openid connect scope parameters 02.04.2026
CVE-2026-4636 Keycloak: keycloak: uma policy bypass allows authenticated users to gain unauthorized access to victim-owned resources. 02.04.2026
CVE-2026-5330 SourceCodester/mayuri_k Best Courier Management System User Delete ajax.php access control 02.04.2026
CVE-2026-5331 OpenCart Extension Installer installer.php path traversal 02.04.2026
CVE-2026-5328 shsuishang modulithshop ProductItemDao ProductIndexServiceImpl.java listItem sql injection 02.04.2026
CVE-2026-23412 netfilter: bpf: defer hook memory release until rcu readers are done 02.04.2026
CVE-2026-23413 clsact: Fix use-after-free in init/destroy rollback asymmetry 02.04.2026
CVE-2026-23414 tls: Purge async_hold in tls_decrypt_async_wait() 02.04.2026
CVE-2026-23415 futex: Fix UaF between futex_key_to_node_opt() and vma_replace_policy() 02.04.2026
CVE-2026-23416 mm/mseal: update VMA end correctly on merge 02.04.2026
CVE-2026-23417 bpf: Fix constant blinding for PROBE_MEM32 stores 02.04.2026
CVE-2026-5327 efforthye fast-filesystem-mcp index.ts handleGetDiskUsage command injection 02.04.2026
CVE-2026-5326 SourceCodester Leave Application System User Information index.php authorization 02.04.2026
CVE-2026-32145 Multipart form body parser bypasses body size limits in wisp 02.04.2026
CVE-2026-5246 Cesanta Mongoose P-384 Public Key mongoose.c mg_tls_verify_cert_signature authorization 02.04.2026
CVE-2026-33613 MB connect line mbCONNECT24 vulnerable to RCE in generateSrpArray 02.04.2026 7.2
CVE-2026-33614 MB connect line mbCONNECT24 vulnerable to an unauthenticated SQL injection in the getinfo endpoint 02.04.2026 7.5
CVE-2026-33615 MB connect line mbCONNECT24 vulnerable to an unauthenticated SQL injection in the setinfo Endpoint 02.04.2026 9.1
CVE-2026-33616 MB connect line mbCONNECT24 vulnerable to an unauthenticated SQL injection in the mb24api Endpoint 02.04.2026 7.5
CVE-2026-33617 MB connect line mbCONNECT24 vulnerable to an unauthenticated information disclosure in the data24 Endpoint 02.04.2026 5.3
CVE-2026-5245 Cesanta Mongoose mDNS Record mongoose.c handle_mdns_record stack-based overflow 02.04.2026
CVE-2026-0634 Code Execution in AssistFeedbackService on TECNO Pova7 Pro 5G 02.04.2026
CVE-2026-29131 PGP Decryption Recipient LDAP Injection 02.04.2026
CVE-2026-29136 CA Notification HTML Injection 02.04.2026
CVE-2026-29137 Long Subject Untagging 02.04.2026
CVE-2026-29138 PGP Decryption Sender LDAP Injection 02.04.2026
CVE-2026-29139 GINA State Confusion Account Takeover 02.04.2026
CVE-2026-29141 Bounded Subject Tag Sanitization 02.04.2026
CVE-2026-29142 Plaintext secure-mail.html 02.04.2026
CVE-2026-29143 S/MIME Decryption Impersonation 02.04.2026
CVE-2026-29144 Unicode Subject Tags 02.04.2026
CVE-2026-29132 ESWmail-Verify Bypass 02.04.2026
CVE-2026-29133 UID Regex Bypass 02.04.2026
CVE-2026-29134 GINA Domain Switch 02.04.2026
CVE-2026-29135 Webmail Password Tag Sanitization Bypass 02.04.2026
CVE-2026-29140 S/MIME Signature Additional Certificate 02.04.2026
CVE-2026-5244 Cesanta Mongoose TLS 1.3 mongoose.c mg_tls_recv_cert heap-based overflow 02.04.2026
CVE-2026-0686 Webmention <= 5.6.2 - Unauthenticated Blind Server-Side Request Forgery 02.04.2026 7.2
CVE-2026-0688 Webmention <= 5.6.2 - Authenticated (Subscriber+) Server-Side Request Forgery 02.04.2026 6.4
CVE-2026-5032 W3 Total Cache <= 2.9.3 - Unauthenticated Security Token Exposure via User-Agent Header 02.04.2026 7.5
CVE-2026-5325 SourceCodester Simple Customer Relationship Management System Create Ticket create-ticket.php cross site scripting 02.04.2026
CVE-2026-5323 priyankark a11y-mcp index.js A11yServer server-side request forgery 02.04.2026
CVE-2026-1540 Spam Protect for Contact Form 7 < 1.2.10 - Editor+ Remote Code Execution 02.04.2026
CVE-2026-4347 MW WP Form <= 5.1.0 - Unauthenticated Arbitrary File Move via move_temp_file_to_upload_dir 02.04.2026 8.1
CVE-2026-5322 AlejandroArciniegas mcp-data-vis MCP server.js request sql injection 02.04.2026
CVE-2026-5321 vanna-ai vanna FastAPI/Flask Server cross-domain policy 02.04.2026
CVE-2026-5320 vanna-ai vanna Chat API Endpoint v2 missing authentication 02.04.2026
CVE-2026-5319 itsourcecode Payroll Management System navbar.php cross site scripting 02.04.2026
CVE-2026-5318 LibRaw JPEG DHT losslessjpeg.cpp initval out-of-bounds write 02.04.2026
CVE-2026-1243 IBM Content Navigator is affected by a Cross-Site Scripting (XSS) vulnerability 02.04.2026 5.4
CVE-2026-5317 Nothings stb stb_vorbis.c start_decoder out-of-bounds write 02.04.2026
CVE-2026-5316 Nothings stb stb_vorbis.c setup_free allocation of resources 02.04.2026
CVE-2026-21767 HCL BigFix Platform is affected by insufficient authentication 01.04.2026 4
CVE-2026-21765 HCL BigFix Platform is affected by insecure permissions on private cryptographic keys 01.04.2026 8.8
CVE-2026-5315 Nothings stb TTF File stb_truetype.h stbtt__buf_get8 out-of-bounds 02.04.2026
CVE-2025-66483 Multiple vulnerabilities have been addressed in IBM Aspera Shares 02.04.2026 6.3
CVE-2025-66484 Multiple vulnerabilities have been addressed in IBM Aspera Shares 02.04.2026 5.5
CVE-2025-66485 Multiple vulnerabilities have been addressed in IBM Aspera Shares 01.04.2026 5.4
CVE-2025-66486 Multiple vulnerabilities have been addressed in IBM Aspera Shares 01.04.2026 4.8
CVE-2025-66487 Multiple vulnerabilities have been addressed in IBM Aspera Shares 02.04.2026 2.7
CVE-2026-32925 02.04.2026 7.8
CVE-2026-32926 02.04.2026 7.8
CVE-2026-32927 02.04.2026 7.8
CVE-2026-32928 02.04.2026 7.8
CVE-2026-32929 02.04.2026 7.8
CVE-2025-36375 IBM DataPower Gateway vulnerable to CSRF 01.04.2026 6.5
CVE-2025-0711 01.04.2026
CVE-2026-3882 01.04.2026
CVE-2026-4759 01.04.2026
CVE-2026-5314 Nothings stb TTF File stb_truetype.h stbtt_InitFont_internal out-of-bounds 02.04.2026
CVE-2026-34561 CI4MS: System Settings (Social Media Management) Full Platform Compromise & Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS 01.04.2026 4.7
CVE-2026-34562 CI4MS: System Settings (Company Information) Full Platform Compromise & Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS 01.04.2026 4.7
CVE-2026-34563 CI4MS: Backup Management Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM Blind XSS 01.04.2026 9.1
CVE-2026-34564 CI4MS: Menu Management (Pages) Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS 02.04.2026 9.1
CVE-2026-34565 CI4MS: Menu Management (Posts) Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS 01.04.2026 9.1
CVE-2026-34566 CI4MS: Pages Management Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS 01.04.2026 9.1
CVE-2026-34567 CI4MS: Blogs Posts (Categories) Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS 01.04.2026 9.1
CVE-2026-34568 CI4MS: Blogs Posts Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS 02.04.2026 9.1
CVE-2026-34569 CI4MS: Blogs Categories Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS 01.04.2026 10
CVE-2026-34570 CI4MS: Account Deletion Module Full Persistent Unauthorized Access for All‑Roles via Improper Session Invalidation (Logic Flaw) 01.04.2026
CVE-2026-34571 CI4MS: Stored Cross‑Site Scripting (Stored XSS) in Backend User Management Allows Session Hijacking and Full Administrative Account Compromise 01.04.2026 10
CVE-2026-34572 CI4MS: Account Deactivation Module Full Persistent Unauthorized Access for All‑Roles via Improper Session Invalidation (Logic Flaw) 02.04.2026 8.8
CVE-2026-3987 WatchGuard Firebox Arbitrary File Write via Path Traversal in Fireware Web UI 02.04.2026
CVE-2026-5313 Nothings stb GIF Decoder stb_image.h stbi__gif_load_next denial of service 01.04.2026
CVE-2026-34559 CI4MS: Blogs Tags Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS 01.04.2026 9.1
CVE-2026-34560 CI4MS: Logs Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS 02.04.2026 9.1
CVE-2025-13916 Multiple vulnerabilities have been addressed in IBM Aspera Shares 02.04.2026 5.9
CVE-2025-36373 Incorrect administrative access control in IBM DataPower Gateway 02.04.2026 4.1
CVE-2026-1491 Security Vulnerabilities have been found in IBM Verify Identity Access and IBM Security Verify Access 01.04.2026 5.3
CVE-2026-2475 Security Vulnerabilities have been found in IBM Verify Identity Access and IBM Security Verify Access 02.04.2026 3.1
CVE-2026-2862 Security Vulnerabilities have been found in IBM Verify Identity Access and IBM Security Verify Access 02.04.2026 5.3
CVE-2026-34530 File Browser is vulnerable to Stored Cross-Site Scripting via text/template branding injection 01.04.2026 6.9
CVE-2026-34531 Flask-HTTPAuth invokes token verification callback when missing or empty token was given by client 01.04.2026 6.5
CVE-2026-34543 OpenEXR: Heap information disclosure in PXR24 decompression via unchecked decompressed size (undo_pxr24_impl) 02.04.2026
CVE-2026-34544 OpenEXR: integer overflow to OOB write in uncompress_b44_impl() 01.04.2026
CVE-2026-34545 OpenEXR: integer overflow lead to OOB in HTJ2K decoder 01.04.2026
CVE-2026-4820 IBM Maximo Application Suite was vulnerable because Cookie ltpatoken2_<workspace_name> was not set with the secure flag 02.04.2026 4.3
CVE-2026-1345 Security Vulnerabilities have been found in IBM Verify Identity Access and IBM Security Verify Access 02.04.2026 7.3
CVE-2026-34519 AIOHTTP: HTTP response splitting via \r in reason phrase 02.04.2026
CVE-2026-34520 AIOHTTP: C parser (llhttp) accepts null bytes and control characters in response header values - header injection / security bypass 01.04.2026
CVE-2026-34525 AIOHTTP: Duplicate Host header accepted 01.04.2026
CVE-2026-34528 File Browser's Signup Grants Execution Permissions When Default Permissions Includes Execution 02.04.2026 8.1
CVE-2026-34529 File Browser is vulnerable to Stored Cross-site Scripting via crafted EPUB file 02.04.2026 7.6
CVE-2026-4101 Security Vulnerabilities have been found in IBM Verify Identity Access and IBM Security Verify Access 01.04.2026 8.1
CVE-2026-4364 Security Vulnerabilities have been found in IBM Verify Identity Access and IBM Security Verify Access 02.04.2026 5.4
CVE-2026-5312 D-Link DNS-1550-04 dsk_mgr.cgi Get_current_raidtype access control 02.04.2026
CVE-2026-22815 AIOHTTP: Uncapped memory usage possible through aiohttp allowing unlimited trailer headers 01.04.2026
CVE-2026-34513 AIOHTTP: Denial of Service (DoS) via Unbounded DNS Cache in TCPConnector 01.04.2026
CVE-2026-34514 AIOHTTP: CRLF injection in multipart part content type header construction 02.04.2026
CVE-2026-34515 AIOHTTP: UNC SSRF/NTLMv2 Credential Theft/Local File Read in static resource handler on Windows 02.04.2026
CVE-2026-34516 AIOHTTP: Multipart Header Size Bypass 01.04.2026
CVE-2026-34517 AIOHTTP: Late size enforcement for non-file multipart fields causes memory DoS 01.04.2026
CVE-2026-34518 AIOHTTP: Cookie and Proxy-Authorization headers leaked on cross-origin redirect 02.04.2026
CVE-2026-34873 01.04.2026
CVE-2026-34455 Hi.Events: SQL Injection via Unvalidated sort_by Query Parameter in Multiple Repository Classes 01.04.2026
CVE-2026-34456 Reviactyl: OAuth account takeover via auto-linking 02.04.2026 9.1
CVE-2026-34746 Payload has Authenticated SSRF via Upload Functionality 02.04.2026 7.7
CVE-2026-34747 Payload has an SQL Injection via Query Handling 01.04.2026 8.5
CVE-2026-34748 @payloadcms/next has Stored XSS in Admin Panel 01.04.2026 8.7
CVE-2026-34749 Payload has a CSRF Protection Bypass in Authentication Flow 01.04.2026 5.4
CVE-2026-34750 Payload has Insufficient Filename Validation in Client-Upload Signed-URL Endpoints 02.04.2026 6.5
CVE-2026-5311 D-Link DNS-1550-04 file_center.cgi Webdav_Access_List access control 02.04.2026
CVE-2025-66442 01.04.2026
CVE-2026-34872 01.04.2026