CVE Field Guide

Critical CVEs

CVE Title Updated Score
CVE-2026-39808 14.04.2026 9.1
CVE-2026-39813 14.04.2026 9.1
CVE-2025-63939 14.04.2026 9.8
CVE-2025-65135 14.04.2026 9.8
CVE-2026-38526 14.04.2026 9.9
CVE-2025-8095 Recoverable obfuscation using the OECH1 prefix encoding in OpenEdge 14.04.2026 9.1
CVE-2026-2449 14.04.2026 9
CVE-2026-40288 PraisonAI: Critical RCE via `type: job` workflow YAML 14.04.2026 9.8
CVE-2026-40289 PraisonAI Browser Server allows unauthenticated WebSocket clients to hijack connected extension sessions 14.04.2026 9.1
CVE-2026-40313 PraisonAI: ArtiPACKED Vulnerability via GitHub Actions Credential Persistence 14.04.2026 9.1
CVE-2026-6264 Critical Security fix for the Talend JobServer and Talend Runtime 14.04.2026 9.8
CVE-2026-4365 LearnPress <= 4.3.2.8 - Missing Authorization to Unauthenticated Arbitrary Quiz Answer Deletion 14.04.2026 9.1
CVE-2026-27681 SQL Injection vulnerability in SAP Business Planning and Consolidation and SAP Business Warehouse 14.04.2026 9.9
CVE-2026-22562 14.04.2026 9.8
CVE-2026-22563 14.04.2026 9.8
CVE-2026-22564 14.04.2026 9.8
CVE-2026-40042 Pachno 1.0.6 Wiki TextParser XML External Entity Injection 13.04.2026 9.3
CVE-2026-40044 Pachno 1.0.6 FileCache Deserialization Remote Code Execution 13.04.2026 9.3
CVE-2026-6100 Use-after-free in lzma.LZMADecompressor, bz2.BZ2Decompressor, and gzip.GzipFile after re-use under memory pressure 14.04.2026 9.1
CVE-2026-6195 Totolink A7100RU CGI cstecgi.cgi setPasswordCfg os command injection 13.04.2026 9.3
CVE-2026-23891 Decidim has a Cross-site scripting (XSS) vulnerability via user name field 13.04.2026 9.3
CVE-2026-4810 Remote Code Execution in Google Agent Development Kit (ADK) 13.04.2026 9.3
CVE-2026-34865 13.04.2026 10
CVE-2026-6154 Totolink A7100RU CGI cstecgi.cgi setWizardCfg os command injection 13.04.2026 9.3
CVE-2026-6155 Totolink A7100RU CGI cstecgi.cgi setWanCfg os command injection 13.04.2026 9.3
CVE-2026-6156 Totolink A7100RU CGI cstecgi.cgi setIpQosRules os command injection 13.04.2026 9.3
CVE-2026-6139 Totolink A7100RU CGI cstecgi.cgi UploadOpenVpnCert os command injection 13.04.2026 9.3
CVE-2026-6140 Totolink A7100RU CGI cstecgi.cgi UploadFirmwareFile os command injection 13.04.2026 9.3
CVE-2026-6138 Totolink A7100RU CGI cstecgi.cgi setAccessDeviceCfg os command injection 13.04.2026 9.3
CVE-2026-6132 Totolink A7100RU CGI cstecgi.cgi setLedCfg os command injection 13.04.2026 9.3
CVE-2026-6131 Totolink A7100RU CGI cstecgi.cgi setTracerouteCfg os command injection 12.04.2026 9.3
CVE-2019-25709 CF Image Hosting Script 1.6.5 Unauthorized Database Access 12.04.2026 9.3
CVE-2026-6115 Totolink A7100RU CGI cstecgi.cgi setAppCfg os command injection 13.04.2026 9.3
CVE-2026-6116 Totolink A7100RU CGI cstecgi.cgi setDiagnosisCfg os command injection 13.04.2026 9.3
CVE-2026-6112 Totolink A7100RU CGI cstecgi.cgi setRadvdCfg os command injection 12.04.2026 9.3
CVE-2026-6113 Totolink A7100RU CGI cstecgi.cgi setTtyServiceCfg os command injection 14.04.2026 9.3
CVE-2026-6114 Totolink A7100RU CGI cstecgi.cgi setNetworkCfg os command injection 12.04.2026 9.3
CVE-2026-31845 13.04.2026 9.3
CVE-2026-4149 Sonos Era 300 SMB Response Out-Of-Bounds Access Remote Code Execution Vulnerability 13.04.2026 10
CVE-2026-5058 aws-mcp-server Command Injection Remote Code Execution Vulnerability 13.04.2026 9.8
CVE-2026-5059 aws-mcp-server AWS CLI Command Injection Remote Code Execution Vulnerability 13.04.2026 9.8
CVE-2026-40189 goshs has a file-based ACL authorization bypass in goshs state-changing routes 13.04.2026 9.3
CVE-2026-40175 Axios has Unrestricted Cloud Metadata Exfiltration via Header Injection Chain 14.04.2026 10
CVE-2026-40177 Password bypass when 2FA is activated 14.04.2026 9.3
CVE-2026-33707 Weak Password Recovery Mechanism for Forgotten Password in chamilo/chamilo-lms 13.04.2026 9.4
CVE-2026-33698 Chamilo LMS affected by unauthenticated RCE in main/install folder 10.04.2026 9.3
CVE-2026-32892 OS Command Injection in Chamilo LMS 1.11.36 14.04.2026 9.1
CVE-2026-40157 PraisonAI affected by arbitrary file write via path traversal in `praisonai recipe unpack` 14.04.2026 9.4
CVE-2026-5412 Juju CloudSpec API could leak sensitive information 10.04.2026 9.9
CVE-2026-1115 Stored XSS in parisneo/lollms 10.04.2026 9.6
CVE-2026-6028 Totolink A7100RU CGI cstecgi.cgi setPptpServerCfg os command injection 10.04.2026 9.3
CVE-2026-6029 Totolink A7100RU CGI cstecgi.cgi setVpnAccountCfg os command injection 10.04.2026 9.3
CVE-2026-6026 Totolink A7100RU CGI cstecgi.cgi setPortalConfWeChat os command injection 10.04.2026 9.3
CVE-2026-6027 Totolink A7100RU CGI cstecgi.cgi setUrlFilterRules os command injection 14.04.2026 9.3
CVE-2026-6025 Totolink A7100RU CGI cstecgi.cgi setSyslogCfg os command injection 10.04.2026 9.3
CVE-2026-5996 Totolink A7100RU CGI cstecgi.cgi setAdvancedInfoShow os command injection 14.04.2026 9.3
CVE-2026-5997 Totolink A7100RU CGI cstecgi.cgi setLoginPasswordCfg os command injection 10.04.2026 9.3
CVE-2026-5993 Totolink A7100RU CGI cstecgi.cgi setWiFiGuestCfg os command injection 10.04.2026 9.3
CVE-2026-5994 Totolink A7100RU CGI cstecgi.cgi setTelnetCfg os command injection 10.04.2026 9.3
CVE-2026-5995 Totolink A7100RU CGI cstecgi.cgi setMiniuiHomeInfoShow os command injection 10.04.2026 9.3
CVE-2026-34424 Smart Slider 3 Pro 3.5.1.35 Supply Chain Attack Remote Access Toolkit 14.04.2026 9.3
CVE-2026-33771 CTP OS: Configuring password requirements does not work which permits the use of weak passwords 13.04.2026 9.1
CVE-2026-33784 JSI Virtual Lightweight Collector: Default password is not required to be changed which allows unauthorized high-privileged access 13.04.2026 9.3
CVE-2026-40154 PraisonAI Affected by Untrusted Remote Template Code Execution 10.04.2026 9.3
CVE-2026-40111 PraisonAIAgents has an OS Command Injection via shell=True in Memory Hooks Executor (memory/hooks.py) 13.04.2026 9.3
CVE-2026-5977 Totolink A7100RU CGI cstecgi.cgi setWiFiBasicCfg os command injection 14.04.2026 9.3
CVE-2026-5978 Totolink A7100RU CGI cstecgi.cgi setWiFiAclRules os command injection 09.04.2026 9.3
CVE-2026-5976 Totolink A7100RU CGI cstecgi.cgi setStorageCfg os command injection 13.04.2026 9.3
CVE-2025-13926 Contemporary Controls BASC 20T Reliance on Untrusted Inputs in a Security Decision 10.04.2026 9.3
CVE-2026-40088 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in praisonai 09.04.2026 9.7
CVE-2026-40089 Sonicverse has Server-Side Request Forgery via user-controlled URLs in dashboard API client 13.04.2026 9.9
CVE-2026-5194 wolfSSL ECDSA Certificate Verification 10.04.2026 9.3
CVE-2026-5975 Totolink A7100RU CGI cstecgi.cgi setDmzCfg os command injection 09.04.2026 9.3
CVE-2026-28205 Initialization of a resource with an insecure default in OpenPLC_V3 10.04.2026 9.2
CVE-2026-34971 Wasmtime miscompiled guest heap access enables sandbox escape on aarch64 Cranelift 13.04.2026 9
CVE-2026-34987 Wasmtime with Winch compiler backend on aarch64 may allow a sandbox-escaping memory access 10.04.2026 9
CVE-2026-35556 Plaintext storage of a password in OpenPLC_V3 10.04.2026 9.2
CVE-2026-39912 v2board / Xboard Authentication Token Exposure via loginWithMailLink 13.04.2026 9.1
CVE-2026-39980 OpenCTI affected by RCE via notifier template 09.04.2026 9.1
CVE-2026-39987 marimo Affected by Pre-Auth Remote Code Execution via Terminal WebSocket Authentication Bypass 09.04.2026 9.3
CVE-2025-62718 Axios has a NO_PROXY Hostname Normalization Bypass Leads to SSRF 09.04.2026 9.3
CVE-2026-34177 VM lowlevel restriction bypass via raw.apparmor and raw.qemu.conf 09.04.2026 9.1
CVE-2026-34178 Importing a crafted backup leads to project restriction bypass 09.04.2026 9.1
CVE-2026-34179 Update of type field in restricted TLS certificate allows privilege escalation to cluster admin 09.04.2026 9.1
CVE-2026-5852 Totolink A7100RU CGI cstecgi.cgi setIptvCfg os command injection 09.04.2026 9.3
CVE-2026-5853 Totolink A7100RU CGI cstecgi.cgi setIpv6LanCfg os command injection 09.04.2026 9.3
CVE-2026-5854 Totolink A7100RU CGI cstecgi.cgi setWiFiEasyCfg os command injection 09.04.2026 9.3
CVE-2026-5850 Totolink A7100RU CGI cstecgi.cgi setVpnPassCfg os command injection 13.04.2026 9.3
CVE-2026-5851 Totolink A7100RU CGI cstecgi.cgi setUPnPCfg os command injection 09.04.2026 9.3
CVE-2026-1830 Quick Playground <= 1.3.1 - Missing Authorization to Unauthenticated Arbitrary File Upload 09.04.2026 9.8
CVE-2026-3199 Nexus Repository 3 - Authenticated Remote Code Execution via Task Property Injection 09.04.2026 9.4
CVE-2026-40035 Unfurl - Werkzeug Debugger Exposure via String Config Parsing 09.04.2026 9.3
CVE-2026-39860 Nix sandbox escape: file write via symlink at FOD `.tmp` copy destination 09.04.2026 9
CVE-2026-39888 PraisonAIAgents has a sandbox escape via exception frame traversal in `execute_code` (subprocess mode) 09.04.2026 10
CVE-2026-39890 PraisonAI Affected by Remote Code Execution via YAML Deserialization in Agent Definition Loading 09.04.2026 9.8
CVE-2026-2942 ProSolution WP Client <= 1.9.9 - Unauthenticated Arbitrary File Upload via proSol_fileUploadProcess 08.04.2026 9.8
CVE-2025-14815 Information Disclosure, Tampering, and Denial-of-Service Vulnerabilities in GENESIS64, ICONICS Suite, MobileHMI, Hyper Historian, AnalytiX, GENESIS, and MC Works64 08.04.2026 9.3
CVE-2025-14816 Information Disclosure, Tampering, and Denial-of-Service Vulnerabilities in GENESIS64, ICONICS Suite, MobileHMI, Hyper Historian, AnalytiX, GENESIS, and MC Works64 08.04.2026 9.3
CVE-2026-25776 08.04.2026 9.3
CVE-2026-3535 DSGVO Google Web Fonts GDPR <= 1.1 - Unauthenticated Arbitrary File Upload via 'fonturl' Parameter 08.04.2026 9.8
CVE-2026-4003 Users manager – PN <= 1.1.15 - Unauthenticated Privilege Escalation via Account Takeover via 'userspn_form_save' AJAX Action 08.04.2026 9.8
CVE-2026-3296 Everest Forms <= 3.4.3 - Unauthenticated PHP Object Injection via Form Entry Metadata 08.04.2026 9.8
CVE-2026-1346 Security Vulnerabilities have been found in IBM Verify Identity Access and IBM Security Verify Access 09.04.2026 9.3
CVE-2026-34078 Flatpak has a complete sandbox escape leading to host file access and code execution in the host context 11.04.2026 9.3
CVE-2026-39846 SiYuan affected by Remote Code Execution in the Electron desktop client via stored XSS in synced table captions 08.04.2026 9.1
CVE-2026-39847 Emmett has a path traversal in internal assets handler 08.04.2026 9.1
CVE-2026-34580 Botan has a certificate authentication bypass due to trust anchor confusion 09.04.2026 9.3
CVE-2026-33439 Pre-Authentication Remote Code Execution via `jato.clientSession` Deserialization in OpenAM 08.04.2026 9.3

Latest Updates

CVE Title Updated Score
CVE-2024-23104 14.04.2026 5.4
CVE-2025-53847 14.04.2026 6.2
CVE-2025-59809 14.04.2026 4.1
CVE-2025-61624 14.04.2026 5.4
CVE-2025-61848 14.04.2026 6.8
CVE-2025-61886 14.04.2026 4.9
CVE-2025-68649 14.04.2026 5.4
CVE-2026-21741 14.04.2026 2.2
CVE-2026-21742 14.04.2026 5.4
CVE-2026-22154 14.04.2026 4.4
CVE-2026-22155 14.04.2026 6.2
CVE-2026-22573 14.04.2026 6.2
CVE-2026-22574 14.04.2026 4.1
CVE-2026-22576 14.04.2026 4.1
CVE-2026-22828 14.04.2026 7.3
CVE-2026-23708 14.04.2026 6.7
CVE-2026-25691 14.04.2026 6.2
CVE-2026-27316 14.04.2026 2.5
CVE-2026-39808 14.04.2026 9.1
CVE-2026-39810 14.04.2026 5.2
CVE-2026-39811 14.04.2026 4.4
CVE-2026-39812 14.04.2026 4.3
CVE-2026-39813 14.04.2026 9.1
CVE-2026-39814 14.04.2026 6.2
CVE-2026-39815 14.04.2026 7.9
CVE-2025-63939 14.04.2026 9.8
CVE-2025-65132 14.04.2026
CVE-2025-65133 14.04.2026
CVE-2025-65134 14.04.2026
CVE-2025-65135 14.04.2026 9.8
CVE-2025-65136 14.04.2026
CVE-2026-2399 14.04.2026
CVE-2026-2400 14.04.2026
CVE-2026-2401 14.04.2026
CVE-2026-2402 14.04.2026
CVE-2026-2403 14.04.2026
CVE-2026-2404 14.04.2026
CVE-2026-2405 14.04.2026
CVE-2026-38526 14.04.2026 9.9
CVE-2026-38527 14.04.2026 8.5
CVE-2026-38528 14.04.2026 7.1
CVE-2026-38529 14.04.2026 8.8
CVE-2026-38530 14.04.2026 8.1
CVE-2026-38532 14.04.2026 8.1
CVE-2026-38533 14.04.2026
CVE-2026-39809 14.04.2026 6.2
CVE-2026-4832 14.04.2026
CVE-2026-5713 Out-of-bounds read/write during remote profiling and asyncio process introspection when connecting to malicious target 14.04.2026
CVE-2025-69893 14.04.2026
CVE-2025-69993 14.04.2026 6.1
CVE-2026-37980 Org.keycloak.forms.login: keycloak: keycloak: arbitrary code execution via stored cross-site scripting (xss) in organization selection login page 14.04.2026
CVE-2025-61260 14.04.2026
CVE-2026-30480 14.04.2026
CVE-2026-37589 14.04.2026
CVE-2026-37590 14.04.2026
CVE-2026-37591 14.04.2026
CVE-2026-37592 14.04.2026
CVE-2026-37593 14.04.2026
CVE-2026-37594 14.04.2026
CVE-2026-37595 14.04.2026
CVE-2026-37596 14.04.2026
CVE-2026-37597 14.04.2026
CVE-2026-37598 14.04.2026
CVE-2026-37600 14.04.2026
CVE-2026-37601 14.04.2026
CVE-2026-37602 14.04.2026
CVE-2026-4344 Stored Cross-Site Scripting (XSS) Vulnerability in Assembly Component Name 14.04.2026 7.1
CVE-2026-4345 Stored Cross-Site Scripting (XSS) Vulnerability in Design Name 14.04.2026 7.1
CVE-2026-4369 Stored Cross-Site Scripting (XSS) Vulnerability in Assembly Variant Name 14.04.2026 7.1
CVE-2026-4913 14.04.2026 5.7
CVE-2026-4914 14.04.2026 5.4
CVE-2025-7389 Unauthorized Arbitrary File Read via RMI in AdminServer Interface 14.04.2026
CVE-2025-8095 Recoverable obfuscation using the OECH1 prefix encoding in OpenEdge 14.04.2026
CVE-2026-31049 14.04.2026
CVE-2024-9168 14.04.2026
CVE-2026-2450 14.04.2026
CVE-2026-5307 14.04.2026
CVE-2026-2449 14.04.2026
CVE-2026-24069 Improper Enforcement of Disabled Accounts in WebUI SSO in Kiuwan SAST 14.04.2026
CVE-2026-2332 HTTP Request Smuggling via Chunked Extension Quoted-String Parsing 14.04.2026 7.4
CVE-2025-13822 Authentication bypass in MCPHub 14.04.2026
CVE-2025-40745 14.04.2026 3.7
CVE-2026-24032 14.04.2026 7.3
CVE-2026-25654 14.04.2026 8.8
CVE-2026-27668 14.04.2026 8.8
CVE-2026-31923 Apache APISIX: Openid-connect `tls_verify` field is disabled by default 14.04.2026
CVE-2026-33892 14.04.2026 7.1
CVE-2026-31908 Apache APISIX: forward auth plugin allows header injection 14.04.2026
CVE-2026-31924 Apache APISIX: Plugin tencent-cloud-cls log export uses plaintext HTTP 14.04.2026
CVE-2026-33929 Apache PDFBox Examples: Path Traversal in PDFBox ExtractEmbeddedFiles Example Code 14.04.2026
CVE-2026-4109 Eventin – Events Calendar, Event Booking, Ticket & Registration (AI Powered) <= 4.1.8 Missing Authorization to Authenticated (Subscriber+) Order Information Exposure 14.04.2026 4.3
CVE-2026-2582 Germanized for WooCommerce <= 3.20.5 - Unauthenticated Arbitrary Shortcode Execution 14.04.2026 6.5
CVE-2026-3017 Smart Post Show – Post Grid, Post Carousel & Slider, and List Category Posts <= 3.0.12 - Authenticated (Administrator+) PHP Object Injection 14.04.2026 7.2
CVE-2026-1607 Surbma | Booking.com <= 2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode 14.04.2026 6.4
CVE-2026-40287 PraisonAI has RCE via Automatic tools.py Import 14.04.2026 8.4
CVE-2026-40288 PraisonAI: Critical RCE via `type: job` workflow YAML 14.04.2026 9.8
CVE-2026-40289 PraisonAI Browser Server allows unauthenticated WebSocket clients to hijack connected extension sessions 14.04.2026 9.1
CVE-2026-40313 PraisonAI: ArtiPACKED Vulnerability via GitHub Actions Credential Persistence 14.04.2026 9.1
CVE-2026-40315 PraisonAI: SQLiteConversationStore didn't validate table_prefix when constructing SQL queries 14.04.2026
CVE-2026-4059 ShopLentor <= 3.3.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'button_text' Shortcode Attribute 14.04.2026 6.4
CVE-2026-4479 WholeSale Products Dynamic Pricing Management WooCommerce <= 1.2 - Authenticated (Administrator+) Stored Cross-Site Scripting via Plugin Settings 14.04.2026 4.4
CVE-2026-34984 External Secrets Operator has DNS exfiltration via getHostByName in its v2 template engine 14.04.2026
CVE-2026-4388 Form Maker by 10Web <= 1.15.40 - Unauthenticated Stored Cross-Site Scripting via Matrix Field Text Box 14.04.2026 7.2
CVE-2026-6227 BackWPup <= 5.6.6 - Authenticated (Administrator+) Local File Inclusion via 'block_name' Parameter 14.04.2026 7.2
CVE-2026-6264 Critical Security fix for the Talend JobServer and Talend Runtime 14.04.2026 9.8
CVE-2026-34225 Open WebUI has Blind Server Side Request Forgery in its Image Edit Functionality 14.04.2026 4.3
CVE-2026-39419 MaxKB: Sandbox Result Validation Bypass via Tool Output Spoofing 14.04.2026 3.1
CVE-2026-39425 MaxKB: Stored XSS via Unsanitized html_rander Tags in Markdown Rendering 14.04.2026
CVE-2026-39426 MaxKB: Stored XSS via Unsanitized iframe_render Parsing 14.04.2026
CVE-2026-4352 JetEngine <= 3.8.6.1 - Unauthenticated SQL Injection via '_cct_search' Parameter 14.04.2026 7.5
CVE-2026-4365 LearnPress <= 4.3.2.8 - Missing Authorization to Unauthenticated Arbitrary Quiz Answer Deletion 14.04.2026 9.1
CVE-2026-34256 Missing Authorization check in SAP ERP and SAP S/4 HANA (Private Cloud and On-Premise) 14.04.2026 7.1
CVE-2026-34257 Open Redirect vulnerability in SAP NetWeaver Application Server ABAP 14.04.2026 6.1
CVE-2026-34261 Missing Authorization check in SAP Business Analytics and SAP Content Management 14.04.2026 6.5
CVE-2026-34262 Information Disclosure Vulnerability in SAP HANA Cockpit and HANA Database Explorer 14.04.2026 5
CVE-2026-34264 Information Disclosure vulnerability in SAP Human Capital Management for SAP S/4HANA 14.04.2026 6.5
CVE-2026-39418 MaxKB: SSRF via sandbox network hook bypass 14.04.2026 5
CVE-2026-39420 MaxKB: Sandbox escape via LD_PRELOAD bypass 14.04.2026 6.3
CVE-2026-39421 MaxKB: Sandbox escape via ctypes and unhooked SYS_pkey_mprotect 14.04.2026 6.3
CVE-2026-39422 MaxKB has Stored XSS via ChatHeadersMiddleware 14.04.2026
CVE-2026-39423 Stored XSS via Eval Injection in EchartsRander Component 14.04.2026
CVE-2026-39424 MaxKB has CSV Injection in its Application Chat Export Functionality 14.04.2026
CVE-2026-0512 Cross-Site Scripting (XSS) vulnerability in SAP Supplier Relationship Management (SICF Handler in SRM Catalog) 14.04.2026 6.1
CVE-2026-24318 Insecure Session Management vulnerability in SAP BusinessObjects Business Intelligence Platform 14.04.2026 4.2
CVE-2026-27672 Missing Authorization check in Material Master Application 14.04.2026 4.3
CVE-2026-27673 Missing Authorization Check in SAP S/4HANA (Private Cloud and On-Premise) 14.04.2026 4.9
CVE-2026-27674 Code Injection vulnerability in SAP NetWeaver Application Server Java (Web Dynpro Java) 14.04.2026 6.1
CVE-2026-27675 Code Injection vulnerability in SAP Landscape Transformation 14.04.2026 2
CVE-2026-27676 Missing Authorization check in SAP S/4HANA OData Service (Manage Technical Object Structures) 14.04.2026 4.3
CVE-2026-27677 Missing Authorization check in SAP S/4HANA OData Service (Manage Reference Equipment) 14.04.2026 6.5
CVE-2026-27678 Missing Authorization check in SAP S/4HANA Backend OData Service (Manage Reference Structures) 14.04.2026 6.5
CVE-2026-27679 Missing Authorization check in SAP S/4HANA Frontend OData Service (Manage Reference Structures) 14.04.2026 6.5
CVE-2026-27681 SQL Injection vulnerability in SAP Business Planning and Consolidation and SAP Business Warehouse 14.04.2026 9.9
CVE-2026-27683 Reflected cross site scripting vulnerability in SAP BusinessObjects Business Intelligence Platform 14.04.2026 4.1
CVE-2026-34069 nimiq-consensus panics via RequestMacroChain micro-block locator 13.04.2026 5.3
CVE-2026-39417 MaxKB: RCE via MCP stdio command injection in workflow engine 14.04.2026 4.6
CVE-2026-33948 jq: Embedded-NUL Truncation in CLI JSON Input Path Causes Prefix-Only Validation of Malformed Input 14.04.2026
CVE-2026-40164 jq: Algorithmic complexity DoS via hardcoded MurmurHash3 seed 13.04.2026 7.5
CVE-2026-5086 Crypt::SecretBuffer versions before 0.019 for Perl is susceptible to timing attacks 14.04.2026
CVE-2026-39979 jq: Out-of-Bounds Read in jv_parse_sized() Error Formatting for Non-NUL-Terminated Counted Buffers 14.04.2026
CVE-2026-6203 User Registration & Membership <= 5.1.4 - Unauthenticated Open Redirect via 'redirect_to_on_logout' Parameter 14.04.2026 6.1
CVE-2026-39956 jq: Missing runtime type checks for _strindices lead to crash and limited memory disclosure 13.04.2026 6.1
CVE-2026-33947 jq: Unbounded Recursion in jv_setpath(), jv_getpath() and delpaths_sorted() 14.04.2026 6.2
CVE-2026-40311 ImageMagick: Heap-use-after-free via XMP profile could result in a crash when printing values 14.04.2026 5.5
CVE-2026-40312 ImageMagick: Off-by-One in MSL decoder could result in crash 13.04.2026 6.2
CVE-2026-4786 Incomplete mitigation of CVE-2026-4519, %action expansion for command injection to webbrowser.open() 14.04.2026
CVE-2026-22562 14.04.2026 9.8
CVE-2026-22563 14.04.2026 9.8
CVE-2026-22564 14.04.2026 9.8
CVE-2026-22565 13.04.2026
CVE-2026-22566 14.04.2026 7.5
CVE-2026-40169 ImageMagick: Heap buffer overflow (WRITE) in the YAML and JSON encoders 14.04.2026 6.2
CVE-2026-40183 ImageMagick: Heap buffer overflow when encoding JXL image with a 16-bit float 13.04.2026 5.5
CVE-2026-40310 ImageMagick: Heap out-of-bounds write in JP2 encoder 13.04.2026 5.5
CVE-2026-33902 ImageMagick: Stack Overflow via Recursive FX Expression Parsing 14.04.2026 5.5
CVE-2026-33905 ImageMagick has an Out-of-Bounds read via -sample operation 13.04.2026 5.5
CVE-2026-33908 ImageMagick is vulnerable to Stack Overflow in DestroyXMLTree() 13.04.2026 7.5
CVE-2026-34238 ImageMagick: Integer overflow in despeckle operation causes heap buffer overflow on 32-bit builds 14.04.2026 5.1
CVE-2026-6220 HummerRisk Video File Download URL ServerService.java ServerService.addServer server-side request forgery 14.04.2026
CVE-2026-6224 nocobase plugin-workflow-javascript Vm.js createSafeConsole sandbox 13.04.2026
CVE-2025-70936 14.04.2026
CVE-2026-26460 13.04.2026
CVE-2026-33899 ImageMagick: Heap BufferOverflow write of single zero byte when parsing XML 13.04.2026 5.3
CVE-2026-33900 ImageMagick has a Heap overflow caused by integer overflow/wraparound in viff encoder on 32-bit builds 13.04.2026 5.9
CVE-2026-33901 ImageMagick has a Heap Buffer Overflow via MVG decoder 14.04.2026 7.5
CVE-2026-6219 aandrew-me ytDownloader Compressor Feature compressor.js child_process.exec command injection 13.04.2026