CVE Field Guide

Critical CVEs

CVE Title Updated Score
CVE-2026-5965 NewSoft|NewSoftOA - OS Command Injection 21.04.2026 9.3
CVE-2026-41329 OpenClaw < 2026.3.31 - Sandbox Bypass via Heartbeat Context Inheritance and senderIsOwner Escalation 20.04.2026 9
CVE-2026-32604 Spinnaker vulnerable to RCE when using gitrepo artifact types due to improper sanitization of user input on branch and paths 20.04.2026 10
CVE-2026-32613 Spinnaker vulnerable to RCE via expression parsing due to unrestricted context handling 20.04.2026 10
CVE-2026-32311 Command Injection and Docker container escape allows root on host machine 20.04.2026 9.3
CVE-2026-6257 Vvveb CMS v1.0.8 Remote Code Execution via Media Management 20.04.2026 9.2
CVE-2026-24467 OpenAEV's Improper Password Reset Token Management Leads to Unauthenticated Account Takeover and Platform Compromise 20.04.2026 9.1
CVE-2026-39918 Vvveb < 1.0.8.1 Code Injection via Installation Endpoint 20.04.2026 9.2
CVE-2026-5963 Digiwin|EasyFlow .NET - SQL Injection 20.04.2026 9.3
CVE-2026-5964 Digiwin|EasyFlow .NET - SQL Injection 20.04.2026 9.3
CVE-2026-6644 A command injection vulnerability was found in the PPTP VPN Clients on the ADM 20.04.2026 9.4
CVE-2026-32956 20.04.2026 9.3
CVE-2026-41242 protobufjs has an arbitrary code execution issue 20.04.2026 9.4
CVE-2026-40492 SAIL has heap buffer overflow in XWD decoder — bits_per_pixel vs pixmap_depth type confusion in byte-swap 20.04.2026 9.8
CVE-2026-40493 SAIL has heap buffer overflow in PSD decoder — bpp mismatch in LAB 16-bit mode 20.04.2026 9.8
CVE-2026-40494 SAIL has heap buffer overflow in TGA RLE decoder — raw packet path missing bounds check 20.04.2026 9.8
CVE-2026-40317 NovumOS has Privilege Escalation in the Syscall Interface 20.04.2026 9.4
CVE-2026-40572 NovumOS has Arbitrary Memory Mapping via Syscall 15 (MemoryMapRange) 20.04.2026 9
CVE-2026-40484 ChurchCRM: Authenticated Remote Code Execution via Unrestricted PHP File Write in Database Restore Function 20.04.2026 9.1
CVE-2026-40324 Hot Chocolate's Utf8GraphQLParser has Stack Overflow via Deeply Nested GraphQL Documents 20.04.2026 9.1
CVE-2026-40582 ChurchCRM: Authentication Bypass in `/api/public/user/login` Allows Bypass of 2FA and Account Lockout 20.04.2026 9.1
CVE-2026-40477 Improper restriction of the scope of accessible objects in Thymeleaf expressions 20.04.2026 9.1
CVE-2026-40478 Improper neutralization of specific syntax patterns for unauthorized expressions in Thymeleaf 20.04.2026 9.1
CVE-2026-40258 Gramps Web API has Zip Slip Path Traversal in Media Archive Import 20.04.2026 9.1
CVE-2026-40351 FastGPT: NoSQL Injection in loginByPassword leads to Authentication Bypass 20.04.2026 9.8
CVE-2026-23500 Dolibarr: OS Command Injection (RCE) via MAIN_ODT_AS_PDF configuration 18.04.2026 9.4
CVE-2026-32105 xrdp: RDP MAC signature (dataSignature) never verified on receive — integrity bypass in non-TLS mode 20.04.2026 9.3
CVE-2026-35546 Anviz Products Missing Authentication for Critical Function 17.04.2026 9.8
CVE-2026-40342 Firebird: Path Traversal + Arbitrary File Write Leads to Remote Code Execution 20.04.2026 10
CVE-2026-40525 OpenViking Authentication Bypass via VikingBot OpenAPI 20.04.2026 9.1
CVE-2026-6284 Horner Automation Cscape and XL4, XL7 PLC Weak password requirements 20.04.2026 9.3
CVE-2025-15623 Sparx Pro Cloud Server reveals sensitive information to an unauthenticated user 17.04.2026 9.3
CVE-2025-15624 Plaintext Storage of a Password in Sparx Pro Cloud Server. 17.04.2026 9.3
CVE-2025-15625 Unauthenticated execution of arbitrary SQL queries in Sparx Pro Cloud Server 17.04.2026 9.5
CVE-2026-6443 Accordion and Accordion Slider 1.4.6 - Injected Backdoor 17.04.2026 9.8
CVE-2026-40322 SiYuan: Mermaid `javascript:` Link Injection Leads to Stored XSS and Electron RCE 17.04.2026 9.1
CVE-2026-6270 @fastify/middie vulnerable to middleware authentication bypass in child plugin scopes 16.04.2026 9.1
CVE-2026-31843 16.04.2026 10
CVE-2026-3596 Riaxe Product Customizer <= 2.1.2 - Missing Authorization to Unauthenticated Arbitrary Options Update to Privilege Escalation via 'install-imprint' AJAX Action 16.04.2026 9.8
CVE-2026-6348 Simopro Technology|WinMatrix - Missing Authentication 16.04.2026 9.3
CVE-2026-6349 HGiga|iSherlock - OS Command Injection 16.04.2026 10
CVE-2026-6350 Openfind|MailGates/MailAudit - Stack-based Buffer Overflow 16.04.2026 9.3
CVE-2026-40504 Creolabs Gravity < 0.9.6 Heap Buffer Overflow via gravity_vm_exec 16.04.2026 9.3
CVE-2026-40959 16.04.2026 9.3
CVE-2026-4880 Barcode Scanner (+Mobile App) <= 1.11.0 - Unauthenticated Privilege Escalation via Insecure Token Authentication 16.04.2026 9.8
CVE-2026-6388 Argocd-image-updater: argocd image updater: cross-namespace privilege escalation via insufficient namespace validation 16.04.2026 9.1
CVE-2026-40173 Dgraph: Unauthenticated pprof endpoint leaks admin auth token 16.04.2026 9.4
CVE-2025-41118 Sensitive COS `SecretKey` exposed in plaintext via configuration API due to missing type protection 20.04.2026 9.1
CVE-2026-5189 Nexus Repository 3 - Hardcoded Credential in Internal Database Component 16.04.2026 9.2
CVE-2025-15610 15.04.2026 9.3
CVE-2026-20147 Cisco Identity Services Engine Remote Code Execution Vulnerability 16.04.2026 9.9
CVE-2026-20180 Cisco Identity Services Engine Multiple Remote Code Execution Vulnerability 16.04.2026 9.9
CVE-2026-20184 Cisco Webex Meetings Certificate Validation Vulnerability 16.04.2026 9.8
CVE-2026-20186 Cisco Identity Services Engine Multiple Authenticated Remote Code Execution Vulnerability 16.04.2026 9.9
CVE-2026-5387 AVEVA Pipeline Simulation Missing Authorization 15.04.2026 9.3
CVE-2026-33805 @fastify/reply-from vulnerable to connection header abuse enabling stripping of proxy-added headers 15.04.2026 9
CVE-2026-33807 @fastify/express vulnerable to middleware path doubling causing authentication bypass in child plugin scopes 15.04.2026 9.1
CVE-2026-33808 @fastify/express vulnerable to middleware authentication bypass via URL normalization gaps (duplicate slashes and semicolons) 15.04.2026 9.1
CVE-2025-14813 GOSTCTR implementation unable to process more than 255 blocks correctly 15.04.2026 9.3
CVE-2026-5598 Non-constant time comparisons risk private key leakage in FrodoKEM. 15.04.2026 10
CVE-2026-3461 Visa Acceptance Solutions <= 2.1.0 - Unauthenticated Authentication Bypass via Billing Email 15.04.2026 9.8
CVE-2026-1555 WebStack <= 1.2024 - Unauthenticated Arbitrary File Upload 15.04.2026 9.8
CVE-2026-39842 OpenRemote is Vulnerable to Expression Injection 16.04.2026 10
CVE-2026-39399 NuGet Gallery: Arbitrary Blob Overwrite via Nuspec Confusion and URI Fragment Truncation 15.04.2026 9.6
CVE-2026-34457 OAuth2 Proxy: Health Check User-Agent Matching Bypasses Authentication in auth_request Mode 15.04.2026 9.1
CVE-2026-35031 Jellyfin: Potential RCE via subtitle upload path traversal + .strm chain 16.04.2026 10
CVE-2026-35033 Jellyfin: Potential SSRF + Arbitrary file read via stream argument injection 15.04.2026 9.3
CVE-2026-27304 ColdFusion | Improper Input Validation (CWE-20) 15.04.2026 9.3
CVE-2026-27243 Adobe Connect | Cross-site Scripting (Reflected XSS) (CWE-79) 14.04.2026 9.3
CVE-2026-27245 Adobe Connect | Cross-site Scripting (Reflected XSS) (CWE-79) 14.04.2026 9.3
CVE-2026-27246 Adobe Connect | Cross-site Scripting (DOM-based XSS) (CWE-79) 14.04.2026 9.3
CVE-2026-27303 Adobe Connect | Deserialization of Untrusted Data (CWE-502) 15.04.2026 9.6
CVE-2026-34615 Adobe Connect | Deserialization of Untrusted Data (CWE-502) 15.04.2026 9.3
CVE-2026-26149 Microsoft Power Apps Spoofing Vulnerability 20.04.2026 9
CVE-2026-33824 Windows Internet Key Exchange (IKE) Service Extensions Remote Code Execution Vulnerability 20.04.2026 9.8
CVE-2026-39808 15.04.2026 9.1
CVE-2026-39813 15.04.2026 9.1
CVE-2025-63939 14.04.2026 9.8
CVE-2025-65135 14.04.2026 9.8
CVE-2026-38526 14.04.2026 9.9
CVE-2025-8095 Recoverable obfuscation using the OECH1 prefix encoding in OpenEdge 15.04.2026 9.1
CVE-2026-2449 14.04.2026 9

Latest Updates

CVE Title Updated Score
CVE-2026-31368 Privilege Bypass in AiAssistant 21.04.2026 7.8
CVE-2026-31369 Privilege Bypass in PcManager 21.04.2026 3.2
CVE-2026-31370 Information Leak Vulnerability in Honor E 21.04.2026 6.3
CVE-2026-6703 Responsive Blocks <= 2.2.1 - Missing Authorization to Authenticated (Contributor+) Arbitrary Modification via AJAX Actions 21.04.2026 4.3
CVE-2026-6711 Website LLMs.txt <= 8.2.6 - Reflected Cross-Site Scripting 21.04.2026 6.1
CVE-2026-6712 Website LLMs.txt <= 8.2.6 - Authenticated (Admin+) Stored Cross-Site Scripting 21.04.2026 4.4
CVE-2026-5965 NewSoft|NewSoftOA - OS Command Injection 21.04.2026
CVE-2026-40497 FreeScout Vulnerable to CSS Injection via Stored Style Tag in Mailbox Signature (CSRF Token Exfiltration) 21.04.2026 8.1
CVE-2026-6674 Plugin: CMS für Motorrad Werkstätten <= 1.0.0 - Authenticated (Subscriber+) SQL Injection via 'arttype' Parameter 21.04.2026 6.5
CVE-2026-6675 Responsive Blocks <= 2.2.0 - Unauthenticated Open Email Relay via REST API 'email_to' Parameter 21.04.2026 5.3
CVE-2026-39866 Lawnchair vulnerable to Command Injection via unquoted workflow dispatch input in release_update.yml 21.04.2026
CVE-2026-39886 OpenEXR has HTJ2K Signed Integer Overflow in ht_undo_impl() 21.04.2026 5.3
CVE-2026-39973 Apktool: Path Traversal to Arbitrary File Write 21.04.2026 7.1
CVE-2026-40244 OpenEXR has integer overflow in DWA setupChannelData planarUncRle pointer arithmetic (missed variant of CVE-2026-34589) 21.04.2026
CVE-2026-40250 OpenEXR has integer overflow in DWA decoder outBufferEnd pointer arithmetic (missed variant of CVE-2026-34589) 21.04.2026
CVE-2026-40496 FreeScout has Predictable Attachment Token that Allows Unauthenticated Private File Download via Brute Force 21.04.2026
CVE-2026-6058 21.04.2026 4.5
CVE-2026-39320 Signal K Server has an Unauthenticated Regular Expression Denial of Service (ReDoS) via WebSocket Subscription Paths 21.04.2026 7.5
CVE-2026-39377 nbconvert has an Arbitrary File Write via Path Traversal in Cell Attachment Filenames 21.04.2026 6.5
CVE-2026-39378 nbconvert has an Arbitrary File Read via Path Traversal in HTMLExporter Image Embedding 21.04.2026 6.5
CVE-2026-39386 Neko has Self-service Privilege Escalation for Authenticated Users 21.04.2026 8.8
CVE-2026-39388 OpenBao's Certificate Authentication Allows Token Renewal With Different Certificate 21.04.2026
CVE-2026-39396 OpenBao has Decompression Bomb via Unbounded Copy in OCI Plugin Extraction (DoS) 21.04.2026 3.1
CVE-2026-39861 Claude Code: Sandbox Escape via Symlink Following Allows Arbitrary File Write Outside Workspace 21.04.2026
CVE-2026-39946 OpenBao allows SQL Injection in PostgreSQL database secrets engine 21.04.2026
CVE-2026-40264 OpenBao's Token Store Allows Cross-Namespace Renewal, Revocation 21.04.2026
CVE-2026-34839 Glances Vulnerable to Cross-Origin Information Disclosure via Unauthenticated REST API (/api/4) due to Permissive CORS 20.04.2026
CVE-2026-35570 OpenClaude has Sandbox Bypass via Early-Exit Logic Flaw that Allows Path Traversal 20.04.2026 8.4
CVE-2026-35587 Glances IP Plugin has SSRF via public_api that leads to credential leakage 20.04.2026
CVE-2026-35588 Glances has CQL Injection in its Cassandra Export Module via Unsanitized Config Values 20.04.2026 6.3
CVE-2026-40045 OpenClaw < 2026.4.2 - Cleartext Credential Transmission via Unencrypted WebSocket Gateway Endpoints 20.04.2026
CVE-2026-41285 20.04.2026 4.3
CVE-2026-41294 OpenClaw < 2026.3.28 - Environment Variable Injection via CWD .env File 20.04.2026
CVE-2026-41295 OpenClaw < 2026.4.2 - Untrusted Workspace Channel Shadow Code Execution during Built-in Channel Setup 20.04.2026
CVE-2026-41296 OpenClaw < 2026.3.31 - Sandbox Escape via TOCTOU Race in Remote FS Bridge readFile 20.04.2026
CVE-2026-41297 OpenClaw < 2026.3.31 - Server-Side Request Forgery via Marketplace Plugin Download Redirect 20.04.2026
CVE-2026-41298 OpenClaw < 2026.4.2 - Authorization Bypass in Session Termination Endpoint 20.04.2026
CVE-2026-41299 OpenClaw < 2026.3.28 - Client Identity Spoofing in chat.send Gateway Provenance Guard 20.04.2026
CVE-2026-41300 OpenClaw < 2026.3.31 - Attacker-Discovered Endpoint Preservation in Remote Onboarding 20.04.2026
CVE-2026-41301 OpenClaw 2026.3.22 < 2026.3.31 - Forged Nostr DM Pairing State Creation via Signature Verification Bypass 20.04.2026
CVE-2026-41302 OpenClaw < 2026.3.31 - Server-Side Request Forgery via Unguarded fetch() in Marketplace Plugin Download 20.04.2026
CVE-2026-41303 OpenClaw < 2026.3.28 - Authorization Bypass in Discord Text Approval Commands 20.04.2026
CVE-2026-41329 OpenClaw < 2026.3.31 - Sandbox Bypass via Heartbeat Context Inheritance and senderIsOwner Escalation 20.04.2026
CVE-2026-41330 OpenClaw < 2026.3.31 - Environment Variable Override via Host Exec Policy 20.04.2026
CVE-2026-41331 OpenClaw < 2026.3.31 - Resource Consumption via Unauthorized Telegram Audio Preflight Transcription 20.04.2026
CVE-2026-34082 Dify has IDOR in deleting someone else's chat conversation 20.04.2026
CVE-2026-5721 wpDataTables – WordPress Data Table, Dynamic Tables & Table Charts Plugin <= 6.5.0.4 - Unauthenticated Stored Cross-Site Scripting via CSV/Excel Data Import 20.04.2026 4.7
CVE-2026-6729 HKUDS OpenHarness Session Key Collision Privilege Escalation 20.04.2026
CVE-2026-0930 Potential wolfSSHd Buffer out-of-bounds Read on Windows Handling Terminal Resize 20.04.2026
CVE-2026-22051 20.04.2026
CVE-2026-29643 20.04.2026
CVE-2026-29642 20.04.2026
CVE-2026-29646 20.04.2026
CVE-2026-29647 20.04.2026
CVE-2026-29648 20.04.2026
CVE-2026-32604 Spinnaker vulnerable to RCE when using gitrepo artifact types due to improper sanitization of user input on branch and paths 20.04.2026 10
CVE-2026-32613 Spinnaker vulnerable to RCE via expression parsing due to unrestricted context handling 20.04.2026 10
CVE-2026-33031 Nginx-UI: Disabled users retain full API access through previously issued bearer tokens 20.04.2026
CVE-2026-33431 Roxy-WI Vulnerable to Authenticated Arbitrary File Read via Path Traversal in Config Version Viewer 20.04.2026
CVE-2026-33432 Roxy-WI has Pre-Authentication LDAP Injection that Leads to Authentication Bypass 20.04.2026
CVE-2026-33626 LMDeploy Vulnerable to Server-Side Request Forgery (SSRF) via Vision-Language Image Loading 20.04.2026 7.5
CVE-2026-34403 Nginx-UI vulnerable to Cross-Site WebSocket Hijacking (CSWSH) via missing origin validation on all WebSocket endpoints 20.04.2026
CVE-2026-4852 Image Source Control Lite – Show Image Credits and Captions <= 3.9.1 - Authenticated (Author+) Stored Cross-Site Scripting via 'Image Source' Field 20.04.2026 6.4
CVE-2026-5358 Static buffer overflow in deprecated nis_local_principal 20.04.2026
CVE-2026-5450 scanf %mc off-by-one heap buffer overflow 20.04.2026
CVE-2026-5928 Static buffer overflow in deprecated nis_local_principal 20.04.2026
CVE-2026-29649 20.04.2026
CVE-2026-32311 Command Injection and Docker container escape allows root on host machine 20.04.2026
CVE-2026-6249 Vvveb CMS 1.0.8 Remote Code Execution via Media Upload 20.04.2026
CVE-2026-29645 20.04.2026
CVE-2026-32135 NanoMQ has Heap Buffer Overflow in URI Parameter Parsing 20.04.2026
CVE-2026-5478 Everest Forms <= 3.4.4 - Unauthenticated Arbitrary File Read and Deletion via Upload Field 'old_files' Parameter 20.04.2026 8.1
CVE-2026-6257 Vvveb CMS v1.0.8 Remote Code Execution via Media Management 20.04.2026
CVE-2026-6550 Key commitment policy bypass via shared key cache in AWS Encryption SDK for Python 20.04.2026 4.7
CVE-2025-11249 20.04.2026
CVE-2026-6060 Possible DoS via SQL Box 20.04.2026 4.5
CVE-2026-6248 wpForo Forum <= 3.0.5 - Authenticated (Subscriber+) Arbitrary File Deletion via Custom Profile Field File Path 20.04.2026 8.1
CVE-2026-23752 GFI HelpDesk < 4.99.9 Stored XSS via companyname Parameter 20.04.2026
CVE-2026-23753 GFI HelpDesk < 4.99.9 Stored XSS via charset Parameter 20.04.2026
CVE-2026-23757 GFI HelpDesk < 4.99.10 Stored XSS via Reports Module 20.04.2026
CVE-2026-41389 OpenClaw 2026.4.7 < 2026.4.15 - Arbitrary File Read via Unvalidated Tool-Result Media Paths 20.04.2026
CVE-2026-23756 GFI HelpDesk < 4.99.9 Stored XSS via Troubleshooter Step Subject 20.04.2026
CVE-2026-23758 GFI HelpDesk < 4.99.9 Stored XSS via editsubject Parameter 20.04.2026
CVE-2026-26399 20.04.2026
CVE-2026-39109 20.04.2026
CVE-2026-39110 20.04.2026
CVE-2026-39111 20.04.2026
CVE-2026-39112 20.04.2026
CVE-2026-22761 20.04.2026 6.7
CVE-2026-26951 20.04.2026 6.7
CVE-2026-30266 20.04.2026
CVE-2026-35154 20.04.2026 6.3
CVE-2026-6662 ericc-ch copilot-api Token Endpoint server.ts cors cross-domain policy 20.04.2026
CVE-2025-66954 20.04.2026
CVE-2026-24504 20.04.2026 7.2
CVE-2026-24505 20.04.2026 7.2
CVE-2026-24506 20.04.2026 7.2
CVE-2026-25524 OpenMage LTS's Phar Deserialization leads to Remote Code Execution 20.04.2026 8.1
CVE-2026-25525 OpenMage LTS has Path Traversal Filter Bypass in Dataflow Module 20.04.2026 4.9
CVE-2026-26942 20.04.2026 6.7
CVE-2026-26943 20.04.2026 7.2
CVE-2026-28684 python-dotenv: Symlink following in set_key allows arbitrary file overwrite via cross-device rename fallback 20.04.2026 6.6
CVE-2026-30269 20.04.2026
CVE-2026-40098 OpenMage LTS imports cross-user wishlist item via shared wishlist code, leading to private option disclosure and file-disclosure variant 20.04.2026
CVE-2026-40488 OpenMage LTS has Customer File Upload Extension Blocklist Bypass that Leads to Remote Code Execution 20.04.2026
CVE-2026-41445 KissFFT Integer Overflow Heap Buffer Overflow via kiss_fftndr_alloc() 20.04.2026
CVE-2026-23774 20.04.2026 7.2
CVE-2026-24467 OpenAEV's Improper Password Reset Token Management Leads to Unauthenticated Account Takeover and Platform Compromise 20.04.2026 9.1
CVE-2026-24468 OpenAEV Vulnerable to Username/Email Enumeration Through Differential HTTP Responses in Password Reset API 20.04.2026 5.3
CVE-2026-25058 Vexa's unauthenticated internal transcript endpoint exposed by default 20.04.2026 7.5
CVE-2026-25883 Vexa Webhook Feature has a SSRF Vulnerability 20.04.2026 5.8
CVE-2026-26944 20.04.2026 8.8
CVE-2026-40896 OpenProject has Cross-Project Meeting Agenda Item Injection via Unscoped Section Lookup 20.04.2026 6.5
CVE-2026-41245 Junrar: Path Traversal (Zip-Slip) via Sibling Directory Name Prefix 20.04.2026 5.9
CVE-2026-6066 Unencrypted Client-Server Communication in ConnectWise Automate™ Solution Center 20.04.2026 7.1
CVE-2026-39918 Vvveb < 1.0.8.1 Code Injection via Installation Endpoint 20.04.2026
CVE-2026-3219 pip doesn't reject concatenated ZIP and tar archives 20.04.2026
CVE-2026-6650 Z-BlogPHP ZBA File app_upload.php UnPack unrestricted upload 20.04.2026
CVE-2026-6651 erponline.xyz ERP Online Inventory Edit Item cross site scripting 20.04.2026
CVE-2026-6652 Pagekit CMS StringStorage Template PhpEngine.php evaluate eval injection 20.04.2026
CVE-2026-34427 Vvveb < 1.0.8.1 Privilege Escalation via admin/user/save 20.04.2026
CVE-2026-34428 Vvveb < 1.0.8.1 SSRF via oEmbedProxy 20.04.2026
CVE-2026-34429 Vvveb < 1.0.8.1 Stored XSS via Media Upload and Rename 20.04.2026
CVE-2025-66335 Apache Doris MCP Server: MCP SQL inject 20.04.2026
CVE-2026-33557 Apache Kafka: Missing JWT token validation in OAUTHBEARER authentication 20.04.2026
CVE-2026-33558 Apache Kafka, Apache Kafka Clients: Information Exposure Through Network Client Log Output 20.04.2026
CVE-2026-3517 OS Command Injection Remote Code Execution Vulnerability in Progress LoadMaster, ECS Connection Manager, Object Scale Connection Manager & MOVEit WAF 20.04.2026 8.4
CVE-2026-3518 OS Command Injection Remote Code Execution Vulnerability in Progress LoadMaster, ECS Connection Manager, Object Scale Connection Manager & MOVEit WAF 20.04.2026 8.4
CVE-2026-3519 OS Command Injection Remote Code Execution Vulnerability in Progress LoadMaster, ECS Connection Manager, Object Scale Connection Manager & MOVEit WAF 20.04.2026 8.4
CVE-2026-4048 OS Command Injection Remote Code Execution Vulnerability in Progress LoadMaster, ECS Connection Manager, Object Scale Connection Manager & MOVEit WAF 20.04.2026 8.4
CVE-2026-5760 CVE-2026-5760 20.04.2026
CVE-2026-6369 Exposed Session Token in canonical-livepatch client snap 20.04.2026
CVE-2026-6649 Qibo CMS headers server-side request forgery 20.04.2026
CVE-2026-6648 Qibo CMS Internal Message cross site scripting 20.04.2026
CVE-2026-5958 Race Condition in GNU Sed 20.04.2026
CVE-2026-6636 p2r3 convert API buildCache.js Bun.serve path traversal 20.04.2026
CVE-2026-6633 Yifang CMS Extended Management L_rbac_admin.php store cross site scripting 20.04.2026
CVE-2026-6634 usememos UpdateInstanceSetting App.tsx memos_access_token improper authorization 20.04.2026
CVE-2026-6635 rowboatlabs rowboat tools_webhook app.py tool_call improper authentication 20.04.2026
CVE-2026-6632 Tenda F451 httpd SafeClientFilter fromSafeClientFilter buffer overflow 20.04.2026