| CVE ID | Title | Date | Score |
|---|---|---|---|
| CVE-2026-6270 | @fastify/middie vulnerable to middleware authentication bypass in child plugin scopes | 16.04.2026 | 9.1 |
| CVE-2026-31843 | | 16.04.2026 | 10 |
| CVE-2026-3596 | Riaxe Product Customizer <= 2.1.2 - Missing Authorization to Unauthenticated Arbitrary Options Update to Privilege Escalation via 'install-imprint' AJAX Action | 16.04.2026 | 9.8 |
| CVE-2026-6348 | Simopro Technology\|WinMatrix - Missing Authentication | 16.04.2026 | 9.3 |
| CVE-2026-6349 | HGiga\|iSherlock - OS Command Injection | 16.04.2026 | 10 |
| CVE-2026-6350 | Openfind\|MailGates/MailAudit - Stack-based Buffer Overflow | 16.04.2026 | 9.3 |
| CVE-2026-40504 | Creolabs Gravity < 0.9.6 Heap Buffer Overflow via gravity_vm_exec | 16.04.2026 | 9.3 |
| CVE-2026-40959 | | 16.04.2026 | 9.3 |
| CVE-2026-4880 | Barcode Scanner (+Mobile App) <= 1.11.0 - Unauthenticated Privilege Escalation via Insecure Token Authentication | 16.04.2026 | 9.8 |
| CVE-2026-6388 | Argocd-image-updater: argocd image updater: cross-namespace privilege escalation via insufficient namespace validation | 16.04.2026 | 9.1 |
| CVE-2026-40173 | Dgraph: Unauthenticated pprof endpoint leaks admin auth token | 16.04.2026 | 9.4 |
| CVE-2025-41118 | Sensitive COS `SecretKey` exposed in plaintext via configuration API due to missing type protection | 15.04.2026 | 9.1 |
| CVE-2026-5189 | Nexus Repository 3 - Hardcoded Credential in Internal Database Component | 16.04.2026 | 9.2 |
| CVE-2025-15610 | | 15.04.2026 | 9.3 |
| CVE-2026-20147 | Cisco Identity Services Engine Remote Code Execution Vulnerability | 16.04.2026 | 9.9 |
| CVE-2026-20180 | Cisco Identity Services Engine Multiple Remote Code Execution Vulnerability | 16.04.2026 | 9.9 |
| CVE-2026-20184 | Cisco Webex Meetings Certificate Validation Vulnerability | 16.04.2026 | 9.8 |
| CVE-2026-20186 | Cisco Identity Services Engine Multiple Authenticated Remote Code Execution Vulnerability | 16.04.2026 | 9.9 |
| CVE-2026-5387 | AVEVA Pipeline Simulation Missing Authorization | 15.04.2026 | 9.3 |
| CVE-2026-33805 | @fastify/reply-from vulnerable to connection header abuse enabling stripping of proxy-added headers | 15.04.2026 | 9 |
| CVE-2026-33807 | @fastify/express vulnerable to middleware path doubling causing authentication bypass in child plugin scopes | 15.04.2026 | 9.1 |
| CVE-2026-33808 | @fastify/express vulnerable to middleware authentication bypass via URL normalization gaps (duplicate slashes and semicolons) | 15.04.2026 | 9.1 |
| CVE-2025-14813 | GOSTCTR implementation unable to process more than 255 blocks correctly | 15.04.2026 | 9.3 |
| CVE-2026-5598 | Non-constant time comparisons risk private key leakage in FrodoKEM. | 15.04.2026 | 10 |
| CVE-2026-3461 | Visa Acceptance Solutions <= 2.1.0 - Unauthenticated Authentication Bypass via Billing Email | 15.04.2026 | 9.8 |
| CVE-2026-1555 | WebStack <= 1.2024 - Unauthenticated Arbitrary File Upload | 15.04.2026 | 9.8 |
| CVE-2026-39842 | OpenRemote is Vulnerable to Expression Injection | 16.04.2026 | 10 |
| CVE-2026-39399 | NuGet Gallery: Arbitrary Blob Overwrite via Nuspec Confusion and URI Fragment Truncation | 15.04.2026 | 9.6 |
| CVE-2026-34457 | OAuth2 Proxy: Health Check User-Agent Matching Bypasses Authentication in auth_request Mode | 15.04.2026 | 9.1 |
| CVE-2026-35031 | Jellyfin: Potential RCE via subtitle upload path traversal + .strm chain | 16.04.2026 | 10 |
| CVE-2026-35033 | Jellyfin: Potential SSRF + Arbitrary file read via stream argument injection | 15.04.2026 | 9.3 |
| CVE-2026-27304 | ColdFusion \| Improper Input Validation (CWE-20) | 15.04.2026 | 9.3 |
| CVE-2026-27243 | Adobe Connect \| Cross-site Scripting (Reflected XSS) (CWE-79) | 14.04.2026 | 9.3 |
| CVE-2026-27245 | Adobe Connect \| Cross-site Scripting (Reflected XSS) (CWE-79) | 14.04.2026 | 9.3 |
| CVE-2026-27246 | Adobe Connect \| Cross-site Scripting (DOM-based XSS) (CWE-79) | 14.04.2026 | 9.3 |
| CVE-2026-27303 | Adobe Connect \| Deserialization of Untrusted Data (CWE-502) | 15.04.2026 | 9.6 |
| CVE-2026-34615 | Adobe Connect \| Deserialization of Untrusted Data (CWE-502) | 15.04.2026 | 9.3 |
| CVE-2026-26149 | Microsoft Power Apps Security Feature Bypass | 16.04.2026 | 9 |
| CVE-2026-33824 | Windows Internet Key Exchange (IKE) Service Extensions Remote Code Execution Vulnerability | 16.04.2026 | 9.8 |
| CVE-2026-39808 | | 15.04.2026 | 9.1 |
| CVE-2026-39813 | | 15.04.2026 | 9.1 |
| CVE-2025-63939 | | 14.04.2026 | 9.8 |
| CVE-2025-65135 | | 14.04.2026 | 9.8 |
| CVE-2026-38526 | | 14.04.2026 | 9.9 |
| CVE-2025-8095 | Recoverable obfuscation using the OECH1 prefix encoding in OpenEdge | 15.04.2026 | 9.1 |
| CVE-2026-2449 | | 14.04.2026 | 9 |
| CVE-2026-40288 | PraisonAI: Critical RCE via `type: job` workflow YAML | 14.04.2026 | 9.8 |
| CVE-2026-40289 | PraisonAI Browser Server allows unauthenticated WebSocket clients to hijack connected extension sessions | 14.04.2026 | 9.1 |
| CVE-2026-40313 | PraisonAI: ArtiPACKED Vulnerability via GitHub Actions Credential Persistence | 14.04.2026 | 9.1 |
| CVE-2026-6264 | Critical Security fix for the Talend JobServer and Talend Runtime | 16.04.2026 | 9.8 |
| CVE-2026-4365 | LearnPress <= 4.3.2.8 - Missing Authorization to Unauthenticated Arbitrary Quiz Answer Deletion | 14.04.2026 | 9.1 |
| CVE-2026-27681 | SQL Injection vulnerability in SAP Business Planning and Consolidation and SAP Business Warehouse | 14.04.2026 | 9.9 |
| CVE-2026-22562 | | 14.04.2026 | 9.8 |
| CVE-2026-22563 | | 14.04.2026 | 9.8 |
| CVE-2026-22564 | | 14.04.2026 | 9.8 |
| CVE-2026-40042 | Pachno 1.0.6 Wiki TextParser XML External Entity Injection | 14.04.2026 | 9.3 |
| CVE-2026-40044 | Pachno 1.0.6 FileCache Deserialization Remote Code Execution | 13.04.2026 | 9.3 |
| CVE-2026-6100 | Use-after-free in lzma.LZMADecompressor, bz2.BZ2Decompressor, and gzip.GzipFile after re-use under memory pressure | 14.04.2026 | 9.1 |
| CVE-2026-6195 | Totolink A7100RU CGI cstecgi.cgi setPasswordCfg os command injection | 13.04.2026 | 9.3 |
| CVE-2026-23891 | Decidim has a Cross-site scripting (XSS) vulnerability via user name field | 14.04.2026 | 9.3 |
| CVE-2026-4810 | Remote Code Execution in Google Agent Development Kit (ADK) | 13.04.2026 | 9.3 |
| CVE-2026-34865 | | 13.04.2026 | 10 |
| CVE-2026-6154 | Totolink A7100RU CGI cstecgi.cgi setWizardCfg os command injection | 13.04.2026 | 9.3 |
| CVE-2026-6155 | Totolink A7100RU CGI cstecgi.cgi setWanCfg os command injection | 14.04.2026 | 9.3 |
| CVE-2026-6156 | Totolink A7100RU CGI cstecgi.cgi setIpQosRules os command injection | 13.04.2026 | 9.3 |
| CVE-2026-6139 | Totolink A7100RU CGI cstecgi.cgi UploadOpenVpnCert os command injection | 14.04.2026 | 9.3 |
| CVE-2026-6140 | Totolink A7100RU CGI cstecgi.cgi UploadFirmwareFile os command injection | 13.04.2026 | 9.3 |
| CVE-2026-6138 | Totolink A7100RU CGI cstecgi.cgi setAccessDeviceCfg os command injection | 13.04.2026 | 9.3 |
| CVE-2026-6132 | Totolink A7100RU CGI cstecgi.cgi setLedCfg os command injection | 13.04.2026 | 9.3 |
| CVE-2026-6131 | Totolink A7100RU CGI cstecgi.cgi setTracerouteCfg os command injection | 14.04.2026 | 9.3 |
| CVE-2019-25709 | CF Image Hosting Script 1.6.5 Unauthorized Database Access | 15.04.2026 | 9.3 |
| CVE-2026-6115 | Totolink A7100RU CGI cstecgi.cgi setAppCfg os command injection | 13.04.2026 | 9.3 |
| CVE-2026-6116 | Totolink A7100RU CGI cstecgi.cgi setDiagnosisCfg os command injection | 13.04.2026 | 9.3 |
| CVE-2026-6112 | Totolink A7100RU CGI cstecgi.cgi setRadvdCfg os command injection | 15.04.2026 | 9.3 |
| CVE-2026-6113 | Totolink A7100RU CGI cstecgi.cgi setTtyServiceCfg os command injection | 14.04.2026 | 9.3 |
| CVE-2026-6114 | Totolink A7100RU CGI cstecgi.cgi setNetworkCfg os command injection | 14.04.2026 | 9.3 |
| CVE-2026-31845 | | 13.04.2026 | 9.3 |
| CVE-2026-4149 | Sonos Era 300 SMB Response Out-Of-Bounds Access Remote Code Execution Vulnerability | 13.04.2026 | 10 |
| CVE-2026-5058 | aws-mcp-server Command Injection Remote Code Execution Vulnerability | 13.04.2026 | 9.8 |
| CVE-2026-5059 | aws-mcp-server AWS CLI Command Injection Remote Code Execution Vulnerability | 13.04.2026 | 9.8 |
| CVE-2026-40189 | goshs has a file-based ACL authorization bypass in goshs state-changing routes | 13.04.2026 | 9.3 |
| CVE-2026-40175 | Axios has Unrestricted Cloud Metadata Exfiltration via Header Injection Chain | 14.04.2026 | 10 |
| CVE-2026-40177 | Password bypass when 2FA is activated | 14.04.2026 | 9.3 |
| CVE-2026-33707 | Weak Password Recovery Mechanism for Forgotten Password in chamilo/chamilo-lms | 13.04.2026 | 9.4 |
| CVE-2026-33698 | Chamilo LMS affected by unauthenticated RCE in main/install folder | 15.04.2026 | 9.3 |
| CVE-2026-32892 | OS Command Injection in Chamilo LMS 1.11.36 | 14.04.2026 | 9.1 |
| CVE-2026-40157 | PraisonAI affected by arbitrary file write via path traversal in `praisonai recipe unpack` | 14.04.2026 | 9.4 |
| CVE-2026-5412 | Juju CloudSpec API could leak sensitive information | 10.04.2026 | 9.9 |
| CVE-2026-1115 | Stored XSS in parisneo/lollms | 10.04.2026 | 9.6 |
| CVE-2026-6028 | Totolink A7100RU CGI cstecgi.cgi setPptpServerCfg os command injection | 10.04.2026 | 9.3 |
| CVE-2026-6029 | Totolink A7100RU CGI cstecgi.cgi setVpnAccountCfg os command injection | 10.04.2026 | 9.3 |
| CVE-2026-6026 | Totolink A7100RU CGI cstecgi.cgi setPortalConfWeChat os command injection | 10.04.2026 | 9.3 |
| CVE-2026-6027 | Totolink A7100RU CGI cstecgi.cgi setUrlFilterRules os command injection | 14.04.2026 | 9.3 |
| CVE-2026-6025 | Totolink A7100RU CGI cstecgi.cgi setSyslogCfg os command injection | 10.04.2026 | 9.3 |
| CVE-2026-5996 | Totolink A7100RU CGI cstecgi.cgi setAdvancedInfoShow os command injection | 14.04.2026 | 9.3 |
| CVE-2026-5997 | Totolink A7100RU CGI cstecgi.cgi setLoginPasswordCfg os command injection | 10.04.2026 | 9.3 |
| CVE-2026-5993 | Totolink A7100RU CGI cstecgi.cgi setWiFiGuestCfg os command injection | 14.04.2026 | 9.3 |
| CVE-2026-5994 | Totolink A7100RU CGI cstecgi.cgi setTelnetCfg os command injection | 10.04.2026 | 9.3 |
| CVE-2026-5995 | Totolink A7100RU CGI cstecgi.cgi setMiniuiHomeInfoShow os command injection | 10.04.2026 | 9.3 |
| CVE-2026-34424 | Smart Slider 3 Pro 3.5.1.35 Supply Chain Attack Remote Access Toolkit | 14.04.2026 | 9.3 |
| CVE-2026-33771 | CTP OS: Configuring password requirements does not work which permits the use of weak passwords | 13.04.2026 | 9.1 |
| CVE-2026-33784 | JSI Virtual Lightweight Collector: Default password is not required to be changed which allows unauthorized high-privileged access | 13.04.2026 | 9.3 |
| CVE-2026-40154 | PraisonAI Affected by Untrusted Remote Template Code Execution | 10.04.2026 | 9.3 |
| CVE-2026-40111 | PraisonAIAgents has an OS Command Injection via shell=True in Memory Hooks Executor (memory/hooks.py) | 13.04.2026 | 9.3 |
| CVE-2026-5977 | Totolink A7100RU CGI cstecgi.cgi setWiFiBasicCfg os command injection | 14.04.2026 | 9.3 |
| CVE-2026-5978 | Totolink A7100RU CGI cstecgi.cgi setWiFiAclRules os command injection | 14.04.2026 | 9.3 |
| CVE-2026-5976 | Totolink A7100RU CGI cstecgi.cgi setStorageCfg os command injection | 13.04.2026 | 9.3 |
| CVE-2025-13926 | Contemporary Controls BASC 20T Reliance on Untrusted Inputs in a Security Decision | 10.04.2026 | 9.3 |
| CVE-2026-40088 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in praisonai | 09.04.2026 | 9.7 |
| CVE-2026-40089 | Sonicverse has Server-Side Request Forgery via user-controlled URLs in dashboard API client | 13.04.2026 | 9.9 |
| CVE-2026-5194 | wolfSSL ECDSA Certificate Verification | 10.04.2026 | 9.3 |
| CVE-2026-5975 | Totolink A7100RU CGI cstecgi.cgi setDmzCfg os command injection | 09.04.2026 | 9.3 |
| CVE-2026-28205 | Initialization of a resource with an insecure default in OpenPLC_V3 | 10.04.2026 | 9.2 |
| CVE-2026-34971 | Wasmtime miscompiled guest heap access enables sandbox escape on aarch64 Cranelift | 13.04.2026 | 9 |
| CVE-2026-34987 | Wasmtime with Winch compiler backend on aarch64 may allow a sandbox-escaping memory access | 10.04.2026 | 9 |
| CVE-2026-35556 | Plaintext storage of a password in OpenPLC_V3 | 10.04.2026 | 9.2 |
| CVE-2026-39912 | v2board / Xboard Authentication Token Exposure via loginWithMailLink | 13.04.2026 | 9.1 |