CVE Field Guide

Critical CVEs

CVE Title Updated Score
CVE-2016-20052 Snews CMS 1.7 Unrestricted File Upload via snews_files 04.04.2026 9.3
CVE-2018-25254 NICO-FTP 3.0.1.19 Buffer Overflow SEH 04.04.2026 9.3
CVE-2026-35616 04.04.2026 9.1
CVE-2017-20236 ProSoft Technology ICX35-HWC Command Injection via Web Interface 03.04.2026 9.3
CVE-2026-34938 PraisonAI: Python Sandbox Escape via str Subclass startswith() Override in execute_code 03.04.2026 10
CVE-2026-34952 PraisonAI: Missing Authentication in WebSocket Gateway 03.04.2026 9.1
CVE-2026-34953 PraisonAI: Authentication Bypass in OAuthManager.validate_token() 03.04.2026 9.1
CVE-2017-20234 GarrettCom Magnum 6K and 10K Authentication Bypass via Hardcoded String 03.04.2026 9.3
CVE-2018-25236 Hirschmann HiOS HiSecOS Authentication Bypass via HTTP Management 03.04.2026 9.3
CVE-2021-4477 Hirschmann HiLCOS OpenBAT BAT450 IPv6 IPsec Firewall Bypass 03.04.2026 9.3
CVE-2026-34612 Kestra: Remote Code Execution via SQL Injection 03.04.2026 10
CVE-2026-34934 PraisonAI: Second-Order SQL Injection in `get_all_user_threads` 03.04.2026 9.8
CVE-2026-34935 PraisonAI: OS Command Injection in MCPHandler.parse_mcp_command() 03.04.2026 9.8
CVE-2018-25237 Hirschmann HiSecOS Buffer Overflow via HTTPS Login 03.04.2026 9.3
CVE-2017-20237 Hirschmann Industrial HiVision Authentication Bypass Remote Code Execution 03.04.2026 9.3
CVE-2026-25197 Gardyn Cloud API Authorization Bypass Through User-Controlled Key 03.04.2026 9.3
CVE-2026-28766 Gardyn Cloud API Missing Authentication for Critical Function 03.04.2026 9.2
CVE-2026-35560 Improper certificate validation in identity provider connection components in Amazon Athena ODBC driver 03.04.2026 9.1
CVE-2026-35561 Insufficient authentication security controls in browser-based authentication components in Amazon Athena ODBC driver 03.04.2026 9.1
CVE-2026-28798 Arbitrary internal service access via /v1/sys/proxy when Cloudflare Tunnel is enabled on ZimaOS 03.04.2026 9.1
CVE-2026-0545 Missing Authentication for Critical Function in mlflow/mlflow 03.04.2026 9.1
CVE-2026-35216 Budibase: Unauthenticated Remote Code Execution via Webhook Trigger and Bash Automation Step 03.04.2026 9.1
CVE-2026-31818 Budibase: Server-Side Request Forgery via REST Connector with Empty Default Blacklist 03.04.2026 9.6
CVE-2026-5463 03.04.2026 9.3
CVE-2026-26135 Azure Custom Locations Resource Provider (RP) Elevation of Privilege Vulnerability 04.04.2026 9.6
CVE-2026-32211 Azure MCP Server Information Disclosure Vulnerability 04.04.2026 9.1
CVE-2026-32213 Azure AI Foundry Elevation of Privilege Vulnerability 04.04.2026 10
CVE-2026-33105 Microsoft Azure Kubernetes Service Elevation of Privilege Vulnerability 04.04.2026 10
CVE-2026-33107 Azure Databricks Elevation of Privilege Vulnerability 04.04.2026 10
CVE-2025-15620 HiOS Switch Platform Denial-of-Service via Web Interface 03.04.2026 9.2
CVE-2024-14034 Hirschmann HiEOS Authentication Bypass via HTTP Management Module 03.04.2026 9.3
CVE-2026-34838 Group-Office: Authenticated Remote Code Execution via PHP Insecure Deserialization in `AbstractSettingsCollection` 03.04.2026 10
CVE-2026-35053 OneUptime: Unauthenticated Workflow Execution via ManualAPI 03.04.2026 9.2
CVE-2026-34745 Unauthenticated Path Traversal Arbitrary File Write in /api/uploadChunked/public 02.04.2026 9.1
CVE-2026-34758 OneUptime: Missing Authentication on Notification Endpoints 03.04.2026 9.1
CVE-2026-34759 OneUptime: Unauthenticated notification API endpoints - financial abuse via phone number purchase, service disruption, and SMTP credential exposure 03.04.2026 9.2
CVE-2026-34717 OpenProject: SQL Injection in Cost Reporting =n Operator via parse_number_string 03.04.2026 9.9
CVE-2026-33950 signalk-server: Privilege Escalation by Admin Role Injection via /enableSecurity 03.04.2026 9.4
CVE-2026-33746 Convoy: JWT Signature Verification Bypass Allows Authentication as Arbitrary Users 02.04.2026 9.8
CVE-2026-32871 FastMCP OpenAPI Provider has an SSRF & Path Traversal Vulnerability 02.04.2026 10
CVE-2026-35002 Agno < 2.3.24 field_type Eval Injection Arbitrary Code Execution 02.04.2026 9.3
CVE-2026-2699 EAR vulnerability in Progress ShareFile Storage Zones Controller (SZC) 03.04.2026 9.8
CVE-2026-2701 RCE vulnerability in Progress ShareFile Storage Zones Controller (SZC) 03.04.2026 9.1
CVE-2026-33615 MB connect line mbCONNECT24 vulnerable to an unauthenticated SQL injection in the setinfo Endpoint 02.04.2026 9.1
CVE-2026-34563 CI4MS: Backup Management Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM Blind XSS 02.04.2026 9.1
CVE-2026-34564 CI4MS: Menu Management (Pages) Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS 02.04.2026 9.1
CVE-2026-34565 CI4MS: Menu Management (Posts) Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS 02.04.2026 9.1
CVE-2026-34566 CI4MS: Pages Management Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS 04.04.2026 9.1
CVE-2026-34567 CI4MS: Blogs Posts (Categories) Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS 02.04.2026 9.1
CVE-2026-34568 CI4MS: Blogs Posts Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS 02.04.2026 9.1
CVE-2026-34569 CI4MS: Blogs Categories Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS 02.04.2026 10
CVE-2026-34570 CI4MS: Account Deletion Module Full Persistent Unauthorized Access for All-Roles via Improper Session Invalidation (Logic Flaw) 03.04.2026 10
CVE-2026-34571 CI4MS: Stored Cross-Site Scripting (Stored XSS) in Backend User Management Allows Session Hijacking and Full Administrative Account Compromise 02.04.2026 10
CVE-2026-34559 CI4MS: Blogs Tags Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS 02.04.2026 9.1
CVE-2026-34560 CI4MS: Logs Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS 02.04.2026 9.1
CVE-2026-34456 Reviactyl: OAuth account takeover via auto-linking 02.04.2026 9.1
CVE-2026-34751 Payload has Unvalidated Input in Password Recovery Endpoints 04.04.2026 9.1
CVE-2026-34159 llama.cpp: Unauthenticated RCE via GRAPH_COMPUTE buffer=0 bypass in llama.cpp RPC backend 02.04.2026 9.8
CVE-2026-20093 Cisco Integrated Management Controller Authentication Bypass Vulnerability 02.04.2026 9.8
CVE-2026-20160 Cisco Smart Software Manager On-Prem Arbitrary Command Execution Vulnerability 02.04.2026 9.8
CVE-2026-29014 MetInfo CMS Unauthenticated PHP Code Injection RCE 03.04.2026 9.3
CVE-2026-4370 Improper TLS Client/Server authentication and certificate verification on Database Cluster 01.04.2026 10
CVE-2025-71279 XenForo Passkey Security Bypass 01.04.2026 9.3
CVE-2026-34448 SiYuan: Stored XSS in Attribute View gallery/kanban cover rendering allows arbitrary command execution in the desktop client 03.04.2026 9.1
CVE-2026-34449 SiYuan: Cross-Origin RCE via Permissive CORS Policy and JavaScript Snippet Injection 01.04.2026 9.7
CVE-2026-34406 APTRS: Privilege Escalation via Mass Assignment of is_superuser in User Edit Endpoint 03.04.2026 9.4
CVE-2026-1579 PX4 Autopilot Missing authentication for critical function 31.03.2026 9.3
CVE-2026-3356 Missing Authentication for Critical Function vulnerability in Anritsu Remote Spectrum Monitor 01.04.2026 9.3
CVE-2026-34361 HAPI FHIR: Unauthenticated SSRF via /loadIG Chains with startsWith() Credential Leak for Authentication Token Theft 31.03.2026 9.3
CVE-2026-34243 wenxian: Command Injection in GitHub Actions Workflow via `issue_comment.body` 02.04.2026 9.8
CVE-2026-34220 MikroORM is vulnerable to SQL Injection via specially crafted object 02.04.2026 9.3
CVE-2026-0596 Command Injection in mlflow/mlflow 01.04.2026 9.6
CVE-2026-34532 Parse Server: Cloud function validator bypass via prototype chain traversal 31.03.2026 9.1
CVE-2026-34162 FastGPT: Unauthenticated SSRF via httpTools Endpoint Leads to Internal API Key Theft 31.03.2026 10
CVE-2026-34202 Zebra node crash — V5 transaction hash panic (P2P reachable) 31.03.2026 9.2
CVE-2026-34156 NocoBase Affected by Sandbox Escape to RCE via console._stdout Prototype Chain Traversal in Workflow Script Node 02.04.2026 10
CVE-2026-32916 OpenClaw 2026.3.7 < 2026.3.11 - Authorization Bypass in Plugin Subagent Routes via Synthetic Admin Scopes 31.03.2026 9.2
CVE-2026-32917 OpenClaw < 2026.3.13 - Remote Command Injection via Unsanitized iMessage Attachment Paths in SCP 31.03.2026 9.2
CVE-2026-4317 SQL injection in Umami Software application 31.03.2026 9.3
CVE-2026-3106 Multiple vulnerabilities in Teampass 31.03.2026 9.3
CVE-2026-3107 Multiple vulnerabilities in Teampass 31.03.2026 9.3
CVE-2026-32714 SciTokens vulnerable to SQL Injection in KeyCache 31.03.2026 9.8
CVE-2026-3300 Everest Forms Pro <= 1.9.12 - Unauthenticated Remote Code Execution via Calculation Field 31.03.2026 9.8
CVE-2026-21861 baserCMS: OS Command Injection Leading to Remote Code Execution (RCE) 31.03.2026 9.1
CVE-2026-30877 baserCMS: OS Command Injection in the baserCMS Update Functionality 02.04.2026 9.1
CVE-2026-30880 baserCMS: OS command injection vulnerability in installer 31.03.2026 9.2
CVE-2026-4257 Contact Form by Supsystic <= 1.7.36 - Unauthenticated Server-Side Template Injection via Prefill Functionality 31.03.2026 9.8
CVE-2026-31946 OpenOLAT: Authentication bypass via forged JWT in OIDC implicit flow 31.03.2026 9.8
CVE-2026-34557 CI4MS: Permissions Management Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS 31.03.2026 9.1
CVE-2026-34558 CI4MS: Methods Management Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS 31.03.2026 9.1
CVE-2026-33026 nginx-ui Backup Restore Allows Tampering with Encrypted Backups 31.03.2026 9.4
CVE-2026-34714 03.04.2026 9.2
CVE-2026-33032 Nginx UI: Unauthenticated MCP Endpoint Allows Remote Nginx Takeover 30.03.2026 9.8
CVE-2026-4415 GIGABYTE|Gigabyte Control Center - Arbitrary File Write 31.03.2026 9.2
CVE-2025-15379 Command Injection in mlflow/mlflow 31.03.2026 10
CVE-2025-15036 Path Traversal Vulnerability in mlflow/mlflow 31.03.2026 9.6
CVE-2026-32915 OpenClaw < 2026.3.11 - Sandbox Boundary Bypass via Subagent Control Surface 30.03.2026 9.3
CVE-2026-32918 OpenClaw < 2026.3.11 - Session Sandbox Escape via session_status Tool 30.03.2026 9.2
CVE-2026-32922 OpenClaw < 2026.3.11 - Privilege Escalation via Unvalidated Scope in device.token.rotate 30.03.2026 9.4
CVE-2026-32978 OpenClaw < 2026.3.11 - Approval Bypass via Unrecognized Script Runners 30.03.2026 9.4
CVE-2026-32987 OpenClaw < 2026.3.13 - Bootstrap Setup Code Replay via Device Pairing 30.03.2026 9.3

Latest Updates

CVE Title Updated Score
CVE-2016-20050 NetSchedScan 1.0 Buffer Overflow Denial of Service 04.04.2026
CVE-2016-20051 Snews CMS 1.7 Cross-Site Request Forgery via changeup 04.04.2026
CVE-2016-20052 Snews CMS 1.7 Unrestricted File Upload via snews_files 04.04.2026
CVE-2016-20053 Redaxo CMS 5.2 Cross-Site Request Forgery via users endpoint 04.04.2026
CVE-2016-20055 IObit Advanced SystemCare 10.0.2 Unquoted Service Path Privilege Escalation 04.04.2026
CVE-2016-20056 Spy Emergency build 23.0.205 Unquoted Service Path Privilege Escalation 04.04.2026
CVE-2016-20057 NETGATE Registry Cleaner build 16.0.205 Unquoted Service Path Privilege Escalation 04.04.2026
CVE-2016-20058 Netgate AMITI Antivirus build 23.0.305 Unquoted Service Path Privilege Escalation 04.04.2026
CVE-2016-20059 IObit Malware Fighter 4.3.1 Unquoted Service Path Privilege Escalation 04.04.2026
CVE-2016-20060 Hotspot Shield 6.0.3 Unquoted Service Path Privilege Escalation 04.04.2026
CVE-2016-20061 sheed AntiVirus 2.3 Unquoted Service Path Privilege Escalation 04.04.2026
CVE-2018-25238 Microsoft VSCO 1.1.1.0 Denial of Service via Search 04.04.2026
CVE-2018-25239 Microsoft Smart VPN 1.1.3.0 Denial of Service via Search 04.04.2026
CVE-2018-25240 Microsoft Watchr 1.1.0.0 Denial of Service via Search 04.04.2026
CVE-2018-25241 Microsoft VPN Browser+ 1.1.0.0 Denial of Service 04.04.2026
CVE-2018-25242 Microsoft One Search 1.1.0.0 Denial of Service 04.04.2026
CVE-2018-25243 Microsoft FastTube 1.0.1.0 Denial of Service via Search 04.04.2026
CVE-2018-25244 Microsoft Eco Search 1.0.2.0 Denial of Service 04.04.2026
CVE-2018-25245 Microsoft 7 Tik 1.0.1.0 Denial of Service via Search 04.04.2026
CVE-2018-25247 MyBB Like Plugin 3.0.0 Cross-Site Scripting via User Profiles 04.04.2026
CVE-2018-25248 MyBB Downloads Plugin 2.0.3 Persistent XSS via downloads.php 04.04.2026
CVE-2018-25249 MyBB My Arcade Plugin 1.3 Persistent XSS via Comment 04.04.2026
CVE-2018-25250 MyBB Last User's Threads in Profile Plugin 1.2 Persistent XSS 04.04.2026
CVE-2018-25251 Snes9K 0.0.9z Buffer Overflow SEH via Netplay Socket 04.04.2026
CVE-2018-25252 FTP Voyager 16.2.0 Denial of Service via Malformed Site Profile 04.04.2026
CVE-2018-25253 Termite 3.4 Denial of Service via Settings Buffer Overflow 04.04.2026
CVE-2018-25254 NICO-FTP 3.0.1.19 Buffer Overflow SEH 04.04.2026
CVE-2018-25255 10-Strike LANState 8.8 Local Buffer Overflow SEH 04.04.2026
CVE-2025-14938 Listeo-Core - Directory Plugin by Purethemes <= 2.0.27 - Unauthenticated Arbitrary Media Upload 04.04.2026 5.3
CVE-2026-0626 WPFunnels <= 3.7.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'wpf_optin_form' Shortcode 04.04.2026 6.4
CVE-2026-1233 Text to Speech (TTS) by Mementor <= 1.9.8 - Use of Hardcoded Password to Unauthenticated Remote Database Access 04.04.2026 7.5
CVE-2026-2936 Visitor Traffic Real Time Statistics <= 8.4 - Unauthenticated Stored Cross-Site Scripting 04.04.2026 7.2
CVE-2026-3309 Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress <= 4.16.11 - Unauthenticated Arbitrary Shortcode Execution via Checkout Billing Fields 04.04.2026 6.5
CVE-2026-3666 wpForo Forum <= 2.4.16 - Authenticated (Subscriber+) Arbitrary File Deletion via Post Body 04.04.2026 8.8
CVE-2026-2437 WP Travel Engine - Travel and Tour Booking Plugin <= 6.7.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via wte_trip_tax Shortcode 04.04.2026 6.4
CVE-2026-2826 Kadence Blocks — Page Builder Toolkit for Gutenberg Editor <= 3.6.3 - Missing Authorization to Authenticated (Contributor+) Media Upload 04.04.2026 4.3
CVE-2026-3445 Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress <= 4.16.11 - Missing Authorization to Authenticated (Subscriber+) Membership Payment Bypass 04.04.2026 7.1
CVE-2026-5425 Widgets for Social Photo Feed <= 1.7.9 - Unauthenticated Stored Cross-Site Scripting via feed_data 04.04.2026 7.2
CVE-2025-13368 Xpro Addons — 140+ Widgets for Elementor <= 1.4.20 - Authenticated (Contributor+) Stored Cross-Site Scripting 04.04.2026 6.4
CVE-2025-15064 Ultimate Member <= 2.11.1 - Authenticated (Subscriber+) Stored Cross-Site Scripting via DOM Gadgets 04.04.2026 6.4
CVE-2026-0552 Simple Shopping Cart <= 5.2.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'wpsc_display_product' Shortcode 04.04.2026 6.4
CVE-2026-0664 Royal Elementor Addons <= 1.7.1049 - Authenticated (Contributor+) Stored Cross-Site Scripting via REST API Meta Bypass 04.04.2026 6.4
CVE-2026-0737 Shortcodes Ultimate <= 7.4.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'su_lightbox' Shortcode 04.04.2026 6.4
CVE-2026-0738 Shortcodes Ultimate <= 7.4.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'su_carousel' Shortcode 04.04.2026 6.4
CVE-2026-2600 ElementsKit Elementor Addons and Templates <= 3.7.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Simple Tab Widget 04.04.2026 6.4
CVE-2026-4896 WCFM - WooCommerce Frontend Manager <= 6.7.25 - Insecure Direct Object References to Authenticated (Vendor+) Arbitrary Post/Product Manipulation 04.04.2026 8.1
CVE-2026-2924 Gutenverse – Ultimate WordPress FSE Blocks Addons & Ecosystem <= 3.4.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'imageLoad' 04.04.2026 6.4
CVE-2026-2949 Xpro Addons — 140+ Widgets for Elementor <= 1.4.24 - Authenticated (Contributor+) Stored Cross-Site Scripting via Icon Box Widget 04.04.2026 6.4
CVE-2026-3571 Pie Register – User Registration, Profiles & Content Restriction <= 3.8.4.8 - Missing Authorization to Unauthenticated Registration Form Status Modification 04.04.2026 6.5
CVE-2026-34780 Electron: Context Isolation bypass via contextBridge VideoFrame transfer 04.04.2026 8.4
CVE-2026-35616 04.04.2026 9.1
CVE-2026-34773 Electron: Registry key path injection in app.setAsDefaultProtocolClient on Windows 03.04.2026 4.7
CVE-2026-34774 Electron: Use-after-free in offscreen child window paint callback 03.04.2026 8.1
CVE-2026-34775 Electron: nodeIntegrationInWorker not correctly scoped in shared renderer processes 03.04.2026 6.8
CVE-2026-34776 Electron: Out-of-bounds read in second-instance IPC on macOS and Linux 03.04.2026 5.3
CVE-2026-34777 Electron: Incorrect origin passed to permission request handler for iframe requests 03.04.2026 5.4
CVE-2026-34778 Electron: Service worker can spoof executeJavaScript IPC replies 03.04.2026 5.9
CVE-2026-34779 Electron: AppleScript injection in app.moveToApplicationsFolder on macOS 04.04.2026 6.5
CVE-2026-34766 Electron: USB device selection not validated against filtered device list 03.04.2026 3.3
CVE-2026-34767 Electron: HTTP Response Header Injection in custom protocol handlers and webRequest 03.04.2026 5.9
CVE-2026-34768 Electron: Unquoted executable path in app.setLoginItemSettings on Windows 03.04.2026 3.9
CVE-2026-34770 Electron: Use-after-free in PowerMonitor on Windows and macOS 03.04.2026 7
CVE-2026-34771 Electron: Use-after-free in WebContents fullscreen, pointer-lock, and keyboard-lock permission callbacks 03.04.2026 7.5
CVE-2026-34772 Electron: Use-after-free in download save dialog callback 03.04.2026 5.8
CVE-2026-34769 Electron: Renderer command-line switch injection via undocumented commandLineSwitches webPreference 03.04.2026 7.8
CVE-2026-34955 PraisonAI: Sandbox Escape via shell=True and Bypassable Blocklist in SubprocessSandbox 03.04.2026 8.8
CVE-2017-20235 ProSoft Technology ICX35-HWC Authentication Bypass 03.04.2026 8.8
CVE-2017-20236 ProSoft Technology ICX35-HWC Command Injection via Web Interface 03.04.2026 9.8
CVE-2026-34936 PraisonAI: SSRF via Unvalidated api_base in passthrough() Fallback 03.04.2026 7.7
CVE-2026-34937 PraisonAI: Shell Injection in run_python() via Unescaped $() Substitution 03.04.2026 7.8
CVE-2026-34938 PraisonAI: Python Sandbox Escape via str Subclass startswith() Override in execute_code 03.04.2026 10
CVE-2026-34939 PraisonAI: ReDoS via Unvalidated User-Controlled Regex in MCPToolIndex.search_tools() 03.04.2026 6.5
CVE-2026-34952 PraisonAI: Missing Authentication in WebSocket Gateway 03.04.2026 9.1
CVE-2026-34953 PraisonAI: Authentication Bypass in OAuthManager.validate_token() 03.04.2026 9.1
CVE-2026-34954 PraisonAI: SSRF in FileTools.download_file() via Unvalidated URL 03.04.2026 8.6
CVE-2017-20233 Hirschmann HiLCOS Layer-2 Firewall Multicast Broadcast Traffic Bypass 03.04.2026 5.4
CVE-2017-20234 GarrettCom Magnum 6K and 10K Authentication Bypass via Hardcoded String 03.04.2026 9.8
CVE-2018-25236 Hirschmann HiOS HiSecOS Authentication Bypass via HTTP Management 03.04.2026 9.8
CVE-2021-4477 Hirschmann HiLCOS OpenBAT BAT450 IPv6 IPsec Firewall Bypass 03.04.2026
CVE-2026-34229 Emlog: Stored XSS in Comment Module via URI Scheme Validation Bypass 03.04.2026 6.1
CVE-2026-34607 Emlog: Path Traversal in emUnZip() allows arbitrary file write leading to RCE 03.04.2026 7.2
CVE-2026-34612 Kestra: Remote Code Execution via SQL Injection 03.04.2026 10
CVE-2026-34787 Emlog: Local File Inclusion in plugin.php via unsanitized plugin parameter 03.04.2026 6.5
CVE-2026-34788 Emlog: SQL Injection in tag_model::updateTagName() via unsanitized parameters 03.04.2026 6.5
CVE-2026-34824 Mesop: Unbounded Thread Creation in WebSocket Handler Leads to Denial of Service 03.04.2026 7.5
CVE-2026-34933 Avahi: Reachable assertion in `transport_flags_from_domain()` via conflicting publish flags crashes avahi-daemon 03.04.2026 5.5
CVE-2026-34934 PraisonAI: Second-Order SQL Injection in `get_all_user_threads` 03.04.2026 9.8
CVE-2026-34935 PraisonAI: OS Command Injection in MCPHandler.parse_mcp_command() 03.04.2026 9.8
CVE-2026-34228 Emlog: CSRF in Backend Upgrade Interface Leading to Arbitrary Remote SQL Execution and Arbitrary File Write 03.04.2026
CVE-2017-20238 Hirschmann Industrial HiVision Improper Authorization Privilege Escalation 03.04.2026 7.1
CVE-2026-33184 nimiq/core-rs-albatross: Discovery handshake limit could underflow and later provoke a deterministic overflow panic 03.04.2026 7.5
CVE-2026-34052 LTI JupyterHub Authenticator: Unbounded Memory Growth via Nonce Storage (Denial of Service) 03.04.2026 5.9
CVE-2026-34061 nimiq/core-rs-albatross: Macro block proposal interlink bug 03.04.2026 4.9
CVE-2026-35468 nimiq/core-rs-albatross: Panic in history index request handlers when a full node runs without the history index 03.04.2026 5.3
CVE-2016-15058 Hirschmann HiLCOS Classic Platform Password Exposure via SNMP 03.04.2026 8.1
CVE-2026-33175 OAuthenticator: Authentication Bypass in Auth0OAuthenticator via Unverified Email Claims 03.04.2026 8.8
CVE-2026-33709 JupyterHub has an Open Redirect Vulnerability 03.04.2026
CVE-2015-10148 Hirschmann HiLCOS Hard-coded Credentials SSH SSL Keys 03.04.2026 7.5
CVE-2026-27885 Piwigo: SQL Injection in Activity.getList 03.04.2026 7.2
CVE-2026-28797 RAGFlow: Server-Side Template Injection (SSTI) leading to Remote Code Execution (RCE) in Agent "Text Processing" Component 03.04.2026
CVE-2018-25237 Hirschmann HiSecOS Buffer Overflow via HTTPS Login 03.04.2026 9.8
CVE-2026-27456 util-linux: TOCTOU Race Condition in util-linux mount(8) - Loop Device Setup 03.04.2026 4.7
CVE-2026-27481 Discourse: Hidden tag visibility bypass on tag routes 03.04.2026
CVE-2026-27634 Piwigo: Pre-auth SQL injection via date filter parameters in ws_std_image_sql_filter 03.04.2026
CVE-2026-27833 Piwigo: Unauthenticated Information Disclosure via pwg.history.search API 03.04.2026 7.5
CVE-2026-27834 Piwigo: SQL Injection in pwg.users.getList API Method via filter Parameter 03.04.2026 7.2
CVE-2026-34947 Discourse: Staged user custom fields are exposed on public invite pages 03.04.2026
CVE-2026-27447 OpenPrinting CUPS: Authorization bypass via case-insensitive group-member lookup 03.04.2026 4.8
CVE-2026-34978 OpenPrinting CUPS: Path traversal in RSS notify-recipient-uri enables file write outside CacheDir/rss (and clobbering of job.cache) 03.04.2026 6.5
CVE-2026-34979 OpenPrinting CUPS: Heap overflow in `get_options()` 03.04.2026 5.3
CVE-2026-34980 OpenPrinting CUPS: Shared PostScript queue lets anonymous Print-Job requests reach `lp` code execution over the network 03.04.2026
CVE-2026-34990 OpenPrinting CUPS: Local print admin token disclosure using temporary printers 03.04.2026
CVE-2017-20237 Hirschmann Industrial HiVision Authentication Bypass Remote Code Execution 03.04.2026 9.8
CVE-2026-26058 Zulip: Path Traversal in Import 03.04.2026 6.1
CVE-2026-34511 OpenClaw < 2026.4.2 - PKCE Verifier Exposure via OAuth State Parameter 03.04.2026
CVE-2025-10681 Gardyn Mobile Application and Device Firmware Use Hard-coded Credentials 03.04.2026
CVE-2026-22661 prompts.chat Path Traversal via Skill File Handling 03.04.2026
CVE-2026-22662 prompts.chat Blind SSRF via media-generate 03.04.2026
CVE-2026-22663 prompts.chat Authorization Bypass Information Disclosure 03.04.2026
CVE-2026-22664 prompts.chat SSRF via Fal.ai Media Status Polling 03.04.2026
CVE-2026-22665 prompts.chat Identity Confusion via Case-Sensitive Username Handling 03.04.2026
CVE-2026-25197 Gardyn Cloud API Authorization Bypass Through User-Controlled Key 03.04.2026
CVE-2026-28766 Gardyn Cloud API Missing Authentication for Critical Function 03.04.2026
CVE-2020-37216 Hirschmann HiOS EtherNet/IP Stack Denial of Service 04.04.2026 7.5
CVE-2022-4987 Hirschmann Industrial HiVision External Application Path Hijacking Leading to Arbitrary Code Execution 03.04.2026 7.3
CVE-2026-25742 Zulip: Anonymous File Access After Disabling Spectator Access 03.04.2026 5.3
CVE-2026-28767 Gardyn Cloud API Missing Authentication for Critical Function 03.04.2026
CVE-2026-32646 Gardyn Cloud API Missing Authentication for Critical Function 03.04.2026
CVE-2026-32662 Gardyn Cloud API Active Debug Code 03.04.2026
CVE-2026-35558 Improper neutralization of special elements in authentication components in Amazon Athena ODBC driver 03.04.2026 7.8
CVE-2026-35559 Out-of-bounds write in query processing components in Amazon Athena ODBC driver 03.04.2026 6.5
CVE-2026-35560 Improper certificate validation in identity provider connection components in Amazon Athena ODBC driver 03.04.2026 7.4
CVE-2026-35561 Insufficient authentication security controls in browser-based authentication components in Amazon Athena ODBC driver 03.04.2026 7.4
CVE-2026-35562 Allocation of resources without limits in parsing components in Amazon Athena ODBC driver 03.04.2026 7.5
CVE-2026-5485 OS command injection in Amazon Athena ODBC driver on Linux 03.04.2026 7.8