CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
Feed totals: 10671 entries (727 critical, 3077 high, 3393 medium). Entries shown as severity UNKNOWN with no score have no CVSS rating in the feed yet.
| CVE ID | Severity | CVSS score | Description | Published |
|---|---|---|---|---|
| CVE-2025-55449 | UNKNOWN | — | AstrBotDevs AstrBot 3.5.15 has Advanced_System_for_Text_Response_and_Bot_Operations_Tool as the hardcoded private key used to sign a JWT. | May 08, 2026 |
| CVE-2023-46453 | UNKNOWN | — | Certain GL.iNet devices with 4.x firmware allow authentication bypass (resulting in administrative control of the device) via a username that is both a valid SQL … | May 08, 2026 |
| CVE-2024-53326 | UNKNOWN | — | LINQPad before 5.52.01 Pro edition is vulnerable to Unsafe Deserialization in LINQPad.AutoRefManager::PopulateFromCache(), leading to code execution. | May 08, 2026 |
| CVE-2024-51092 | CRITICAL | 9.1 | LibreNMS before 24.10.0 allows a remote attacker to execute arbitrary code via OS command injection involving AboutController.php's index(), SettingsController.php's update(), and PollDevice.php's initRrdDirectory(). | May 08, 2026 |
| CVE-2024-46508 | UNKNOWN | — | yeti-platform yeti before 2.1.12 allows attackers to generate valid JWT tokens if the secret is not changed (by setting YETI_AUTH_SECRET_KEY to a value other than … | May 08, 2026 |
| CVE-2024-46507 | UNKNOWN | — | A SSTI (server side template injection) vulnerability in the custom template export function in yeti-platform yeti before 2.1.12 allows attackers to execute code on the … | May 08, 2026 |
| CVE-2024-45257 | UNKNOWN | — | A Command Injection issue in the payload build page in BYOB (Build Your Own Botnet) 2.0 allows attackers to execute arbitrary commands on the server … | May 08, 2026 |
| CVE-2024-33724 | UNKNOWN | — | SOPlanning 1.52.00 is vulnerable to Cross Site Scripting (XSS) via the groupe_id parameter to process/groupe_save.php. | May 08, 2026 |
| CVE-2024-33722 | UNKNOWN | — | SOPlanning 1.52.00 is vulnerable to SQL Injection by an authenticated user via projets.php with statut[]. | May 08, 2026 |
| CVE-2024-33288 | UNKNOWN | — | Prison Management System Using PHP v1.0 was discovered to contain a SQL injection vulnerability via the username on the Admin login page. | May 08, 2026 |
| CVE-2024-30167 | MEDIUM | 6.3 | /cgi-bin/time.cgi in Atlona AT-OME-MS42 Matrix Switcher 1.1.2 allows remote authenticated users to execute arbitrary commands as root via a POST request that carries a serverName … | May 08, 2026 |
| CVE-2024-27686 | HIGH | 7.5 | Mikrotik RouterOS (x86) 6.40.5 through 6.49.10 (fixed in 7) allows a remote attacker to cause a denial of service (device crash) via crafted packet data … | May 08, 2026 |
| CVE-2023-47268 | UNKNOWN | — | In libslic3r/GCode/PostProcessor.cpp in Prusa PrusaSlicer through 2.6.1, a crafted 3mf project file can execute arbitrary code on a host where the project is sliced and … | May 08, 2026 |
| CVE-2026-8148 | UNKNOWN | — | NAVER MYBOX Explorer for Windows before 3.0.11.160 allows a local attacker to escalate privileges to NT AUTHORITY\SYSTEM via registry manipulation due to improper privilege checks. | May 08, 2026 |
| CVE-2026-8138 | HIGH | 8.8 | A vulnerability was found in Tenda CX12L 16.03.53.12. This issue affects the function formSetPPTPServer of the file /goform/SetPptpServerCfg. The manipulation results in stack-based buffer overflow. … | May 08, 2026 |
| CVE-2026-8137 | HIGH | 8.8 | A vulnerability has been found in Totolink X5000R 9.1.0u.6369_B20230113. This vulnerability affects the function sub_458E40 of the file /boafrm/formDdns. The manipulation of the argument submit-url … | May 08, 2026 |
| CVE-2026-42279 | MEDIUM | 5.8 | solidtime is an open-source time-tracking app. In version 0.12.0, the PUT /api/v1/organizations/{organization}/time-entries/{timeEntry} API accepts a route-bound timeEntry from another organization when the caller has time-entries:update:all … | May 08, 2026 |
| CVE-2026-42278 | UNKNOWN | — | UltraDAG is a minimal DAG-BFT blockchain in Rust. Prior to commit fb6ef59, the UltraDAG StateEngine implementation of SmartTransferTx contains a critical logic flaw in its … | May 08, 2026 |
| CVE-2026-42277 | MEDIUM | 6.5 | Onyx is an open-source AI platform. Prior to versions 3.0.9, 3.1.6, and 3.2.6, the GET /chat/file/{file_id} endpoint allows any authenticated user to download any other … | May 08, 2026 |
| CVE-2026-42276 | MEDIUM | 4.3 | Onyx is an open-source AI platform. Prior to versions 3.0.9, 3.1.6, and 3.2.6, the POST /chat/stop-chat-session/{chat_session_id} endpoint lets any authenticated user stop any other user's … | May 08, 2026 |
| CVE-2023-42346 | UNKNOWN | — | Alkacon OpenCms before 16 allows XXE when the <!DOCTYPE> refers to an external host. | May 08, 2026 |
| CVE-2023-42345 | MEDIUM | 6.1 | A Cross Site Scripting vulnerability in Alkacon OpenCms before 16 exists via updateModelGroups.jsp. | May 08, 2026 |
| CVE-2023-42344 | HIGH | 7.3 | Alkacon OpenCms before 10.5.1 allows remote unauthenticated attackers to obtain sensitive information via a cmis-online/query XXE attack on a Chemistry servlet. | May 08, 2026 |
| CVE-2023-42343 | MEDIUM | 6.1 | A Cross Site Scripting vulnerability in Alkacon OpenCms before 10.5.1 exists via cmis-online/type. | May 08, 2026 |
| CVE-2022-45899 | MEDIUM | 6.5 | Nokia Broadcast Message Center (BMC) before 13.1 allows an unauthenticated remote attacker to do OS command injection as root via shell metacharacters in the Log … | May 08, 2026 |
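Two entries above (CVE-2025-55449 and CVE-2024-46508) describe the same weakness class: a JWT signing secret that ships hardcoded or defaulted, so anyone who reads the source can mint tokens the server accepts. The example below is added here to illustrate that class and is not code from AstrBot, yeti, or any other project in the feed. It builds and verifies HS256 tokens with the standard library only, shows that a token minted with the known default verifies on a deployment that never changed it and fails on one with a unique secret, and adds the startup check a practitioner would want: refuse to boot while the secret is still the shipped default. The default value, the `AUTH_SECRET_KEY` variable name, and all claims are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Constructed stand-in for a secret baked into source (hypothetical value,
# not either project's real key). Anyone with the code knows it.
DEFAULT_SECRET = "change-me-default-secret"
SECRET_ENV_VAR = "AUTH_SECRET_KEY"  # hypothetical name; yeti's is YETI_AUTH_SECRET_KEY


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, secret: str) -> str:
    """Mint an HS256 JWT. Whoever holds `secret` can call this, server or attacker."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = hmac.new(secret.encode(), signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token: str, secret: str) -> Optional[dict]:
    """Return the claims if the HS256 signature is valid under `secret`, else None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:  # wrong segment count, bad base64, bad JSON
        return None
    if header.get("alg") != "HS256":  # pin the algorithm; reject "none" and swaps
        return None
    expected = hmac.new(secret.encode(), f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    return json.loads(_b64url_decode(payload_b64))


def secret_problem(value: str) -> Optional[str]:
    """Reason a candidate signing secret must not be used, or None if acceptable."""
    if hmac.compare_digest(value.encode(), DEFAULT_SECRET.encode()):
        return "secret is the shipped default; anyone with the source can forge tokens"
    if len(value) < 32:
        return "secret is too short; use at least 32 random characters"
    return None


def load_signing_secret(env: dict) -> str:
    """Startup check: read the secret from the environment and refuse the default."""
    value = env.get(SECRET_ENV_VAR, DEFAULT_SECRET)  # falling back to the default is the bug
    problem = secret_problem(value)
    if problem:
        raise RuntimeError(f"{SECRET_ENV_VAR}: {problem}")
    return value


def demo() -> dict:
    """Forge an admin token with the default and try it against two deployments."""
    forged = sign_jwt({"sub": "admin", "role": "admin"}, DEFAULT_SECRET)
    unique_secret = secrets.token_urlsafe(48)
    return {
        "forged_accepted_with_default": verify_jwt(forged, DEFAULT_SECRET) is not None,
        "forged_accepted_with_unique": verify_jwt(forged, unique_secret) is not None,
        "default_passes_startup_check": secret_problem(DEFAULT_SECRET) is None,
        "unique_passes_startup_check": secret_problem(unique_secret) is None,
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The fix for this class is the `load_signing_secret` path without the fallback: generate the secret at install time (`secrets.token_urlsafe(48)` or equivalent), store it outside the code, and treat a missing or default value as a fatal configuration error rather than a warning.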