CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
Total: 10671 | Critical: 727 | High: 3077 | Medium: 3393
| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-36388 | MEDIUM | 5.4 | A Cross-Site Scripting (XSS) vulnerability was found in PHPGurukal Hospital Management System v4.0 in the /hospital/hms/edit-profile.php page. This flaw allows an authenticated attacker (patient) to … | May 07, 2026 |
| CVE-2026-36387 | MEDIUM | 6.5 | A Remote Code Execution vulnerability was found in CODEASTRO Membership Management System v1.0 in /add_members.php. This vulnerability affects the file upload functionality, where improper file … | May 07, 2026 |
| CVE-2026-36341 | MEDIUM | 5.4 | Cross-Site Scripting (XSS) vulnerability exists in Webkul Krayin CRM v2.1.5. The application fails to sanitize user-supplied input in the comment field during Activity creation on … | May 07, 2026 |
| CVE-2025-65122 | HIGH | 7.5 | Regex Denial of Service in youtube-regex npm package through version 1.0.5. | May 07, 2026 |
| CVE-2025-63704 | UNKNOWN | — | NPM package query-parser-string 1.0.0 is vulnerable to Prototype Pollution. The package does not properly sanitize user supplied query parameters and merges them to the newly … | May 07, 2026 |
| CVE-2025-63703 | UNKNOWN | — | npm package parse-ini v1.0.6 is vulnerable to Prototype Pollution in index.js(). | May 07, 2026 |
| CVE-2025-4397 | MEDIUM | 6.8 | Medtronic MyCareLink Patient Monitor uses per-product credentials that are stored in a recoverable format. An attacker can use these credentials to modify encrypted drive data. | May 07, 2026 |
| CVE-2025-4386 | MEDIUM | 6.8 | Medtronic MyCareLink Patient Monitor has an internal serial interface, which allows an attacker with physical access to access a login prompt via a UART terminal. | May 07, 2026 |
| CVE-2026-44349 | UNKNOWN | — | Daptin is a GraphQL/JSON-API headless CMS. Prior to version 0.11.5, processFuzzySearch in server/resource/resource_findallpaginated.go:1484 splits the user-supplied column parameter by comma and interpolates each segment directly … | May 07, 2026 |
| CVE-2026-44264 | MEDIUM | 4.3 | Weblate is a web based localization tool. Prior to version 5.17.1, the Markdown renderer used in user comments and other user-provided content didn't properly sanitize … | May 07, 2026 |
| CVE-2026-44263 | MEDIUM | 4.3 | Weblate is a web based localization tool. Prior to version 5.17.1, the screenshots, tasks, and component link API allowed for the enumeration of translations in … | May 07, 2026 |
| CVE-2026-42011 | HIGH | 7.4 | A flaw was found in gnutls. This vulnerability occurs because permitted name constraints were incorrectly ignored when previous Certificate Authorities (CAs) only had excluded name … | May 07, 2026 |
| CVE-2026-41689 | MEDIUM | 6.0 | Wallos is an open-source, self-hostable personal subscription tracker. In versions 4.8.4 and prior, the webhook notification feature reuses an administrator-configured local-target allowlist for every logged-in … | May 07, 2026 |
| CVE-2026-41688 | HIGH | 7.7 | Wallos is an open-source, self-hostable personal subscription tracker. In versions 4.8.4 and prior, the incomplete SSRF fix in Wallos validates webhook URLs via gethostbyname() but … | May 07, 2026 |
| CVE-2026-41687 | MEDIUM | 4.3 | Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.8.1, the SSRF protection in endpoints/subscription/add.php (line 42) and endpoints/payments/add.php (line 40) uses an … | May 07, 2026 |
| CVE-2026-41654 | UNKNOWN | — | Weblate is a web based localization tool. Prior to version 5.17.1, an authenticated user with project.add permission (default on hosted Weblate SaaS and for any … | May 07, 2026 |
| CVE-2026-41650 | MEDIUM | 6.1 | fast-xml-parser allows users to process XML from JS object without C/C++ based libraries or callbacks. Prior to version 5.7.0, XMLBuilder does not escape the "-->" … | May 07, 2026 |
| CVE-2026-41519 | MEDIUM | 4.2 | Weblate is a web based localization tool. Prior to version 5.17.1, when a user changes their password, browser sessions are correctly invalidated via "cycle_session_keys()", but … | May 07, 2026 |
| CVE-2026-41505 | HIGH | 8.7 | RELATE is a web-based courseware package. Prior to commit 2f68e16, RELATE is vulnerable to predictable token generation in auth.py's make_sign_in_key() function and exam.py's gen_ticket_code() function. … | May 07, 2026 |
| CVE-2026-41422 | HIGH | 8.3 | Daptin is a GraphQL/JSON-API headless CMS. Prior to version 0.11.4, the /aggregate/:typename endpoint accepted column and group query parameters that were passed verbatim to goqu.L() … | May 07, 2026 |
| CVE-2026-36458 | UNKNOWN | — | ChestnutCMS v1.5.10 has a SQL injection vulnerability. The content parameter of the cms_content tag can be manipulated in the admin backend and injected into a … | May 07, 2026 |
| CVE-2026-32686 | UNKNOWN | — | Uncontrolled Resource Consumption vulnerability in ericmj decimal allows unauthenticated remote Denial of Service. The decimal library does not bound the exponent on parsed input. Storing … | May 07, 2026 |
| CVE-2025-67202 | UNKNOWN | — | Sidekiq-cron thru 2.3.1, an open-source scheduling add-on for Sidekiq, is vulnerable to a cross-site scripting (xss) vulnerability via crafted URL being rendered from cron.erb. | May 07, 2026 |
| CVE-2025-63706 | UNKNOWN | — | NPM package next-npm-version 1.0.1 is vulnerable to Command injection. | May 07, 2026 |
| CVE-2025-63705 | UNKNOWN | — | NPM package node-ts-ocr 1.0.15 is vulnerable to OS Command Injection via the invokeImageOcr function in src/index.js. | May 07, 2026 |