Security
CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
Total: 10692; Critical: 727; High: 3080; Medium: 3407

| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-41658 | MEDIUM | 6.5 | Admidio is an open-source user management solution. Prior to version 5.0.9, the Admidio inventory module enforces authorization for destructive operations (delete, retire, reinstate) only in … | May 07, 2026 |
| CVE-2026-41657 | MEDIUM | 4.9 | Admidio is an open-source user management solution. Prior to version 5.0.9, the contacts_data.php endpoint uses a weaker permission check (isAdministratorUsers(), requiring only rol_edit_user=true) than the … | May 07, 2026 |
| CVE-2026-41656 | MEDIUM | 4.5 | Admidio is an open-source user management solution. Prior to version 5.0.9, the add mode in modules/documents-files.php accepts a name parameter validated only as 'string' type … | May 07, 2026 |
| CVE-2026-41655 | MEDIUM | 6.5 | Admidio is an open-source user management solution. Prior to version 5.0.9, the ecard_preview.php endpoint does not validate that the ecard_template POST parameter is a safe … | May 07, 2026 |
| CVE-2026-41640 | HIGH | 7.5 | NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to version 2.0.39, the queryParentSQL() function in the core database package … | May 07, 2026 |
| CVE-2026-41587 | UNKNOWN | — | CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. From version 0.26.0.0 to before version … | May 07, 2026 |
| CVE-2026-41203 | UNKNOWN | — | CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.5.0, ci4ms Theme::upload … | May 07, 2026 |
| CVE-2026-41202 | UNKNOWN | — | CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.5.0, ci4ms Backup::restore … | May 07, 2026 |
| CVE-2026-41201 | CRITICAL | 9.1 | CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. In version 0.31.4.0, an attacker can … | May 07, 2026 |
| CVE-2026-41142 | HIGH | 8.8 | OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From versions 3.0.0 to … | May 07, 2026 |
| CVE-2026-41004 | MEDIUM | 4.4 | When enabling trace logging in Spring Cloud Config Server sensitive information was placed in plain text in the logs. Spring Cloud Config 3.1.x: affected from … | May 07, 2026 |
| CVE-2026-41002 | HIGH | 7.2 | The base directory (`spring.cloud.config.server.git.basedir`) used by the Spring Cloud Config Server to clone Git repositories to is susceptible to time-of-check-time-of-use (TOCTOU) attacks. Spring Cloud Config … | May 07, 2026 |
| CVE-2026-40982 | CRITICAL | 9.1 | Spring Cloud Config allows applications to serve arbitrary text and binary files through the spring-cloud-config-server module. A malicious user, or attacker, can send a request … | May 07, 2026 |
| CVE-2026-40981 | HIGH | 7.5 | When using Google Secrets Manager as a backend for the Spring Cloud Config server a client can craft a request to the config server potentially … | May 07, 2026 |
| CVE-2026-40004 | MEDIUM | 5.5 | There exists an openssl.cnf privilege escalation vulnerability in ZTE Cloud PC client uSmartview. An attacker can execute arbitrary code locally and escalate privileges. | May 07, 2026 |
| CVE-2026-4807 | MEDIUM | 6.5 | The Appointment Booking Calendar plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 1.6.10.6. This is due to a flawed … | May 07, 2026 |
| CVE-2026-44600 | LOW | 3.7 | Tor before 0.4.9.7 mishandles accounting of the conflux out-of-order queue during the clearing of a queue, aka TROVE-2026-010. | May 07, 2026 |
| CVE-2026-44599 | LOW | 3.7 | Tor before 0.4.9.7 can attempt or accept BEGIN_DIR via conflux legs, aka TROVE-2026-008. | May 07, 2026 |
| CVE-2026-6222 | MEDIUM | 5.3 | The Forminator Forms plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 1.51.1. This is due to the `processRequest()` method … | May 07, 2026 |
| CVE-2026-40003 | MEDIUM | 5.1 | ZTE ZX297520V3 BootROM contains a vulnerability that allows arbitrary memory writes via USB. Attackers can exploit the lack of target address validation in the USB … | May 07, 2026 |
| CVE-2026-44597 | LOW | 3.7 | Tor before 0.4.9.7 has an out-of-bounds read when an END, a TRUNCATE, or a TRUNCATED cell lacks a reason in its payload, aka TROVE-2026-011. | May 07, 2026 |
| CVE-2026-6278 | UNKNOWN | — | Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. | May 06, 2026 |
| CVE-2026-41484 | MEDIUM | 5.3 | OpenTelemetry.Exporter.OneCollector is a .NET exporter that sends telemetry to a OneCollector back-end over HTTP. In versions 1.15.0 and earlier, when a request to the configured … | May 06, 2026 |
| CVE-2026-41483 | MEDIUM | 5.9 | OpenTelemetry.Resources.Azure is the .NET resource detector for Azure environments. In versions 1.15.0-beta.1 and earlier, the AzureVmMetaDataRequestor class makes HTTP requests to the Azure VM instance … | May 06, 2026 |
| CVE-2026-41417 | MEDIUM | 5.3 | Netty allows request-line validation to be bypassed when a `DefaultHttpRequest` or `DefaultFullHttpRequest` is created first and its URI is later changed via `setUri()`. The constructors … | May 06, 2026 |