CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
Total: 10692 | Critical: 727 | High: 3080 | Medium: 3407
| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-40330 | UNKNOWN | — | Masa CMS is an open source content management system. In versions 7.2.0 through 7.2.9, 7.3.0 through 7.3.14, 7.4.0 through 7.4.9, and 7.5.0 through 7.5.2, a … | May 05, 2026 |
| CVE-2026-40329 | UNKNOWN | — | Masa CMS is an open source content management system. In versions 7.5.2 and earlier, a SQL injection vulnerability exists in the beanFeed.cfc component within the … | May 05, 2026 |
| CVE-2026-40280 | UNKNOWN | — | Gotenberg is an API-based document conversion tool. In versions 8.30.1 and earlier, the default private-IP deny-lists for the --webhook-deny-list and --api-download-from-deny-list flags use a case-sensitive … | May 05, 2026 |
| CVE-2026-38947 | MEDIUM | 6.1 | FluentCMS 1.2.3 is vulnerable to Cross Site Scripting (XSS) in TextHTML plugin. | May 05, 2026 |
| CVE-2026-35453 | UNKNOWN | — | PhpSpreadsheet is a library for reading and writing spreadsheet files. In versions 1.30.3 and earlier, 2.0.0 through 2.1.15, 2.2.0 through 2.4.4, 3.3.0 through 3.10.4, and … | May 05, 2026 |
| CVE-2026-35397 | UNKNOWN | — | Jupyter Server is the backend for Jupyter web applications. In versions 2.17.0 and earlier, a path traversal vulnerability in the REST API allows an authenticated … | May 05, 2026 |
| CVE-2026-34596 | UNKNOWN | — | Sandboxie-Plus is an open source sandbox-based isolation software for Windows. In versions 1.17.2 and earlier, a Time-of-Check-to-Time-of-Use (TOCTOU) race condition exists during addon installation. When … | May 05, 2026 |
| CVE-2026-34527 | UNKNOWN | — | Sandboxie-Plus is an open source sandbox-based isolation software for Windows. In versions 1.17.2 and earlier, SbieIniServer::HashPassword converts a SHA-1 digest to hexadecimal incorrectly. The high … | May 05, 2026 |
| CVE-2026-34464 | UNKNOWN | — | Sandboxie-Plus is an open source sandbox-based isolation software for Windows. In versions 1.17.2 and earlier, NamedPipeServer::OpenHandler copies the server field from NAMED_PIPE_OPEN_REQ into a fixed … | May 05, 2026 |
| CVE-2026-34462 | UNKNOWN | — | Sandboxie-Plus is an open source sandbox-based isolation software for Windows. In versions 1.17.2 and earlier, several ProcessServer handlers (KillAllHandler, SuspendAllHandler, and RunSandboxedHandler) copy a WCHAR … | May 05, 2026 |
| CVE-2026-34461 | UNKNOWN | — | Sandboxie-Plus is an open source sandbox-based isolation software for Windows. In versions 1.17.2 and earlier, the SbieIniServer RunSbieCtrl handler contains a stack buffer overflow. The … | May 05, 2026 |
| CVE-2026-34459 | UNKNOWN | — | Sandboxie-Plus is an open source sandbox-based isolation software for Windows. In versions 1.17.2 and earlier, the SbieSvc proxy service's GetRawInputDeviceInfoSlave handler contains two vulnerabilities that … | May 05, 2026 |
| CVE-2026-34458 | UNKNOWN | — | Sandboxie-Plus is an open source sandbox-based isolation software for Windows. In versions 1.17.2 and earlier, an INI injection vulnerability allows any standard local user to … | May 05, 2026 |
| CVE-2026-34084 | UNKNOWN | — | PhpSpreadsheet is a library for reading and writing spreadsheet files. In versions 1.30.2 and earlier, 2.0.0 through 2.1.14, 2.2.0 through 2.4.3, 3.3.0 through 3.10.3, and … | May 05, 2026 |
| CVE-2026-33975 | UNKNOWN | — | Twenty is an open source CRM built with NestJS (Node.js). In versions 1.18.0 and earlier, the SSRF protection in twenty-server's SecureHttpClientService can be bypassed using … | May 05, 2026 |
| CVE-2026-33489 | UNKNOWN | — | CoreDNS is a DNS server that chains plugins. In versions prior to 1.14.3, the transfer plugin can select the wrong ACL stanza when both a … | May 05, 2026 |
| CVE-2026-33420 | UNKNOWN | — | Vaultwarden is a Bitwarden-compatible server written in Rust. In version 1.35.4 and earlier, the get_org_collections_details endpoint (GET /api/organizations/{org_id}/collections/details) is missing the has_full_access() authorization check that … | May 05, 2026 |
| CVE-2026-33324 | UNKNOWN | — | SQLBot is an intelligent Text-to-SQL system based on large language models and RAG. In versions 1.7.0 and earlier, the Text2SQL chat interface is vulnerable to … | May 05, 2026 |
| CVE-2026-33190 | UNKNOWN | — | CoreDNS is a DNS server that chains plugins. In versions prior to 1.14.3, the tsig plugin can be bypassed on non-plain-DNS transports (DoT, DoH, DoH3, … | May 05, 2026 |
| CVE-2026-32936 | UNKNOWN | — | CoreDNS is a DNS server that chains plugins. In versions prior to 1.14.3, the DNS-over-HTTPS (DoH) GET path accepts oversized dns= query parameter values and … | May 05, 2026 |
| CVE-2026-32934 | UNKNOWN | — | CoreDNS is a DNS server that chains plugins. In versions prior to 1.14.3, the DNS-over-QUIC (DoQ) server can be driven into unbounded goroutine and memory … | May 05, 2026 |
| CVE-2026-32699 | UNKNOWN | — | FacturaScripts is an open source accounting and invoicing software. In versions 2025.92 and earlier, the application fails to validate the nick parameter during a POST … | May 05, 2026 |
| CVE-2026-32603 | UNKNOWN | — | Sandboxie is an open source sandbox-based isolation software for Windows. In versions 1.17.2 and earlier, a local denial of service vulnerability exists in the Sandboxie … | May 05, 2026 |
| CVE-2026-31893 | UNKNOWN | — | Tunnelblick is an open source graphic user interface for OpenVPN on macOS. In versions 3.3beta26 through 9.0beta01, any local user can read arbitrary root-owned files … | May 05, 2026 |
| CVE-2024-52911 | HIGH | 7.5 | Bitcoin Core through 28.x has a security issue, the details of which are not disclosed. The earliest affected version is 0.14. | May 05, 2026 |