CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
10692 total: 727 critical, 3080 high, 3407 medium.
| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-40603 | MEDIUM | 6.5 | Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In version 4.9.0, Chartbrew … | Apr 30, 2026 |
| CVE-2026-40601 | HIGH | 7.5 | Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In version 4.9.0, Chartbrew … | Apr 30, 2026 |
| CVE-2026-40600 | HIGH | 8.1 | Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In version 4.9.0, Chartbrew … | Apr 30, 2026 |
| CVE-2026-40595 | HIGH | 7.5 | Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In version 4.9.0, Chartbrew … | Apr 30, 2026 |
| CVE-2026-35514 | MEDIUM | 6.5 | Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In version 4.9.0, the … | Apr 30, 2026 |
| CVE-2026-32148 | UNKNOWN | — | Insufficient Verification of Data Authenticity vulnerability in hexpm hex (Hex.RemoteConverger module) allows dependency integrity bypass via unverified lockfile checksums. Hex stores checksums for dependencies in … | Apr 30, 2026 |
| CVE-2026-3833 | MEDIUM | 6.5 | A flaw was found in gnutls. This vulnerability occurs because gnutls performs case-sensitive comparisons of `nameConstraints` labels, specifically for `dNSName` (DNS) or `rfc822Name` (email) constraints … | Apr 30, 2026 |
| CVE-2026-3832 | LOW | 3.7 | A flaw was found in gnutls. A remote attacker could exploit this vulnerability by presenting a specially crafted Online Certificate Status Protocol (OCSP) response during … | Apr 30, 2026 |
| CVE-2026-36766 | MEDIUM | 5.4 | Multiple authenticated cross-site scripting (XSS) vulnerabilities in the XssHttpServletRequestWrapper class of shopizer v3.2.5 allow attackers to execute arbitrary web scripts or HTML via injecting a … | Apr 30, 2026 |
| CVE-2026-36765 | UNKNOWN | — | An XML external entity (XXE) vulnerability in the /designer/loadReport endpoint of SpringBlade v4.8.0 allows authenticated attackers to execute arbitrary code via injecting a crafted payload. | Apr 30, 2026 |
| CVE-2026-36763 | MEDIUM | 6.1 | A stored cross-site scripting (XSS) vulnerability in the /api/blade-desk/notice/submit endpoint of SpringBlade v4.8.0 allows attackers to execute arbitrary web scripts or HTML via injecting a … | Apr 30, 2026 |
| CVE-2026-36762 | UNKNOWN | — | An issue in the fileEntityId parameter in the /a/file/upload endpoint of JeeSite v5.15.1 allows authenticated attackers with file upload permissions to execute a path traversal … | Apr 30, 2026 |
| CVE-2026-36761 | MEDIUM | 6.1 | A stored cross-site scripting (XSS) vulnerability in the /msg/msgInner/save endpoint of JeeSite v5.15.1 allows attackers to execute arbitrary web scripts or HTML via injecting a … | Apr 30, 2026 |
| CVE-2026-33845 | HIGH | 7.5 | A flaw in GnuTLS DTLS handshake parsing allows malformed fragments with zero length and non-zero offset, leading to an integer underflow during reassembly and resulting … | Apr 30, 2026 |
| CVE-2026-36767 | CRITICAL | 10.0 | A path traversal vulnerability in the /content/images/add endpoint of shopizer v3.2.5 allows attackers to write arbitrary files to any writeable path via a crafted POST request. | Apr 30, 2026 |
| CVE-2026-36764 | MEDIUM | 5.0 | A Server-Side Request Forgery (SSRF) in the /ureport/datasource/testConnection endpoint of SpringBlade v4.8.0 allows authenticated attackers to scan internal resources via a crafted GET request. | Apr 30, 2026 |
| CVE-2026-36760 | CRITICAL | 9.6 | An issue in the fileMd5 parameter in the /a/file/upload endpoint of JeeSite v5.15.1 allows authenticated attackers with file upload permissions to execute a path traversal … | Apr 30, 2026 |
| CVE-2026-36757 | MEDIUM | 4.3 | A Server-Side Request Forgery (SSRF) in the /plugins/{name}/upgrade-from-uri endpoint of halo v2.22.14 allows authenticated attackers to scan internal resources via a crafted GET request. | Apr 30, 2026 |
| CVE-2025-71284 | CRITICAL | 9.8 | Synway SMG Gateway Management Software contains an OS command injection vulnerability in the RADIUS configuration endpoint at /en/9-2radius.php where the radius_address POST parameter is split … | Apr 30, 2026 |
| CVE-2025-51846 | HIGH | 7.5 | CryptPad 2025.3.1 allows unbounded WebSocket frame flood. A remote, unauthenticated attacker can significantly degrade or deny service for all users of a CryptPad instance. Fixed … | Apr 30, 2026 |
| CVE-2022-50993 | CRITICAL | 9.8 | Weaver (Fanwei) E-office versions prior to 10.0_20221201 contain an unauthenticated arbitrary file upload vulnerability in the OfficeServer.php endpoint that allows remote attackers to upload malicious … | Apr 30, 2026 |
| CVE-2022-50992 | HIGH | 7.5 | Weaver (Fanwei) E-cology 9.5 versions prior to 10.52 contain an arbitrary file read vulnerability in the XmlRpcServlet interface at the XML-RPC endpoint that allows unauthenticated … | Apr 30, 2026 |
| CVE-2026-5174 | HIGH | 7.7 | Improper input validation vulnerability in Progress Software MOVEit Automation allows Privilege Escalation. This issue affects MOVEit Automation: from 2025.1.0 before 2025.1.5, from 2025.0.0 before 2025.0.9, … | Apr 30, 2026 |
| CVE-2026-4670 | CRITICAL | 9.8 | Authentication bypass by primary weakness vulnerability in Progress Software MOVEit Automation allows Authentication Bypass. This issue affects MOVEit Automation: from 2025.0.0 before 2025.0.9, from 2024.0.0 … | Apr 30, 2026 |
| CVE-2026-38940 | MEDIUM | 6.1 | Cross-site scripting vulnerability in RafyMrX TOKO-ONLINE-ROTI v.1.0 allows a remote attacker to execute arbitrary code via the detail_produk.php component. | Apr 30, 2026 |