Security
CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
10692
Total
727
Critical
3080
High
3407
Medium
| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-38939 | MEDIUM | 6.1 | Cross Site Scripting vulnerability in andrewtch88 mvc-ecommerce v.1.0 allows a remote attacker to execute arbitrary code and obtain sensitive information via the product_catalogue.php component | Apr 30, 2026 |
| CVE-2026-36960 | HIGH | 8.8 | A Cross-Site Request Forgery (CSRF) vulnerability exists in the web management interface of the U-SPEED N300 Rounter V1.0.0. The device does not implement CSRF protection … | Apr 30, 2026 |
| CVE-2026-36759 | MEDIUM | 6.5 | A Server-Side Request Forgery (SSRF) in the /themes/{name}/upgrade-from-uri endpoint of halo v2.22.14 allows authenticated attackers to scan internal resources via a crafted GET request. | Apr 30, 2026 |
| CVE-2026-36758 | MEDIUM | 4.3 | A Server-Side Request Forgery (SSRF) in the /themes/-/install-from-uri endpoint of halo v2.22.14 allows authenticated attackers to scan internal resources via a crafted GET request. | Apr 30, 2026 |
| CVE-2026-36756 | MEDIUM | 5.4 | A Server-Side Request Forgery (SSRF) in the /plugins/-/install-from-uri endpoint of halo v2.22.14 allows authenticated attackers to scan internal resources via a crafted GET request. | Apr 30, 2026 |
| CVE-2026-36340 | HIGH | 8.1 | An issue in Krayin CRM v.2.1.5 and fixed in v.2.1.6 allows a remote attacker to execute arbitrary code via the compose email function | Apr 30, 2026 |
| CVE-2026-34998 | UNKNOWN | — | Rejected reason: DO NOT USE THIS CVE RECORD. ConsultIDs: none. Reason: This record was withdrawn by its CNA. Further investigation showed that it was not … | Apr 30, 2026 |
| CVE-2026-34997 | UNKNOWN | — | Rejected reason: DO NOT USE THIS CVE RECORD. ConsultIDs: none. Reason: This record was withdrawn by its CNA. Further investigation showed that it was not … | Apr 30, 2026 |
| CVE-2026-34996 | UNKNOWN | — | Rejected reason: DO NOT USE THIS CVE RECORD. ConsultIDs: none. Reason: This record was withdrawn by its CNA. Further investigation showed that it was not … | Apr 30, 2026 |
| CVE-2026-34995 | UNKNOWN | — | Rejected reason: DO NOT USE THIS CVE RECORD. ConsultIDs: none. Reason: This record was withdrawn by its CNA. Further investigation showed that it was not … | Apr 30, 2026 |
| CVE-2026-34994 | UNKNOWN | — | Rejected reason: DO NOT USE THIS CVE RECORD. ConsultIDs: none. Reason: This record was withdrawn by its CNA. Further investigation showed that it was not … | Apr 30, 2026 |
| CVE-2025-51850 | UNKNOWN | — | Rejected reason: DO NOT USE THIS CVE RECORD. ConsultIDs: none. Reason: This record was withdrawn by its CNA. Further investigation showed that it was not … | Apr 30, 2026 |
| CVE-2025-51849 | UNKNOWN | — | Rejected reason: DO NOT USE THIS CVE RECORD. ConsultIDs: none. Reason: This record was withdrawn by its CNA. Further investigation showed that it was not … | Apr 30, 2026 |
| CVE-2025-51847 | UNKNOWN | — | Rejected reason: DO NOT USE THIS CVE RECORD. ConsultIDs: none. Reason: This record was withdrawn by its CNA. Further investigation showed that it was not … | Apr 30, 2026 |
| CVE-2025-14543 | UNKNOWN | — | Improper Restriction of XML External Entity Reference vulnerability in Connext Professional (Core Libraries) allows Serialized Data External Linking.This issue affects Connext Professional: from 7.4.0 before … | Apr 30, 2026 |
| CVE-2025-13890 | UNKNOWN | — | Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2025-12494. Reason: This candidate is a reservation duplicate of CVE-2025-12494. Notes: All CVE … | Apr 30, 2026 |
| CVE-2026-7500 | MEDIUM | 5.4 | When Keycloak is started with `--features-disabled=account,account-api`, the Account REST API is only partially disabled. Five endpoints under the versioned path `/account/v1alpha1` remain fully functional — … | Apr 30, 2026 |
| CVE-2026-36959 | HIGH | 7.5 | U-SPEED N300 router V1.0.0 does not implement rate limiting or account lockout protections on the /api/login endpoint. This allows an attacker on the local network … | Apr 30, 2026 |
| CVE-2026-36958 | HIGH | 7.5 | A denial-of-service vulnerability exists in the U-SPEED N300 V1.0.0 wireless router. By sending a large number of concurrent HTTP requests to random or non-existent endpoints … | Apr 30, 2026 |
| CVE-2026-36957 | HIGH | 7.5 | Dbit N300 T1 Pro Easy Setup Wireless Wi-Fi Router V1.0.0 is vulnerable to Denial of Service via the boa web server URI handler. By initiating … | Apr 30, 2026 |
| CVE-2026-36956 | HIGH | 8.8 | A Cross-Site Request Forgery (CSRF) vulnerability exists in the web management interface of the Dbit N300 T1 Pro wireless router V1.0.0. The router fails to … | Apr 30, 2026 |
| CVE-2026-7246 | HIGH | 7.2 | Pallets Click, versions 8.3.2 and below, contain a command injection vulnerability in the click.edit() function, allowing attackers to pass arbitrary OS commands from an unprivileged … | Apr 30, 2026 |
| CVE-2026-7163 | MEDIUM | 6.1 | A vulnerability in the assisted-service REST API, an optional Assisted Installer (assisted-service) component in the Multicluster Engine (MCE), allows an authenticated user with minimal namespace-scoped … | Apr 30, 2026 |
| CVE-2026-2892 | HIGH | 7.5 | The Otter Blocks plugin for WordPress is vulnerable to Purchase Verification Bypass in all versions up to, and including, 3.1.4. This is due to the … | Apr 30, 2026 |
| CVE-2026-7402 | HIGH | 8.1 | Improper Control of Interaction Frequency vulnerability in MeWare Software Development Inc. PDKS allows Flooding. This issue affects PDKS: from V16.20200313 before VMYR_3.5.2025117. | Apr 30, 2026 |