Security
CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
Feed totals: 10692 CVEs, of which 727 are rated Critical, 3080 High and 3407 Medium.
| CVE ID | Severity | CVSS score | Description | Published |
|---|---|---|---|---|
| CVE-2026-41481 | MEDIUM | 6.5 | LangChain is a framework for building agents and LLM-powered applications. Prior to langchain-text-splitters 1.1.2, HTMLHeaderTextSplitter.split_text_from_url() validated the initial URL using validate_safe_url() but then performed the … | Apr 24, 2026 |
| CVE-2026-41478 | CRITICAL | 9.9 | Saltcorn is an extensible, open source, no-code database application builder. Prior to 1.4.6, 1.5.6, and 1.6.0-beta.5, a SQL injection vulnerability in Saltcorn’s mobile-sync routes allows … | Apr 24, 2026 |
| CVE-2026-41473 | UNKNOWN | — | CyberPanel versions prior to 2.4.4 contain an authentication bypass vulnerability in the AI Scanner worker API endpoints that allows unauthenticated remote attackers to write arbitrary … | Apr 24, 2026 |
| CVE-2026-41472 | UNKNOWN | — | CyberPanel versions prior to 2.4.4 contain a stored cross-site scripting vulnerability in the AI Scanner dashboard where the POST /api/ai-scanner/callback endpoint lacks authentication and allows … | Apr 24, 2026 |
| CVE-2026-41248 | CRITICAL | 9.1 | Clerk JavaScript is the official JavaScript repository for Clerk authentication. createRouteMatcher in @clerk/nextjs, @clerk/nuxt, and @clerk/astro can be bypassed by certain crafted requests, allowing them … | Apr 24, 2026 |
| CVE-2026-6968 | MEDIUM | 5.9 | Incomplete path traversal fixes in awslabs/tough before tough-v0.22.0 allow remote authenticated users with delegated signing authority to write files outside intended output directories via absolute … | Apr 24, 2026 |
| CVE-2026-6967 | MEDIUM | 5.9 | Missing expiration, hash, and length enforcement in delegated metadata validation in awslabs/tough before tough-v0.22.0 allows remote authenticated users with delegated signing authority to bypass TUF … | Apr 24, 2026 |
| CVE-2026-6966 | MEDIUM | 5.3 | Improper verification of cryptographic signature uniqueness in delegated role validation in awslabs/tough before tough-v0.22.0 allows remote authenticated users to bypass the TUF signature threshold requirement … | Apr 24, 2026 |
| CVE-2026-41503 | UNKNOWN | — | BACnet Stack is a BACnet open source protocol stack C library for embedded systems. Prior to 1.4.3, an out-of-bounds read vulnerability in bacnet-stack's ReadPropertyMultiple service … | Apr 24, 2026 |
| CVE-2026-41502 | UNKNOWN | — | BACnet Stack is a BACnet open source protocol stack C library for embedded systems. Prior to 1.4.3, an off-by-one out-of-bounds read vulnerability in bacnet-stack's ReadPropertyMultiple … | Apr 24, 2026 |
| CVE-2026-41477 | HIGH | 7.8 | Deskflow is a keyboard and mouse sharing app. In 1.20.0, 1.26.0.134, and earlier, Deskflow daemon runs as SYSTEM and exposes an IPC named pipe with … | Apr 24, 2026 |
| CVE-2026-41476 | UNKNOWN | — | Deskflow is a keyboard and mouse sharing app. Prior to 1.26.0.138, a remote memory-safety vulnerability in Deskflow's clipboard deserialization allows a connected peer to trigger … | Apr 24, 2026 |
| CVE-2026-41475 | UNKNOWN | — | BACnet Stack is a BACnet open source protocol stack C library for embedded systems. Prior to 1.4.3, an out-of-bounds read vulnerability in bacnet-stack's WritePropertyMultiple service … | Apr 24, 2026 |
| CVE-2026-41433 | HIGH | 8.4 | OpenTelemetry eBPF Instrumentation provides eBPF instrumentation based on the OpenTelemetry standard. From 0.4.0 to before 0.8.0, a flaw in the Java agent injection path allows … | Apr 24, 2026 |
| CVE-2026-41429 | HIGH | 8.8 | arduino-esp32 is an Arduino core for the ESP32, ESP32-S2, ESP32-S3, ESP32-C3, ESP32-C6 and ESP32-H2 microcontrollers. Prior to 3.3.8, there is a remotely reachable memory corruption … | Apr 24, 2026 |
| CVE-2026-41428 | CRITICAL | 9.1 | Budibase is an open-source low-code platform. Prior to 3.35.4, the authenticated middleware uses unanchored regular expressions to match public (no-auth) endpoint patterns against ctx.request.url. Since … | Apr 24, 2026 |
| CVE-2026-41427 | UNKNOWN | — | Better Auth is an authentication and authorization library for TypeScript. Prior to 1.6.5, the clientPrivileges option documents a create action, but the OAuth client creation … | Apr 24, 2026 |
| CVE-2026-41426 | MEDIUM | 6.1 | pretalx is a conference planning tool. Prior to 2026.1.0, an unauthenticated attacker can send arbitrary HTML-rendered emails from a pretalx instance's configured sender address by … | Apr 24, 2026 |
| CVE-2026-41425 | MEDIUM | 5.4 | Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to 1.6.11, there is no CSRF protection on the cache feature in … | Apr 24, 2026 |
| CVE-2026-41244 | MEDIUM | 4.7 | Mojic is a CLI tool to transform readable C code into an unrecognizable chaotic stream of emojis. Prior to 2.1.4, the CipherEngine uses a standard … | Apr 24, 2026 |
| CVE-2026-41907 | UNKNOWN | — | uuid is for the creation of RFC9562 (formerly RFC4122) UUIDs. Prior to 14.0.0, v3, v5, and v6 accept external output buffers but do not reject … | Apr 24, 2026 |
| CVE-2026-41894 | UNKNOWN | — | SiYuan is an open-source personal knowledge management system. Prior to 3.6.5, the fix for CVE-2026-30869 only added a denylist check (IsSensitivePath) but did not address … | Apr 24, 2026 |
| CVE-2026-41492 | CRITICAL | 9.8 | Dgraph is an open source distributed GraphQL database. Prior to 25.3.3, Dgraph exposes the process command line through the unauthenticated /debug/vars endpoint on Alpha. Because … | Apr 24, 2026 |
| CVE-2026-41421 | HIGH | 8.8 | SiYuan is an open-source personal knowledge management system. Prior to 3.6.5, SiYuan desktop renders notification messages as raw HTML inside an Electron renderer. The notification … | Apr 24, 2026 |
| CVE-2026-41419 | HIGH | 7.6 | 4ga Boards is a boards system for realtime project management. Prior to 3.3.5, a path traversal vulnerability allows an authenticated user with board import privileges … | Apr 24, 2026 |
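The Budibase row (CVE-2026-41428) describes a public-route allowlist matched with unanchored regular expressions against the raw request URL. The block below is an added illustration of that weakness class in JavaScript, written for this page and not taken from Budibase: the route patterns, the request URLs and the `pathOf`, `isPublic*` and `authDecision` helpers are all constructed for the example.

```javascript
// Added illustration (not Budibase code): an auth layer that exempts
// "public" routes from authentication. Patterns and URLs are constructed.

// Unanchored patterns: a match anywhere in the URL string counts.
const PUBLIC_PATTERNS_UNANCHORED = [
  /\/api\/public\//,   // intended: everything under /api/public/
  /\/api\/health/,     // intended: the health probe only
];

// Anchored patterns: the whole path, start to end, must match.
const PUBLIC_PATTERNS_ANCHORED = [
  /^\/api\/public\/[^?#]*$/,
  /^\/api\/health$/,
];

// Match on the path the router dispatches on, never on the raw URL:
// query string and fragment are attacker-controlled free text.
function pathOf(url) {
  return url.split(/[?#]/, 1)[0];
}

function isPublicUnanchored(url) {
  return PUBLIC_PATTERNS_UNANCHORED.some((re) => re.test(url));
}

function isPublicAnchored(url) {
  const path = pathOf(url);
  return PUBLIC_PATTERNS_ANCHORED.some((re) => re.test(path));
}

// Simulated middleware decision: public routes skip the session check.
function authDecision(url, isPublic, hasSession) {
  if (isPublic(url)) return "allow";
  return hasSession ? "allow" : "deny";
}

// Constructed requests: a genuine public route, a protected route whose
// query string merely contains a public pattern, and a protected route
// with a public pattern embedded in a later path segment.
const REQUESTS = [
  "/api/public/docs",
  "/api/admin/users?next=/api/public/docs",
  "/api/admin/settings/api/health",
];

// Decision each matcher reaches for an unauthenticated caller.
function compare() {
  return REQUESTS.map((url) => ({
    url,
    unanchored: authDecision(url, isPublicUnanchored, false),
    anchored: authDecision(url, isPublicAnchored, false),
  }));
}

console.table(compare());
```

The anchored form fixes the flaw the row names; it does not by itself cover path normalization (encoded slashes, dot segments, trailing slashes), so the string handed to the matcher should be the same normalized path the router actually dispatches on, and exact route registrations are safer than regex prefixes where the framework allows them.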
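The tough row on signature uniqueness (CVE-2026-6966) states that the TUF signature threshold for a delegated role can be met without distinct keys. The block below is an added illustration in JavaScript of the difference between counting signatures and counting distinct signing keys; it is written for this page and is not tough's code or the TUF reference implementation. The role layout, key names, signed bytes and the `makeKey`, `sign`, `signatureValid` and `demo` helpers are constructed for the example.

```javascript
// Added illustration (not tough's code): counting signatures toward a TUF
// role threshold. Keys, role layout and signed bytes are constructed.
const crypto = require("node:crypto");

// Ed25519 key pair tagged with the keyid the role refers to it by.
function makeKey(keyid) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("ed25519");
  return { keyid, publicKey, privateKey };
}

const keyA = makeKey("key-a");
const keyB = makeKey("key-b");

// Delegated role: two authorised keyids, both must sign (threshold 2).
const role = {
  threshold: 2,
  keyids: [keyA.keyid, keyB.keyid],
  keys: { [keyA.keyid]: keyA.publicKey, [keyB.keyid]: keyB.publicKey },
};

// Bytes under signature (real TUF signs canonical JSON of the metadata).
const signedBytes = Buffer.from(JSON.stringify({ _type: "targets", version: 1 }));

function sign(key, data) {
  return { keyid: key.keyid, sig: crypto.sign(null, data, key.privateKey) };
}

// One signature object checked against the keys delegated to this role.
function signatureValid(role, data, s) {
  if (!role.keyids.includes(s.keyid)) return false; // key not delegated here
  const pub = role.keys[s.keyid];
  return pub !== undefined && crypto.verify(null, data, pub, s.sig);
}

// Flawed: every valid signature increments the count, so one delegated
// key signing twice (or the same signature listed twice) reaches threshold 2.
function meetsThresholdFlawed(role, data, signatures) {
  let count = 0;
  for (const s of signatures) if (signatureValid(role, data, s)) count++;
  return count >= role.threshold;
}

// Correct: count distinct authorised keyids that produced a valid signature.
function meetsThresholdCorrect(role, data, signatures) {
  const signers = new Set();
  for (const s of signatures) {
    if (signers.has(s.keyid)) continue;
    if (signatureValid(role, data, s)) signers.add(s.keyid);
  }
  return signers.size >= role.threshold;
}

// An attacker holding only key-a submits two signatures from it.
const onlyKeyA = [sign(keyA, signedBytes), sign(keyA, signedBytes)];
// A legitimate signing by both delegated keys.
const bothKeys = [sign(keyA, signedBytes), sign(keyB, signedBytes)];

// Outcome of each counting rule on the two signature sets.
function demo() {
  return {
    flawedAcceptsDuplicate: meetsThresholdFlawed(role, signedBytes, onlyKeyA),
    correctRejectsDuplicate: !meetsThresholdCorrect(role, signedBytes, onlyKeyA),
    correctAcceptsBoth: meetsThresholdCorrect(role, signedBytes, bothKeys),
  };
}

console.log(demo());
```

Deduplicate on the keyid, not on the signature bytes: Ed25519 is deterministic, so the two key-a signatures above happen to be identical, but a signer using a randomized scheme such as ECDSA can produce any number of distinct valid signatures from a single key, and each would still count once under the correct rule.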