CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
Total: 10692
Critical: 727
High: 3080
Medium: 3407
| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-41678 | UNKNOWN | — | rust-openssl provides OpenSSL bindings for the Rust programming language. From to before 0.10.78, aes::unwrap_key() contains an incorrect assertion: it checks that out.len() + 8 <= … | Apr 24, 2026 |
| CVE-2026-41677 | UNKNOWN | — | rust-openssl provides OpenSSL bindings for the Rust programming language. From 0.9.0 to before 0.10.78, the *_from_pem_callback APIs did not validate the length returned by the … | Apr 24, 2026 |
| CVE-2026-41676 | UNKNOWN | — | rust-openssl provides OpenSSL bindings for the Rust programming language. From 0.9.27 to before 0.10.78, Deriver::derive (and PkeyCtxRef::derive) sets len = buf.len() and passes it as … | Apr 24, 2026 |
| CVE-2026-41322 | MEDIUM | 5.3 | @astrojs/node allows Astro to deploy your SSR site to Node targets. Prior to 10.0.5, requesting a static js/css resource from the _astro path with an incorrect/malformed … | Apr 24, 2026 |
| CVE-2026-41321 | LOW | 2.2 | @astrojs/cloudflare is an SSR adapter for use with Cloudflare Workers targets. Prior to 13.1.10, the fetch() call for remote images in packages/integrations/cloudflare/src/utils/image-binding-transform.ts uses the default … | Apr 24, 2026 |
| CVE-2026-41140 | UNKNOWN | — | Poetry is a dependency manager for Python. Prior to 2.3.4, the extractall() function in src/poetry/utils/helpers.py:410-426 extracts sdist tarballs without path traversal protection on Python versions … | Apr 24, 2026 |
| CVE-2026-6912 | HIGH | 8.8 | Improperly controlled modification of dynamically-determined object attributes in the Cognito User Pool configuration in AWS Ops Wheel before PR #165 allows remote authenticated users to … | Apr 24, 2026 |
| CVE-2026-6911 | CRITICAL | 9.8 | Missing JWT signature verification in AWS Ops Wheel allows unauthenticated attackers to forge JWT tokens and gain unintended administrative access to the application, including the … | Apr 24, 2026 |
| CVE-2026-41411 | MEDIUM | 6.6 | Vim is an open source, command line text editor. Prior to 9.2.0357, a command injection vulnerability exists in Vim's tag file processing. When resolving a … | Apr 24, 2026 |
| CVE-2026-41079 | MEDIUM | 4.3 | OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. Prior to 2.4.17, a network-adjacent attacker can send a crafted … | Apr 24, 2026 |
| CVE-2026-41067 | MEDIUM | 6.1 | Astro is a web framework. Prior to 6.1.6, the defineScriptVars function in Astro's server-side rendering pipeline uses a case-sensitive regex /<\/script>/g to sanitize values injected … | Apr 24, 2026 |
| CVE-2026-41066 | HIGH | 7.5 | lxml is a library for processing XML and HTML in the Python language. Prior to 6.1.0, using either of the two parsers in the default … | Apr 24, 2026 |
| CVE-2026-40897 | HIGH | 8.8 | Math.js is an extensive math library for JavaScript and Node.js. From 13.1.1 to before 15.2.0, a vulnerability allowed executing arbitrary JavaScript via the expression parser … | Apr 24, 2026 |
| CVE-2026-40609 | UNKNOWN | — | Rejected reason: This CVE is a duplicate of another CVE. | Apr 24, 2026 |
| CVE-2026-39920 | CRITICAL | 9.8 | BridgeHead FileStore versions prior to 24A (released in early 2024) expose the Apache Axis2 administration module on network-accessible endpoints with default credentials that allows unauthenticated … | Apr 24, 2026 |
| CVE-2026-30368 | UNKNOWN | — | A client-side authorization flaw in Lightspeed Classroom v5.1.2.1763770643 allows unauthenticated attackers to impersonate users by bypassing integrity checks and abusing client-generated authorization tokens, leading to … | Apr 24, 2026 |
| CVE-2025-67259 | MEDIUM | 6.5 | A Broken Access Control vulnerability exists in ClassroomIO v0.1.13 where an authenticated low-privileged "student" user can access unauthorized course-level information by modifying intercepted API requests. … | Apr 24, 2026 |
| CVE-2025-59308 | MEDIUM | 4.7 | In Mahara before 24.04.10 and 25 before 25.04.1, an institution administrator or institution support administrator on a multi-tenanted site can masquerade as an institution member … | Apr 24, 2026 |
| CVE-2026-42095 | MEDIUM | 4.0 | bookserver in KDE Arianna before 26.04.1 allows attackers to read files over a socket connection by guessing a URL. | Apr 24, 2026 |
| CVE-2026-31672 | UNKNOWN | — | In the Linux kernel, the following vulnerability has been resolved: wifi: rt2x00usb: fix devres lifetime USB drivers bind to USB interfaces and any device managed … | Apr 24, 2026 |
| CVE-2026-31671 | UNKNOWN | — | In the Linux kernel, the following vulnerability has been resolved: xfrm_user: fix info leak in build_report() struct xfrm_user_report is a __u8 proto field followed by … | Apr 24, 2026 |
| CVE-2026-31670 | UNKNOWN | — | In the Linux kernel, the following vulnerability has been resolved: net: rfkill: prevent unlimited numbers of rfkill events from being created Userspace can create an … | Apr 24, 2026 |
| CVE-2026-31669 | UNKNOWN | — | In the Linux kernel, the following vulnerability has been resolved: mptcp: fix slab-use-after-free in __inet_lookup_established The ehash table lookups are lockless and rely on SLAB_TYPESAFE_BY_RCU … | Apr 24, 2026 |
| CVE-2026-31668 | UNKNOWN | — | In the Linux kernel, the following vulnerability has been resolved: seg6: separate dst_cache for input and output paths in seg6 lwtunnel The seg6 lwtunnel uses … | Apr 24, 2026 |
| CVE-2026-31667 | UNKNOWN | — | In the Linux kernel, the following vulnerability has been resolved: Input: uinput - fix circular locking dependency with ff-core A lockdep circular locking dependency warning … | Apr 24, 2026 |