CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
| Total | Critical | High | Medium |
|---|---|---|---|
| 10692 | 727 | 3080 | 3407 |
| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-6074 | UNKNOWN | — | A path traversal condition in Intrado 911 Emergency Gateway could allow an attacker with existing network access the ability to access the EGW management interface … | Apr 23, 2026 |
| CVE-2026-41259 | UNKNOWN | — | Mastodon is a free, open-source social network server based on ActivityPub. Prior to v4.5.9, v4.4.16, and v4.3.22, Mastodon allows restricting new user sign-up based on … | Apr 23, 2026 |
| CVE-2026-41247 | UNKNOWN | — | elFinder is an open-source file manager for web, written in JavaScript using jQuery UI. Prior to 2.1.67, elFinder contains a command injection vulnerability in the … | Apr 23, 2026 |
| CVE-2026-41246 | HIGH | 8.1 | Contour is a Kubernetes ingress controller using Envoy proxy. From v1.19.0 to before v1.33.4, v1.32.5, and v1.31.6, Contour's Cookie Rewriting feature is vulnerable to Lua … | Apr 23, 2026 |
| CVE-2026-41241 | HIGH | 8.7 | pretalx is a conference planning tool. Prior to 2026.1.0, the organiser search in the pretalx backend rendered submission titles, speaker display names, and user names/emails … | Apr 23, 2026 |
| CVE-2026-41213 | MEDIUM | 5.9 | @node-oauth/oauth2-server is a module for implementing an OAuth2 server in Node.js. The token exchange path accepts RFC7636-invalid code_verifier values (including one-character strings) for S256 PKCE … | Apr 23, 2026 |
| CVE-2026-41205 | UNKNOWN | — | Mako is a template library written in Python. Prior to 1.3.11, TemplateLookup.get_template() is vulnerable to path traversal when a URI starts with // (e.g., //../../../secret.txt). … | Apr 23, 2026 |
| CVE-2026-41173 | MEDIUM | 5.9 | The AWS X-Ray Remote Sampler package provides a sampler which can get sampling configurations from AWS X-Ray. Prior to 0.1.0-alpha.8, OpenTelemetry.Sampler.AWS reads unbounded HTTP response … | Apr 23, 2026 |
| CVE-2026-41078 | MEDIUM | 5.9 | OpenTelemetry dotnet is a dotnet telemetry framework. In 1.6.0-rc.1 and earlier, OpenTelemetry.Exporter.Jaeger may allow sustained memory pressure when the internal pooled-list sizing grows based on … | Apr 23, 2026 |
| CVE-2026-40894 | MEDIUM | 5.3 | OpenTelemetry dotnet is a dotnet telemetry framework. In OpenTelemetry.Api 0.5.0-beta.2 to 1.15.2 and OpenTelemetry.Extensions.Propagators 1.3.1 to 1.15.2, the implementation details of the baggage, B3 and … | Apr 23, 2026 |
| CVE-2026-40886 | HIGH | 7.7 | Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. From 3.6.5 to 4.0.4, an unchecked array index in the … | Apr 23, 2026 |
| CVE-2026-33694 | UNKNOWN | — | This vulnerability allows an attacker to create a junction, enabling the deletion of arbitrary files with SYSTEM privileges. As a result, this condition potentially facilitates … | Apr 23, 2026 |
| CVE-2026-31173 | MEDIUM | 6.5 | An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the interval parameter to /cgi-bin/cstecgi.cgi. | Apr 23, 2026 |
| CVE-2026-31169 | MEDIUM | 6.5 | An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the week parameter to /cgi-bin/cstecgi.cgi. | Apr 23, 2026 |
| CVE-2026-31168 | MEDIUM | 6.5 | An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the recHour parameter to /cgi-bin/cstecgi.cgi. | Apr 23, 2026 |
| CVE-2026-31167 | MEDIUM | 6.5 | An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the mode parameter to /cgi-bin/cstecgi.cgi. | Apr 23, 2026 |
| CVE-2026-31166 | MEDIUM | 6.5 | An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the hour parameter to /cgi-bin/cstecgi.cgi. | Apr 23, 2026 |
| CVE-2026-31163 | MEDIUM | 6.5 | An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the dhcpMtu parameter to /cgi-bin/cstecgi.cgi. | Apr 23, 2026 |
| CVE-2026-31162 | MEDIUM | 6.5 | An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the ttlWay parameter to /cgi-bin/cstecgi.cgi. | Apr 23, 2026 |
| CVE-2026-6921 | HIGH | 8.3 | Race in GPU in Google Chrome on Windows prior to 147.0.7727.117 allowed a remote attacker to potentially perform a sandbox escape via a crafted video … | Apr 23, 2026 |
| CVE-2026-6920 | CRITICAL | 9.6 | Out of bounds read in GPU in Google Chrome on Android prior to 147.0.7727.117 allowed a remote attacker who had compromised the renderer process to … | Apr 23, 2026 |
| CVE-2026-6919 | CRITICAL | 9.6 | Use after free in DevTools in Google Chrome prior to 147.0.7727.117 allowed a remote attacker who had compromised the renderer process to potentially perform a … | Apr 23, 2026 |
| CVE-2026-5039 | UNKNOWN | — | TP-Link TL-WR841N v13 uses DES-CBC encryption in the TDDPv2 debug protocol with a cryptographic key derived from default web management credentials, making the key predictable … | Apr 23, 2026 |
| CVE-2026-41909 | MEDIUM | 5.4 | OpenClaw before 2026.4.20 contains an improper authorization vulnerability in paired-device pairing management that allows limited-scope sessions to enumerate and act on pairing requests. Attackers with … | Apr 23, 2026 |
| CVE-2026-41908 | MEDIUM | 4.3 | OpenClaw before 2026.4.20 contains a scope enforcement bypass vulnerability in the assistant-media route that allows trusted-proxy callers without operator.read scope to access protected assistant-media files … | Apr 23, 2026 |