Security
CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
10692
Total
727
Critical
3080
High
3407
Medium
| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-40891 | MEDIUM | 5.3 | OpenTelemetry dotnet is a dotnet telemetry framework. From 1.13.1 to before 1.15.2, When exporting telemetry over gRPC using the OpenTelemetry Protocol (OTLP), the exporter may … | Apr 23, 2026 |
| CVE-2026-40182 | MEDIUM | 5.3 | OpenTelemetry dotnet is a dotnet telemetry framework. From 1.13.1 to before 1.15.2, When exporting telemetry to a back-end/collector over gRPC or HTTP using OpenTelemetry Protocol … | Apr 23, 2026 |
| CVE-2026-31533 | UNKNOWN | — | In the Linux kernel, the following vulnerability has been resolved: net/tls: fix use-after-free in -EBUSY error path of tls_do_encryption The -EBUSY handling in tls_do_encryption(), introduced … | Apr 23, 2026 |
| CVE-2026-31181 | CRITICAL | 9.8 | An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the stunServerAddr parameter to /cgi-bin/cstecgi.cgi. | Apr 23, 2026 |
| CVE-2026-31179 | MEDIUM | 6.5 | An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the stunPort parameter to /cgi-bin/cstecgi.cgi. | Apr 23, 2026 |
| CVE-2026-31178 | CRITICAL | 9.8 | An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the stunMaxAlive parameter to /cgi-bin/cstecgi.cgi. | Apr 23, 2026 |
| CVE-2026-31177 | CRITICAL | 9.8 | An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the stunMinAlive parameter to /cgi-bin/cstecgi.cgi. | Apr 23, 2026 |
| CVE-2026-31176 | MEDIUM | 6.5 | An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the stun_user parameter to /cgi-bin/cstecgi.cgi. | Apr 23, 2026 |
| CVE-2026-31175 | CRITICAL | 9.8 | An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the stunEnable parameter to /cgi-bin/cstecgi.cgi. | Apr 23, 2026 |
| CVE-2026-31174 | MEDIUM | 6.5 | An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the informEnable parameter to /cgi-bin/cstecgi.cgi. | Apr 23, 2026 |
| CVE-2026-31172 | MEDIUM | 6.5 | An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the user parameter to /cgi-bin/cstecgi.cgi. | Apr 23, 2026 |
| CVE-2026-31171 | MEDIUM | 6.5 | An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the url parameter to /cgi-bin/cstecgi.cgi. | Apr 23, 2026 |
| CVE-2026-31165 | MEDIUM | 6.5 | An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the pppoeServiceName parameter to /cgi-bin/cstecgi.cgi. | Apr 23, 2026 |
| CVE-2026-31164 | MEDIUM | 6.5 | An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the pppoeMtu parameter to /cgi-bin/cstecgi.cgi. | Apr 23, 2026 |
| CVE-2026-31160 | MEDIUM | 6.5 | An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the provider parameter to /cgi-bin/cstecgi.cgi. | Apr 23, 2026 |
| CVE-2026-31159 | MEDIUM | 6.5 | An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the password parameter to /cgi-bin/cstecgi.cgi. | Apr 23, 2026 |
| CVE-2026-41240 | UNKNOWN | — | DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. Versions prior to 3.4.0 have an inconsistency between FORBID_TAGS and FORBID_ATTR handling when … | Apr 23, 2026 |
| CVE-2026-41239 | MEDIUM | 6.8 | DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. Starting in version 1.0.10 and prior to version 3.4.0, `SAFE_FOR_TEMPLATES` strips `{{...}}` expressions … | Apr 23, 2026 |
| CVE-2026-41238 | MEDIUM | 6.9 | DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. Versions 3.0.1 through 3.3.3 are vulnerable to a prototype pollution-based XSS bypass. When … | Apr 23, 2026 |
| CVE-2026-40472 | CRITICAL | 9.9 | In hackage-server, user-controlled metadata from .cabal files are rendered into HTML href attributes without proper sanitization, enabling stored Cross-Site Scripting (XSS) attacks. | Apr 23, 2026 |
| CVE-2026-40471 | CRITICAL | 9.6 | hackage-server lacked Cross-Site Request Forgery (CSRF) protection across its endpoints. Scripts on foreign sites could trigger requests to hackage server, possibly abusing latent credentials to … | Apr 23, 2026 |
| CVE-2026-40470 | CRITICAL | 9.9 | A critical XSS vulnerability affected hackage-server and hackage.haskell.org. HTML and JavaScript files provided in source packages or via the documentation upload facility were served as-is … | Apr 23, 2026 |
| CVE-2026-39087 | CRITICAL | 9.8 | An issue in Ntfy ntfy.sh before v.2.21 allows a remote attacker to execute arbitrary code via the parseActions function | Apr 23, 2026 |
| CVE-2026-34003 | HIGH | 7.8 | A flaw was found in the X.Org X server's XKB key types request validation. A local attacker could send a specially crafted request to the … | Apr 23, 2026 |
| CVE-2026-34001 | HIGH | 7.8 | A flaw was found in the X.Org X server. This use-after-free vulnerability occurs in the XSYNC fence triggering logic, specifically within the miSyncTriggerFence() function. An … | Apr 23, 2026 |