Security
CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
Totals: 10692 entries, of which 727 critical, 3080 high and 3407 medium severity.
| CVE ID | Severity | CVSS base score (— = not yet scored) | Description | Published |
|---|---|---|---|---|
| CVE-2026-41314 | UNKNOWN | — | pypdf is a free and open-source pure-python PDF library. An attacker who uses a vulnerability present in versions prior to 6.10.2 can craft a PDF … | Apr 22, 2026 |
| CVE-2026-41313 | UNKNOWN | — | pypdf is a free and open-source pure-python PDF library. An attacker who uses a vulnerability present in versions prior to 6.10.2 can craft a PDF … | Apr 22, 2026 |
| CVE-2026-41312 | UNKNOWN | — | pypdf is a free and open-source pure-python PDF library. An attacker who uses a vulnerability present in versions prior to 6.10.2 can craft a PDF … | Apr 22, 2026 |
| CVE-2026-41177 | MEDIUM | 5.5 | Squidex is an open source headless content management system and content management hub. Prior to version 7.23.0, the Squidex Restore API is vulnerable to Blind … | Apr 22, 2026 |
| CVE-2026-41175 | HIGH | 8.1 | Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.20 and 6.13.0, manipulating query parameters on Control Panel and REST … | Apr 22, 2026 |
| CVE-2026-41172 | UNKNOWN | — | Squidex is an open source headless content management system and content management hub. Prior to version 7.23.0, an SSRF vulnerability allows a user with asset … | Apr 22, 2026 |
| CVE-2026-41171 | UNKNOWN | — | Squidex is an open source headless content management system and content management hub. Versions prior to 7.23.0 have a Server-Side Request Forgery (SSRF) vulnerability due … | Apr 22, 2026 |
| CVE-2026-41170 | UNKNOWN | — | Squidex is an open source headless content management system and content management hub. Prior to version 7.23.0, the `RestoreController.PostRestoreJob` endpoint allows an administrator to supply … | Apr 22, 2026 |
| CVE-2026-40517 | HIGH | 7.8 | radare2 prior to 6.1.4 contains a command injection vulnerability in the PDB parser's print_gvars() function that allows attackers to execute arbitrary commands by crafting a … | Apr 22, 2026 |
| CVE-2026-41168 | UNKNOWN | — | pypdf is a free and open-source pure-python PDF library. An attacker who uses a vulnerability present in versions prior to 6.10.1 can craft a PDF … | Apr 22, 2026 |
| CVE-2026-41167 | CRITICAL | 9.1 | Jellystat is a free and open source Statistics App for Jellyfin. Prior to version 1.1.10, multiple API endpoints in Jellystat build SQL queries by interpolating … | Apr 22, 2026 |
| CVE-2026-41166 | HIGH | 7.0 | OpenRemote is an open-source internet-of-things platform. Prior to version 1.22.1, a user who has `write:admin` in one Keycloak realm can call the Manager API to … | Apr 22, 2026 |
| CVE-2026-41134 | UNKNOWN | — | Kiota is an OpenAPI based HTTP Client code generator. Versions prior to 1.31.1 are affected by a code-generation literal injection vulnerability in multiple writer sinks … | Apr 22, 2026 |
| CVE-2026-40937 | HIGH | 8.3 | RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-alpha.94, all four notification target admin API endpoints in `rustfs/src/admin/handlers/event.rs` use a `check_permissions` … | Apr 22, 2026 |
| CVE-2026-40882 | HIGH | 7.6 | OpenRemote is an open-source internet-of-things platform. Prior to version 1.22.0, the Velbus asset import path parses attacker-controlled XML without explicit XXE hardening. An authenticated user … | Apr 22, 2026 |
| CVE-2026-3837 | UNKNOWN | — | An authenticated attacker can persist crafted values in multiple field types and trigger client-side script execution when another user opens the affected document in Desk. … | Apr 22, 2026 |
| CVE-2026-34068 | MEDIUM | 6.8 | nimiq-transaction provides the transaction primitive to be used in Nimiq's Rust implementation. Prior to version 1.3.0, the staking contract accepts `UpdateValidator` transactions that set `new_voting_key=Some(...)` … | Apr 22, 2026 |
| CVE-2026-34067 | LOW | 3.1 | nimiq-transaction provides the transaction primitive to be used in Nimiq's Rust implementation. Prior to version 1.3.0, `HistoryTreeProof::verify` panics on a malformed proof where `history.len() != … | Apr 22, 2026 |
| CVE-2026-33733 | HIGH | 7.2 | EspoCRM is an open source customer relationship management application. Prior to version 9.3.4, the admin template management endpoints accept attacker-controlled `name` and `scope` values and … | Apr 22, 2026 |
| CVE-2026-33656 | CRITICAL | 9.1 | EspoCRM is an open source customer relationship management application. Prior to version 9.3.4, EspoCRM's built-in formula scripting engine allows updating an attachment's sourceId, thus allowing an … | Apr 22, 2026 |
| CVE-2026-6019 | UNKNOWN | — | http.cookies.Morsel.js_output() returns an inline <script> snippet and only escapes " for JavaScript string context. It does not neutralize the HTML parser-sensitive sequence </script> inside the … | Apr 22, 2026 |
| CVE-2026-3673 | UNKNOWN | — | An authenticated attacker can store a crafted tag value in _user_tags and trigger JavaScript execution when a victim opens the list/report view where tags are … | Apr 22, 2026 |
| CVE-2026-34066 | MEDIUM | 5.3 | nimiq-blockchain provides persistent block storage for Nimiq's Rust implementation. Prior to version 1.3.0, `HistoryStore::put_historic_txns` uses an `assert!` to enforce invariants about `HistoricTransaction.block_number` (must be within … | Apr 22, 2026 |
| CVE-2026-34065 | HIGH | 7.5 | nimiq-primitives contains primitives (e.g., block, account, transaction) to be used in Nimiq's Rust implementation. Prior to version 1.3.0, an untrusted p2p peer can cause a … | Apr 22, 2026 |
| CVE-2026-34064 | MEDIUM | 5.3 | nimiq-account contains account primitives to be used in Nimiq's Rust implementation. Prior to version 1.3.0, `VestingContract::can_change_balance` returns `AccountError::InsufficientFunds` when `new_balance < min_cap`, but it constructs … | Apr 22, 2026 |
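The CVE-2026-6019 row above describes a behaviour of the Python standard library that can be checked directly. The following is an added example, not code from the feed or from CPython: it pushes a constructed cookie value containing `</script>` through `http.cookies.Morsel.js_output()`, shows that the end tag survives into the emitted `<script>` block (only `"` is escaped), and contrasts a hardened emitter of my own (`js_literal`, `hardened_js_output`; not a stdlib API) that JSON-encodes the cookie string and writes `<`, `>` and `&` as `\uXXXX` escapes. The cookie name, the sample value and the helper names are assumptions.

```python
"""Added example: http.cookies.Morsel.js_output() vs. a hardened emitter.

Not part of the NVD feed or of CPython. Cookie name, value and helper
names are constructed for illustration.
"""
import json
from http.cookies import SimpleCookie

# Constructed attacker-influenced cookie value containing an HTML end tag.
PAYLOAD = '</script><b>injected</b>'


def stdlib_js_output(name: str, value: str) -> str:
    """Return the <script> block the standard library emits for this cookie.

    Morsel.js_output() only escapes '"' for the JavaScript string literal;
    it leaves '<', '/' and '>' in the cookie string untouched.
    """
    jar = SimpleCookie()
    jar[name] = value
    return jar[name].js_output()


def js_literal(cookie_string: str) -> str:
    """JSON-encode a string for safe embedding inside a <script> element.

    JSON handles quotes, backslashes and control characters; '<', '>' and
    '&' are additionally written as \\uXXXX escapes so the HTML tokenizer can
    never see '</script' (or '<!--') inside the script body. A JSON string
    literal is a valid JavaScript string literal, and \\u003c decodes back
    to '<' in JavaScript exactly as it does in json.loads().
    """
    return (json.dumps(cookie_string)
            .replace('<', '\\u003c')
            .replace('>', '\\u003e')
            .replace('&', '\\u0026'))


def hardened_js_output(name: str, value: str) -> str:
    """Emit the same document.cookie assignment using the hardened literal.

    The cookie string itself is still produced by http.cookies, so the
    cookie-level quoting of special characters is unchanged.
    """
    jar = SimpleCookie()
    jar[name] = value
    cookie_string = jar[name].OutputString()
    return '<script>document.cookie = %s;</script>' % js_literal(cookie_string)


def literal_round_trips(cookie_string: str) -> bool:
    """The escaped literal must decode to the original cookie string."""
    return json.loads(js_literal(cookie_string)) == cookie_string


def script_body(block: str) -> str:
    """Return the text between the outer <script ...> start tag and the
    final </script> end tag of a single script block."""
    lowered = block.lower()
    start = lowered.index('>', lowered.index('<script')) + 1
    end = lowered.rindex('</script')
    return block[start:end]


def body_closes_element_early(block: str) -> bool:
    """True if an HTML tokenizer would end the script element before the
    real end tag, i.e. the body contains '</script' (tag names are
    case-insensitive, hence the lower())."""
    return '</script' in script_body(block).lower()


if __name__ == '__main__':
    vulnerable = stdlib_js_output('sid', PAYLOAD)
    safe = hardened_js_output('sid', PAYLOAD)
    print(vulnerable)
    print(safe)
    print('stdlib body breaks out:', body_closes_element_early(vulnerable))
    print('hardened body breaks out:', body_closes_element_early(safe))
```

Note that the hardened emitter does not change what ends up in `document.cookie`: the cookie string from `OutputString()` is byte-for-byte the same, only its representation inside the script element differs. Escaping `<` rather than just `</` also covers `<!--`, which some HTML parsers treat specially inside script data.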