CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
10692 total: 727 critical, 3080 high, 3407 medium.
| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-22001 | LOW | 2.7 | Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Information Schema). Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and 9.0.0-9.6.0. Easily exploitable … | Apr 21, 2026 |
| CVE-2026-21999 | MEDIUM | 5.3 | Vulnerability in the XML Database component of Oracle Database Server. Supported versions that are affected are 23.4.0-23.26.1. Difficult to exploit vulnerability allows unauthenticated attacker with … | Apr 21, 2026 |
| CVE-2026-21998 | MEDIUM | 4.9 | Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and 9.0.0-9.6.0. Easily exploitable vulnerability … | Apr 21, 2026 |
| CVE-2026-21997 | HIGH | 8.5 | Vulnerability in the Oracle Life Sciences Empirica Signal product of Oracle Life Science Applications (component: Common Core). Supported versions that are affected are 9.2.1-9.2.3. Easily … | Apr 21, 2026 |
| CVE-2025-70420 | HIGH | 8.8 | A SQL injection vulnerability exists in Genesys Latitude v25.1.0.420 that allows an authenticated attacker to execute arbitrary SQL queries against the backend database. The vulnerability … | Apr 21, 2026 |
| CVE-2026-6819 | HIGH | 8.8 | HKUDS OpenHarness prior to PR #156 remediation exposes plugin lifecycle commands including /plugin install, /plugin enable, /plugin disable, and /reload-plugins to remote senders by default. … | Apr 21, 2026 |
| CVE-2026-41320 | MEDIUM | 6.5 | Frappe HR is an open-source human resources management solution (HRMS). Prior to versions 15.54.0 and 14.38.1, a specially crafted request made to a certain endpoint … | Apr 21, 2026 |
| CVE-2026-40909 | HIGH | 8.7 | WWBN AVideo is an open source video platform. In versions 29.0 and prior, the locale save endpoint (`locale/save.php`) constructs a file path by directly concatenating … | Apr 21, 2026 |
| CVE-2026-40908 | MEDIUM | 5.3 | WWBN AVideo is an open source video platform. In versions 29.0 and prior, the file `git.json.php` at the web root executes `git log -1` and … | Apr 21, 2026 |
| CVE-2026-40907 | MEDIUM | 6.5 | WWBN AVideo is an open source video platform. In versions 29.0 and prior, the endpoint `plugin/Live/view/Live_restreams/list.json.php` contains an Insecure Direct Object Reference (IDOR) vulnerability that … | Apr 21, 2026 |
| CVE-2026-40903 | CRITICAL | 9.1 | goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.6, goshs has an ArtiPACKED vulnerability. ArtiPACKED can lead to leakage of the GITHUB_TOKEN through workflow … | Apr 21, 2026 |
| CVE-2026-40890 | HIGH | 7.5 | The package `github.com/gomarkdown/markdown` is a Go library for parsing Markdown text and rendering as HTML. Processing a malformed input containing a < character that is … | Apr 21, 2026 |
| CVE-2026-40889 | MEDIUM | 6.5 | Frappe HR is an open-source human resources management solution (HRMS). Prior to versions 15.58.2 and 16.4.2, authenticated users can access unauthorized files by exploiting certain … | Apr 21, 2026 |
| CVE-2026-40888 | MEDIUM | 6.5 | Frappe HR is an open-source human resources management solution (HRMS). Prior to versions 15.58.1 and 16.4.1, an authenticated user with default role can access unauthorized … | Apr 21, 2026 |
| CVE-2026-40887 | CRITICAL | 9.1 | Vendure is an open-source headless commerce platform. Starting in version 1.7.4 and prior to versions 2.3.4, 3.5.7, and 3.6.2, an unauthenticated SQL injection vulnerability exists … | Apr 21, 2026 |
| CVE-2026-40885 | UNKNOWN | — | goshs is a SimpleHTTPServer written in Go. From 2.0.0-beta.4 to 2.0.0-beta.5, goshs leaks file-based ACL credentials through its public collaborator feed when the server is … | Apr 21, 2026 |
| CVE-2026-40884 | CRITICAL | 9.8 | goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.6, goshs contains an SFTP authentication bypass when the documented empty-username basic-auth syntax is used. If … | Apr 21, 2026 |
| CVE-2026-40883 | UNKNOWN | — | goshs is a SimpleHTTPServer written in Go. From 2.0.0-beta.4 to 2.0.0-beta.5, goshs contains a cross-site request forgery issue in its state-changing HTTP GET routes. An … | Apr 21, 2026 |
| CVE-2026-40881 | UNKNOWN | — | ZEBRA is a Zcash node written entirely in Rust. Prior to zebrad version 4.3.0 and zebra-network version 5.0.1, when deserializing addr or addrv2 messages, which … | Apr 21, 2026 |
| CVE-2026-40880 | UNKNOWN | — | ZEBRA is a Zcash node written entirely in Rust. Prior to zebrad version 4.3.1 and zebra-consensus version 5.0.2, a logic error in Zebra's transaction verification … | Apr 21, 2026 |
| CVE-2026-40879 | HIGH | 7.5 | Nest is a framework for building scalable Node.js server-side applications. Prior to 11.1.19, when an attacker sends many small, valid JSON messages in one TCP … | Apr 21, 2026 |
| CVE-2026-40878 | UNKNOWN | — | mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, the mailcow web interface passes the raw `$_SERVER['REQUEST_URI']` to … | Apr 21, 2026 |
| CVE-2026-40876 | UNKNOWN | — | goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.6, goshs contains an SFTP root escape caused by prefix-based path validation. An authenticated SFTP user … | Apr 21, 2026 |
| CVE-2026-40875 | UNKNOWN | — | mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, the user dashboard's "Seen successful connections" (login history) renders … | Apr 21, 2026 |
| CVE-2026-40874 | UNKNOWN | — | mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, no administrator verification takes place when deleting Forwarding Hosts … | Apr 21, 2026 |