Security
CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
Total: 10692 | Critical: 727 | High: 3080 | Medium: 3407
| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-40873 | UNKNOWN | — | mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, the Quarantine details modal injects attachment filenames into HTML … | Apr 21, 2026 |
| CVE-2026-40872 | UNKNOWN | — | mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, the admin dashboard's Autodiscover logs render the EMailAddress value … | Apr 21, 2026 |
| CVE-2026-40871 | HIGH | 7.2 | mailcow: dockerized is an open source groupware/email suite based on docker. Versions prior to 2026-03b have a second-order SQL injection vulnerability in the quarantine_category field … | Apr 21, 2026 |
| CVE-2026-40870 | HIGH | 7.5 | Decidim is a participatory democracy framework. Starting in version 0.0.1 and prior to versions 0.30.5 and 0.31.1, the root level `commentable` field in the API … | Apr 21, 2026 |
| CVE-2026-40869 | HIGH | 7.5 | Decidim is a participatory democracy framework. Starting in version 0.19.0 and prior to versions 0.30.5 and 0.31.1, a vulnerability allows any registered and authenticated user … | Apr 21, 2026 |
| CVE-2026-40372 | CRITICAL | 9.1 | Improper verification of cryptographic signature in ASP.NET Core allows an unauthorized attacker to elevate privileges over a network. | Apr 21, 2026 |
| CVE-2026-33813 | HIGH | 7.5 | Parsing a WEBP image with an invalid, large size panics on 32-bit platforms. | Apr 21, 2026 |
| CVE-2026-33812 | MEDIUM | 6.1 | Parsing a malicious font file can cause excessive memory allocation. | Apr 21, 2026 |
| CVE-2026-6745 | LOW | 3.5 | A vulnerability was determined in Bagisto up to 2.3.15. Affected by this vulnerability is an unknown functionality of the component Custom Scripts Handler. This manipulation … | Apr 21, 2026 |
| CVE-2026-6744 | MEDIUM | 6.3 | A vulnerability was found in Bagisto up to 2.3.15. Affected is the function copy of the component Downloadable Link Handler. The manipulation results in server-side … | Apr 21, 2026 |
| CVE-2026-41456 | UNKNOWN | — | Bludit CMS prior to commit 6732dde contains a reflected cross-site scripting vulnerability in the search plugin that allows unauthenticated attackers to inject arbitrary JavaScript by … | Apr 21, 2026 |
| CVE-2026-40868 | HIGH | 8.1 | Kyverno is a policy engine designed for cloud native platform engineering teams. Prior to 1.16.4, kyverno’s apiCall servicecall helper implicitly injects Authorization: Bearer ... using … | Apr 21, 2026 |
| CVE-2026-40867 | UNKNOWN | — | Horilla is a free and open source Human Resource Management System (HRMS). In 1.5.0, a broken access control vulnerability in the helpdesk attachment viewer allows … | Apr 21, 2026 |
| CVE-2026-40866 | UNKNOWN | — | Horilla is a free and open source Human Resource Management System (HRMS). In 1.5.0, an insecure direct object reference in the employee document upload endpoint … | Apr 21, 2026 |
| CVE-2026-40865 | UNKNOWN | — | Horilla is a free and open source Human Resource Management System (HRMS). In 1.5.0, an insecure direct object reference in the employee document viewer allows … | Apr 21, 2026 |
| CVE-2026-40614 | UNKNOWN | — | PJSIP is a free and open source multimedia communication library written in C. In 2.16 and earlier, there is a buffer overflow when decoding Opus … | Apr 21, 2026 |
| CVE-2026-40613 | HIGH | 7.5 | Coturn is a free open source implementation of TURN and STUN Server. Prior to 4.10.0, the STUN/TURN attribute parsing functions in coturn perform unsafe pointer … | Apr 21, 2026 |
| CVE-2026-22751 | MEDIUM | 4.8 | Vulnerability in Spring Security. Applications that explicitly configure One-Time Token login with JdbcOneTimeTokenService are vulnerable to a Time-of-check Time-of-use (TOCTOU) race condition. This issue … | Apr 21, 2026 |
| CVE-2026-41194 | MEDIUM | 5.4 | FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.215, the mailbox OAuth disconnect action is implemented as `GET /mailbox/oauth-disconnect/{id}/{in_out}/{provider}`. It … | Apr 21, 2026 |
| CVE-2026-41193 | CRITICAL | 9.1 | FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.215, FreeScout's module installation feature extracts ZIP archives without validating file paths, … | Apr 21, 2026 |
| CVE-2026-41192 | HIGH | 7.1 | FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.215, the reply and draft flows trust client-supplied encrypted attachment IDs. Any … | Apr 21, 2026 |
| CVE-2026-40611 | HIGH | 8.8 | Let's Encrypt client and ACME library written in Go (Lego). Prior to 4.34.0, the webroot HTTP-01 challenge provider in lego is vulnerable to arbitrary file … | Apr 21, 2026 |
| CVE-2026-40608 | MEDIUM | 6.2 | Next AI Draw.io is a next.js web application that integrates AI capabilities with draw.io diagrams. Prior to 0.4.15, the embedded HTTP sidecar contains three POST … | Apr 21, 2026 |
| CVE-2026-40606 | MEDIUM | 4.8 | mitmproxy is an interactive TLS-capable intercepting HTTP proxy for penetration testers and software developers and mitmweb is a web-based interface for mitmproxy. In mitmproxy 12.2.1 … | Apr 21, 2026 |
| CVE-2026-40604 | UNKNOWN | — | ClearanceKit intercepts file-system access events on macOS and enforces per-process access policies. Prior to 5.0.6, the opfilter Endpoint Security system extension (bundle ID uk.craigbass.clearancekit.opfilter) can … | Apr 21, 2026 |
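The FreeScout module-installation entry (CVE-2026-41193) describes the archive-extraction flaw class usually called Zip Slip: an attacker-supplied ZIP member named with `../` components or an absolute path is written outside the intended destination. The check an extractor needs is short and independent of the application. The following is an added, generic Python example, not FreeScout's code and not derived from the advisory; the module names, file names and the `modules/` destination in the constructed sample archives are assumptions for illustration only.

```python
import io
import os
import tempfile
import zipfile
from pathlib import Path


def is_safe_member(name: str, dest: str) -> bool:
    """Return True only if the archive member would land inside dest.

    Rejects absolute paths and drive letters (a naive os.path.join would
    discard dest entirely), any '..' component, and anything that still
    resolves outside dest after normalisation.
    """
    if name.startswith(("/", "\\")) or os.path.splitdrive(name)[0]:
        return False
    # Normalise Windows separators so '..' hidden in 'a\\..\\b' is seen.
    parts = Path(name.replace("\\", "/")).parts
    if ".." in parts:
        return False
    base = Path(dest).resolve()
    target = (base / name).resolve()
    try:
        target.relative_to(base)
    except ValueError:
        return False
    return True


def safe_extract(zip_bytes: bytes, dest: str) -> list[str]:
    """Validate every member before writing anything, then extract.

    Checking the whole listing first means a hostile archive leaves no
    partial extraction behind. Note: extractors that honour symlink
    entries must additionally check each link target the same way.
    """
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = [info.filename for info in zf.infolist()]
        for name in names:
            if not is_safe_member(name, dest):
                raise ValueError(f"refusing unsafe archive member: {name!r}")
        zf.extractall(dest)
        return names


def build_archive(entries: dict[str, bytes]) -> bytes:
    """Construct an in-memory ZIP; used here only to fabricate test input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)  # names are stored verbatim, '../' included
    return buf.getvalue()


def run_demo() -> dict:
    """Extract one benign and two hostile constructed archives into a temp dir."""
    with tempfile.TemporaryDirectory() as tmp:
        dest = Path(tmp) / "modules"   # hypothetical module install directory
        dest.mkdir()
        clean = build_archive({
            "Example/module.json": b"{}",
            "Example/src/Module.php": b"<?php",
        })
        results = {"clean": sorted(safe_extract(clean, str(dest)))}
        hostile = {
            "traversal": "../../config/app.php",  # escapes via '..'
            "absolute": "/etc/crontab",           # escapes via absolute path
        }
        for key, name in hostile.items():
            try:
                safe_extract(build_archive({name: b"pwned"}), str(dest))
                results[key] = "extracted"
            except ValueError:
                results[key] = "rejected"
        # Confirm nothing was written above the destination directory.
        results["escaped"] = (Path(tmp) / "config" / "app.php").exists()
        return results


if __name__ == "__main__":
    print(run_demo())
```

The validation is deliberately done on the member names before any write: rejecting mid-extraction would still leave the earlier members on disk. Python's own `extractall` silently strips `..` and leading slashes rather than failing, which hides the attack from logs; an explicit reject is the behaviour you want in an installer that accepts uploaded archives.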