CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
Totals: 10692 entries, of which 727 critical, 3080 high and 3407 medium severity.
| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-40896 | MEDIUM | 6.5 | OpenProject is open-source, web-based project management software. Prior to version 17.3.0, a user with `manage_agendas` permission in any project can inject agenda items into meetings … | Apr 20, 2026 |
| CVE-2026-3219 | UNKNOWN | — | pip handles concatenated tar and ZIP files as ZIP files regardless of filename or whether a file is both a tar and ZIP file. This … | Apr 20, 2026 |
| CVE-2026-39918 | CRITICAL | 9.8 | Vvveb prior to 1.0.8.1 contains a code injection vulnerability in the installation endpoint where the subdir POST parameter is written unsanitized into the env.php configuration … | Apr 20, 2026 |
| CVE-2026-34429 | MEDIUM | 5.4 | Vvveb prior to 1.0.8.1 contains a stored cross-site scripting vulnerability that allows authenticated users with media upload and rename permissions to execute arbitrary JavaScript by … | Apr 20, 2026 |
| CVE-2026-34428 | HIGH | 7.7 | Vvveb prior to 1.0.8.1 contains a server-side request forgery vulnerability in the oEmbedProxy action of the editor/editor module where the url parameter is passed directly … | Apr 20, 2026 |
| CVE-2026-34427 | HIGH | 8.8 | Vvveb prior to 1.0.8.1 contains a privilege escalation vulnerability in the admin user profile save endpoint that allows authenticated users to modify privileged fields on … | Apr 20, 2026 |
| CVE-2026-26944 | HIGH | 8.8 | Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.6, LTS2025 release version 8.3.1.0 through 8.3.1.20, LTS2024 release versions 7.13.1.0 through 7.13.1.60 contain a missing authentication for … | Apr 20, 2026 |
| CVE-2026-25883 | MEDIUM | 5.8 | Vexa is an open-source, self-hostable meeting bot API and meeting transcription API. Prior to 0.10.0-260419-1910, the Vexa webhook feature allows authenticated users to configure an … | Apr 20, 2026 |
| CVE-2026-25058 | HIGH | 7.5 | Vexa is an open-source, self-hostable meeting bot API and meeting transcription API. Prior to 0.10.0-260419-1910, the Vexa transcription-collector service exposes an internal endpoint `GET /internal/transcripts/{meeting_id}` … | Apr 20, 2026 |
| CVE-2026-24468 | MEDIUM | 5.3 | OpenAEV is an open source platform allowing organizations to plan, schedule and conduct cyber adversary simulation campaigns and tests. Starting in version 1.11.0 and prior … | Apr 20, 2026 |
| CVE-2026-24467 | CRITICAL | 9.0 | OpenAEV is an open source platform allowing organizations to plan, schedule and conduct cyber adversary simulation campaigns and tests. Starting in version 1.0.0 and prior … | Apr 20, 2026 |
| CVE-2026-23774 | HIGH | 7.2 | Dell PowerProtect Data Domain with Data Domain Operating System (DD OS) of Feature Release versions 7.7.1.0 through 8.5, LTS2025 release version 8.3.1.0 through 8.3.1.10, LTS2024 … | Apr 20, 2026 |
| CVE-2026-6649 | MEDIUM | 6.3 | A vulnerability was determined in Qibo CMS 1.0. Affected by this issue is some unknown functionality of the file /index/image/headers. Executing a manipulation of the … | Apr 20, 2026 |
| CVE-2026-6369 | UNKNOWN | — | An improper access control vulnerability in the canonical-livepatch snap client prior to version 10.15.0 allows a local unprivileged user to obtain a sensitive, root-level authentication … | Apr 20, 2026 |
| CVE-2026-5760 | CRITICAL | 9.8 | SGLang's reranking endpoint (/v1/rerank) achieves Remote Code Execution (RCE) when a model file containing a malicious tokenizer.chat_template is loaded, as the Jinja2 chat templates are … | Apr 20, 2026 |
| CVE-2026-4048 | HIGH | 8.4 | OS Command Injection Remote Code Execution Vulnerability in UI in Progress ADC Products allows an authenticated attacker with “All” permissions to execute arbitrary commands on … | Apr 20, 2026 |
| CVE-2026-3519 | HIGH | 8.4 | OS Command Injection Remote Code Execution Vulnerability in API in Progress ADC Products allows an authenticated attacker with “VS Administration” permissions to execute arbitrary commands … | Apr 20, 2026 |
| CVE-2026-3518 | HIGH | 8.4 | OS Command Injection Remote Code Execution Vulnerability in API in Progress ADC Products allows an authenticated attacker with “All” permissions to execute arbitrary commands on … | Apr 20, 2026 |
| CVE-2026-3517 | HIGH | 8.4 | OS Command Injection Remote Code Execution Vulnerability in API in Progress ADC Products allows an authenticated attacker with “Geo Administration” permissions to execute arbitrary commands … | Apr 20, 2026 |
| CVE-2026-33558 | MEDIUM | 5.3 | Information exposure vulnerability has been identified in Apache Kafka. The NetworkClient component will output entire requests and responses information in the DEBUG log level in … | Apr 20, 2026 |
| CVE-2026-33557 | CRITICAL | 9.1 | A possible security vulnerability has been identified in Apache Kafka. By default, the broker property `sasl.oauthbearer.jwt.validator.class` is set to `org.apache.kafka.common.security.oauthbearer.DefaultJwtValidator`. It accepts any JWT token … | Apr 20, 2026 |
| CVE-2025-66335 | MEDIUM | 5.3 | Apache Doris MCP Server versions earlier than 0.6.1 are affected by an improper neutralization flaw in query context handling that may allow execution of unintended … | Apr 20, 2026 |
| CVE-2026-6648 | LOW | 3.5 | A vulnerability was found in Qibo CMS 1.0. Affected by this vulnerability is an unknown functionality of the component Internal Message Module. Performing a manipulation … | Apr 20, 2026 |
| CVE-2026-6636 | MEDIUM | 4.3 | A vulnerability was detected in p2r3 convert up to 6998584ace3e11db66dff0b423612a5cf91de75b. Affected is the function Bun.serve of the file buildCache.js of the component API. Performing a … | Apr 20, 2026 |
| CVE-2026-6635 | HIGH | 7.3 | A security vulnerability has been detected in rowboatlabs rowboat up to 0.1.67. This impacts the function tool_call of the file apps/experimental/tools_webhook/app.py of the component tools_webhook. … | Apr 20, 2026 |
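
The pip entry above (CVE-2026-3219) turns on a file that is at the same time a valid tar archive and a valid ZIP archive. The Python below is added here as an illustration; it is not code from pip and not taken from the advisory. It builds such a polyglot with the standard library (tar readers parse from offset 0, ZIP readers locate the end-of-central-directory record from the end of the file and tolerate leading data), shows that `tarfile` and `zipfile` report different members for the same bytes, and implements a strict check that refuses the ambiguous input instead of silently choosing one parser. Every archive member and file name in it is constructed sample data, and how pip itself resolves the ambiguity is not shown on this page.

```python
import io
import tarfile
import zipfile


def make_tar(members: dict) -> bytes:
    """Uncompressed tar archive built in memory from {name: bytes} (constructed sample data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:") as tf:
        for name, payload in members.items():
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def make_zip(members: dict) -> bytes:
    """ZIP archive built in memory from {name: bytes} (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()


def make_tar_zip_polyglot(tar_members: dict, zip_members: dict) -> bytes:
    """Concatenate a tar archive and a ZIP archive into one byte string.

    The tar part comes first because tar parsers start at offset 0 and stop at the
    tar end-of-archive blocks; the ZIP part comes last because ZIP parsers search
    for the end-of-central-directory record from the end of the file and accept
    arbitrary leading bytes (the same property self-extracting archives rely on).
    """
    return make_tar(tar_members) + make_zip(zip_members)


def tar_names(data: bytes):
    """Member names as a tar parser sees them, or None if the bytes are not a tar archive."""
    try:
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:") as tf:
            return [m.name for m in tf.getmembers()]
    except tarfile.TarError:
        return None


def zip_names(data: bytes):
    """Member names as a ZIP parser sees them, or None if the bytes are not a ZIP archive."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return None
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()


def classify_archive(data: bytes) -> str:
    """Return 'tar', 'zip', 'polyglot' (both parsers accept the bytes) or 'unknown'."""
    is_tar = tar_names(data) is not None
    is_zip = zip_names(data) is not None
    if is_tar and is_zip:
        return "polyglot"
    if is_tar:
        return "tar"
    if is_zip:
        return "zip"
    return "unknown"


def open_archive_strictly(data: bytes, declared: str):
    """Return member names only when the bytes are unambiguously the declared format.

    A file that both parsers accept is rejected rather than handed to whichever
    parser happens to run first; that is the check an installer should make before
    trusting the filename or the content type it was told about.
    """
    kind = classify_archive(data)
    if kind == "polyglot":
        raise ValueError("archive parses as both tar and ZIP; refusing ambiguous input")
    if kind != declared:
        raise ValueError(f"expected {declared}, got {kind}")
    return tar_names(data) if declared == "tar" else zip_names(data)


if __name__ == "__main__":
    # Constructed sample: the two views of the same file disagree about setup.py.
    sample = make_tar_zip_polyglot(
        {"pkg/setup.py": b"print('tar view')\n"},
        {"pkg/setup.py": b"print('zip view')\n"},
    )
    print(classify_archive(sample))
    print("tar parser sees:", tar_names(sample))
    print("zip parser sees:", zip_names(sample))
```

Run as a script it prints `polyglot` followed by the two member listings; the point of `open_archive_strictly` is that the decision is made on what the bytes actually parse as, never on the declared filename or extension.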