CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
Total: 10692 | Critical: 727 | High: 3080 | Medium: 3407
| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-40317 | CRITICAL | 9.3 | NovumOS is a custom 32-bit operating system written in Zig and x86 Assembly. In versions prior to 0.24, Syscall 12 (JumpToUser) accepts an arbitrary entry … | Apr 18, 2026 |
| CVE-2026-35465 | HIGH | 7.5 | SecureDrop Client is a desktop app for journalists to securely communicate with sources and handle submissions on the SecureDrop Workstation. In versions 0.17.4 and below, … | Apr 18, 2026 |
| CVE-2026-40593 | MEDIUM | 4.8 | ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the User Editor (UserEditor.php) renders stored usernames directly into an HTML input value … | Apr 18, 2026 |
| CVE-2026-40582 | UNKNOWN | — | ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the /api/public/user/login endpoint validates only the username and password before returning the user's … | Apr 18, 2026 |
| CVE-2026-40581 | HIGH | 8.1 | ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the family record deletion endpoint (SelectDelete.php) performs permanent, irreversible deletion of family records … | Apr 18, 2026 |
| CVE-2026-40485 | MEDIUM | 5.3 | ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the public API login endpoint (/api/public/user/login) returns distinguishable HTTP response codes based on … | Apr 18, 2026 |
| CVE-2026-40484 | CRITICAL | 9.1 | ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the database backup restore functionality extracts uploaded archive contents and copies files from … | Apr 18, 2026 |
| CVE-2026-40483 | MEDIUM | 5.4 | ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the Pledge Editor renders donation comment values directly into HTML input value attributes … | Apr 18, 2026 |
| CVE-2026-40482 | UNKNOWN | — | ChurchCRM is an open-source church management system. Versions prior to 7.2.0 have SQL injection in FinancialService::getMemberByScanString() via unsanitized $routeAndAccount concatenated into raw SQL. This issue … | Apr 18, 2026 |
| CVE-2026-40480 | UNKNOWN | — | ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the GET /api/person/{personId} endpoint loads and returns person records without performing object-level authorization … | Apr 18, 2026 |
| CVE-2026-40349 | HIGH | 8.8 | Movary is a self hosted web app to track and rate a user's watched movies. Prior to version 0.71.1, an ordinary authenticated user can escalate … | Apr 18, 2026 |
| CVE-2026-40348 | HIGH | 7.7 | Movary is a self hosted web app to track and rate a user's watched movies. Prior to version 0.71.1, an ordinary authenticated user can trigger … | Apr 18, 2026 |
| CVE-2026-40347 | MEDIUM | 5.3 | Python-Multipart is a streaming multipart parser for Python. Versions prior to 0.0.26 have a denial of service vulnerability when parsing crafted `multipart/form-data` requests with large … | Apr 18, 2026 |
| CVE-2026-40346 | UNKNOWN | — | NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to version 2.0.37, NocoBase's workflow HTTP request plugin and custom request … | Apr 18, 2026 |
| CVE-2026-40341 | LOW | 3.5 | libgphoto2 is a camera access and control library. In versions up to and including 2.5.33, an out of bound read in ptp_unpack_EOS_FocusInfoEx could be used … | Apr 18, 2026 |
| CVE-2026-40340 | MEDIUM | 6.1 | libgphoto2 is a camera access and control library. Versions up to and including 2.5.33 have an out-of-bounds read vulnerability in `ptp_unpack_OI()` in `camlibs/ptp2/ptp-pack.c` (lines 530–563). … | Apr 18, 2026 |
| CVE-2026-40339 | MEDIUM | 5.2 | libgphoto2 is a camera access and control library. Versions up to and including 2.5.33 have an out-of-bounds read in `ptp_unpack_Sony_DPD()` in `camlibs/ptp2/ptp-pack.c` (line 842). The … | Apr 18, 2026 |
| CVE-2026-40338 | MEDIUM | 5.2 | libgphoto2 is a camera access and control library. Versions up to and including 2.5.33 have an out-of-bounds read in the PTP_DPFF_Enumeration case of `ptp_unpack_Sony_DPD()` in … | Apr 18, 2026 |
| CVE-2026-40337 | MEDIUM | 5.1 | The Sentry kernel is a high security level micro-kernel implementation made for high security embedded systems. A given task with one of the DEV or … | Apr 18, 2026 |
| CVE-2026-40336 | LOW | 2.4 | libgphoto2 is a camera access and control library. Versions up to and including 2.5.33 have a memory leak in `ptp_unpack_Sony_DPD()` in `camlibs/ptp2/ptp-pack.c` (lines 884–885). When … | Apr 18, 2026 |
| CVE-2026-40335 | MEDIUM | 5.2 | libgphoto2 is a camera access and control library. Versions up to and including 2.5.33 have an out-of-bounds read in `ptp_unpack_DPV()` in `camlibs/ptp2/ptp-pack.c` (lines 622–629). The … | Apr 18, 2026 |
| CVE-2026-40334 | LOW | 3.5 | libgphoto2 is a camera access and control library. In versions up to and including 2.5.33, a missing null terminator exists in ptp_unpack_Canon_FE() in camlibs/ptp2/ptp-pack.c (line … | Apr 18, 2026 |
| CVE-2026-40333 | MEDIUM | 6.1 | libgphoto2 is a camera access and control library. In versions up to and including 2.5.33, two functions in camlibs/ptp2/ptp-pack.c accept a data pointer but no … | Apr 18, 2026 |
| CVE-2026-40324 | CRITICAL | 9.1 | Hot Chocolate is an open-source GraphQL server. Prior to versions 12.22.7, 13.9.16, 14.3.1, and 15.1.14, Hot Chocolate's recursive descent parser `Utf8GraphQLParser` has no recursion depth … | Apr 18, 2026 |
| CVE-2026-40323 | UNKNOWN | — | SP1 is a zero‑knowledge virtual machine that proves the correct execution of programs compiled for the RISC-V architecture. In versions 6.0.0 through 6.0.2, a soundness … | Apr 18, 2026 |