CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
10692 total entries: 727 critical, 3080 high, 3407 medium.
| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-40293 | MEDIUM | 6.5 | OpenFGA is an authorization/permission engine built for developers. In versions 0.1.4 through 1.13.1, when OpenFGA is configured to use preshared-key authentication with the built-in playground … | Apr 17, 2026 |
| CVE-2026-40286 | HIGH | 7.5 | WeGIA is a web manager for charitable institutions. In versions prior to 3.6.10, a Stored Cross-Site Scripting (XSS) vulnerability was identified in the 'Member Registration' … | Apr 17, 2026 |
| CVE-2026-40285 | HIGH | 8.8 | WeGIA is a web manager for charitable institutions. Versions prior to 3.6.10 contain a SQL injection vulnerability in dao/memorando/UsuarioDAO.php. The cpf_usuario POST parameter overwrites the … | Apr 17, 2026 |
| CVE-2026-40284 | MEDIUM | 6.8 | WeGIA is a web manager for charitable institutions. In versions prior to 3.6.10, a Stored Cross-Site Scripting (XSS) vulnerability allows an authenticated user to inject … | Apr 17, 2026 |
| CVE-2026-40282 | UNKNOWN | — | WeGIA is a web manager for charitable institutions. In versions prior to 3.6.10, a Stored Cross-Site Scripting (XSS) vulnerability allows an authenticated user to inject … | Apr 17, 2026 |
| CVE-2026-40196 | HIGH | 8.1 | HomeBox is a home inventory and organization system. Versions prior to 0.25.0 contain a vulnerability where the defaultGroup ID remained permanently assigned to a user … | Apr 17, 2026 |
| CVE-2026-40155 | MEDIUM | 5.4 | The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. In versions 4.12.0 through 4.17.1, simultaneous requests that trigger a nonce … | Apr 17, 2026 |
| CVE-2026-35603 | UNKNOWN | — | Claude Code is an agentic coding tool. In versions prior to 2.1.75 on Windows, Claude Code loaded the system-wide default configuration from C:\ProgramData\ClaudeCode\managed-settings.json without validating … | Apr 17, 2026 |
| CVE-2026-35512 | UNKNOWN | — | xrdp is an open source RDP server. Versions through 0.10.5 have a heap-based buffer overflow in the EGFX (graphics dynamic virtual channel) implementation due to … | Apr 17, 2026 |
| CVE-2026-35402 | UNKNOWN | — | mcp-neo4j-cypher is an MCP server for executing Cypher queries against Neo4j databases. In versions prior to 0.6.0, the read_only mode enforcement can be bypassed using … | Apr 17, 2026 |
| CVE-2026-33689 | UNKNOWN | — | xrdp is an open source RDP server. Versions through 0.10.5 have an out-of-bounds read vulnerability in the pre-authentication RDP message parsing logic. A remote, unauthenticated … | Apr 17, 2026 |
| CVE-2026-33436 | LOW | 3.1 | Stirling-PDF is a locally hosted web application that facilitates various operations on PDF files. In versions prior to 2.0.0, file upload endpoints render user-supplied filenames … | Apr 17, 2026 |
| CVE-2026-33145 | MEDIUM | 6.3 | xrdp is an open source RDP server. Versions through 0.10.5 allow an authenticated remote user to execute arbitrary commands on the server due to unsafe … | Apr 17, 2026 |
| CVE-2026-23500 | UNKNOWN | — | Dolibarr is an enterprise resource planning (ERP) and customer relationship management (CRM) software package. In versions prior to 23.0.0, the ODT to PDF conversion … | Apr 17, 2026 |
| CVE-2026-40461 | HIGH | 7.5 | Anviz CX2 Lite and CX7 are vulnerable to unauthenticated POST requests that modify debug settings (e.g., enabling SSH), allowing unauthorized state changes that can facilitate … | Apr 17, 2026 |
| CVE-2026-40434 | HIGH | 8.1 | Anviz CrossChex Standard lacks source verification in the client/server channel, enabling TCP packet injection by an attacker on the same network to alter or disrupt … | Apr 17, 2026 |
| CVE-2026-40342 | CRITICAL | 9.9 | Firebird is an open-source relational database management system. In versions prior to 5.0.4, 4.0.7 and 3.0.14, the external engine plugin loader concatenates a user-supplied engine … | Apr 17, 2026 |
| CVE-2026-40283 | MEDIUM | 6.8 | WeGIA is a web manager for charitable institutions. In versions prior to 3.6.10, a Stored Cross-Site Scripting (XSS) vulnerability allows an authenticated user to inject … | Apr 17, 2026 |
| CVE-2026-40066 | HIGH | 8.8 | Anviz CX2 Lite and CX7 are vulnerable to unverified update packages that can be uploaded. The device unpacks and executes a script resulting in unauthenticated … | Apr 17, 2026 |
| CVE-2026-35682 | HIGH | 8.8 | Anviz CX2 Lite is vulnerable to an authenticated command injection via a filename parameter that enables arbitrary command execution (e.g., starting telnetd), resulting in root-level … | Apr 17, 2026 |
| CVE-2026-35546 | CRITICAL | 9.8 | Anviz CX2 Lite and CX7 are vulnerable to unauthenticated firmware uploads. This causes crafted archives to be accepted, enabling attackers to plant and execute code … | Apr 17, 2026 |
| CVE-2026-35215 | HIGH | 7.5 | Firebird is an open-source relational database management system. In versions prior to 5.0.4, 4.0.7 and 3.0.14, the sdl_desc() function does not validate the length of … | Apr 17, 2026 |
| CVE-2026-35061 | MEDIUM | 5.3 | Anviz CX7 firmware allows the most recently captured test photo to be retrieved without authentication, revealing sensitive operational imagery. | Apr 17, 2026 |
| CVE-2026-34232 | HIGH | 7.5 | Firebird is an open-source relational database management system. In versions prior to 5.0.4, 4.0.7 and 3.0.14, the xdr_status_vector() function does not handle the isc_arg_cstring type … | Apr 17, 2026 |
| CVE-2026-33569 | MEDIUM | 6.5 | Anviz CX2 Lite and CX7 administrative sessions occur over HTTP, enabling on-path attackers to sniff credentials and session data, which can be used to compromise … | Apr 17, 2026 |