CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
Total: 10692 | Critical: 727 | High: 3080 | Medium: 3407
| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-40262 | HIGH | 8.7 | Note Mark is an open-source note-taking application. In versions 0.19.1 and prior, the asset delivery handler serves uploaded files inline and relies on magic-byte detection … | Apr 17, 2026 |
| CVE-2026-40260 | UNKNOWN | — | pypdf is a free and open-source pure-python PDF library. In versions prior to 6.10.0, manipulated XMP metadata entity declarations can exhaust RAM. An attacker who … | Apr 17, 2026 |
| CVE-2026-22734 | HIGH | 8.6 | Cloud Foundry UAA is vulnerable to a bypass that allows an attacker to obtain a token for any user and gain access to UAA-protected systems. … | Apr 17, 2026 |
| CVE-2026-40322 | CRITICAL | 9.0 | SiYuan is an open-source personal knowledge management system. In versions 3.6.3 and below, Mermaid diagrams are rendered with securityLevel set to "loose", and the resulting … | Apr 16, 2026 |
| CVE-2026-40318 | HIGH | 8.5 | SiYuan is an open-source personal knowledge management system. In versions 3.6.3 and prior, the /api/av/removeUnusedAttributeView endpoint constructs a filesystem path using the user-controlled id parameter … | Apr 16, 2026 |
| CVE-2026-40259 | HIGH | 8.1 | SiYuan is an open-source personal knowledge management system. In versions 3.6.3 and below, the /api/av/removeUnusedAttributeView endpoint is protected only by generic authentication that accepts publish-service … | Apr 16, 2026 |
| CVE-2026-40255 | MEDIUM | 6.1 | AdonisJS HTTP Server is a package for handling HTTP requests in the AdonisJS framework. In @adonisjs/http-server versions prior to 7.8.1 and 8.0.0-next.0 through 8.1.3, and … | Apr 16, 2026 |
| CVE-2026-40253 | MEDIUM | 6.8 | openCryptoki is a PKCS#11 library and provides tooling for Linux and AIX. In versions 3.26.0 and below, the BER/DER decoding functions in the shared common … | Apr 16, 2026 |
| CVE-2024-58343 | MEDIUM | 4.3 | Vision Helpdesk before 5.7.0 (patched in 5.6.10) allows attackers to read user profiles via modified serialized cookie data to vis_client_id. | Apr 16, 2026 |
| CVE-2026-41113 | HIGH | 8.1 | sagredo qmail before 2026.04.07 allows tls_quit remote code execution because of popen in notlshosts_auto in qmail-remote.c. | Apr 16, 2026 |
| CVE-2026-40308 | UNKNOWN | — | My Calendar is a WordPress plugin for managing calendar events. In versions 3.7.6 and below, the mc_ajax_mcjs_action AJAX endpoint, registered for unauthenticated users, passes user-supplied … | Apr 16, 2026 |
| CVE-2026-40249 | UNKNOWN | — | free5GC is an open-source implementation of the 5G core network. In versions 4.2.1 and below of the UDR service, the PUT handler for updating Policy … | Apr 16, 2026 |
| CVE-2026-40248 | UNKNOWN | — | free5GC is an open-source implementation of the 5G core network. In versions 4.2.1 and below of the UDR service, the handler for creating or updating … | Apr 16, 2026 |
| CVE-2026-40247 | UNKNOWN | — | free5GC is an open-source implementation of the 5G core network. In versions 4.2.1 and below of the UDR service, the handler for reading Traffic Influence … | Apr 16, 2026 |
| CVE-2026-40246 | UNKNOWN | — | free5GC is an open-source implementation of the 5G core network. In versions 1.4.2 and below of the UDR service, the handler for deleting Traffic Influence … | Apr 16, 2026 |
| CVE-2026-40170 | HIGH | 7.5 | ngtcp2 is a C implementation of the IETF QUIC protocol. In versions prior to 1.22.1, ngtcp2_qlog_parameters_set_transport_params() serializes peer transport parameters into a fixed 1024-byte stack … | Apr 16, 2026 |
| CVE-2026-39313 | UNKNOWN | — | mcp-framework is a framework for building Model Context Protocol (MCP) servers. In versions 0.2.21 and below, the readRequestBody() function in the HTTP transport concatenates request … | Apr 16, 2026 |
| CVE-2026-35469 | UNKNOWN | — | spdystream is a Go library for multiplexing streams over SPDY connections. In versions 0.5.0 and below, the SPDY/3 frame parser does not validate attacker-controlled counts … | Apr 16, 2026 |
| CVE-2026-34164 | MEDIUM | 4.9 | Valtimo is an open-source business process automation platform. In versions 13.0.0 through 13.21.0, the InboxHandlingService logs the full content of every incoming inbox message at … | Apr 16, 2026 |
| CVE-2026-33472 | MEDIUM | 4.8 | Cryptomator is an open-source client-side encryption application for cloud storage. Version 1.19.1 contains a logic flaw in CheckHostTrustController.getAuthority() that allows an attacker to bypass the … | Apr 16, 2026 |
| CVE-2026-40901 | UNKNOWN | — | DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below ship the legacy velocity-1.7.jar, which pulls in commons-collections-3.2.1.jar containing the InvokerTransformer deserialization … | Apr 16, 2026 |
| CVE-2026-40900 | UNKNOWN | — | DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below contain a SQL injection vulnerability in the /de2api/datasetData/previewSql endpoint. The user-supplied SQL … | Apr 16, 2026 |
| CVE-2026-40899 | UNKNOWN | — | DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below contain a JDBC parameter blocklist bypass vulnerability in the MySQL datasource configuration. … | Apr 16, 2026 |
| CVE-2026-33207 | UNKNOWN | — | DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below contain a SQL injection vulnerability in the /datasource/getTableField endpoint. The getTableFiledSql method … | Apr 16, 2026 |
| CVE-2026-33122 | UNKNOWN | — | DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below contain a SQL injection vulnerability in the API datasource update process. When … | Apr 16, 2026 |