Security
CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
| Total | Critical | High | Medium |
|---|---|---|---|
| 11037 | 752 | 3191 | 3530 |
| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-40190 | MEDIUM | 5.6 | LangSmith Client SDKs provide SDKs for interacting with the LangSmith platform. Prior to 0.5.18, the LangSmith JavaScript/TypeScript SDK (langsmith) contains an incomplete prototype pollution fix … | Apr 10, 2026 |
| CVE-2026-40189 | UNKNOWN | — | goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.4, goshs enforces the documented per-folder .goshs ACL/basic-auth mechanism for directory listings and file reads, but … | Apr 10, 2026 |
| CVE-2026-40188 | HIGH | 7.7 | goshs is a SimpleHTTPServer written in Go. From 1.0.7 to before 2.0.0-beta.4, the SFTP command rename sanitizes only the source path and not the destination, … | Apr 10, 2026 |
| CVE-2026-40185 | HIGH | 7.1 | TREK is a collaborative travel planner. Prior to 2.7.2, TREK was missing authorization checks on the Immich trip photo management routes. This vulnerability is fixed … | Apr 10, 2026 |
| CVE-2026-40184 | LOW | 3.7 | TREK is a collaborative travel planner. Prior to 2.7.2, TREK served uploaded photos without requiring authentication. This vulnerability is fixed in 2.7.2. | Apr 10, 2026 |
| CVE-2026-40180 | UNKNOWN | — | Quarkus OpenAPI Generator is a Quarkus extension for generating REST clients and server stubs. Prior to 2.16.0 and 2.15.0-lts, the unzip() method in ApicurioCodegenWrapper.java … | Apr 10, 2026 |
| CVE-2026-40178 | UNKNOWN | — | ajenti.plugin.core defines all necessary core elements to allow Ajenti to run properly. Prior to 0.112, if the 2FA was activated, it was possible during a … | Apr 10, 2026 |
| CVE-2026-40177 | UNKNOWN | — | ajenti.plugin.core defines all necessary core elements to allow Ajenti to run properly. Prior to 0.112, if the 2FA was activated, it was possible to bypass … | Apr 10, 2026 |
| CVE-2026-40175 | CRITICAL | 10.0 | Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.0, the Axios library is vulnerable to a specific "Gadget" attack … | Apr 10, 2026 |
| CVE-2026-40168 | HIGH | 8.2 | Postiz is an AI social media scheduling tool. Prior to 2.21.5, the /api/public/stream endpoint is vulnerable to SSRF. Although the application validates the initially supplied … | Apr 10, 2026 |
| CVE-2026-39922 | UNKNOWN | — | GeoNode versions 4.0 before 4.4.5 and 5.0 before 5.0.2 contain a server-side request forgery vulnerability in the service registration endpoint that allows authenticated attackers to … | Apr 10, 2026 |
| CVE-2026-39921 | UNKNOWN | — | GeoNode versions 4.0 before 4.4.5 and 5.0 before 5.0.2 contain a server-side request forgery vulnerability that allows authenticated users with document upload permissions to trigger … | Apr 10, 2026 |
| CVE-2026-32252 | HIGH | 7.7 | Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to 4.9.0, a … | Apr 10, 2026 |
| CVE-2026-30232 | UNKNOWN | — | Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to 4.8.5, Chartbrew … | Apr 10, 2026 |
| CVE-2026-3446 | UNKNOWN | — | When calling base64.b64decode() or related functions, the decoding process would stop after encountering the first padded quad, regardless of whether there was more information to … | Apr 10, 2026 |
| CVE-2026-33737 | MEDIUM | 5.3 | Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, multiple files use simplexml_load_string() without XXE protection. With LIBXML_NOENT flag, arbitrary server files … | Apr 10, 2026 |
| CVE-2026-33736 | MEDIUM | 6.5 | Chamilo LMS is a learning management system. Prior to 2.0.0-RC.3, any authenticated user (including ROLE_STUDENT) can enumerate all platform users and access personal information (email, … | Apr 10, 2026 |
| CVE-2026-33710 | HIGH | 7.5 | Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, REST API keys are generated using md5(time() + (user_id * 5) - rand(10000, … | Apr 10, 2026 |
| CVE-2026-33708 | MEDIUM | 6.5 | Chamilo LMS is a learning management system. Prior to 1.11.38, the get_user_info_from_username REST API endpoint returns personal information (email, first name, last name, user ID, … | Apr 10, 2026 |
| CVE-2026-33707 | CRITICAL | 9.4 | Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, the default password reset mechanism generates tokens using sha1($email) with no random component, … | Apr 10, 2026 |
| CVE-2026-33706 | HIGH | 7.1 | Chamilo LMS is a learning management system. Prior to 1.11.38, any authenticated user with a REST API key can modify their own status field via … | Apr 10, 2026 |
| CVE-2026-33705 | MEDIUM | 5.3 | Chamilo LMS is a learning management system. Prior to 1.11.38, Twig template files (.tpl) under /main/template/default/ are directly accessible without authentication via HTTP GET requests. … | Apr 10, 2026 |
| CVE-2026-33704 | HIGH | 7.1 | Chamilo LMS is a learning management system. Prior to 1.11.38, any authenticated user (including students) can write arbitrary content to files on the server via … | Apr 10, 2026 |
| CVE-2026-33703 | UNKNOWN | — | Chamilo LMS is a learning management system. Prior to 2.0.0-RC.3, an Insecure Direct Object Reference (IDOR) vulnerability in the /social-network/personal-data/{userId} endpoint allows any authenticated user … | Apr 10, 2026 |
| CVE-2026-33702 | HIGH | 7.1 | Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, Chamilo LMS contains an Insecure Direct Object Reference (IDOR) vulnerability in the Learning … | Apr 10, 2026 |