CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
11037 total: 752 critical, 3191 high, 3530 medium.
| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-40021 | UNKNOWN | — | Apache Log4net's [XmlLayout](https://logging.apache.org/log4net/manual/configuration/layouts.html#layout-list) and [XmlLayoutSchemaLog4J](https://logging.apache.org/log4net/manual/configuration/layouts.html#layout-list), in versions before 3.3.0, fail to sanitize characters forbidden by the [XML 1.0 specification](https://www.w3.org/TR/xml/#charsets) in MDC … | Apr 10, 2026 |
| CVE-2026-35594 | MEDIUM | 6.5 | Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, Vikunja's link share authentication (GetLinkShareFromClaims in pkg/models/link_sharing.go) constructs authorization objects entirely from JWT claims … | Apr 10, 2026 |
| CVE-2026-34727 | HIGH | 7.4 | Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the OIDC callback handler issues a full JWT token without checking whether the matched … | Apr 10, 2026 |
| CVE-2026-34481 | UNKNOWN | — | Apache Log4j's [JsonTemplateLayout](https://logging.apache.org/log4j/2.x/manual/json-template-layout.html), in versions up to and including 2.25.3, produces invalid JSON output when log events contain non-finite floating-point values (NaN, Infinity, … | Apr 10, 2026 |
| CVE-2026-34480 | UNKNOWN | — | Apache Log4j Core's [XmlLayout](https://logging.apache.org/log4j/2.x/manual/layouts.html#XmlLayout), in versions up to and including 2.25.3, fails to sanitize characters forbidden by the [XML 1.0 specification](https://www.w3.org/TR/xml/#charsets) producing … | Apr 10, 2026 |
| CVE-2026-34479 | UNKNOWN | — | The Log4j1XmlLayout from the Apache Log4j 1-to-Log4j 2 bridge fails to escape characters forbidden by the XML 1.0 standard, producing malformed XML output. Conforming XML … | Apr 10, 2026 |
| CVE-2026-34478 | UNKNOWN | — | Apache Log4j Core's [Rfc5424Layout](https://logging.apache.org/log4j/2.x/manual/layouts.html#RFC5424Layout), in versions 2.21.0 through 2.25.3, is vulnerable to log injection via CRLF sequences due to undocumented renames of security-relevant … | Apr 10, 2026 |
| CVE-2026-34477 | UNKNOWN | — | The fix for [CVE-2025-68161](https://logging.apache.org/security.html#CVE-2025-68161) was incomplete: it addressed hostname verification only when enabled via the [log4j2.sslVerifyHostName](https://logging.apache.org/log4j/2.x/manual/systemproperties.html#log4j2.sslVerifyHostName) system property, but not when configured through … | Apr 10, 2026 |
| CVE-2026-29043 | MEDIUM | 5.5 | HDF5 is software for managing data. In 1.14.1-2 and earlier, an attacker who can control an h5 file parsed by HDF5 can trigger a write-based … | Apr 10, 2026 |
| CVE-2026-29002 | HIGH | 7.2 | CouchCMS contains a privilege escalation vulnerability that allows authenticated Admin-level users to create SuperAdmin accounts by tampering with the f_k_levels_list parameter in user creation requests. … | Apr 10, 2026 |
| CVE-2026-23781 | UNKNOWN | — | An issue was discovered in BMC Control-M/MFT 9.0.20 through 9.0.22. A set of default debug user credentials is hardcoded in cleartext within the application package. … | Apr 10, 2026 |
| CVE-2026-36236 | UNKNOWN | — | SourceCodester Engineers Online Portal v1.0 is vulnerable to SQL Injection in update_password.php via the new_password parameter. | Apr 10, 2026 |
| CVE-2026-36235 | UNKNOWN | — | A SQL injection vulnerability was found in the scheduleSubList.php file of itsourcecode Online Student Enrollment System v1.0. The reason for this issue is that the … | Apr 10, 2026 |
| CVE-2026-36234 | UNKNOWN | — | itsourcecode Online Student Enrollment System v1.0 is vulnerable to SQL Injection in newCourse.php via the 'coursename' parameter. | Apr 10, 2026 |
| CVE-2026-36233 | UNKNOWN | — | A SQL injection vulnerability was found in the assignInstructorSubjects.php file of itsourcecode Online Student Enrollment System v1.0. The reason for this issue is that attackers … | Apr 10, 2026 |
| CVE-2026-36232 | UNKNOWN | — | A SQL injection vulnerability was found in the instructorClasses.php file of itsourcecode Online Student Enrollment System v1.0. The reason for this issue is that the … | Apr 10, 2026 |
| CVE-2026-31262 | UNKNOWN | — | Cross Site Scripting vulnerability in Altenar Sportsbook Software Platform (SB2) v.2.0 allows a remote attacker to obtain sensitive information and execute arbitrary code via the … | Apr 10, 2026 |
| CVE-2026-29861 | UNKNOWN | — | PHP-MYSQL-User-Login-System v1.0 was discovered to contain a SQL injection vulnerability via the username parameter at login.php. | Apr 10, 2026 |
| CVE-2026-23782 | UNKNOWN | — | An issue was discovered in BMC Control-M/MFT 9.0.20 through 9.0.22. An API management endpoint allows unauthenticated users to obtain both an API identifier and its … | Apr 10, 2026 |
| CVE-2026-23780 | UNKNOWN | — | An issue was discovered in BMC Control-M/MFT 9.0.20 through 9.0.22. A SQL injection vulnerability in the MFT API's debug interface allows an authenticated attacker to … | Apr 10, 2026 |
| CVE-2025-44560 | UNKNOWN | — | owntone-server 2ca10d9 is vulnerable to Buffer Overflow due to lack of recursive checking. | Apr 10, 2026 |
| CVE-2026-6069 | HIGH | 7.5 | NASM's disasm() function contains a stack-based buffer overflow when formatting disassembly output, allowing an attacker-triggered out-of-bounds write when `slen` exceeds the buffer capacity. | Apr 10, 2026 |
| CVE-2026-6068 | MEDIUM | 6.5 | NASM contains a heap use after free vulnerability in response file (-@) processing where a dangling pointer to freed memory is stored in the global … | Apr 10, 2026 |
| CVE-2026-6067 | HIGH | 7.5 | A heap buffer overflow vulnerability exists in the Netwide Assembler (NASM) due to a lack of bounds checking in the obj_directive() function. This vulnerability can … | Apr 10, 2026 |
| CVE-2026-40217 | HIGH | 8.8 | LiteLLM through 2026-04-08 allows remote attackers to execute arbitrary code via bytecode rewriting at the /guardrails/test_custom_code URI. | Apr 10, 2026 |