Security
CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
11202
Total
755
Critical
3234
High
3640
Medium
| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2023-54358 | MEDIUM | 6.1 | WordPress adivaha Travel Plugin 2.3 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating the isMobile parameter. Attackers … | Apr 09, 2026 |
| CVE-2026-5976 | CRITICAL | 9.8 | A security flaw has been discovered in Totolink A7100RU 7.4cu.2313_b20191024. This affects the function setStorageCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Performing … | Apr 09, 2026 |
| CVE-2026-5975 | CRITICAL | 9.8 | A vulnerability was identified in Totolink A7100RU 7.4cu.2313_b20191024. The impacted element is the function setDmzCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Such … | Apr 09, 2026 |
| CVE-2026-5974 | HIGH | 7.3 | A vulnerability was determined in FoundationAgents MetaGPT up to 0.8.1. The affected element is the function Bash.run in the library metagpt/tools/libs/terminal.py. This manipulation causes os … | Apr 09, 2026 |
| CVE-2026-5973 | HIGH | 7.3 | A vulnerability was found in FoundationAgents MetaGPT up to 0.8.1. Impacted is the function get_mime_type of the file metagpt/utils/common.py. The manipulation results in os command … | Apr 09, 2026 |
| CVE-2026-5972 | HIGH | 7.3 | A vulnerability has been found in FoundationAgents MetaGPT up to 0.8.1. This issue affects the function Terminal.run_command in the library metagpt/tools/libs/terminal.py. The manipulation leads to … | Apr 09, 2026 |
| CVE-2026-5194 | UNKNOWN | — | Missing hash/digest size and OID checks allow digests smaller than allowed when verifying ECDSA certificates, or smaller than is appropriate for the relevant key type, … | Apr 09, 2026 |
| CVE-2026-5187 | UNKNOWN | — | Two potential heap out-of-bounds write locations existed in DecodeObjectId() in wolfcrypt/src/asn.c. First, a bounds check only validates one available slot before writing two OID arc … | Apr 09, 2026 |
| CVE-2026-4436 | HIGH | 8.6 | A low-privileged remote attacker can send Modbus packets to manipulate register values that are inputs to the odorant injection logic such that too much or … | Apr 09, 2026 |
| CVE-2026-40089 | CRITICAL | 9.9 | Sonicverse is a Self-hosted Docker Compose stack for live radio streaming. The Sonicverse Radio Audio Streaming Stack dashboard contains a Server-Side Request Forgery (SSRF) vulnerability … | Apr 09, 2026 |
| CVE-2026-40088 | CRITICAL | 9.6 | PraisonAI is a multi-agent teams system. Prior to 4.5.121, the execute_command function and workflow shell execution are exposed to user-controlled input via agent workflows, YAML … | Apr 09, 2026 |
| CVE-2026-40087 | MEDIUM | 5.3 | LangChain is a framework for building agents and LLM-powered applications. Prior to 0.3.84 and 1.2.28, LangChain's f-string prompt-template validation was incomplete in two respects. First, … | Apr 09, 2026 |
| CVE-2026-40077 | LOW | 3.5 | Beszel is a server monitoring platform. Prior to 0.18.7, some API endpoints in the Beszel hub accept a user-supplied system ID and proceed without further … | Apr 09, 2026 |
| CVE-2026-39977 | UNKNOWN | — | flatpak-builder is a tool to build flatpaks from source. From 1.4.5 to before 1.4.8, the license-files manifest key takes an array of paths to user … | Apr 09, 2026 |
| CVE-2026-35577 | MEDIUM | 6.8 | Apollo MCP Server is a Model Context Protocol server that exposes GraphQL operations as MCP tools. Prior to version 1.7.0, the Apollo MCP Server did … | Apr 09, 2026 |
| CVE-2026-35063 | UNKNOWN | — | OpenPLC_V3 REST API endpoint checks for JWT presence but never verifies the caller's role. Any authenticated user with role=user can delete any other user, including … | Apr 09, 2026 |
| CVE-2026-34734 | HIGH | 7.8 | HDF5 is software for managing data. In 1.14.1-2 and earlier, a heap-use-after-free was found in the h5dump helper utility. An attacker who can supply a … | Apr 09, 2026 |
| CVE-2026-34500 | MEDIUM | 6.5 | CLIENT_CERT authentication does not fail as expected for some scenarios when soft fail is disabled and FFM is used in Apache Tomcat. This issue affects … | Apr 09, 2026 |
| CVE-2026-34487 | UNKNOWN | — | Insertion of Sensitive Information into Log File vulnerability in the cloud membership for clustering component of Apache Tomcat exposed the Kubernetes bearer token. This issue … | Apr 09, 2026 |
| CVE-2026-34486 | UNKNOWN | — | Missing Encryption of Sensitive Data vulnerability in Apache Tomcat due to the fix for CVE-2026-29146 allowing the bypass of the EncryptInterceptor. This issue affects Apache … | Apr 09, 2026 |
| CVE-2026-34483 | UNKNOWN | — | Improper Encoding or Escaping of Output vulnerability in the JsonAccessLogValve component of Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.20, from 10.1.0-M1 … | Apr 09, 2026 |
| CVE-2026-32990 | UNKNOWN | — | Improper Input Validation vulnerability in Apache Tomcat due to an incomplete fix of CVE-2025-66614. This issue affects Apache Tomcat: from 11.0.15 through 11.0.19, from 10.1.50 … | Apr 09, 2026 |
| CVE-2026-29923 | UNKNOWN | — | The pstrip64.sys driver in EnTech Taiwan PowerStrip <=3.90.736 allows local users to escalate privileges to SYSTEM via a crafted IOCTL request enabling unprivileged users to … | Apr 09, 2026 |
| CVE-2026-29146 | UNKNOWN | — | Padding Oracle vulnerability in Apache Tomcat's EncryptInterceptor with default configuration. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.0.0-M1 through 10.1.52, from 9.0.13 … | Apr 09, 2026 |
| CVE-2026-29145 | UNKNOWN | — | CLIENT_CERT authentication does not fail as expected for some scenarios when soft fail is disabled vulnerability in Apache Tomcat, Apache Tomcat Native. This issue affects … | Apr 09, 2026 |