CVE Feed

Latest vulnerabilities from the National Vulnerability Database.

Total: 11346
Critical: 769
High: 3260
Medium: 3665
| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-40035 | CRITICAL | 9.1 | Unfurl through 2025.08 contains an improper input validation vulnerability in config parsing that enables Flask debug mode by default. The debug configuration value is read … | Apr 08, 2026 |
| CVE-2026-40032 | HIGH | 7.8 | UAC (Unix-like Artifacts Collector) before 3.3.0-rc1 contains a command injection vulnerability in the placeholder substitution and command execution pipeline where the _run_command() function passes constructed … | Apr 08, 2026 |
| CVE-2026-40031 | HIGH | 7.8 | MemProcFS before 5.17 contains multiple unsafe library-loading patterns that enable DLL and shared-library hijacking across six attack surfaces, including bare-name LoadLibraryU and dlopen calls without … | Apr 08, 2026 |
| CVE-2026-40030 | HIGH | 7.8 | parseusbs before 1.9 contains an OS command injection vulnerability where the volume listing path argument (-v flag) is passed unsanitized into an os.popen() shell command … | Apr 08, 2026 |
| CVE-2026-40029 | HIGH | 7.8 | parseusbs before 1.9 contains an OS command injection vulnerability in parseUSBs.py where LNK file paths are passed unsanitized into an os.popen() shell command, allowing arbitrary … | Apr 08, 2026 |
| CVE-2026-40028 | MEDIUM | 5.4 | Hayabusa versions prior to 3.8.0 contain a cross-site scripting (XSS) vulnerability in its HTML report output that allows an attacker to execute arbitrary JavaScript when … | Apr 08, 2026 |
| CVE-2026-40027 | HIGH | 7.3 | ALEAPP (Android Logs Events And Protobuf Parser) through 3.4.0 contains a path traversal vulnerability in the NQ_Vault.py artifact parser that uses attacker-controlled file_name_from values from … | Apr 08, 2026 |
| CVE-2026-40026 | MEDIUM | 4.4 | The Sleuth Kit through 4.14.0 contains an out-of-bounds read vulnerability in the ISO9660 filesystem parser where the parse_susp() function trusts len_id, len_des, and len_src fields … | Apr 08, 2026 |
| CVE-2026-40025 | MEDIUM | 4.4 | The Sleuth Kit through 4.14.0 contains an out-of-bounds read vulnerability in the APFS filesystem keybag parser where the wrapped_key_parser class follows attacker-controlled length fields without … | Apr 08, 2026 |
| CVE-2026-40024 | HIGH | 7.1 | The Sleuth Kit through 4.14.0 contains a path traversal vulnerability in tsk_recover that allows an attacker to write files to arbitrary locations outside the intended … | Apr 08, 2026 |
| CVE-2026-39901 | MEDIUM | 5.7 | monetr is a budgeting application focused on planning for recurring expenses. Prior to 1.12.3, a transaction integrity flaw allows an authenticated tenant user to soft-delete … | Apr 08, 2026 |
| CVE-2026-5805 | HIGH | 7.3 | A weakness has been identified in code-projects Easy Blog Site up to 1.0. The impacted element is an unknown function of the file /users/contact_us.php. Executing … | Apr 08, 2026 |
| CVE-2026-5803 | MEDIUM | 6.3 | A security flaw has been discovered in bigsk1 openai-realtime-ui up to 188ccde27fdf3d8fab8da81f3893468f53b2797c. The affected element is an unknown function of the file server.js of the … | Apr 08, 2026 |
| CVE-2026-5451 | MEDIUM | 6.4 | The Extensions for Leaflet Map plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'elevation-track' shortcode in all versions up to, and including, … | Apr 08, 2026 |
| CVE-2026-5436 | HIGH | 8.1 | The MW WP Form plugin for WordPress is vulnerable to Arbitrary File Move/Read in all versions up to and including 5.1.1. This is due to … | Apr 08, 2026 |
| CVE-2026-39892 | UNKNOWN | | cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. From 45.0.0 to before 46.0.7, if a non-contiguous buffer was passed … | Apr 08, 2026 |
| CVE-2026-39891 | HIGH | 8.8 | PraisonAI is a multi-agent teams system. Prior to 4.5.115, the create_agent_centric_tools() function returns tools (like acp_create_file) that process file content using template rendering. When user … | Apr 08, 2026 |
| CVE-2026-39890 | CRITICAL | 9.8 | PraisonAI is a multi-agent teams system. Prior to 4.5.115, the AgentService.loadAgentFromFile method uses the js-yaml library to parse YAML files without disabling dangerous tags (such … | Apr 08, 2026 |
| CVE-2026-39889 | HIGH | 7.5 | PraisonAI is a multi-agent teams system. Prior to 4.5.115, the A2U (Agent-to-User) event stream server in PraisonAI exposes all agent activity without authentication. The create_a2u_routes() … | Apr 08, 2026 |
| CVE-2026-39888 | CRITICAL | 9.9 | PraisonAI is a multi-agent teams system. Prior to 1.5.115, execute_code() in praisonaiagents.tools.python_tools defaults to sandbox_mode="sandbox", which runs user code in a subprocess wrapped with a … | Apr 08, 2026 |
| CVE-2026-39885 | HIGH | 7.5 | FrontMCP is a TypeScript-first framework for the Model Context Protocol (MCP). Prior to 2.3.0, the mcp-from-openapi library uses @apidevtools/json-schema-ref-parser to dereference $ref pointers in OpenAPI … | Apr 08, 2026 |
| CVE-2026-39883 | UNKNOWN | | OpenTelemetry-Go is the Go implementation of OpenTelemetry. From 1.15.0 to 1.42.0, the fix for CVE-2026-24051 changed the Darwin ioreg command to use an absolute path … | Apr 08, 2026 |
| CVE-2026-39882 | MEDIUM | 5.3 | OpenTelemetry-Go is the Go implementation of OpenTelemetry. Prior to 1.43.0, the otlp HTTP exporters (traces/metrics/logs) read the full HTTP response body into an in-memory bytes.Buffer … | Apr 08, 2026 |
| CVE-2026-39881 | MEDIUM | 5.0 | Vim is an open source, command line text editor. Prior to 9.2.0316, a command injection vulnerability in Vim's netbeans interface allows a malicious netbeans server … | Apr 08, 2026 |
| CVE-2026-39860 | CRITICAL | 9.0 | Nix is a package manager for Linux and other Unix systems. A bug in the fix for CVE-2024-27297 allowed for arbitrary overwrites of files writable … | Apr 08, 2026 |