Security
CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
Totals: 11346 CVEs (769 Critical, 3260 High, 3665 Medium)
| CVE ID | Severity | CVSS Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-39844 | MEDIUM | 5.9 | NiceGUI is a Python-based UI framework. Prior to 3.10.0, since PurePosixPath only recognizes forward slashes (/) as path separators, an attacker can bypass this sanitization … | Apr 08, 2026 |
| CVE-2026-39429 | HIGH | 8.2 | kcp is a Kubernetes-like control plane for form-factors and use-cases beyond Kubernetes and container workloads. Prior to 0.30.3 and 0.29.3, the cache server is directly … | Apr 08, 2026 |
| CVE-2026-39416 | UNKNOWN | — | AIL framework is an open-source platform to collect, crawl, process and analyse unstructured data. Prior to 6.8, a stored cross-site scripting (XSS) vulnerability was identified … | Apr 08, 2026 |
| CVE-2026-39415 | UNKNOWN | — | Frappe Learning Management System (LMS) is a learning system that helps users structure their content. Prior to 2.46.0, a vulnerability has been identified in Frappe … | Apr 08, 2026 |
| CVE-2026-39414 | UNKNOWN | — | MinIO is a high-performance object storage system. From RELEASE.2018-08-18T03-49-57Z to before RELEASE.2025-12-20T04-58-37Z, MinIO's S3 Select feature is vulnerable to memory exhaustion when processing CSV files … | Apr 08, 2026 |
| CVE-2026-5802 | HIGH | 7.3 | A vulnerability was identified in idachev mcp-javadc up to 1.2.4. An unknown function of the HTTP Interface component is affected. Manipulation of the argument … | Apr 08, 2026 |
| CVE-2026-39880 | MEDIUM | 5.0 | Remnawave Backend is the backend for the Remnawave proxy and user management solution. Prior to 2.7.5, a glitch in the HWID device registration logic allows … | Apr 08, 2026 |
| CVE-2026-39864 | MEDIUM | 4.4 | Kamailio is an open source implementation of a SIP Signaling Server. Prior to 6.0.5 and 5.8.7, an out-of-bounds read in the auth module of Kamailio … | Apr 08, 2026 |
| CVE-2026-39863 | HIGH | 7.5 | Kamailio is an open source implementation of a SIP Signaling Server. Prior to 6.1.1, 6.0.6, and 5.8.8, an out-of-bounds access in the core of Kamailio … | Apr 08, 2026 |
| CVE-2026-39862 | UNKNOWN | — | Tophat is a mobile applications testing harness. Prior to 2.5.1, Tophat is affected by remote code execution via crafted tophat:// or http://localhost:29070 URLs. The arguments … | Apr 08, 2026 |
| CVE-2026-39859 | UNKNOWN | — | LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to 10.25.3, liquidjs 10.25.0 documents root as constraining filenames passed to … | Apr 08, 2026 |
| CVE-2026-39413 | MEDIUM | 4.2 | LightRAG provides simple and fast retrieval-augmented generation. Prior to 1.4.14, the LightRAG API is vulnerable to a JWT algorithm confusion attack where an attacker can … | Apr 08, 2026 |
| CVE-2026-39412 | MEDIUM | 5.3 | LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to 10.25.4, the sort_natural filter bypasses the ownPropertyOnly security option, allowing … | Apr 08, 2026 |
| CVE-2026-39411 | MEDIUM | 5.0 | LobeHub is a work-and-lifestyle space to find, build, and collaborate with agent teammates that grow with you. Prior to 2.1.48, the webapi authentication layer trusts … | Apr 08, 2026 |
| CVE-2026-39362 | UNKNOWN | — | InvenTree is an Open Source Inventory Management System. Prior to 1.2.7 and 1.3.0, when INVENTREE_DOWNLOAD_FROM_URL is enabled (opt-in), authenticated users can supply remote_image URLs that … | Apr 08, 2026 |
| CVE-2026-35525 | UNKNOWN | — | LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to 10.25.3, for {% include %}, {% render %}, and {% … | Apr 08, 2026 |
| CVE-2026-35479 | MEDIUM | 6.6 | InvenTree is an Open Source Inventory Management System. Prior to 1.2.7 and 1.3.0, any users who have staff access permissions can install plugins via the … | Apr 08, 2026 |
| CVE-2026-35478 | HIGH | 8.3 | InvenTree is an Open Source Inventory Management System. From 0.16.0 to before 1.2.7, any authenticated InvenTree user can create a valid API token attributed to … | Apr 08, 2026 |
| CVE-2026-35477 | MEDIUM | 5.5 | InvenTree is an Open Source Inventory Management System. From 1.2.3 to 1.2.6, the fix for CVE-2026-27629 upgraded the PART_NAME_FORMAT validator to use jinja2.sandbox.SandboxedEnvironment. However, the … | Apr 08, 2026 |
| CVE-2026-35476 | HIGH | 7.2 | InvenTree is an Open Source Inventory Management System. Prior to 1.2.7 and 1.3.0, a non-staff authenticated user can elevate their account to a staff level … | Apr 08, 2026 |
| CVE-2026-23869 | HIGH | 7.5 | A denial of service vulnerability exists in React Server Components, affecting the following packages: react-server-dom-parcel, react-server-dom-turbopack and react-server-dom-webpack (versions 19.0.0 through 19.0.4, 19.1.0 through 19.1.5, … | Apr 08, 2026 |
| CVE-2026-39851 | UNKNOWN | — | Saleor is an e-commerce platform. From 2.10.0 to before 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118, the requestEmailChange() mutation revealed the existence of user-provided email addresses … | Apr 08, 2026 |
| CVE-2026-35455 | HIGH | 7.3 | immich is a high performance self-hosted photo and video management solution. Prior to 2.7.0, stored Cross-Site Scripting (XSS) in the 360° panorama viewer allows any … | Apr 08, 2026 |
| CVE-2026-35446 | HIGH | 7.7 | LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data- and project-management for neuroimaging research. From 24.0.0 to before 27.0.3 … | Apr 08, 2026 |
| CVE-2026-35407 | UNKNOWN | — | Saleor is an e-commerce platform. From 2.10.0 to before 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118, a business-logic and authorization flaw was found in the account email … | Apr 08, 2026 |
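
The NiceGUI row (CVE-2026-39844) above comes down to a Python standard-library property that is worth seeing in code: `pathlib.PurePosixPath` splits only on `/`, so a traversal check over its `.parts` never sees the `..` segments of a backslash-separated path that a Windows filesystem will later honour, and it treats a drive-qualified path such as `C:\...` as a single relative segment. The block below is an added example written for this page, not NiceGUI's code; the advisory summary is truncated here, so the naive sanitizer, the constructed sample inputs and the hardened check are assumptions that illustrate the general pattern rather than the project's actual logic.

```python
from pathlib import PurePosixPath, PureWindowsPath

# Constructed sample inputs for illustration; none of them come from the advisory.
SAMPLE_PATHS = [
    "docs/readme.md",         # benign relative path
    "../secret.txt",          # POSIX-style traversal, caught by both checks
    "..\\..\\secret.txt",     # Windows-style traversal: one opaque segment to PurePosixPath
    "C:\\Windows\\win.ini",   # Windows drive path, "relative" as far as PurePosixPath can tell
    "/etc/passwd",            # POSIX absolute path
]


def naive_is_safe(user_path: str) -> bool:
    """Hypothetical sanitizer that trusts PurePosixPath to split the path into segments.

    PurePosixPath treats only '/' as a separator, so '..\\..\\secret.txt' is a single
    relative segment and the '..' check never fires.
    """
    p = PurePosixPath(user_path)
    return not p.is_absolute() and ".." not in p.parts


def windows_view(user_path: str) -> tuple:
    """How the same string is split once a Windows filesystem interprets it."""
    return PureWindowsPath(user_path).parts


def hardened_is_safe(user_path: str) -> bool:
    """Reject the path if either path flavour sees it as absolute, drive-qualified,
    rooted, or containing a '..' segment, independent of the host the code runs on."""
    if not user_path or "\x00" in user_path:
        return False
    for flavour in (PurePosixPath, PureWindowsPath):
        p = flavour(user_path)
        if p.is_absolute() or p.drive or p.root or ".." in p.parts:
            return False
    return True


if __name__ == "__main__":
    for s in SAMPLE_PATHS:
        print(f"{s!r:24} naive={naive_is_safe(s)!s:5} "
              f"hardened={hardened_is_safe(s)!s:5} windows_parts={windows_view(s)}")
```

Checking against both `PurePosixPath` and `PureWindowsPath` makes the filter independent of which operating system the web process happens to run on, which matters because the string is often validated on one component and opened by another. A stronger design, where the code has access to the filesystem, is to resolve the joined path with `Path(base, user_path).resolve()` and reject anything that does not remain inside the resolved base directory, which also handles symlinks that a pure string check cannot see.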