CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
- Total: 11537
- Critical: 770
- High: 3263
- Medium: 3665
| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-39862 | UNKNOWN | — | Tophat is a mobile applications testing harness. Prior to 2.5.1, Tophat is affected by remote code execution via crafted tophat:// or http://localhost:29070 URLs. The arguments … | Apr 08, 2026 |
| CVE-2026-39859 | UNKNOWN | — | LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to 10.25.3, liquidjs 10.25.0 documents root as constraining filenames passed to … | Apr 08, 2026 |
| CVE-2026-39413 | MEDIUM | 4.2 | LightRAG provides simple and fast retrieval-augmented generation. Prior to 1.4.14, the LightRAG API is vulnerable to a JWT algorithm confusion attack where an attacker can … | Apr 08, 2026 |
| CVE-2026-39412 | MEDIUM | 5.3 | LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to 10.25.4, the sort_natural filter bypasses the ownPropertyOnly security option, allowing … | Apr 08, 2026 |
| CVE-2026-39411 | MEDIUM | 5.0 | LobeHub is a work-and-lifestyle space to find, build, and collaborate with agent teammates that grow with you. Prior to 2.1.48, the webapi authentication layer trusts … | Apr 08, 2026 |
| CVE-2026-39362 | UNKNOWN | — | InvenTree is an Open Source Inventory Management System. Prior to 1.2.7 and 1.3.0, when INVENTREE_DOWNLOAD_FROM_URL is enabled (opt-in), authenticated users can supply remote_image URLs that … | Apr 08, 2026 |
| CVE-2026-35525 | UNKNOWN | — | LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to 10.25.3, for {% include %}, {% render %}, and {% … | Apr 08, 2026 |
| CVE-2026-35479 | MEDIUM | 6.6 | InvenTree is an Open Source Inventory Management System. Prior to 1.2.7 and 1.3.0, any users who have staff access permissions can install plugins via the … | Apr 08, 2026 |
| CVE-2026-35478 | HIGH | 8.3 | InvenTree is an Open Source Inventory Management System. From 0.16.0 to before 1.2.7, any authenticated InvenTree user can create a valid API token attributed to … | Apr 08, 2026 |
| CVE-2026-35477 | MEDIUM | 5.5 | InvenTree is an Open Source Inventory Management System. From 1.2.3 to 1.2.6, the fix for CVE-2026-27629 upgraded the PART_NAME_FORMAT validator to use jinja2.sandbox.SandboxedEnvironment. However, the … | Apr 08, 2026 |
| CVE-2026-35476 | HIGH | 7.2 | InvenTree is an Open Source Inventory Management System. Prior to 1.2.7 and 1.3.0, a non-staff authenticated user can elevate their account to a staff level … | Apr 08, 2026 |
| CVE-2026-23869 | HIGH | 7.5 | A denial of service vulnerability exists in React Server Components, affecting the following packages: react-server-dom-parcel, react-server-dom-turbopack and react-server-dom-webpack (versions 19.0.0 through 19.0.4, 19.1.0 through 19.1.5, … | Apr 08, 2026 |
| CVE-2026-39851 | UNKNOWN | — | Saleor is an e-commerce platform. From 2.10.0 to before 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118, the requestEmailChange() mutation was revealing the existence of user-provided email addresses … | Apr 08, 2026 |
| CVE-2026-35455 | HIGH | 7.3 | immich is a high performance self-hosted photo and video management solution. Prior to 2.7.0, Stored Cross-Site Scripting (XSS) in the 360° panorama viewer allows any … | Apr 08, 2026 |
| CVE-2026-35446 | HIGH | 7.7 | LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data- and project-management for neuroimaging research. From 24.0.0 to before 27.0.3 … | Apr 08, 2026 |
| CVE-2026-35407 | UNKNOWN | — | Saleor is an e-commerce platform. From 2.10.0 to before 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118, a business-logic and authorization flaw was found in the account email … | Apr 08, 2026 |
| CVE-2026-35403 | MEDIUM | 6.5 | LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data- and project-management for neuroimaging research. From 15.10 to before 27.0.3 … | Apr 08, 2026 |
| CVE-2026-35401 | HIGH | 7.5 | Saleor is an e-commerce platform. From 2.0.0 to before 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118, a malicious actor can include many GraphQL mutations or queries in … | Apr 08, 2026 |
| CVE-2026-35400 | LOW | 3.5 | LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data- and project-management for neuroimaging research. From 20.0.0 to before 27.0.3 … | Apr 08, 2026 |
| CVE-2026-35169 | HIGH | 8.7 | LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data- and project-management for neuroimaging research. From to before 27.0.3 and … | Apr 08, 2026 |
| CVE-2026-35165 | MEDIUM | 6.3 | LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data- and project-management for neuroimaging research. From 21.0.0 to before 27.0.3 … | Apr 08, 2026 |
| CVE-2026-34985 | MEDIUM | 6.3 | LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data- and project-management for neuroimaging research. From 16.1.0 to before 27.0.3 … | Apr 08, 2026 |
| CVE-2026-34837 | UNKNOWN | — | Zammad is a web based open source helpdesk/customer support system. Prior to 7.0.1, the REST endpoint POST /api/v1/ai_assistance/text_tools/:id contains an authorization failure. Context data (e.g., … | Apr 08, 2026 |
| CVE-2026-34782 | UNKNOWN | — | Zammad is a web based open source helpdesk/customer support system. Prior to 7.0.1 and 6.5.4, the REST endpoint POST /api/v1/ai_assistance/text_tools/:id was not checking if a … | Apr 08, 2026 |
| CVE-2026-34724 | UNKNOWN | — | Zammad is a web based open source helpdesk/customer support system. Prior to 7.0.1, a server-side template injection vulnerability which leads to RCE via AI Agent … | Apr 08, 2026 |