CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
Total: 11702 | Critical: 781 | High: 3315 | Medium: 3732
| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-35406 | MEDIUM | 6.2 | Aardvark-dns is an authoritative dns server for A/AAAA container records. From 1.16.0 to 1.17.0, a truncated TCP DNS query followed by a connection reset causes … | Apr 07, 2026 |
| CVE-2026-34781 | LOW | 2.8 | Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to 39.8.5, 40.8.5, 41.1.0, and 42.0.0-alpha.5, apps that call clipboard.readImage() … | Apr 07, 2026 |
| CVE-2026-34765 | MEDIUM | 6.0 | Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to 39.8.5, 40.8.5, 41.1.0, and 42.0.0-alpha.5, when a renderer calls … | Apr 07, 2026 |
| CVE-2026-34582 | UNKNOWN | — | Botan is a C++ cryptography library. Prior to version 3.11.1, the TLS 1.3 implementation allowed ApplicationData records to be processed prior to the Finished message … | Apr 07, 2026 |
| CVE-2026-34580 | UNKNOWN | — | Botan is a C++ cryptography library. In 3.11.0, the function Certificate_Store::certificate_known had a misleading name; it would return true if any certificate in the store … | Apr 07, 2026 |
| CVE-2026-34371 | MEDIUM | 6.3 | LibreChat is a ChatGPT clone with additional features. Prior to 0.8.4, LibreChat trusts the name field returned by the execute_code sandbox when persisting code-generated artifacts. … | Apr 07, 2026 |
| CVE-2026-34079 | UNKNOWN | — | Flatpak is a Linux application sandboxing and distribution framework. Prior to 1.16.4, the caching for ld.so removes outdated cache files without properly checking that the … | Apr 07, 2026 |
| CVE-2026-34078 | UNKNOWN | — | Flatpak is a Linux application sandboxing and distribution framework. Prior to 1.16.4, the Flatpak portal accepts paths in the sandbox-expose options which can be app-controlled … | Apr 07, 2026 |
| CVE-2026-31790 | HIGH | 7.5 | Issue summary: Applications using RSASVE key encapsulation to establish a secret encryption key can send contents of an uninitialized memory buffer to a malicious peer. … | Apr 07, 2026 |
| CVE-2026-31789 | UNKNOWN | — | Issue summary: Converting an excessively large OCTET STRING value to a hexadecimal string leads to a heap buffer overflow on 32 bit platforms. Impact summary: … | Apr 07, 2026 |
| CVE-2026-28390 | UNKNOWN | — | Issue summary: During processing of a crafted CMS EnvelopedData message with KeyTransportRecipientInfo a NULL pointer dereference can happen. Impact summary: Applications that process attacker-controlled CMS … | Apr 07, 2026 |
| CVE-2026-28389 | UNKNOWN | — | Issue summary: During processing of a crafted CMS EnvelopedData message with KeyAgreeRecipientInfo a NULL pointer dereference can happen. Impact summary: Applications that process attacker-controlled CMS … | Apr 07, 2026 |
| CVE-2026-28388 | UNKNOWN | — | Issue summary: When a delta CRL that contains a Delta CRL Indicator extension is processed a NULL pointer dereference might happen if the required CRL … | Apr 07, 2026 |
| CVE-2026-28387 | UNKNOWN | — | Issue summary: An uncommon configuration of clients performing DANE TLSA-based server authentication, when paired with uncommon server DANE TLSA records, may result in a use-after-free … | Apr 07, 2026 |
| CVE-2026-28386 | UNKNOWN | — | Issue summary: Applications using AES-CFB128 encryption or decryption on systems with AVX-512 and VAES support can trigger an out-of-bounds read of up to 15 bytes … | Apr 07, 2026 |
| CVE-2026-39401 | UNKNOWN | — | Cronicle is a multi-server task scheduler and runner, with a web based front-end UI. Prior to 0.9.111, jb child processes can include an update_event key … | Apr 07, 2026 |
| CVE-2026-39400 | UNKNOWN | — | Cronicle is a multi-server task scheduler and runner, with a web based front-end UI. Prior to 0.9.111, a non-admin user with create_events and run_events privileges … | Apr 07, 2026 |
| CVE-2026-39397 | CRITICAL | 9.4 | @delmaredigital/payload-puck is a PayloadCMS plugin for integrating Puck visual page builder. Prior to 0.6.23, all /api/puck/* CRUD endpoint handlers registered by createPuckPlugin() called Payload's local … | Apr 07, 2026 |
| CVE-2026-35533 | HIGH | 7.7 | mise manages dev tools like node, python, cmake, and terraform. From 2026.2.18 through 2026.4.5, mise loads trust-control settings from a local project .mise.toml before the … | Apr 07, 2026 |
| CVE-2026-34080 | UNKNOWN | — | xdg-dbus-proxy is a filtering proxy for D-Bus connections. Prior to 0.1.7, a policy parser vulnerability allows bypassing eavesdrop restrictions. The proxy checks for eavesdrop=true in … | Apr 07, 2026 |
| CVE-2026-34045 | HIGH | 8.2 | Podman Desktop is a graphical tool for developing on containers and Kubernetes. Prior to 1.26.2, an unauthenticated HTTP server exposed by Podman Desktop allows any … | Apr 07, 2026 |
| CVE-2026-33439 | UNKNOWN | — | Open Access Management (OpenAM) is an access management solution. Prior to 16.0.6, OpenIdentityPlatform OpenAM is vulnerable to pre-authentication Remote Code Execution (RCE) via unsafe Java … | Apr 07, 2026 |
| CVE-2026-32712 | MEDIUM | 5.4 | Open Source Point of Sale is a web based point-of-sale application written in PHP using CodeIgniter framework. Prior to 3.4.3, a Stored Cross-Site Scripting (XSS) … | Apr 07, 2026 |
| CVE-2026-29181 | HIGH | 7.5 | OpenTelemetry-Go is the Go implementation of OpenTelemetry. From 1.36.0 to 1.40.0, multi-value baggage: header extraction parses each header field-value independently and aggregates members across values. … | Apr 07, 2026 |
| CVE-2026-27949 | LOW | 2.0 | Plane is an open-source project management tool. Prior to 1.3.0, a vulnerability was identified in Plane's authentication flow where a user's email address is … | Apr 07, 2026 |