Security
CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
Total: 11702 | Critical: 781 | High: 3315 | Medium: 3732
| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-5741 | HIGH | 7.3 | A weakness has been identified in suvarchal docker-mcp-server up to 0.1.0. The impacted element is the function stop_container/remove_container/pull_image of the file src/index.ts of the component … | Apr 07, 2026 |
| CVE-2026-5739 | HIGH | 7.3 | A security flaw has been discovered in PowerJob 5.1.0/5.1.1/5.1.2. The affected element is the function GroovyEvaluator.evaluate of the file /openApi/addWorkflowNode of the component OpenAPI Endpoint. … | Apr 07, 2026 |
| CVE-2026-3566 | UNKNOWN | — | Rejected reason: After further discussion, the issue was determined to not meet the criteria for CVE assignment. | Apr 07, 2026 |
| CVE-2026-39841 | UNKNOWN | — | Improper neutralization of Script-Related HTML tags in a web page (basic XSS) vulnerability in Wikimedia Foundation Mediawiki - Cargo Extension allows Stored XSS. This issue affects … | Apr 07, 2026 |
| CVE-2026-39840 | UNKNOWN | — | Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Wikimedia Foundation Mediawiki - Cargo Extension allows XSS Targeting Non-Script Elements. This issue affects … | Apr 07, 2026 |
| CVE-2026-39839 | UNKNOWN | — | Improper neutralization of Script-Related HTML tags in a web page (basic XSS) vulnerability in Wikimedia Foundation Mediawiki - Cargo Extension allows Stored XSS. This issue affects … | Apr 07, 2026 |
| CVE-2026-39838 | UNKNOWN | — | Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Wikimedia Foundation MediaWiki - ProofreadPage Extension allows XSS Targeting Non-Script Elements. This issue affects … | Apr 07, 2026 |
| CVE-2026-39837 | UNKNOWN | — | Improper neutralization of Script-Related HTML tags in a web page (basic XSS) vulnerability in WikiWorks Mediawiki - Cargo Extension allows Stored XSS. This issue affects Mediawiki … | Apr 07, 2026 |
| CVE-2026-39395 | MEDIUM | 4.3 | Cosign provides code signing and transparency for containers and binaries. Prior to 3.0.6 and 2.6.3, cosign verify-blob-attestation may erroneously report a "Verified OK" result for … | Apr 07, 2026 |
| CVE-2026-39382 | UNKNOWN | — | dbt enables data analysts and engineers to transform their data using the same practices that software engineers use to build applications. Inside the reusable workflow … | Apr 07, 2026 |
| CVE-2026-39381 | UNKNOWN | — | Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.8.0-alpha.7 and 8.6.75, the GET … | Apr 07, 2026 |
| CVE-2026-39380 | MEDIUM | 5.4 | Open Source Point of Sale is a web based point-of-sale application written in PHP using CodeIgniter framework. Prior to 3.4.3, a Stored Cross-Site Scripting (XSS) … | Apr 07, 2026 |
| CVE-2026-39376 | HIGH | 7.5 | FastFeedParser is a high performance RSS, Atom and RDF parser. Prior to 0.5.10, when parse() fetches a URL that returns an HTML page containing a … | Apr 07, 2026 |
| CVE-2026-39374 | MEDIUM | 6.5 | Plane is an open-source project management tool. Prior to 1.3.0, the IssueBulkUpdateDateEndpoint allows a project member (ADMIN or MEMBER) to modify the start_date and … | Apr 07, 2026 |
| CVE-2026-39373 | MEDIUM | 5.3 | JWCrypto implements JWK, JWS, and JWE specifications using python-cryptography. Prior to 1.5.7, an unauthenticated attacker can exhaust server memory by sending crafted JWE tokens with … | Apr 07, 2026 |
| CVE-2026-39371 | HIGH | 8.1 | RedwoodSDK is a server-first React framework. From 1.0.0-beta.50 to 1.0.5, server functions exported from "use server" files could be invoked via GET requests, bypassing their … | Apr 07, 2026 |
| CVE-2026-39370 | HIGH | 7.1 | WWBN AVideo is an open source video platform. In versions 26.0 and prior, objects/aVideoEncoder.json.php still allows attacker-controlled downloadURL values with common media or archive extensions … | Apr 07, 2026 |
| CVE-2026-39369 | HIGH | 7.6 | WWBN AVideo is an open source video platform. In versions 26.0 and prior, objects/aVideoEncoderReceiveImage.json.php allowed an authenticated uploader to fetch attacker-controlled same-origin /videos/... URLs, bypass … | Apr 07, 2026 |
| CVE-2026-39368 | MEDIUM | 6.5 | WWBN AVideo is an open source video platform. In versions 26.0 and prior, the Live restream log callback flow accepted an attacker-controlled restreamerURL and later … | Apr 07, 2026 |
| CVE-2026-39367 | MEDIUM | 5.4 | WWBN AVideo is an open source video platform. In versions 26.0 and prior, AVideo's EPG (Electronic Program Guide) feature parses XML from user-controlled URLs and … | Apr 07, 2026 |
| CVE-2026-39366 | MEDIUM | 6.5 | WWBN AVideo is an open source video platform. In versions 26.0 and prior, the PayPal IPN v1 handler at plugin/PayPalYPT/ipn.php lacks transaction deduplication, allowing an … | Apr 07, 2026 |
| CVE-2026-39365 | UNKNOWN | — | Vite is a frontend tooling framework for JavaScript. From 6.0.0 to before 6.4.2, 7.3.2, and 8.0.5, the dev server’s handling of .map requests for optimized … | Apr 07, 2026 |
| CVE-2026-39364 | UNKNOWN | — | Vite is a frontend tooling framework for JavaScript. From 7.1.0 to before 7.3.2 and 8.0.5, on the Vite dev server, files that should be blocked … | Apr 07, 2026 |
| CVE-2026-39363 | UNKNOWN | — | Vite is a frontend tooling framework for JavaScript. From 6.0.0 to before 6.4.2, 7.3.2, and 8.0.5, if it is possible to connect to the Vite … | Apr 07, 2026 |
| CVE-2026-39361 | HIGH | 7.7 | OpenObserve is a cloud-native observability platform. In 0.70.3 and earlier, the validate_enrichment_url function in src/handler/http/request/enrichment_table/mod.rs fails to block IPv6 addresses because Rust's url crate returns … | Apr 07, 2026 |