Security
CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
Total: 11702 | Critical: 781 | High: 3315 | Medium: 3732
| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-35614 | UNKNOWN | — | Frappe is a full-stack web application framework. Prior to 16.14.0 and 15.104.0, Frappe has a SQL injection in bulk_update. This vulnerability is fixed in 16.14.0 … | Apr 07, 2026 |
| CVE-2026-35613 | MEDIUM | 5.1 | coursevault-preview is a utility for previewing course material files from a configured directory. coursevault-preview versions prior to 0.1.1 contain a path traversal vulnerability in the … | Apr 07, 2026 |
| CVE-2026-35611 | HIGH | 7.5 | Addressable is an alternative implementation to the URI implementation that is part of Ruby's standard library. From 2.3.0 to before 2.9.0, within the URI template … | Apr 07, 2026 |
| CVE-2026-35610 | HIGH | 8.8 | PolarLearn is a free and open-source learning program. In 0-PRERELEASE-14 and earlier, setCustomPassword(userId, password) and deleteUser(userId) in the account-management module used an inverted admin check. … | Apr 07, 2026 |
| CVE-2026-35608 | UNKNOWN | — | QuickDrop is an easy-to-use file sharing application. Prior to 1.5.3, a stored XSS vulnerability exists in the file preview endpoint. The application allows SVG files … | Apr 07, 2026 |
| CVE-2026-35607 | HIGH | 8.1 | File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.1, the fix in … | Apr 07, 2026 |
| CVE-2026-35606 | UNKNOWN | — | File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.1, the resourceGetHandler in … | Apr 07, 2026 |
| CVE-2026-35605 | UNKNOWN | — | File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.1, the Matches() function … | Apr 07, 2026 |
| CVE-2026-35604 | UNKNOWN | — | File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.1, when an admin … | Apr 07, 2026 |
| CVE-2026-35592 | MEDIUM | 5.3 | pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev97, the _safe_extractall() function in src/pyload/plugins/extractors/UnTar.py uses os.path.commonprefix() for its path traversal … | Apr 07, 2026 |
| CVE-2026-35586 | MEDIUM | 6.8 | pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev97, the ADMIN_ONLY_CORE_OPTIONS authorization set in set_config_value() uses incorrect option names ssl_cert … | Apr 07, 2026 |
| CVE-2026-35585 | UNKNOWN | — | File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. From 2.0.0 through 2.63.1, the hook … | Apr 07, 2026 |
| CVE-2026-35584 | UNKNOWN | — | FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to 1.8.212, the endpoint GET /thread/read/{conversation_id}/{thread_id} does not require authentication … | Apr 07, 2026 |
| CVE-2026-35583 | MEDIUM | 5.3 | Emissary is a P2P based data-driven workflow engine. Prior to 8.39.0, the configuration API endpoint (/api/configuration/{name}) validated configuration names using a blacklist approach that checked … | Apr 07, 2026 |
| CVE-2026-35581 | HIGH | 7.2 | Emissary is a P2P based data-driven workflow engine. Prior to 8.39.0, the Executrix utility class constructed shell commands by concatenating configuration-derived values — including the … | Apr 07, 2026 |
| CVE-2026-35580 | CRITICAL | 9.1 | Emissary is a P2P based data-driven workflow engine. Prior to 8.39.0, GitHub Actions workflow files contained shell injection points where user-controlled workflow_dispatch inputs were interpolated … | Apr 07, 2026 |
| CVE-2026-35578 | UNKNOWN | — | ChurchCRM is an open-source church management system. Prior to 7.0.0, it was possible in many places across the ChurchCRM application to create a link that, … | Apr 07, 2026 |
| CVE-2026-35574 | HIGH | 7.3 | ChurchCRM is an open-source church management system. Prior to 6.5.3, a stored Cross-Site Scripting (XSS) vulnerability in ChurchCRM's Note Editor allows authenticated users with note-adding … | Apr 07, 2026 |
| CVE-2026-35523 | HIGH | 7.5 | Strawberry GraphQL is a library for creating GraphQL APIs. Strawberry up until version 0.312.3 is vulnerable to an authentication bypass on WebSocket subscription endpoints. The … | Apr 07, 2026 |
| CVE-2026-32588 | UNKNOWN | — | Authenticated DoS over CQL in Apache Cassandra 4.0, 4.1, 5.0 allows authenticated user to raise query latencies via repeated password changes. Users are recommended to … | Apr 07, 2026 |
| CVE-2026-27315 | UNKNOWN | — | Sensitive Information Leak in cqlsh in Apache Cassandra 4.0 allows access to sensitive information, like passwords, from previously executed cqlsh command via ~/.cassandra/cqlsh_history local file … | Apr 07, 2026 |
| CVE-2026-27314 | HIGH | 8.8 | Privilege escalation in Apache Cassandra 5.0 on an mTLS environment using MutualTlsAuthenticator allows a user with only CREATE permission to associate their own certificate identity … | Apr 07, 2026 |
| CVE-2026-23696 | CRITICAL | 9.9 | Windmill CE and EE versions 1.276.0 through 1.603.2 contain an SQL injection vulnerability in the folder ownership management functionality that allows authenticated attackers to inject … | Apr 07, 2026 |
| CVE-2026-22683 | HIGH | 8.8 | Windmill versions 1.56.0 through 1.614.0 contain a missing authorization vulnerability that allows users with the Operator role to perform prohibited entity creation and modification actions … | Apr 07, 2026 |
| CVE-2025-70844 | UNKNOWN | — | yaffa v2.0.0 is vulnerable to Cross Site Scripting (XSS). An attacker can inject malicious JavaScript into the "Add Account Group" function on the account-group page, … | Apr 07, 2026 |