Security
CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
| Total | Critical | High | Medium |
|---|---|---|---|
| 12462 | 832 | 3555 | 3875 |
| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-35580 | CRITICAL | 9.1 | Emissary is a P2P based data-driven workflow engine. Prior to 8.39.0, GitHub Actions workflow files contained shell injection points where user-controlled workflow_dispatch inputs were interpolated … | Apr 07, 2026 |
| CVE-2026-35578 | UNKNOWN | — | ChurchCRM is an open-source church management system. Prior to 7.0.0, it was possible in many places across the ChurchCRM application to create a link that, … | Apr 07, 2026 |
| CVE-2026-35574 | HIGH | 7.3 | ChurchCRM is an open-source church management system. Prior to 6.5.3, a stored Cross-Site Scripting (XSS) vulnerability in ChurchCRM's Note Editor allows authenticated users with note-adding … | Apr 07, 2026 |
| CVE-2026-35523 | HIGH | 7.5 | Strawberry GraphQL is a library for creating GraphQL APIs. Strawberry up until version 0.312.3 is vulnerable to an authentication bypass on WebSocket subscription endpoints. The … | Apr 07, 2026 |
| CVE-2026-32588 | UNKNOWN | — | Authenticated DoS over CQL in Apache Cassandra 4.0, 4.1, 5.0 allows authenticated user to raise query latencies via repeated password changes. Users are recommended to … | Apr 07, 2026 |
| CVE-2026-27315 | UNKNOWN | — | Sensitive Information Leak in cqlsh in Apache Cassandra 4.0 allows access to sensitive information, like passwords, from previously executed cqlsh command via ~/.cassandra/cqlsh_history local file … | Apr 07, 2026 |
| CVE-2026-27314 | HIGH | 8.8 | Privilege escalation in Apache Cassandra 5.0 on an mTLS environment using MutualTlsAuthenticator allows a user with only CREATE permission to associate their own certificate identity … | Apr 07, 2026 |
| CVE-2026-23696 | CRITICAL | 9.9 | Windmill CE and EE versions 1.276.0 through 1.603.2 contain an SQL injection vulnerability in the folder ownership management functionality that allows authenticated attackers to inject … | Apr 07, 2026 |
| CVE-2026-22683 | HIGH | 8.8 | Windmill versions 1.56.0 through 1.614.0 contain a missing authorization vulnerability that allows users with the Operator role to perform prohibited entity creation and modification actions … | Apr 07, 2026 |
| CVE-2025-70844 | UNKNOWN | — | yaffa v2.0.0 is vulnerable to Cross Site Scripting (XSS). An attacker can inject malicious JavaScript into the "Add Account Group" function on the account-group page, … | Apr 07, 2026 |
| CVE-2025-14944 | MEDIUM | 5.3 | The Backup Migration plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 2.0.0. This is due to a missing … | Apr 07, 2026 |
| CVE-2025-14821 | HIGH | 7.8 | A flaw was found in libssh. This vulnerability allows local man-in-the-middle attacks, security downgrades of SSH (Secure Shell) connections, and manipulation of trusted host information, … | Apr 07, 2026 |
| CVE-2024-36058 | UNKNOWN | — | The Send Basket functionality in Koha Library before 23.05.10 is susceptible to Time-Based SQL Injection because it fails to sanitize the POST parameter bib_list in … | Apr 07, 2026 |
| CVE-2026-5745 | MEDIUM | 5.5 | A flaw was found in libarchive. A NULL pointer dereference vulnerability exists in the ACL parsing logic, specifically within the archive_acl_from_text_nl() function. When processing a … | Apr 07, 2026 |
| CVE-2026-5359 | UNKNOWN | — | Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. Reason: This candidate was issued in error. Notes: All references and descriptions in this … | Apr 07, 2026 |
| CVE-2026-4931 | UNKNOWN | — | Smart contract Marginal v1 performs unsafe downcast, allowing attackers to settle a large debt position for a negligible asset cost. | Apr 07, 2026 |
| CVE-2026-35571 | MEDIUM | 4.8 | Emissary is a P2P based data-driven workflow engine. Prior to 8.39.0, Mustache navigation templates interpolated configuration-controlled link values directly into href attributes without URL scheme … | Apr 07, 2026 |
| CVE-2026-35567 | HIGH | 8.8 | ChurchCRM is an open-source church management system. Prior to 7.1.0, the NewRole POST parameter in src/MemberRoleChange.php is used in an SQL query without proper integer … | Apr 07, 2026 |
| CVE-2026-35566 | UNKNOWN | — | Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2026-39319. Reason: This candidate is a duplicate of CVE-2026-39319. Notes: All CVE users … | Apr 07, 2026 |
| CVE-2026-35534 | HIGH | 7.6 | ChurchCRM is an open-source church management system. Prior to 7.1.0, a stored cross-site scripting vulnerability exists in PersonView.php due to incorrect use of sanitizeText() as … | Apr 07, 2026 |
| CVE-2026-35526 | HIGH | 7.5 | Strawberry GraphQL is a library for creating GraphQL APIs. Prior to 0.312.3, Strawberry GraphQL's WebSocket subscription handlers for both the graphql-transport-ws and legacy graphql-ws protocols … | Apr 07, 2026 |
| CVE-2026-35521 | HIGH | 8.8 | FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, the Pi-hole FTL engine contains a … | Apr 07, 2026 |
| CVE-2026-35520 | HIGH | 8.8 | FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, the Pi-hole FTL engine contains a … | Apr 07, 2026 |
| CVE-2026-35519 | HIGH | 8.8 | FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, the Pi-hole FTL engine contains a … | Apr 07, 2026 |
| CVE-2026-35518 | HIGH | 8.8 | FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, the Pi-hole FTL engine contains a … | Apr 07, 2026 |