CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
12556 total (848 critical, 3598 high, 3935 medium)
| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-35409 | HIGH | 7.7 | Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.16.0, a Server-Side Request Forgery (SSRF) protection bypass has been … | Apr 06, 2026 |
| CVE-2026-35408 | HIGH | 8.7 | Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, Directus's Single Sign-On (SSO) login pages lacked a Cross-Origin-Opener-Policy … | Apr 06, 2026 |
| CVE-2026-35404 | MEDIUM | 4.7 | Open edX Platform enables the authoring and delivery of online learning at any scale. The view_survey endpoint accepts a redirect_url GET parameter that is passed … | Apr 06, 2026 |
| CVE-2026-22675 | MEDIUM | 5.4 | OCS Inventory NG Server version 2.12.3 and prior contain a stored cross-site scripting vulnerability that allows unauthenticated attackers to execute arbitrary JavaScript by submitting malicious … | Apr 06, 2026 |
| CVE-2026-5683 | MEDIUM | 5.5 | A vulnerability was found in Tenda CX12L 16.03.53.12. Affected by this vulnerability is the function fromP2pListFilter of the file /goform/P2pListFilter. Performing a manipulation of the … | Apr 06, 2026 |
| CVE-2026-35472 | UNKNOWN | — | WeGIA is a Web manager for charitable institutions. Prior to 3.6.9, an Open Redirect vulnerability was identified in the /WeGIA/controle/control.php endpoint of the WeGIA application, … | Apr 06, 2026 |
| CVE-2026-35399 | UNKNOWN | — | WeGIA is a Web manager for charitable institutions. Prior to 3.6.9, a stored XSS vulnerability allows an attacker to inject malicious scripts through a backup … | Apr 06, 2026 |
| CVE-2026-35398 | UNKNOWN | — | WeGIA is a Web manager for charitable institutions. Prior to 3.6.9, an Open Redirect vulnerability was identified in the /WeGIA/controle/control.php endpoint of the WeGIA application, … | Apr 06, 2026 |
| CVE-2026-35396 | UNKNOWN | — | WeGIA is a Web manager for charitable institutions. Prior to 3.6.9, an Open Redirect vulnerability was identified in the /WeGIA/controle/control.php endpoint of the WeGIA application, … | Apr 06, 2026 |
| CVE-2026-35395 | HIGH | 8.8 | WeGIA is a Web manager for charitable institutions. Prior to 3.6.9, WeGIA (Web gerenciador para instituições assistenciais) contains a SQL injection vulnerability in dao/memorando/DespachoDAO.php. The … | Apr 06, 2026 |
| CVE-2026-35394 | HIGH | 8.3 | Mobile Next is an MCP server for mobile development and automation. Prior to 0.0.50, the mobile_open_url tool in mobile-mcp passes user-supplied URLs directly to Android's … | Apr 06, 2026 |
| CVE-2026-35393 | CRITICAL | 9.8 | goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.3, the POST multipart upload directory is not sanitized. This vulnerability is fixed in 2.0.0-beta.3. | Apr 06, 2026 |
| CVE-2026-35392 | CRITICAL | 9.8 | goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.3, PUT upload in httpserver/updown.go has no path sanitization. This vulnerability is fixed in 2.0.0-beta.3. | Apr 06, 2026 |
| CVE-2026-35391 | UNKNOWN | — | Bulwark Webmail is a self-hosted webmail client for Stalwart Mail Server. Prior to 1.4.11, the getClientIP() function in lib/admin/session.ts trusted the first (leftmost) entry of … | Apr 06, 2026 |
| CVE-2026-35390 | UNKNOWN | — | Bulwark Webmail is a self-hosted webmail client for Stalwart Mail Server. Prior to 1.4.11, the reverse proxy (proxy.ts) set the Content-Security-Policy-Report-Only header instead of the … | Apr 06, 2026 |
| CVE-2026-35389 | UNKNOWN | — | Bulwark Webmail is a self-hosted webmail client for Stalwart Mail Server. Prior to 1.4.11, S/MIME signature verification did not validate the certificate trust chain (checkChain: … | Apr 06, 2026 |
| CVE-2026-35213 | UNKNOWN | — | @hapi/content provided HTTP Content-* headers parsing. All versions of @hapi/content through 6.0.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via crafted HTTP header … | Apr 06, 2026 |
| CVE-2026-35208 | UNKNOWN | — | lichess.org is the forever free, adless and open source chess server. Any approved streamer can inject arbitrary HTML into /streamer and the homepage “Live streams” … | Apr 06, 2026 |
| CVE-2026-34972 | MEDIUM | 5.0 | OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. From 1.8.0 to 1.13.1, under specific conditions, BatchCheck calls … | Apr 06, 2026 |
| CVE-2025-54601 | HIGH | 7.0 | An issue was discovered in the Wi-Fi driver in Samsung Mobile Processor and Wearable Processor Exynos 980, 850, 1080, 1280, 1330, 1380, 1480, 1580, W920, … | Apr 06, 2026 |
| CVE-2026-5682 | LOW | 3.7 | A vulnerability has been found in Meesho Online Shopping App up to 27.3 on Android. Affected is an unknown function of the file /api/endpoint of … | Apr 06, 2026 |
| CVE-2026-5681 | MEDIUM | 6.3 | A flaw has been found in itsourcecode sanitize or validate this input 1.0. This impacts an unknown function of the file /borrowedequip.php of the component … | Apr 06, 2026 |
| CVE-2026-5679 | MEDIUM | 5.5 | A security vulnerability has been detected in Totolink A3300R 17.0.0cu.557_B20221024. The impacted element is the function vsetTr069Cfg of the file /cgi-bin/cstecgi.cgi. The manipulation of the … | Apr 06, 2026 |
| CVE-2026-35459 | UNKNOWN | — | pyLoad is a free and open-source download manager written in Python. In 0.5.0b3.dev96 and earlier, pyLoad has a server-side request forgery (SSRF) vulnerability. The fix … | Apr 06, 2026 |
| CVE-2026-35203 | HIGH | 7.5 | ZLMediaKit is a streaming media service framework. The VP9 RTP payload parser in ext-codec/VP9Rtp.cpp reads multiple fields from the RTP payload based on flag bits … | Apr 06, 2026 |