Security
CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
Totals: 12565 vulnerabilities (848 Critical, 3603 High, 3938 Medium)
| CVE ID | Severity | CVSS Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-35539 | MEDIUM | 6.1 | An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. XSS exists because of insufficient HTML attachment sanitization in preview mode. A victim must … | Apr 03, 2026 |
| CVE-2026-35538 | LOW | 3.1 | An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Unsanitized IMAP SEARCH command arguments could lead to IMAP injection or CSRF bypass during … | Apr 03, 2026 |
| CVE-2026-5452 | LOW | 3.3 | A flaw has been found in UCC CampusConnect App up to 14.3.5 on Android. This vulnerability affects unknown code of the file campusconnect/BuildConfig.java of the … | Apr 03, 2026 |
| CVE-2026-35537 | LOW | 3.7 | An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Unsafe deserialization in the redis/memcache session handler may lead to arbitrary file write operations … | Apr 03, 2026 |
| CVE-2026-35536 | HIGH | 7.2 | In Tornado before 6.5.5, cookie attribute injection could occur because the domain, path, and samesite arguments to .RequestHandler.set_cookie were not checked for crafted characters. | Apr 03, 2026 |
| CVE-2026-35535 | HIGH | 7.4 | In Sudo through 1.9.17p2 before 3e474c2, a failure of a setuid, setgid, or setgroups call, during a privilege drop before running the mailer, is not … | Apr 03, 2026 |
| CVE-2026-28815 | HIGH | 7.5 | A remote attacker can supply a short X-Wing HPKE encapsulated key and trigger an out-of-bounds read in the C decapsulation path, potentially causing a crash … | Apr 03, 2026 |
| CVE-2026-35508 | MEDIUM | 5.4 | Shynet before 0.14.0 allows XSS in the urldisplay and iconify template filters. | Apr 03, 2026 |
| CVE-2026-35507 | MEDIUM | 6.4 | Shynet before 0.14.0 allows Host header injection in the password reset flow. | Apr 03, 2026 |
| CVE-2026-33107 | CRITICAL | 10.0 | Server-side request forgery (SSRF) in Azure Databricks allows an unauthorized attacker to elevate privileges over a network. | Apr 03, 2026 |
| CVE-2026-33105 | CRITICAL | 10.0 | Improper authorization in Microsoft Azure Kubernetes Service allows an unauthorized attacker to elevate privileges over a network. | Apr 03, 2026 |
| CVE-2026-32213 | CRITICAL | 10.0 | Improper authorization in Azure AI Foundry allows an unauthorized attacker to elevate privileges over a network. | Apr 03, 2026 |
| CVE-2026-32211 | CRITICAL | 9.1 | Missing authentication for critical function in Azure MCP Server allows an unauthorized attacker to disclose information over a network. | Apr 03, 2026 |
| CVE-2026-32173 | HIGH | 8.6 | Improper authentication in Azure SRE Agent allows an unauthorized attacker to disclose information over a network. | Apr 03, 2026 |
| CVE-2026-26135 | CRITICAL | 9.6 | Server-side request forgery (SSRF) in Azure Custom Locations Resource Provider (RP) allows an authorized attacker to elevate privileges over a network. | Apr 03, 2026 |
| CVE-2022-4986 | HIGH | 7.5 | Hirschmann EagleSDV version 05.4.01 prior to 05.4.02 contains a denial-of-service vulnerability that causes the device to crash during session establishment when using TLS 1.0 or … | Apr 02, 2026 |
| CVE-2026-35467 | HIGH | 7.5 | Stored API keys in the temporary browser client are not marked as protected, allowing the JavaScript console or other errors to enable extraction of … | Apr 02, 2026 |
| CVE-2026-35466 | MEDIUM | 6.1 | XSS vulnerability in cveInterface.js allows injected HTML to be passed to the display, because cveInterface trusts input from CVE API services. | Apr 02, 2026 |
| CVE-2026-30252 | MEDIUM | 6.1 | Multiple reflected cross-site scripting (XSS) vulnerabilities in the login.php endpoint of Interzen Consulting S.r.l ZenShare Suite v17.0 allow attackers to execute arbitrary JavaScript in the … | Apr 02, 2026 |
| CVE-2026-30251 | MEDIUM | 6.1 | A reflected cross-site scripting (XSS) vulnerability in the login_newpwd.php endpoint of Interzen Consulting S.r.l ZenShare Suite v17.0 allows attackers to execute arbitrary JavaScript in the … | Apr 02, 2026 |
| CVE-2025-15620 | HIGH | 8.6 | HiOS Switch Platform versions 09.1.00 prior to 09.4.05 and 10.3.01 contain a denial-of-service vulnerability in the web interface that allows remote attackers to reboot the … | Apr 02, 2026 |
| CVE-2024-14033 | HIGH | 7.5 | Hirschmann Industrial IT products (BAT-R, BAT-F, BAT450-F, BAT867-R, BAT867-F, WLC, BAT Controller Virtual) contain a heap overflow vulnerability in the HiLCOS web interface that allows … | Apr 02, 2026 |
| CVE-2026-5420 | LOW | 2.5 | A security flaw has been discovered in Shinrays Games Goods Triple App up to 1.200. The affected element is an unknown function of the file … | Apr 02, 2026 |
| CVE-2026-35383 | MEDIUM | 6.5 | Bentley Systems iTwin Platform exposed a Cesium ion access token in the source of some web pages. An unauthenticated attacker could use this token to … | Apr 02, 2026 |
| CVE-2026-35053 | UNKNOWN | — | OneUptime is an open-source monitoring and observability platform. Prior to version 10.0.42, the Worker service's ManualAPI exposes workflow execution endpoints (GET /workflow/manual/run/:workflowId and POST /workflow/manual/run/:workflowId) … | Apr 02, 2026 |
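The Tornado entry above (CVE-2026-35536) describes a bug class worth seeing concretely: when the `domain`, `path` or `samesite` arguments of a cookie-setting API are concatenated into the `Set-Cookie` header without validation, a value containing `;` (or CR/LF) terminates the intended attribute and appends attacker-chosen ones. The following is an added illustration, not Tornado's code and not the fix Tornado shipped: it builds a header the unchecked way, parses back which attributes the browser would actually see, and shows a hardened builder that rejects separator and control characters. `CRAFTED_PATH` is a constructed attacker-influenced value; the function names are this example's own.

```python
"""Cookie attribute injection: vulnerable builder beside a hardened one.
Constructed example, not code from Tornado or from the CVE feed page."""

import re

# Inside an attribute value, ';' starts a new attribute and CR/LF end the
# header line, so none of these may appear in domain/path/samesite.
_BAD_ATTR_CHARS = re.compile(r"[;\r\n\x00-\x1f\x7f]")
_SAMESITE_VALUES = ("strict", "lax", "none")


def build_set_cookie_unchecked(name, value, *, domain=None, path=None, samesite=None):
    """Vulnerable pattern: attribute arguments are joined into the header as-is."""
    parts = [f"{name}={value}"]
    if domain is not None:
        parts.append(f"Domain={domain}")
    if path is not None:
        parts.append(f"Path={path}")
    if samesite is not None:
        parts.append(f"SameSite={samesite}")
    return "; ".join(parts)


def build_set_cookie_checked(name, value, *, domain=None, path=None, samesite=None):
    """Hardened pattern: refuse any attribute value that could split the header."""
    for label, attr in (("domain", domain), ("path", path), ("samesite", samesite)):
        if attr is not None and _BAD_ATTR_CHARS.search(attr):
            raise ValueError(f"invalid character in cookie {label} attribute: {attr!r}")
    if samesite is not None and samesite.lower() not in _SAMESITE_VALUES:
        raise ValueError(f"unsupported SameSite value: {samesite!r}")
    return build_set_cookie_unchecked(name, value, domain=domain, path=path, samesite=samesite)


def parse_attributes(header):
    """Return the lower-cased attribute names a client would parse from a Set-Cookie value."""
    pieces = [p.strip() for p in header.split(";")[1:]]
    return [p.split("=", 1)[0].lower() for p in pieces if p]


# Constructed attacker value: an application that derives Path from request data
# ends up emitting Domain and Max-Age attributes it never intended to set.
CRAFTED_PATH = "/account; Domain=.example.com; Max-Age=31536000"


def demo():
    """Show the injected attributes, then that the checked builder rejects the value."""
    header = build_set_cookie_unchecked("session", "abc123", path=CRAFTED_PATH)
    injected = parse_attributes(header)  # ['path', 'domain', 'max-age']
    try:
        build_set_cookie_checked("session", "abc123", path=CRAFTED_PATH)
        blocked = False
    except ValueError:
        blocked = True
    return injected, blocked


if __name__ == "__main__":
    attrs, blocked = demo()
    print("attributes seen by client (unchecked):", attrs)
    print("checked builder rejected crafted path:", blocked)
    print(build_set_cookie_checked("session", "abc123", path="/account", samesite="Lax"))
```

The parse step is the useful part when auditing: compare the attribute names the client would see against the ones the application intended, and any surplus name is an injection. The same check applies to the cookie name and value, which this example leaves unvalidated for brevity.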