CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
Totals: 12565 entries (848 Critical, 3603 High, 3938 Medium).
| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-34932 | UNKNOWN | — | hoppscotch is an open source API development ecosystem. Prior to version 2026.3.0, there is a stored XSS vulnerability that can lead to CSRF. This issue … | Apr 02, 2026 |
| CVE-2026-34931 | UNKNOWN | — | hoppscotch is an open source API development ecosystem. Prior to version 2026.3.0, there is an open redirect vulnerability that leads to token exfiltration. With these … | Apr 02, 2026 |
| CVE-2026-34848 | MEDIUM | 5.4 | hoppscotch is an open source API development ecosystem. Prior to version 2026.3.0, there is a stored XSS vulnerability in the team member overflow tooltip via … | Apr 02, 2026 |
| CVE-2026-34847 | MEDIUM | 4.7 | hoppscotch is an open source API development ecosystem. Prior to version 2026.3.0, the /enter page contains a DOM-based open redirect vulnerability. The redirect query parameter … | Apr 02, 2026 |
| CVE-2026-34840 | HIGH | 8.1 | OneUptime is an open-source monitoring and observability platform. Prior to version 10.0.42, OneUptime's SAML SSO implementation (App/FeatureSet/Identity/Utils/SSO.ts) has decoupled signature verification and identity extraction. isSignatureValid() … | Apr 02, 2026 |
| CVE-2026-34838 | CRITICAL | 9.9 | Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.156, 25.0.90, and 26.0.12, a vulnerability in the AbstractSettingsCollection model leads to … | Apr 02, 2026 |
| CVE-2026-34834 | UNKNOWN | — | Bulwark Webmail is a self-hosted webmail client for Stalwart Mail Server. Prior to version 1.4.10, the verifyIdentity() function contained logic that returned true if no … | Apr 02, 2026 |
| CVE-2026-34833 | UNKNOWN | — | Bulwark Webmail is a self-hosted webmail client for Stalwart Mail Server. Prior to version 1.4.10, the GET /api/auth/session endpoint previously included the user's plaintext password … | Apr 02, 2026 |
| CVE-2026-34832 | MEDIUM | 6.5 | Scoold is a Q&A and a knowledge sharing platform for teams. Prior to version 1.66.1, Scoold contains an authenticated authorization flaw in feedback deletion that … | Apr 02, 2026 |
| CVE-2026-34825 | UNKNOWN | — | NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to version 2.0.30, NocoBase plugin-workflow-sql substitutes template variables directly into raw … | Apr 02, 2026 |
| CVE-2026-34762 | LOW | 2.7 | Ella Core is a 5G core designed for private networks. Prior to version 1.8.0, the PUT /api/v1/subscriber/{imsi} API accepts an IMSI identifier from both the … | Apr 02, 2026 |
| CVE-2026-34761 | MEDIUM | 5.8 | Ella Core is a 5G core designed for private networks. Prior to version 1.8.0, Ella Core panics when processing a NGAP handover failure message. An … | Apr 02, 2026 |
| CVE-2026-34760 | MEDIUM | 5.9 | vLLM is an inference and serving engine for large language models (LLMs). From version 0.5.5 to before version 0.18.0, Librosa defaults to using numpy.mean for … | Apr 02, 2026 |
| CVE-2024-14034 | CRITICAL | 9.8 | Hirschmann HiEOS devices versions prior to 01.1.00 contain an authentication bypass vulnerability in the HTTP(S) management module that allows unauthenticated remote attackers to gain administrative … | Apr 02, 2026 |
| CVE-2023-7343 | HIGH | 7.8 | HiSecOS web server versions 05.0.00 to 08.3.01 prior to 08.3.02 contains a privilege escalation vulnerability that allows authenticated users with operator or auditor roles to … | Apr 02, 2026 |
| CVE-2026-5429 | HIGH | 7.8 | Unsanitized input during web page generation in the Kiro Agent webview in Kiro IDE before version 0.8.140 allows a remote unauthenticated threat actor to execute … | Apr 02, 2026 |
| CVE-2026-5418 | HIGH | 7.3 | A vulnerability was identified in appsmithorg appsmith up to 1.97. Impacted is the function computeDisallowedHosts of the file app/server/appsmith-interfaces/src/main/java/com/appsmith/util/WebClientUtils.java of the component Dashboard. Such manipulation … | Apr 02, 2026 |
| CVE-2026-5417 | MEDIUM | 4.7 | A vulnerability was determined in Dataease SQLbot up to 1.6.0. This issue affects the function get_es_data_by_http of the file backend/apps/db/es_engine.py of the component Elasticsearch Handler. … | Apr 02, 2026 |
| CVE-2026-34759 | UNKNOWN | — | OneUptime is an open-source monitoring and observability platform. Prior to version 10.0.42, multiple notification API endpoints are registered without authentication middleware, while sibling endpoints in … | Apr 02, 2026 |
| CVE-2026-34758 | CRITICAL | 9.1 | OneUptime is an open-source monitoring and observability platform. Prior to version 10.0.42, unauthenticated access to Notification test and Phone Number management endpoints allows SMS/Call/Email/WhatsApp abuse … | Apr 02, 2026 |
| CVE-2026-34752 | UNKNOWN | — | Haraka is a Node.js mail server. Prior to version 3.1.4, sending an email with __proto__: as a header name crashes the Haraka worker process. This … | Apr 02, 2026 |
| CVE-2026-34745 | CRITICAL | 9.1 | Fireshare facilitates self-hosted media and link sharing. Prior to version 1.5.3, the fix for CVE-2026-33645 was applied to the authenticated /api/uploadChunked endpoint but was not … | Apr 02, 2026 |
| CVE-2026-34743 | UNKNOWN | — | XZ Utils provide a general-purpose data-compression library plus command-line tools. Prior to version 5.8.3, if lzma_index_decoder() was used to decode an Index that contained no … | Apr 02, 2026 |
| CVE-2026-34742 | UNKNOWN | — | The Go MCP SDK used Go's standard encoding/json. Prior to version 1.4.0, the Model Context Protocol (MCP) Go SDK does not enable DNS rebinding protection … | Apr 02, 2026 |
| CVE-2026-34736 | MEDIUM | 5.3 | Open edX Platform enables the authoring and delivery of online learning at any scale. From the maple release to before the ulmo release, an unauthenticated … | Apr 02, 2026 |