Security
CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
12565
Total
848
Critical
3603
High
3938
Medium
| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-34835 | MEDIUM | 4.8 | Rack is a modular Ruby web server interface. From versions 3.0.0.beta1 to before 3.1.21, and 3.2.0 to before 3.2.6, Rack::Request parses the Host header using … | Apr 02, 2026 |
| CVE-2026-34828 | HIGH | 7.1 | listmonk is a standalone, self-hosted, newsletter and mailing list manager. From version 4.1.0 to before version 6.1.0, a session management vulnerability allows previously issued authenticated … | Apr 02, 2026 |
| CVE-2026-34827 | HIGH | 7.5 | Rack is a modular Ruby web server interface. From versions 3.0.0.beta1 to before 3.1.21, and 3.2.0 to before 3.2.6, Rack::Multipart::Parser#handle_mime_head parses quoted multipart parameters such … | Apr 02, 2026 |
| CVE-2026-34725 | HIGH | 8.2 | DbGate is cross-platform database manager. From version 7.0.0 to before version 7.1.5, a stored XSS vulnerability exists in DbGate because attacker-controlled SVG icon strings are … | Apr 02, 2026 |
| CVE-2026-34717 | CRITICAL | 9.9 | OpenProject is an open-source, web-based project management software. Prior to version 17.2.3, the =n operator in modules/reporting/lib/report/operator.rb:177 embeds user input directly into SQL WHERE clauses … | Apr 02, 2026 |
| CVE-2026-34715 | MEDIUM | 5.3 | ewe is a Gleam web server. Prior to version 3.0.6, the encode_headers function in src/ewe/internal/encoder.gleam directly interpolates response header keys and values into raw HTTP … | Apr 02, 2026 |
| CVE-2026-34610 | MEDIUM | 5.9 | The leancrypto library is a cryptographic library that exclusively contains only PQC-resistant cryptographic algorithms. Prior to version 1.7.1, lc_x509_extract_name_segment() casts size_t vlen to uint8_t when … | Apr 02, 2026 |
| CVE-2026-34608 | MEDIUM | 4.9 | NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Platform. Prior to version 0.24.10, in NanoMQ's webhook_inproc.c, the hook_work_cb() function processes nng messages by parsing … | Apr 02, 2026 |
| CVE-2026-34606 | UNKNOWN | — | Frappe Learning Management System (LMS) is a learning system that helps users structure their content. From version 2.27.0 to before version 2.48.0, Frappe LMS was … | Apr 02, 2026 |
| CVE-2026-34601 | HIGH | 7.5 | xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. In xmldom versions 0.6.0 and prior and @xmldom/xmldom prior … | Apr 02, 2026 |
| CVE-2026-34598 | UNKNOWN | — | YesWiki is a wiki system written in PHP. Prior to version 4.6.0, a stored and blind XSS vulnerability exists in the form title field. A … | Apr 02, 2026 |
| CVE-2026-34593 | UNKNOWN | — | Ash Framework is a declarative, extensible framework for building Elixir applications. Prior to version 3.22.0, Ash.Type.Module.cast_input/2 unconditionally creates a new Erlang atom via Module.concat([value]) for … | Apr 02, 2026 |
| CVE-2026-34591 | UNKNOWN | — | Poetry is a dependency manager for Python. From version 1.4.0 to before version 2.3.3, a crafted wheel can contain ../ paths that Poetry writes to … | Apr 02, 2026 |
| CVE-2026-34590 | MEDIUM | 5.4 | Postiz is an AI social media scheduling tool. Prior to version 2.21.4, the POST /webhooks/ endpoint for creating webhooks uses WebhooksDto which validates the url … | Apr 02, 2026 |
| CVE-2026-34584 | MEDIUM | 5.4 | listmonk is a standalone, self-hosted, newsletter and mailing list manager. From version 4.1.0 to before version 6.1.0, bugs in list permission checks allows users in … | Apr 02, 2026 |
| CVE-2026-34577 | HIGH | 8.6 | Postiz is an AI social media scheduling tool. Prior to version 2.21.3, the GET /public/stream endpoint in PublicController accepts a user-supplied url query parameter and … | Apr 02, 2026 |
| CVE-2026-34576 | UNKNOWN | — | Postiz is an AI social media scheduling tool. Prior to version 2.21.3, the POST /public/v1/upload-from-url endpoint accepts a user-supplied URL and fetches it server-side using … | Apr 02, 2026 |
| CVE-2026-34526 | MEDIUM | 5.0 | SillyTavern is a locally installed user interface that allows users to interact with text generation large language models, image generation engines, and text-to-speech voice models. … | Apr 02, 2026 |
| CVE-2026-34524 | HIGH | 8.3 | SillyTavern is a locally installed user interface that allows users to interact with text generation large language models, image generation engines, and text-to-speech voice models. … | Apr 02, 2026 |
| CVE-2026-34523 | MEDIUM | 5.3 | SillyTavern is a locally installed user interface that allows users to interact with text generation large language models, image generation engines, and text-to-speech voice models. … | Apr 02, 2026 |
| CVE-2026-34522 | HIGH | 8.1 | SillyTavern is a locally installed user interface that allows users to interact with text generation large language models, image generation engines, and text-to-speech voice models. … | Apr 02, 2026 |
| CVE-2026-34124 | UNKNOWN | — | A denial-of-service vulnerability was identified in TP-Link Tapo C520WS v2.6 within the HTTP request path parsing logic. The implementation enforces length restrictions on the raw … | Apr 02, 2026 |
| CVE-2026-34122 | UNKNOWN | — | A stack-based buffer overflow vulnerability was identified in TP-Link Tapo C520WS v2.6 within a configuration handling component due to insufficient input validation. An attacker can … | Apr 02, 2026 |
| CVE-2026-34121 | UNKNOWN | — | An authentication bypass vulnerability within the HTTP handling of the DS configuration service in TP-Link Tapo C520WS v2.6 was identified, due to inconsistent parsing and … | Apr 02, 2026 |
| CVE-2026-34120 | UNKNOWN | — | A heap-based buffer overflow vulnerability was identified in TP-Link Tapo C520WS v2.6 within the asynchronous parsing of local video stream content due to insufficient alignment … | Apr 02, 2026 |