Security
CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
Total: 12600 | Critical: 849 | High: 3629 | Medium: 3944

| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-34807 | MEDIUM | 6.4 | Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the remark parameter to /cgi-bin/incoming.cgi. An authenticated attacker can inject arbitrary JavaScript that … | Apr 02, 2026 |
| CVE-2026-34806 | MEDIUM | 6.4 | Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the remark parameter to /cgi-bin/snat.cgi. An authenticated attacker can inject arbitrary JavaScript that … | Apr 02, 2026 |
| CVE-2026-34805 | MEDIUM | 6.4 | Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the remark parameter to /cgi-bin/dnat.cgi. An authenticated attacker can inject arbitrary JavaScript that … | Apr 02, 2026 |
| CVE-2026-34804 | MEDIUM | 6.4 | Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the dscp parameter to /manage/qos/rules/. An authenticated attacker can inject arbitrary JavaScript that … | Apr 02, 2026 |
| CVE-2026-34803 | MEDIUM | 6.4 | Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the name parameter to /manage/qos/classes/. An authenticated attacker can inject arbitrary JavaScript that … | Apr 02, 2026 |
| CVE-2026-34802 | MEDIUM | 6.4 | Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the remark user ham spam parameter to /cgi-bin/salearn.cgi. An authenticated attacker can inject … | Apr 02, 2026 |
| CVE-2026-34801 | MEDIUM | 6.4 | Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the remark parameter to /manage/dhcp/fixed_leases/. An authenticated attacker can inject arbitrary JavaScript that … | Apr 02, 2026 |
| CVE-2026-34800 | MEDIUM | 6.4 | Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the NAME parameter to /cgi-bin/uplinkeditor.cgi. An authenticated attacker can inject arbitrary JavaScript that … | Apr 02, 2026 |
| CVE-2026-34799 | MEDIUM | 6.4 | Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the remark parameter to /manage/dnsmasq/hosts/. An authenticated attacker can inject arbitrary JavaScript that … | Apr 02, 2026 |
| CVE-2026-34798 | MEDIUM | 6.4 | Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the remark parameter to /cgi-bin/routing.cgi. An authenticated attacker can inject arbitrary JavaScript that … | Apr 02, 2026 |
| CVE-2026-34797 | HIGH | 8.8 | Endian Firewall version 3.3.25 and prior allow authenticated users to execute arbitrary OS commands via the DATE parameter to /cgi-bin/logs_smtp.cgi. The DATE parameter value is … | Apr 02, 2026 |
| CVE-2026-34796 | HIGH | 8.8 | Endian Firewall version 3.3.25 and prior allow authenticated users to execute arbitrary OS commands via the DATE parameter to /cgi-bin/logs_openvpn.cgi. The DATE parameter value is … | Apr 02, 2026 |
| CVE-2026-34795 | HIGH | 8.8 | Endian Firewall version 3.3.25 and prior allow authenticated users to execute arbitrary OS commands via the DATE parameter to /cgi-bin/logs_log.cgi. The DATE parameter value is … | Apr 02, 2026 |
| CVE-2026-34794 | HIGH | 8.8 | Endian Firewall version 3.3.25 and prior allow authenticated users to execute arbitrary OS commands via the DATE parameter to /cgi-bin/logs_ids.cgi. The DATE parameter value is … | Apr 02, 2026 |
| CVE-2026-34793 | HIGH | 8.8 | Endian Firewall version 3.3.25 and prior allow authenticated users to execute arbitrary OS commands via the DATE parameter to /cgi-bin/logs_firewall.cgi. The DATE parameter value is … | Apr 02, 2026 |
| CVE-2026-34792 | HIGH | 8.8 | Endian Firewall version 3.3.25 and prior allow authenticated users to execute arbitrary OS commands via the DATE parameter to /cgi-bin/logs_clamav.cgi. The DATE parameter value is … | Apr 02, 2026 |
| CVE-2026-34791 | HIGH | 8.8 | Endian Firewall version 3.3.25 and prior allow authenticated users to execute arbitrary OS commands via the DATE parameter to /cgi-bin/logs_proxy.cgi. The DATE parameter value is … | Apr 02, 2026 |
| CVE-2026-34790 | HIGH | 7.1 | Endian Firewall version 3.3.25 and prior allow authenticated users to delete arbitrary files via directory traversal in the remove ARCHIVE parameter to /cgi-bin/backup.cgi. The remove … | Apr 02, 2026 |
| CVE-2026-34729 | MEDIUM | 6.1 | phpMyFAQ is an open source FAQ web application. Prior to version 4.1.1, there is a stored XSS vulnerability via Regex Bypass in Filter::removeAttributes(). This issue … | Apr 02, 2026 |
| CVE-2026-34728 | HIGH | 8.7 | phpMyFAQ is an open source FAQ web application. Prior to version 4.1.1, the MediaBrowserController::index() method handles file deletion for the media browser. When the fileRemove … | Apr 02, 2026 |
| CVE-2026-33641 | HIGH | 7.8 | Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.3, Glances supports dynamic configuration values in which substrings enclosed in backticks are executed … | Apr 02, 2026 |
| CVE-2026-33544 | HIGH | 7.7 | Tinyauth is an authentication and authorization server. Prior to version 5.0.5, all three OAuth service implementations (GenericOAuthService, GithubOAuthService, GoogleOAuthService) store PKCE verifiers and access tokens … | Apr 02, 2026 |
| CVE-2026-33533 | UNKNOWN | — | Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.3, the Glances XML-RPC server (activated with glances -s or glances --server) sends Access-Control-Allow-Origin: … | Apr 02, 2026 |
| CVE-2026-32871 | UNKNOWN | — | FastMCP is a Pythonic way to build MCP servers and clients. Prior to version 3.2.0, the OpenAPIProvider in FastMCP exposes internal APIs to MCP clients … | Apr 02, 2026 |
| CVE-2026-32629 | UNKNOWN | — | phpMyFAQ is an open source FAQ web application. Prior to version 4.1.1, an unauthenticated attacker can submit a guest FAQ with an email address that … | Apr 02, 2026 |