Security
CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
Total: 12600 | Critical: 849 | High: 3629 | Medium: 3944
| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-4829 | MEDIUM | 5.4 | Improper authentication in the external OAuth authentication flow in Devolutions Server 2026.1.11 and earlier allows an authenticated user to authenticate as other users, including administrators, … | Apr 01, 2026 |
| CVE-2026-4828 | HIGH | 8.2 | Improper authentication in the OAuth login functionality in Devolutions Server 2026.1.11 and earlier allows a remote attacker with valid credentials to bypass multi-factor authentication via … | Apr 01, 2026 |
| CVE-2026-35099 | HIGH | 7.4 | Lakeside SysTrack Agent 11 before 11.5.0.15 has a race condition with resultant local privilege escalation to SYSTEM. The fixed versions are 11.2.1.28, 11.3.0.38, 11.4.0.24, and … | Apr 01, 2026 |
| CVE-2026-34510 | MEDIUM | 5.3 | OpenClaw before 2026.3.22 contains a path traversal vulnerability in Windows media loaders that accepts remote-host file URLs and UNC-style paths before local-path validation. Attackers can … | Apr 01, 2026 |
| CVE-2026-31027 | CRITICAL | 9.8 | TOTOlink A3600R v5.9c.4959 contains a buffer overflow vulnerability in the setAppEasyWizardConfig interface of /lib/cste_modules/app.so. The vulnerability occurs because the rootSsid parameter is not properly validated … | Apr 01, 2026 |
| CVE-2025-67807 | MEDIUM | 4.7 | The login mechanism of Sage DPW 2025_06_004 displays distinct responses for valid and invalid usernames, allowing enumeration of existing accounts in versions before 2021_06_000. On-premise … | Apr 01, 2026 |
| CVE-2025-67806 | LOW | 3.7 | The login mechanism of Sage DPW 2021_06_004 displays distinct responses for valid and invalid usernames, allowing enumeration of existing accounts in versions before 2021_06_000. On-premise … | Apr 01, 2026 |
| CVE-2025-67805 | MEDIUM | 5.9 | A non-default configuration in Sage DPW 2025_06_004 allows unauthenticated access to diagnostic endpoints within the Database Monitor feature, exposing sensitive information such as hashes and … | Apr 01, 2026 |
| CVE-2026-30573 | HIGH | 7.5 | A Business Logic vulnerability exists in SourceCodester Pharmacy Product Management System 1.0. The vulnerability is located in the add-sales.php file. The application fails to validate … | Apr 01, 2026 |
| CVE-2026-30526 | MEDIUM | 6.1 | A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Zoo Management System v1.0. The vulnerability is located in the login page, specifically within the msg … | Apr 01, 2026 |
| CVE-2026-30523 | MEDIUM | 6.5 | A Business Logic vulnerability exists in SourceCodester Loan Management System v1.0 due to the lack of proper input validation. The application allows administrators to define … | Apr 01, 2026 |
| CVE-2026-30292 | HIGH | 8.4 | An arbitrary file overwrite vulnerability in Docudepot PDF Reader: PDF Viewer APP v1.0.34 allows attackers to overwrite critical internal files via the file import process, … | Apr 01, 2026 |
| CVE-2026-30291 | HIGH | 8.4 | An arbitrary file overwrite vulnerability in Ora Tools PDF Reader ' Reader & Editor APPv4.3.5 allows attackers to overwrite critical internal files via the file … | Apr 01, 2026 |
| CVE-2026-29598 | MEDIUM | 5.4 | Multiple stored cross-site scripting (XSS) vulnerabilities in the submit_add_user.asp endpoint of DDSN Interactive Acora CMS v10.7.1 allow attackers to execute arbitrary web scripts or HTML … | Apr 01, 2026 |
| CVE-2025-13535 | MEDIUM | 6.4 | The King Addons for Elementor plugin for WordPress is vulnerable to multiple Contributor+ DOM-Based Stored Cross-Site Scripting vulnerabilities in all versions up to, and including, … | Apr 01, 2026 |
| CVE-2026-5271 | UNKNOWN | — | pymanager included the current working directory in sys.path meaning modules could be shadowed by modules in the current working directory. As a result, if a … | Apr 01, 2026 |
| CVE-2026-3877 | UNKNOWN | — | A reflected cross-site scripting (XSS) vulnerability in the dashboard search functionality of the VertiGIS FM solution allows attackers to craft a malicious URL, that if … | Apr 01, 2026 |
| CVE-2026-35094 | LOW | 3.3 | A flaw was found in libinput. An attacker capable of deploying a Lua plugin file in specific system directories can exploit a dangling pointer vulnerability. … | Apr 01, 2026 |
| CVE-2026-35093 | HIGH | 8.8 | A flaw was found in libinput. A local attacker who can place a specially crafted Lua bytecode file in certain system or user configuration directories … | Apr 01, 2026 |
| CVE-2026-35092 | HIGH | 7.5 | A flaw was found in Corosync. An integer overflow vulnerability in Corosync's join message sanity validation allows a remote, unauthenticated attacker to send crafted User … | Apr 01, 2026 |
| CVE-2026-35091 | HIGH | 8.2 | A flaw was found in Corosync. A remote unauthenticated attacker can exploit a wrong return value vulnerability in the Corosync membership commit token sanity check … | Apr 01, 2026 |
| CVE-2026-34999 | MEDIUM | 5.3 | OpenViking versions 0.2.5 prior to 0.2.14 contain a missing authentication vulnerability in the bot proxy router that allows remote unauthenticated attackers to access protected bot … | Apr 01, 2026 |
| CVE-2026-34430 | HIGH | 8.8 | ByteDance Deer-Flow versions prior to commit 92c7a20 contain a sandbox escape vulnerability in bash tool handling that allows attackers to execute arbitrary commands on the … | Apr 01, 2026 |
| CVE-2026-30522 | MEDIUM | 6.5 | A Business Logic vulnerability exists in SourceCodester Loan Management System v1.0 due to improper server-side validation. The application allows administrators to create "Loan Plans" with … | Apr 01, 2026 |
| CVE-2026-30289 | HIGH | 8.4 | An arbitrary file overwrite vulnerability in Tinybeans Private Family Album App v5.9.5-prod allows attackers to overwrite critical internal files via the file import process, leading … | Apr 01, 2026 |