Export limit exceeded: 345785 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (345785 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-6819 | 2026-04-21 | 8.8 High | ||
| HKUDS OpenHarness prior to PR #156 remediation exposes plugin lifecycle commands including /plugin install, /plugin enable, /plugin disable, and /reload-plugins to remote senders by default. Attackers who gain access through the channel layer can remotely manage plugin trust and activation state, enabling unauthorized plugin installation and activation on the system. | ||||
| CVE-2026-6443 | 2 Essentialplugin, Wordpress | 2 Accordion And Accordion Slider, Wordpress | 2026-04-21 | 9.8 Critical |
| All plugins by Essentialplugin for WordPress are vulnerable to an injected backdoor in various versions. This is due to the plugin being sold to a malicious threat actor that embedded a backdoor in all of the plugin's they acquired. This makes it possible for the threat actor to maintain a persistent backdoor and inject spam into the affected sites. | ||||
| CVE-2026-5928 | 1 The Gnu C Library | 1 Glibc | 2026-04-21 | 7.5 High |
| Calling the ungetwc function on a FILE stream with wide characters encoded in a character set that has overlaps between its single byte and multi-byte character encodings, in the GNU C Library version 2.43 or earlier, may result in an attempt to read bytes before an allocated buffer, potentially resulting in unintentional disclosure of neighboring data in the heap, or a program crash. A bug in the wide character pushback implementation (_IO_wdefault_pbackfail in libio/wgenops.c) causes ungetwc() to operate on the regular character buffer (fp->_IO_read_ptr) instead of the actual wide-stream read pointer (fp->_wide_data->_IO_read_ptr). The program crash may happen in cases where fp->_IO_read_ptr is not initialized and hence points to NULL. The buffer under-read requires a special situation where the input character encoding is such that there are overlaps between single byte representations and multibyte representations in that encoding, resulting in spurious matches. The spurious match case is not possible in the standard Unicode character sets. | ||||
| CVE-2026-5450 | 1 The Gnu C Library | 1 Glibc | 2026-04-21 | 9.8 Critical |
| Calling the scanf family of functions with a %mc (malloc'd character match) in the GNU C Library version 2.7 to version 2.43 with a format width specifier with an explicit width greater than 1024 could result in a one byte heap buffer overflow. | ||||
| CVE-2026-5358 | 1 The Gnu C Library | 1 Glibc | 2026-04-21 | 9.1 Critical |
| The obsolete nis_local_principal function in the GNU C Library version 2.43 and older may overflow a buffer in the data section, which could allow an attacker to spoof a crafted response to a UDP request generated by this function and overwrite neighboring static data in the requesting application. NIS support is obsolete and has been deprecated in the GNU C Library since version 2.26 and is only maintained for legacy usage. Applications should port away from NIS to more modern identity and access management services. | ||||
| CVE-2026-41320 | 2026-04-21 | 6.5 Medium | ||
| Frappe HR is an open-source human resources management solution (HRMS). Prior to versions 15.54.0 and 14.38.1, a specially crafted request made to a certain endpoint could result in SQL injection, allowing an attacker to extract information they wouldn't otherwise be able to. Versions 15.54.0 and 14.38.1 contain a patch. No known workarounds are available. | ||||
| CVE-2026-40908 | 2026-04-21 | 5.3 Medium | ||
| WWBN AVideo is an open source video platform. In versions 29.0 and prior, the file `git.json.php` at the web root executes `git log -1` and returns the full output as JSON to any unauthenticated user. This exposes the exact deployed commit hash (enabling version fingerprinting against known CVEs), developer names and email addresses (PII), and commit messages which may contain references to internal systems or security fixes. As of time of publication, no known patched versions are available. | ||||
| CVE-2026-40903 | 2026-04-21 | 9.1 Critical | ||
| goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.6, goshs has an ArtiPACKED vulnerability. ArtiPACKED can lead to leakage of the GITHUB_TOKEN through workflow artifacts, even though the token is not present in the repository source code. This vulnerability is fixed in 2.0.0-beta.6. | ||||
| CVE-2026-40889 | 2026-04-21 | 6.5 Medium | ||
| Frappe HR is an open-source human resources management solution (HRMS). Prior to versions 15.58.2 and 16.4.2, authenticated users can access unauthorized files by exploiting certain api endpoint. Versions 15.58.2 and 16.4.2 contain a patch. No known workarounds are available. | ||||
| CVE-2026-40888 | 2026-04-21 | N/A | ||
| Frappe HR is an open-source human resources management solution (HRMS). Prior to versions 15.58.1 and 16.4.1, an authenticated user with default role can access unauthorized information by exploiting certain api endpoint. Versions 15.58.1 and 16.4.1 contain a patch. No known workarounds are available. | ||||
| CVE-2026-40887 | 2026-04-21 | 9.1 Critical | ||
| Vendure is an open-source headless commerce platform. Starting in version 1.7.4 and prior to versions 2.3.4, 3.5.7, and 3.6.2, an unauthenticated SQL injection vulnerability exists in the Vendure Shop API. A user-controlled query string parameter is interpolated directly into a raw SQL expression without parameterization or validation, allowing an attacker to execute arbitrary SQL against the database. This affects all supported database backends (PostgreSQL, MySQL/MariaDB, SQLite). The Admin API is also affected, though exploitation there requires authentication. Versions 2.3.4, 3.5.7, and 3.6.2 contain a patch. For those who are unable to upgrade immediately, Vendure has made a hotfix available that uses `RequestContextService.getLanguageCode` to validate the `languageCode` input at the boundary. This blocks injection payloads before they can reach any query. The hotfix replaces the existing `getLanguageCode` method in `packages/core/src/service/helpers/request-context/request-context.service.ts`. Invalid values are silently dropped and the channel's default language is used instead. The patched versions additionally convert the vulnerable SQL interpolation to a parameterized query as defense in depth. | ||||
| CVE-2026-40884 | 2026-04-21 | 9.8 Critical | ||
| goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.6, goshs contains an SFTP authentication bypass when the documented empty-username basic-auth syntax is used. If the server is started with -b ':pass' together with -sftp, goshs accepts that configuration but does not install any SFTP password handler. As a result, an unauthenticated network attacker can connect to the SFTP service and access files without a password. This vulnerability is fixed in 2.0.0-beta.6. | ||||
| CVE-2026-40880 | 2026-04-21 | N/A | ||
| ZEBRA is a Zcash node written entirely in Rust. Prior to zebrad version 4.3.1 and zebra-consensus version 5.0.2, a logic error in Zebra's transaction verification cache could allow a malicious miner to induce a consensus split. By carefully submitting a transaction that is valid for height H+1 but invalid for H+2 and then mining that transaction in a block at height H+2, a miner could cause vulnerable Zebra nodes to accept an invalid block, leading to a consensus split from the rest of the Zcash network. This vulnerability is fixed in zebrad version 4.3.1 and zebra-consensus version 5.0.2. | ||||
| CVE-2026-40879 | 2026-04-21 | 7.5 High | ||
| Nest is a framework for building scalable Node.js server-side applications. Prior to 11.1.19, when an attacker sends many small, valid JSON messages in one TCP frame, handleData() recurses once per message; the buffer shrinks each call. maxBufferSize is never reached; call stack overflows instead. A ~47 KB payload is sufficient to trigger RangeError. This vulnerability is fixed in 11.1.19. | ||||
| CVE-2026-40878 | 2026-04-21 | N/A | ||
| mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, the mailcow web interface passes the raw `$_SERVER['REQUEST_URI']` to Twig as a global template variable and renders it inside a JavaScript string literal in the `setLang()` helper of `base.twig`, relying on Twig's default HTML auto-escaping instead of the context-appropriate `js` escaping strategy. In addition, the `query_string()` Twig helper merges all current `$_GET` parameters into the language-switching links on the login page, so attacker-supplied parameters are reflected and preserved across navigation. Version 2026-03b fixes the vulnerability. | ||||
| CVE-2025-4517 | 2 Python, Redhat | 7 Cpython, Enterprise Linux, Rhel Aus and 4 more | 2026-04-21 | 9.4 Critical |
| Allows arbitrary filesystem writes outside the extraction directory during extraction with filter="data". You are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using TarFile.extractall() or TarFile.extract() using the filter= parameter with a value of "data" or "tar". See the tarfile extraction filters documentation https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter for more information. Note that for Python 3.14 or later the default value of filter= changed from "no filtering" to `"data", so if you are relying on this new default behavior then your usage is also affected. Note that none of these vulnerabilities significantly affect the installation of source distributions which are tar archives as source distributions already allow arbitrary code execution during the build process. However when evaluating source distributions it's important to avoid installing source distributions with suspicious links. | ||||
| CVE-2026-40876 | 2026-04-21 | N/A | ||
| goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.6, goshs contains an SFTP root escape caused by prefix-based path validation. An authenticated SFTP user can read from and write to filesystem paths outside the configured SFTP root, which breaks the intended jail boundary and can expose or modify unrelated server files. The SFTP subsystem routes requests through sftpserver/sftpserver.go into DefaultHandler.GetHandler() in sftpserver/handler.go, which forwards file operations into readFile, writeFile, listFile, and cmdFile. All of those sinks rely on sanitizePath() in sftpserver/helper.go. helper.go uses a raw string-prefix comparison, not a directory-boundary check. Because of that, if the configured root is /tmp/goshsroot, then a sibling path such as /tmp/goshsroot_evil/secret.txt incorrectly passes validation since it starts with the same byte prefix. This vulnerability is fixed in 2.0.0-beta.6. | ||||
| CVE-2026-40874 | 2026-04-21 | N/A | ||
| mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, no administrator verification takes place when deleting Forwarding Hosts with `/api/v1/delete/fwdhost`. Any authenticated user can call this API. Checks are only applied for edit/add actions, but deletion can still significantly disrupt the mail service. Version 2026-03b fixes the vulnerability. | ||||
| CVE-2026-40873 | 2026-04-21 | N/A | ||
| mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, the Quarantine details modal injects attachment filenames into HTML without escaping, allowing arbitrary HTML/JS execution. An attacker can deliver an email with a crafted attachment name so that when an admin views the quarantine item, JavaScript executes in their browser, taking over their account. Version 2026-03b fixes the vulnerability. | ||||
| CVE-2026-40872 | 2026-04-21 | N/A | ||
| mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, the admin dashboard's Autodiscover logs render the EMailAddress value (logged as the "user" field) without HTML escaping. By submitting an unauthenticated Autodiscover request with a crafted EMailAddress containing HTML/JS, the payload is stored in Redis and executed when an admin views the Autodiscover logs. Version 2026-03b fixes the vulnerability. | ||||