Search

Search Results (367102 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2026-4370 1 Canonical 1 Juju 2026-04-08 10 Critical
A vulnerability was identified in Juju from version 3.2.0 until 3.6.19 and from version 4.0 until 4.0.4, where the internal Dqlite database cluster fails to perform proper TLS client and server authentication. Specifically, the Juju controller's database endpoint does not validate client certificates when a new node attempts to join the cluster. An unauthenticated attacker with network reachability to the Juju controller's Dqlite port can exploit this flaw to join the database cluster. Once joined, the attacker gains full read and write access to the underlying database, allowing for total data compromise.
CVE-2024-2955 2 Fedoraproject, Wireshark 2 Fedora, Wireshark 2026-04-08 7.8 High
T.38 dissector crash in Wireshark 4.2.0 to 4.0.3 and 4.0.0 to 4.0.13 allows denial of service via packet injection or crafted capture file
CVE-2026-4656 2026-04-07 N/A
This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
CVE-2026-20632 1 Apple 1 Macos 2026-04-07 5.3 Medium
A parsing issue in the handling of directory paths was addressed with improved path validation. This issue is fixed in macOS Tahoe 26.4. An app may be able to access sensitive user data.
CVE-2026-28844 1 Apple 1 Macos 2026-04-07 6.5 Medium
A file access issue was addressed with improved input validation. This issue is fixed in macOS Tahoe 26.4. An attacker may gain access to protected parts of the file system.
CVE-2026-35540 1 Roundcube 1 Webmail 2026-04-07 5.4 Medium
An issue was discovered in Roundcube Webmail 1.6.0 before 1.6.14. Insufficient Cascading Style Sheets (CSS) sanitization in HTML e-mail messages may lead to SSRF or Information Disclosure, e.g., if stylesheet links point to local network hosts.
CVE-2026-35545 1 Roundcube 1 Webmail 2026-04-07 5.3 Medium
An issue was discovered in Roundcube Webmail before 1.5.15 and 1.6.15. The remote image blocking feature can be bypassed via SVG content in an e-mail message. This may lead to information disclosure or access-control bypass. This involves the animate element with attributeName=fill/filter/stroke.
CVE-2026-3566 2026-04-07 N/A
After further discussion, the issue was determined to not meet the criteria for CVE assignment.
CVE-2026-34510 1 Openclaw 1 Openclaw 2026-04-07 5.3 Medium
OpenClaw before 2026.3.22 contains a path traversal vulnerability in Windows media loaders that accepts remote-host file URLs and UNC-style paths before local-path validation. Attackers can exploit this by providing network-hosted file targets that are treated as local content, bypassing intended access restrictions.
CVE-2026-3989 1 Sglang 1 Sglang 2026-04-07 7.8 High
SGLangs `replay_request_dump.py` contains an insecure pickle.load() without validation and proper deserialization. An attacker can take advantage of this by providing a malicious .pkl file, which will execute the attackers code on the device running the script.
CVE-2026-3060 2 Lmsys, Sglang 2 Sglang, Sglang 2026-04-07 9.8 Critical
SGLang' encoder parallel disaggregation system is vulnerable to unauthenticated remote code execution through the disaggregation module, which deserializes untrusted data using pickle.loads() without authentication.
CVE-2026-3059 2 Lmsys, Sglang 2 Sglang, Sglang 2026-04-07 9.8 Critical
SGLang's multimodal generation module is vulnerable to unauthenticated remote code execution through the ZMQ broker, which deserializes untrusted data using pickle.loads() without authentication.
CVE-2026-35566 2026-04-07 N/A
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2026-39319. Reason: This candidate is a duplicate of CVE-2026-39319. Notes: All CVE users should reference CVE-2026-39319 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.another CVE.
CVE-2021-38289 1 Novastar 1 Novaicare 2026-04-07 8.8 High
An issue has been discovered in Novastar-VNNOX-iCare Novaicare 7.16.0 that gives attacker privilege escalation and allows attackers to view corporate information and SMTP server details, delete users, view roles, and other unspecified impacts. NOTE: As of April 2026, the vendor has officially decommissioned the affected legacy endpoints and associated services. The vulnerability is mitigated as the functional logic is no longer operational and the URLs have been removed from production.
CVE-2026-5691 1 Totolink 2 A7100ru, A7100ru Firmware 2026-04-07 7.3 High
A vulnerability has been found in Totolink A7100RU 7.4cu.2313_b20191024. This affects the function setFirewallType of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument firewallType leads to os command injection. The attack is possible to be carried out remotely. The exploit has been disclosed to the public and may be used.
CVE-2026-5359 2026-04-07 N/A
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. Reason: This candidate was issued in error. Notes: All references and descriptions in this candidate have been removed to prevent accidental usage.
CVE-2026-5681 1 Itsourcecode 1 Sanitize Or Validate This Input 2026-04-07 6.3 Medium
A flaw has been found in itsourcecode sanitize or validate this input 1.0. This impacts an unknown function of the file /borrowedequip.php of the component Parameter Handler. This manipulation of the argument emp_id causes sql injection. The attack is possible to be carried out remotely. The exploit has been published and may be used.
CVE-2025-70973 1 Scadabr 1 Scadabr 2026-04-07 4.8 Medium
ScadaBR 1.12.4 is vulnerable to Session Fixation. The application assigns a JSESSIONID session cookie to unauthenticated users and does not regenerate the session identifier after successful authentication. As a result, a session created prior to login becomes authenticated once the victim logs in, allowing an attacker who knows the session ID to hijack an authenticated session.
CVE-2026-5666 1 Code-projects 1 Online Fir System 2026-04-07 5.3 Medium
A vulnerability was detected in code-projects Online FIR System 1.0. Affected by this issue is some unknown functionality of the file /complaints.sql of the component SQL Database Backup File Handler. The manipulation results in insecure storage of sensitive information. The attack may be performed from remote. The exploit is now public and may be used.
CVE-2026-5672 1 Code-projects 1 Simple It Discussion Forum 2026-04-07 7.3 High
A vulnerability has been found in code-projects Simple IT Discussion Forum 1.0. Affected by this issue is some unknown functionality of the file /edit-category.php of the component Parameter Handler. The manipulation of the argument cat_id leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.