Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
4.3 MEDIUM
CVE-2024-58343 — Vision Helpdesk Deserialization Vulnerability

Vision Helpdesk before 5.7.0 (patched in 5.6.10) allows attackers to read user profiles via modified serialized cookie data to vis_client_id.

Remote | Information Disclosure
Apr 16, 2026 Apr 16, 2026
Apr 16, 2026
Apr 16, 2026
0.0 NA
CVE-2026-40255 — @adonisjs/http-server has an Open Redirect vulnerability

AdonisJS HTTP Server is a package for handling HTTP requests in the AdonisJS framework. In @adonisjs/http-server versions prior to 7.8.1 and 8.0.0-next.0 through 8.1.3, and @adonisjs/core versions pr…

| Server-Side Request Forgery
Apr 16, 2026 Apr 16, 2026
Apr 16, 2026
Apr 16, 2026
8.1 HIGH
CVE-2026-41113 — Sagredo Qmail TLS Quit Remote Code Execution Vulnerability

sagredo qmail before 2026.04.07 allows tls_quit remote code execution because of popen in notlshosts_auto in qmail-remote.c.

Remote | Injection
Apr 16, 2026 Apr 16, 2026
Apr 16, 2026
Apr 16, 2026
8.8 HIGH
CVE-2026-40308 — My Calendar: Unauthenticated Information Disclosure (IDOR) via Multisite switch_to_blog

My Calendar is a WordPress plugin for managing calendar events. In versions 3.7.6 and below, the mc_ajax_mcjs_action AJAX endpoint, registered for unauthenticated users, passes user-supplied argument…

Remote | Injection
Apr 16, 2026 Apr 16, 2026
Apr 16, 2026
Apr 16, 2026
6.9 MEDIUM
CVE-2026-40249 — free5gc UDR fail-open request handling in PolicyDataSubsToNotifySubsIdPut may allow unint…

free5GC is an open-source implementation of the 5G core network. In versions 4.2.1 and below of the UDR service, the PUT handler for updating Policy Data notification subscriptions at /nudr-dr/v2/pol…

Remote | Misconfiguration
Apr 16, 2026 Apr 16, 2026
Apr 16, 2026
Apr 16, 2026
8.7 HIGH
CVE-2026-40248 — free5gc UDR improper path validation allows unauthenticated creation and modification of …

free5GC is an open-source implementation of the 5G core network. In versions 4.2.1 and below of the UDR service, the handler for creating or updating Traffic Influence Subscriptions checks whether th…

Remote | Authorization
Apr 16, 2026 Apr 16, 2026
Apr 16, 2026
Apr 16, 2026
8.7 HIGH
CVE-2026-40247 — free5gc UDR improper path validation allows unauthenticated access to Traffic Influence S…

free5GC is an open-source implementation of the 5G core network. In versions 4.2.1 and below of the UDR service, the handler for reading Traffic Influence Subscriptions checks whether the influenceId…

Remote | Information Disclosure
Apr 16, 2026 Apr 16, 2026
Apr 16, 2026
Apr 16, 2026
8.7 HIGH
CVE-2026-40246 — free5gc UDR improper path validation allows unauthenticated deletion of Traffic Influence…

free5GC is an open-source implementation of the 5G core network. In versions 1.4.2 and below of the UDR service, the handler for deleting Traffic Influence Subscriptions checks whether the influenceI…

Remote | Authorization
Apr 16, 2026 Apr 16, 2026
Apr 16, 2026
Apr 16, 2026
7.5 HIGH
CVE-2026-40170 — ngtcp2 has a qlog transport parameter serialization stack buffer overflow

ngtcp2 is a C implementation of the IETF QUIC protocol. In versions prior to 1.22.1, ngtcp2_qlog_parameters_set_transport_params() serializes peer transport parameters into a fixed 1024-byte stack bu…

Remote | Memory Corruption
Apr 16, 2026 Apr 16, 2026
Apr 16, 2026
Apr 16, 2026
8.7 HIGH
CVE-2026-39313 — MCP-Framework: Unbounded memory allocation in readRequestBody allows denial of service vi…

mcp-framework is a framework for building Model Context Protocol (MCP) servers. In versions 0.2.21 and below, the readRequestBody() function in the HTTP transport concatenates request body chunks int…

Remote | Denial of Service
Apr 16, 2026 Apr 16, 2026
Apr 16, 2026
Apr 16, 2026
8.7 HIGH
CVE-2026-35469 — SpdyStream: DOS on CRI

spdystream is a Go library for multiplexing streams over SPDY connections. In versions 0.5.0 and below, the SPDY/3 frame parser does not validate attacker-controlled counts and lengths before allocat…

Remote | Memory Corruption
Apr 16, 2026 Apr 16, 2026
Apr 16, 2026
Apr 16, 2026
4.9 MEDIUM
CVE-2026-34164 — Valtimo: Sensitive data exposure through inbox message logging in InboxHandlingService

Valtimo is an open-source business process automation platform. In versions 13.0.0 through 13.21.0, the InboxHandlingService logs the full content of every incoming inbox message at INFO level. Inbox…

Remote | Information Disclosure
Apr 16, 2026 Apr 16, 2026
Apr 16, 2026
Apr 16, 2026
4.8 MEDIUM
CVE-2026-33472 — Cryptomator Hub OAuth token exchange HTTP downgrade via getAuthority() scheme confusion (…

Cryptomator is an open-source client-side encryption application for cloud storage. Version 1.19.1 contains a logic flaw in CheckHostTrustController.getAuthority() that allows an attacker to bypass t…

Remote | Authentication
Apr 16, 2026 Apr 16, 2026
Apr 16, 2026
Apr 16, 2026
0.0 NA
CVE-2026-40253 — openCryptoki: Memory safety vulnerabilities in BER/DER decoders in asn1.c

openCryptoki is a PKCS#11 library and provides tooling for Linux and AIX. In versions 3.26.0 and below, the BER/DER decoding functions in the shared common library (asn1.c) accept a raw pointer but n…

| Memory Corruption
Apr 16, 2026 Apr 16, 2026
Apr 16, 2026
Apr 16, 2026
7.5 HIGH
CVE-2026-40901 — DataEase: Quartz Deserialization → Remote Code Execution

DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below ship the legacy velocity-1.7.jar, which pulls in commons-collections-3.2.1.jar containing the InvokerT…

Remote | Injection
Apr 16, 2026 Apr 16, 2026
Apr 16, 2026
Apr 16, 2026
8.7 HIGH
CVE-2026-40900 — DataEase has SQL Injection via Stacked Queries

DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below contain a SQL injection vulnerability in the /de2api/datasetData/previewSql endpoint. The user-supplie…

Remote | Injection
Apr 16, 2026 Apr 16, 2026
Apr 16, 2026
Apr 16, 2026
8.3 HIGH
CVE-2026-40899 — DataEase has an Arbitrary File Read Vulnerability

DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below contain a JDBC parameter blocklist bypass vulnerability in the MySQL datasource configuration. The Mys…

Remote | Path Traversal
Apr 16, 2026 Apr 16, 2026
Apr 16, 2026
Apr 16, 2026
8.6 HIGH
CVE-2026-33207 — DataEase SQL Injection Vulnerability

DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below contain a SQL injection vulnerability in the /datasource/getTableField endpoint. The getTableFiledSql …

Remote | Injection
Apr 16, 2026 Apr 16, 2026
Apr 16, 2026
Apr 16, 2026
8.6 HIGH
CVE-2026-33122 — DataEase has SQL Injection via Datasource Management

DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below contain a SQL injection vulnerability in the API datasource update process. When a new table definitio…

Remote | Injection
Apr 16, 2026 Apr 16, 2026
Apr 16, 2026
Apr 16, 2026
7.1 HIGH
CVE-2025-54502 — AMD APCB SMM Driver Privilege Escalation Vulnerability

Incorrect use of boot service in the AMD Platform Configuration Blob (APCB) SMM driver could allow a privileged attacker with local access (Ring 0) to achieve privilege escalation potentially resulti…

| Memory Corruption
Apr 16, 2026 Apr 16, 2026
Apr 16, 2026
Apr 16, 2026
Showing 20 of 6542 Results