CVE Database

110968+ vulnerabilities with CVSS scores, EPSS exploit predictions, and CISA KEV status. Updated daily.

Filter: All CRITICAL HIGH MEDIUM LOW CISA KEV
Sort: Newest CVSS EPSS
CVE-2026-33656
9.1 CRITICAL

EspoCRM is an open source customer relationship management application. Prior to version 9.3.4, EspoCRM's built-in formula scripting engine allowing updating attachment's sourceId thus allowing an …

Apr 22, 2026
CVE-2026-6019

http.cookies.Morsel.js_output() returns an inline <script> snippet and only escapes " for JavaScript string context. It does not neutralize the HTML parser-sensitive sequence </script> inside the …

Apr 22, 2026
CVE-2026-3673
5.4 MEDIUM

An authenticated attacker can store a crafted tag value in _user_tags and trigger JavaScript execution when a victim opens the list/report view where tags are …

Apr 22, 2026
CVE-2026-34066
5.3 MEDIUM

nimiq-blockchain provides persistent block storage for Nimiq's Rust implementation. Prior to version 1.3.0, `HistoryStore::put_historic_txns` uses an `assert!` to enforce invariants about `HistoricTransaction.block_number` (must be within …

Apr 22, 2026
CVE-2026-34065
7.5 HIGH

nimiq-primitives contains primitives (e.g., block, account, transaction) to be used in Nimiq's Rust implementation. Prior to version 1.3.0, an untrusted p2p peer can cause a …

Apr 22, 2026
CVE-2026-34064
5.3 MEDIUM

nimiq-account contains account primitives to be used in Nimiq's Rust implementation. Prior to version 1.3.0, `VestingContract::can_change_balance` returns `AccountError::InsufficientFunds` when `new_balance < min_cap`, but it constructs …

Apr 22, 2026
CVE-2026-34063
7.5 HIGH

Nimiq's network-libp2p is a Nimiq network implementation based on libp2p. Prior to version 1.3.0, `network-libp2p` discovery uses a libp2p `ConnectionHandler` state machine. the handler assumes …

Apr 22, 2026
CVE-2026-34062
5.3 MEDIUM

nimiq-libp2p is a Nimiq network implementation based on libp2p. Prior to version 1.3.0, `MessageCodec::read_request` and `read_response` call `read_to_end()` on inbound substreams, so a remote peer …

Apr 22, 2026
CVE-2026-33471
9.6 CRITICAL

nimiq-block contains block primitives to be used in Nimiq's Rust implementation. `SkipBlockProof::verify` computes its quorum check using `BitSet.len()`, then iterates `BitSet` indices and casts each …

Apr 22, 2026
CVE-2026-41469
5.2 MEDIUM

Beghelli Sicuro24 SicuroWeb does not enforce a Content Security Policy, allowing unrestricted loading of external JavaScript resources from attacker-controlled origins. When chained with the template …

Apr 22, 2026
CVE-2026-41468
8.7 HIGH

Beghelli Sicuro24 SicuroWeb embeds AngularJS 1.5.2, an end-of-life component containing known sandbox escape primitives. When combined with template injection present in the same application, these …

Apr 22, 2026
CVE-2026-41459
5.3 MEDIUM

Xerte Online Toolkits versions 3.15 and earlier contain an information disclosure vulnerability that allows unauthenticated attackers to retrieve the full server-side filesystem path of the …

Apr 22, 2026
CVE-2026-34415
9.8 CRITICAL

Xerte Online Toolkits versions 3.15 and earlier contain an incomplete input validation vulnerability in the elFinder connector endpoint that fails to block PHP-executable extensions .php4 …

Apr 22, 2026
CVE-2026-34414
7.1 HIGH

Xerte Online Toolkits versions 3.15 and earlier contain a relative path traversal vulnerability in the elFinder connector endpoint at /editor/elfinder/php/connector.php where the name parameter in …

Apr 22, 2026
CVE-2026-34413
8.6 HIGH

Xerte Online Toolkits versions 3.15 and earlier contain a missing authentication vulnerability in the elFinder connector endpoint at /editor/elfinder/php/connector.php where an HTTP redirect to unauthenticated …

Apr 22, 2026
CVE-2026-28950
6.2 MEDIUM

A logging issue was addressed with improved data redaction. This issue is fixed in iOS 15.8.8 and iPadOS 15.8.8, iOS 16.7.16 and iPadOS 16.7.16, iOS …

Apr 22, 2026
CVE-2026-26354
8.1 HIGH

Dell PowerProtect Data Domain with Domain Operating System (DD OS) of Feature Release versions 7.7.1.0 through 8.6, LTS2025 release version 8.3.1.0 through 8.3.1.10, LTS2024 release …

Apr 22, 2026
CVE-2026-6515
5.4 MEDIUM

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.2 before 18.9.6, 18.10 before 18.10.4, and 18.11 before 18.11.1 that could have …

Apr 22, 2026
CVE-2026-5816
8.0 HIGH

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.10 before 18.10.4 and 18.11 before 18.11.1 that could have allowed an unauthenticated …

Apr 22, 2026
CVE-2026-5377
4.3 MEDIUM

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.11 before 18.11.1 that could have allowed an authenticated user to access titles …

Apr 22, 2026
CVE-2026-5262
8.0 HIGH

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 16.1.0 before 18.9.6, 18.10 before 18.10.4, and 18.11 before 18.11.1 that under certain …

Apr 22, 2026
CVE-2026-4922
8.1 HIGH

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.0 before 18.9.6, 18.10 before 18.10.4, and 18.11 before 18.11.1 that could have …

Apr 22, 2026
CVE-2026-3254
3.5 LOW

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.11 before 18.11.1 that under certain conditions could have allowed an authenticated user …

Apr 22, 2026
CVE-2026-35382

Rejected reason: Voluntarily withdrawn

Apr 22, 2026
CVE-2026-35381
3.3 LOW

A logic error in the cut utility of uutils coreutils causes the utility to ignore the -s (only-delimited) flag when using the -z (null-terminated) and …

Apr 22, 2026
CVE-2026-35380
5.5 MEDIUM

A logic error in the cut utility of uutils coreutils causes the program to incorrectly interpret the literal two-byte string '' (two single quotes) as …

Apr 22, 2026
CVE-2026-35379
3.3 LOW

A logic error in the tr utility of uutils coreutils causes the program to incorrectly define the [:graph:] and [:print:] character classes. The implementation mistakenly …

Apr 22, 2026
CVE-2026-35378
3.3 LOW

A logic error in the expr utility of uutils coreutils causes the program to evaluate parenthesized subexpressions during the parsing phase rather than at the …

Apr 22, 2026
CVE-2026-35377
3.3 LOW

A logic error in the env utility of uutils coreutils causes a failure to correctly parse command-line arguments when utilizing the -S (split-string) option. In …

Apr 22, 2026
CVE-2026-35376
4.5 MEDIUM

A Time-of-Check to Time-of-Use (TOCTOU) vulnerability exists in the chcon utility of uutils coreutils during recursive operations. The implementation resolves recursive targets using a fresh …

Apr 22, 2026
CVE-2026-35375
3.3 LOW

A logic error in the split utility of uutils coreutils causes the corruption of output filenames when provided with non-UTF-8 prefix or suffix inputs. The …

Apr 22, 2026
CVE-2026-35374
6.3 MEDIUM

A Time-of-Check to Time-of-Use (TOCTOU) vulnerability exists in the split utility of uutils coreutils. The program attempts to prevent data loss by checking for identity …

Apr 22, 2026
CVE-2026-35373
3.3 LOW

A logic error in the ln utility of uutils coreutils causes the program to reject source paths containing non-UTF-8 filename bytes when using target-directory forms …

Apr 22, 2026
CVE-2026-35372
5.0 MEDIUM

A logic error in the ln utility of uutils coreutils allows the utility to dereference a symbolic link target even when the --no-dereference (or -n) …

Apr 22, 2026
CVE-2026-35371
3.3 LOW

The id utility in uutils coreutils exhibits incorrect behavior in its "pretty print" output when the real UID and effective UID differ. The implementation incorrectly …

Apr 22, 2026
CVE-2026-35370
4.4 MEDIUM

The id utility in uutils coreutils miscalculates the groups= section of its output. The implementation uses a user's real GID instead of their effective GID …

Apr 22, 2026
CVE-2026-35369
5.5 MEDIUM

An argument parsing error in the kill utility of uutils coreutils incorrectly interprets kill -1 as a request to send the default signal (SIGTERM) to …

Apr 22, 2026
CVE-2026-35368
7.8 HIGH

A vulnerability exists in the chroot utility of uutils coreutils when using the --userspec option. The utility resolves the user specification via getpwnam() after entering …

Apr 22, 2026
CVE-2026-35367
3.3 LOW

The nohup utility in uutils coreutils creates its default output file, nohup.out, without specifying explicit restricted permissions. This causes the file to inherit umask-based permissions, …

Apr 22, 2026
CVE-2026-35366
4.4 MEDIUM

The printenv utility in uutils coreutils fails to display environment variables containing invalid UTF-8 byte sequences. While POSIX permits arbitrary bytes in environment strings, the …

Apr 22, 2026
CVE-2026-35365
6.6 MEDIUM

The mv utility in uutils coreutils improperly handles directory trees containing symbolic links during moves across filesystem boundaries. Instead of preserving symlinks, the implementation expands …

Apr 22, 2026
CVE-2026-35364
6.3 MEDIUM

A Time-of-Check to Time-of-Use (TOCTOU) race condition exists in the mv utility of uutils coreutils during cross-device operations. The utility removes the destination path before …

Apr 22, 2026
CVE-2026-35363
5.6 MEDIUM

A vulnerability in the rm utility of uutils coreutils allows the bypass of safeguard mechanisms intended to protect the current directory. While the utility correctly …

Apr 22, 2026
CVE-2026-35362
3.6 LOW

The safe_traversal module in uutils coreutils, which provides protection against Time-of-Check to Time-of-Use (TOCTOU) symlink races using file-descriptor-relative syscalls, is incorrectly limited to Linux targets. …

Apr 22, 2026
CVE-2026-35361
3.4 LOW

The mknod utility in uutils coreutils fails to handle security labels atomically by creating device nodes before setting the SELinux context. If labeling fails, the …

Apr 22, 2026
CVE-2026-35360
6.3 MEDIUM

The touch utility in uutils coreutils is vulnerable to a Time-of-Check to Time-of-Use (TOCTOU) race condition during file creation. When the utility identifies a missing …

Apr 22, 2026
CVE-2026-35359
4.7 MEDIUM

A Time-of-Check to Time-of-Use (TOCTOU) vulnerability in the cp utility of uutils coreutils allows an attacker to bypass no-dereference intent. The utility checks if a …

Apr 22, 2026
CVE-2026-35358
4.4 MEDIUM

The cp utility in uutils coreutils, when performing recursive copies (-R), incorrectly treats character and block device nodes as stream sources rather than preserving them. …

Apr 22, 2026
CVE-2026-35357
4.7 MEDIUM

The cp utility in uutils coreutils is vulnerable to an information disclosure race condition. Destination files are initially created with umask-derived permissions (e.g., 0644) before …

Apr 22, 2026
CVE-2026-35356
6.3 MEDIUM

A Time-of-Check to Time-of-Use (TOCTOU) vulnerability exists in the install utility of uutils coreutils when using the -D flag. The command creates parent directories and …

Apr 22, 2026

Scan your infrastructure for known CVEs

Free website and port scanning — find vulnerabilities before attackers do.