Total
344720 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-26171 | 1 Microsoft | 1 .net | 2026-04-14 | 7.5 High |
| Uncontrolled resource consumption in .NET allows an unauthorized attacker to deny service over a network. | ||||
| CVE-2026-32088 | 1 Microsoft | 11 Windows 10 1809, Windows 10 21h2, Windows 10 22h2 and 8 more | 2026-04-14 | 6.1 Medium |
| Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Biometric Service allows an unauthorized attacker to bypass a security feature with a physical attack. | ||||
| CVE-2026-32712 | 1 Opensourcepos | 2 Open Source Point Of Sale, Opensourcepos | 2026-04-14 | 5.4 Medium |
| Open Source Point of Sale is a web based point-of-sale application written in PHP using CodeIgniter framework. Prior to 3.4.3, a Stored Cross-Site Scripting (XSS) vulnerability exists in the Daily Sales management table. The customer_name column is configured with escape: false in the bootstrap-table column configuration, causing customer names to be rendered as raw HTML. An attacker with customer management permissions can inject arbitrary JavaScript into a customer's first_name or last_name field, which executes in the browser of any user viewing the Daily Sales page. This vulnerability is fixed in 3.4.3. | ||||
| CVE-2026-29181 | 1 Opentelemetry | 2 Opentelemetry, Opentelemetry-go | 2026-04-14 | 7.5 High |
| OpenTelemetry-Go is the Go implementation of OpenTelemetry. From 1.36.0 to 1.40.0, multi-value baggage: header extraction parses each header field-value independently and aggregates members across values. This allows an attacker to amplify cpu and allocations by sending many baggage: header lines, even when each individual value is within the 8192-byte per-value parse limit. This vulnerability is fixed in 1.41.0. | ||||
| CVE-2026-27949 | 2 Makeplane, Plane | 2 Plane, Plane | 2026-04-14 | 2 Low |
| Plane is an an open-source project management tool. Prior to 1.3.0, a vulnerability was identified in Plane's authentication flow where a user's email address is included as a query parameter in the URL during error handling (e.g., when an invalid magic code is submitted). Transmitting personally identifiable information (PII) via GET request query strings is classified as an insecure design practice. The affected code path is located in the authentication utility module (packages/utils/src/auth.ts). This vulnerability is fixed in 1.3.0. | ||||
| CVE-2026-39322 | 2 Polarlearn, Polarnl | 2 Polarlearn, Polarlearn | 2026-04-14 | 8.8 High |
| PolarLearn is a free and open-source learning program. In 0-PRERELEASE-15 and earlier, POST /api/v1/auth/sign-in creates a valid session for banned accounts before verifying the supplied password. That session is then accepted across authenticated /api routes, enabling account data access and authenticated actions as the banned user. | ||||
| CVE-2026-34353 | 1 Ocaml | 1 Ocaml | 2026-04-14 | 5.9 Medium |
| In OCaml through 4.14.3, Bigarray.reshape allows an integer overflow, and resultant reading of arbitrary memory, when untrusted data is processed. | ||||
| CVE-2026-33166 | 2 Allure-framework, Qameta | 2 Allure2, Allure Report | 2026-04-14 | 8.6 High |
| Allure 2 is the version 2.x branch of Allure Report, a multi-language test reporting tool. The Allure report generator prior to version 2.38.0 is vulnerable to an arbitrary file read via path traversal when processing test results. An attacker can craft a malicious result file (-result.json, -container.json, or .plist) that points an attachment source to a sensitive file on the host system. During report generation, Allure will resolve these paths and include the sensitive files in the final report. Version 2.38.0 fixes the issue. | ||||
| CVE-2026-32887 | 2 Effect Project, Effectful | 2 Effect, Effect | 2026-04-14 | 7.4 High |
| Effect is a TypeScript framework that consists of several packages that work together to help build TypeScript applications. Prior to version 3.20.0, when using `RpcServer.toWebHandler` (or `HttpApp.toWebHandlerRuntime`) inside a Next.js App Router route handler, any Node.js `AsyncLocalStorage`-dependent API called from within an Effect fiber can read another concurrent request's context — or no context at all. Under production traffic, `auth()` from `@clerk/nextjs/server` returns a different user's session. Version 3.20.0 contains a fix for the issue. | ||||
| CVE-2026-32178 | 1 Microsoft | 2 .net, Visual Studio 2022 | 2026-04-14 | 7.5 High |
| Improper neutralization of special elements in .NET allows an unauthorized attacker to perform spoofing over a network. | ||||
| CVE-2026-32181 | 1 Microsoft | 9 Windows 10 21h2, Windows 10 22h2, Windows 11 23h2 and 6 more | 2026-04-14 | 5.5 Medium |
| Improper privilege management in Microsoft Windows allows an authorized attacker to deny service locally. | ||||
| CVE-2026-32203 | 1 Microsoft | 2 .net, Visual Studio 2022 | 2026-04-14 | 7.5 High |
| Stack-based buffer overflow in .NET and Visual Studio allows an unauthorized attacker to deny service over a network. | ||||
| CVE-2026-21331 | 2026-04-14 | 6.1 Medium | ||
| Adobe Connect versions 2025.3, 12.10 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnerability. If an attacker is able to convince a victim to visit a URL referencing a vulnerable page, malicious JavaScript content may be executed within the context of the victim's browser. Scope is changed. | ||||
| CVE-2026-33155 | 2 Qluster, Seperman | 2 Deepdiff, Deepdiff | 2026-04-14 | 7.5 High |
| DeepDiff is a project focused on Deep Difference and search of any Python data. From version 5.0.0 to before version 8.6.2, the pickle unpickler _RestrictedUnpickler validates which classes can be loaded but does not limit their constructor arguments. A few of the types in SAFE_TO_IMPORT have constructors that allocate memory proportional to their input (builtins.bytes, builtins.list, builtins.range). A 40-byte pickle payload can force 10+ GB of memory, which crashes applications that load delta objects or call pickle_load with untrusted data. This issue has been patched in version 8.6.2. | ||||
| CVE-2026-33154 | 1 Dynaconf | 1 Dynaconf | 2026-04-14 | 7.5 High |
| dynaconf is a configuration management tool for Python. Prior to version 3.2.13, Dynaconf is vulnerable to Server-Side Template Injection (SSTI) due to unsafe template evaluation in the @Jinja resolver. When the jinja2 package is installed, Dynaconf evaluates template expressions embedded in configuration values without a sandboxed environment. This issue has been patched in version 3.2.13. | ||||
| CVE-2026-33151 | 1 Socket | 2 Socket.io, Socket.io-parser | 2026-04-14 | 7.5 High |
| Socket.IO is an open source, real-time, bidirectional, event-based, communication framework. Prior to versions 3.3.5, 3.4.4, and 4.2.6, a specially crafted Socket.IO packet can make the server wait for a large number of binary attachments and buffer them, which can be exploited to make the server run out of memory. This issue has been patched in versions 3.3.5, 3.4.4, and 4.2.6. | ||||
| CVE-2026-34628 | 2026-04-14 | 7.8 High | ||
| InDesign Desktop versions 20.5.2, 21.2 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | ||||
| CVE-2026-33144 | 1 Gpac | 1 Gpac | 2026-04-14 | 5.8 Medium |
| GPAC is an open-source multimedia framework. Prior to commit 86b0e36, a heap-based buffer overflow (write) vulnerability was discovered in GPAC MP4Box. The vulnerability exists in the gf_xml_parse_bit_sequence_bs function in utils/xml_bin_custom.c when processing a crafted NHML file containing malicious <BS> (BitSequence) elements. An attacker can exploit this by providing a specially crafted NHML file, causing an out-of-bounds write on the heap. This issue has been via commit 86b0e36. | ||||
| CVE-2026-5756 | 2026-04-14 | N/A | ||
| Unauthenticated Configuration File Modification Vulnerability in DRC Central Office Services (COS) allows an attacker to modify the server's configuration file, potentially leading to mass data exfiltration, malicious traffic interception, or disruption of testing services. | ||||
| CVE-2026-5754 | 2026-04-14 | N/A | ||
| Reflected Cross-Site Scripting (XSS) Vulnerability in Radware Alteon 34.5.4.0 vADC load-balancer allows an attacker to inject malicious scripts into the website, potentially leading to unauthorized actions, data theft, or other malicious activities. | ||||