CVEs from 2026
| Metric | Value |
|---|---|
| Total | 13,308 |
| Critical | 1,106 |
| High | 3,922 |
| Medium | 3,982 |
| Low | 414 |
| % Critical | 8.3% |
| % with KEV | 0.4% |
| % with exploit | 0.5% |
Top products
- chrome 299
- firepower_threat_defense 298
- firepower_threat_defense_software 295
- gcp 221
- openclaw 166
- commerce 104
- commerce_b2b 89
- magento 74
Top packages
| CVE | Severity | CVSS | Risk | Published | Description | Impact |
|---|---|---|---|---|---|---|
| CVE-2026-41368 | medium | 6.5 | 6.5 | 1mo ago | OpenClaw before 2026.3.28 contains an environment variable disclosure vulnerability in the jq safe-bin policy that fails to block the $ENV filter. Attackers can bypass safe-bin restrictions by using … | |
| CVE-2026-41363 | medium | 6.5 | 6.5 | 1mo ago | OpenClaw: Feishu extension resolveUploadInput bypasses file-system sandbox and allows arbitrary file reads via upload_image | |
| CVE-2026-41465 | medium | 6.5 | 6.5 | 1mo ago | ProjeQtor versions 7.0 through 12.4.3 contain a path traversal vulnerability in the log file viewer at dynamicDialog.php where the logname parameter is not validated against directory traversal seque… | |
| CVE-2026-41081 | medium | 6.5 | 6.5 | 1mo ago | Apache Storm's Improper Handling of TLS Client Authentication Failure Leads to Anonymous Principal Assignment | |
| CVE-2026-42255 | medium | 6.5 | 6.5 | 1mo ago | Technitium DNS Server before 15.0 allows DNS traffic amplification via cyclic name server delegation. | |
| CVE-2026-41481 | medium | 6.5 | 6.5 | 1mo ago | LangChain is a framework for building agents and LLM-powered applications. Prior to langchain-text-splitters 1.1.2, HTMLHeaderTextSplitter.split_text_from_url() validated the initial URL using valid… | |
| CVE-2026-6968 | medium | 6.5 | 6.5 | 1mo ago | Incomplete path traversal fixes in awslabs/tough before tough-v0.22.0 allow remote authenticated users with delegated signing authority to write files outside intended output directories via absolute… | |
| CVE-2026-6967 | medium | 6.5 | 6.5 | 1mo ago | awslabs/tough is Missing Delegated Metadata Validation | |
| CVE-2026-6966 | medium | 6.5 | 6.5 | 1mo ago | awslabs/tough Delegated Roles have a Signature Threshold Bypass | |
| CVE-2026-41427 | medium | 6.5 | 6.5 | 1mo ago | OAuth 2.1 Provider: Unprivileged users can register OAuth clients | |
| CVE-2026-42041 | medium | 6.5 | 6.5 | 1mo ago | Axios: Authentication Bypass via Prototype Pollution Gadget in `validateStatus` Merge Strategy | |
| CVE-2026-42202 | medium | 6.5 | 6.5 | 1mo ago | nova-toggle-5: Improper authorization on toggle endpoint allowed non-Nova users to modify boolean fields | |
| CVE-2026-5265 | medium | 6.5 | 6.5 | 1mo ago | When generating an ICMP Destination Unreachable or Packet Too Big response, the handler copies a portion of the original packet into the ICMP error body using the IP header's self-declared total leng… | |
| CVE-2026-41340 | medium | 6.5 | 6.5 | 1mo ago | OpenClaw before 2026.3.31 contains an authentication boundary vulnerability where Telegram legacy allowFrom migration incorrectly fans default-account trust into all named accounts. Attackers can exp… | |
| CVE-2026-41334 | medium | 6.5 | 6.5 | 1mo ago | OpenClaw before 2026.3.31 contains a decompression bomb vulnerability in image processing that fails to properly enforce pixel-limit guards on sips. Attackers can exploit this by uploading oversized … | |
| CVE-2026-41908 | medium | 6.5 | 6.5 | 1mo ago | OpenClaw: Assistant media route missed scope enforcement for trusted-proxy authorization | |
| CVE-2026-5926 | medium | 6.5 | 6.5 | 1mo ago | IBM Verify Identity Access Container 11.0 through 11.0.2 and IBM Security Verify Access Container 10.0 through 10.0.9.1 and IBM Verify Identity Access 11.0 through 11.0.2 and IBM Security Verify Acce… | |
| CVE-2026-41314 | medium | 6.5 | 6.5 | 1mo ago | pypdf: Manipulated FlateDecode image dimensions can exhaust RAM | |
| CVE-2026-6355 | medium | 6.5 | 6.5 | 1mo ago | A vulnerability in the web application allows unauthorized users to access and manipulate sensitive data across different tenants by exploiting insecure direct object references. This could lead to u… | |
| CVE-2026-31192 | medium | 6.5 | 6.5 | 1mo ago | Insufficient validation of Chrome extension identifiers in Raindrop.io Bookmark Manager Web App 5.6.76.0 allows attackers to obtain sensitive user data via a crafted request. | |
| CVE-2026-6834 | medium | 6.5 | 6.5 | 1mo ago | The a+HRD developed by aEnrich has a Missing Authorization vulnerability, allowing authenticated remote attackers to arbitrarily read database contents through a specific API method. | |
| CVE-2026-6833 | medium | 6.5 | 6.5 | 1mo ago | The a+HRD developed by aEnrich has a SQL Injection vulnerability, allowing authenticated remote attackers to inject arbitrary SQL commands to read database contents. | |
| CVE-2026-40924 | medium | 6.5 | 6.5 | 1mo ago | Tekton Pipelines: HTTP Resolver Unbounded Response Body Read Enables Denial of Service via Memory Exhaustion | |
| CVE-2026-41320 | medium | 6.5 | 6.5 | 1mo ago | Frappe HR is an open-source human resources management solution (HRMS). Prior to versions 15.54.0 and 14.38.1, a specially crafted request made to a certain endpoint could result in SQL injection, al… | |
| CVE-2026-40889 | medium | 6.5 | 6.5 | 1mo ago | Frappe HR is an open-source human resources management solution (HRMS). Prior to versions 15.58.2 and 16.4.2, authenticated users can access unauthorized files by exploiting certain api endpoint. Ver… | |
| CVE-2026-40888 | medium | 6.5 | 6.5 | 1mo ago | Frappe HR is an open-source human resources management solution (HRMS). Prior to versions 15.58.1 and 16.4.1, an authenticated user with default role can access unauthorized information by exploiting… | |
| CVE-2026-40161 | medium | 6.5 | 6.5 | 1mo ago | Tekton Pipelines: Git resolver API mode leaks system-configured API token to user-controlled serverURL | |
| CVE-2026-30452 | medium | 6.5 | 6.5 | 1mo ago | Textpattern CMS 4.9.0 contains a Broken Access Control vulnerability in the article management system that allows authenticated users with low privileges to modify articles owned by users with higher… | |
| CVE-2026-25542 | medium | 6.5 | 6.5 | 1mo ago | Tekton Pipelines has VerificationPolicy regex pattern bypass via substring matching | |
| CVE-2026-39396 | medium | 6.5 | 6.5 | 1mo ago | OpenBao: Decompression Bomb via Unbounded Copy in OCI Plugin Extraction (DoS) | |
| CVE-2026-6588 | medium | 6.5 | 6.5 | 1mo ago | A weakness has been identified in serge-chat serge up to 1.4TB. The impacted element is the function download_model/delete_model of the file api/src/serge/routers/model.py of the component Model API … | |
| CVE-2026-6579 | medium | 6.5 | 6.5 | 1mo ago | A weakness has been identified in liangliangyy DjangoBlog up to 2.1.0.0. This impacts an unknown function of the file blog/views.py of the component Clean Endpoint. This manipulation causes missing a… | |
| CVE-2026-40346 | medium | 6.5 | 6.5 | 1mo ago | NocoBase has SSRF in Workflow HTTP Request and Custom Request Plugins | |
| CVE-2026-40293 | medium | 6.5 | 6.5 | 1mo ago | OpenFGA: Unauthenticated playground endpoint discloses preshared API key in HTML response | |
| CVE-2026-33569 | medium | 6.5 | 6.5 | 1mo ago | Anviz CX2 Lite and CX7 administrative sessions occur over HTTP, enabling on‑path attackers to sniff credentials and session data, which can be used to compromise the device. | |
| CVE-2026-23777 | medium | 6.5 | 6.5 | 1mo ago | Dell PowerProtect Data Domain with Data Domain Operating System (DD OS) of Feature Release versions 7.7.1.0 through 8.5, LTS2025 release version 8.3.1.0 through 8.3.1.20, LTS2024 release versions 7.1… | |
| CVE-2026-41313 | medium | 6.5 | 6.5 | 1mo ago | pypdf: Possible long runtimes for wrong size values in incremental mode | |
| CVE-2026-41312 | medium | 6.5 | 6.5 | 1mo ago | pypdf: Manipulated FlateDecode predictor parameters can exhaust RAM | |
| CVE-2026-3861 | medium | 6.5 | 6.5 | 1mo ago | LINE client for iOS versions prior to 26.3.0 contains a vulnerability in the in-app browser where opening a crafted web page can repeatedly trigger OS-level dialogs due to insufficient safeguards whe… | |
| CVE-2026-6364 | medium | 6.5 | 6.5 | 1mo ago | Out of bounds read in Skia in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted file. (Chromium security se… | |
| CVE-2026-20081 | medium | 6.5 | 6.5 | 1mo ago | Multiple vulnerabilities in Cisco Unity Connection could allow an authenticated, remote attacker to download arbitrary files from an affected system. To exploit these vulnerabilities, the attack… | |
| CVE-2026-20078 | medium | 6.5 | 6.5 | 1mo ago | Multiple vulnerabilities in Cisco Unity Connection could allow an authenticated, remote attacker to download arbitrary files from an affected system. To exploit these vulnerabilities, the attack… | |
| CVE-2026-20061 | medium | 6.5 | 6.5 | 1mo ago | A vulnerability in the web-based management interface of Cisco Unity Connection could allow an authenticated, remote attacker to perform an SQL injection attack against an affected device. To exploit… | |
| CVE-2026-23653 | medium | 6.5 | 6.5 | 1mo ago | Improper neutralization of special elements used in a command ('command injection') in GitHub Copilot and Visual Studio Code allows an authorized attacker to disclose information over a network. | |
| CVE-2026-38533 | medium | 6.5 | 6.5 | 1mo ago | An improper authorization vulnerability in the /api/v1/users/{id} endpoint of Snipe-IT v8.4.0 allows authenticated attackers with the users.edit permission to modify sensitive authentication and acco… | |
| CVE-2026-22576 | medium | 6.5 | 6.5 | 1mo ago | A storing passwords in a recoverable format vulnerability in Fortinet FortiSOAR PaaS 7.6.0 through 7.6.4, FortiSOAR PaaS 7.5.0 through 7.5.2, FortiSOAR PaaS 7.4 all versions, FortiSOAR PaaS 7.3 all v… | |
| CVE-2026-22574 | medium | 6.5 | 6.5 | 1mo ago | A storing passwords in a recoverable format vulnerability in Fortinet FortiSOAR PaaS 7.6.0 through 7.6.4, FortiSOAR PaaS 7.5.0 through 7.5.2, FortiSOAR PaaS 7.4 all versions, FortiSOAR PaaS 7.3 all v… | |
| CVE-2026-22573 | medium | 6.5 | 6.5 | 1mo ago | An improper limitation of a pathname to a restricted directory ('path traversal') vulnerability in Fortinet FortiSOAR PaaS 7.6.0 through 7.6.3, FortiSOAR PaaS 7.5 all versions, FortiSOAR PaaS 7.4 all… | |
| CVE-2026-21742 | medium | 6.5 | 6.5 | 1mo ago | A cleartext transmission of sensitive information vulnerability in Fortinet FortiSOAR PaaS 7.6.0 through 7.6.3, FortiSOAR PaaS 7.5.0 through 7.5.2, FortiSOAR PaaS 7.4 all versions, FortiSOAR PaaS 7.3… | |
| CVE-2026-34264 | medium | 6.5 | 6.5 | 2mo ago | During authorization checks in SAP Human Capital Management for SAP S/4HANA, the system returns specific messages. Due to this, an authenticated user with low privileges could guess and enumerate the… | |
| CVE-2026-27679 | medium | 6.5 | 6.5 | 2mo ago | Due to missing authorization checks in the SAP S/4HANA frontend OData Service (Manage Reference Structures), an attacker could update and delete child entities via exposed OData services without prop… | |
| CVE-2026-31280 | medium | 6.5 | 6.5 | 2mo ago | An issue in the Bluetooth RFCOMM service of Parani M10 Motorcycle Intercom v2.1.3 allows unauthorized attackers to cause a Denial of Service (DoS) via supplying crafted RFCOMM frames. | |
| CVE-2026-6111 | medium | 6.5 | 6.5 | 2mo ago | MetaGPT affected by server-side request forgery in metagpt/utils/common.py | |
| CVE-2026-5412 | medium | 6.5 | 6.5 | 2mo ago | Juju: CloudSpec method leaking cloud credentials | |
| CVE-2026-5460 | medium | 6.5 | 6.5 | 2mo ago | A heap use-after-free exists in wolfSSL's TLS 1.3 post-quantum cryptography (PQC) hybrid KeyShare processing. In the error handling path of TLSX_KeyShare_ProcessPqcHybridClient() in src/tls.c, the in… | |
| CVE-2026-5778 | medium | 6.5 | 6.5 | 2mo ago | Integer underflow in wolfSSL packet sniffer <= 5.9.0 allows an attacker to cause a program crash in the AEAD decryption path by injecting a TLS record shorter than the explicit IV plus authentication… | |
| CVE-2026-5263 | medium | 6.5 | 6.5 | 2mo ago | URI nameConstraints from constrained intermediate CAs are parsed but not enforced during certificate chain verification in wolfcrypt/src/asn.c. A compromised or malicious sub-CA could issue leaf cert… | |
| CVE-2026-5329 | medium | 6.5 | 6.5 | 2mo ago | Rapid7 Velociraptor versions prior to 0.76.2 contain an improper input validation vulnerability in the client monitoring message handler on the Velociraptor server (primarily Linux) that allows an au… | |
| CVE-2026-5919 | medium | 6.5 | 6.5 | 2mo ago | Insufficient validation of untrusted input in WebSockets in Google Chrome prior to 147.0.7727.55 allowed a remote attacker who had compromised the renderer process to bypass same origin policy via a … | |
| CVE-2026-2377 | medium | 6.5 | 6.5 | 2mo ago | A flaw was found in mirror-registry. Authenticated users can exploit the log export feature by providing a specially crafted web address (URL). This allows the application's backend to make arbitrary… | |
| CVE-2026-39651 | medium | 6.5 | 6.5 | 2mo ago | Missing Authorization vulnerability in TotalSuite Total Poll Lite totalpoll-lite allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Total Poll Lite: from n/a t… | |
| CVE-2026-39641 | medium | 6.5 | 6.5 | 2mo ago | Cross-Site Request Forgery (CSRF) vulnerability in Skywarrior Blackfyre blackfyre allows Cross Site Request Forgery. This issue affects Blackfyre: from n/a through <= 2.5.4. | |
| CVE-2026-39639 | medium | 6.5 | 6.5 | 2mo ago | Missing Authorization vulnerability in redpixelstudios RPS Include Content rps-include-content allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects RPS Include C… | |
| CVE-2026-39633 | medium | 6.5 | 6.5 | 2mo ago | Cross-Site Request Forgery (CSRF) vulnerability in ThemeGoods Grand Car Rental grandcarrental allows Cross Site Request Forgery. This issue affects Grand Car Rental: from n/a through <= 3.6.9. | |
| CVE-2026-39488 | medium | 6.5 | 6.5 | 2mo ago | Missing Authorization vulnerability in SureCart SureCart surecart allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects SureCart: from n/a through <= 4.0.2. | |
| CVE-2026-35454 | medium | 6.5 | 6.5 | 2mo ago | Code Extension Marketplace: Zip Slip Path Traversal | |
| CVE-2026-34061 | medium | 6.5 | 6.5 | 2mo ago | nimiq/core-rs-albatross is a Rust implementation of the Nimiq Proof-of-Stake protocol based on the Albatross consensus algorithm. Prior to version 1.3.0, an elected validator proposer can send an ele… | |
| CVE-2026-25773 | medium | 6.5 | 6.5 | 2mo ago | Focalboard doesn't sanitize category IDs before incorporating them into dynamic SQL statements | |
| CVE-2026-35038 | medium | 6.5 | 6.5 | 2mo ago | Signal K Server: Arbitrary Prototype Read via `from` Field Bypass | |
| CVE-2026-5330 | medium | 6.5 | 6.5 | 2mo ago | A vulnerability was found in SourceCodester/mayuri_k Best Courier Management System 1.0. Affected by this issue is some unknown functionality of the file /ajax.php?action=delete_user of the component… | |
| CVE-2026-5316 | medium | 6.5 | 6.5 | 2mo ago | A vulnerability was identified in Nothings stb up to 1.22. The impacted element is the function setup_free of the file stb_vorbis.c. The manipulation leads to allocation of resources. The attack is p… | |
| CVE-2026-4964 | medium | 6.5 | 6.5 | 2mo ago | A security vulnerability has been detected in letta-ai letta 0.16.4. This vulnerability affects the function _convert_message_create_to_message of the file letta/helpers/message_helper.py of the comp… | |
| CVE-2026-4958 | medium | 6.5 | 6.5 | 2mo ago | A vulnerability has been found in OpenBMB XAgent 1.0.0. This affects the function ReplayServer.on_connect/ReplayServer.send_data of the file XAgentServer/application/websockets/replayer.py of the com… | |
| CVE-2026-33693 | medium | 6.5 | 6.5 | 2mo ago | Activitypub-Federation has SSRF via 0.0.0.0 bypass in activitypub-federation-rust v4_is_invalid() | |
| CVE-2026-4825 | medium | 6.5 | 6.5 | 2mo ago | A vulnerability was found in SourceCodester Sales and Inventory System 1.0. This affects an unknown part of the file /update_sales.php of the component HTTP GET Parameter Handler. The manipulation of… | |
| CVE-2026-32541 | medium | 6.5 | 6.5 | 2mo ago | Missing Authorization vulnerability in Premmerce Premmerce Redirect Manager premmerce-redirect-manager allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Premm… | |
| CVE-2026-32535 | medium | 6.5 | 6.5 | 2mo ago | Authorization Bypass Through User-Controlled Key vulnerability in JoomSky JS Help Desk js-support-ticket allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects JS … | |
| CVE-2026-32533 | medium | 6.5 | 6.5 | 2mo ago | Authorization Bypass Through User-Controlled Key vulnerability in LatePoint LatePoint latepoint allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects LatePoint: f… | |
| CVE-2026-32527 | medium | 6.5 | 6.5 | 2mo ago | Missing Authorization vulnerability in CRM Perks WP Insightly for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms cf7-insightly allows Exploiting Incorrectly Configured Access Control … | |
| CVE-2026-32514 | medium | 6.5 | 6.5 | 2mo ago | Missing Authorization vulnerability in Anton Voytenko Petitioner petitioner allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Petitioner: from n/a through <= … | |
| CVE-2026-32483 | medium | 6.5 | 6.5 | 2mo ago | Missing Authorization vulnerability in codepeople Contact Form Email contact-form-to-email allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Contact Form Emai… | |
| CVE-2026-27046 | medium | 6.5 | 6.5 | 2mo ago | Missing Authorization vulnerability in Kaira StoreCustomizer woocustomizer allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects StoreCustomizer: from n/a through… | |
| CVE-2026-25469 | medium | 6.5 | 6.5 | 2mo ago | Missing Authorization vulnerability in ViaBill for WooCommerce ViaBill – WooCommerce viabill-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Via… | |
| CVE-2026-25465 | medium | 6.5 | 6.5 | 2mo ago | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in codepeople CP Multi View Event Calendar cp-multi-view-calendar allows Stored XSS. This issue affe… | |
| CVE-2026-25455 | medium | 6.5 | 6.5 | 2mo ago | Missing Authorization vulnerability in PickPlugins Product Slider for WooCommerce woocommerce-products-slider allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affect… | |
| CVE-2026-25454 | medium | 6.5 | 6.5 | 2mo ago | Missing Authorization vulnerability in MVPThemes The League the-league allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects The League: from n/a through <= 4.4.1. | |
| CVE-2026-25430 | medium | 6.5 | 6.5 | 2mo ago | Missing Authorization vulnerability in CRM Perks Integration for Mailchimp and Contact Form 7, WPForms, Elementor, Ninja Forms cf7-mailchimp allows Exploiting Incorrectly Configured Access Control Se… | |
| CVE-2026-25390 | medium | 6.5 | 6.5 | 2mo ago | Missing Authorization vulnerability in Saad Iqbal New User Approve new-user-approve allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects New User Approve: from n… | |
| CVE-2026-25365 | medium | 6.5 | 6.5 | 2mo ago | Missing Authorization vulnerability in Özgür KARALAR Kargo Takip kargo-takip-turkiye allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Kargo Takip: from n/a t… | |
| CVE-2026-25339 | medium | 6.5 | 6.5 | 2mo ago | Insertion of Sensitive Information Into Sent Data vulnerability in Syed Balkhi Contact Form by WPForms wpforms-lite allows Retrieve Embedded Sensitive Data. This issue affects Contact Form by WPForms:… | |
| CVE-2026-25327 | medium | 6.5 | 6.5 | 2mo ago | Missing Authorization vulnerability in Rustaurius Five Star Restaurant Reservations restaurant-reservations allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects … | |
| CVE-2026-25034 | medium | 6.5 | 6.5 | 2mo ago | Missing Authorization vulnerability in Iqonic Design KiviCare kivicare-clinic-management-system allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects KiviCare: fr… | |
| CVE-2026-24987 | medium | 6.5 | 6.5 | 2mo ago | Missing Authorization vulnerability in activity-log.com WP System Log winterlock allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP System Log: from n/a thr… | |
| CVE-2026-24376 | medium | 6.5 | 6.5 | 2mo ago | Missing Authorization vulnerability in Javier Casares WPVulnerability wpvulnerability allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WPVulnerability: from … | |
| CVE-2026-23972 | medium | 6.5 | 6.5 | 2mo ago | Missing Authorization vulnerability in magepeopleteam Booking and Rental Manager booking-and-rental-manager-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels. Thi… | |
| CVE-2026-3119 | medium | 6.5 | 6.5 | 2mo ago | Under certain conditions, `named` may crash when processing a correctly signed query containing a TKEY record. The affected code can only be reached if an incoming request has a valid transaction sig… | |
| CVE-2026-28863 | medium | 6.5 | 6.5 | 2mo ago | A permissions issue was addressed with additional restrictions. This issue is fixed in iOS 26.4 and iPadOS 26.4, tvOS 26.4, visionOS 26.4, watchOS 26.4. An app may be able to fingerprint the user. | |
| CVE-2026-20657 | medium | 6.5 | 6.5 | 2mo ago | A buffer overflow issue was addressed with improved memory handling. This issue is fixed in iOS 18.7.7 and iPadOS 18.7.7, iOS 26.4 and iPadOS 26.4, macOS Sequoia 15.7.5, macOS Sonoma 14.8.5, macOS Ta… | |
| CVE-2026-33658 | medium | 6.5 | 6.5 | 2mo ago | Rails Active Storage has a possible DoS vulnerability in proxy mode via multi-range requests | |
| CVE-2026-4778 | medium | 6.5 | 6.5 | 2mo ago | A weakness has been identified in SourceCodester Sales and Inventory System 1.0. This vulnerability affects unknown code of the file update_category.php of the component HTTP GET Parameter Handler. T… |