Critical vulnerabilities, curated daily for security professionals
π― SSCV Profile
See how vulnerabilities affect your specific environment
CRS uses the System Security Context Vector (SSCV) Framework v1.0 to adjust CVSS scores based on your system's exposure level, network position, and business criticality. Learn more about SSCV Framework
Risk scores will be adjusted based on your selected environment
π
Today's Security Brief
WordPress plugins account for four of Thursday's 19 critical vulnerabilities, with CVE-2026-1830, CVE-2026-3296, CVE-2026-2942, and CVE-2026-4003 all scoring CVSS 9.8. Critical disclosures dropped 30% from Wednesday's 27, while high-priority CVEs held steady at 100. CVE-2026-39888 (CVSS 9.9) in Microsoft Teams represents the highest-scored finding, alongside CVE-2026-3535 (CVSS 9.8) in Google Web Fonts and CVE-2026-34179 (CVSS 9.1) in Canon LXD systems. Three vulnerabilities are confirmed actively exploited β Ivanti EPMM (CVE-2026-1340), Google Dawn (CVE-2026-5281), and TrueConf Client (CVE-2026-3502), each rated CVSS 9.5. Patch availability stands at zero percent across all 119 disclosed CVEs, making network-level mitigations and access restrictions the primary defensive option.
CVE-2026-39888 (CVSS 9.9) in Microsoft Teams is Thursday's highest-scored vulnerability, with a second Teams flaw (CVE-2026-39890, CVSS 9.8) also disclosed
19 critical CVEs disclosed, down 30% from Wednesday's 27 β WordPress plugins represent four of the critical findings
100 high-priority CVEs, unchanged from the prior day, bringing total disclosures to 119
Remote code execution and authentication bypass patterns appear across WordPress, Google Web Fonts, and Canon LXD products
Zero patches are currently available for any disclosed vulnerability, requiring compensating controls across all affected systems
Three actively exploited vulnerabilities confirmed in Ivanti EPMM, Google Dawn, and TrueConf Client, all rated CVSS 9.5
Immediate action: Prioritize restricting network access to Ivanti EPMM, Google Dawn, and TrueConf Client instances given confirmed active exploitation. WordPress administrators should audit and disable affected plugins until patches become available, and Teams deployments should be monitored for anomalous activity. With zero patches available across all 119 CVEs, implement network segmentation and enhanced logging as interim controls.
π‘ Tip: Swipe CVE cards left to β star, right to β remove
Section Navigation
β οΈ
CISA Known Exploited Vulnerabilities
β οΈ CISA KEVURGENT
CVE-2026-1340
9.5π
IvantiEndpoint Manager Mobile (EPMM)
β° Federal Deadline:April 10, 2026(2 days remaining)
Ivanti Endpoint Manager Mobile (EPMM) Code Injection Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
β
CRSSelect profile
β οΈ CISA KEVURGENT
CVE-2026-5281
9.5π
GoogleDawn
β° Federal Deadline:April 14, 2026(6 days remaining)
A use-after-free vulnerability exists in the Dawn component of Google Chrome. This flaw allows attackers to potentially execute arbitrary code or cause a denial-of-service via a crafted HTML page.
CVSS Base9.5
β
CRSSelect profile
β οΈ CISA KEVURGENT
CVE-2026-3502
9.5
TrueConfClient
β° Federal Deadline:April 15, 2026(7 days remaining)
TrueConf Client Download of Code Without Integrity Check Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
β
CRSSelect profile
π¨
Critical Vulnerabilities
CVE-2026-3535
9.8π
GoogleWeb Fonts
The Google Web Fonts GDPR plugin for WordPress is vulnerable to unauthenticated arbitrary file upload via the `DSGVOGWPdownloadGoogleFonts()` function, potentially leading to remote code execution.
CVSS Base9.8
β
CRSSelect profile
CVE-2026-1830
9.8π
WordPressis vulnerable
The Quick Playground plugin for WordPress contains an RCE vulnerability due to insufficient authorization on REST API endpoints, allowing unauthenticated file uploads.
CVSS Base9.8
β
CRSSelect profile
CVE-2026-3296
9.8π
WordPressis vulnerable
The Everest Forms WordPress plugin is vulnerable to PHP Object Injection via unsafe deserialization of user-supplied form metadata.
CVSS Base9.8
β
CRSSelect profile
CVE-2026-39888
9.9π
Teamssystem
PraisonAI versions prior to 1.5.115 contain a sandbox escape vulnerability in its Python code execution tool, allowing arbitrary code execution.
CVSS Base9.9
β
CRSSelect profile
CVE-2026-39890
9.8π
Teamssystem
PraisonAI versions prior to 4.5.115 are vulnerable to RCE via insecure YAML parsing, allowing execution of arbitrary JavaScript.
CVSS Base9.8
β
CRSSelect profile
CVE-2026-2942
9.8π
WordPressis vulnerable
The ProSolution WP Client plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation, enabling potential Remote Code Execution.
CVSS Base9.8
β
CRSSelect profile
CVE-2026-39860
9π
Linuxand other
A symlink following vulnerability in the Nix package manager allows users to overwrite files and escalate privileges to root in multi-user installations.
CVSS Base9
β
CRSSelect profile
CVE-2026-4003
9.8π
WordPressis vulnerable
The Users manager β PN WordPress plugin contains a privilege escalation flaw allowing unauthenticated attackers to modify arbitrary user metadata.
CVSS Base9.8
β
CRSSelect profile
CVE-2026-34179
9.1π
CanonLXD
Canonical LXD versions 4.12 through 6.7 contain a privilege escalation vulnerability where restricted TLS certificate users can elevate to cluster admin.
CVSS Base9.1
β
CRSSelect profile
CVE-2026-40035
9.1π
InforUnfurl
Unfurl contains an improper input validation vulnerability in configuration parsing that enables Flask debug mode by default, potentially leading to remote code execution.
CVSS Base9.1
β
CRSSelect profile
CVE-2026-34177
9.1π
CanonLXD
An incomplete denylist in Canonical LXD allows a restricted project user to inject AppArmor and QEMU configurations, facilitating privilege escalation to host root.
CVSS Base9.1
β
CRSSelect profile
CVE-2026-5850
9.8π
TotolinkA7100RU
The Totolink A7100RU contains an OS command injection vulnerability in the setVpnPassCfg function, allowing remote attackers to execute arbitrary system commands via the pptpPassThru parameter.
CVSS Base9.8
β
CRSSelect profile
CVE-2026-5851
9.8π
TotolinkA7100RU
The Totolink A7100RU is susceptible to remote OS command injection via the setUPnPCfg function, specifically through the enable parameter in the CGI handler.
CVSS Base9.8
β
CRSSelect profile
CVE-2026-5852
9.8π
TotolinkA7100RU
The Totolink A7100RU allows remote OS command injection via the setIptvCfg function by manipulating the igmpVer argument in the CGI handler.
CVSS Base9.8
β
CRSSelect profile
CVE-2026-5853
9.8π
TotolinkA7100RU
The Totolink A7100RU is vulnerable to remote OS command injection via the setIpv6LanCfg function, exploitable through the addrPrefixLen argument in the CGI handler.
CVSS Base9.8
β
CRSSelect profile
CVE-2026-5854
9.8π
TotolinkA7100RU
The Totolink A7100RU is susceptible to remote OS command injection via the setWiFiEasyCfg function, specifically through the merge argument in the CGI handler.
CVSS Base9.8
β
CRSSelect profile
CVE-2026-1346
9.3π
IBMVerify Identity
IBM Verify Identity and Security Verify Access products contain a privilege escalation vulnerability allowing locally authenticated users to gain root access.
CVSS Base9.3
β
CRSSelect profile
CVE-2026-34178
9.1π
ArchLXD
A backup import validation flaw in Canonical LXD allows authenticated remote attackers to bypass project restrictions and achieve full host compromise.
CVSS Base9.1
β
CRSSelect profile
CVE-2026-25776
9.8π
Movable TypeMovable Type
Six Apart Movable Type contains a code injection vulnerability that allows an authenticated attacker to execute arbitrary Perl scripts on the server.
CVSS Base9.8
β
CRSSelect profile
β οΈ
High Priority Updates
CVE-2026-35554
8.7
producerKafka Java
A race condition in the Apache Kafka Java producer clientβs buffer pool management can cause messages to be silently delivered to incorrect topics
CVSS Base8.7
β
CRSSelect profile
CVE-2026-23818
8.8
HPMultiple Products
A vulnerability has been identified in the graphical user interface (GUI) of HPE Aruba Networking Private 5G Core On-Prem that could allow an attacker to abuse an open redirect vulnerability in the login flow using a crafted URL
CVSS Base8.8
β
CRSSelect profile
CVE-2026-3499
8.8
WordPressis vulnerable
The Product Feed PRO for WooCommerce by AdTribes β Product Feeds for WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions 13
CVSS Base8.8
β
CRSSelect profile
CVE-2026-39891
8.8
Teamssystem
PraisonAI is a multi-agent teams system
CVSS Base8.8
β
CRSSelect profile
CVE-2026-4326
8.8
WordPressis vulnerable
The Vertex Addons for Elementor plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 1
CVSS Base8.8
β
CRSSelect profile
CVE-2026-27314
8.8
ApacheCassandra
Privilege escalationΒ in Apache Cassandra 5
CVSS Base8.8
β
CRSSelect profile
CVE-2026-3243
8.8
WordPressis vulnerable
The Advanced Members for ACF plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the create_crop function in all versions up to, and including, 1
CVSS Base8.8
β
CRSSelect profile
CVE-2026-39307
8.1
teamsMultiple Products
PraisonAI is a multi-agent teams system
CVSS Base8.1
β
CRSSelect profile
CVE-2026-5436
8.1
WordPressis vulnerable
The MW WP Form plugin for WordPress is vulnerable to Arbitrary File Move/Read in all versions up to and including 5
CVSS Base8.1
β
CRSSelect profile
CVE-2026-39318
8.8
HPfile contains
ChurchCRM is an open-source church management system
CVSS Base8.8
β
CRSSelect profile
CVE-2026-39319
8.8
HPin ChurchCRM
ChurchCRM is an open-source church management system
CVSS Base8.8
β
CRSSelect profile
CVE-2026-39326
8.8
HPin ChurchCRM
ChurchCRM is an open-source church management system
CVSS Base8.8
β
CRSSelect profile
CVE-2026-39327
8.8
HPin ChurchCRM
ChurchCRM is an open-source church management system
CVSS Base8.8
β
CRSSelect profile
CVE-2026-39329
8.8
HPin ChurchCRM
ChurchCRM is an open-source church management system
CVSS Base8.8
β
CRSSelect profile
CVE-2026-39330
8.8
HPin ChurchCRM
ChurchCRM is an open-source church management system
CVSS Base8.8
β
CRSSelect profile
CVE-2026-39334
8.8
HPin ChurchCRM
ChurchCRM is an open-source church management system
CVSS Base8.8
β
CRSSelect profile
CVE-2026-32864
7.8
InforMultiple Products
There is a memory corruption vulnerability due to an out-of-bounds read in mgcore_SH_25_3!aligned_free() in NI LabVIEW
CVSS Base7.8
β
CRSSelect profile
CVE-2026-39332
8.7
HPallows any
ChurchCRM is an open-source church management system
CVSS Base8.7
β
CRSSelect profile
CVE-2026-39333
8.7
HPendpoint reflects
ChurchCRM is an open-source church management system
CVSS Base8.7
β
CRSSelect profile
CVE-2026-39384
7.6
HPMultiple Products
FreeScout is a free help desk and shared inbox built with PHP's Laravel framework
CVSS Base7.6
β
CRSSelect profile
CVE-2026-39429
8.2
Kubernetesand container
kcp is a Kubernetes-like control plane for form-factors and use-cases beyond Kubernetes and container workloads
CVSS Base8.2
β
CRSSelect profile
CVE-2026-28261
7.8
DellElastic Cloud
Dell Elastic Cloud Storage, version 3
CVSS Base7.8
β
CRSSelect profile
CVE-2026-4498
7.7
ArchRBAC scope
Execution with Unnecessary Privileges (CWE-250) in Kibanaβs Fleet plugin debug route handlers can lead reading index data beyond their direct Elasticsearch RBAC scope via Privilege Abuse (CAPEC-122)
CVSS Base7.7
β
CRSSelect profile
CVE-2026-35534
7.6
HPdue to
ChurchCRM is an open-source church management system
CVSS Base7.6
β
CRSSelect profile
CVE-2026-39369
7.6
HPallowed an
WWBN AVideo is an open source video platform
CVSS Base7.6
β
CRSSelect profile
CVE-2026-35517
8.8
upstreamMultiple Products
FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole's Web interface
CVSS Base8.8
β
CRSSelect profile
CVE-2026-35518
8.8
DNSMultiple Products
FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole's Web interface
CVSS Base8.8
β
CRSSelect profile
CVE-2026-35519
8.8
DNSMultiple Products
FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole's Web interface
CVSS Base8.8
β
CRSSelect profile
CVE-2026-35520
8.8
DHCPMultiple Products
FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole's Web interface
CVSS Base8.8
β
CRSSelect profile
CVE-2026-35521
8.8
DHCPMultiple Products
FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole's Web interface
CVSS Base8.8
β
CRSSelect profile
CVE-2026-35169
8.7
Archand Imaging
LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data- and project-management for neuroimaging research
CVSS Base8.7
β
CRSSelect profile
CVE-2026-34045
8.2
KubernetesMultiple Products
Podman Desktop is a graphical tool for developing on containers and Kubernetes
CVSS Base8.2
β
CRSSelect profile
CVE-2026-39340
8.1
HPMultiple Products
ChurchCRM is an open-source church management system
CVSS Base8.1
β
CRSSelect profile
CVE-2026-39341
8.1
HPMultiple Products
ChurchCRM is an open-source church management system
CVSS Base8.1
β
CRSSelect profile
CVE-2026-35446
7.7
Archand Imaging
LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data- and project-management for neuroimaging research
CVSS Base7.7
β
CRSSelect profile
CVE-2026-35463
8.8
downloadMultiple Products
pyLoad is a free and open-source download manager written in Python
CVSS Base8.8
β
CRSSelect profile
CVE-2026-33466
8.1
ArchMultiple Products
Improper Limitation of a Pathname to a Restricted Directory (CWE-22) in Logstash can lead to arbitrary file write and potentially remote code execution via Relative Path Traversal (CAPEC-139)
CVSS Base8.1
β
CRSSelect profile
CVE-2026-3357
8.8
IBMLangflow Desktop
IBM Langflow Desktop 1
CVSS Base8.8
β
CRSSelect profile
CVE-2026-5815
8.8
D-LinkDIR
A vulnerability was detected in D-Link DIR-645 1
CVSS Base8.8
β
CRSSelect profile
CVE-2026-5830
8.8
TendaAC15
A vulnerability was identified in Tenda AC15 15
CVSS Base8.8
β
CRSSelect profile
CVE-2025-14821
7.8
InforMultiple Products
A flaw was found in libssh
CVSS Base7.8
β
CRSSelect profile
CVE-2026-35533
7.7
TerraformMultiple Products
mise manages dev tools like node, python, cmake, and terraform
CVSS Base7.7
β
CRSSelect profile
CVE-2026-1342
8.5
IBMVerify Identity
IBM Verify Identity Access Container 11
CVSS Base8.5
β
CRSSelect profile
CVE-2026-5173
8.5
versionshas remediated
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 16
CVSS Base8.5
β
CRSSelect profile
CVE-2026-35464
7.5
downloadMultiple Products
pyLoad is a free and open-source download manager written in Python
CVSS Base7.5
β
CRSSelect profile
CVE-2026-35611
7.5
UnknownMultiple Products
Addressable is an alternative implementation to the URI implementation that is part of Ruby's standard library
CVSS Base7.5
β
CRSSelect profile
CVE-2026-4788
8.4
IBMTivoli Netcool
IBM Tivoli Netcool Impact 7
CVSS Base8.4
β
CRSSelect profile
CVE-2026-4740
8.2
RedAdvanced Cluster
A flaw was found in Open Cluster Management (OCM), the technology underlying Red Hat Advanced Cluster Management (ACM)
CVSS Base8.2
β
CRSSelect profile
CVE-2025-24818
8
Archapplication
Nokia MantaRay NM is vulnerable to an OS command injection vulnerability due to improper neutralization of special elements used in an OS command in Log Search application
CVSS Base8
β
CRSSelect profile
CVE-2026-39361
7.7
AWSIMDSv1
OpenObserve is a cloud-native observability platform
CVSS Base7.7
β
CRSSelect profile
CVE-2026-24146
7.5
NVIDIATriton Inference
NVIDIA Triton Inference Server contains a vulnerability where insufficient input validation and a large number of outputs could cause a server crash
CVSS Base7.5
β
CRSSelect profile
CVE-2026-24173
7.5
NVIDIATriton Inference
NVIDIA Triton Inference Server contains a vulnerability where an attacker could cause a server crash by sending a malformed request to the server
CVSS Base7.5
β
CRSSelect profile
CVE-2026-24174
7.5
NVIDIATriton Inference
NVIDIA Triton Inference Server contains a vulnerability where an attacker could cause a server crash by sending a malformed request to the server
CVSS Base7.5
β
CRSSelect profile
CVE-2026-24175
7.5
NVIDIATriton Inference
NVIDIA Triton Inference Server contains a vulnerability where an attacker could cause a server crash by sending a malformed request header to the server
CVSS Base7.5
β
CRSSelect profile
CVE-2026-24913
8.8
MATCHAMultiple Products
SQL Injection vulnerability exists in MATCHA INVOICE 2
CVSS Base8.8
β
CRSSelect profile
CVE-2026-31842
7.5
TinyproxyMultiple Products
Tinyproxy through 1
CVSS Base7.5
β
CRSSelect profile
CVE-2026-35526
7.5
StrawberryMultiple Products
Strawberry GraphQL is a library for creating GraphQL APIs
CVSS Base7.5
β
CRSSelect profile
CVE-2026-35523
7.5
StrawberryMultiple Products
Strawberry GraphQL is a library for creating GraphQL APIs
CVSS Base7.5
β
CRSSelect profile
CVE-2026-39312
7.5
UnknownMultiple Products
SoftEtherVPN is a an open-source cross-platform multi-protocol VPN Program
CVSS Base7.5
β
CRSSelect profile
CVE-2026-24660
8.1
UnknownMultiple Products
A heap-based buffer overflow vulnerability exists in the x3f_load_huffman functionality of LibRaw Commit d20315b
ChurchCRM is an open-source church management system
CVSS Base8.9
β
CRSSelect profile
CVE-2026-5732
8.8
IncorrectMultiple Products
Incorrect boundary conditions, integer overflow in the Graphics: Text component
CVSS Base8.8
β
CRSSelect profile
CVE-2026-5733
8.8
IncorrectMultiple Products
Incorrect boundary conditions in the Graphics: WebGPU component
CVSS Base8.8
β
CRSSelect profile
CVE-2026-22683
8.8
WindmillMultiple Products
Windmill versions 1
CVSS Base8.8
β
CRSSelect profile
CVE-2026-35610
8.8
UnknownMultiple Products
PolarLearn is a free and open-source learning program
CVSS Base8.8
β
CRSSelect profile
CVE-2026-35576
8.7
UnknownMultiple Products
ChurchCRM is an open-source church management system
CVSS Base8.7
β
CRSSelect profile
CVE-2026-35478
8.3
UnknownMultiple Products
InvenTree is an Open Source Inventory Management System
CVSS Base8.3
β
CRSSelect profile
CVE-2026-35457
8.2
UnknownMultiple Products
libp2p-rust is the official rust language Implementation of the libp2p networking stack
CVSS Base8.2
β
CRSSelect profile
CVE-2026-5208
8.2
UnknownMultiple Products
Command injection in alerts in CoolerControl/coolercontrold <4
CVSS Base8.2
β
CRSSelect profile
CVE-2026-20884
8.1
LibRawMultiple Products
An integer overflow vulnerability exists in the deflate_dng_load_raw functionality of LibRaw Commit 8dc68e2
CVSS Base8.1
β
CRSSelect profile
CVE-2026-24450
8.1
LibRawMultiple Products
An integer overflow vulnerability exists in the uncompressed_fp_dng_load_raw functionality of LibRaw Commit 8dc68e2
CVSS Base8.1
β
CRSSelect profile
CVE-2026-5373
8.1
UnknownMultiple Products
An issue that allowed all-organization administrators to promote accounts to superuser status has been resolved
CVSS Base8.1
β
CRSSelect profile
CVE-2026-35488
8.1
TandoorMultiple Products
Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists
CVSS Base8.1
β
CRSSelect profile
CVE-2026-35607
8.1
FileMultiple Products
File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory
CVSS Base8.1
β
CRSSelect profile
CVE-2026-39331
8.1
UnknownMultiple Products
ChurchCRM is an open-source church management system
CVSS Base8.1
β
CRSSelect profile
CVE-2026-39344
8.1
UnknownMultiple Products
ChurchCRM is an open-source church management system
CVSS Base8.1
β
CRSSelect profile
CVE-2026-39371
8.1
UnknownMultiple Products
RedwoodSDK is a server-first React framework
CVSS Base8.1
β
CRSSelect profile
CVE-2026-39393
8.1
ArchMultiple Products
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support
CVSS Base8.1
β
CRSSelect profile
CVE-2026-39394
8.1
ArchMultiple Products
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support
CVSS Base8.1
β
CRSSelect profile
CVE-2025-24817
8
NokiaMultiple Products
Nokia MantaRay NM is vulnerable to an OS command injection vulnerability due to improper neutralization of special elements used in an OS command in Symptom Collector application
CVSS Base8
β
CRSSelect profile
CVE-2026-35575
8
adminMultiple Products
ChurchCRM is an open-source church management system
CVSS Base8
β
CRSSelect profile
CVE-2026-32860
7.8
InforMultiple Products
There is a memory corruption vulnerability due to an out-of-bounds write when loading a corrupted LVLIB file in NI LabVIEW
CVSS Base7.8
β
CRSSelect profile
CVE-2026-32861
7.8
InforMultiple Products
There is a memory corruption vulnerability due to an out-of-bounds write when loading a corrupted LVCLASS file in NI LabVIEW
CVSS Base7.8
β
CRSSelect profile
CVE-2026-32862
7.8
InforMultiple Products
There is a memory corruption vulnerability due to an out-of-bounds write in ResFileFactory::InitResourceMgr() in NI LabVIEW
CVSS Base7.8
β
CRSSelect profile
CVE-2026-32863
7.8
InforMultiple Products
There is a memory corruption vulnerability due to an out-of-bounds read in sentry_transaction_context_set_operation() in NI LabVIEW
CVSS Base7.8
β
CRSSelect profile
CVE-2026-27806
7.8
UnknownMultiple Products
Fleet is open source device management software
CVSS Base7.8
β
CRSSelect profile
CVE-2026-40029
7.8
parseusbsMultiple Products
parseusbs before 1
CVSS Base7.8
β
CRSSelect profile
CVE-2026-40030
7.8
parseusbsMultiple Products
parseusbs before 1
CVSS Base7.8
β
CRSSelect profile
CVE-2026-40031
7.8
IBMMultiple Products
MemProcFS before 5
CVSS Base7.8
β
CRSSelect profile
CVE-2026-40032
7.8
placeholderMultiple Products
UAC (Unix-like Artifacts Collector) before 3
CVSS Base7.8
β
CRSSelect profile
CVE-2026-33461
7.7
InforMultiple Products
Incorrect Authorization (CWE-863) in Kibana can lead to information disclosure via Privilege Abuse (CAPEC-122)
CVSS Base7.7
β
CRSSelect profile
CVE-2026-5301
7.6
StoredMultiple Products
Stored XSS in log viewer in CoolerControl/coolercontrol-ui <4
CVSS Base7.6
β
CRSSelect profile
CVE-2026-33034
7.5
discoveredMultiple Products
An issue was discovered in 6
CVSS Base7.5
β
CRSSelect profile
CVE-2026-35405
7.5
UnknownMultiple Products
libp2p-rust is the official rust language Implementation of the libp2p networking stack
CVSS Base7.5
β
CRSSelect profile
CVE-2026-35485
7.5
loadMultiple Products
text-generation-webui is an open-source web interface for running Large Language Models
CVSS Base7.5
β
CRSSelect profile
CVE-2026-3902
7.5
discoveredMultiple Products
An issue was discovered in 6
CVSS Base7.5
β
CRSSelect profile
CVE-2026-35486
7.5
UnknownMultiple Products
text-generation-webui is an open-source web interface for running Large Language Models
CVSS Base7.5
β
CRSSelect profile
CVE-2026-39356
7.5
UnknownMultiple Products
Drizzle is a modern TypeScript ORM
CVSS Base7.5
β
CRSSelect profile
CVE-2026-39376
7.5
UnknownMultiple Products
FastFeedParser is a high performance RSS, Atom and RDF parser