Export limit exceeded: 26325 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.

Search

Search Results (26325 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2026-28492 1 Filebrowser 1 Filebrowser 2026-04-17 6.5 Medium
File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. Prior to version 2.61.0, when a user creates a public share link for a directory, the withHashFile middleware in http/public.go uses filepath.Dir(link.Path) to compute the BasePathFs root. This sets the filesystem root to the parent directory instead of the shared directory itself, allowing anyone with the share link to browse and download files from all sibling directories. This issue has been patched in version 2.61.0.
CVE-2026-29046 2 Maximmasiutin, Ritlabs 2 Tinyweb, Tinyweb 2026-04-17 8.2 High
TinyWeb is a web server (HTTP, HTTPS) written in Delphi for Win32. Prior to version 2.04, TinyWeb accepts request header values and later maps them into CGI environment variables (HTTP_*). The parser did not strictly reject dangerous control characters in header lines and header values, including CR, LF, and NUL, and did not consistently defend against encoded forms such as %0d, %0a, and %00. This can enable header value confusion across parser boundaries and may create unsafe data in the CGI execution context. This issue has been patched in version 2.04.
CVE-2026-28675 1 Opensift 1 Opensift 2026-04-17 5.3 Medium
OpenSift is an AI study tool that sifts through large datasets using semantic search and generative AI. Prior to version 1.6.3-alpha, some endpoints returned raw exception strings to clients. Additionally, login token material was exposed in UI/rendered responses and token rotation output. This issue has been patched in version 1.6.3-alpha.
CVE-2026-30233 1 Olivetin 1 Olivetin 2026-04-17 6.5 Medium
OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.11.1, an authorization flaw in OliveTin allows authenticated users with view: false permission to enumerate action bindings and metadata via dashboard and API endpoints. Although execution (exec) may be correctly denied, the backend does not enforce IsAllowedView() when constructing dashboard and action binding responses. As a result, restricted users can retrieve action titles, IDs, icons, and argument metadata. This issue has been patched in version 3000.11.1.
CVE-2026-30829 2 Bluewave-labs, Bluewavelabs 2 Checkmate, Checkmate 2026-04-17 5.3 Medium
Checkmate is an open-source, self-hosted tool designed to track and monitor server hardware, uptime, response times, and incidents in real-time with beautiful visualizations. Prior to version 3.4.0, an unauthenticated information disclosure vulnerability exists in the GET /api/v1/status-page/:url endpoint. The endpoint does not enforce authentication or verify whether a status page is published before returning full status page details. As a result, unpublished status pages and their associated internal data are accessible to any unauthenticated user via direct API requests. This issue has been patched in version 3.4.0.
CVE-2026-27796 2 Homarr, Homarr-labs 2 Homarr, Homarr 2026-04-17 5.3 Medium
Homarr is an open-source dashboard. Prior to version 1.54.0, the integration.all tRPC endpoint in Homarr is exposed as a publicProcedure, allowing unauthenticated users to retrieve a complete list of configured integrations. This metadata includes sensitive information such as internal service URLs, integration names, and service types. This issue has been patched in version 1.54.0.
CVE-2026-24713 1 Apache 1 Iotdb 2026-04-17 9.8 Critical
Improper Input Validation vulnerability in Apache IoTDB. This issue affects Apache IoTDB: from 1.0.0 before 1.3.7, from 2.0.0 before 2.0.7. Users are recommended to upgrade to version 1.3.7 or 2.0.7, which fixes the issue.
CVE-2026-34518 2 Aio-libs, Aiohttp 2 Aiohttp, Aiohttp 2026-04-17 5.3 Medium
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, when following redirects to a different origin, aiohttp drops the Authorization header, but retains the Cookie and Proxy-Authorization headers. This issue has been patched in version 3.13.4.
CVE-2026-39889 2 Mervinpraison, Praison 2 Praisonai, Praisonai 2026-04-17 7.5 High
PraisonAI is a multi-agent teams system. Prior to 4.5.115, the A2U (Agent-to-User) event stream server in PraisonAI exposes all agent activity without authentication. The create_a2u_routes() function registers the following endpoints with NO authentication checks: /a2u/info, /a2u/subscribe, /a2u/events/{stream_name}, /a2u/events/sub/{id}, and /a2u/health. This vulnerability is fixed in 4.5.115.
CVE-2016-8747 2 Apache, Netapp 3 Tomcat, Oncommand Insight, Oncommand Shift 2026-04-16 7.5 High
An information disclosure issue was discovered in Apache Tomcat 8.5.7 to 8.5.9 and 9.0.0.M11 to 9.0.0.M15 in reverse-proxy configurations. Http11InputBuffer.java allows remote attackers to read data that was intended to be associated with a different request.
CVE-2026-31262 1 Altenar 2 Sportsbook, Sportsbook Software Platform 2026-04-16 6.1 Medium
Cross Site Scripting vulnerability in Altenar Sportsbook Software Platform (SB2) v.2.0 allows a remote attacker to obtain sensitive information and execute arbitrary code via the URL parameter
CVE-2026-29133 1 Seppmail 2 Secure Email Gateway, Seppmail Secure Email Gateway 2026-04-16 9.1 Critical
SEPPmail Secure Email Gateway before version 15.0.3 allows an attacker to upload PGP keys with UIDs that do not match their email address.
CVE-2026-29135 1 Seppmail 2 Secure Email Gateway, Seppmail Secure Email Gateway 2026-04-16 7.5 High
SEPPmail Secure Email Gateway before version 15.0.3 allows an attacker to craft a password-tag that bypasses subject sanitization.
CVE-2026-29137 1 Seppmail 2 Secure Email Gateway, Seppmail Secure Email Gateway 2026-04-16 5.3 Medium
SEPPmail Secure Email Gateway before version 15.0.3 allows an attacker to hide security tags from users by crafting a long subject.
CVE-2026-29144 1 Seppmail 2 Secure Email Gateway, Seppmail Secure Email Gateway 2026-04-16 5.3 Medium
SEPPmail Secure Email Gateway before version 15.0.3 allows an attacker to bypass subject sanitization and forge security tags using Unicode lookalike characters.
CVE-2026-29141 1 Seppmail 2 Secure Email Gateway, Seppmail Secure Email Gateway 2026-04-16 5.3 Medium
SEPPmail Secure Email Gateway before version 15.0.3 allows an attacker to bypass subject sanitization and forge tags such as [signed OK].
CVE-2026-29143 1 Seppmail 2 Secure Email Gateway, Seppmail Secure Email Gateway 2026-04-16 9.1 Critical
SEPPmail Secure Email Gateway before version 15.0.3 does not properly authenticate the inner message of S/MIME-encrypted MIME entities, allowing an attacker to control trusted headers.
CVE-2026-20823 1 Microsoft 18 Windows 10 1607, Windows 10 1809, Windows 10 21h2 and 15 more 2026-04-16 5.5 Medium
Exposure of sensitive information to an unauthorized actor in Windows File Explorer allows an authorized attacker to disclose information locally.
CVE-2026-20827 1 Microsoft 18 Windows 10 1607, Windows 10 1809, Windows 10 21h2 and 15 more 2026-04-16 5.5 Medium
Exposure of sensitive information to an unauthorized actor in Tablet Windows User Interface (TWINUI) Subsystem allows an authorized attacker to disclose information locally.
CVE-2026-20838 1 Microsoft 10 Windows 11 23h2, Windows 11 23h2, Windows 11 24h2 and 7 more 2026-04-16 5.5 Medium
Generation of error message containing sensitive information in Windows Kernel allows an authorized attacker to disclose information locally.