
The NVD is the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. The NVD includes databases of security checklist references, security-related software flaws, product names, and impact metrics.

For information on how to cite the NVD, including the database's Digital Object Identifier (DOI), please consult NIST's Public Data Repository.

Last 20 Scored Vulnerability IDs & Summaries (with CVSS Severity where a score has been assigned)

  • CVE-2026-25125 - October is a Content Management System (CMS) and web platform. Versions prior to 3.7.14 and 4.1.10 contain a server-side information disclosure vulnerability in the INI settings parser. Because PHP's parse_ini_string() function supports ${} syntax...
    Published: April 14, 2026; 5:16:25 PM -0400

  • CVE-2026-34177 - Canonical LXD versions 4.12 through 6.7 contain an incomplete denylist in isVMLowLevelOptionForbidden (lxd/project/limits/permissions.go), which omits raw.apparmor and raw.qemu.conf from the set of keys blocked under the restricted.virtual-machine...
    Published: April 09, 2026; 6:16:21 AM -0400

  • CVE-2026-34178 - In Canonical LXD before 6.8, the backup import path validates project restrictions against backup/index.yaml in the supplied tar archive but creates the instance from backup/container/backup.yaml, a separate file in the same archive that is never ...
    Published: April 09, 2026; 6:16:21 AM -0400

  • CVE-2026-34179 - In Canonical LXD versions 4.12 through 6.7, the doCertificateUpdate function in lxd/certificates.go does not validate the Type field when handling PUT/PATCH requests to /1.0/certificates/{fingerprint} for restricted TLS certificate users, allowing...
    Published: April 09, 2026; 6:16:21 AM -0400

  • CVE-2026-5774 - Improper synchronization of the userTokens map in the API server in Canonical Juju 4.0.5, 3.6.20, and 2.9.56 may allow an authenticated user to possibly cause a denial of service on the server or possibly reuse a single-use discharge token.
    Published: April 10, 2026; 9:16:46 AM -0400
    CVSS V3.1: 6.4 MEDIUM

  • CVE-2026-34950 - fast-jwt provides fast JSON Web Token (JWT) implementation. In 6.1.0 and earlier, the publicKeyPemMatcher regex in fast-jwt/src/crypto.js uses a ^ anchor that is defeated by any leading whitespace in the key string, re-enabling the exact same JWT ...
    Published: April 06, 2026; 12:16:38 PM -0400

  • CVE-2026-34969 - Nhost is an open source Firebase alternative with GraphQL. Prior to 0.48.0, the auth service's OAuth provider callback flow places the refresh token directly into the redirect URL as a query parameter. Refresh tokens in URLs are logged in browser ...
    Published: April 06, 2026; 12:16:38 PM -0400
    CVSS V3.1: 7.5 HIGH

  • CVE-2026-40260 - pypdf is a free and open-source pure-python PDF library. In versions prior to 6.10.0, manipulated XMP metadata entity declarations can exhaust RAM. An attacker who exploits this vulnerability can craft a PDF which leads to large memory usage. This...
    Published: April 16, 2026; 9:17:39 PM -0400
    CVSS V3.1: 5.3 MEDIUM

  • CVE-2026-40253 - openCryptoki is a PKCS#11 library and provides tooling for Linux and AIX. In versions 3.26.0 and below, the BER/DER decoding functions in the shared common library (asn1.c) accept a raw pointer but no buffer length parameter, and trust attacker-co...
    Published: April 16, 2026; 7:16:33 PM -0400
    CVSS V3.1: 6.1 MEDIUM

  • CVE-2026-40193 - maddy is a composable, all-in-one mail server. Versions prior to 0.9.3 contain an LDAP injection vulnerability in the auth.ldap module where user-supplied usernames are interpolated into LDAP search filters and DN strings via strings.ReplaceAll() ...
    Published: April 15, 2026; 8:16:28 PM -0400

  • CVE-2026-34982 - Vim is an open source, command line text editor. Prior to version 9.2.0276, a modeline sandbox bypass in Vim allows arbitrary OS command execution when a user opens a crafted file. The `complete`, `guitabtooltip` and `printheader` options are miss...
    Published: April 06, 2026; 12:16:38 PM -0400

  • CVE-2026-5704 - A flaw was found in tar. A remote attacker could exploit this vulnerability by crafting a malicious archive, leading to hidden file injection with fully attacker-controlled content. This bypasses pre-extraction inspection mechanisms, potentially a...
    Published: April 06, 2026; 12:16:42 PM -0400
    CVSS V3.1: 5.5 MEDIUM

  • CVE-2026-40192 - Pillow is a Python imaging library. Versions 10.3.0 through 12.1.1 did not limit the amount of GZIP-compressed data read when decoding a FITS image, making them vulnerable to decompression bomb attacks. A specially crafted FITS file could cause un...
    Published: April 15, 2026; 7:16:10 PM -0400
    CVSS V3.1: 7.5 HIGH

  • CVE-2026-40179 - Prometheus is an open-source monitoring system and time series database. Versions 3.0 through 3.5.1 and 3.6.0 through 3.11.1 have stored cross-site scripting vulnerabilities in multiple components of the Prometheus web UI where metric names and la...
    Published: April 15, 2026; 7:16:09 PM -0400
    CVSS V3.1: 6.1 MEDIUM

  • CVE-2026-34841 - Bruno is an open source IDE for exploring and testing APIs. Prior to 3.2.1, Bruno was affected by a supply chain attack involving compromised versions of the axios npm package, which introduced a hidden dependency deploying a cross-platform Remote...
    Published: April 06, 2026; 1:17:10 PM -0400

  • CVE-2026-22615 - Due to improper input validation in one of the Eaton Intelligent Power Protector (IPP) XML, it is possible for an attacker with admin privileges and access to the local system to inject malicious code resulting in arbitrary command execution. This...
    Published: April 16, 2026; 1:16:14 AM -0400
    CVSS V3.1: 7.2 HIGH

  • CVE-2026-22616 - Eaton Intelligent Power Protector (IPP) software allows repeated authentication attempts against the web interface login page due to insufficient rate-limiting controls. This security issue has been fixed in the latest version of Eaton IPP which i...
    Published: April 16, 2026; 1:16:14 AM -0400
    CVSS V3.1: 7.5 HIGH

  • CVE-2026-22617 - Eaton Intelligent Power Protector (IPP) uses an insecure cookie configuration, which could allow a network-based attacker to intercept the cookie and exploit it through a man-in-the-middle attack. This security issue has been fixed in the latest v...
    Published: April 16, 2026; 2:16:08 AM -0400
    CVSS V3.1: 7.4 HIGH

  • CVE-2026-22618 - A security misconfiguration was identified in Eaton Intelligent Power Protector (IPP), where an HTTP response header was set with an insecure attribute, potentially exposing users to web-based attacks. This security issue has been fixed in the lat...
    Published: April 16, 2026; 2:16:10 AM -0400
    CVSS V3.1: 7.1 HIGH

  • CVE-2026-22619 - Eaton Intelligent Power Protector (IPP) is affected by insecure library loading in its executable, which could lead to arbitrary code execution by an attacker with access to the software package. This security issue has been fixed in the latest ve...
    Published: April 16, 2026; 2:16:10 AM -0400
    CVSS V3.1: 9.9 CRITICAL

Created September 20, 2022, Updated August 27, 2024