
The NVD is the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. The NVD includes databases of security checklist references, security-related software flaws, product names, and impact metrics.

For information on how to cite the NVD, including the database's Digital Object Identifier (DOI), please consult NIST's Public Data Repository.

Last 20 Scored Vulnerability IDs & Summaries (with CVSS severity)
  • CVE-2026-34625 - Adobe Experience Manager versions 6.5.24, FP11.7 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the ...
    Published: April 14, 2026; 3:16:38 PM -0400

    V3.1: 5.4 MEDIUM

  • CVE-2026-34624 - Adobe Experience Manager versions 6.5.24, FP11.7 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the ...
    Published: April 14, 2026; 3:16:38 PM -0400

    V3.1: 5.4 MEDIUM

  • CVE-2026-34623 - Adobe Experience Manager versions 6.5.24, FP11.7 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the ...
    Published: April 14, 2026; 3:16:37 PM -0400

    V3.1: 5.4 MEDIUM

  • CVE-2026-35642 - OpenClaw before 2026.3.25 contains an authorization bypass vulnerability where group reaction events bypass the requireMention access control mechanism. Attackers can trigger reactions in mention-gated groups to enqueue agent-visible system events...
    Published: April 09, 2026; 6:16:33 PM -0400

    V3.1: 4.3 MEDIUM

  • CVE-2026-27289 - Photoshop Desktop versions 27.4 and earlier are affected by an out-of-bounds read vulnerability when parsing a crafted file, which could result in a read past the end of an allocated memory structure. An attacker could leverage this vulnerability ...
    Published: April 14, 2026; 4:16:34 PM -0400

    V3.1: 7.8 HIGH

  • CVE-2026-34618 - Illustrator versions 30.2, 29.8.5 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a vic...
    Published: April 14, 2026; 4:16:47 PM -0400

    V3.1: 7.8 HIGH

  • CVE-2026-27287 - InCopy versions 20.5.2, 21.2 and earlier are affected by an out-of-bounds read vulnerability when parsing a crafted file, which could result in a read past the end of an allocated memory structure. An attacker could leverage this vulnerability to ...
    Published: April 14, 2026; 5:16:25 PM -0400

    V3.1: 7.8 HIGH

  • CVE-2026-34631 - InCopy versions 20.5.2, 21.2 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim m...
    Published: April 14, 2026; 6:16:31 PM -0400

    V3.1: 7.8 HIGH

  • CVE-2026-5439 - A memory exhaustion vulnerability exists in ZIP archive processing. Orthanc automatically extracts ZIP archives uploaded to certain endpoints and trusts metadata fields describing the uncompressed size of archived files. An attacker can craft a sm...
    Published: April 09, 2026; 11:16:15 AM -0400

  • CVE-2026-5438 - A gzip decompression bomb vulnerability exists when Orthanc processes HTTP requests with `Content-Encoding: gzip`. The server does not enforce limits on decompressed size and allocates memory based on attacker-controlled compression metadata. A spe...
    Published: April 09, 2026; 11:16:15 AM -0400

  • CVE-2026-39414 - MinIO is a high-performance object storage system. From RELEASE.2018-08-18T03-49-57Z to before RELEASE.2025-12-20T04-58-37Z, MinIO's S3 Select feature is vulnerable to memory exhaustion when processing CSV files containing lines longer than availa...
    Published: April 08, 2026; 5:16:58 PM -0400

    V3.1: 6.5 MEDIUM

  • CVE-2026-35645 - OpenClaw before 2026.3.25 contains a privilege escalation vulnerability in the gateway plugin subagent fallback deleteSession function that uses a synthetic operator.admin runtime scope. Attackers can exploit this by triggering session deletion wi...
    Published: April 09, 2026; 6:16:34 PM -0400

    V3.1: 8.8 HIGH

  • CVE-2026-39416 - AIL framework is an open-source platform to collect, crawl, process and analyse unstructured data. Prior to 6.8, a stored cross-site scripting (XSS) vulnerability was identified in the modal item preview functionality. When item content longer tha...
    Published: April 08, 2026; 5:16:59 PM -0400

    V3.1: 6.1 MEDIUM

  • CVE-2026-39429 - kcp is a Kubernetes-like control plane for form-factors and use-cases beyond Kubernetes and container workloads. Prior to 0.30.3 and 0.29.3, the cache server is directly exposed by the root shard and has no authentication or authorization in place...
    Published: April 08, 2026; 5:16:59 PM -0400

    V3.1: 9.1 CRITICAL

  • CVE-2026-5437 - An out-of-bounds read vulnerability exists in `DicomStreamReader` during DICOM meta-header parsing. When processing malformed metadata structures, the parser may read beyond the bounds of the allocated metadata buffer. Although this issue does not...
    Published: April 09, 2026; 11:16:15 AM -0400

  • CVE-2026-39844 - NiceGUI is a Python-based UI framework. Prior to 3.10.0, since PurePosixPath only recognizes forward slashes (/) as path separators, an attacker can bypass this sanitization on Windows by using backslashes (\) in the upload filename. Applications ...
    Published: April 08, 2026; 5:16:59 PM -0400

    V3.1: 7.5 HIGH

  • CVE-2026-40162 - Bugsink is a self-hosted error tracking tool. In 2.1.0, an authenticated file write vulnerability was identified in the artifact bundle assembly flow. A user with a valid authentication token could cause the application to write a...
    Published: April 10, 2026; 2:16:46 PM -0400

  • CVE-2026-39885 - FrontMCP is a TypeScript-first framework for the Model Context Protocol (MCP). Prior to 2.3.0, the mcp-from-openapi library uses @apidevtools/json-schema-ref-parser to dereference $ref pointers in OpenAPI specifications without configuring any URL...
    Published: April 08, 2026; 5:17:00 PM -0400

  • CVE-2026-40100 - FastGPT is an AI Agent building platform. Prior to 4.14.10.3, the /api/core/app/mcpTools/runTool endpoint accepts arbitrary URLs without authentication. The internal IP check in isInternalAddress() only blocks private IPs when CHECK_INTERNAL_IP=tr...
    Published: April 10, 2026; 1:17:12 PM -0400

  • CVE-2026-40074 - SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. Prior to 2.57.1, redirect, when called from inside the handle server hook with a location parameter containing characters that are invalid in an HTTP ...
    Published: April 10, 2026; 1:17:12 PM -0400

    V3.1: 7.5 HIGH
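
The two Orthanc entries above (CVE-2026-5439 for uploaded ZIP archives, CVE-2026-5438 for gzip request bodies) describe the same failure mode: the server sizes memory from attacker-controlled "uncompressed size" metadata and puts no ceiling on decompressed output. The following Python is an added example, not Orthanc's code, of the guard that closes both: stream the decompressor in small chunks, count the bytes that actually come out, and abort at a hard limit, using the declared size at most as an early reject. The bomb payloads are constructed inline so the example runs offline.

```python
"""Bounded decompression for gzip request bodies and uploaded ZIP archives.

Added example, not Orthanc code. The guard is the same for both formats:
count the bytes that actually come out of the decompressor, stream in small
chunks, and abort once a hard limit is passed. The gzip ISIZE trailer and
the ZIP entry's declared uncompressed size are attacker-controlled and are
never used to size a buffer; at most they serve as an early reject.
"""
import gzip
import io
import zipfile

CHUNK = 64 * 1024  # read granularity; bounds peak memory per read call


class DecompressionBomb(ValueError):
    """Raised when decompressed output would exceed the configured limit."""


def bounded_gunzip(data: bytes, max_out: int) -> bytes:
    """Decompress a gzip body, failing as soon as output exceeds max_out.
    GzipFile.read(n) returns at most n bytes, so a few-KB payload that would
    expand to gigabytes is stopped after max_out + CHUNK bytes at most."""
    out = bytearray()
    with gzip.GzipFile(fileobj=io.BytesIO(data), mode="rb") as f:
        while True:
            piece = f.read(CHUNK)
            if not piece:
                break
            out += piece
            if len(out) > max_out:
                raise DecompressionBomb(f"gzip body exceeds {max_out} bytes")
    return bytes(out)


def bounded_unzip(data: bytes, max_total: int, max_entries: int = 1000) -> dict:
    """Extract every file in an in-memory ZIP with a cap on the total
    decompressed size across all entries and on the entry count."""
    files = {}
    total = 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
        if len(infos) > max_entries:
            raise DecompressionBomb(f"archive has {len(infos)} entries, limit {max_entries}")
        for info in infos:
            if info.is_dir():
                continue
            # The declared size may lie in either direction; it is trusted
            # only to reject early, never to allocate.
            if info.file_size > max_total:
                raise DecompressionBomb(f"{info.filename} declares {info.file_size} bytes")
            buf = bytearray()
            with zf.open(info) as f:
                while True:
                    piece = f.read(CHUNK)
                    if not piece:
                        break
                    total += len(piece)
                    if total > max_total:
                        raise DecompressionBomb(
                            f"archive expands past {max_total} bytes at {info.filename}")
                    buf += piece
            files[info.filename] = bytes(buf)
    return files


# Constructed sample inputs: highly compressible zero-filled payloads.
def make_gzip_bomb(size: int) -> bytes:
    return gzip.compress(bytes(size))


def make_zip_bomb(size: int, entries: int = 1) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for i in range(entries):
            zf.writestr(f"big{i}.bin", bytes(size))
    return buf.getvalue()


if __name__ == "__main__":
    bomb = make_gzip_bomb(8 * 1024 * 1024)
    print(f"{len(bomb)} compressed bytes expand to 8 MiB")
    try:
        bounded_gunzip(bomb, max_out=1024 * 1024)
    except DecompressionBomb as exc:
        print("rejected:", exc)
```

The ZIP cap is on the sum across entries, not per entry, because an archive of many individually small files is the other common shape of the attack; the entry-count limit bounds the central-directory parsing cost in the same way.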
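
CVE-2026-39844 above turns on a portability detail: PurePosixPath treats a backslash as an ordinary filename character, so a sanitiser built on it leaves "..\..\evil.txt" intact, and a Windows host later resolves those segments as a traversal. The Python below is an added example, not NiceGUI's code: posix_only_basename reproduces the weak pattern, safe_basename splits on both separator styles and rejects names Windows would silently rewrite, and windows_target uses ntpath (available on every platform) to show offline where each result would land on a Windows server. The upload root and filenames are constructed for illustration.

```python
"""Separator-agnostic sanitisation of upload filenames.

Added example, not NiceGUI code. posix_only_basename reproduces the weak
pattern behind CVE-2026-39844: PurePosixPath treats '\\' as an ordinary
character, so '..\\..\\evil.txt' passes through untouched and, on a Windows
host, resolves above the upload directory. safe_basename splits on both
separators; windows_target and is_inside use ntpath so the Windows
behaviour is visible on any OS. Paths are constructed for illustration.
"""
import ntpath
import re
from pathlib import PurePosixPath

_ANY_SEP = re.compile(r"[\\/]+")


def posix_only_basename(filename: str) -> str:
    """Weak: strips only '/'-separated directories."""
    return PurePosixPath(filename).name


def safe_basename(filename: str) -> str:
    """Keep only the final path component regardless of separator style and
    reject names that cannot be created safely on either platform."""
    name = _ANY_SEP.split(filename)[-1]
    if name in ("", ".", ".."):
        raise ValueError(f"unsafe upload filename: {filename!r}")
    if "\0" in name or ":" in name:      # NUL truncation; NTFS streams / drive letters
        raise ValueError(f"unsafe upload filename: {filename!r}")
    if name != name.rstrip(" ."):        # Windows silently drops trailing dots/spaces
        raise ValueError(f"unsafe upload filename: {filename!r}")
    return name


def windows_target(upload_root: str, filename: str) -> str:
    """Path a Windows server would write to: ntpath.normpath collapses '..'
    segments the way the OS does, so an escape is visible offline."""
    return ntpath.normpath(ntpath.join(upload_root, filename))


def is_inside(upload_root: str, target: str) -> bool:
    """Containment check that should accompany any name sanitisation."""
    root = ntpath.normpath(upload_root)
    return ntpath.commonpath([root, target]) == root


if __name__ == "__main__":
    root = "C:\\srv\\uploads"
    hostile = "..\\..\\evil.txt"
    for label, fn in (("posix-only", posix_only_basename), ("safe", safe_basename)):
        target = windows_target(root, fn(hostile))
        print(f"{label:10s} -> {target}  inside={is_inside(root, target)}")
```

Beyond separators, a Windows deployment also needs to refuse reserved device names (CON, NUL, COM1 and so on), which is omitted here to keep the example on the point the advisory makes.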
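
CVE-2026-40100 above describes an SSRF guard whose internal-address check runs only when an environment flag is set, which leaves the default configuration able to reach loopback, link-local (cloud metadata) and private-range hosts. The Python below is an added example, not FastGPT's code: check_destination_gated reproduces the weak flag-gated pattern, and check_destination is the always-on form, which resolves the hostname, requires every answer to be globally routable, unwraps IPv4-mapped IPv6 literals, and returns the validated addresses so the caller can pin them instead of re-resolving. The resolver is injectable and FAKE_DNS holds constructed answers, so the example runs offline; the public addresses in it are placeholders, not real records for those names.

```python
"""Destination validation for server-side HTTP requests.

Added example, not FastGPT code. check_destination_gated reproduces the weak
pattern described for CVE-2026-40100: the internal-address check runs only
when a flag is set, so the default configuration reaches loopback,
link-local (cloud metadata) and private-range hosts. check_destination
always resolves the name, requires every answer to be globally routable, and
unwraps IPv4-mapped IPv6 literals. The resolver is injectable; FAKE_DNS
holds constructed answers so the example runs offline.
"""
import ipaddress
import socket
from urllib.parse import urlsplit


def system_resolve(host: str) -> list:
    """All A/AAAA answers, so a name with one public and one private record
    is still caught. Scope suffixes such as fe80::1%eth0 are stripped."""
    return sorted({info[4][0].split("%")[0] for info in socket.getaddrinfo(host, None)})


def is_internal(ip_text: str) -> bool:
    """True for anything not globally routable: loopback, RFC 1918,
    link-local (169.254.0.0/16 hosts cloud metadata), CGNAT, multicast,
    reserved and unspecified addresses."""
    ip = ipaddress.ip_address(ip_text)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped            # ::ffff:127.0.0.1 is still loopback
    return (not ip.is_global) or ip.is_multicast


def check_destination(url: str, resolve=system_resolve) -> list:
    """Return the validated addresses the caller must connect to (pinning
    them defeats DNS rebinding between check and use), or raise ValueError."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    host = parts.hostname
    if not host:
        raise ValueError("missing host")
    try:
        addrs = [str(ipaddress.ip_address(host))]   # literal address, no DNS
    except ValueError:
        addrs = resolve(host)
    if not addrs:
        raise ValueError(f"{host}: no addresses")
    for addr in addrs:
        if is_internal(addr):
            raise ValueError(f"{host} resolves to internal address {addr}")
    return addrs


def check_destination_gated(url: str, check_internal_ip: bool = False,
                            resolve=system_resolve) -> list:
    """Weak: validates only when the flag is on, and the flag is off by default."""
    if not check_internal_ip:
        return [urlsplit(url).hostname]  # unchecked pass-through
    return check_destination(url, resolve)


def is_allowed(url: str, resolve=system_resolve) -> bool:
    try:
        check_destination(url, resolve)
        return True
    except ValueError:
        return False


def is_allowed_gated(url: str, check_internal_ip: bool = False,
                     resolve=system_resolve) -> bool:
    try:
        check_destination_gated(url, check_internal_ip, resolve)
        return True
    except ValueError:
        return False


# Constructed DNS answers for offline use (not real records for these names).
FAKE_DNS = {
    "api.example.test": ["8.8.8.8"],
    "metadata.example.test": ["169.254.169.254"],
    "dual.example.test": ["8.8.8.8", "10.0.0.5"],
}


def fake_resolve(host: str) -> list:
    return FAKE_DNS.get(host, [])


if __name__ == "__main__":
    for u in ("https://api.example.test/v1", "http://metadata.example.test/latest/meta-data/",
              "http://127.0.0.1:8080/admin", "http://[::ffff:127.0.0.1]/"):
        print(f"{u:48s} gated-default={is_allowed_gated(u, resolve=fake_resolve)} "
              f"always-on={is_allowed(u, fake_resolve)}")
```

Two points the flag-gated version misses even when enabled: a name that resolves to both a public and a private address must be rejected on the private one, and the HTTP client must connect to the address that was checked rather than resolve the name again; HTTP redirects from the fetched resource need the same check applied on every hop.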

Created September 20, 2022, Updated August 27, 2024