9.8

CVSS3.1

CVE-2026-6264 - Critical Security fix for the Talend JobServer and Talend Runtime

A critical vulnerability in the Talend JobServer and Talend Runtime allows unauthenticated remote code execution via the JMX monitoring port. The attack vector is the JMX monitoring port of the Talend JobServer. The vulnerability can be mitigated for the Talend JobServer by requiring TLS client autโ€ฆ

๐Ÿ“… Published: April 14, 2026, 1:49 a.m. ๐Ÿ”„ Last Modified: April 14, 2026, 2:03 a.m.

7.1

CVSS4.0

CVE-2026-34984 - External Secrets Operator has DNS exfiltration via getHostByName in its v2 template engine

External Secrets Operator reads information from a third-party service and automatically injects the values as Kubernetes Secrets. Versions 2.2.0 and below contain a vulnerability in runtime/template/v2/template.go where the v2 template engine removes env and expandenv from Sprig's TxtFuncMap() butโ€ฆ

๐Ÿ“… Published: April 14, 2026, 1:48 a.m. ๐Ÿ”„ Last Modified: April 14, 2026, 1:48 a.m.

4.3

CVSS3.1

CVE-2026-34225 - Open WebUI has Blind Server Side Request Forgery in its Image Edit Functionality

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Versions 0.7.2 and below contain a Blind Server Side Request Forgery in the functionality that allows editing an image via a prompt. The affected function performs a GET request to a user-provided URLโ€ฆ

๐Ÿ“… Published: April 14, 2026, 1:39 a.m. ๐Ÿ”„ Last Modified: April 14, 2026, 1:39 a.m.

5.1

CVSS4.0

CVE-2026-39426 - MaxKB: Stored XSS via Unsanitized iframe_render Parsing

MaxKB is an open-source AI assistant for enterprise. Versions 2.7.1 and below contain a Stored Cross-Site Scripting (XSS) vulnerability where the frontend's MdRenderer.vue component parses custom <iframe_render> tags from LLM responses or Application Prologue configurations, bypassing standard Markโ€ฆ

๐Ÿ“… Published: April 14, 2026, 1:25 a.m. ๐Ÿ”„ Last Modified: April 14, 2026, 1:25 a.m.

7.5

CVSS3.1

CVE-2026-4352 - JetEngine <= 3.8.6.1 - Unauthenticated SQL Injection via '_cct_search' Parameter

The JetEngine plugin for WordPress is vulnerable to SQL Injection via the Custom Content Type (CCT) REST API search endpoint in all versions up to, and including, 3.8.6.1. This is due to the `_cct_search` parameter being interpolated directly into a SQL query string via `sprintf()` without sanitizaโ€ฆ

๐Ÿ“… Published: April 14, 2026, 1:25 a.m. ๐Ÿ”„ Last Modified: April 14, 2026, 1:25 a.m.

9.1

CVSS3.1

CVE-2026-4365 - LearnPress <= 4.3.2.8 - Missing Authorization to Unauthenticated Arbitrary Quiz Answer Deletion

The LearnPress plugin for WordPress is vulnerable to unauthorized data deletion due to a missing capability check on the `delete_question_answer()` function in all versions up to, and including, 4.3.2.8. The plugin exposes a `wp_rest` nonce in public frontend HTML (`lpData`) to unauthenticated visiโ€ฆ

๐Ÿ“… Published: April 14, 2026, 1:24 a.m. ๐Ÿ”„ Last Modified: April 14, 2026, 1:24 a.m.

5.1

CVSS4.0

CVE-2026-39425 - MaxKB: Stored XSS via Unsanitized html_rander Tags in Markdown Rendering

MaxKB is an open-source AI assistant for enterprise. Versions 2.7.1 and below contain a Stored Cross-Site Scripting (XSS) vulnerability that allows authenticated users to inject arbitrary HTML and JavaScript into the Application prologue (Opening Remarks) field by wrapping malicious payloads in <htโ€ฆ

๐Ÿ“… Published: April 14, 2026, 1:18 a.m. ๐Ÿ”„ Last Modified: April 14, 2026, 1:18 a.m.

3.1

CVSS3.1

CVE-2026-39419 - MaxKB: Sandbox Result Validation Bypass via Tool Output Spoofing

MaxKB is an open-source AI assistant for enterprise. In versions 2.7.1 and below, an authenticated user can bypass sandbox result validation and spoof tool execution results by exploiting Python frame introspection to read the wrapper's UUID from its bytecode constants, then writing a forged resultโ€ฆ

๐Ÿ“… Published: April 14, 2026, 1:03 a.m. ๐Ÿ”„ Last Modified: April 14, 2026, 1:03 a.m.

5.3

CVSS4.0

CVE-2026-39424 - MaxKB has CSV Injection in its Application Chat Export Functionality

MaxKB is an open-source AI assistant for enterprise. In versions 2.7.1 and below, the chat export feature is vulnerable to Improper Neutralization of Formula Elements in a CSV File. When an administrator exports the application chat history to an Excel file (.xlsx) via the /admin/api/workspace/{worโ€ฆ

๐Ÿ“… Published: April 14, 2026, 12:56 a.m. ๐Ÿ”„ Last Modified: April 14, 2026, 12:56 a.m.

6.9

CVSS4.0

CVE-2026-39423 - Stored XSS via Eval Injection in EchartsRander Component

MaxKB is an open-source AI assistant for enterprise. Versions 2.7.1 and below contain an Eval Injection vulnerability in the Markdown rendering engine that allows any user capable of interacting with the AI chat interface to execute arbitrary JavaScript in the browsers of other users, including admโ€ฆ

๐Ÿ“… Published: April 14, 2026, 12:28 a.m. ๐Ÿ”„ Last Modified: April 14, 2026, 12:28 a.m.
Total resulsts: 344245
Page 2 of 34,425
ยซ previous page ยป next page
Filters