Apr 23, 2026 · updated 19:27 UTC
Act Now
CRITICAL · 10.0
Patched
LIVE · vuln.today
CVE-2026-41679 · Authentication Bypass
Remote unauthenticated attackers achieve full code execution on Paperclip AI orchestration servers (versions prior to 2026.416.0) via authentication bypass through a six-step API call chain. The attack requires no credentials, no user inter
threat 2.0
CRITICAL · 9.3
SocialEngine versions 7.8.0 and prior contain a SQL injection vulnerability in the /activity/index/get-memberall endpoint where user-supplie
CVE-2026-41460 · Authentication Bypass
unpatched
CRITICAL · 9.1
Remote code execution in Froxlor server administration software versions prior to 2
CVE-2026-41229 · PHP
patched
CRITICAL · 9.9
Authenticated customers can achieve remote code execution in Froxlor server administration software versions prior to 2
CVE-2026-41228 · PHP
patched
CRITICAL · 9.0
Remote code execution in Luanti 5
CVE-2026-41196 · RCE
patched
CRITICAL · 9.9
In hackage-server, user-controlled metadata from .cabal files are rendered into HTML href attributes without proper sanitization, enabling s
CVE-2026-40472 · XSS
unpatched
CRITICAL · 9.6
hackage-server lacked Cross-Site Request Forgery (CSRF) protection across its endpoints. Scripts on foreign sites could trigger requests to
CVE-2026-40471 · CSRF
unpatched
A critical XSS vulnerability affected hackage-server and hackage.haskell.org. HTML and JavaScript files provided in source packages or via
vuln.today · CVE-2026-40470
CRITICAL · 9.9
Act Now
unpatched
- Remote code execution in FunnelFormsPro WordPress plugin (versions up to 3
  vuln.today · CVE-2026-39440 · CRITICAL · 9.9 · Act Now
- In Rocket.Chat <8.3.0, <8.2.1, <8.1.2, <8.0.3, <7.13.5, <7.12.6, <7.11.6, and <7.10.9, a NoSQL injection vulnerability can lead to account t
  vuln.today · CVE-2026-29198 · CRITICAL · 9.8 · Act Now
- Kofax Capture, now referred to as Tungsten Capture, version 6.0.0.0 (other versions may be affected) exposes a deprecated .NET Remoting HTTP
  vuln.today · CVE-2026-23751 · CRITICAL · 9.3 · Act Now · PoC
- SQL injection in Borg SPM 2007 allows unauthenticated remote attackers to execute arbitrary SQL commands via network requests, enabling comp
  vuln.today · CVE-2026-6887 · CRITICAL · 9.3 · Act Now
- Authentication bypass in Borg SPM 2007 allows remote unauthenticated attackers to impersonate any user and gain complete system access witho
  vuln.today · CVE-2026-6886 · CRITICAL · 9.3 · Act Now
- Remote code execution in Borg SPM 2007 allows unauthenticated attackers to upload and execute web shell backdoors via unrestricted file uplo
  vuln.today · CVE-2026-6885 · CRITICAL · 9.3 · Act Now
- A path traversal condition in Intrado 911 Emergency Gateway could allow an attacker with existing network access the ability to access the E
  vuln.today · CVE-2026-6074 · CRITICAL · 9.3 · Act Now
Latest
- Improper input validation in Microsoft SharePoint Server enables network-based spoofing attacks without authentication, allowing attackers t
  CVE-2026-32201 · KEV
- Prototype pollution in Adobe Acrobat Reader versions 24
  CVE-2026-34621 · 8.6 · KEV
- Remote code execution in Apache ActiveMQ Classic versions before 5
  CVE-2026-34197 · 8.8 · KEV
- Remote code execution in Fortinet FortiClientEMS versions 7
  CVE-2026-35616 · 9.8 · KEV
- Remote code execution in Google Chrome prior to version 146
  CVE-2026-5281 · 8.8 · KEV
- Arbitrary code execution in TrueConf Client allows authenticated attackers on adjacent networks to deliver malicious updates due to missing
  CVE-2026-3502 · 7.8 · KEV