# Top 50 CVEs — April 2026 & March 2026

_50 vulnerabilities, ordered by the VAP column. KEV = listed in CISA's Known Exploited Vulnerabilities catalog; EPSS = FIRST's estimated probability that the vulnerability is exploited in the next 30 days._

| CVE ID | CVSS | Severity | CWE | CISA KEV | EPSS | VAP | Published | Description |
|--------|------|----------|-----|-----|------|-----|-----------|-------------|
| [CVE-2026-29058](https://nvd.nist.gov/vuln/detail/CVE-2026-29058) | 9.8 | CRITICAL | CWE-78 | No | 50.9% | 8.39 | 2026-03-06 | AVideo is a video-sharing Platform software. Prior to version 7.0, an unauthenticated attacker can execute arbitrary OS... |
| [CVE-2026-3055](https://nvd.nist.gov/vuln/detail/CVE-2026-3055) | 9.3 | CRITICAL | CWE-125 | Yes | 53.8% | 8.12 | 2026-03-23 | Insufficient input validation in NetScaler ADC and NetScaler Gateway when configured as a SAML IDP leading to memory ove... |
| [CVE-2026-1492](https://nvd.nist.gov/vuln/detail/CVE-2026-1492) | 9.8 | CRITICAL | CWE-269 | No | 39.0% | 8.03 | 2026-03-03 | The User Registration & Membership – Custom Registration Form Builder, Custom Login Form, User Profile, Content Restrict... |
| [CVE-2026-28289](https://nvd.nist.gov/vuln/detail/CVE-2026-28289) | 10.0 | CRITICAL | CWE-434 | No | 22.3% | 7.67 | 2026-03-03 | FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. A patch bypass vulnerability for CVE-... |
| [CVE-2026-35616](https://nvd.nist.gov/vuln/detail/CVE-2026-35616) | 9.8 | CRITICAL | CWE-284 | Yes | 25.3% | 7.62 | 2026-04-04 | An improper access control vulnerability in Fortinet FortiClientEMS 7.4.5 through 7.4.6 may allow an unauthenticated atta... |
| [CVE-2026-33478](https://nvd.nist.gov/vuln/detail/CVE-2026-33478) | 10.0 | CRITICAL | CWE-78 | No | 20.6% | 7.62 | 2026-03-23 | WWBN AVideo is an open source video platform. In versions up to and including 26.0, multiple vulnerabilities in AVideo's... |
| [CVE-2026-28501](https://nvd.nist.gov/vuln/detail/CVE-2026-28501) | 9.8 | CRITICAL | CWE-89 | No | 20.9% | 7.49 | 2026-03-06 | WWBN AVideo is an open source video platform. Prior to version 24.0, an unauthenticated SQL Injection vulnerability exis... |
| [CVE-2026-4257](https://nvd.nist.gov/vuln/detail/CVE-2026-4257) | 9.8 | CRITICAL | CWE-94 | No | 19.6% | 7.45 | 2026-03-30 | The Contact Form by Supsystic plugin for WordPress is vulnerable to Server-Side Template Injection (SSTI) leading to Rem... |
| [CVE-2026-3584](https://nvd.nist.gov/vuln/detail/CVE-2026-3584) | 9.8 | CRITICAL | CWE-94 | No | 17.1% | 7.37 | 2026-03-20 | The Kali Forms plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.4.9 v... |
| [CVE-2026-27971](https://nvd.nist.gov/vuln/detail/CVE-2026-27971) | 9.2 | CRITICAL | CWE-502 | No | 30.0% | 7.34 | 2026-03-03 | Qwik is a performance focused javascript framework. qwik <=1.19.0 is vulnerable to RCE due to an unsafe deserialization... |
| [CVE-2026-33634](https://nvd.nist.gov/vuln/detail/CVE-2026-33634) | 9.4 | CRITICAL | CWE-506 | Yes | 21.2% | 7.21 | 2026-03-23 | Trivy is a security scanner. On March 19, 2026, a threat actor used compromised credentials to publish a malicious Trivy... |
| [CVE-2026-2699](https://nvd.nist.gov/vuln/detail/CVE-2026-2699) | 9.8 | CRITICAL | CWE-284 | No | 9.9% | 7.16 | 2026-04-02 | Customer Managed ShareFile Storage Zones Controller (SZC) allows an unauthenticated attacker to access restricted config... |
| [CVE-2026-34156](https://nvd.nist.gov/vuln/detail/CVE-2026-34156) | 9.9 | CRITICAL | CWE-913 | No | 7.2% | 7.15 | 2026-03-31 | NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior t... |
| [CVE-2026-28775](https://nvd.nist.gov/vuln/detail/CVE-2026-28775) | 10.0 | CRITICAL | CWE-1188 | No | 0.9% | 7.03 | 2026-03-04 | An unauthenticated Remote Code Execution (RCE) vulnerability exists in the SNMP service of International Datacasting Cor... |
| [CVE-2026-2743](https://nvd.nist.gov/vuln/detail/CVE-2026-2743) | 10.0 | CRITICAL | CWE-22 | No | 0.6% | 7.02 | 2026-03-05 | Arbitrary File Write via Path Traversal upload to Remote Code Execution in SeppMail User Web Interface. The affected fea... |
| [CVE-2026-0848](https://nvd.nist.gov/vuln/detail/CVE-2026-0848) | 10.0 | CRITICAL | CWE-20 | No | 0.5% | 7.02 | 2026-03-05 | NLTK versions <=3.9.2 are vulnerable to arbitrary code execution due to improper input validation in the StanfordSegment... |
| [CVE-2026-30302](https://nvd.nist.gov/vuln/detail/CVE-2026-30302) | 10.0 | CRITICAL | CWE-78 | No | 0.5% | 7.01 | 2026-03-27 | The command auto-approval module in CodeRider-Kilo contains an OS Command Injection vulnerability, rendering its whiteli... |
| [CVE-2026-40175](https://nvd.nist.gov/vuln/detail/CVE-2026-40175) | 10.0 | CRITICAL | CWE-113 | No | 0.4% | 7.01 | 2026-04-10 | Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.0 and 0.3.1, the Axios library is vulner... |
| [CVE-2026-24898](https://nvd.nist.gov/vuln/detail/CVE-2026-24898) | 10.0 | CRITICAL | CWE-287 | No | 0.3% | 7.01 | 2026-03-03 | OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0,... |
| [CVE-2026-39337](https://nvd.nist.gov/vuln/detail/CVE-2026-39337) | 10.0 | CRITICAL | CWE-94 | No | 0.3% | 7.01 | 2026-04-07 | ChurchCRM is an open-source church management system. Prior to 7.1.0, critical pre-authentication remote code execution... |
| [CVE-2026-31957](https://nvd.nist.gov/vuln/detail/CVE-2026-31957) | 10.0 | CRITICAL | CWE-1188 | No | 0.3% | 7.01 | 2026-03-11 | Himmelblau is an interoperability suite for Microsoft Azure Entra ID and Intune. From 3.0.0 to before 3.1.0, if Himmelbl... |
| [CVE-2026-21628](https://nvd.nist.gov/vuln/detail/CVE-2026-21628) | 10.0 | CRITICAL | CWE-434 | No | 0.3% | 7.01 | 2026-03-05 | An improperly secured file management feature allows uploads of dangerous data types for unauthenticated users, leading t... |
| [CVE-2025-15379](https://nvd.nist.gov/vuln/detail/CVE-2025-15379) | 10.0 | CRITICAL | CWE-77 | No | 0.2% | 7.01 | 2026-03-30 | A command injection vulnerability exists in MLflow's model serving container initialization code, specifically in the `_... |
| [CVE-2026-3611](https://nvd.nist.gov/vuln/detail/CVE-2026-3611) | 10.0 | CRITICAL | CWE-306 | No | 0.2% | 7.01 | 2026-03-12 | The Honeywell IQ4x building management controller exposes its full web-based HMI without authentication in its factory-... |
| [CVE-2026-34208](https://nvd.nist.gov/vuln/detail/CVE-2026-34208) | 10.0 | CRITICAL | CWE-693 | No | 0.2% | 7.01 | 2026-04-06 | SandboxJS is a JavaScript sandboxing library. Prior to 0.8.36, SandboxJS blocks direct assignment to global objects (for... |
| [CVE-2026-34162](https://nvd.nist.gov/vuln/detail/CVE-2026-34162) | 10.0 | CRITICAL | CWE-306 | No | 0.2% | 7.00 | 2026-03-31 | FastGPT is an AI Agent building platform. Prior to version 4.14.9.5, the FastGPT HTTP tools testing endpoint (/api/core/... |
| [CVE-2026-32871](https://nvd.nist.gov/vuln/detail/CVE-2026-32871) | 10.0 | CRITICAL | CWE-918 | No | 0.2% | 7.00 | 2026-04-02 | FastMCP is a Pythonic way to build MCP servers and clients. Prior to version 3.2.0, the OpenAPIProvider in FastMCP expos... |
| [CVE-2026-3587](https://nvd.nist.gov/vuln/detail/CVE-2026-3587) | 10.0 | CRITICAL | CWE-912 | No | 0.1% | 7.00 | 2026-03-23 | An unauthenticated remote attacker can exploit a hidden function in the CLI prompt to escape the restricted interface, l... |
| [CVE-2026-31852](https://nvd.nist.gov/vuln/detail/CVE-2026-31852) | 10.0 | CRITICAL | CWE-269 | No | 0.1% | 7.00 | 2026-03-11 | Jellyfin is an open-source media system. The code-quality.yml GitHub Actions workflow in jellyfin/jellyfin-ios is vulner... |
| [CVE-2026-34938](https://nvd.nist.gov/vuln/detail/CVE-2026-34938) | 10.0 | CRITICAL | CWE-693 | No | 0.1% | 7.00 | 2026-04-03 | PraisonAI is a multi-agent teams system. Prior to version 1.5.90, execute_code() in praisonai-agents runs attacker-contr... |
| [CVE-2026-32169](https://nvd.nist.gov/vuln/detail/CVE-2026-32169) | 10.0 | CRITICAL | CWE-918 | No | 0.1% | 7.00 | 2026-03-19 | Server-side request forgery (SSRF) in Azure Cloud Shell allows an unauthorized attacker to elevate privileges over a net... |
| [CVE-2026-32186](https://nvd.nist.gov/vuln/detail/CVE-2026-32186) | 10.0 | CRITICAL | CWE-918 | No | 0.1% | 7.00 | 2026-04-03 | Server-side request forgery (SSRF) in Microsoft Bing allows an unauthorized attacker to elevate privileges over a networ... |
| [CVE-2026-33494](https://nvd.nist.gov/vuln/detail/CVE-2026-33494) | 10.0 | CRITICAL | CWE-23 | No | 0.1% | 7.00 | 2026-03-26 | ORY Oathkeeper is an Identity & Access Proxy (IAP) and Access Control Decision API that authorizes HTTP requests based o... |
| [CVE-2026-4370](https://nvd.nist.gov/vuln/detail/CVE-2026-4370) | 10.0 | CRITICAL | CWE-295 | No | 0.1% | 7.00 | 2026-04-01 | A vulnerability was identified in Juju from version 3.2.0 until 3.6.19 and from version 4.0 until 4.0.4, where the inter... |
| [CVE-2026-27897](https://nvd.nist.gov/vuln/detail/CVE-2026-27897) | 10.0 | CRITICAL | CWE-22 | No | 0.1% | 7.00 | 2026-03-11 | Vociferous provides cross-platform, offline speech-to-text with local AI refinement. Prior to 4.4.2, the vulnerability e... |
| [CVE-2025-54328](https://nvd.nist.gov/vuln/detail/CVE-2025-54328) | 10.0 | CRITICAL | CWE-121 | No | 0.1% | 7.00 | 2026-04-06 | An issue was discovered in SMS in Samsung Mobile Processor, Wearable Processor, and Modem Exynos 980, 990, 850, 1080, 21... |
| [CVE-2026-26954](https://nvd.nist.gov/vuln/detail/CVE-2026-26954) | 10.0 | CRITICAL | CWE-94 | No | 0.1% | 7.00 | 2026-03-13 | SandboxJS is a JavaScript sandboxing library. Prior to 0.8.34, it is possible to obtain arrays containing Function, whic... |
| [CVE-2026-28353](https://nvd.nist.gov/vuln/detail/CVE-2026-28353) | 10.0 | CRITICAL | CWE-506 | No | 0.1% | 7.00 | 2026-03-05 | Trivy Vulnerability Scanner is a VS Code extension that helps find vulnerabilities. In Trivy VSCode Extension version 1.... |
| [CVE-2026-30966](https://nvd.nist.gov/vuln/detail/CVE-2026-30966) | 10.0 | CRITICAL | CWE-284 | No | 0.1% | 7.00 | 2026-03-10 | Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-a... |
| [CVE-2026-34976](https://nvd.nist.gov/vuln/detail/CVE-2026-34976) | 10.0 | CRITICAL | CWE-862 | No | 0.0% | 7.00 | 2026-04-06 | Dgraph is an open source distributed GraphQL database. Prior to 25.3.1, the restoreTenant admin mutation is missing from... |
| [CVE-2026-33107](https://nvd.nist.gov/vuln/detail/CVE-2026-33107) | 10.0 | CRITICAL | CWE-918 | No | 0.0% | 7.00 | 2026-04-03 | Server-side request forgery (SSRF) in Azure Databricks allows an unauthorized attacker to elevate privileges over a netw... |
| [CVE-2026-33105](https://nvd.nist.gov/vuln/detail/CVE-2026-33105) | 10.0 | CRITICAL | CWE-285 | No | 0.0% | 7.00 | 2026-04-03 | Improper authorization in Microsoft Azure Kubernetes Service allows an unauthorized attacker to elevate privileges over... |
| [CVE-2026-32213](https://nvd.nist.gov/vuln/detail/CVE-2026-32213) | 10.0 | CRITICAL | CWE-285 | No | 0.0% | 7.00 | 2026-04-03 | Improper authorization in Azure AI Foundry allows an unauthorized attacker to elevate privileges over a network. |
| [CVE-2026-22557](https://nvd.nist.gov/vuln/detail/CVE-2026-22557) | 10.0 | CRITICAL | CWE-22 | No | 0.0% | 7.00 | 2026-03-19 | A malicious actor with access to the network could exploit a Path Traversal vulnerability found in the UniFi Network App... |
| [CVE-2026-4689](https://nvd.nist.gov/vuln/detail/CVE-2026-4689) | 10.0 | CRITICAL | CWE-190 | No | 0.0% | 7.00 | 2026-03-24 | Sandbox escape due to incorrect boundary conditions, integer overflow in the XPCOM component. This vulnerability was fix... |
| [CVE-2026-4692](https://nvd.nist.gov/vuln/detail/CVE-2026-4692) | 10.0 | CRITICAL | NVD-CWE-noinfo | No | 0.0% | 7.00 | 2026-03-24 | Sandbox escape in the Responsive Design Mode component. This vulnerability was fixed in Firefox 149, Firefox ESR 115.34,... |
| [CVE-2026-33054](https://nvd.nist.gov/vuln/detail/CVE-2026-33054) | 10.0 | CRITICAL | CWE-22 | No | 0.0% | 7.00 | 2026-03-20 | Mesop is a Python-based UI framework that allows users to build web applications. Versions 1.2.2 and below contain a Pat... |
| [CVE-2026-4688](https://nvd.nist.gov/vuln/detail/CVE-2026-4688) | 10.0 | CRITICAL | CWE-416 | No | 0.0% | 7.00 | 2026-03-24 | Sandbox escape due to use-after-free in the Disability Access APIs component. This vulnerability was fixed in Firefox 14... |
| [CVE-2026-0124](https://nvd.nist.gov/vuln/detail/CVE-2026-0124) | 10.0 | CRITICAL | CWE-787 | No | 0.0% | 7.00 | 2026-03-10 | There is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege... |
| [CVE-2025-48611](https://nvd.nist.gov/vuln/detail/CVE-2025-48611) | 10.0 | CRITICAL | CWE-120 | No | 0.0% | 7.00 | 2026-03-10 | In DeviceId of DeviceId.java, there is a possible desync in persistence due to a missing bounds check. This could lead t... |
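
The table is ordered by its VAP column, and most of it is CVSS 10.0 entries with EPSS at or near 0.0%, while the three KEV-listed entries (CVE-2026-3055, CVE-2026-35616, CVE-2026-33634) sit further down with lower CVSS. A patching queue built from this list should re-rank by confirmed exploitation and EPSS before CVSS, so that a 10.0 with 0.0% EPSS does not displace a KEV-listed 9.3 with 53.8% EPSS. The Python below is an added example, not code from this page or from any of the projects it lists: it parses rows in the table's own markdown format (six rows copied from above, with the Description column shortened) and applies that re-ranking. The 10% "patch first" threshold and the 1% "quiet critical" ceiling are assumed policy values chosen for illustration, not figures from the page.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Rows copied from the table above, Description column shortened. The header and
# separator lines are included deliberately so the parser has to skip them.
SAMPLE_TABLE = """
| CVE ID | CVSS | Severity | CWE | KEV | EPSS | VAP | Published | Description |
|--------|------|----------|-----|-----|------|-----|-----------|-------------|
| [CVE-2026-29058](https://nvd.nist.gov/vuln/detail/CVE-2026-29058) | 9.8 | CRITICAL | CWE-78 | No | 50.9% | 8.39 | 2026-03-06 | AVideo before 7.0: unauthenticated OS command execution |
| [CVE-2026-3055](https://nvd.nist.gov/vuln/detail/CVE-2026-3055) | 9.3 | CRITICAL | CWE-125 | Yes | 53.8% | 8.12 | 2026-03-23 | NetScaler ADC/Gateway as SAML IDP: insufficient input validation |
| [CVE-2026-35616](https://nvd.nist.gov/vuln/detail/CVE-2026-35616) | 9.8 | CRITICAL | CWE-284 | Yes | 25.3% | 7.62 | 2026-04-04 | FortiClientEMS 7.4.5 through 7.4.6: improper access control |
| [CVE-2026-33634](https://nvd.nist.gov/vuln/detail/CVE-2026-33634) | 9.4 | CRITICAL | CWE-506 | Yes | 21.2% | 7.21 | 2026-03-23 | Trivy: compromised credentials used to publish malicious code |
| [CVE-2026-28775](https://nvd.nist.gov/vuln/detail/CVE-2026-28775) | 10.0 | CRITICAL | CWE-1188 | No | 0.9% | 7.03 | 2026-03-04 | International Datacasting SNMP service: unauthenticated RCE |
| [CVE-2026-32213](https://nvd.nist.gov/vuln/detail/CVE-2026-32213) | 10.0 | CRITICAL | CWE-285 | No | 0.0% | 7.00 | 2026-04-03 | Azure AI Foundry: improper authorization, network privilege elevation |
"""

# First cell of every data row is a markdown link whose text is the CVE ID.
CVE_LINK = re.compile(r"\[(CVE-\d{4}-\d{4,})\]\(https?://[^)]+\)")


@dataclass(frozen=True)
class Entry:
    cve: str
    cvss: float
    severity: str
    cwe: str
    kev: bool          # listed in CISA's Known Exploited Vulnerabilities catalog
    epss: float        # EPSS as a probability in [0, 1]
    vap: float
    published: str
    description: str


def parse_table(markdown: str) -> list[Entry]:
    """Parse the page's 9-column markdown table into Entry records."""
    entries: list[Entry] = []
    for raw in markdown.splitlines():
        line = raw.strip()
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip("|").split("|")]
        link = CVE_LINK.fullmatch(cells[0])
        if link is None:
            continue  # header or separator row, not a CVE row
        if len(cells) != 9:
            raise ValueError(f"expected 9 columns, got {len(cells)}: {line!r}")
        entries.append(Entry(
            cve=link.group(1),
            cvss=float(cells[1]),
            severity=cells[2],
            cwe=cells[3],
            kev=cells[4].casefold() == "yes",
            epss=float(cells[5].rstrip("%")) / 100.0,
            vap=float(cells[6]),
            published=cells[7],
            description=cells[8],
        ))
    return entries


def triage_key(e: Entry) -> tuple[bool, float, float]:
    """Sort key, used descending: confirmed exploitation (KEV), then EPSS, then CVSS."""
    return (e.kev, e.epss, e.cvss)


def triage(entries: list[Entry]) -> list[str]:
    """CVE IDs in patching order under the KEV > EPSS > CVSS rule."""
    return [e.cve for e in sorted(entries, key=triage_key, reverse=True)]


def patch_first(entries: list[Entry], epss_threshold: float = 0.10) -> list[str]:
    """CVEs in KEV or at/above the EPSS threshold (assumed policy value)."""
    return [e.cve for e in entries if e.kev or e.epss >= epss_threshold]


def critical_but_quiet(entries: list[Entry], epss_ceiling: float = 0.01) -> list[str]:
    """CVSS-critical rows with no KEV listing and negligible EPSS (assumed ceiling):
    the score alone should not push these ahead of the KEV-listed entries."""
    return [e.cve for e in entries if e.cvss >= 9.0 and not e.kev and e.epss < epss_ceiling]


if __name__ == "__main__":
    rows = parse_table(SAMPLE_TABLE)
    print("triage order:", triage(rows))
    print("patch first :", patch_first(rows))
    print("quiet 10.0s :", critical_but_quiet(rows))
```

Run against the six sample rows, `triage` puts the three KEV entries first even though every one of them has a lower CVSS score than the two 10.0 rows, and `critical_but_quiet` flags exactly those two 10.0 rows. The same parser works on the full table above if the rows are pasted in, because each row keeps the same nine-cell layout.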
