Common Vulnerabilities and Exposures (CVE)

CVE-2026-6951

Apr 25, 2026 05:00:05 UTC

Versions of the package simple-git before 3.36.0 are vulnerable to Remote Code Execution (RCE) due to an incomplete fix for [CVE-2022-25912](https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-3112221) that blocks the -c option but not the equi...
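The pattern behind "incomplete fix" advisories like this one is a denylist that blocks the single flag the earlier report named while leaving every other option open. The following is an added example, not simple-git's code: a minimal denylist beside a builder that treats caller-supplied values as positional data only. The function names and the `--placeholder-flag=value` argument are hypothetical; the placeholder stands for any option the denylist does not know about and is not the bypass described in the advisory, which this page truncates.

```javascript
// Added example (not simple-git's code): why blocking one git flag is an
// incomplete fix for option injection, and what a positional-only argv builder
// looks like. Function names and placeholder arguments are hypothetical.

// Denylist approach: rejects only the flag it knows about (`-c`, including the
// `-cname=value` spelling). Any other option, or one added in a later git
// release, passes straight through.
function denylistFilter(userArgs) {
  for (const a of userArgs) {
    if (a.startsWith('-c') && !a.startsWith('--')) {
      throw new Error(`argument not allowed: ${a}`);
    }
  }
  return userArgs;
}

// Positional approach: caller-supplied values are data, never options.
//  - anything option-like is rejected unless it is on an explicit allowlist for
//    the subcommand, so no flag has to be known in advance to be blocked;
//  - allowed options come first, then `--end-of-options` (git >= 2.24, honoured
//    by subcommands built on git's parse-options) so git stops option parsing,
//    then the positionals;
//  - the result is an argv array for child_process.execFile/spawn, never a
//    shell string, so shell metacharacters are not in play.
function buildGitArgv(subcommand, userArgs, allowedOptions = new Set()) {
  const options = [];
  const positionals = [];
  for (const a of userArgs) {
    if (typeof a !== 'string') throw new TypeError('git arguments must be strings');
    if (a.startsWith('-')) {
      const name = a.split('=')[0];
      if (!allowedOptions.has(name)) throw new Error(`option-like argument rejected: ${a}`);
      options.push(a);
    } else {
      positionals.push(a);
    }
  }
  return [subcommand, ...options, '--end-of-options', ...positionals];
}

// Constructed inputs: `-c core.pager=cat` is the flag the denylist knows about;
// `--placeholder-flag=value` is a made-up option standing for anything else.
function compareApproaches() {
  const result = { denylist: {}, positional: {} };
  for (const args of [['-c', 'core.pager=cat', 'HEAD'], ['--placeholder-flag=value', 'HEAD']]) {
    const key = args[0];
    try { denylistFilter(args); result.denylist[key] = 'accepted'; }
    catch { result.denylist[key] = 'rejected'; }
    try { buildGitArgv('log', args); result.positional[key] = 'accepted'; }
    catch { result.positional[key] = 'rejected'; }
  }
  return result;
}
```

Run `compareApproaches()`: the denylist rejects `-c` but accepts the unknown option, while the positional builder rejects both. Passing legitimate options through an allowlist, e.g. `buildGitArgv('log', ['--oneline', 'main'], new Set(['--oneline']))`, yields `['log', '--oneline', '--end-of-options', 'main']`.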

CVE-2023-5933

Apr 25, 2026 04:05:38 UTC

An issue has been discovered in GitLab CE/EE affecting all versions after 13.7 before 16.6.6, 16.7 prior to 16.7.4, and 16.8 prior to 16.8.1. Improper input sanitization of user name allows arbitrary API PUT requests.

CVE-2023-3922

Apr 25, 2026 04:05:19 UTC

An issue has been discovered in GitLab affecting all versions starting from 8.15 before 16.2.8, all versions starting from 16.3 before 16.3.5, all versions starting from 16.4 before 16.4.1. It was possible to hijack some links and buttons o...

CVE-2023-3920

Apr 25, 2026 04:05:14 UTC

An issue has been discovered in GitLab affecting all versions starting from 11.2 before 16.2.8, all versions starting from 16.3 before 16.3.5, all versions starting from 16.4 before 16.4.1. It was possible that a maintainer to create a fork...

CVE-2026-42035

Apr 25, 2026 03:55:59 UTC

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, a prototype pollution gadget exists in the Axios HTTP adapter (lib/adapters/http.js) that allows an attacker to inject arbitrary HTTP headers into...

CVE-2026-42033

Apr 25, 2026 03:55:57 UTC

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, when Object.prototype has been polluted by any co-dependency with keys that axios reads without a hasOwnProperty guard, an attacker can (a) silent...
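Both Axios entries above describe the same bug class: a library reads a configuration key with plain property access, so a value that some unrelated dependency has planted on `Object.prototype` is picked up as if the caller had supplied it. The following is an added example, not axios's code. `buildHeadersVulnerable`, `buildHeadersHardened` and the polluted `headers` key are hypothetical stand-ins chosen to show the mechanism; the pollution itself is simulated inline and undone afterwards.

```javascript
// Added example (not axios's code): a header-building step that reads
// `config.headers` without an own-property guard, beside a hardened version.
// Function names and the polluted key are hypothetical.

// Vulnerable shape: `config.headers` resolves through the prototype chain when
// the caller never set it, so a polluted Object.prototype supplies the headers.
function buildHeadersVulnerable(config) {
  const out = {};
  const headers = config.headers || {};
  for (const name of Object.keys(headers)) {
    out[name] = String(headers[name]);
  }
  return out;
}

// Hardened shape: own-property check before reading the key, a type check on
// what comes back, own enumerable keys only, and a null-prototype result so
// the output object cannot itself become a gadget. Object.hasOwn needs
// Node 16.9+; Object.prototype.hasOwnProperty.call is the older equivalent.
function buildHeadersHardened(config) {
  const out = Object.create(null);
  const headers = Object.hasOwn(config, 'headers') ? config.headers : undefined;
  if (headers === null || typeof headers !== 'object') return out;
  for (const name of Object.keys(headers)) {
    const v = headers[name];
    if (typeof v === 'string' || typeof v === 'number') out[name] = String(v);
  }
  return out;
}

// Simulated co-dependency gadget (constructed): some other code merged
// attacker-controlled JSON unsafely and left a `headers` key on
// Object.prototype. Both builders run against a config that never set headers;
// the pollution is removed in `finally` so nothing else in the process sees it.
function demonstrate() {
  Object.prototype.headers = { 'X-Injected': 'attacker' };
  try {
    const cfg = { url: 'https://example.invalid/api' };
    return {
      vulnerable: buildHeadersVulnerable(cfg),
      hardened: { ...buildHeadersHardened(cfg) },
    };
  } finally {
    delete Object.prototype.headers;
  }
}
```

`demonstrate()` returns `{ vulnerable: { 'X-Injected': 'attacker' }, hardened: {} }`: the guarded path sends nothing the caller did not ask for, while the unguarded path forwards the injected header. The same guard applies to every other config key a client reads (timeouts, redirect limits, proxy settings), which is why the advisory speaks of keys in the plural.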

CVE-2026-41166

Apr 25, 2026 03:55:56 UTC

OpenRemote is an open-source internet-of-things platform. Prior to version 1.22.1, a user who has `write:admin` in one Keycloak realm can call the Manager API to update Keycloak realm roles for users in another realm, including `master`. Th...

CVE-2026-41044

Apr 25, 2026 03:55:54 UTC

Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache ActiveMQ, Apache ActiveMQ Broker, Apache ActiveMQ All. An authenticated attacker can use the admin web console page to construct a...

CVE-2026-40466

Apr 25, 2026 03:55:53 UTC

Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ. An authenticated attacker may bypass the fix in CVE-2026-34197 by adding ...

CVE-2026-32210

Apr 25, 2026 03:55:52 UTC

Server-side request forgery (SSRF) in Microsoft Dynamics 365 (Online) allows an unauthorized attacker to perform spoofing over a network.

CVE-2026-33102

Apr 25, 2026 03:55:51 UTC

URL redirection to untrusted site ('open redirect') in M365 Copilot allows an unauthorized attacker to elevate privileges over a network.

CVE-2026-33819

Apr 25, 2026 03:55:50 UTC

Deserialization of untrusted data in Microsoft Bing allows an unauthorized attacker to execute code over a network.

CVE-2026-24303

Apr 25, 2026 03:55:48 UTC

Improper access control in Microsoft Partner Center allows an authorized attacker to elevate privileges over a network.

CVE-2026-32172

Apr 25, 2026 03:55:47 UTC

Uncontrolled search path element in Microsoft Power Apps allows an unauthorized attacker to execute code over a network.

CVE-2026-41134

Apr 25, 2026 03:55:46 UTC

Kiota is an OpenAPI based HTTP Client code generator. Versions prior to 1.31.1 are affected by a code-generation literal injection vulnerability in multiple writer sinks (for example: serialization/deserialization keys, path/query parameter...