Patch Tuesday — April 2026

2026-04-14 · 1097 CVEs

CVEs published or modified the week of 2026-04-14, partitioned by vendor.

Microsoft (225 CVEs)

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-33824 | Critical | 9.8 |  | 2026-04-14 | Double free in Windows IKE Extension allows an unauthorized attacker to execute code over a network.
CVE-2026-6296 | Critical | 9.6 |  | 2026-04-15 | Heap buffer overflow in ANGLE in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page.
CVE-2026-27303 | Critical | 9.6 |  | 2026-04-14 | Adobe Connect versions 2025.3, 12.10 and earlier are affected by a Deserialization of Untrusted Data vulnerability that could result in arbitrary code execution in the context of the current user.
CVE-2026-34615 | Critical | 9.3 |  | 2026-04-14 | Adobe Connect versions 2025.3, 12.10 and earlier are affected by a Deserialization of Untrusted Data vulnerability that could result in arbitrary code execution in the context of the current user.
CVE-2026-27246 | Critical | 9.3 |  | 2026-04-14 | Adobe Connect versions 2025.3, 12.10 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability.
CVE-2026-27245 | Critical | 9.3 |  | 2026-04-14 | Adobe Connect versions 2025.3, 12.10 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnerability.
CVE-2026-27243 | Critical | 9.3 |  | 2026-04-14 | Adobe Connect versions 2025.3, 12.10 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnerability.
CVE-2026-26149 | Critical | 9.0 |  | 2026-04-14 | Improper neutralization of escape, meta, or control sequences in Microsoft Power Apps allows an authorized attacker to perform spoofing over a network.
CVE-2026-6318 | High | 8.8 |  | 2026-04-15 | Use after free in Codecs in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.
CVE-2026-6317 | High | 8.8 |  | 2026-04-15 | Use after free in Cast in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to execute arbitrary code via a crafted HTML page.
CVE-2026-6316 | High | 8.8 |  | 2026-04-15 | Use after free in Forms in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.
CVE-2026-6307 | High | 8.8 |  | 2026-04-15 | Type Confusion in Turbofan in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.
CVE-2026-6306 | High | 8.8 |  | 2026-04-15 | Heap buffer overflow in PDFium in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted PDF file.
CVE-2026-6305 | High | 8.8 |  | 2026-04-15 | Heap buffer overflow in PDFium in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted PDF file.
CVE-2026-6303 | High | 8.8 |  | 2026-04-15 | Use after free in Codecs in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.
CVE-2026-6302 | High | 8.8 |  | 2026-04-15 | Use after free in Video in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.
CVE-2026-6301 | High | 8.8 |  | 2026-04-15 | Type Confusion in Turbofan in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.
CVE-2026-6300 | High | 8.8 |  | 2026-04-15 | Use after free in CSS in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.
CVE-2026-6299 | High | 8.8 |  | 2026-04-15 | Use after free in Prerender in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to execute arbitrary code via a crafted HTML page.
CVE-2026-33120 | High | 8.8 |  | 2026-04-14 | Untrusted pointer dereference in SQL Server allows an authorized attacker to execute code over a network.
CVE-2026-32225 | High | 8.8 |  | 2026-04-14 | Protection mechanism failure in Windows Shell allows an unauthorized attacker to bypass a security feature over a network.
CVE-2026-32171 | High | 8.8 |  | 2026-04-14 | Insufficiently protected credentials in Azure Logic Apps allows an authorized attacker to elevate privileges over a network.
CVE-2026-32157 | High | 8.8 |  | 2026-04-14 | Use after free in Remote Desktop Client allows an unauthorized attacker to execute code over a network.
CVE-2026-26178 | High | 8.8 |  | 2026-04-14 | Integer size truncation in Windows Advanced Rasterization Platform (WARP) allows an unauthorized attacker to elevate privileges locally.
CVE-2026-26167 | High | 8.8 |  | 2026-04-14 | Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Push Notifications allows an authorized attacker to elevate privileges locally.
CVE-2026-34617 | High | 8.7 |  | 2026-04-14 | Adobe Connect versions 2025.3, 12.10 and earlier are affected by a Cross-Site Scripting (XSS) vulnerability that could result in privilege escalation.
CVE-2026-27928 | High | 8.7 |  | 2026-04-14 | Improper input validation in Windows Hello allows an unauthorized attacker to bypass a security feature over a network.
CVE-2026-27290 | High | 8.6 |  | 2026-04-14 | Adobe Framemaker versions 2022.8 and earlier are affected by an Untrusted Search Path vulnerability that might allow attackers to execute arbitrary code in the context of the current user.
CVE-2026-34622 | High | 8.6 |  | 2026-04-14 | Acrobat Reader versions 26.001.21411, 24.001.30360, 24.001.30362 and earlier are affected by an Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') vulnerability that could result in arbitrary code exe…
CVE-2026-33115 | High | 8.4 |  | 2026-04-14 | Use after free in Microsoft Office Word allows an unauthorized attacker to execute code locally.
CVE-2026-33114 | High | 8.4 |  | 2026-04-14 | Untrusted pointer dereference in Microsoft Office Word allows an unauthorized attacker to execute code locally.
CVE-2026-32221 | High | 8.4 |  | 2026-04-14 | Heap-based buffer overflow in Microsoft Graphics Component allows an unauthorized attacker to execute code locally.
CVE-2026-32190 | High | 8.4 |  | 2026-04-14 | Use after free in Microsoft Office allows an unauthorized attacker to execute code locally.
CVE-2026-32162 | High | 8.4 |  | 2026-04-14 | Acceptance of extraneous untrusted data with trusted data in Windows COM allows an unauthorized attacker to elevate privileges locally.
CVE-2026-32091 | High | 8.4 |  | 2026-04-14 | Concurrent execution using shared resource with improper synchronization ('race condition') in Microsoft Brokering File System allows an unauthorized attacker to elevate privileges locally.
CVE-2025-69627 | High | 8.4 |  | 2026-04-13 | Nitro PDF Pro for Windows 14.41.1.4 contains a heap use-after-free vulnerability in the implementation of the JavaScript method this.mailDoc().
CVE-2026-6314 | High | 8.3 |  | 2026-04-15 | Out of bounds write in GPU in Google Chrome prior to 147.0.7727.101 allowed a remote attacker who had compromised the GPU process to potentially perform a sandbox escape via a crafted HTML page.
CVE-2026-6311 | High | 8.3 |  | 2026-04-15 | Uninitialized Use in Accessibility in Google Chrome on Windows prior to 147.0.7727.101 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page.
CVE-2026-6310 | High | 8.3 |  | 2026-04-15 | Use after free in Dawn in Google Chrome prior to 147.0.7727.101 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page.
CVE-2026-6309 | High | 8.3 |  | 2026-04-15 | Use after free in Viz in Google Chrome prior to 147.0.7727.101 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page.
CVE-2026-6304 | High | 8.3 |  | 2026-04-15 | Use after free in Graphite in Google Chrome prior to 147.0.7727.101 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page.
CVE-2026-6297 | High | 8.3 |  | 2026-04-15 | Use after free in Proxy in Google Chrome prior to 147.0.7727.101 allowed an attacker in a privileged network position to potentially perform a sandbox escape via a crafted HTML page.
CVE-2026-33827 | High | 8.1 |  | 2026-04-14 | Concurrent execution using shared resource with improper synchronization ('race condition') in Windows TCP/IP allows an unauthorized attacker to execute code over a network.
CVE-2026-33826 | High | 8.0 |  | 2026-04-14 | Improper input validation in Windows Active Directory allows an authorized attacker to execute code over an adjacent network.
CVE-2026-27912 | High | 8.0 |  | 2026-04-14 | Improper authorization in Windows Kerberos allows an authorized attacker to elevate privileges over an adjacent network.
CVE-2026-33414 | High | 7.8 |  | 2026-04-14 | Podman is a tool for managing OCI containers and pods.
CVE-2026-27298 | High | 7.8 |  | 2026-04-14 | Adobe Framemaker versions 2022.8 and earlier are affected by an Access of Resource Using Incompatible Type ('Type Confusion') vulnerability that could result in arbitrary code execution in the context of the current user.
CVE-2026-27297 | High | 7.8 |  | 2026-04-14 | Adobe Framemaker versions 2022.8 and earlier are affected by an Integer Underflow (Wrap or Wraparound) vulnerability that could result in arbitrary code execution in the context of the current user.
CVE-2026-27296 | High | 7.8 |  | 2026-04-14 | Adobe Framemaker versions 2022.8 and earlier are affected by an Integer Underflow (Wrap or Wraparound) vulnerability that could result in arbitrary code execution in the context of the current user.
CVE-2026-27295 | High | 7.8 |  | 2026-04-14 | Adobe Framemaker versions 2022.8 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user.
CVE-2026-27294 | High | 7.8 |  | 2026-04-14 | Adobe Framemaker versions 2022.8 and earlier are affected by an out-of-bounds read vulnerability when parsing a crafted file, which could result in a read past the end of an allocated memory structure.
CVE-2026-27293 | High | 7.8 |  | 2026-04-14 | Adobe Framemaker versions 2022.8 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user.
CVE-2026-27292 | High | 7.8 |  | 2026-04-14 | Adobe Framemaker versions 2022.8 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user.
CVE-2026-34631 | High | 7.8 |  | 2026-04-14 | InCopy versions 20.5.2, 21.2 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user.
CVE-2026-27287 | High | 7.8 |  | 2026-04-14 | InCopy versions 20.5.2, 21.2 and earlier are affected by an out-of-bounds read vulnerability when parsing a crafted file, which could result in a read past the end of an allocated memory structure.
CVE-2026-34630 | High | 7.8 |  | 2026-04-14 | Bridge versions 16.0.2, 15.1.4 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user.
CVE-2026-34618 | High | 7.8 |  | 2026-04-14 | Illustrator versions 30.2, 29.8.5 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user.
CVE-2026-27313 | High | 7.8 |  | 2026-04-14 | Bridge versions 16.0.2, 15.1.4 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user.
CVE-2026-27312 | High | 7.8 |  | 2026-04-14 | Bridge versions 16.0.2, 15.1.4 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user.
CVE-2026-27311 | High | 7.8 |  | 2026-04-14 | Bridge versions 16.0.2, 15.1.4 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user.
CVE-2026-27310 | High | 7.8 |  | 2026-04-14 | Bridge versions 16.0.2, 15.1.4 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user.
CVE-2026-33825 | High | 7.8 | KEV | 2026-04-14 | Insufficient granularity of access control in Microsoft Defender allows an authorized attacker to elevate privileges locally.
CVE-2026-33101 | High | 7.8 |  | 2026-04-14 | Use after free in Windows Print Spooler Components allows an authorized attacker to elevate privileges locally.
CVE-2026-33098 | High | 7.8 |  | 2026-04-14 | Use after free in Windows Container Isolation FS Filter Driver allows an authorized attacker to elevate privileges locally.
CVE-2026-33095 | High | 7.8 |  | 2026-04-14 | Use after free in Microsoft Office Word allows an unauthorized attacker to execute code locally.
CVE-2026-32222 | High | 7.8 |  | 2026-04-14 | Untrusted pointer dereference in Windows Win32K - ICOMP allows an authorized attacker to elevate privileges locally.
CVE-2026-32200 | High | 7.8 |  | 2026-04-14 | Use after free in Microsoft Office PowerPoint allows an unauthorized attacker to execute code locally.
CVE-2026-32199 | High | 7.8 |  | 2026-04-14 | Use after free in Microsoft Office Excel allows an unauthorized attacker to execute code locally.
CVE-2026-32198 | High | 7.8 |  | 2026-04-14 | Use after free in Microsoft Office Excel allows an unauthorized attacker to execute code locally.
CVE-2026-32197 | High | 7.8 |  | 2026-04-14 | Use after free in Microsoft Office Excel allows an unauthorized attacker to execute code locally.
CVE-2026-32192 | High | 7.8 |  | 2026-04-14 | Deserialization of untrusted data in Azure Monitor Agent allows an authorized attacker to elevate privileges locally.
CVE-2026-32189 | High | 7.8 |  | 2026-04-14 | Use after free in Microsoft Office Excel allows an unauthorized attacker to execute code locally.
CVE-2026-32184 | High | 7.8 |  | 2026-04-14 | Deserialization of untrusted data in Microsoft High Performance Compute Pack (HPC) allows an authorized attacker to elevate privileges locally.
CVE-2026-32183 | High | 7.8 |  | 2026-04-14 | Improper neutralization of special elements used in a command ('command injection') in Windows Snipping Tool allows an unauthorized attacker to execute code locally.
CVE-2026-32168 | High | 7.8 |  | 2026-04-14 | Improper input validation in Azure Monitor Agent allows an authorized attacker to elevate privileges locally.
CVE-2026-32165 | High | 7.8 |  | 2026-04-14 | Use after free in Windows User Interface Core allows an authorized attacker to elevate privileges locally.
CVE-2026-32164 | High | 7.8 |  | 2026-04-14 | Concurrent execution using shared resource with improper synchronization ('race condition') in Windows User Interface Core allows an authorized attacker to elevate privileges locally.
CVE-2026-32163 | High | 7.8 |  | 2026-04-14 | Concurrent execution using shared resource with improper synchronization ('race condition') in Windows User Interface Core allows an authorized attacker to elevate privileges locally.
CVE-2026-32160 | High | 7.8 |  | 2026-04-14 | Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Push Notifications allows an authorized attacker to elevate privileges locally.
CVE-2026-32159 | High | 7.8 |  | 2026-04-14 | Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Push Notifications allows an authorized attacker to elevate privileges locally.
CVE-2026-32158 | High | 7.8 |  | 2026-04-14 | Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Push Notifications allows an authorized attacker to elevate privileges locally.
CVE-2026-32155 | High | 7.8 |  | 2026-04-14 | Use after free in Desktop Window Manager allows an authorized attacker to elevate privileges locally.
CVE-2026-32154 | High | 7.8 |  | 2026-04-14 | Use after free in Desktop Window Manager allows an authorized attacker to elevate privileges locally.
CVE-2026-32153 | High | 7.8 |  | 2026-04-14 | Use after free in Microsoft Windows Speech allows an authorized attacker to elevate privileges locally.
CVE-2026-32152 | High | 7.8 |  | 2026-04-14 | Use after free in Desktop Window Manager allows an authorized attacker to elevate privileges locally.
CVE-2026-32090 | High | 7.8 |  | 2026-04-14 | Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Speech Brokered Api allows an authorized attacker to elevate privileges locally.
CVE-2026-32089 | High | 7.8 |  | 2026-04-14 | Use after free in Windows Speech Brokered Api allows an authorized attacker to elevate privileges locally.
CVE-2026-32078 | High | 7.8 |  | 2026-04-14 | Use after free in Windows Projected File System allows an authorized attacker to elevate privileges locally.
CVE-2026-32077 | High | 7.8 |  | 2026-04-14 | Untrusted pointer dereference in Windows Universal Plug and Play (UPnP) Device Host allows an authorized attacker to elevate privileges locally.
CVE-2026-32076 | High | 7.8 |  | 2026-04-14 | Out-of-bounds read in Windows Storage Spaces Controller allows an authorized attacker to elevate privileges locally.
CVE-2026-32074 | High | 7.8 |  | 2026-04-14 | Double free in Windows Projected File System allows an authorized attacker to elevate privileges locally.
CVE-2026-32069 | High | 7.8 |  | 2026-04-14 | Double free in Windows Projected File System allows an authorized attacker to elevate privileges locally.
CVE-2026-27927 | High | 7.8 |  | 2026-04-14 | Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Projected File System allows an authorized attacker to elevate privileges locally.
CVE-2026-27924 | High | 7.8 |  | 2026-04-14 | Use after free in Desktop Window Manager allows an authorized attacker to elevate privileges locally.
CVE-2026-27923 | High | 7.8 |  | 2026-04-14 | Use after free in Desktop Window Manager allows an authorized attacker to elevate privileges locally.
CVE-2026-27920 | High | 7.8 |  | 2026-04-14 | Untrusted pointer dereference in Windows Universal Plug and Play (UPnP) Device Host allows an authorized attacker to elevate privileges locally.
CVE-2026-27919 | High | 7.8 |  | 2026-04-14 | Untrusted pointer dereference in Windows Universal Plug and Play (UPnP) Device Host allows an authorized attacker to elevate privileges locally.
CVE-2026-27918 | High | 7.8 |  | 2026-04-14 | Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Shell allows an authorized attacker to elevate privileges locally.
CVE-2026-27916 | High | 7.8 |  | 2026-04-14 | Use after free in Windows Universal Plug and Play (UPnP) Device Host allows an authorized attacker to elevate privileges locally.
CVE-2026-27915 | High | 7.8 |  | 2026-04-14 | Use after free in Windows Universal Plug and Play (UPnP) Device Host allows an authorized attacker to elevate privileges locally.
CVE-2026-27914 | High | 7.8 |  | 2026-04-14 | Improper access control in Microsoft Management Console allows an authorized attacker to elevate privileges locally.
CVE-2026-27911 | High | 7.8 |  | 2026-04-14 | Concurrent execution using shared resource with improper synchronization ('race condition') in Windows User Interface Core allows an authorized attacker to elevate privileges locally.
CVE-2026-27910 | High | 7.8 |  | 2026-04-14 | Improper handling of insufficient permissions or privileges in Windows Installer allows an authorized attacker to elevate privileges locally.
CVE-2026-27909 | High | 7.8 |  | 2026-04-14 | Use after free in Microsoft Windows Search Component allows an authorized attacker to elevate privileges locally.
CVE-2026-27907 | High | 7.8 |  | 2026-04-14 | Integer underflow (wrap or wraparound) in Windows Storage Spaces Controller allows an authorized attacker to elevate privileges locally.
CVE-2026-26184 | High | 7.8 |  | 2026-04-14 | Buffer over-read in Windows Projected File System allows an authorized attacker to elevate privileges locally.
CVE-2026-26183 | High | 7.8 |  | 2026-04-14 | Improper access control in Windows RPC API allows an authorized attacker to elevate privileges locally.
CVE-2026-26181 | High | 7.8 |  | 2026-04-14 | Use after free in Microsoft Brokering File System allows an authorized attacker to elevate privileges locally.
CVE-2026-26180 | High | 7.8 |  | 2026-04-14 | Heap-based buffer overflow in Windows Kernel allows an authorized attacker to elevate privileges locally.
CVE-2026-26179 | High | 7.8 |  | 2026-04-14 | Double free in Windows Kernel allows an authorized attacker to elevate privileges locally.
CVE-2026-26176 | High | 7.8 |  | 2026-04-14 | Heap-based buffer overflow in Windows Client Side Caching driver (csc.sys) allows an authorized attacker to elevate privileges locally.
CVE-2026-26172 | High | 7.8 |  | 2026-04-14 | Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Push Notifications allows an authorized attacker to elevate privileges locally.
CVE-2026-26170 | High | 7.8 |  | 2026-04-14 | Improper input validation in Microsoft PowerShell allows an authorized attacker to elevate privileges locally.
CVE-2026-26168 | High | 7.8 |  | 2026-04-14 | Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally.
CVE-2026-26163 | High | 7.8 |  | 2026-04-14 | Double free in Windows Kernel allows an authorized attacker to elevate privileges locally.
CVE-2026-26162 | High | 7.8 |  | 2026-04-14 | Access of resource using incompatible type ('type confusion') in Windows OLE allows an authorized attacker to elevate privileges locally.
CVE-2026-26161 | High | 7.8 |  | 2026-04-14 | Untrusted pointer dereference in Windows Sensor Data Service allows an authorized attacker to elevate privileges locally.
CVE-2026-26160 | High | 7.8 |  | 2026-04-14 | Missing authentication for critical function in Windows Remote Desktop Licensing Service allows an authorized attacker to elevate privileges locally.
CVE-2026-26159 | High | 7.8 |  | 2026-04-14 | Missing authentication for critical function in Windows Remote Desktop Licensing Service allows an authorized attacker to elevate privileges locally.
CVE-2026-26156 | High | 7.8 |  | 2026-04-14 | Heap-based buffer overflow in Windows Hyper-V allows an unauthorized attacker to execute code locally.
CVE-2026-26153 | High | 7.8 |  | 2026-04-14 | Out-of-bounds read in Windows Encrypting File System (EFS) allows an authorized attacker to elevate privileges locally.
CVE-2026-26143 | High | 7.8 |  | 2026-04-14 | Improper input validation in Microsoft PowerShell allows an unauthorized attacker to bypass a security feature locally.
CVE-2026-23657 | High | 7.8 |  | 2026-04-14 | Use after free in Microsoft Office Word allows an unauthorized attacker to execute code locally.
CVE-2026-20930 | High | 7.8 |  | 2026-04-14 | Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Management Services allows an authorized attacker to elevate privileges locally.
CVE-2026-27284 | High | 7.8 |  | 2026-04-14 | InDesign Desktop versions 20.5.2, 21.2 and earlier are affected by an out-of-bounds read vulnerability when parsing a crafted file, which could result in a read past the end of an allocated memory structure.
CVE-2026-27283 | High | 7.8 |  | 2026-04-14 | InDesign Desktop versions 20.5.2, 21.2 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user.
CVE-2026-27238 | High | 7.8 |  | 2026-04-14 | InDesign Desktop versions 20.5.2, 21.2 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user.
CVE-2026-27913 | High | 7.7 |  | 2026-04-14 | Improper input validation in Windows BitLocker allows an unauthorized attacker to bypass a security feature locally.
CVE-2026-6308 | High | 7.5 |  | 2026-04-15 | Out of bounds read in Media in Google Chrome prior to 147.0.7727.101 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code via a crafted HTML page.
CVE-2026-33116 | High | 7.5 |  | 2026-04-14 | Loop with unreachable exit condition ('infinite loop') in .NET, .NET Framework, Visual Studio allows an unauthorized attacker to deny service over a network.
CVE-2026-33096 | High | 7.5 |  | 2026-04-14 | Out-of-bounds read in Windows HTTP.sys allows an unauthorized attacker to deny service over a network.
CVE-2026-32203 | High | 7.5 |  | 2026-04-14 | Stack-based buffer overflow in .NET and Visual Studio allows an unauthorized attacker to deny service over a network.
CVE-2026-32178 | High | 7.5 |  | 2026-04-14 | Improper neutralization of special elements in .NET allows an unauthorized attacker to perform spoofing over a network.
CVE-2026-32071 | High | 7.5 |  | 2026-04-14 | Null pointer dereference in Windows Local Security Authority Subsystem Service (LSASS) allows an unauthorized attacker to deny service over a network.
CVE-2026-26171 | High | 7.5 |  | 2026-04-14 | Uncontrolled resource consumption in .NET allows an unauthorized attacker to deny service over a network.
CVE-2026-26154 | High | 7.5 |  | 2026-04-14 | Improper input validation in Windows Server Update Service allows an unauthorized attacker to perform tampering over a network.
CVE-2026-23666 | High | 7.5 |  | 2026-04-14 | Improper input validation in .NET Framework allows an unauthorized attacker to deny service over a network.
CVE-2025-69624 | High | 7.5 |  | 2026-04-13 | Nitro PDF Pro for Windows 14.41.1.4 contains a NULL pointer dereference vulnerability in the JavaScript implementation of app.alert().
CVE-2025-66769 | High | 7.5 |  | 2026-04-13 | A NULL pointer dereference in Nitro PDF Pro for Windows v14.41.1.4 allows attackers to cause a Denial of Service (DoS) via a crafted XFA packet.
CVE-2026-32156 | High | 7.4 |  | 2026-04-14 | Use after free in Windows Universal Plug and Play (UPnP) Device Host allows an unauthorized attacker to execute code locally.
CVE-2026-35603 | High | 7.3 |  | 2026-04-17 | Claude Code is an agentic coding tool.
CVE-2026-32149 | High | 7.3 |  | 2026-04-14 | Improper input validation in Windows Hyper-V allows an authorized attacker to execute code locally.
CVE-2026-32188 | High | 7.1 |  | 2026-04-14 | Out-of-bounds read in Microsoft Office Excel allows an unauthorized attacker to disclose information locally.
CVE-2026-26151 | High | 7.1 |  | 2026-04-14 | Insufficient UI warning of dangerous operations in Windows Remote Desktop allows an unauthorized attacker to perform spoofing over a network.
CVE-2026-33104 | High | 7.0 |  | 2026-04-14 | Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Win32K - GRFX allows an authorized attacker to elevate privileges locally.
CVE-2026-33100 | High | 7.0 |  | 2026-04-14 | Use after free in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally.
CVE-2026-33099 | High | 7.0 |  | 2026-04-14 | Use after free in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally.
CVE-2026-32224 | High | 7.0 |  | 2026-04-14 | Use after free in Windows Server Update Service allows an authorized attacker to elevate privileges locally.
CVE-2026-32219 | High | 7.0 |  | 2026-04-14 | Double free in Microsoft Brokering File System allows an authorized attacker to elevate privileges locally.
CVE-2026-32195 | High | 7.0 |  | 2026-04-14 | Stack-based buffer overflow in Windows Kernel allows an authorized attacker to elevate privileges locally.
CVE-2026-32150 | High | 7.0 |  | 2026-04-14 | Concurrent execution using shared resource with improper synchronization ('race condition') in Function Discovery Service (fdwsd.dll) allows an authorized attacker to elevate privileges locally.
CVE-2026-32093 | High | 7.0 |  | 2026-04-14 | Concurrent execution using shared resource with improper synchronization ('race condition') in Function Discovery Service (fdwsd.dll) allows an authorized attacker to elevate privileges locally.
CVE-2026-32087 | High | 7.0 |  | 2026-04-14 | Heap-based buffer overflow in Function Discovery Service (fdwsd.dll) allows an authorized attacker to elevate privileges locally.
CVE-2026-32086 | High | 7.0 |  | 2026-04-14 | Concurrent execution using shared resource with improper synchronization ('race condition') in Function Discovery Service (fdwsd.dll) allows an authorized attacker to elevate privileges locally.
CVE-2026-32083 | High | 7.0 |  | 2026-04-14 | Concurrent execution using shared resource with improper synchronization ('race condition') in Windows SSDP Service allows an authorized attacker to elevate privileges locally.
CVE-2026-32082 | High | 7.0 |  | 2026-04-14 | Concurrent execution using shared resource with improper synchronization ('race condition') in Windows SSDP Service allows an authorized attacker to elevate privileges locally.
CVE-2026-32080 | High | 7.0 |  | 2026-04-14 | Use after free in Windows WalletService allows an authorized attacker to elevate privileges locally.
CVE-2026-32075 | High | 7.0 |  | 2026-04-14 | Use after free in Windows Universal Plug and Play (UPnP) Device Host allows an authorized attacker to elevate privileges locally.
CVE-2026-32073 | High | 7.0 |  | 2026-04-14 | Use after free in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally.
CVE-2026-32070 | High | 7.0 |  | 2026-04-14 | Use after free in Windows Common Log File System Driver allows an authorized attacker to elevate privileges locally.
CVE-2026-32068 | High | 7.0 |  | 2026-04-14 | Concurrent execution using shared resource with improper synchronization ('race condition') in Windows SSDP Service allows an authorized attacker to elevate privileges locally.
CVE-2026-27929 | High | 7.0 |  | 2026-04-14 | Time-of-check time-of-use (toctou) race condition in Windows LUAFV allows an authorized attacker to elevate privileges locally.
CVE-2026-27926 | High | 7.0 |  | 2026-04-14 | Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Cloud Files Mini Filter Driver allows an authorized attacker to elevate privileges locally.
CVE-2026-27922 | High | 7.0 |  | 2026-04-14 | Use after free in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally.
CVE-2026-27921 | High | 7.0 |  | 2026-04-14 | Concurrent execution using shared resource with improper synchronization ('race condition') in Windows TCP/IP allows an authorized attacker to elevate privileges locally.
CVE-2026-27917 | High | 7.0 |  | 2026-04-14 | Use after free in Windows WFP NDIS Lightweight Filter Driver (wfplwfs.sys) allows an authorized attacker to elevate privileges locally.
CVE-2026-27908 | High | 7.0 |  | 2026-04-14 | Use after free in Windows TDI Translation Driver (tdx.sys) allows an authorized attacker to elevate privileges locally.
CVE-2026-26182 | High | 7.0 |  | 2026-04-14 | Use after free in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally.
CVE-2026-26177 | High | 7.0 |  | 2026-04-14 | Use after free in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally.
CVE-2026-26174 | High | 7.0 |  | 2026-04-14 | Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Server Update Service allows an authorized attacker to elevate privileges locally.
CVE-2026-26173 | High | 7.0 |  | 2026-04-14 | Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally.
CVE-2026-26166 | High | 7.0 |  | 2026-04-14 | Double free in Windows Shell allows an authorized attacker to elevate privileges locally.
CVE-2026-26165 | High | 7.0 |  | 2026-04-14 | Use after free in Windows Shell allows an authorized attacker to elevate privileges locally.
CVE-2026-26152 | High | 7.0 |  | 2026-04-14 | Insecure storage of sensitive information in Windows Cryptographic Services allows an authorized attacker to elevate privileges locally.
CVE-2026-25184 | High | 7.0 |  | 2026-04-14 | Concurrent execution using shared resource with improper synchronization ('race condition') in Applocker Filter Driver (applockerfltr.sys) allows an authorized attacker to elevate privileges locally.
CVE-2026-32223 | Medium | 6.8 |  | 2026-04-14 | Heap-based buffer overflow in Windows USB Print Driver allows an unauthorized attacker to elevate privileges with a physical attack.
CVE-2026-32176 | Medium | 6.7 |  | 2026-04-14 | Improper neutralization of special elements used in an SQL command ('SQL injection') in SQL Server allows an authorized attacker to elevate privileges locally.
CVE-2026-32167 | Medium | 6.7 |  | 2026-04-14 | Improper neutralization of special elements used in an SQL command ('SQL injection') in SQL Server allows an authorized attacker to elevate privileges locally.
CVE-2026-0390 | Medium | 6.7 |  | 2026-04-14 | Reliance on untrusted inputs in a security decision in Windows Boot Loader allows an authorized attacker to bypass a security feature locally.
CVE-2026-32201 | Medium | 6.5 | KEV | 2026-04-14 | Improper input validation in Microsoft Office SharePoint allows an unauthorized attacker to perform spoofing over a network.
CVE-2026-32151 | Medium | 6.5 |  | 2026-04-14 | Exposure of sensitive information to an unauthorized actor in Windows Shell allows an authorized attacker to disclose information over a network.
CVE-2026-27925 | Medium | 6.5 |  | 2026-04-14 | Use after free in Windows Universal Plug and Play (UPnP) Device Host allows an unauthorized attacker to disclose information over an adjacent network.
CVE-2026-26155 | Medium | 6.5 |  | 2026-04-14 | Microsoft Local Security Authority Subsystem Service Information Disclosure Vulnerability
CVE-2026-27299 | Medium | 6.3 |  | 2026-04-14 | Adobe Framemaker versions 2022.8 and earlier are affected by an Improper Input Validation vulnerability that could lead to arbitrary file system read.
CVE-2026-34626 | Medium | 6.3 |  | 2026-04-14 | Acrobat Reader versions 26.001.21411, 24.001.30360, 24.001.30362 and earlier are affected by an Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') vulnerability that could result in arbitrary file sys…
CVE-2026-32072 | Medium | 6.2 |  | 2026-04-14 | Improper authentication in Windows Active Directory allows an unauthorized attacker to perform spoofing locally.
CVE-2026-34614 | Medium | 6.1 |  | 2026-04-14 | Adobe Connect versions 2025.3, 12.10 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnerability.
CVE-2026-33822 | Medium | 6.1 |  | 2026-04-14 | Out-of-bounds read in Microsoft Office Word allows an unauthorized attacker to disclose information locally.
CVE-2026-32196 | Medium | 6.1 |  | 2026-04-14 | Improper neutralization of input during web page generation ('cross-site scripting') in Windows Admin Center allows an unauthorized attacker to perform spoofing over a network.
CVE-2026-32088 | Medium | 6.1 |  | 2026-04-14 | Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Biometric Service allows an unauthorized attacker to bypass a security feature with a physical attack.
CVE-2026-26169 | Medium | 6.1 |  | 2026-04-14 | Buffer over-read in Windows Kernel Memory allows an authorized attacker to disclose information locally.
CVE-2026-21331 | Medium | 6.1 |  | 2026-04-14 | Adobe Connect versions 2025.3, 12.10 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnerability.
CVE-2026-32226 | Medium | 5.9 |  | 2026-04-14 | Concurrent execution using shared resource with improper synchronization ('race condition') in .NET Framework allows an unauthorized attacker to deny service over a network.
CVE-2026-23670 | Medium | 5.7 |  | 2026-04-14 | Untrusted pointer dereference in Windows Virtualization-Based Security (VBS) Enclave allows an authorized attacker to bypass a security feature locally.
CVE-2026-23653Medium5.72026-04-14Improper neutralization of special elements used in a command ('command injection') in GitHub Copilot and Visual Studio Code allows an authorized attacker to disclose information over a network.
CVE-2026-27301Medium5.52026-04-14Adobe Framemaker versions 2022.8 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could lead to memory exposure.
CVE-2026-27300Medium5.52026-04-14Adobe Framemaker versions 2022.8 and earlier are affected by an Access of Uninitialized Pointer vulnerability that could lead to memory exposure.
CVE-2026-27222Medium5.52026-04-14Bridge versions 16.0.2, 15.1.4 and earlier are affected by a Divide By Zero vulnerability that could lead to application denial-of-service.
CVE-2026-33103Medium5.52026-04-14Improper access control in Microsoft Dynamics 365 (on-premises) allows an authorized attacker to disclose information locally.
CVE-2026-32218Medium5.52026-04-14Insertion of sensitive information into log file in Windows Kernel allows an authorized attacker to disclose information locally.
CVE-2026-32217Medium5.52026-04-14Insertion of sensitive information into log file in Windows Kernel allows an authorized attacker to disclose information locally.
CVE-2026-32216Medium5.52026-04-14Null pointer dereference in Windows Redirected Drive Buffering allows an authorized attacker to deny service locally.
CVE-2026-32215Medium5.52026-04-14Insertion of sensitive information into log file in Windows Kernel allows an authorized attacker to disclose information locally.
CVE-2026-32214Medium5.52026-04-14Improper access control in Universal Plug and Play (upnp.dll) allows an authorized attacker to disclose information locally.
CVE-2026-32212Medium5.52026-04-14Improper link resolution before file access ('link following') in Universal Plug and Play (upnp.dll) allows an authorized attacker to disclose information locally.
CVE-2026-32181Medium5.52026-04-14Improper privilege management in Microsoft Windows allows an authorized attacker to deny service locally.
CVE-2026-32085Medium5.52026-04-14Exposure of sensitive information to an unauthorized actor in Windows Remote Procedure Call allows an authorized attacker to disclose information locally.
CVE-2026-32084Medium5.52026-04-14Exposure of sensitive information to an unauthorized actor in Windows File Explorer allows an authorized attacker to disclose information locally.
CVE-2026-32081Medium5.52026-04-14Exposure of sensitive information to an unauthorized actor in Windows File Explorer allows an authorized attacker to disclose information locally.
CVE-2026-32079Medium5.52026-04-14Exposure of sensitive information to an unauthorized actor in Windows File Explorer allows an authorized attacker to disclose information locally.
CVE-2026-27931Medium5.52026-04-14Out-of-bounds read in Windows GDI allows an unauthorized attacker to disclose information locally.
CVE-2026-27930Medium5.52026-04-14Out-of-bounds read in Windows GDI allows an unauthorized attacker to disclose information locally.
CVE-2026-20806Medium5.52026-04-14Access of resource using incompatible type ('type confusion') in Windows COM allows an authorized attacker to disclose information locally.
CVE-2026-27286Medium5.52026-04-14InDesign Desktop versions 20.5.2, 21.2 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could lead to memory exposure.
CVE-2026-27285Medium5.52026-04-14InDesign Desktop versions 20.5.2, 21.2 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could lead to application denial-of-service.
CVE-2026-26175Medium4.62026-04-14Use of uninitialized resource in Windows Boot Manager allows an unauthorized attacker to bypass a security feature with a physical attack.
CVE-2026-20945Medium4.62026-04-14Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network.
CVE-2026-20928Medium4.62026-04-14Improper removal of sensitive information before storage or transfer in Windows Recovery Environment Agent allows an unauthorized attacker to bypass a security feature with a physical attack.
CVE-2026-32220Medium4.42026-04-14Improper access control in Windows Virtualization-Based Security (VBS) Enclave allows an authorized attacker to bypass a security feature locally.
CVE-2026-27906Medium4.42026-04-14Improper input validation in Windows Hello allows an authorized attacker to bypass a security feature locally.
CVE-2026-6298Medium4.32026-04-15Heap buffer overflow in Skia in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page.
CVE-2026-33829Medium4.32026-04-14Exposure of sensitive information to an unauthorized actor in Windows Snipping Tool allows an unauthorized attacker to perform spoofing over a network.
CVE-2026-32202Medium4.3KEV2026-04-14Protection mechanism failure in Windows Shell allows an unauthorized attacker to perform spoofing over a network.
CVE-2026-6313Low3.12026-04-15Insufficient policy enforcement in CORS in Google Chrome prior to 147.0.7727.101 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page.
CVE-2026-6312Low3.12026-04-15Insufficient policy enforcement in Passwords in Google Chrome prior to 147.0.7727.101 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page.

Other vendors (872 CVEs across 319 vendors)

N/a · 94 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-38526 | Critical | 9.9 |  | 2026-04-14 | An authenticated arbitrary file upload vulnerability in the /admin/tinymce/upload endpoint of Webkul Krayin CRM v2.2.x allows attackers to execute arbitrary code via uploading a crafted PHP file.
CVE-2026-37749 | Critical | 9.8 |  | 2026-04-17 | A SQL injection vulnerability in CodeAstro Simple Attendance Management System v1.0 allows remote unauthenticated attackers to bypass authentication via the username parameter in index.php.
CVE-2026-37345 | Critical | 9.8 |  | 2026-04-16 | SourceCodester Vehicle Parking Area Management System v1.0 is vulnerable to SQL Injection in the file /parking/manage_park.php.
CVE-2026-37340 | Critical | 9.8 |  | 2026-04-16 | SourceCodester Simple Music Cloud Community System v1.0 is vulnerable to SQL Injection in the file /music/edit_music.php.
CVE-2026-37339 | Critical | 9.8 |  | 2026-04-16 | SourceCodester Simple Music Cloud Community System v1.0 is vulnerable to SQL Injection in the file /music/view_genre.php.
CVE-2026-30993 | Critical | 9.8 |  | 2026-04-15 | Slah CMS v1.5.0 and below was discovered to contain a remote code execution (RCE) vulnerability in the session() function at config.php.
CVE-2026-30625 | Critical | 9.8 |  | 2026-04-15 | Upsonic 0.71.6 contains a remote code execution vulnerability in its MCP server/task creation functionality.
CVE-2025-70023 | Critical | 9.8 |  | 2026-04-14 | An issue pertaining to CWE-843: Access of Resource Using Incompatible Type was discovered in transloadit uppy v0.25.6.
CVE-2025-65135 | Critical | 9.8 |  | 2026-04-14 | In manikandan580 School-management-system 1.0, a time-based blind SQL injection vulnerability exists in /studentms/admin/between-date-reprtsdetails.php through the fromdate POST parameter.
CVE-2025-65133 | Critical | 9.8 |  | 2026-04-14 | A SQL injection vulnerability exists in the School Management System (version 1.0) by manikandan580.
CVE-2025-63939 | Critical | 9.8 |  | 2026-04-14 | Improper input handling in /Grocery/search_products_itname.php, in anirudhkannan Grocery Store Management System 1.0, allows SQL injection via the sitem_name POST parameter.
CVE-2025-61260 | Critical | 9.8 |  | 2026-04-14 | A vulnerability was identified in OpenAI Codex CLI v0.23.0 and before that enables code execution through malicious MCP (Model Context Protocol) configuration files.
CVE-2026-31049 | Critical | 9.8 |  | 2026-04-14 | An issue in Hostbill v.2025-11-24 and 2025-12-01 allows a remote attacker to execute arbitrary code and escalate privileges via the CSV registration field.
CVE-2026-31048 | Critical | 9.8 |  | 2026-04-13 | An issue in the pickle protocol of Pyro v3.x allows attackers to execute arbitrary code via supplying a crafted pickled string message.
CVE-2026-31283 | Critical | 9.8 |  | 2026-04-13 | In Totara LMS v19.1.5 and before, the forgot password API does not implement rate limiting for the target email address.
CVE-2026-31282 | Critical | 9.8 |  | 2026-04-13 | Totara LMS v19.1.5 and before is vulnerable to Incorrect Access Control.
CVE-2026-37338 | Critical | 9.4 |  | 2026-04-16 | SourceCodester Simple Music Cloud Community System v1.0 is vulnerable to SQL Injection in the file /music/view_user.php.
CVE-2026-37347 | Critical | 9.1 |  | 2026-04-16 | SourceCodester Payroll Management and Information System v1.0 is vulnerable to SQL Injection in the file /payroll/view_employee.php.
CVE-2026-38529 | High | 8.8 |  | 2026-04-14 | A Broken Object-Level Authorization (BOLA) in the /Settings/UserController.php endpoint of Webkul Krayin CRM v2.2.x allows authenticated attackers to arbitrarily reset user passwords and perform a full account takeover via supplying a craf…
CVE-2025-51414 | High | 8.8 |  | 2026-04-13 | In Phpgurukul Online Course Registration v3.1, an arbitrary file upload vulnerability was discovered within the profile picture upload functionality on the /my-profile.php page.
CVE-2026-30995 | High | 8.6 |  | 2026-04-15 | Slah CMS v1.5.0 and below was discovered to contain a SQL injection vulnerability via the id parameter in the vereador_ver.php endpoint.
CVE-2026-30617 | High | 8.6 |  | 2026-04-15 | LangChain-ChatChat 0.3.1 contains a remote code execution vulnerability in its MCP STDIO server configuration and execution handling.
CVE-2026-38527 | High | 8.5 |  | 2026-04-14 | A Server-Side Request Forgery (SSRF) in the /settings/webhooks/create component of Webkul Krayin CRM v2.2.x allows attackers to scan internal resources via supplying a crafted POST request.
CVE-2024-53412 | High | 8.4 |  | 2026-04-15 | Command injection in the connect function in NietThijmen ShoppingCart 0.0.2 allows an attacker to execute arbitrary shell commands and achieve remote code execution via injection of malicious payloads into the Port field.
CVE-2026-30461 | High | 8.3 |  | 2026-04-15 | Daylight Studio FuelCMS v1.5.2 was discovered to contain an authenticated remote code execution (RCE) vulnerability via the /controllers/Installer.php and the function add_git_submodule.
CVE-2026-38532 | High | 8.1 |  | 2026-04-14 | A Broken Object-Level Authorization (BOLA) in the /Contact/Persons/PersonController.php endpoint of Webkul Krayin CRM v2.2.x allows authenticated attackers to arbitrarily read, modify, and permanently delete any contact owned by other user…
CVE-2026-38530 | High | 8.1 |  | 2026-04-14 | A Broken Object-Level Authorization (BOLA) in the /Controllers/Lead/LeadController.php endpoint of Webkul Krayin CRM v2.2.x allows authenticated attackers to arbitrarily read, modify, and permanently delete any lead owned by other users vi…
CVE-2026-30615 | High | 8.0 |  | 2026-04-15 | A prompt injection vulnerability in Windsurf 1.9544.26 allows remote attackers to execute arbitrary commands on a victim system.
CVE-2026-31281 | High | 8.0 |  | 2026-04-13 | Totara LMS v19.1.5 and before is vulnerable to HTML Injection.
CVE-2026-31317 | High | 7.5 |  | 2026-04-17 | Craftql v1.3.7 and before is vulnerable to Server-Side Request Forgery (SSRF) which allows an attacker to execute arbitrary code via the vendor/markhuot/craftql/src/Listeners/GetAssetsFieldSchema.php file.
CVE-2026-30656 | High | 7.5 |  | 2026-04-16 | A NULL pointer dereference vulnerability exists in fio (Flexible I/O Tester) v3.41 when parsing job files containing the fdp_pli option.
CVE-2026-30996 | High | 7.5 |  | 2026-04-15 | An issue in the file handling logic of the component download.php of SAC-NFe v2.0.02 allows attackers to execute a directory traversal and read arbitrary files from the system via a crafted GET request.
CVE-2026-30994 | High | 7.5 |  | 2026-04-15 | Incorrect access control in the config.php component of Slah v1.5.0 and below allows unauthenticated attackers to access sensitive information, including active session credentials.
CVE-2025-67841 | High | 7.5 |  | 2026-04-15 | Nordic Semiconductor IronSide SE for nRF54H20 before 23.0.2+17 has an Algorithmic complexity issue.
CVE-2026-30364 | High | 7.5 |  | 2026-04-15 | CentSDR commit e40795 was discovered to contain a stack overflow in the "Thread1" function.
CVE-2026-37337 | High | 7.3 |  | 2026-04-16 | SourceCodester Simple Music Cloud Community System v1.0 is vulnerable to SQL Injection in the file /music/view_playlist.php.
CVE-2026-37336 | High | 7.3 |  | 2026-04-16 | SourceCodester Simple Music Cloud Community System v1.0 is vulnerable to SQL Injection in the file /music/view_music.php.
CVE-2026-30616 | High | 7.3 |  | 2026-04-15 | Jaaz 1.0.30 contains a remote code execution vulnerability in its MCP STDIO command execution handling.
CVE-2026-36948 | High | 7.3 |  | 2026-04-13 | Sourcecodester Online Thesis Archiving System v1.0 is vulnerable to SQL injection in the file /otas/view_archive.php.
CVE-2026-37344 | High | 7.2 |  | 2026-04-16 | SourceCodester Vehicle Parking Area Management System v1.0 is vulnerable to SQL Injection in the file /parking/manage_location.php.
CVE-2026-37343 | High | 7.2 |  | 2026-04-16 | SourceCodester Vehicle Parking Area Management System v1.0 is vulnerable to SQL Injection in the file /parking/manage_user.php.
CVE-2026-37342 | High | 7.2 |  | 2026-04-16 | SourceCodester Vehicle Parking Area Management System v1.0 is vulnerable to SQL Injection in the file /parking/view_parked_details.php.
CVE-2026-37341 | High | 7.2 |  | 2026-04-16 | SourceCodester Vehicle Parking Area Management System v1.0 is vulnerable to SQL Injection in the file /parking/manage_category.php.
CVE-2026-30459 | High | 7.1 |  | 2026-04-16 | An issue in the Forgot Password feature of Daylight Studio FuelCMS v1.5.2 allows unauthenticated attackers to obtain the password reset token of a victim user via a crafted link placed in a valid e-mail message.
CVE-2026-38528 | High | 7.1 |  | 2026-04-14 | Krayin CRM v2.2.x was discovered to contain a SQL injection vulnerability via the rotten_lead parameter at /Lead/LeadDataGrid.php.
CVE-2026-37100 | Medium | 6.5 |  | 2026-04-16 | An issue in the Bluetooth Low Energy (BLE) control interface of the Yamaha SR-B30A sound bar firmware 2.40 (Mobile App: Sound Bar Remote / version: 2.40) allows remote attackers within BLE radio range to connect without authentication via…
CVE-2026-38533 | Medium | 6.5 |  | 2026-04-14 | An improper authorization vulnerability in the /api/v1/users/{id} endpoint of Snipe-IT v8.4.0 allows authenticated attackers with the users.edit permission to modify sensitive authentication and account-state fields of other non-admin user…
CVE-2026-30480 | Medium | 6.5 |  | 2026-04-14 | A Local File Inclusion (LFI) vulnerability in the NFSen module (nfsen.inc.php) of LibreNMS 22.11.0-23-gd091788f2 allows authenticated attackers to include arbitrary PHP files from the server filesystem via path traversal sequences in the n…
CVE-2026-31280 | Medium | 6.5 |  | 2026-04-13 | An issue in the Bluetooth RFCOMM service of Parani M10 Motorcycle Intercom v2.1.3 allows unauthorized attackers to cause a Denial of Service (DoS) via supplying crafted RFCOMM frames.
CVE-2026-6215 | Medium | 6.3 |  | 2026-04-13 | A weakness has been identified in DbGate up to 7.1.4.
CVE-2026-29628 | Medium | 6.2 |  | 2026-04-13 | A stack overflow in the experimental/tinyobj_loader_opt.h file of tinyobjloader commit d56555b allows attackers to cause a Denial of Service (DoS) via supplying a crafted .mtl file.
CVE-2026-5160 | Medium | 6.1 |  | 2026-04-15 | Versions of the package github.com/yuin/goldmark/renderer/html before 1.7.17 are vulnerable to Cross-site Scripting (XSS) due to improper ordering of URL validation and normalization.
CVE-2025-65136 | Medium | 6.1 |  | 2026-04-14 | In manikandan580 School-management-system 1.0, a reflected XSS vulnerability exists in /studentms/admin/contact-us.php via the pagedes POST parameter.
CVE-2025-65134 | Medium | 6.1 |  | 2026-04-14 | In manikandan580 School-management-system 1.0, a reflected cross-site scripting (XSS) vulnerability exists in /studentms/admin/contact-us.php via the email POST parameter.
CVE-2025-65132 | Medium | 6.1 |  | 2026-04-14 | alandsilva26 hotel-management-php 1.0 is vulnerable to Cross Site Scripting (XSS) in /public/admin/edit_room.php which allows an attacker to inject and execute arbitrary JavaScript via the room_id GET parameter.
CVE-2026-26460 | Medium | 6.1 |  | 2026-04-13 | An HTML Injection vulnerability exists in the Dashboard module of Vtiger CRM 8.4.0.
CVE-2025-70795 | Medium | 5.5 |  | 2026-04-17 | STProcessMonitor 11.11.4.0, part of the Safetica Application suite, allows an admin-privileged user to send crafted IOCTL requests to terminate processes that are protected through a third-party implementation.
CVE-2025-70936 | Medium | 5.4 |  | 2026-04-13 | Vtiger CRM 8.4.0 contains a reflected cross-site scripting (XSS) vulnerability in the MailManager module.
CVE-2025-63743 | Medium | 5.4 |  | 2026-04-13 | A Cross-Site Scripting vulnerability in the Snipe-IT web-based asset management system v8.3.0 up to and including v8.3.1 allows an authenticated attacker with the lowest privileges, sufficient only to log in, to inject arbitrary JavaScript code via…
CVE-2026-6491 | Medium | 5.3 |  | 2026-04-17 | A security vulnerability has been detected in libvips up to 8.18.2.
CVE-2026-37346 | Medium | 4.7 |  | 2026-04-16 | SourceCodester Payroll Management and Information System v1.0 is vulnerable to SQL Injection in the file /payroll/view_account.php?emp_id=.
CVE-2026-6220 | Medium | 4.7 |  | 2026-04-13 | A vulnerability was identified in HummerRisk up to 1.5.0.
CVE-2025-69893 | Medium | 4.6 |  | 2026-04-14 | A side-channel vulnerability exists in the implementation of BIP-39 mnemonic processing, as observed in Trezor One v1.13.0 to v1.14.0, Trezor T v1.13.0 to v1.14.0, and Trezor Safe v1.13.0 to v1.14.0 hardware wallets.
CVE-2026-6486 | Low | 3.5 |  | 2026-04-17 | A vulnerability was detected in classroombookings up to 2.17.0.
CVE-2026-6216 | Low | 3.5 |  | 2026-04-13 | A security vulnerability has been detected in DbGate up to 7.1.4.
CVE-2026-37602 | Low | 2.7 |  | 2026-04-14 | SourceCodester Patient Appointment Scheduler System v1.0 is vulnerable to SQL Injection in the file /scheduler/admin/user/manage_user.php.
CVE-2026-37601 | Low | 2.7 |  | 2026-04-14 | SourceCodester Patient Appointment Scheduler System v1.0 is vulnerable to SQL Injection in the file /scheduler/admin/appointments/manage_appointment.php.
CVE-2026-37600 | Low | 2.7 |  | 2026-04-14 | SourceCodester Patient Appointment Scheduler System v1.0 is vulnerable to SQL Injection in the file /scheduler/admin/appointments/view_details.php.
CVE-2026-37598 | Low | 2.7 |  | 2026-04-14 | SourceCodester Patient Appointment Scheduler System v1.0 is vulnerable to arbitrary code execution (RCE) via /scheduler/classes/SystemSettings.php?f=update_settings.
CVE-2026-37597 | Low | 2.7 |  | 2026-04-14 | SourceCodester Online Employees Work From Home Attendance System v1.0 is vulnerable to SQL Injection in the file /wfh_attendance/admin/attendance_list.php.
CVE-2026-37596 | Low | 2.7 |  | 2026-04-14 | SourceCodester Online Employees Work From Home Attendance System v1.0 is vulnerable to SQL Injection in the file /wfh_attendance/admin/manage_department.php.
CVE-2026-37595 | Low | 2.7 |  | 2026-04-14 | SourceCodester Online Employees Work From Home Attendance System v1.0 is vulnerable to SQL Injection in the file /wfh_attendance/admin/manage_employee.php.
CVE-2026-37594 | Low | 2.7 |  | 2026-04-14 | SourceCodester Online Employees Work From Home Attendance System v1.0 is vulnerable to SQL Injection in the file /wfh_attendance/admin/view_employee.php.
CVE-2026-37593 | Low | 2.7 |  | 2026-04-14 | SourceCodester Online Employees Work From Home Attendance System v1.0 is vulnerable to SQL Injection in the file /wfh_attendance/admin/view_att.php.
CVE-2026-37592 | Low | 2.7 |  | 2026-04-14 | Sourcecodester Storage Unit Rental Management System v1.0 is vulnerable to SQL injection in the file /storage/admin/maintenance/manage_pricing.php.
CVE-2026-37591 | Low | 2.7 |  | 2026-04-14 | Sourcecodester Storage Unit Rental Management System v1.0 is vulnerable to SQL injection in the file /storage/admin/tenants/view_details.php.
CVE-2026-37590 | Low | 2.7 |  | 2026-04-14 | SourceCodester Storage Unit Rental Management System v1.0 is vulnerable to SQL Injection in the file /storage/admin/rents/manage_rent.php.
CVE-2026-37589 | Low | 2.7 |  | 2026-04-14 | SourceCodester Storage Unit Rental Management System v1.0 is vulnerable to SQL Injection in the file /storage/admin/maintenance/manage_storage_unit.php.
CVE-2026-36952 | Low | 2.7 |  | 2026-04-13 | Sourcecodester Online Thesis Archiving System v1.0 is vulnerable to SQL injection in the file /otas/admin/curriculum/manage_curriculum.php.
CVE-2026-36950 | Low | 2.7 |  | 2026-04-13 | Sourcecodester Online Thesis Archiving System v1.0 is vulnerable to SQL injection in /otas/projects_per_department.php.
CVE-2026-36938 | Low | 2.7 |  | 2026-04-13 | Sourcecodester Online Resort Management System v1.0 is vulnerable to SQL injection in /orms/admin/rooms/view_room.php.
CVE-2026-36937 | Low | 2.7 |  | 2026-04-13 | Sourcecodester Online Resort Management System v1.0 is vulnerable to SQL injection in /orms/admin/reservations/view_details.php.
CVE-2026-36945 | Low | 2.7 |  | 2026-04-13 | Sourcecodester Computer and Mobile Repair Shop Management System v1.0 is vulnerable to SQL injection in the file /rsms/admin/clients/manage_client.php.
CVE-2026-36944 | Low | 2.7 |  | 2026-04-13 | Sourcecodester Computer and Mobile Repair Shop Management System v1.0 is vulnerable to SQL injection in the file /rsms/admin/repairs/view_details.php.
CVE-2026-36943 | Low | 2.7 |  | 2026-04-13 | Sourcecodester Computer and Mobile Repair Shop Management System v1.0 is vulnerable to SQL injection in the file /rsms/admin/repairs/manage_repair.php.
CVE-2026-36942 | Low | 2.7 |  | 2026-04-13 | Sourcecodester Online Resort Management System v1.0 is vulnerable to SQL injection in the file /orms/admin/activities/manage_activity.php.
CVE-2026-36941 | Low | 2.7 |  | 2026-04-13 | Sourcecodester Online Resort Management System v1.0 is vulnerable to SQL Injection in the file /orms/admin/rooms/manage_room.php.
CVE-2026-36947 | Low | 2.7 |  | 2026-04-13 | Sourcecodester Computer and Mobile Repair Shop Management System v1.0 is vulnerable to SQL Injection in the file /rsms/admin/services/view_service.php.
CVE-2026-36946 | Low | 2.7 |  | 2026-04-13 | Sourcecodester Computer and Mobile Repair Shop Management System v1.0 is vulnerable to SQL injection in the file /rsms/admin/inquiries/view_details.php.
CVE-2026-36923 | Low | 2.7 |  | 2026-04-13 | Sourcecodester Cab Management System 1.0 is vulnerable to SQL Injection in the file /cms/admin/bookings/view_booking.php.
CVE-2026-36922 | Low | 2.7 |  | 2026-04-13 | Sourcecodester Cab Management System v1.0 is vulnerable to SQL injection in the file /cms/admin/categories/view_category.php.
CVE-2026-36874 | Low | 2.7 |  | 2026-04-13 | Sourcecodester Basic Library System v1.0 is vulnerable to SQL Injection in /librarysystem/load_student.php.
CVE-2026-36873 | Low | 2.7 |  | 2026-04-13 | Sourcecodester Basic Library System v1.0 is vulnerable to SQL Injection in /librarysystem/load_admin.php.
CVE-2026-36872 | Low | 2.7 |  | 2026-04-13 | Sourcecodester Basic Library System v1.0 is vulnerable to SQL Injection in /librarysystem/load_book.php.

Fortinet · 27 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-39813 | Critical | 9.8 |  | 2026-04-14 | A path traversal: '../filedir' vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0.5, FortiSandbox 4.4.0 through 4.4.8 may allow an attacker to escalate privileges via specially crafted HTTP requests.
CVE-2026-39808 | Critical | 9.8 |  | 2026-04-14 | An improper neutralization of special elements used in an os command ('os command injection') vulnerability in Fortinet FortiSandbox 4.4.0 through 4.4.8 may allow an attacker to execute unauthorized code or commands via <insert attack vector h…
CVE-2026-39815 | High | 8.8 |  | 2026-04-14 | An improper neutralization of special elements used in an sql command ('sql injection') vulnerability in Fortinet FortiDDoS-F 7.2.1 through 7.2.2 may allow an attacker to execute unauthorized code or commands via sending crafted HTTP requests.
CVE-2026-22828 | High | 8.1 |  | 2026-04-14 | A heap-based buffer overflow vulnerability in Fortinet FortiAnalyzer Cloud 7.6.2 through 7.6.4, FortiManager Cloud 7.6.2 through 7.6.4 may allow a remote unauthenticated attacker to execute arbitrary code or commands via specifically craft…
CVE-2026-23708 | High | 7.5 |  | 2026-04-14 | An improper authentication vulnerability in Fortinet FortiSOAR PaaS 7.6.0 through 7.6.3, FortiSOAR PaaS 7.5.0 through 7.5.2, FortiSOAR on-premise 7.6.0 through 7.6.3, FortiSOAR on-premise 7.5.0 through 7.5.2 may allow an unauthenticated att…
CVE-2026-40688 | High | 7.2 |  | 2026-04-14 | An out-of-bounds write vulnerability [CWE-787] in Fortinet FortiWeb 8.0.0 through 8.0.3, FortiWeb 7.6.0 through 7.6.6, FortiWeb 7.4.0 through 7.4.11 may allow a remote privileged attacker to execute arbitrary code or command…
CVE-2025-61848 | High | 7.2 |  | 2026-04-14 | An improper neutralization of special elements used in an sql command ('sql injection') vulnerability in Fortinet FortiAnalyzer 7.6.0 through 7.6.4, FortiAnalyzer 7.4.0 through 7.4.8, FortiAnalyzer 7.2 all versions, FortiAnalyzer 7.0 all v…
CVE-2026-39814 | Medium | 6.7 |  | 2026-04-14 | A relative path traversal vulnerability in Fortinet FortiWeb 8.0.0 through 8.0.2, FortiWeb 7.6.0 through 7.6.6, FortiWeb 7.4.1 through 7.4.12, FortiWeb 7.2.7 through 7.2.12, FortiWeb 7.0.10 through 7.0.12 may allow an attacker to execute unau…
CVE-2026-39809 | Medium | 6.7 |  | 2026-04-14 | An improper neutralization of special elements used in an sql command ('sql injection') vulnerability in Fortinet FortiClientEMS 7.4.0 through 7.4.5, FortiClientEMS 7.2.0 through 7.2.12, FortiClientEMS 7.0 all versions may allow an attacker to…
CVE-2026-25691 | Medium | 6.7 |  | 2026-04-14 | An improper limitation of a pathname to a restricted directory ('path traversal') vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0.5, FortiSandbox 4.4.0 through 4.4.8, FortiSandbox 4.2 all versions, FortiSandbox Cloud 5.0.4, FortiSa…
CVE-2026-22573 | Medium | 6.5 |  | 2026-04-14 | An improper limitation of a pathname to a restricted directory ('path traversal') vulnerability in Fortinet FortiSOAR PaaS 7.6.0 through 7.6.3, FortiSOAR PaaS 7.5 all versions, FortiSOAR PaaS 7.4 all versions, FortiSOAR PaaS 7.3 all versio…
CVE-2026-22155 | Medium | 6.5 |  | 2026-04-14 | A cleartext transmission of sensitive information vulnerability in Fortinet FortiSOAR PaaS 7.6.0 through 7.6.3, FortiSOAR PaaS 7.5.0 through 7.5.2, FortiSOAR PaaS 7.4 all versions, FortiSOAR PaaS 7.3 all versions, FortiSOAR on-premise 7.6…
CVE-2025-53847 | Medium | 6.5 |  | 2026-04-14 | A missing authentication for critical function vulnerability in Fortinet FortiOS 7.6.0 through 7.6.3, FortiOS 7.4.0 through 7.4.8, FortiOS 7.2.0 through 7.2.11, FortiOS 7.0.0 through 7.0.17, FortiOS 6.4 all versions, FortiOS 6.2.9 through…
CVE-2026-39810 | Medium | 6.0 |  | 2026-04-14 | A use of hard-coded cryptographic key vulnerability in Fortinet FortiClientEMS 7.4.0 through 7.4.5 may allow an attacker to disclose information by decrypting a database dump.
CVE-2025-68649 | Medium | 6.0 |  | 2026-04-14 | An improper limitation of a pathname to a restricted directory ('path traversal') vulnerability in Fortinet FortiAnalyzer 7.6.0 through 7.6.4, FortiAnalyzer 7.4.0 through 7.4.7, FortiAnalyzer 7.2 all versions, FortiAnalyzer 7.0 all version…
CVE-2025-61624 | Medium | 6.0 |  | 2026-04-14 | An Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') [CWE-22] vulnerability in Fortinet FortiOS 7.6.0 through 7.6.4, FortiOS 7.4.0 through 7.4.9, FortiOS 7.2 all versions, FortiOS 7.0 all versions, FortiOS 6.4…
CVE-2026-21742 | Medium | 5.7 |  | 2026-04-14 | A cleartext transmission of sensitive information vulnerability in Fortinet FortiSOAR PaaS 7.6.0 through 7.6.3, FortiSOAR PaaS 7.5.0 through 7.5.2, FortiSOAR PaaS 7.4 all versions, FortiSOAR PaaS 7.3 all versions, FortiSOAR on-premise 7.6…
CVE-2025-61886 | Medium | 5.4 |  | 2026-04-14 | An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability [CWE-79] in Fortinet FortiSandbox 5.0.0 through 5.0.4, FortiSandbox PaaS 5.0.0 through 5.0.4 may allow an attacker to perfo…
CVE-2024-23104 | Medium | 5.4 |  | 2026-04-14 | An exposure of sensitive information to an unauthorized actor vulnerability in Fortinet FortiNDR 7.6.0, FortiNDR 7.4.0 through 7.4.8, FortiNDR 7.2 all versions, FortiNDR 7.1 all versions, FortiNDR 7.0 all versions, FortiVoice 7.0.0 through…
CVE-2026-39811 | Medium | 4.9 |  | 2026-04-14 | An integer overflow or wraparound vulnerability in Fortinet FortiWeb 8.0.0 through 8.0.3, FortiWeb 7.6.0 through 7.6.6, FortiWeb 7.4 all versions, FortiWeb 7.2 all versions, FortiWeb 7.0 all versions may allow an attacker to cause a denial of service…
CVE-2026-39812 | Medium | 4.8 |  | 2026-04-14 | An improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0.5, FortiSandbox 4.4.0 through 4.4.8, FortiSandbox 4.2 all versions, FortiSandbox PaaS 5.0.0 thr…
CVE-2026-22154 | Medium | 4.6 |  | 2026-04-14 | An improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Fortinet FortiSOAR PaaS 7.6.0 through 7.6.3, FortiSOAR PaaS 7.5.0 through 7.5.2, FortiSOAR PaaS 7.4 all versions, FortiSOAR PaaS 7.3 a…
CVE-2026-22576 | Medium | 4.3 |  | 2026-04-14 | A storing passwords in a recoverable format vulnerability in Fortinet FortiSOAR PaaS 7.6.0 through 7.6.4, FortiSOAR PaaS 7.5.0 through 7.5.2, FortiSOAR PaaS 7.4 all versions, FortiSOAR PaaS 7.3 all versions, FortiSOAR on-premise 7.6.0 thro…
CVE-2025-59809 | Medium | 4.3 |  | 2026-04-14 | A server-side request forgery (ssrf) vulnerability [CWE-918] in Fortinet FortiSOAR PaaS 7.6.4, FortiSOAR PaaS 7.6.0 through 7.6.2, FortiSOAR PaaS 7.5.0 through 7.5.2, FortiSOAR PaaS 7.4 all versions, FortiSOAR PaaS 7.3 all ve…
CVE-2026-22574 | Medium | 4.1 |  | 2026-04-14 | A storing passwords in a recoverable format vulnerability in Fortinet FortiSOAR PaaS 7.6.0 through 7.6.4, FortiSOAR PaaS 7.5.0 through 7.5.2, FortiSOAR PaaS 7.4 all versions, FortiSOAR PaaS 7.3 all versions, FortiSOAR on-premise 7.6.0 thro…
CVE-2026-27316 | Low | 2.7 |  | 2026-04-14 | An insufficiently protected credentials vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0.5, FortiSandbox 4.4 all versions, FortiSandbox PaaS 5.0.1 through 5.0.5 may allow an authenticated administrator to read LDAP server credentia…
CVE-2026-21741 | Low | 2.4 |  | 2026-04-14 | A URL Redirection to Untrusted Site ('Open Redirect') vulnerability [CWE-601] in Fortinet FortiNAC-F 7.6.0 through 7.6.5, FortiNAC-F 7.4 all versions, FortiNAC-F 7.2 all versions may allow a remote privileged attacker with s…

Dell · 21 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-23853 | High | 8.4 | | 2026-04-17 | Dell PowerProtect Data Domain with Data Domain Operating System (DD OS) of Feature Release versions 7.7.1.0 through 8.5, LTS2025 release version 8.3.1.0 through 8.3.1.20, LTS2024 release versions 7.13.1.0 through 7.13.1.50, contain a use o…
CVE-2025-36568 | High | 7.8 | | 2026-04-17 | Dell PowerProtect Data Domain BoostFS for client of Feature Release versions 7.7.1.0 through 8.5, LTS2025 release version 8.3.1.0 through 8.3.1.20, LTS2024 release versions 7.13.1.0 through 7.13.1.50, contain an insufficiently protected cr…
CVE-2026-23775 | High | 7.6 | | 2026-04-17 | Dell PowerProtect Data Domain appliances with Data Domain Operating System (DD OS) of Feature Release versions 8.0 through 8.5, LTS2025 release version 8.3.1.0 through 8.3.1.10 contain an insertion of sensitive information into log file vu…
CVE-2026-23772 | High | 7.3 | | 2026-04-16 | Dell Storage Manager - Replay Manager for Microsoft Servers, version(s) 8.0, contain(s) an Improper Privilege Management vulnerability.
CVE-2026-23776 | High | 7.2 | | 2026-04-17 | Dell PowerProtect Data Domain with Data Domain Operating System (DD OS) of Feature Release versions 7.7.1.0 through 8.5, LTS2025 release version 8.3.1.0 through 8.3.1.20, LTS2024 release versions 7.13.1.0 through 7.13.1.60, contain(s) an I…
CVE-2026-23778 | High | 7.2 | | 2026-04-17 | Dell PowerProtect Data Domain with Data Domain Operating System (DD OS) of Feature Release versions 7.7.1.0 through 8.5, LTS2025 release version 8.3.1.0 through 8.3.1.20, LTS2024 release versions 7.13.1.0 through 7.13.1.50, contain a comma…
CVE-2026-35153 | Medium | 6.7 | | 2026-04-17 | Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.7.0.0, LTS2025 release versions 8.3.1.0 through 8.3.1.20, LTS2024 release versions 7.13.1.0 through 7.13.1.60 contain an improper neutralization of argument delimiters in a command…
CVE-2026-35074 | Medium | 6.7 | | 2026-04-17 | Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.7.0.0, LTS2025 release versions 8.3.1.0 through 8.3.1.20, LTS2024 release versions 7.13.1.0 through 7.13.1.60 contain an improper neutralization of special elements used in an OS Co…
CVE-2026-35073 | Medium | 6.7 | | 2026-04-17 | Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.7.0.0, LTS2025 release versions 8.3.1.0 through 8.3.1.20, LTS2024 release versions 7.13.1.0 through 7.13.1.60 contain an improper neutralization of special elements used in an OS co…
CVE-2026-35072 | Medium | 6.7 | | 2026-04-17 | Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.7.0.0, LTS2025 release versions 8.3.1.0 through 8.3.1.20, LTS2024 release versions 7.13.1.0 through 7.13.1.60 contain an improper neutralization of special elements used in an OS co…
CVE-2026-23779 | Medium | 6.7 | | 2026-04-17 | Dell PowerProtect Data Domain with Data Domain Operating System (DD OS) of Feature Release versions 7.7.1.0 through 8.5, LTS2025 release version 8.3.1.0 through 8.3.1.20, LTS2024 release versions 7.13.1.0 through 7.13.1.50, contain a comma…
CVE-2025-46641 | Medium | 6.6 | | 2026-04-17 | Dell PowerProtect Data Domain with Data Domain Operating System (DD OS) of Feature Release versions 8.4 through 8.5 contain an improper authentication vulnerability.
CVE-2025-46607 | Medium | 6.6 | | 2026-04-17 | Dell PowerProtect Data Domain with Data Domain Operating System (DD OS) of Feature Release versions 8.4 through 8.5 contain an improper authentication vulnerability.
CVE-2025-43937 | Medium | 6.6 | | 2026-04-16 | Dell PowerScale OneFS, versions prior to 9.12.0.0, contains an insertion of sensitive information into log file vulnerability.
CVE-2025-46606 | Medium | 6.2 | | 2026-04-17 | Dell PowerProtect Data Domain with Data Domain Operating System (DD OS) of Feature Release versions 8.4 through 8.5 contain an improper restriction of excessive authentication attempts vulnerability.
CVE-2025-46605 | Medium | 6.2 | | 2026-04-17 | Dell PowerProtect Data Domain with Data Domain Operating System (DD OS) of Feature Release versions 8.4 through 8.5 contain a session fixation vulnerability.
CVE-2026-28263 | Medium | 5.9 | | 2026-04-17 | Dell PowerProtect Data Domain with Data Domain Operating System (DD OS) of Feature Release versions 7.7.1.0 through 8.5, LTS2025 release version 8.3.1.0 through 8.3.1.20, LTS2024 release versions 7.13.1.0 through 7.13.1.50, contain a cross…
CVE-2025-36579 | Medium | 5.1 | | 2026-04-16 | Dell Client Platform BIOS contains a Weak Password Recovery Mechanism vulnerability.
CVE-2025-43935 | Medium | 4.4 | | 2026-04-16 | Dell PowerScale OneFS, versions prior to 9.12.0.0, contains an improper resource shutdown or release vulnerability.
CVE-2026-23777 | Medium | 4.3 | | 2026-04-17 | Dell PowerProtect Data Domain with Data Domain Operating System (DD OS) of Feature Release versions 7.7.1.0 through 8.5, LTS2025 release version 8.3.1.0 through 8.3.1.20, LTS2024 release versions 7.13.1.0 through 7.13.1.50, contain an expo…
CVE-2025-43883 | Medium | 4.1 | | 2026-04-16 | Dell PowerScale OneFS, versions prior to 9.12.0.0, contains an improper check for unusual or exceptional conditions vulnerability.

Huawei · 20 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-34865 | Critical | 9.1 | | 2026-04-13 | Out-of-bounds write vulnerability in the WEB module. Impact: Successful exploitation of this vulnerability will affect availability and confidentiality.
CVE-2026-34853 | High | 7.7 | | 2026-04-13 | Permission bypass vulnerability in the LBS module.
CVE-2026-34856 | High | 7.3 | | 2026-04-13 | UAF vulnerability in the communication module.
CVE-2026-28553 | Medium | 6.9 | | 2026-04-13 | Vulnerability of improper permission control in the theme setting module.
CVE-2026-34864 | Medium | 6.8 | | 2026-04-13 | Boundary-unlimited vulnerability in the application read module.
CVE-2026-34863 | Medium | 6.7 | | 2026-04-13 | Out-of-bounds write vulnerability in the file system.
CVE-2026-34862 | Medium | 6.3 | | 2026-04-13 | Race condition vulnerability in the power consumption statistics module.
CVE-2026-34861 | Medium | 6.3 | | 2026-04-13 | Race condition vulnerability in the thermal management module.
CVE-2026-34852 | Medium | 6.1 | | 2026-04-13 | Stack overflow vulnerability in the media platform.
CVE-2026-34859 | Medium | 5.9 | | 2026-04-13 | UAF vulnerability in the kernel module.
CVE-2026-34855 | Medium | 5.7 | | 2026-04-13 | Out-of-bounds write vulnerability in the kernel module.
CVE-2026-34854 | Medium | 5.7 | | 2026-04-13 | UAF vulnerability in the kernel module.
CVE-2026-34867 | Medium | 5.6 | | 2026-04-13 | Double free vulnerability in the multi-mode input system.
CVE-2026-34866 | Medium | 5.1 | | 2026-04-13 | Out-of-bounds write vulnerability in the WEB module. Impact: Successful exploitation of this vulnerability will affect availability and confidentiality.
CVE-2026-34857 | Medium | 4.7 | | 2026-04-13 | UAF vulnerability in the communication module.
CVE-2026-34858 | Medium | 4.1 | | 2026-04-13 | UAF vulnerability in the communication module.
CVE-2026-34860 | Medium | 4.1 | | 2026-04-13 | Access control vulnerability in the memo module.
CVE-2026-34849 | Low | 2.5 | | 2026-04-13 | UAF vulnerability in the screen management module.
CVE-2026-34851 | Low | 2.2 | | 2026-04-13 | Race condition vulnerability in the event notification module.
CVE-2026-34850 | Low | 1.9 | | 2026-04-13 | Race condition vulnerability in the notification service.

Adobe · 18 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-27304 | Critical | 9.3 | | 2026-04-14 | ColdFusion versions 2023.18, 2025.6 and earlier are affected by an Improper Input Validation vulnerability that could result in arbitrary code execution in the context of the current user.
CVE-2026-27305 | High | 8.6 | | 2026-04-14 | ColdFusion versions 2023.18, 2025.6 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could lead to arbitrary file system read.
CVE-2026-27306 | High | 8.4 | | 2026-04-14 | ColdFusion versions 2023.18, 2025.6 and earlier are affected by an Improper Input Validation vulnerability that could result in arbitrary code execution in the context of the current user.
CVE-2026-34632 | High | 8.2 | | 2026-04-15 | Adobe Photoshop Installer was affected by an Uncontrolled Search Path Element vulnerability that could have resulted in arbitrary code execution in the context of the current user.
CVE-2026-27289 | High | 7.8 | | 2026-04-14 | Photoshop Desktop versions 27.4 and earlier are affected by an out-of-bounds read vulnerability when parsing a crafted file, which could result in a read past the end of an allocated memory structure.
CVE-2026-34629 | High | 7.8 | | 2026-04-14 | InDesign Desktop versions 20.5.2, 21.2 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user.
CVE-2026-34628 | High | 7.8 | | 2026-04-14 | InDesign Desktop versions 20.5.2, 21.2 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user.
CVE-2026-34627 | High | 7.8 | | 2026-04-14 | InDesign Desktop versions 20.5.2, 21.2 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user.
CVE-2026-27291 | High | 7.8 | | 2026-04-14 | InDesign Desktop versions 20.5.2, 21.2 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user.
CVE-2026-34619 | High | 7.7 | | 2026-04-14 | ColdFusion versions 2023.18, 2025.6 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could result in a Security feature bypass.
CVE-2026-27282 | High | 7.5 | | 2026-04-14 | ColdFusion versions 2023.18, 2025.6 and earlier are affected by an Improper Input Validation vulnerability that could result in a Security feature bypass.
CVE-2026-27258 | Medium | 5.5 | | 2026-04-14 | DNG SDK versions 1.7.1 2502 and earlier are affected by an out-of-bounds write vulnerability that could lead to application denial-of-service.
CVE-2026-34625 | Medium | 5.4 | | 2026-04-14 | Adobe Experience Manager versions 6.5.24, FP11.7 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability.
CVE-2026-34624 | Medium | 5.4 | | 2026-04-14 | Adobe Experience Manager versions 6.5.24, FP11.7 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability.
CVE-2026-34623 | Medium | 5.4 | | 2026-04-14 | Adobe Experience Manager versions 6.5.24, FP11.7 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability.
CVE-2026-27288 | Medium | 5.4 | | 2026-04-14 | Adobe Experience Manager versions 6.5.24, FP11.7 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability.
CVE-2026-27308 | Low | 2.4 | | 2026-04-14 | ColdFusion versions 2023.18, 2025.6 and earlier are affected by an Uncontrolled Resource Consumption vulnerability that could lead to application denial-of-service.
CVE-2026-27307 | Low | 2.4 | | 2026-04-14 | ColdFusion versions 2023.18, 2025.6 and earlier are affected by an Uncontrolled Resource Consumption vulnerability that could lead to application denial-of-service.

Code-projects · 18 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-6183 | High | 7.3 | | 2026-04-13 | A security flaw has been discovered in code-projects Simple Content Management System 1.0.
CVE-2026-6182 | High | 7.3 | | 2026-04-13 | A vulnerability was identified in code-projects Simple Content Management System 1.0.
CVE-2026-6167 | High | 7.3 | | 2026-04-13 | A vulnerability was detected in code-projects Faculty Management System 1.0.
CVE-2026-6166 | High | 7.3 | | 2026-04-13 | A security vulnerability has been detected in code-projects Vehicle Showroom Management System 1.0.
CVE-2026-6165 | High | 7.3 | | 2026-04-13 | A weakness has been identified in code-projects Vehicle Showroom Management System 1.0.
CVE-2026-6164 | High | 7.3 | | 2026-04-13 | A security flaw has been discovered in code-projects Lost and Found Thing Management 1.0.
CVE-2026-6163 | High | 7.3 | | 2026-04-13 | A vulnerability was identified in code-projects Lost and Found Thing Management 1.0.
CVE-2026-6161 | High | 7.3 | | 2026-04-13 | A vulnerability was determined in code-projects Simple ChatBox up to 1.0.
CVE-2026-6153 | High | 7.3 | | 2026-04-13 | A vulnerability was identified in code-projects Vehicle Showroom Management System 1.0.
CVE-2026-6152 | High | 7.3 | | 2026-04-13 | A vulnerability was determined in code-projects Vehicle Showroom Management System 1.0.
CVE-2026-6151 | High | 7.3 | | 2026-04-13 | A vulnerability was found in code-projects Vehicle Showroom Management System 1.0.
CVE-2026-6149 | High | 7.3 | | 2026-04-13 | A flaw has been found in code-projects Vehicle Showroom Management System 1.0.
CVE-2026-6148 | High | 7.3 | | 2026-04-13 | A vulnerability was detected in code-projects Vehicle Showroom Management System 1.0.
CVE-2026-6202 | Medium | 6.3 | | 2026-04-13 | A security flaw has been discovered in code-projects Easy Blog Site 1.0.
CVE-2026-6160 | Medium | 5.3 | | 2026-04-13 | A vulnerability was found in code-projects Simple ChatBox 1.0.
CVE-2026-6159 | Medium | 4.3 | | 2026-04-13 | A vulnerability has been found in code-projects Simple ChatBox up to 1.0.
CVE-2026-6150 | Medium | 4.3 | | 2026-04-13 | A vulnerability has been found in code-projects Simple Laundry System 1.0.
CVE-2026-6184 | Low | 2.4 | | 2026-04-13 | A weakness has been identified in code-projects Simple Content Management System 1.0.

Samsung · 18 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-25208 | High | 8.1 | | 2026-04-13 | Integer overflow vulnerability in Samsung Open Source Escargot allows Overflow Buffers. This issue affects Escargot: 97e8115ab1110bc502b4b5e4a0c689a71520d335.
CVE-2026-25207 | High | 7.4 | | 2026-04-13 | Out-of-bounds write vulnerability in Samsung Open Source Escargot allows Overflow Buffers. This issue affects Escargot: 97e8115ab1110bc502b4b5e4a0c689a71520d335.
CVE-2026-25205 | High | 7.4 | | 2026-04-13 | Heap-based buffer overflow vulnerability in Samsung Open Source Escargot allows out-of-bounds write. This issue affects Escargot: commit hash 97e8115ab1110bc502b4b5e4a0c689a71520d335.
CVE-2026-40446 | Medium | 6.9 | | 2026-04-13 | Access of resource using incompatible type ('type confusion') vulnerability in Samsung Open Source Escargot allows Pointer Manipulation. This issue affects Escargot: 97e8115ab1110bc502b4b5e4a0c689a71520d335.
CVE-2026-21011 | Medium | 6.8 | | 2026-04-13 | Incorrect privilege assignment in Bluetooth in Maintenance mode prior to SMR Apr-2026 Release 1 allows physical attackers to bypass Extend Unlock.
CVE-2026-21009 | Medium | 6.8 | | 2026-04-13 | Improper check for exceptional conditions in Recents prior to SMR Apr-2026 Release 1 allows physical attacker to bypass App Pinning.
CVE-2026-21007 | Medium | 6.8 | | 2026-04-13 | Improper check for exceptional conditions in Device Care prior to SMR Apr-2026 Release 1 allows physical attackers to bypass Knox Guard.
CVE-2026-21003 | Medium | 6.8 | | 2026-04-13 | Improper input validation in data related to network restrictions prior to SMR Apr-2026 Release 1 allows physical attackers to bypass the restrictions.
CVE-2026-25206 | Medium | 6.7 | | 2026-04-13 | Out-of-bounds read vulnerability in Samsung Open Source Escargot allows Resource Leak Exposure. This issue affects Escargot: 97e8115ab1110bc502b4b5e4a0c689a71520d335.
CVE-2026-21010 | Medium | 6.6 | | 2026-04-13 | Improper input validation in Retail Mode prior to SMR Apr-2026 Release 1 allows local attackers to trigger privileged functions.
CVE-2026-21008 | Medium | 6.5 | | 2026-04-13 | Exposure of sensitive information in S Share prior to SMR Apr-2026 Release 1 allows adjacent attacker to access sensitive information.
CVE-2026-25209 | Medium | 6.5 | | 2026-04-13 | Out-of-bounds read vulnerability in Samsung Open Source Escargot allows Resource Leak Exposure. This issue affects Escargot: 97e8115ab1110bc502b4b5e4a0c689a71520d335.
CVE-2026-25204 | Medium | 6.2 | | 2026-04-13 | Deserialization of untrusted data vulnerability in Samsung Open Source Escargot Java Script allows denial of service condition via process abort.
CVE-2026-21013 | Medium | 5.5 | | 2026-04-13 | Incorrect default permission in Galaxy Wearable prior to version 2.2.68.26 allows local attackers to access sensitive information.
CVE-2026-40447 | Medium | 5.1 | | 2026-04-13 | Integer overflow or wraparound vulnerability in Samsung Open Source Escargot allows undefined behavior. This issue affects Escargot: 97e8115ab1110bc502b4b5e4a0c689a71520d335.
CVE-2026-21012 | Low | 3.3 | | 2026-04-13 | External control of file name in AODManager prior to SMR Apr-2026 Release 1 allows privileged local attacker to create file with system privilege.
CVE-2026-21014 | Low | 2.8 | | 2026-04-13 | Improper access control in Samsung Camera prior to version 16.5.00.28 allows local attacker to access location data.
CVE-2026-21006 | Low | 2.4 | | 2026-04-13 | Improper access control in Samsung DeX prior to SMR Apr-2026 Release 1 allows physical attackers to access to hidden notification contents.

Cisco · 15 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-20186 | Critical | 9.9 | | 2026-04-15 | A vulnerability in Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to execute arbitrary commands on the underlying operating system of an affected device.
CVE-2026-20180 | Critical | 9.9 | | 2026-04-15 | A vulnerability in Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to execute arbitrary commands on the underlying operating system of an affected device.
CVE-2026-20147 | Critical | 9.9 | | 2026-04-15 | A vulnerability in Cisco ISE and Cisco ISE-PIC could allow an authenticated, remote attacker to execute arbitrary commands on the underlying operating system of an affected device.
CVE-2026-20184 | Critical | 9.8 | | 2026-04-15 | A vulnerability in the integration of single sign-on (SSO) with Control Hub in Cisco Webex Services could have allowed an unauthenticated, remote attacker to impersonate any user within the service. This vulnerability existed because of…
CVE-2026-20081 | Medium | 6.5 | | 2026-04-15 | Multiple vulnerabilities in Cisco Unity Connection could allow an authenticated, remote attacker to download arbitrary files from an affected system.
CVE-2026-20078 | Medium | 6.5 | | 2026-04-15 | Multiple vulnerabilities in Cisco Unity Connection could allow an authenticated, remote attacker to download arbitrary files from an affected system.
CVE-2026-20170 | Medium | 6.1 | | 2026-04-15 | A vulnerability in the Desktop Agent functionality of Cisco Webex Contact Center could have allowed an unauthenticated, remote attacker to conduct cross-site scripting attacks.
CVE-2026-20059 | Medium | 6.1 | | 2026-04-15 | A vulnerability in the web-based management interface of Cisco Unity Connection could allow an unauthenticated, remote attacker to conduct a reflected XSS attack against a user of the interface. This vulnerability exists because the web…
CVE-2026-20136 | Medium | 6.0 | | 2026-04-15 | A vulnerability in the CLI of Cisco Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC) could allow an authenticated, local attacker with administrative privileges to perform a command injection attack on…
CVE-2026-20161 | Medium | 5.5 | | 2026-04-15 | A vulnerability in the CLI of Cisco ThousandEyes Enterprise Agent could allow an authenticated, local attacker with low privileges to overwrite arbitrary files on the local system of an affected device. This vulnerability is due to impr…
CVE-2026-20152 | Medium | 5.3 | | 2026-04-15 | A vulnerability in the authentication service feature of Cisco AsyncOS Software for Cisco Secure Web Appliance could allow an unauthenticated, remote attacker to bypass authentication policy requirements. This vulnerability is due to im…
CVE-2026-20148 | Medium | 4.9 | | 2026-04-15 | A vulnerability in Cisco ISE and Cisco ISE-PIC could allow an authenticated, remote attacker to perform path traversal attacks on the underlying operating system and read arbitrary files.
CVE-2026-20132 | Medium | 4.8 | | 2026-04-15 | Multiple vulnerabilities in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker with administrative write privileges to conduct a stored cross-site scripting (XSS) a…
CVE-2026-20060 | Medium | 4.7 | | 2026-04-15 | A vulnerability in the web-based management interface of Cisco Unity Connection could allow an unauthenticated, remote attacker to redirect a user to a malicious web page. This vulnerability is due to improper input validation of HTTP r…
CVE-2026-20061 | Medium | 4.3 | | 2026-04-15 | A vulnerability in the web-based management interface of Cisco Unity Connection could allow an authenticated, remote attacker to perform an SQL injection attack against an affected device.

Linux · 15 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-31414 | Critical | 9.8 | | 2026-04-13 | In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_conntrack_expect: use expect->helper Use expect->helper in ctnetlink and /proc to dump the helper name.
CVE-2026-31419 | High | 7.8 | | 2026-04-13 | In the Linux kernel, the following vulnerability has been resolved: net: bonding: fix use-after-free in bond_xmit_broadcast() bond_xmit_broadcast() reuses the original skb for the last slave (determined by bond_is_last_slave()) and clone…
CVE-2026-31417 | High | 7.5 | | 2026-04-13 | In the Linux kernel, the following vulnerability has been resolved: net/x25: Fix overflow when accumulating packets Add a check to ensure that `x25_sock.fraglen` does not overflow.
CVE-2026-31426 | High | 7.0 | | 2026-04-13 | In the Linux kernel, the following vulnerability has been resolved: ACPI: EC: clean up handlers on probe failure in acpi_ec_setup() When ec_install_handlers() returns -EPROBE_DEFER on reduced-hardware platforms, it has already started th…
CVE-2026-31428 | Medium | 5.5 | | 2026-04-13 | In the Linux kernel, the following vulnerability has been resolved: netfilter: nfnetlink_log: fix uninitialized padding leak in NFULA_PAYLOAD __build_packet_message() manually constructs the NFULA_PAYLOAD netlink attribute using skb_put(…
CVE-2026-31427 | Medium | 5.5 | | 2026-04-13 | In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_conntrack_sip: fix use of uninitialized rtp_addr in process_sdp process_sdp() declares union nf_inet_addr rtp_addr on the stack and passes it to the nf_nat…
CVE-2026-31425 | Medium | 5.5 | | 2026-04-13 | In the Linux kernel, the following vulnerability has been resolved: rds: ib: reject FRMR registration before IB connection is established rds_ib_get_mr() extracts the rds_ib_connection from conn->c_transport_data and passes it to rds_ib_…
CVE-2026-31424 | Medium | 5.5 | | 2026-04-13 | In the Linux kernel, the following vulnerability has been resolved: netfilter: x_tables: restrict xt_check_match/xt_check_target extensions for NFPROTO_ARP Weiming Shi says: xt_match and xt_target structs registered with NFPROTO_UNSPEC…
CVE-2026-31423 | Medium | 5.5 | | 2026-04-13 | In the Linux kernel, the following vulnerability has been resolved: net/sched: sch_hfsc: fix divide-by-zero in rtsc_min() m2sm() converts a u32 slope to a u64 scaled value.
CVE-2026-31422 | Medium | 5.5 | | 2026-04-13 | In the Linux kernel, the following vulnerability has been resolved: net/sched: cls_flow: fix NULL pointer dereference on shared blocks flow_change() calls tcf_block_q() and dereferences q->handle to derive a default baseclass.
CVE-2026-31421 | Medium | 5.5 | | 2026-04-13 | In the Linux kernel, the following vulnerability has been resolved: net/sched: cls_fw: fix NULL pointer dereference on shared blocks The old-method path in fw_classify() calls tcf_block_q() and dereferences q->handle.
CVE-2026-31420 | Medium | 5.5 | | 2026-04-13 | In the Linux kernel, the following vulnerability has been resolved: bridge: mrp: reject zero test interval to avoid OOM panic br_mrp_start_test() and br_mrp_start_in_test() accept the user-supplied interval value from netlink without val…
CVE-2026-31418 | Medium | 5.5 | | 2026-04-13 | In the Linux kernel, the following vulnerability has been resolved: netfilter: ipset: drop logically empty buckets in mtype_del mtype_del() counts empty slots below n->pos in k, but it only drops the bucket when both n->pos and k are zer…
CVE-2026-31416 | Medium | 5.5 | | 2026-04-13 | In the Linux kernel, the following vulnerability has been resolved: netfilter: nfnetlink_log: account for netlink header size This is a followup to an old bug fix: NLMSG_DONE needs to account for the netlink header size, not just the att…
CVE-2026-31415 | Medium | 5.5 | | 2026-04-13 | In the Linux kernel, the following vulnerability has been resolved: ipv6: avoid overflows in ip6_datagram_send_ctl() Yiming Qian reported : <quote> I believe I found a locally triggerable kernel bug in the IPv6 sendmsg ancillary-data p…

Apache · 13 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-31908 | Critical | 9.1 | | 2026-04-14 | Header injection vulnerability in Apache APISIX.
CVE-2026-33858 | High | 8.8 | | 2026-04-13 | Dag Authors, who normally should not be able to execute code in the webserver context, could craft XCom payload causing the webserver to execute arbitrary code.
CVE-2026-35337 | High | 8.8 | | 2026-04-13 | Deserialization of Untrusted Data vulnerability in Apache Storm.
CVE-2025-54550 | High | 8.1 | | 2026-04-15 | The example example_xcom that was included in airflow documentation implemented unsafe pattern of reading value from xcom in the way that could be exploited to allow UI user who had access to modify XComs to perform arbitrary execution of…
CVE-2026-31987 | High | 7.5 | | 2026-04-16 | JWT Tokens used by tasks were exposed in logs.
CVE-2026-30778 | High | 7.5 | | 2026-04-15 | The SkyWalking OAP /debugging/config/dump endpoint may leak sensitive configuration information of MySQL/PostgreSQL.
CVE-2026-31923 | High | 7.5 | | 2026-04-14 | Cleartext Transmission of Sensitive Information vulnerability in Apache APISIX.
CVE-2025-66236 | High | 7.5 | | 2026-04-13 | Before Airflow 3.2.0, it was unclear that secure Airflow deployments require the Deployment Manager to take appropriate actions and pay attention to security details and security model of Airflow.
CVE-2026-34476 | High | 7.1 | | 2026-04-13 | Server-Side Request Forgery via SW-URL Header vulnerability in Apache SkyWalking MCP.
CVE-2026-25219 | Medium | 6.5 | | 2026-04-15 | The `access_key` and `connection_string` connection properties were not marked as sensitive names in secrets masker.
CVE-2026-35565 | Medium | 5.4 | | 2026-04-13 | Stored Cross-Site Scripting (XSS) via Unsanitized Topology Metadata in Apache Storm UI Versions Affected: before 2.8.6 Description: The Storm UI visualization component interpolates topology metadata including component IDs, stream nam…
CVE-2026-31924 | Medium | 5.3 | | 2026-04-14 | Cleartext Transmission of Sensitive Information vulnerability in Apache APISIX.
CVE-2026-33929 | Medium | 4.3 | | 2026-04-14 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache PDFBox Examples.

Anviz · 12 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-35546 | Critical | 9.8 | | 2026-04-17 | Anviz CX2 Lite and CX7 are vulnerable to unauthenticated firmware uploads.
CVE-2026-40066 | High | 8.8 | | 2026-04-17 | Anviz CX2 Lite and CX7 are vulnerable to unverified update packages that can be uploaded.
CVE-2026-35682 | High | 8.8 | | 2026-04-17 | Anviz CX2 Lite is vulnerable to an authenticated command injection via a filename parameter that enables arbitrary command execution (e.g., starting telnetd), resulting in root-level access.
CVE-2026-40434 | High | 8.1 | | 2026-04-17 | Anviz CrossChex Standard lacks source verification in the client/server channel, enabling TCP packet injection by an attacker on the same network to alter or disrupt application traffic.
CVE-2026-32324 | High | 7.7 | | 2026-04-17 | Anviz CX7 Firmware is vulnerable because the application embeds reusable certificate/key material, enabling decryption of MQTT traffic and potential interaction with device messaging channels at scale.
CVE-2026-40461 | High | 7.5 | | 2026-04-17 | Anviz CX2 Lite and CX7 are vulnerable to unauthenticated POST requests that modify debug settings (e.g., enabling SSH), allowing unauthorized state changes that can facilitate later compromise.
CVE-2026-32650 | High | 7.5 | | 2026-04-17 | Anviz CrossChex Standard is vulnerable when an attacker manipulates the TDS7 PreLogin to disable encryption, causing database credentials to be sent in plaintext and enabling unauthorized database access.
CVE-2026-33569 | Medium | 6.5 | | 2026-04-17 | Anviz CX2 Lite and CX7 administrative sessions occur over HTTP, enabling on-path attackers to sniff credentials and session data, which can be used to compromise the device.
CVE-2026-35061 | Medium | 5.3 | | 2026-04-17 | Anviz CX7 Firmware is vulnerable to the most recently captured test photo that can be retrieved without authentication, revealing sensitive operational imagery.
CVE-2026-33093 | Medium | 5.3 | | 2026-04-17 | Anviz CX7 Firmware is vulnerable to an unauthenticated POST to the device that captures a photo with the front facing camera, exposing visual information about the deployment environment.
CVE-2026-32648 | Medium | 5.3 | | 2026-04-17 | Anviz CX2 Lite and CX7 are vulnerable to unauthenticated access that discloses debug configuration details (e.g., SSH/RTTY status), assisting attackers in reconnaissance against the device.
CVE-2026-31927 | Medium | 4.9 | | 2026-04-17 | Anviz CX7 Firmware is vulnerable to an authenticated CSV upload which allows path traversal to overwrite arbitrary files (e.g., /etc/shadow), enabling unauthorized SSH access when combined with debug-setting changes.

Imagemagick · 12 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-33908 | High | 7.5 | | 2026-04-13 | ImageMagick is free and open-source software used for editing and manipulating digital images.
CVE-2026-33901 | High | 7.5 | | 2026-04-13 | ImageMagick is free and open-source software used for editing and manipulating digital images.
CVE-2026-40312 | Medium | 6.2 | | 2026-04-13 | ImageMagick is free and open-source software used for editing and manipulating digital images.
CVE-2026-40169 | Medium | 6.2 | | 2026-04-13 | ImageMagick is free and open-source software used for editing and manipulating digital images.
CVE-2026-33900 | Medium | 5.9 | | 2026-04-13 | ImageMagick is free and open-source software used for editing and manipulating digital images.
CVE-2026-40311 | Medium | 5.5 | | 2026-04-13 | ImageMagick is free and open-source software used for editing and manipulating digital images.
CVE-2026-40310 | Medium | 5.5 | | 2026-04-13 | ImageMagick is free and open-source software used for editing and manipulating digital images.
CVE-2026-40183 | Medium | 5.5 | | 2026-04-13 | ImageMagick is free and open-source software used for editing and manipulating digital images.
CVE-2026-33905 | Medium | 5.5 | | 2026-04-13 | ImageMagick is free and open-source software used for editing and manipulating digital images.
CVE-2026-33902 | Medium | 5.5 | | 2026-04-13 | ImageMagick is free and open-source software used for editing and manipulating digital images.
CVE-2026-33899 | Medium | 5.3 | | 2026-04-13 | ImageMagick is free and open-source software used for editing and manipulating digital images.
CVE-2026-34238 | Medium | 5.1 | | 2026-04-13 | ImageMagick is free and open-source software used for editing and manipulating digital images.

Sap_se · 12 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-27681 | Critical | 9.9 | | 2026-04-14 | Due to insufficient authorization checks in SAP Business Planning and Consolidation and SAP Business Warehouse, an authenticated user can execute crafted SQL statements to read, modify, and delete database data.
CVE-2026-34256 | High | 7.1 | | 2026-04-14 | Due to a missing authorization check in SAP ERP and SAP S/4HANA (Private Cloud and On-Premise), an authenticated attacker could execute a particular ABAP report to overwrite any existing eight-character executable ABAP report without autho…
CVE-2026-34261 | Medium | 6.5 | | 2026-04-14 | Due to a missing authorization check in SAP Business Analytics and SAP Content Management, an authenticated user could make unauthorized calls to certain remote function modules, potentially accessing sensitive information beyond their int…
CVE-2026-27678 | Medium | 6.5 | | 2026-04-14 | Due to missing authorization checks in the SAP S/4HANA backend OData Service (Manage Reference Structures), an attacker could update and delete child entities via exposed OData services without proper authorization.
CVE-2026-27677 | Medium | 6.5 | | 2026-04-14 | Due to missing authorization checks in the SAP S/4HANA OData Service (Manage Reference Equipment), an attacker could update and delete child entities via OData services without proper authorization.
CVE-2026-0512 | Medium | 6.1 | | 2026-04-14 | Due to a Cross-Site Scripting (XSS) vulnerability in the SAP Supplier Relationship Management (SICF Handler in SRM Catalog), an unauthenticated attacker could craft a malicious URL, that if accessed by a victim, results in execution of mal…
CVE-2026-27673 | Medium | 4.9 | | 2026-04-14 | Due to a missing authorization check, SAP S/4HANA (Private Cloud and On-Premise) allows an authenticated user to delete files on the operating system and gain unauthorized control over file operations which could lead to no impact on Conf…
CVE-2026-27676 | Medium | 4.3 | | 2026-04-14 | Due to missing authorization checks in the SAP S/4HANA OData Service (Manage Technical Object Structures), an attacker could update and delete child entities via exposed OData services without proper authorization.
CVE-2026-27672 | Medium | 4.3 | | 2026-04-14 | The Material Master application does not enforce authorization checks for authenticated users when executing reports, resulting in the disclosure of sensitive information.
CVE-2026-24318 | Medium | 4.2 | | 2026-04-14 | Due to an Insecure session management vulnerability in SAP Business Objects Business Intelligence Platform, an unauthenticated attacker could obtain valid session tokens and reuse them to gain unauthorized access to a victim's session.
CVE-2026-27683 | Medium | 4.1 | | 2026-04-14 | SAP BusinessObjects Business Intelligence application allows an authenticated attacker to inject malicious JavaScript payloads through crafted URLs.
CVE-2026-27675 | Low | 2.0 | | 2026-04-14 | SAP Landscape Transformation contains a vulnerability in an RFC-exposed function module that could allow a high privileged adversary to inject arbitrary ABAP code and operating system commands.

1panel-dev · 11 CVEs

| CVE | Severity | CVSS | KEV | Published | Summary |
| --- | --- | --- | --- | --- | --- |
| CVE-2026-39421 | Medium | 6.3 | | 2026-04-14 | MaxKB is an open-source AI assistant for enterprise. |
| CVE-2026-39420 | Medium | 6.3 | | 2026-04-14 | MaxKB is an open-source AI assistant for enterprise. |
| CVE-2026-39426 | Medium | 5.4 | | 2026-04-14 | MaxKB is an open-source AI assistant for enterprise. |
| CVE-2026-39425 | Medium | 5.4 | | 2026-04-14 | MaxKB is an open-source AI assistant for enterprise. |
| CVE-2026-39423 | Medium | 5.4 | | 2026-04-14 | MaxKB is an open-source AI assistant for enterprise. |
| CVE-2026-39422 | Medium | 5.4 | | 2026-04-14 | MaxKB is an open-source AI assistant for enterprise. |
| CVE-2026-39418 | Medium | 5.0 | | 2026-04-14 | MaxKB is an open-source AI assistant for enterprise. |
| CVE-2026-39424 | Medium | 4.7 | | 2026-04-14 | MaxKB is an open-source AI assistant for enterprise. |
| CVE-2026-39417 | Medium | 4.6 | | 2026-04-14 | MaxKB is an open-source AI assistant for enterprise. |
| CVE-2025-15632 | Low | 3.5 | | 2026-04-13 | A vulnerability has been found in 1Panel-dev MaxKB up to 2.4.2. |
| CVE-2026-39419 | Low | 3.1 | | 2026-04-14 | MaxKB is an open-source AI assistant for enterprise. |

Totolink · 11 CVEs

| CVE | Severity | CVSS | KEV | Published | Summary |
| --- | --- | --- | --- | --- | --- |
| CVE-2026-6195 | Critical | 9.8 | | 2026-04-13 | A security vulnerability has been detected in Totolink A7100RU 7.4cu.2313_b20191024. |
| CVE-2026-6156 | Critical | 9.8 | | 2026-04-13 | A security vulnerability has been detected in Totolink A7100RU 7.4cu.2313_b20191024. |
| CVE-2026-6155 | Critical | 9.8 | | 2026-04-13 | A weakness has been identified in Totolink A7100RU 7.4cu.2313. |
| CVE-2026-6154 | Critical | 9.8 | | 2026-04-13 | A security flaw has been discovered in Totolink A7100RU 7.4cu.2313_b20191024. |
| CVE-2026-6140 | Critical | 9.8 | | 2026-04-13 | A vulnerability was found in Totolink A7100RU 7.4cu.2313_b20191024. |
| CVE-2026-6139 | Critical | 9.8 | | 2026-04-13 | A vulnerability has been found in Totolink A7100RU 7.4cu.2313_b20191024. |
| CVE-2026-6138 | Critical | 9.8 | | 2026-04-13 | A flaw has been found in Totolink A7100RU 7.4cu.2313_b20191024. |
| CVE-2026-6194 | High | 8.8 | | 2026-04-13 | A weakness has been identified in Totolink A3002MU B20211125.1046. |
| CVE-2026-6168 | High | 8.8 | | 2026-04-13 | A flaw has been found in TOTOLINK A7000R up to 9.1.0u.6115. |
| CVE-2026-6157 | High | 8.8 | | 2026-04-13 | A vulnerability was detected in Totolink A800R 4.1.2cu.5137_B20200730. |
| CVE-2026-6158 | High | 7.3 | | 2026-04-13 | A flaw has been found in Totolink N300RH 6.1c.1353_B20190305. |

Weblate · 10 CVEs

| CVE | Severity | CVSS | KEV | Published | Summary |
| --- | --- | --- | --- | --- | --- |
| CVE-2026-34393 | High | 8.8 | | 2026-04-15 | Weblate is a web based localization tool. |
| CVE-2026-33435 | High | 8.0 | | 2026-04-15 | Weblate is a web based localization tool. |
| CVE-2026-34242 | High | 7.7 | | 2026-04-15 | Weblate is a web based localization tool. |
| CVE-2026-33220 | Medium | 6.8 | | 2026-04-15 | Weblate is a web based localization tool. |
| CVE-2026-40256 | Medium | 5.0 | | 2026-04-15 | Weblate is a web based localization tool. |
| CVE-2026-34244 | Medium | 5.0 | | 2026-04-15 | Weblate is a web based localization tool. |
| CVE-2026-33440 | Medium | 5.0 | | 2026-04-15 | Weblate is a web based localization tool. |
| CVE-2026-33214 | Medium | 4.3 | | 2026-04-15 | Weblate is a web based localization tool. |
| CVE-2026-39845 | Medium | 4.1 | | 2026-04-15 | Weblate is a web based localization tool. |
| CVE-2026-33212 | Low | 3.1 | | 2026-04-15 | Weblate is a web based localization tool. |

Dataease · 9 CVEs

| CVE | Severity | CVSS | KEV | Published | Summary |
| --- | --- | --- | --- | --- | --- |
| CVE-2026-33122 | Critical | 9.8 | | 2026-04-16 | DataEase is an open-source data visualization and analytics platform. |
| CVE-2026-33082 | Critical | 9.8 | | 2026-04-16 | DataEase is an open source data visualization analysis tool. |
| CVE-2026-40901 | High | 8.8 | | 2026-04-16 | DataEase is an open-source data visualization and analytics platform. |
| CVE-2026-40900 | High | 8.8 | | 2026-04-16 | DataEase is an open-source data visualization and analytics platform. |
| CVE-2026-33207 | High | 8.8 | | 2026-04-16 | DataEase is an open-source data visualization and analytics platform. |
| CVE-2026-33121 | High | 8.8 | | 2026-04-16 | DataEase is an open-source data visualization and analytics platform. |
| CVE-2026-33084 | High | 8.8 | | 2026-04-16 | DataEase is an open-source data visualization and analytics platform. |
| CVE-2026-33083 | High | 8.8 | | 2026-04-16 | DataEase is an open-source data visualization and analytics platform. |
| CVE-2026-40899 | Medium | 6.5 | | 2026-04-16 | DataEase is an open-source data visualization and analytics platform. |

Firebirdsql · 9 CVEs

| CVE | Severity | CVSS | KEV | Published | Summary |
| --- | --- | --- | --- | --- | --- |
| CVE-2026-40342 | Critical | 9.9 | | 2026-04-17 | Firebird is an open-source relational database management system. |
| CVE-2026-28224 | High | 8.2 | | 2026-04-17 | Firebird is an open-source relational database management system. |
| CVE-2026-27890 | High | 8.2 | | 2026-04-17 | Firebird is an open-source relational database management system. |
| CVE-2025-65104 | High | 7.9 | | 2026-04-17 | Firebird is an open-source relational database management system. |
| CVE-2026-35215 | High | 7.5 | | 2026-04-17 | Firebird is an open-source relational database management system. |
| CVE-2026-34232 | High | 7.5 | | 2026-04-17 | Firebird is an open-source relational database management system. |
| CVE-2026-33337 | High | 7.5 | | 2026-04-17 | Firebird is an open-source relational database management system. |
| CVE-2026-28212 | High | 7.5 | | 2026-04-17 | Firebird is an open-source relational database management system. |
| CVE-2026-28214 | Medium | 6.5 | | 2026-04-17 | Firebird is an open-source relational database management system. |

Google · 9 CVEs

| CVE | Severity | CVSS | KEV | Published | Summary |
| --- | --- | --- | --- | --- | --- |
| CVE-2026-6363 | High | 8.8 | | 2026-04-15 | Type Confusion in V8 in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page. |
| CVE-2026-6360 | High | 8.8 | | 2026-04-15 | Use after free in FileSystem in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to potentially exploit object corruption via a crafted HTML page. |
| CVE-2026-6359 | High | 8.8 | | 2026-04-15 | Use after free in Video in Google Chrome on Windows prior to 147.0.7727.101 allowed a remote attacker who had compromised the renderer process to perform out of bounds memory access via a crafted HTML page. |
| CVE-2026-6358 | High | 8.8 | | 2026-04-15 | Use after free in XR in Google Chrome on Android prior to 147.0.7727.101 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. |
| CVE-2026-6315 | High | 8.8 | | 2026-04-15 | Use after free in Permissions in Google Chrome on Android prior to 147.0.7727.101 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code via a crafted HTML page. |
| CVE-2026-6361 | High | 8.3 | | 2026-04-15 | Heap buffer overflow in PDFium in Google Chrome on Windows prior to 147.0.7727.101 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code inside a sandbox via a crafted PDF file. |
| CVE-2026-6319 | High | 7.5 | | 2026-04-15 | Use after free in Payments in Google Chrome on Android prior to 147.0.7727.101 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code via a crafted HTML page. |
| CVE-2026-6364 | Medium | 6.5 | | 2026-04-15 | Out of bounds read in Skia in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted file. |
| CVE-2026-6362 | Medium | 4.3 | | 2026-04-15 | Use after free in Codecs in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to potentially perform out of bounds memory access via a crafted video file. |

Artica · 8 CVEs

| CVE | Severity | CVSS | KEV | Published | Summary |
| --- | --- | --- | --- | --- | --- |
| CVE-2026-34186 | High | 8.8 | | 2026-04-13 | Improper Neutralization of Special Elements used in an SQL Command vulnerability allows SQL Injection via custom fields. |
| CVE-2026-30813 | High | 8.8 | | 2026-04-13 | Improper Neutralization of Special Elements used in an SQL Command vulnerability allows SQL Injection via module search. |
| CVE-2026-30809 | High | 8.8 | | 2026-04-13 | Improper Neutralization of Special Elements used in an OS Command vulnerability allows OS Command Injection via WebServerModuleDebug. |
| CVE-2026-30806 | High | 8.8 | | 2026-04-13 | Improper Neutralization of Special Elements used in an OS Command vulnerability allows OS Command Injection via Network Report. |
| CVE-2026-34188 | High | 7.2 | | 2026-04-13 | Improper Neutralization of Special Elements used in an OS Command vulnerability allows OS Command Injection via Event Response execution. |
| CVE-2026-30804 | High | 7.2 | | 2026-04-13 | Unrestricted Upload of File with Dangerous Type vulnerability allows Remote Code Execution via file upload. |
| CVE-2026-30811 | Medium | 6.5 | | 2026-04-13 | Missing Authorization vulnerability allows Exposure of Sensitive Information via configuration endpoint. |
| CVE-2026-30812 | Medium | 5.4 | | 2026-04-13 | Improper Neutralization of Input During Web Page Generation vulnerability allows Stored Cross-Site Scripting via event comments. |

Chamilo · 8 CVEs

| CVE | Severity | CVSS | KEV | Published | Summary |
| --- | --- | --- | --- | --- | --- |
| CVE-2026-40291 | High | 8.8 | | 2026-04-14 | Chamilo LMS is an open-source learning management system. |
| CVE-2026-35196 | High | 8.8 | | 2026-04-14 | Chamilo LMS is an open-source learning management system. |
| CVE-2026-34160 | High | 8.6 | | 2026-04-14 | Chamilo LMS is an open-source learning management system. |
| CVE-2026-33715 | High | 7.2 | | 2026-04-14 | Chamilo LMS is an open-source learning management system. |
| CVE-2026-33714 | High | 7.2 | | 2026-04-14 | Chamilo is an open-source learning management system (LMS). |
| CVE-2026-34602 | High | 7.1 | | 2026-04-14 | Chamilo LMS is an open-source learning management system. |
| CVE-2026-34370 | Medium | 6.5 | | 2026-04-14 | Chamilo LMS is an open-source learning management system. |
| CVE-2026-34161 | Medium | 5.4 | | 2026-04-14 | Chamilo LMS is an open-source learning management system. |

Fastify · 8 CVEs

| CVE | Severity | CVSS | KEV | Published | Summary |
| --- | --- | --- | --- | --- | --- |
| CVE-2026-6270 | Critical | 9.1 | | 2026-04-16 | @fastify/middie versions 9.3.1 and earlier do not register inherited middleware directly on child plugin engine instances. |
| CVE-2026-33808 | Critical | 9.1 | | 2026-04-15 | @fastify/express v4.0.4 and earlier fails to normalize URLs before passing them to Express middleware when Fastify router normalization options are enabled. |
| CVE-2026-33807 | Critical | 9.1 | | 2026-04-15 | @fastify/express v4.0.4 and earlier contains a path handling bug in the onRegister function that causes middleware paths to be doubled when inherited by child plugins. |
| CVE-2026-33805 | High | 8.6 | | 2026-04-15 | @fastify/reply-from v12.6.1 and earlier and @fastify/http-proxy v11.4.3 and earlier process the client's Connection header after the proxy has added its own headers via rewriteRequestHeaders. |
| CVE-2026-33806 | High | 7.5 | | 2026-04-15 | Fastify applications using schema.body.content for per-content-type body validation can have validation bypassed entirely by prepending a space to the Content-Type header. |
| CVE-2026-33804 | High | 7.4 | | 2026-04-16 | @fastify/middie versions 9.3.1 and earlier are vulnerable to middleware bypass when the deprecated Fastify ignoreDuplicateSlashes option is enabled. |
| CVE-2026-6414 | Medium | 5.9 | | 2026-04-16 | @fastify/static versions 8.0.0 through 9.1.0 decode percent-encoded path separators (%2F) before filesystem resolution, while Fastify's router treats them as literal characters. |
| CVE-2026-6410 | Medium | 5.3 | | 2026-04-16 | @fastify/static versions 8.0.0 through 9.1.0 allow path traversal when directory listing is enabled via the list option. |
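
The CVE-2026-33806 entry above describes a per-content-type validation table that is keyed on the raw Content-Type string, so a leading space produces a key that matches nothing and the body is passed through unvalidated. The example below is added here and is not Fastify's code: it models that pattern with a constructed schema table, shows the bypass, and then shows the two properties a hardened lookup needs, parsing the media type (optional whitespace stripped, parameters dropped, case folded) before the lookup and failing closed with 415 when nothing matches. The schema, handler names and sample bodies are all invented for the illustration.

```python
"""Illustrative example (added here; not Fastify's code): a per-content-type
validation table must key on the parsed media type, not the raw header string,
and must fail closed when no entry matches."""
from __future__ import annotations
import json


# Constructed body validator for the example. A real application would use a
# JSON Schema library; this one only accepts {"name": str, "age": ...}.
def _validate_json_user(body: bytes) -> bool:
    try:
        obj = json.loads(body)
    except ValueError:
        return False
    return (isinstance(obj, dict)
            and isinstance(obj.get("name"), str)
            and set(obj) <= {"name", "age"})


# Hypothetical schema table: media type -> validator
SCHEMAS = {"application/json": _validate_json_user}


def parse_media_type(header: str) -> str:
    """Canonical media type: drop parameters (e.g. '; charset=utf-8'),
    strip optional whitespace, lower-case. Mirrors RFC 9110 section 8.3.1."""
    media = header.split(";", 1)[0]
    return media.strip().lower()


def handle_request_naive(content_type: str, body: bytes) -> int:
    """Vulnerable pattern: raw-string lookup, and 'no schema' means
    'nothing to validate'. ' application/json' (leading space) misses the
    table, so the body reaches the handler unvalidated (HTTP 200)."""
    validator = SCHEMAS.get(content_type)
    if validator is None:
        return 200
    return 200 if validator(body) else 400


def handle_request_hardened(content_type: str, body: bytes) -> int:
    """Parsed lookup, and fail closed: unknown media type -> 415."""
    validator = SCHEMAS.get(parse_media_type(content_type))
    if validator is None:
        return 415
    return 200 if validator(body) else 400


if __name__ == "__main__":
    # Constructed request body carrying a field the schema does not allow.
    evil = b'{"name": "x", "is_admin": true}'
    print(handle_request_naive("application/json", evil))             # 400
    print(handle_request_naive(" application/json", evil))            # 200 (bypass)
    print(handle_request_hardened(" application/json", evil))         # 400
    print(handle_request_hardened("Application/JSON; charset=utf-8",
                                  b'{"name": "a"}'))                  # 200
    print(handle_request_hardened("text/plain", evil))                # 415
```

The second property matters as much as the first: a validator table that answers "no entry" with "accept" will be bypassed by the next header variant nobody thought of, whereas a 415 default turns every such variant into a visible rejection.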

Neutrinolabs · 8 CVEs

| CVE | Severity | CVSS | KEV | Published | Summary |
| --- | --- | --- | --- | --- | --- |
| CVE-2026-33689 | Critical | 9.1 | | 2026-04-17 | xrdp is an open source RDP server. |
| CVE-2026-33516 | Critical | 9.1 | | 2026-04-17 | xrdp is an open source RDP server. |
| CVE-2026-35512 | High | 8.8 | | 2026-04-17 | xrdp is an open source RDP server. |
| CVE-2026-32107 | High | 8.8 | | 2026-04-17 | xrdp is an open source RDP server. |
| CVE-2026-32623 | High | 8.1 | | 2026-04-17 | xrdp is an open source RDP server. |
| CVE-2026-32105 | High | 7.7 | | 2026-04-17 | xrdp is an open source RDP server. |
| CVE-2026-32624 | Medium | 6.5 | | 2026-04-17 | xrdp is an open source RDP server. |
| CVE-2026-33145 | Medium | 6.3 | | 2026-04-17 | xrdp is an open source RDP server. |

Schneider Electric · 8 CVEs

| CVE | Severity | CVSS | KEV | Published | Summary |
| --- | --- | --- | --- | --- | --- |
| CVE-2026-2405 | Medium | 6.5 | | 2026-04-14 | CWE-400 Uncontrolled Resource Consumption vulnerability exists that could cause excessive troubleshooting zip file creation and denial of service when a Web Admin user floods the system with POST /helpabout requests. |
| CVE-2026-2399 | Medium | 6.1 | | 2026-04-14 | CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability exists that could cause critical files overwritten with text data when a Web Admin user alters the POST /REST/upssleep request payload. |
| CVE-2026-2404 | Medium | 5.3 | | 2026-04-14 | CWE-116 Improper Encoding or Escaping of Output vulnerability exists that could cause log injection and forged log when an attacker alters the POST /j_security_check request payload. |
| CVE-2026-2402 | Medium | 5.3 | | 2026-04-14 | CWE-307 Improper Restriction of Excessive Authentication Attempts vulnerability exists that would allow an attacker to gain access to the user account by performing an arbitrary number of authentication attempts with different credentials… |
| CVE-2026-2401 | Medium | 5.0 | | 2026-04-14 | CWE-532 Insertion of Sensitive Information into Log File vulnerability exists that could cause confidential information to be exposed when a Web Admin user executes a malicious file provided by an attacker. |
| CVE-2026-2403 | Medium | 4.3 | | 2026-04-14 | CWE-1284 Improper Validation of Specified Quantity in Input vulnerability exists that could cause Event and Data Log truncation impacting log integrity when a Web Admin user alters the POST /logsettings request payload. |
| CVE-2026-2400 | Medium | 4.3 | | 2026-04-14 | CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection') vulnerability exists that could cause application user credentials to reset when a Web Admin user alters the POST /setPCBEDesc request payload. |
| CVE-2026-4832 | | | | 2026-04-14 | CWE-798 Use of Hard-coded Credentials vulnerability exists that could cause unauthorized access to sensitive device information when an unauthenticated attacker is able to interrogate the SNMP port. |
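
The CVE-2026-2404 entry above (CWE-116, log injection via the login request payload) is the classic log-forging case: a request field is written into a log line unescaped, so a CR/LF inside it ends the record and whatever follows becomes a fabricated entry. The example below is added here and is not Schneider Electric's code; the log format, the field names and the forged username are all constructed for the illustration. It shows the naive writer producing two records from one login attempt, the hardened writer escaping every control character so the value stays inside a single record, and a small reader that counts records so the difference can be checked rather than eyeballed.

```python
"""Added example (not Schneider Electric's code): neutralising CR/LF and
other control characters in values written to a log (CWE-116 / CWE-93)."""
from __future__ import annotations
import re

# C0 control characters and DEL; these are the bytes that can terminate a
# record or corrupt a terminal-rendered log.
CONTROL = re.compile(r"[\x00-\x1f\x7f]")


def log_line_naive(user: str, outcome: str) -> str:
    """Vulnerable pattern: the user-controlled field is interpolated as-is."""
    return f"2026-04-14T10:00:00Z login user={user} outcome={outcome}\n"


def escape_field(value: str) -> str:
    """Replace each control character with a visible \\xNN escape so the
    value cannot end the record or embed a second one."""
    return CONTROL.sub(lambda m: "\\x%02x" % ord(m.group()), value)


def log_line_hardened(user: str, outcome: str) -> str:
    return (f"2026-04-14T10:00:00Z login user={escape_field(user)} "
            f"outcome={outcome}\n")


def count_records(log_text: str) -> int:
    """Records are newline-terminated; count the non-empty ones."""
    return len([ln for ln in log_text.split("\n") if ln])


# Constructed attacker-controlled username submitted to the login form: it
# carries CRLF followed by a fake 'admin logged in successfully' record.
FORGED = "mallory\r\n2026-04-14T10:00:01Z login user=admin outcome=success"


if __name__ == "__main__":
    print(repr(log_line_naive(FORGED, "failure")))      # two records
    print(repr(log_line_hardened(FORGED, "failure")))   # one record
```

Escaping at the writer is the robust fix because it does not depend on every caller remembering to validate; the same function should be applied to any field that originates from a request, not only the username.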

Tenda · 8 CVEs

| CVE | Severity | CVSS | KEV | Published | Summary |
| --- | --- | --- | --- | --- | --- |
| CVE-2026-6200 | High | 8.8 | | 2026-04-13 | A vulnerability was determined in Tenda F456 1.0.0.5. |
| CVE-2026-6199 | High | 8.8 | | 2026-04-13 | A vulnerability was found in Tenda F456 1.0.0.5. |
| CVE-2026-6198 | High | 8.8 | | 2026-04-13 | A vulnerability has been found in Tenda F456 1.0.0.5. |
| CVE-2026-6197 | High | 8.8 | | 2026-04-13 | A flaw has been found in Tenda F456 1.0.0.5. |
| CVE-2026-6196 | High | 8.8 | | 2026-04-13 | A vulnerability was detected in Tenda F456 1.0.0.5. |
| CVE-2026-6137 | High | 8.8 | | 2026-04-13 | A vulnerability was detected in Tenda F451 1.0.0.7_cn_svn7958. |
| CVE-2026-6136 | High | 8.8 | | 2026-04-13 | A security vulnerability has been detected in Tenda F451 1.0.0.7_cn_svn7958. |
| CVE-2026-6135 | High | 8.8 | | 2026-04-13 | A weakness has been identified in Tenda F451 1.0.0.7_cn_svn7958. |

Red Hat · 7 CVEs

| CVE | Severity | CVSS | KEV | Published | Summary |
| --- | --- | --- | --- | --- | --- |
| CVE-2026-6388 | Critical | 9.1 | | 2026-04-15 | A flaw was found in ArgoCD Image Updater. |
| CVE-2026-6507 | High | 7.5 | | 2026-04-17 | A flaw was found in dnsmasq. |
| CVE-2026-37980 | Medium | 6.9 | | 2026-04-14 | A flaw was found in Keycloak, specifically in the organization selection login page. |
| CVE-2026-6385 | Medium | 6.5 | | 2026-04-15 | A flaw was found in FFmpeg. |
| CVE-2026-6245 | Medium | 5.5 | | 2026-04-15 | A flaw was found in the System Security Services Daemon (SSSD). |
| CVE-2026-6383 | Medium | 5.4 | | 2026-04-15 | A flaw was found in KubeVirt's Role-Based Access Control (RBAC) evaluation logic. |
| CVE-2026-6494 | Medium | 5.3 | | 2026-04-17 | A flaw was found in the AAP MCP server. |

Apostrophecms · 6 CVEs

| CVE | Severity | CVSS | KEV | Published | Summary |
| --- | --- | --- | --- | --- | --- |
| CVE-2026-35569 | High | 8.7 | | 2026-04-15 | ApostropheCMS is an open-source Node.js content management system. |
| CVE-2026-40186 | Medium | 6.1 | | 2026-04-15 | ApostropheCMS is an open-source Node.js content management system. |
| CVE-2026-33889 | Medium | 5.4 | | 2026-04-15 | ApostropheCMS is an open-source Node.js content management system. |
| CVE-2026-39857 | Medium | 5.3 | | 2026-04-15 | ApostropheCMS is an open-source Node.js content management system. |
| CVE-2026-33888 | Medium | 5.3 | | 2026-04-15 | ApostropheCMS is an open-source Node.js content management system. |
| CVE-2026-33877 | Low | 3.7 | | 2026-04-15 | ApostropheCMS is an open-source Node.js content management system. |

Gimp · 6 CVEs

| CVE | Severity | CVSS | KEV | Published | Summary |
| --- | --- | --- | --- | --- | --- |
| CVE-2026-6384 | High | 7.3 | | 2026-04-15 | A flaw was found in gimp. |
| CVE-2026-40919 | Medium | 6.1 | | 2026-04-15 | A flaw was found in GIMP. |
| CVE-2026-40918 | Medium | 5.5 | | 2026-04-15 | A flaw was found in GIMP. |
| CVE-2026-40915 | Medium | 5.5 | | 2026-04-15 | A flaw was found in GIMP. |
| CVE-2026-40917 | Medium | 5.0 | | 2026-04-15 | A flaw was found in GIMP. |
| CVE-2026-40916 | Medium | 5.0 | | 2026-04-15 | A flaw was found in GIMP. |

Jqlang · 6 CVEs

| CVE | Severity | CVSS | KEV | Published | Summary |
| --- | --- | --- | --- | --- | --- |
| CVE-2026-32316 | High | 8.2 | | 2026-04-13 | jq is a command-line JSON processor. |
| CVE-2026-40164 | High | 7.5 | | 2026-04-14 | jq is a command-line JSON processor. |
| CVE-2026-39979 | Medium | 6.5 | | 2026-04-13 | jq is a command-line JSON processor. |
| CVE-2026-33947 | Medium | 6.2 | | 2026-04-13 | jq is a command-line JSON processor. |
| CVE-2026-39956 | Medium | 6.1 | | 2026-04-13 | jq is a command-line JSON processor. |
| CVE-2026-33948 | Medium | 5.3 | | 2026-04-14 | jq is a command-line JSON processor. |

Pachno · 6 CVEs

| CVE | Severity | CVSS | KEV | Published | Summary |
| --- | --- | --- | --- | --- | --- |
| CVE-2026-40044 | Critical | 9.8 | | 2026-04-13 | Pachno 1.0.6 contains a deserialization vulnerability that allows unauthenticated attackers to execute arbitrary code by injecting malicious serialized objects into cache files. |
| CVE-2026-40042 | Critical | 9.8 | | 2026-04-13 | Pachno 1.0.6 contains an XML external entity injection vulnerability that allows unauthenticated attackers to read arbitrary files by exploiting unsafe XML parsing in the TextParser helper. |
| CVE-2026-40040 | High | 8.8 | | 2026-04-13 | Pachno 1.0.6 contains an unrestricted file upload vulnerability that allows authenticated users to upload arbitrary file types by bypassing ineffective extension filtering to the /uploadfile endpoint. |
| CVE-2026-40038 | High | 7.2 | | 2026-04-13 | Pachno 1.0.6 contains a stored cross-site scripting vulnerability that allows attackers to execute arbitrary HTML and script code by injecting malicious payloads into POST parameters. |
| CVE-2026-40039 | Medium | 6.5 | | 2026-04-13 | Pachno 1.0.6 contains an open redirection vulnerability that allows attackers to redirect users to arbitrary external websites by manipulating the return_to parameter. |
| CVE-2026-40041 | Medium | 4.3 | | 2026-04-13 | Pachno 1.0.6 contains a cross-site request forgery vulnerability that allows attackers to perform arbitrary actions in authenticated user context by exploiting missing CSRF protections on state-changing endpoints. |

Wso2 · 6 CVEs

| CVE | Severity | CVSS | KEV | Published | Summary |
| --- | --- | --- | --- | --- | --- |
| CVE-2024-2374 | High | 7.5 | | 2026-04-16 | The XML parsers within multiple WSO2 products accept user-supplied XML data without properly configuring to prevent the resolution of external entities. |
| CVE-2025-6024 | Medium | 6.1 | | 2026-04-16 | The authentication endpoint fails to encode user-supplied input before rendering it in the web page, allowing for script injection. |
| CVE-2024-10242 | Medium | 6.1 | | 2026-04-16 | The authentication endpoint fails to adequately validate user-supplied input before reflecting it back in the response. |
| CVE-2025-12624 | Medium | 6.0 | | 2026-04-16 | Active access tokens are not revoked or invalidated when a user account is locked within WSO2 Identity Server. |
| CVE-2024-4867 | Medium | 5.4 | | 2026-04-16 | The WSO2 API Manager developer portal accepts user-supplied input without enforcing expected validation constraints or proper output encoding. |
| CVE-2024-8010 | Low | 3.5 | | 2026-04-16 | The component accepts XML input through the publisher without disabling external entity resolution. |

Eaton · 5 CVEs

| CVE | Severity | CVSS | KEV | Published | Summary |
| --- | --- | --- | --- | --- | --- |
| CVE-2026-22619 | High | 7.8 | | 2026-04-16 | Eaton Intelligent Power Protector (IPP) is affected by insecure library loading in its executable, which could lead to arbitrary code execution by an attacker with access to the software package. This security issue has been fixed in the l… |
| CVE-2026-22616 | Medium | 6.5 | | 2026-04-16 | Eaton Intelligent Power Protector (IPP) software allows repeated authentication attempts against the web interface login page due to insufficient rate-limiting controls. This security issue has been fixed in the latest version of Eaton IPP… |
| CVE-2026-22615 | Medium | 6.0 | | 2026-04-16 | Due to improper input validation in one of the Eaton Intelligent Power Protector (IPP) XML, it is possible for an attacker with admin privileges and access to the local system to inject malicious code resulting in arbitrary command executi… |
| CVE-2026-22618 | Medium | 5.9 | | 2026-04-16 | A security misconfiguration was identified in Eaton Intelligent Power Protector (IPP), where an HTTP response header was set with an insecure attribute, potentially exposing users to web-based attacks. This security issue has been fixed in… |
| CVE-2026-22617 | Medium | 5.7 | | 2026-04-16 | Eaton Intelligent Power Protector (IPP) uses an insecure cookie configuration, which could allow a network-based attacker to intercept the cookie and exploit it through a man-in-the-middle attack. This security issue has been fixed in the… |

Free5gc · 5 CVEs

| CVE | Severity | CVSS | KEV | Published | Summary |
| --- | --- | --- | --- | --- | --- |
| CVE-2026-40248 | High | 7.5 | | 2026-04-16 | free5GC is an open-source implementation of the 5G core network. |
| CVE-2026-40247 | High | 7.5 | | 2026-04-16 | free5GC is an open-source implementation of the 5G core network. |
| CVE-2026-40246 | High | 7.5 | | 2026-04-16 | free5GC is an open-source implementation of the 5G core network. |
| CVE-2026-40245 | High | 7.5 | | 2026-04-16 | Free5GC is an open-source Linux Foundation project for 5th generation (5G) mobile core networks. |
| CVE-2026-40249 | Medium | 5.3 | | 2026-04-16 | free5GC is an open-source implementation of the 5G core network. |

Hkuds · 5 CVEs

| CVE | Severity | CVSS | KEV | Published | Summary |
| --- | --- | --- | --- | --- | --- |
| CVE-2026-40502 | High | 8.8 | | 2026-04-16 | OpenHarness prior to commit dd1d235 contains a command injection vulnerability that allows remote gateway users with chat access to invoke sensitive administrative commands by exploiting insufficient distinction between local-only and remo… |
| CVE-2026-40516 | High | 8.3 | | 2026-04-17 | OpenHarness before commit bd4df81 contains a server-side request forgery vulnerability in the web_fetch and web_search tools that allows attackers to access private and localhost HTTP services by manipulating tool parameters without proper… |
| CVE-2026-35589 | High | 8.0 | | 2026-04-14 | nanobot is a personal AI assistant. |
| CVE-2026-40515 | High | 7.5 | | 2026-04-17 | OpenHarness before commit bd4df81 contains a permission bypass vulnerability that allows attackers to read sensitive files by exploiting incomplete path normalization in the permission checker. |
| CVE-2026-40503 | Medium | 6.5 | | 2026-04-16 | OpenHarness prior to commit dd1d235 contains a path traversal vulnerability that allows remote gateway users with chat access to read arbitrary files by supplying path traversal sequences to the /memory show slash command. |

Labredescefetrj · 5 CVEs

| CVE | Severity | CVSS | KEV | Published | Summary |
| --- | --- | --- | --- | --- | --- |
| CVE-2026-40285 | High | 8.8 | | 2026-04-17 | WeGIA is a web manager for charitable institutions. |
| CVE-2026-40286 | High | 7.5 | | 2026-04-17 | WeGIA is a web manager for charitable institutions. |
| CVE-2026-40284 | Medium | 6.8 | | 2026-04-17 | WeGIA is a web manager for charitable institutions. |
| CVE-2026-40283 | Medium | 6.8 | | 2026-04-17 | WeGIA is a web manager for charitable institutions. |
| CVE-2026-40282 | | | | 2026-04-17 | WeGIA is a web manager for charitable institutions. |

Legion Of The Bouncy Castle Inc. · 5 CVEs

| CVE | Severity | CVSS | KEV | Published | Summary |
| --- | --- | --- | --- | --- | --- |
| CVE-2026-5598 | High | 7.5 | | 2026-04-15 | Covert timing channel vulnerability in Legion of the Bouncy Castle Inc. |
| CVE-2026-5588 | High | 7.5 | | 2026-04-15 | Use of a Broken or Risky Cryptographic Algorithm vulnerability in Legion of the Bouncy Castle Inc. |
| CVE-2026-3505 | High | 7.5 | | 2026-04-15 | Allocation of resources without limits or throttling, Uncontrolled Resource Consumption vulnerability in Legion of the Bouncy Castle Inc. |
| CVE-2025-14813 | High | 7.5 | | 2026-04-15 | Use of a Broken or Risky Cryptographic Algorithm vulnerability in Legion of the Bouncy Castle Inc. |
| CVE-2026-0636 | Medium | 6.5 | | 2026-04-15 | Improper neutralization of special elements used in an LDAP query ('LDAP injection') vulnerability in Legion of the Bouncy Castle Inc. |

Lenovo · 5 CVEs

| CVE | Severity | CVSS | KEV | Published | Summary |
| --- | --- | --- | --- | --- | --- |
| CVE-2026-4145 | High | 7.8 | | 2026-04-15 | During an internal security assessment, a potential vulnerability was discovered in Lenovo Software Fix that could allow a local authenticated user to perform arbitrary code execution with elevated privileges. |
| CVE-2026-4134 | High | 7.3 | | 2026-04-15 | During an internal security assessment, a potential vulnerability was discovered in Lenovo Software Fix, that during installation could allow a local authenticated user to execute code with elevated privileges. |
| CVE-2026-0827 | High | 7.1 | | 2026-04-15 | During an internal security assessment, a potential vulnerability was discovered in Lenovo Diagnostics and the HardwareScanAddin used in Lenovo Vantage that, during installation or when using hardware scan, could allow a local authenticate… |
| CVE-2026-1636 | Medium | 6.7 | | 2026-04-15 | A potential DLL hijacking vulnerability was reported in Lenovo Service Bridge that, under certain conditions, could allow a local authenticated user to execute code with elevated privileges. |
| CVE-2026-4135 | Medium | 6.6 | | 2026-04-15 | During an internal security assessment, a potential vulnerability was discovered in Lenovo Software Fix, that during installation could allow a local authenticated user to perform an arbitrary file write with elevated privileges. |

Mervinpraison · 5 CVEs

| CVE | Severity | CVSS | KEV | Published | Summary |
| --- | --- | --- | --- | --- | --- |
| CVE-2026-40315 | Critical | 9.8 | | 2026-04-14 | PraisonAI is a multi-agent teams system. |
| CVE-2026-40288 | Critical | 9.8 | | 2026-04-14 | PraisonAI is a multi-agent teams system. |
| CVE-2026-40313 | Critical | 9.1 | | 2026-04-14 | PraisonAI is a multi-agent teams system. |
| CVE-2026-40289 | Critical | 9.1 | | 2026-04-14 | PraisonAI is a multi-agent teams system. |
| CVE-2026-40287 | High | 8.4 | | 2026-04-14 | PraisonAI is a multi-agent teams system. |

Octobercms · 5 CVEs

| CVE | Severity | CVSS | KEV | Published | Summary |
| --- | --- | --- | --- | --- | --- |
| CVE-2026-24907 | Medium | 5.4 | | 2026-04-14 | October is a Content Management System (CMS) and web platform. |
| CVE-2026-24906 | Medium | 5.4 | | 2026-04-14 | October is a Content Management System (CMS) and web platform. |
| CVE-2026-25125 | Medium | 4.9 | | 2026-04-14 | October is a Content Management System (CMS) and web platform. |
| CVE-2026-22692 | Medium | 4.9 | | 2026-04-14 | October is a Content Management System (CMS) and web platform. |
| CVE-2026-25133 | Medium | 4.8 | | 2026-04-14 | October is a Content Management System (CMS) and web platform. |

Saitoha · 5 CVEs

| CVE | Severity | CVSS | KEV | Published | Summary |
| --- | --- | --- | --- | --- | --- |
| CVE-2026-33023 | High | 7.8 | | 2026-04-14 | libsixel is a SIXEL encoder/decoder implementation derived from kmiya's sixel. |
| CVE-2026-33021 | High | 7.3 | | 2026-04-14 | libsixel is a SIXEL encoder/decoder implementation derived from kmiya's sixel. |
| CVE-2026-33020 | High | 7.1 | | 2026-04-14 | libsixel is a SIXEL encoder/decoder implementation derived from kmiya's sixel. |
| CVE-2026-33019 | High | 7.1 | | 2026-04-14 | libsixel is a SIXEL encoder/decoder implementation derived from kmiya's sixel. |
| CVE-2026-33018 | High | 7.0 | | 2026-04-14 | libsixel is a SIXEL encoder/decoder implementation derived from kmiya's sixel. |

Sap · 5 CVEs

| CVE | Severity | CVSS | KEV | Published | Summary |
| --- | --- | --- | --- | --- | --- |
| CVE-2026-34264 | Medium | 6.5 | | 2026-04-14 | During authorization checks in SAP Human Capital Management for SAP S/4HANA, the system returns specific messages. |
| CVE-2026-27679 | Medium | 6.5 | | 2026-04-14 | Due to missing authorization checks in the SAP S/4HANA frontend OData Service (Manage Reference Structures), an attacker could update and delete child entities via exposed OData services without proper authorization. |
| CVE-2026-34257 | Medium | 6.1 | | 2026-04-14 | Due to an Open Redirect vulnerability in SAP NetWeaver Application Server ABAP, an unauthenticated attacker could craft a malicious URL that, if accessed by a victim, redirects them to a page controlled by the attacker. |
| CVE-2026-27674 | Medium | 6.1 | | 2026-04-14 | Due to a Code Injection vulnerability in SAP NetWeaver Application Server Java (Web Dynpro Java), an unauthenticated attacker could supply crafted input that is interpreted by the application and causes it to reference attacker-controlled… |
| CVE-2026-34262 | Medium | 5.0 | | 2026-04-14 | Information Disclosure Vulnerability in SAP HANA Cockpit and HANA Database Explorer |

Siemens · 5 CVEs

| CVE | Severity | CVSS | KEV | Published | Summary |
| --- | --- | --- | --- | --- | --- |
| CVE-2026-27668 | High | 8.8 | | 2026-04-14 | A vulnerability has been identified in RUGGEDCOM CROSSBOW Secure Access Manager Primary (SAM-P) (All versions < V5.8). |
| CVE-2026-25654 | High | 8.8 | | 2026-04-14 | A vulnerability has been identified in SINEC NMS (All versions < V4.0 SP3). |
| CVE-2026-24032 | High | 7.3 | | 2026-04-14 | A vulnerability has been identified in SINEC NMS (All versions < V4.0 SP3 with UMC). |
| CVE-2026-33892 | High | 7.1 | | 2026-04-14 | A vulnerability has been identified in Industrial Edge Management Pro V1 (All versions >= V1.7.6 < V1.15.17), Industrial Edge Management Pro V2 (All versions >= V2.0.0 < V2.1.1), Industrial Edge Management Virtual (All versions >= V2.2.0 <… |
| CVE-2025-40745 | Low | 3.7 | | 2026-04-14 | A vulnerability has been identified in Siemens Software Center (All versions < V3.5.8.2), Simcenter 3D (All versions < V2506.6000), Simcenter Femap (All versions < V2506.0002), Simcenter STAR-CCM+ (All versions < V2602), Solid Edge SE2025… |

Ubiquiti Inc · 5 CVEs

| CVE | Severity | CVSS | KEV | Published | Summary |
| --- | --- | --- | --- | --- | --- |
| CVE-2026-22564 | Critical | 9.8 | | 2026-04-13 | An Improper Access Control vulnerability could allow a malicious actor with access to the UniFi Play network to enable SSH to make unauthorized changes to the system. Affected Products: UniFi Play PowerAmp (Version 1.0.35 and earlier) … |
| CVE-2026-22563 | Critical | 9.8 | | 2026-04-13 | A series of Improper Input Validation vulnerabilities could allow a Command Injection by a malicious actor with access to the UniFi Play network. |
| CVE-2026-22562 | Critical | 9.8 | | 2026-04-13 | A malicious actor with access to the UniFi Play network could exploit a Path Traversal vulnerability found in the device firmware to write files on the system that could be used for a remote code execution (RCE). |
| CVE-2026-22566 | High | 7.5 | | 2026-04-13 | An Improper Access Control vulnerability could allow a malicious actor with access to the UniFi Play network to obtain UniFi Play WiFi credentials. Affected Products: UniFi Play PowerAmp (Version 1.0.35 and earlier); UniFi Play Audio Po… |
| CVE-2026-22565 | High | 7.5 | | 2026-04-13 | An Improper Input Validation vulnerability could allow a malicious actor with access to the UniFi Play network to cause the device to stop responding. Affected Products: UniFi Play PowerAmp (Version 1.0.35 and earlier); UniFi Play Audio… |

B3log · 4 CVEs

| CVE | Severity | CVSS | KEV | Published | Summary |
| --- | --- | --- | --- | --- | --- |
| CVE-2026-40322 | Critical | 9.0 | | 2026-04-16 | SiYuan is an open-source personal knowledge management system. |
| CVE-2026-40318 | High | 8.5 | | 2026-04-16 | SiYuan is an open-source personal knowledge management system. |
| CVE-2026-40259 | High | 8.1 | | 2026-04-16 | SiYuan is an open-source personal knowledge management system. |
| CVE-2026-40922 | Medium | 5.4 | | 2026-04-17 | SiYuan is an open-source personal knowledge management system. |

Docmost · 4 CVEs

| CVE | Severity | CVSS | KEV | Published | Summary |
| --- | --- | --- | --- | --- | --- |
| CVE-2026-34213 | Medium | 5.4 | | 2026-04-14 | Docmost is open-source collaborative wiki and documentation software. |
| CVE-2026-34212 | Medium | 5.4 | | 2026-04-14 | Docmost is open-source collaborative wiki and documentation software. |
| CVE-2026-33193 | Medium | 4.6 | | 2026-04-14 | Docmost is open-source collaborative wiki and documentation software. |
| CVE-2026-33146 | Medium | 4.3 | | 2026-04-14 | Docmost is open-source collaborative wiki and documentation software. |

Espocrm · 4 CVEs

| CVE | Severity | CVSS | KEV | Published | Summary |
| --- | --- | --- | --- | --- | --- |
| CVE-2026-33740 | Medium | 5.4 | | 2026-04-13 | EspoCRM is an open source customer relationship management application. |
| CVE-2026-33657 | Medium | 4.6 | | 2026-04-13 | EspoCRM is an open source customer relationship management application. |
| CVE-2026-33534 | Medium | 4.3 | | 2026-04-13 | EspoCRM is an open source customer relationship management application. |
| CVE-2026-33659 | Low | 3.5 | | 2026-04-13 | EspoCRM is an open source customer relationship management application. |

Ffmpeg · 4 CVEs

| CVE | Severity | CVSS | KEV | Published | Summary |
| --- | --- | --- | --- | --- | --- |
| CVE-2026-30999 | High | 7.5 | | 2026-04-13 | A heap buffer overflow in the av_bprint_finalize() function of FFmpeg v8.0.1 allows attackers to cause a Denial of Service (DoS) via a crafted input. |
| CVE-2026-30998 | High | 7.5 | | 2026-04-13 | An improper resource deallocation and closure vulnerability in the tools/zmqsend.c component of FFmpeg v8.0.1 allows attackers to cause a Denial of Service (DoS) via supplying a crafted input file. |
| CVE-2026-30997 | High | 7.5 | | 2026-04-13 | An out-of-bounds read in the read_global_param() function (libavcodec/av1dec.c) of FFmpeg v8.0.1 allows attackers to cause a Denial of Service (DoS) via a crafted input. |
| CVE-2026-40962 | Medium | 4.9 | | 2026-04-16 | FFmpeg before 8.1 has an integer overflow and resultant out-of-bounds write via CENC (Common Encryption) subsample data to libavformat/mov.c. |

Grafana · 4 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2025-41118Critical9.12026-04-15Pyroscope is an open-source continuous profiling database.
CVE-2025-12141Medium6.52026-04-15In Grafana's alerting system, users with edit permissions for a contact point, specifically the permissions “alert.notifications:write” or “alert.notifications.receivers:test” that are granted as part of the fixed role "Contact Point Write…
CVE-2026-21726Medium5.32026-04-15The CVE-2021-36156 fix validates the namespace parameter for path traversal sequences after a single URL decode; by double encoding, an attacker can read files at the Ruler API endpoint /loki/api/v1/rules/{namespace}. Thanks to Prasanth Su…
CVE-2026-21727Low3.32026-04-15Cross-Tenant Legacy Correlation Disclosure and Deletion (Grafana security advisory dated 2026-01-29).
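
The Loki entry above describes a classic ordering bug: the traversal check runs on a once-decoded value, but a later layer decodes again, so `%252e%252e%252f` passes the check and becomes `../`. The following is an added illustration of that failure mode and of a check that validates the value in the form every later layer will see; it is not Loki's code, and `RULES_DIR`, the function names and the sample namespaces are constructed for the demo.

```python
"""Decode-once-then-validate versus a canonical check for a path-like
URL parameter. Added illustration of the failure mode described for
CVE-2026-21726; this is not Loki's code. RULES_DIR, the function names
and the sample namespaces are constructed for the demo."""
import posixpath
from urllib.parse import unquote

RULES_DIR = "/data/loki/rules"  # constructed base directory


def _has_traversal(segment: str) -> bool:
    return any(bad in segment for bad in ("..", "/", "\\", "\x00"))


def resolve_weak(namespace_raw: str) -> str:
    """The router decodes the path parameter once, the traversal check runs
    on that value, and a later layer decodes it again when building the
    path. A %25-encoded '%' survives the first decode, so %252e%252e%252f
    passes the check and becomes ../ on the second decode."""
    once = unquote(namespace_raw)             # router's single decode
    if _has_traversal(once):
        raise ValueError("traversal rejected")
    twice = unquote(once)                     # second decode further down the stack
    return posixpath.normpath(posixpath.join(RULES_DIR, twice))


def resolve_hardened(namespace_raw: str) -> str:
    """Validate the value in the form every later layer will see: refuse
    anything a further decode would still change, reject traversal
    characters, and confine the resolved path to RULES_DIR as a backstop."""
    once = unquote(namespace_raw)
    if not once or unquote(once) != once:     # residual %-encoding: refuse
        raise ValueError("namespace must be fully decoded")
    if _has_traversal(once):
        raise ValueError("traversal rejected")
    path = posixpath.normpath(posixpath.join(RULES_DIR, once))
    if posixpath.dirname(path) != RULES_DIR:  # must be exactly one level below
        raise ValueError("escapes rules directory")
    return path


def try_resolve(resolver, namespace_raw: str):
    """Return the resolved path, or None when the resolver rejects the input."""
    try:
        return resolver(namespace_raw)
    except ValueError:
        return None


if __name__ == "__main__":
    for raw in ("tenant-a", "%2e%2e%2fetc%2fpasswd",
                "%252e%252e%252f%252e%252e%252fetc%252fpasswd"):
        print(f"{raw!r:50} weak={try_resolve(resolve_weak, raw)!r:28} "
              f"hardened={try_resolve(resolve_hardened, raw)!r}")
```

The fixed-point test (`unquote(once) != once`) is what closes the gap: a value that another decode would change is rejected outright, so no downstream decoder can turn it into something the check never saw, while a legitimate literal `%` (sent as `%25`) still passes. The `dirname` comparison is a second, independent guard in case the character blacklist misses a platform-specific separator.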

Hashicorp · 4 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2026-3605High8.12026-04-17An authenticated user with access to a kvv2 path through a policy containing a glob may be able to delete secrets they were not authorized to read or write, resulting in denial-of-service.
CVE-2026-5807High7.52026-04-17Vault is vulnerable to a denial-of-service condition where an unauthenticated attacker can repeatedly initiate or cancel root token generation or rekey operations, occupying the single in-progress operation slot.
CVE-2026-4525High7.52026-04-17If a Vault auth mount is configured to pass through the "Authorization" header, and the "Authorization" header is used to authenticate to Vault, Vault forwarded the Vault token to the auth plugin backend.
CVE-2026-5052Medium5.32026-04-17Vault’s PKI engine’s ACME validation did not reject local targets when issuing http-01 and tls-alpn-01 challenges.
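
The last Vault entry is an SSRF-shaped problem: an ACME server that will happily run an http-01 or tls-alpn-01 validation against a loopback or internal address can be pointed at itself or at neighbouring services. The check below is an added, generic illustration of the target filter such a validator needs; it is not Vault's code, and the resolver hook, the `FAKE_DNS` table and the host names are constructed so the demo runs offline.

```python
"""Reject ACME challenge targets that point at loopback, private or other
non-routable address space. Added illustration of the check the Vault
advisory (CVE-2026-5052) describes as missing; it is not Vault's code.
The resolver hook, FAKE_DNS table and host names are constructed for the
demo so it runs offline."""
import ipaddress
import socket
from typing import Callable, Iterable, Tuple

Resolver = Callable[[str], Iterable[str]]


def system_resolve(host: str) -> list:
    """Every A/AAAA record, not just the first: a name with one public
    and one internal record must still be refused."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def _unwrap(ip):
    # ::ffff:127.0.0.1 is loopback in disguise; judge the embedded IPv4.
    mapped = getattr(ip, "ipv4_mapped", None)
    return mapped if mapped is not None else ip


def _is_routable_public(ip) -> bool:
    ip = _unwrap(ip)
    return ip.is_global and not ip.is_multicast


def challenge_target_allowed(identifier: str,
                             resolve: Resolver = system_resolve) -> Tuple[bool, str]:
    """Decide whether an http-01 / tls-alpn-01 validation request may be
    sent to `identifier` (an IP literal or a DNS name)."""
    try:
        addrs = [ipaddress.ip_address(identifier)]
    except ValueError:                        # not a literal: resolve it
        try:
            addrs = [ipaddress.ip_address(a) for a in resolve(identifier)]
        except (OSError, KeyError, ValueError):
            return False, f"{identifier}: unresolvable"
    if not addrs:
        return False, f"{identifier}: no addresses"
    for ip in addrs:
        if not _is_routable_public(ip):
            return False, f"{identifier}: {ip} is not a public address"
    return True, "ok"


# Constructed answers so the demo does not touch real DNS.
FAKE_DNS = {
    "www.example.com": ["93.184.215.14"],
    "vault.internal": ["10.20.0.7"],
    "mixed.example.net": ["93.184.215.14", "127.0.0.1"],
}


def fake_resolve(host: str) -> list:
    return FAKE_DNS[host]                     # KeyError stands in for NXDOMAIN


if __name__ == "__main__":
    for target in ("www.example.com", "vault.internal", "mixed.example.net",
                   "127.0.0.1", "169.254.169.254", "::ffff:127.0.0.1",
                   "nope.invalid"):
        print(target, challenge_target_allowed(target, fake_resolve))
```

Two caveats a practitioner would add: the validator must connect to the address it checked (pin the resolved IP rather than resolving again at connect time, or a rebinding name defeats the filter), and it must not follow redirects, since a redirect to `http://127.0.0.1/...` reopens the same hole. What Vault actually changed is in the vendor advisory; the filter here is the generic shape of that fix.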

Jellyfin · 4 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2026-35031Critical9.92026-04-14Jellyfin is an open source self hosted media server.
CVE-2026-35033Critical9.12026-04-14Jellyfin is an open source self hosted media server.
CVE-2026-35032High8.12026-04-14Jellyfin is an open source self hosted media server.
CVE-2026-35034Medium6.52026-04-14Jellyfin is an open source self hosted media server.

Splunk · 4 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2026-20205High7.22026-04-15In Splunk MCP Server app versions below 1.0.3 , a user who holds a role with access to the Splunk `_internal` index or possesses the high-privilege capability `mcp_tool_admin` could view users session and authorization tokens in clear text…
CVE-2026-20204High7.12026-04-15In Splunk Enterprise versions below 10.2.1, 10.0.5, 9.4.10, and 9.3.11, and Splunk Cloud Platform versions below 10.4.2603.0, 10.3.2512.5, 10.2.2510.9, 10.1.2507.19, 10.0.2503.13, and 9.3.2411.127, a low-privileged user that does not hold…
CVE-2026-20202Medium6.62026-04-15In Splunk Enterprise versions below 10.2.2, 10.0.5, 9.4.10, and 9.3.11, and Splunk Cloud Platform versions below 10.4.2603.0, 10.3.2512.6, 10.2.2510.10, 10.1.2507.20, 10.0.2503.13, and 9.3.2411.127, a user who holds a role that contains th…
CVE-2026-20203Medium4.32026-04-15In Splunk Enterprise versions below 10.2.2, 10.0.5, 9.4.10, and 9.3.11, and Splunk Cloud Platform versions below 10.4.2603.0, 10.3.2512.6, 10.2.2510.10, 10.1.2507.19, 10.0.2503.13, and 9.3.2411.127, a low-privileged user that does not hold…

Amd · 3 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2025-54502High7.52026-04-16Incorrect use of boot service in the AMD Platform Configuration Blob (APCB) SMM driver could allow a privileged attacker with local access (Ring 0) to achieve privilege escalation potentially resulting in arbitrary code execution.
CVE-2025-545102026-04-16A missing lock verification in AMD Secure Processor (ASP) firmware may permit a locally authenticated attacker with administrative privileges to alter MMIO routing on some Zen 5-based products, potentially compromising guest system integri…
CVE-2023-205852026-04-16Insufficient checks of the RMP on host buffer access in IOMMU may allow an attacker with privileges and a compromised hypervisor to trigger an out of bounds condition without RMP checks, resulting in a potential loss of confidential guest…

Autodesk · 3 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2026-4369High7.12026-04-14A maliciously crafted HTML payload in an assembly variant name, when displayed during the delete confirmation dialog and clicked by a user, can trigger a Stored Cross-site Scripting (XSS) vulnerability in the Autodesk Fusion desktop applic…
CVE-2026-4345High7.12026-04-14A maliciously crafted HTML payload, stored in a design name and exported to CSV, can trigger a Stored Cross-site Scripting (XSS) vulnerability in the Autodesk Fusion desktop application.
CVE-2026-4344High7.12026-04-14A maliciously crafted HTML payload in a component name, when displayed during the delete confirmation dialog and clicked by a user, can trigger a Stored Cross-site Scripting (XSS) vulnerability in the Autodesk Fusion desktop application.

Craftcms · 3 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2026-322722026-04-13Craft Commerce is an ecommerce platform for Craft CMS.
CVE-2026-322712026-04-13Craft Commerce is an ecommerce platform for Craft CMS.
CVE-2026-322702026-04-13Craft Commerce is an ecommerce platform for Craft CMS.

Cubecart · 3 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2026-34018Critical9.82026-04-17An SQL injection vulnerability exists in CubeCart prior to 6.6.0, which may allow an attacker to execute an arbitrary SQL statement on the product.
CVE-2026-21719High7.22026-04-17An OS command injection vulnerability exists in CubeCart prior to 6.6.0, which may allow a user with an administrative privilege to execute an arbitrary OS command.
CVE-2026-35496Low2.72026-04-17A path traversal vulnerability exists in CubeCart prior to 6.6.0, which may allow a user with an administrative privilege to access higher-level directories that should not be accessible.

Dnnsoftware · 3 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2026-40321High8.02026-04-17DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem.
CVE-2026-40306Medium6.52026-04-17DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem.
CVE-2026-40305Medium4.32026-04-17DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem.

Enchant97 · 3 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2026-40262High8.72026-04-17Note Mark is an open-source note-taking application.
CVE-2026-40265Medium5.92026-04-17Note Mark is an open-source note-taking application.
CVE-2026-40263Low3.72026-04-17Note Mark is an open-source note-taking application.

Imprintnext · 3 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2026-3596Critical9.82026-04-16The Riaxe Product Customizer plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 2.1.2.
CVE-2026-3599High7.52026-04-16The Riaxe Product Customizer plugin for WordPress is vulnerable to SQL Injection via the 'options' parameter keys within 'product_data' of the /wp-json/InkXEProductDesignerLite/add-item-to-cart REST API endpoint in all versions up to, and…
CVE-2026-3595Medium5.32026-04-16The Riaxe Product Customizer plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.1.2.

Mattermost · 3 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2026-28741Medium6.82026-04-15Mattermost versions 10.11.x <= 10.11.12, 11.5.x <= 11.5.0, 11.4.x <= 11.4.2, 11.3.x <= 11.3.2 fail to validate CSRF tokens on an authentication endpoint which allows an attacker to update a user's authentication method via a CSRF attack by…
CVE-2026-3590Medium6.52026-04-15Mattermost versions 10.11.x <= 10.11.12, 11.5.x <= 11.5.0, 11.4.x <= 11.4.2, 11.3.x <= 11.3.2 fail to enforce atomic single-use consumption of guest magic link tokens, which allows an attacker with access to a valid magic link to establish…
CVE-2026-27769Low2.72026-04-15Mattermost versions 10.11.x <= 10.11.12 fail to validate whether users were correctly owned by the correct Connected Workspace which allows a malicious remote server connected using the Connected Workspaces feature to change the displayed…
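
The CVE-2026-3590 entry names the bug precisely: a one-time token that is checked and then marked used in two separate steps lets two requests that race each other both succeed. The following added example, which is not Mattermost's code, shows the check-then-act shape beside the single conditional UPDATE that makes consumption atomic; the table layout, function names and the `between` hook that models a concurrent request are constructed for the demo.

```python
"""Atomic single-use consumption of a login token. Added illustration of
the failure mode the Mattermost entry describes (CVE-2026-3590); this is
not Mattermost's code. The table layout, function names and the
`between` hook that models a concurrent request are constructed."""
import secrets
import sqlite3
import time
from typing import Callable, Optional, Tuple


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE magic_links (
                        token      TEXT PRIMARY KEY,
                        email      TEXT NOT NULL,
                        expires_at INTEGER NOT NULL,
                        used_at    INTEGER)""")
    return conn


def issue(conn: sqlite3.Connection, email: str, ttl_s: int = 900) -> str:
    token = secrets.token_urlsafe(32)
    conn.execute("INSERT INTO magic_links VALUES (?, ?, ?, NULL)",
                 (token, email, int(time.time()) + ttl_s))
    conn.commit()
    return token


def consume_racy(conn, token: str,
                 between: Callable[[], None] = lambda: None) -> Optional[str]:
    """Check-then-act: read the row, decide, then mark it used. Two requests
    that both read before either writes both get a session."""
    now = int(time.time())
    row = conn.execute("SELECT email, expires_at, used_at FROM magic_links "
                       "WHERE token = ?", (token,)).fetchone()
    if row is None or row[2] is not None or row[1] < now:
        return None
    between()                                 # the rival request lands here
    conn.execute("UPDATE magic_links SET used_at = ? WHERE token = ?", (now, token))
    conn.commit()
    return row[0]


def consume_atomic(conn, token: str,
                   between: Callable[[], None] = lambda: None) -> Optional[str]:
    """One conditional UPDATE decides the winner: the row flips away from
    used_at IS NULL exactly once, and rowcount says whether it was us."""
    now = int(time.time())
    between()                                 # rival may run first; it does not matter
    cur = conn.execute(
        "UPDATE magic_links SET used_at = ? "
        "WHERE token = ? AND used_at IS NULL AND expires_at >= ?",
        (now, token, now))
    conn.commit()
    if cur.rowcount != 1:
        return None
    return conn.execute("SELECT email FROM magic_links WHERE token = ?",
                        (token,)).fetchone()[0]


def demo_double_use(consume) -> Tuple[Optional[str], Optional[str]]:
    """Issue one link, then let a rival request consume it while the first
    request is mid-flight. Returns (first request's result, rival's result)."""
    conn = make_db()
    token = issue(conn, "guest@example.test")
    rival_result = []
    rival = lambda: rival_result.append(consume(conn, token))
    first = consume(conn, token, between=rival)
    return first, rival_result[0]


if __name__ == "__main__":
    print("check-then-act:", demo_double_use(consume_racy))    # both succeed
    print("conditional UPDATE:", demo_double_use(consume_atomic))  # exactly one succeeds
```

The predicate `used_at IS NULL` in the UPDATE is the whole fix: the database serializes the write, so across real connections and processes exactly one request observes `rowcount == 1`, with no lock or retry loop in application code. Storing a hash of the token rather than the token itself, and binding the resulting session to the email on the row, are the usual companions to this pattern.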

Netfoundry · 3 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2026-40303High7.52026-04-17zrok is software for sharing web services, files, and network resources.
CVE-2026-40302Medium6.12026-04-17zrok is software for sharing web services, files, and network resources.
CVE-2026-40304Medium5.32026-04-17zrok is software for sharing web services, files, and network resources.

Palo Alto Networks · 3 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2026-02342026-04-13An improper verification of cryptographic signature vulnerability exists in Cortex XSOAR and Cortex XSIAM platforms during integration of Microsoft Teams that enables an unauthenticated user to access and modify protected resources.
CVE-2026-02332026-04-13A certificate validation vulnerability in Palo Alto Networks Autonomous Digital Experience Manager on Windows allows an unauthenticated attacker with adjacent network access to execute arbitrary code with NT AUTHORITY\SYSTEM privileges.
CVE-2026-02322026-04-13A problem with a protection mechanism in the Palo Alto Networks Cortex XDR agent on Windows allows a local Windows administrator to disable the agent. This issue may be leveraged by malware to perform malicious activity without detection.

Python Software Foundation · 3 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2026-6100High8.12026-04-13Use-after-free (UAF) was possible in the `lzma.LZMADecompressor`, `bz2.BZ2Decompressor`, and `gzip.GzipFile` when a memory allocation fails with a `MemoryError` and the decompression instance is re-used.
CVE-2026-4786High7.12026-04-13Mitigation of CVE-2026-4519 was incomplete.
CVE-2026-57132026-04-14The "profiling.sampling" module (Python 3.15+) and "asyncio introspection capabilities" (3.14+, "python -m asyncio ps" and "python -m asyncio pstree") features could be used to read and write addresses in a privileged process if that proce…

Querymine · 3 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2026-6490High7.32026-04-17A weakness has been identified in QueryMine sms up to 7ab5a9ea196209611134525ffc18de25c57d9593.
CVE-2026-6489Medium6.32026-04-17A security flaw has been discovered in QueryMine sms up to 7ab5a9ea196209611134525ffc18de25c57d9593.
CVE-2026-6488Medium6.32026-04-17A vulnerability was identified in QueryMine sms up to 7ab5a9ea196209611134525ffc18de25c57d9593.

Radare · 3 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2026-40527High7.82026-04-17radare2 prior to commit bc5a890 contains a command injection vulnerability in the afsv/afsvj command path where crafted ELF binaries can embed malicious r2 command sequences as DWARF DW_TAG_formal_parameter names.
CVE-2026-40499High7.82026-04-15radare2 prior to version 6.1.4 contains a command injection vulnerability in the PDB parser's print_gvars() function that allows attackers to execute arbitrary commands by embedding a newline byte in the PE section header name field.
CVE-2026-41015High7.42026-04-16radare2 before 9236f44, when configured on UNIX without SSL, allows command injection via a PDB name to rabin2 -PP.

Sourcecodester · 3 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2026-6189High7.32026-04-13A vulnerability has been found in SourceCodester Pharmacy Sales and Inventory System 1.0.
CVE-2026-6188High7.32026-04-13A flaw has been found in SourceCodester Pharmacy Sales and Inventory System 1.0.
CVE-2026-6187High7.32026-04-13A vulnerability was detected in SourceCodester Pharmacy Sales and Inventory System 1.0.

Sparxsystems · 3 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2025-15625Critical9.82026-04-17Unauthenticated user is able to execute arbitrary SQL commands in Sparx Pro Cloud Server database in certain cases.
CVE-2025-15624High7.52026-04-17Plaintext Storage of a Password vulnerability in Sparx Systems Pty Ltd.
CVE-2025-15623High7.52026-04-17Exposure of Private Personal Information to an Unauthorized Actor and Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Sparx Systems Pty Ltd.

Themeum · 3 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2026-6080Medium6.52026-04-17The Tutor LMS plugin for WordPress is vulnerable to SQL Injection in versions up to and including 3.9.8.
CVE-2026-40740Medium5.42026-04-15Missing Authorization vulnerability in Themeum Tutor LMS tutor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Tutor LMS: from n/a through <= 3.9.7.
CVE-2026-5502Medium5.32026-04-17The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized course content manipulation in versions up to and including 3.9.8.

10web · 2 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2026-4388High7.22026-04-14The Form Maker by 10Web plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Matrix field (Text Box input type) in form submissions in all versions up to, and including, 1.15.40.
CVE-2026-3330Medium4.92026-04-17The Form Maker by 10Web plugin for WordPress is vulnerable to SQL Injection via the 'ip_search', 'startdate', 'enddate', 'username_search', and 'useremail_search' parameters in all versions up to, and including, 1.15.40.

Aandrew-me · 2 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2026-6219Medium5.32026-04-13A vulnerability was determined in aandrew-me ytDownloader up to 3.20.2.
CVE-2026-6218Medium4.32026-04-13A vulnerability was found in aandrew-me ytDownloader up to 3.20.2.

Ascensio · 2 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2026-41030Medium6.22026-04-16In ONLYOFFICE DesktopEditors before 9.3.0, the update service allows attackers to perform actions on files with SYSTEM privileges.
CVE-2026-41034Medium5.02026-04-16ONLYOFFICE DocumentServer before 9.3.0 has an untrusted pointer dereference in XLS processing/conversion (via pictFmla.cbBufInCtlStm and other vectors), leading to an information leak and ASLR bypass.

Asus · 2 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2026-34282026-04-16A Download of Code Without Integrity Check vulnerability in the update modules in ASUS Member Center(华硕大厅) allows a local user to achieve privilege escalation to Administrator via exploitation of a Time-of-check Time-of-use (TOC-TOU) durin…
CVE-2026-18802026-04-16An Incorrect Permission Assignment for Critical Resource vulnerability in the ASUS DriverHub update process allows privilege escalation due to improper protection of required execution resources during the validation phase, permitting a lo…

Composer · 2 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2026-40261High8.82026-04-15Composer is a dependency manager for PHP.
CVE-2026-40176High7.82026-04-15Composer is a dependency manager for PHP.

Faridsaniee · 2 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2026-4091Medium6.12026-04-15The OPEN-BRAIN plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.5.0.
CVE-2026-3995Medium4.42026-04-16The OPEN-BRAIN plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'API Key' settings field in all versions up to, and including, 0.5.0.

Fastgpt · 2 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2026-40351Critical9.82026-04-17FastGPT is an AI Agent building platform.
CVE-2026-40352High8.82026-04-17FastGPT is an AI Agent building platform.

Giskard · 2 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2026-40320High7.82026-04-17Giskard is an open-source testing framework for AI models.
CVE-2026-40319Medium5.52026-04-17Giskard is an open-source testing framework for AI models.

Glenwpcoder · 2 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2026-5718High8.12026-04-17The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file upload in versions up to, and including, 1.3.9.7.
CVE-2026-5710High7.52026-04-17The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to Path Traversal leading to Arbitrary File Read in versions up to and including 1.3.9.6.

Itsourcecode · 2 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2026-6191Medium6.32026-04-13A vulnerability was determined in itsourcecode Construction Management System 1.0.
CVE-2026-6190Medium6.32026-04-13A vulnerability was found in itsourcecode Construction Management System 1.0.

Ivanti · 2 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2026-4913Medium5.72026-04-14Improper protection of an alternate path in Ivanti N-ITSM before version 2025.4 allows a remote authenticated attacker to retain access when their account has been disabled.
CVE-2026-4914Medium5.42026-04-14Stored XSS in Ivanti N-ITSM before version 2025.4 allows a remote authenticated attacker to obtain limited information from other user sessions. User interaction is required.

Janobe · 2 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2026-36920Low2.72026-04-13Sourcecodester Online Reviewer System v1.0 is vulnerable to SQL Injection in the file /system/system/admins/assessments/examproper/questions-view.php.
CVE-2026-36919Low2.72026-04-13Sourcecodester Online Reviewer System v1.0 is vulnerable to SQL Injection in the file /system/system/admins/assessments/examproper/exam-update.php.

Jconti · 2 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2026-5050High7.52026-04-16The Payment Gateway for Redsys & WooCommerce Lite plugin for WordPress is vulnerable to Improper Verification of Cryptographic Signature in versions up to, and including, 7.0.0 due to successful_request() handlers calculating a local signa…
CVE-2026-6439Medium4.42026-04-17The VideoZen plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to and including 1.0.1.

Jetbrains · 2 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2026-33392High7.22026-04-17In JetBrains YouTrack before 2025.3.131383 a high-privileged user can achieve RCE via a sandbox bypass.
CVE-2026-41153Medium5.82026-04-17In JetBrains Junie before 252.549.29 command execution was possible via a malicious project file.

Kimai · 2 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2026-40479Medium5.42026-04-17Kimai is an open-source time tracking application.
CVE-2026-40486Medium4.32026-04-17Kimai is an open-source time tracking application.

Librenms · 2 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2026-6204High7.22026-04-13LibreNMS versions before 26.3.0 are affected by an authenticated remote code execution vulnerability by abusing the Binary Locations config and the Netcommand feature.
CVE-2026-2728Medium4.82026-04-13LibreNMS versions before 26.3.0 are affected by an authenticated Cross-site Scripting vulnerability on the showconfig page.

Livemesh · 2 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2026-1620High8.82026-04-16The Livemesh Addons for Elementor plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 9.0.
CVE-2026-1572Medium6.42026-04-16The Livemesh Addons for Elementor plugin for WordPress is vulnerable to unauthorized modification of data and Stored Cross-Site Scripting via plugin settings in all versions up to, and including, 9.0.

Luanti · 2 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2026-40959Critical9.32026-04-16Luanti 5 before 5.15.2, when LuaJIT is used, allows a Lua sandbox escape via a crafted mod.
CVE-2026-40960High8.12026-04-16Luanti 5 before 5.15.2 sometimes allows unintended access to an insecure environment.

Nimiq · 2 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2026-32605High7.52026-04-13nimiq/core-rs-albatross is a Rust implementation of the Nimiq Proof-of-Stake protocol based on the Albatross consensus algorithm.
CVE-2026-34069Medium5.32026-04-14nimiq/core-rs-albatross is a Rust implementation of the Nimiq Proof-of-Stake protocol based on the Albatross consensus algorithm.

Nozomi Networks · 2 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2025-40899High8.92026-04-15A Stored Cross-Site Scripting vulnerability was discovered in the Assets and Nodes functionality due to improper validation of an input parameter.
CVE-2025-40897High8.12026-04-15An access control vulnerability was discovered in the Threat Intelligence functionality due to a specific access restriction not being properly enforced for users with view-only privileges.

Oauth2-proxy · 2 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2026-34457Critical9.12026-04-14OAuth2 Proxy is a reverse proxy that provides authentication using OAuth2 providers.
CVE-2026-34454Low3.52026-04-14OAuth2 Proxy is a reverse proxy that provides authentication using OAuth2 providers.

Openfind · 2 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2026-6350Critical9.82026-04-16MailGates/MailAudit developed by Openfind has a Stack-based Buffer Overflow vulnerability, allowing unauthenticated remote attackers to control the program's execution flow and execute arbitrary code.
CVE-2026-6351High7.52026-04-16MailGates/MailAudit developed by Openfind has a CRLF Injection vulnerability, allowing unauthenticated remote attackers to exploit this vulnerability to read system files.

Pac4j · 2 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2026-40459High8.82026-04-17PAC4J is vulnerable to LDAP Injection in multiple methods.
CVE-2026-40458Medium6.52026-04-17PAC4J is vulnerable to Cross-Site Request Forgery (CSRF).

Pega · 2 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2026-1711Medium4.82026-04-15Pega Platform versions 8.1.0 through 25.1.1 are affected by a Stored Cross-Site Scripting vulnerability in a user interface component.
CVE-2026-1564Medium4.82026-04-15Pega Platform versions 8.1.0 through 25.1.1 are affected by an HTML Injection vulnerability in a user interface component.

Phpgurukul · 2 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2026-6193High7.32026-04-13A security flaw has been discovered in PHPGurukul Daily Expense Tracking System 1.1.
CVE-2026-6162Low3.52026-04-13A vulnerability has been found in PHPGurukul Company Visitor Management System 2.0.

Prasathmani · 2 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2026-6497Medium6.32026-04-17A vulnerability was determined in prasathmani TinyFileManager up to 2.6.
CVE-2026-6496Medium5.42026-04-17A vulnerability was found in prasathmani TinyFileManager up to 2.6.

Progress Software Corporation · 2 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2025-80952026-04-14The OECH1 prefix encoding is intended to obfuscate values across the OpenEdge platform.
CVE-2025-73892026-04-14A vulnerability in the AdminServer component of OpenEdge on all supported platforms grants its authenticated users OS-level access to the server through the adopted authority of the AdminServer process itself. The delegated authority of t…

Purestorage · 2 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2026-02092026-04-14Under certain administrative conditions, FlashArray Purity may apply snapshot retention policies earlier or later than configured.
CVE-2026-02072026-04-14A vulnerability exists in FlashBlade whereby sensitive information may be logged under specific conditions.

Rapid7 · 2 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2026-6290High8.02026-04-15Velociraptor versions prior to 0.76.3 contain a vulnerability in the query() plugin which allows access to all orgs with the user's current ACL token.
CVE-2026-6482High7.82026-04-17The Rapid7 Insight Agent (versions > 4.1.0.2) is vulnerable to a local privilege escalation attack that allows users to gain SYSTEM level control of a Windows host.

S9y · 2 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2026-39971High7.22026-04-15Serendipity is a PHP-powered weblog engine.
CVE-2026-39963Medium6.92026-04-15Serendipity is a PHP-powered weblog engine.

Sparx Systems Pty Ltd. · 2 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2025-156222026-04-17Insufficiently Protected Credentials vulnerability in Sparx Systems Pty Ltd.
CVE-2025-156212026-04-16Insufficiently Protected Credentials in Sparx Systems Pty Ltd.

Themefusion · 2 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2026-1509Medium5.42026-04-15The Avada (Fusion) Builder plugin for WordPress is vulnerable to Arbitrary WordPress Action Execution in all versions up to, and including, 3.15.1.
CVE-2026-1541Medium4.32026-04-15The Avada (Fusion) Builder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.15.1.

Thymeleaf · 2 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2026-40478Critical9.02026-04-17Thymeleaf is a server-side Java template engine for web and standalone environments.
CVE-2026-40477Critical9.02026-04-17Thymeleaf is a server-side Java template engine for web and standalone environments.

Unisys · 2 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2026-39907Critical10.02026-04-14Unisys WebPerfect Image Suite versions 3.0.3960.22810 and 3.0.3960.22604 expose an unauthenticated WCF SOAP endpoint on TCP port 1208 that accepts unsanitized file paths in the ReadLicense action's LFName parameter, allowing remote attacke…
CVE-2026-39906Critical10.02026-04-14Unisys WebPerfect Image Suite versions 3.0.3960.22810 and 3.0.3960.22604 expose a deprecated .NET Remoting TCP channel that allows remote unauthenticated attackers to leak NTLMv2 machine-account hashes by supplying a Windows UNC path as a…

Unknown · 2 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2026-3830High8.62026-04-13The Product Filter for WooCommerce by WBW WordPress plugin before 3.1.3 does not sanitize and escape a parameter before using it in a SQL statement, allowing unauthenticated users to perform SQL injection attacks
CVE-2025-15441Medium6.82026-04-13The Form Maker by 10Web WordPress plugin before 1.15.38 does not properly prepare SQL queries when the "MySQL Mapping" feature is in use, which could make SQL Injection attacks possible in certain contexts.

Upkeeper Solutions · 2 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2026-24502026-04-14.NET misconfiguration: use of impersonation vulnerability in upKeeper Solutions upKeeper Instant Privilege Access allows Hijacking a Privileged Thread of Execution. This issue affects upKeeper Instant Privilege Access: through 1.5.0.
CVE-2026-24492026-04-14Improper neutralization of argument delimiters in a command ('argument injection') vulnerability in upKeeper Solutions upKeeper Instant Privilege Access allows Hijacking a Privileged Thread of Execution. This issue affects upKeeper Instant…

Veronalabs · 2 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2026-5231High7.22026-04-17The WP Statistics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'utm_source' parameter in all versions up to, and including, 14.16.4.
CVE-2026-3488Medium6.52026-04-17The WP Statistics plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 14.16.4.

Wger · 2 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2026-40474High7.62026-04-17wger is a free, open-source workout and fitness manager.
CVE-2026-40353Medium5.42026-04-17wger is a free, open-source workout and fitness manager.

Xwiki · 2 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2026-40104High8.22026-04-15XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it.
CVE-2026-40105Medium6.12026-04-15XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it.

Zohocorp · 2 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2026-3324High8.22026-04-16Zohocorp ManageEngine Log360 versions 13000 through 13013 are vulnerable to authentication bypass on certain actions due to improper filter configuration.
CVE-2026-5785High8.12026-04-16Zohocorp ManageEngine PAM360 versions before 8531 and ManageEngine Password Manager Pro versions from 8600 to 13230 are vulnerable to Authenticated SQL injection in the query report module.

Zte · 2 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2026-40436High7.12026-04-13The ZTE ZXEDM iEMS product has a password reset vulnerability for any user. Because the management of the cloud EMS portal does not properly control access to the user list acquisition function, attackers can read all user list information…
CVE-2026-40002Medium5.02026-04-17Red Magic 11 Pro (NX809J) contains a vulnerability that allows non-privileged applications to trigger sensitive operations.

Abb · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2025-3756Medium6.52026-04-13A vulnerability exists in the command handling of the IEC 61850 communication stack included in the product revisions listed as affected in this CVE.

Acyba · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-3614High8.82026-04-16The AcyMailing plugin for WordPress is vulnerable to privilege escalation in all versions from 9.11.0 up to, and including, 10.8.1 due to a missing capability check on the `wp_ajax_acymailing_router` AJAX handler.

Adonisjs · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-40255Medium6.12026-04-16AdonisJS HTTP Server is a package for handling HTTP requests in the AdonisJS framework.

Aerin · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-5694High7.22026-04-15The Quick Interest Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'loan-amount' and 'loan-period' parameters in all versions up to, and including, 3.1.5 due to insufficient input sanitization and output es…

Agent-zero · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-30624High8.62026-04-15Agent Zero 0.9.8 contains a remote code execution vulnerability in its External MCP Servers configuration feature.

Aguilatechnologies · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-3464High8.82026-04-17The WP Customer Area plugin for WordPress is vulnerable to arbitrary file read and deletion due to insufficient file path validation in the 'ajax_attach_file' function in all versions up to, and including, 8.3.4.

Amannn · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-402992026-04-17next-intl provides internationalization for Next.js.

Amazon · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-6437Medium6.52026-04-17Improper neutralization of argument delimiters in the volume handling component in AWS EFS CSI Driver (aws-efs-csi-driver) before v3.0.1 allows remote authenticated users with PersistentVolume creation permissions to inject arbitrary mount…

Arcserve · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-40118Medium6.32026-04-16UDP Console provided by Arcserve contains an incorrectly specified destination in a communication channel vulnerability.

Arnobt78 · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-6492Medium5.32026-04-17A vulnerability was detected in arnobt78 Hotel Booking Management System up to f8922d0e0f6ac1cc761974c7616f44c2bbc04bea.

Arraytics · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-4109Medium4.32026-04-14The Eventin – Events Calendar, Event Booking, Ticket & Registration (AI Powered) plugin for WordPress is vulnerable to unauthorized access of data due to an improper capability check on the get_item_permissions_check() function in all versi…

Artifex · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-40505Low3.32026-04-16MuPDF before 1.27 contains an ANSI injection vulnerability in mutool that allows attackers to inject arbitrary ANSI escape sequences through crafted PDF metadata fields.

Auth0 · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-40155Medium5.42026-04-17The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications.

Authzed · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-40091Medium6.02026-04-15SpiceDB is an open source database system for creating and managing security-critical application permissions.

Aveva · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-53872026-04-15The vulnerability, if exploited, could allow an unauthenticated miscreant to perform operations intended only for Simulator Instructor or Simulator Developer (Administrator) roles, resulting in privilege escalation with potential for modif…

Backupguard · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-4853Medium4.92026-04-17The JetBackup – Backup, Restore & Migrate plugin for WordPress is vulnerable to Path Traversal leading to Arbitrary Directory Deletion in versions up to and including 3.1.19.8.

Bappidgreat · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-3659Medium6.42026-04-15The WP Circliful plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' shortcode attribute of the [circliful] shortcode and via multiple shortcode attributes of the [circliful_direct] shortcode in all versions up t…

Barracuda Networks · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
--- | --- | --- | --- | --- | ---
CVE-2026-22676 | High | 7.8 |  | 2026-04-15 | Barracuda RMM versions prior to 2025.2.2 contain a privilege escalation vulnerability that allows local attackers to gain SYSTEM-level privileges by exploiting overly permissive filesystem ACLs on the C:\Windows\Automation directory.

Bdthemes · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
--- | --- | --- | --- | --- | ---
CVE-2026-40745 | High | 7.6 |  | 2026-04-15 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in bdthemes Element Pack Elementor Addons bdthemes-element-pack-lite allows Blind SQL Injection. This issue affects Element Pack Elementor Ad…

Beaver Builder · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
--- | --- | --- | --- | --- | ---
CVE-2026-40744 | High | 8.5 |  | 2026-04-15 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Beaver Builder Beaver Builder beaver-builder-lite-version allows Blind SQL Injection. This issue affects Beaver Builder: from n/a through…

Blockart · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
--- | --- | --- | --- | --- | ---
CVE-2026-40728 | Medium | 4.3 |  | 2026-04-15 | Missing Authorization vulnerability in BlockArt Magazine Blocks magazine-blocks allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Magazine Blocks: from n/a through <= 1.8.3.

Boidcms · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
--- | --- | --- | --- | --- | ---
CVE-2026-39387 | High | 7.2 |  | 2026-04-14 | BoidCMS is an open-source, PHP-based flat-file CMS for building simple websites and blogs, using JSON as its database.

Bosch · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
--- | --- | --- | --- | --- | ---
CVE-2024-33618 | High | 7.5 |  | 2026-04-15 | Uncontrolled Resource Consumption in Bosch VMS Central Server in Bosch VMS 12.0.1 allows attackers to consume excessive amounts of disk space via network interface.

Bplugins · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
--- | --- | --- | --- | --- | ---
CVE-2026-40729 | Medium | 4.3 |  | 2026-04-15 | Missing Authorization vulnerability in bPlugins 3D viewer – Embed 3D Models 3d-viewer allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects 3D viewer – Embed 3D Models: from n/a through <= 1.8.5.

Bytedance · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
--- | --- | --- | --- | --- | ---
CVE-2026-40518 | High | 7.1 |  | 2026-04-17 | ByteDance DeerFlow before commit 2176b2b contains a path traversal and arbitrary file write vulnerability in bootstrap-mode custom-agent creation where the agent name validation is bypassed.

Cartasi · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
--- | --- | --- | --- | --- | ---
CVE-2025-15565 | Medium | 5.3 |  | 2026-04-14 | The Nexi XPay plugin for WordPress is vulnerable to unauthorized modification of data due to missing authorization checks on the redirect function in all versions up to, and including, 8.3.0.

Churchcrm · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
--- | --- | --- | --- | --- | ---
CVE-2026-39940 |  |  |  | 2026-04-13 | ChurchCRM is an open-source church management system.

Cloud Foundry · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
--- | --- | --- | --- | --- | ---
CVE-2026-22734 | High | 8.6 |  | 2026-04-17 | Cloud Foundry UAA is vulnerable to a bypass that allows an attacker to obtain a token for any user and gain access to UAA-protected systems.

Cloudark · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
--- | --- | --- | --- | --- | ---
CVE-2026-29955 | High | 8.8 |  | 2026-04-13 | The `/registercrd` endpoint in KubePlus 4.14 in the kubeconfiggenerator component is vulnerable to command injection.

Coachific · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
--- | --- | --- | --- | --- | ---
CVE-2026-4005 | Medium | 6.4 |  | 2026-04-15 | The Coachific Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'userhash' shortcode attribute in all versions up to and including 1.0.

Codeastro · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
--- | --- | --- | --- | --- | ---
CVE-2026-6201 | Medium | 5.4 |  | 2026-04-13 | A vulnerability was identified in CodeAstro Online Job Portal 1.0.

Codesolz · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
--- | --- | --- | --- | --- | ---
CVE-2026-3369 | Medium | 5.4 |  | 2026-04-16 | The Better Find and Replace – AI-Powered Suggestions plugin for WordPress is vulnerable to Stored Cross-Site Scripting via uploaded image title in versions up to, and including, 1.7.9 due to insufficient input sanitization and output escap…

Cohere · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
--- | --- | --- | --- | --- | ---
CVE-2026-5752 | Critical | 9.3 |  | 2026-04-14 | Sandbox Escape Vulnerability in Terrarium allows arbitrary code execution with root privileges on a host process via JavaScript prototype chain traversal.

Colbeinformatik · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
--- | --- | --- | --- | --- | ---
CVE-2026-3649 | Medium | 5.3 |  | 2026-04-15 | The Katalogportal PDF Sync plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 1.0.0.

Crocoblock · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
--- | --- | --- | --- | --- | ---
CVE-2026-4352 | High | 7.5 |  | 2026-04-14 | The JetEngine plugin for WordPress is vulnerable to SQL Injection via the Custom Content Type (CCT) REST API search endpoint in all versions up to, and including, 3.8.6.1.

Cryptomator · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
--- | --- | --- | --- | --- | ---
CVE-2026-33472 | Medium | 4.8 |  | 2026-04-16 | Cryptomator is an open-source client-side encryption application for cloud storage.

Danielmiessler · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
--- | --- | --- | --- | --- | ---
CVE-2026-6141 | Medium | 6.3 |  | 2026-04-13 | A vulnerability was determined in danielmiessler Personal_AI_Infrastructure up to 2.3.0.

Data Recognition Corporation · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
--- | --- | --- | --- | --- | ---
CVE-2026-5756 | High | 7.5 |  | 2026-04-14 | Unauthenticated Configuration File Modification Vulnerability in DRC Central Office Services (COS) allows an attacker to modify the server's configuration file, potentially leading to mass data exfiltration, malicious traffic interception…

Decidim · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
--- | --- | --- | --- | --- | ---
CVE-2026-23891 | High | 8.7 |  | 2026-04-13 | Decidim is a participatory democracy framework.

Deluxethemes · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
--- | --- | --- | --- | --- | ---
CVE-2025-53444 | Medium | 4.3 |  | 2026-04-15 | Cross-Site Request Forgery (CSRF) vulnerability in DeluxeThemes Userpro userpro allows Cross Site Request Forgery. This issue affects Userpro: from n/a through < 5.1.11.

Designingmedia · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
--- | --- | --- | --- | --- | ---
CVE-2025-15470 | Medium | 6.5 |  | 2026-04-15 | The Eleganzo theme for WordPress is vulnerable to arbitrary directory deletion due to insufficient path validation in the akd_required_plugin_callback function in all versions up to, and including, 1.2.

Designinvento · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
--- | --- | --- | --- | --- | ---
CVE-2026-3489 | High | 7.5 |  | 2026-04-16 | The DirectoryPress – Business Directory And Classified Ad Listing plugin for WordPress is vulnerable to SQL Injection via the 'packages' parameter in versions up to, and including, 3.6.26 due to insufficient escaping on the user supplied p…

Devitemsllc · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
--- | --- | --- | --- | --- | ---
CVE-2026-4059 | Medium | 6.4 |  | 2026-04-14 | The ShopLentor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the woolentor_quickview_button shortcode's button_text attribute in all versions up to, and including, 3.3.5.

Dgraph · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
--- | --- | --- | --- | --- | ---
CVE-2026-40173 | Critical | 9.4 |  | 2026-04-15 | Dgraph is an open source distributed GraphQL database.

Dgwyer · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
--- | --- | --- | --- | --- | ---
CVE-2026-4011 | Medium | 6.4 |  | 2026-04-15 | The Power Charts Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' parameter of the [pc] shortcode in all versions up to, and including, 0.1.0.

Digital Knowledge · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
--- | --- | --- | --- | --- | ---
CVE-2026-5426 | Critical | 9.1 |  | 2026-04-16 | Hard-coded ASP.NET/IIS machineKey value in Digital Knowledge KnowledgeDeliver deployments prior to February 24, 2026 allows adversaries to circumvent ViewState validation mechanisms and achieve remote code execution via malicious ViewState…

Dolibarr · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
--- | --- | --- | --- | --- | ---
CVE-2026-23500 | Critical | 9.1 |  | 2026-04-17 | Dolibarr is an enterprise resource planning (ERP) and customer relationship management (CRM) software package.

Dynabook Inc. · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
--- | --- | --- | --- | --- | ---
CVE-2026-35553 | Medium | 6.7 |  | 2026-04-13 | Bluetooth ACPI Drivers provided by Dynabook Inc.

Eclipse · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
--- | --- | --- | --- | --- | ---
CVE-2026-2332 | High | 7.4 |  | 2026-04-14 | In Eclipse Jetty, the HTTP/1.1 parser is vulnerable to request smuggling when chunk extensions are used, similar to the "funky chunks" techniques outlined here: * https://w4ke.info/2025/06/18/funky-chunks.html * https://w4ke.info/20…

Emarket-design · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
--- | --- | --- | --- | --- | ---
CVE-2025-15636 | Medium | 6.5 |  | 2026-04-15 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in emarket-design YouTube Showcase youtube-showcase allows Stored XSS. This issue affects YouTube Showcase: from n/a through <= 3.5.1.

Essentialplugin · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
--- | --- | --- | --- | --- | ---
CVE-2026-6443 | Critical | 9.8 |  | 2026-04-17 | All plugins by Essentialplugin for WordPress are vulnerable to an injected backdoor in various versions.

Expresstech · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
--- | --- | --- | --- | --- | ---
CVE-2026-5797 | Medium | 5.3 |  | 2026-04-17 | The Quiz And Survey Master plugin for WordPress is vulnerable to Arbitrary Shortcode Execution in versions up to and including 11.1.0.

Extendthemes · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
--- | --- | --- | --- | --- | ---
CVE-2026-5427 | Medium | 5.3 |  | 2026-04-17 | The Kubio plugin for WordPress is vulnerable to Arbitrary File Upload in versions up to and including 2.7.2.

External-secrets · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
--- | --- | --- | --- | --- | ---
CVE-2026-34984 | Medium | 6.5 |  | 2026-04-14 | External Secrets Operator reads information from a third-party service and automatically injects the values as Kubernetes Secrets.

Fahadmahmood · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
--- | --- | --- | --- | --- | ---
CVE-2026-3878 | Medium | 6.4 |  | 2026-04-16 | The WP Docs plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wpdocs_options[icon_size]' parameter in all versions up to, and including, 2.2.9 due to insufficient input sanitization and output escaping.

Farion1231 · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
--- | --- | --- | --- | --- | ---
CVE-2026-6143 | Medium | 6.3 |  | 2026-04-13 | A security flaw has been discovered in farion1231 cc-switch up to 3.12.3.

Festo · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
--- | --- | --- | --- | --- | ---
CVE-2023-3634 | High | 8.8 |  | 2026-04-16 | In products of the MSE6 product family by Festo, a remote, authenticated, low-privileged attacker could use functions of an undocumented test mode, which could lead to a complete loss of confidentiality, integrity and availability.

Flightbycanto · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
--- | --- | --- | --- | --- | ---
CVE-2026-6441 | Medium | 4.3 |  | 2026-04-17 | The Canto plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 3.1.1.

Flippercode · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
--- | --- | --- | --- | --- | ---
CVE-2025-13364 | Medium | 6.4 |  | 2026-04-16 | The WP Maps – Store Locator, Google Maps, OpenStreetMap, Mapbox, Listing, Directory & Filters plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'put_wpgm' shortcode in all versions up to, and including, 4.8.7.

Flux159 · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
--- | --- | --- | --- | --- | ---
CVE-2026-39884 | High | 8.3 |  | 2026-04-15 | mcp-server-kubernetes is a Model Context Protocol server for Kubernetes cluster management.

Forfront · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
--- | --- | --- | --- | --- | ---
CVE-2026-3642 | Medium | 5.3 |  | 2026-04-15 | The e-shot™ form builder plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 1.0.2.

Foxcpp · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
--- | --- | --- | --- | --- | ---
CVE-2026-40193 | High | 8.2 |  | 2026-04-16 | maddy is a composable, all-in-one mail server.

Foxit Software Inc. · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
--- | --- | --- | --- | --- | ---
CVE-2026-5936 | High | 8.5 |  | 2026-04-13 | An attacker can control a server-side HTTP request by supplying a crafted URL, causing the server to initiate requests to arbitrary destinations.

Fpt Software · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
--- | --- | --- | --- | --- | ---
CVE-2026-6179 |  |  |  | 2026-04-13 | Stored Cross Site Scripting in NightWolf Penetration Testing Platform allows an attacker to trigger and run a malicious script in the user's browser.

Futo · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
--- | --- | --- | --- | --- | ---
CVE-2026-40096 | Medium | 5.4 |  | 2026-04-15 | immich is a high performance self-hosted photo and video management solution.

Futtta · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
--- | --- | --- | --- | --- | ---
CVE-2026-3299 | Medium | 6.4 |  | 2026-04-16 | The WP YouTube Lyte plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'lyte' shortcode in all versions up to, and including, 1.7.29 due to insufficient input sanitization and output escaping on user supplie…

Git-for-windows · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
--- | --- | --- | --- | --- | ---
CVE-2026-32631 | High | 7.4 |  | 2026-04-15 | Git for Windows is the Windows port of Git.

Gn_themes · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
--- | --- | --- | --- | --- | ---
CVE-2026-3885 | Medium | 6.4 |  | 2026-04-16 | The WP Shortcodes Plugin — Shortcodes Ultimate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'su_box' shortcode in all versions up to, and including, 7.4.9 due to insufficient input sanitization and out…

Goodoneuz · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
--- | --- | --- | --- | --- | ---
CVE-2026-31843 | Critical | 9.8 |  | 2026-04-16 | The goodoneuz/pay-uz Laravel package (<= 2.2.24) contains a critical vulnerability in the /payment/api/editable/update endpoint that allows unauthenticated attackers to overwrite existing PHP payment hook files.

Google Cloud · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
--- | --- | --- | --- | --- | ---
CVE-2026-4810 |  |  |  | 2026-04-13 | A Code Injection and Missing Authentication vulnerability in Google Agent Development Kit (ADK) versions 1.7.0 (and 2.0.0a1) through 1.28.1 (and 2.0.0a2) on Python (OSS), Cloud Run, and GKE allows an unauthenticated remote attacker to exec…

Gramps-project · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
--- | --- | --- | --- | --- | ---
CVE-2026-40258 | Critical | 9.1 |  | 2026-04-17 | The Gramps Web API is a Python REST API for the genealogical research software Gramps.

Growi, Inc. · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
--- | --- | --- | --- | --- | ---
CVE-2026-26291 | Medium | 5.4 |  | 2026-04-15 | Stored cross-site scripting vulnerability exists in GROWI v7.4.6 and earlier.

Haproxy · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
--- | --- | --- | --- | --- | ---
CVE-2026-33555 | Medium | 4.0 |  | 2026-04-13 | An issue was discovered in HAProxy before 3.3.6.

Hashthemes · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
--- | --- | --- | --- | --- | ---
CVE-2026-6370 | Medium | 5.9 |  | 2026-04-15 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in HashThemes Mini Ajax Cart for WooCommerce allows Stored XSS. This issue affects Mini Ajax Cart for WooCommerce: from n/a through 1.3.4.

Hcl · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
--- | --- | --- | --- | --- | ---
CVE-2025-52641 | Low | 2.9 |  | 2026-04-15 | HCL AION is affected by a vulnerability where certain system behaviours may allow exploration of internal filesystem structures.

Hclsoftware · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
--- | --- | --- | --- | --- | ---
CVE-2025-31991 | Medium | 6.8 |  | 2026-04-13 | Rate Limiting for attempting a user login is not being properly enforced, making HCL DevOps Velocity susceptible to brute-force attacks past the unsuccessful login attempt limit. This vulnerability is fixed in 5.1.7.

Hgiga · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
--- | --- | --- | --- | --- | ---
CVE-2026-6349 | Critical | 9.8 |  | 2026-04-16 | The iSherlock developed by HGiga has an OS Command Injection vulnerability, allowing unauthenticated local attackers to inject arbitrary OS commands and execute them on the server.

Horner Automation · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
--- | --- | --- | --- | --- | ---
CVE-2026-6284 | Critical | 9.1 |  | 2026-04-17 | An attacker with network access to the PLC is able to brute force discover passwords to gain unauthorized access to systems and services.

Hp Inc · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
--- | --- | --- | --- | --- | ---
CVE-2026-4682 |  |  |  | 2026-04-15 | Certain HP DeskJet All in One devices may be vulnerable to remote code execution caused by a buffer overflow when specially crafted Web Services for Devices (WSD) scan requests are improperly validated and handled by the MFP.

Hp Inc. · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
--- | --- | --- | --- | --- | ---
CVE-2026-4667 |  |  |  | 2026-04-15 | HP System Optimizer might potentially be vulnerable to escalation of privilege.

Iandunn · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
--- | --- | --- | --- | --- | ---
CVE-2026-3581 | Medium | 5.3 |  | 2026-04-16 | The Basic Google Maps Placemarks plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 1.10.7.

Iberezansky · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
--- | --- | --- | --- | --- | ---
CVE-2026-1314 | Medium | 5.3 |  | 2026-04-15 | The 3D FlipBook – PDF Embedder, PDF Flipbook Viewer, Flipbook Image Gallery plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the send_post_pages_json() function in all versions up to, a…

Imagination Technologies · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
--- | --- | --- | --- | --- | ---
CVE-2026-21733 | High | 7.3 |  | 2026-04-17 | Software installed and run as a non-privileged user may conduct improper GPU system calls to gain write permission to read-only wrapped user-mode memory and files.

Istio · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
--- | --- | --- | --- | --- | ---
CVE-2026-39350 | Medium | 5.4 |  | 2026-04-15 | Istio is an open platform to connect, manage, and secure microservices.

It-novum · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
--- | --- | --- | --- | --- | ---
CVE-2026-24893 | High | 8.8 |  | 2026-04-14 | openITCOCKPIT is an open source monitoring tool built for different monitoring engines.

Ivole · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
--- | --- | --- | --- | --- | ---
CVE-2026-3355 | Medium | 6.1 |  | 2026-04-16 | The Customer Reviews for WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'crsearch' parameter in all versions up to, and including, 5.101.0 due to insufficient input sanitization and output escaping…

Jdeguest · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
--- | --- | --- | --- | --- | ---
CVE-2026-5088 | High | 7.5 |  | 2026-04-15 | Apache::API::Password versions through 0.5.2 for Perl can generate insecure random values for salts.

Joedolson · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
--- | --- | --- | --- | --- | ---
CVE-2026-40308 |  |  |  | 2026-04-16 | My Calendar is a WordPress plugin for managing calendar events.

Keras-team · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
--- | --- | --- | --- | --- | ---
CVE-2026-1462 | High | 7.8 |  | 2026-04-13 | A vulnerability in the `TFSMLayer` class of the `keras` package, version 3.13.0, allows attacker-controlled TensorFlow SavedModels to be loaded during deserialization of `.keras` models, even when `safe_mode=True`.

Kimipooh · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
--- | --- | --- | --- | --- | ---
CVE-2026-2396 | Medium | 4.4 |  | 2026-04-15 | The List View Google Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the event description in all versions up to, and including, 7.4.3 due to insufficient input sanitization and output escaping.

Kiuwan · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
--- | --- | --- | --- | --- | ---
CVE-2026-24069 | Medium | 5.4 |  | 2026-04-14 | Kiuwan SAST improperly authorizes SSO logins for locally disabled mapped user accounts, allowing disabled users to continue accessing the application.

Knighthawk · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
--- | --- | --- | --- | --- | ---
CVE-2026-5717 | Medium | 6.4 |  | 2026-04-15 | The VI: Include Post By plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'class_container' attribute of the 'include-post-by-cat' shortcode in all versions up to, and including, 0.4.200706 due to insufficient input…

Kpumuk · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
--- | --- | --- | --- | --- | ---
CVE-2026-4032 | Medium | 6.1 |  | 2026-04-16 | The CodeColorer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'class' parameter in 'cc' comment shortcode in versions up to, and including, 0.10.1 due to insufficient input sanitization and output escaping.

Latepoint · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
--- | --- | --- | --- | --- | ---
CVE-2026-5234 | Medium | 5.3 |  | 2026-04-17 | The LatePoint plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.3.2.

Leafletjs · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
--- | --- | --- | --- | --- | ---
CVE-2025-69993 | Medium | 6.1 |  | 2026-04-14 | Leaflet versions up to and including 1.9.4 are vulnerable to Cross-Site Scripting (XSS) via the bindPopup() method.

Lfprojects · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
--- | --- | --- | --- | --- | ---
CVE-2026-40090 | High | 7.1 |  | 2026-04-15 | Zarf is an Airgap Native Packager Manager for Kubernetes.

Libcoap · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
--- | --- | --- | --- | --- | ---
CVE-2026-29013 | Critical | 9.8 |  | 2026-04-17 | libcoap contains out-of-bounds read vulnerabilities in OSCORE Appendix B.2 CBOR unwrap handling where get_byte_inc() in src/oscore/oscore_cbor.c relies solely on assert() for bounds checking, which is removed in release builds compiled wit…

Libexpat Project · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
--- | --- | --- | --- | --- | ---
CVE-2026-41080 | Low | 2.9 |  | 2026-04-16 | libexpat before 2.8.0 uses insufficient entropy, and thus hash flooding can occur via a crafted XML document.

Linuxfoundation · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
--- | --- | --- | --- | --- | ---
CVE-2026-39984 | Medium | 5.5 |  | 2026-04-15 | Sigstore Timestamp Authority is a service for issuing RFC 3161 timestamps.

Long Watch Studio · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
--- | --- | --- | --- | --- | ---
CVE-2026-40786 | Medium | 4.3 |  | 2026-04-15 | Missing Authorization vulnerability in Long Watch Studio MyRewards woorewards allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects MyRewards: from n/a through <= 5.7.3.

Lukevella · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
--- | --- | --- | --- | --- | ---
CVE-2026-6493 | Low | 3.5 |  | 2026-04-17 | A flaw has been found in lukevella rallly up to 4.7.4.

Ly Corporation · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
--- | --- | --- | --- | --- | ---
CVE-2026-3861 | Medium | 6.5 |  | 2026-04-16 | LINE client for iOS versions prior to 26.3.0 contains a vulnerability in the in-app browser where opening a crafted web page can repeatedly trigger OS-level dialogs due to insufficient safeguards when handling arbitrary URL schemes, potent…

Mafintosh · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
--- | --- | --- | --- | --- | ---
CVE-2026-5758 | Medium | 6.5 |  | 2026-04-15 | JavaScript is vulnerable to prototype pollution in Mafintosh's protocol-buffers-schema Version 3.6.0, where an attacker may alter the application logic, bypass security checks, cause a DoS or achieve remote code execution.

Mahmudul Hasan Arif · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
--- | --- | --- | --- | --- | ---
CVE-2026-40784 | High | 8.1 |  | 2026-04-15 | Authorization Bypass Through User-Controlled Key vulnerability in Mahmudul Hasan Arif FluentBoards fluent-boards allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects FluentBoards: from n/a through <= 1…

Majestic Support · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
--- | --- | --- | --- | --- | ---
CVE-2026-40778 | Medium | 5.3 |  | 2026-04-15 | Missing Authorization vulnerability in Majestic Support Majestic Support majestic-support allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Majestic Support: from n/a through <= 1.1.2.

Maradns · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
--- | --- | --- | --- | --- | ---
CVE-2026-40719 | High | 7.5 |  | 2026-04-15 | Deadwood in MaraDNS 3.5.0036 allows attackers to exhaust connection slots via a zone whose authoritative nameserver address cannot be resolved.

Marcobambini · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
--- | --- | --- | --- | --- | ---
CVE-2026-40504 | Critical | 9.8 |  | 2026-04-16 | Creolabs Gravity before 0.9.6 contains a heap buffer overflow vulnerability in the gravity_vm_exec function that allows attackers to write out-of-bounds memory by crafting scripts with many string literals at global scope.

Mcphub · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
--- | --- | --- | --- | --- | ---
CVE-2025-13822 | Medium | 5.3 |  | 2026-04-14 | MCPHub in versions below 0.11.0 is vulnerable to authentication bypass.

Mcrawfor · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
--- | --- | --- | --- | --- | ---
CVE-2026-5085 | Critical | 9.1 |  | 2026-04-13 | Solstice::Session versions through 1440 for Perl generates session ids insecurely.

Microchip · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
--- | --- | --- | --- | --- | ---
CVE-2026-2336 |  |  |  | 2026-04-16 | A privilege escalation vulnerability in Microchip IStaX allows an authenticated low-privileged user to recover a shared per-device cookie secret from their own webstax_auth session cookie and forge a new cookie with administrative privileg…

Miniupnp Project · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
--- | --- | --- | --- | --- | ---
CVE-2026-5720 | Critical | 9.1 |  | 2026-04-17 | miniupnpd contains an integer underflow vulnerability in SOAPAction header parsing that allows remote attackers to cause a denial of service or information disclosure by sending a malformed SOAPAction header with a single quote.

Mobatek · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
--- | --- | --- | --- | --- | ---
CVE-2026-6421 | High | 7.0 |  | 2026-04-17 | A vulnerability has been found in Mobatek MobaXterm Home Edition up to 26.1.

Moby · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
--- | --- | --- | --- | --- | ---
CVE-2026-35469 | Medium | 6.5 |  | 2026-04-16 | spdystream is a Go library for multiplexing streams over SPDY connections.

Monetr · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
--- | --- | --- | --- | --- | ---
CVE-2026-40481 | High | 7.5 |  | 2026-04-17 | monetr is a budgeting application for recurring expenses.

Mongodb · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
--- | --- | --- | --- | --- | ---
CVE-2026-6231 | Medium | 4.3 |  | 2026-04-13 | The bson_validate function may return early on specific inputs and incorrectly report success.

Nelio Software · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
--- | --- | --- | --- | --- | ---
CVE-2026-40742 | Medium | 5.3 |  | 2026-04-15 | Missing Authorization vulnerability in Nelio Software Nelio AB Testing nelio-ab-testing allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Nelio AB Testing: from n/a through <= 8.2.8.

Neo4j-contrib · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
--- | --- | --- | --- | --- | ---
CVE-2026-35402 |  |  |  | 2026-04-17 | mcp-neo4j-cypher is an MCP server for executing Cypher queries against Neo4j databases.

Nerdvana · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
--- | --- | --- | --- | --- | ---
CVE-2026-5086 | High | 7.5 |  | 2026-04-13 | Crypt::SecretBuffer versions before 0.019 for Perl are susceptible to timing attacks.

Nghttp2 · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
--- | --- | --- | --- | --- | ---
CVE-2026-40170 | High | 7.5 |  | 2026-04-16 | ngtcp2 is a C implementation of the IETF QUIC protocol.

Nocobase · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
--- | --- | --- | --- | --- | ---
CVE-2026-6224 | High | 7.3 |  | 2026-04-13 | A security flaw has been discovered in nocobase plugin-workflow-javascript up to 2.0.23.

Nomios Poland · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
--- | --- | --- | --- | --- | ---
CVE-2026-5131 |  |  |  | 2026-04-17 | GREENmod uses named pipes for communication between plugins, the web portal, and the system service, but the access control lists for these pipes are configured incorrectly.

Nuget · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
--- | --- | --- | --- | --- | ---
CVE-2026-39399 | Critical | 9.6 |  | 2026-04-14 | NuGet Gallery is a package repository that powers nuget.org.

Ocaml · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
--- | --- | --- | --- | --- | ---
CVE-2026-41082 | High | 7.3 |  | 2026-04-16 | In OCaml opam before 2.5.1, a .install field containing a destination filepath can use ../ to reach a parent directory.

Omron Social Solutions Co., Ltd. · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
--- | --- | --- | --- | --- | ---
CVE-2026-5397 | High | 7.8 |  | 2026-04-15 | It has been identified that a vulnerability (CWE-427) exists in the UPS (Uninterruptible Power Supply) management application, whereby improper permissions on the installation directory allow a malicious actor to place a DLL that is then e…

Onesignal · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
--- | --- | --- | --- | --- | ---
CVE-2026-3155 | Low | 3.1 |  | 2026-04-16 | The OneSignal – Web Push Notifications plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 3.8.0.

Onlineada · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
--- | --- | --- | --- | --- | ---
CVE-2026-3773 | Medium | 6.5 |  | 2026-04-16 | The Accessibility Suite by Ability, Inc plugin for WordPress is vulnerable to SQL Injection via the 'scan_id' parameter in all versions up to, and including, 4.20.

Onlineoptimisation · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
--- | --- | --- | --- | --- | ---
CVE-2026-2840 | Medium | 6.4 |  | 2026-04-16 | The Email Encoder – Protect Email Addresses and Phone Numbers plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'eeb_mailto' shortcode in all versions up to, and including, 2.4.4 due to insufficient input sanitizati…

Onthemapmarketing · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
--- | --- | --- | --- | --- | ---
CVE-2026-3643 | High | 7.2 |  | 2026-04-15 | The Accessibly plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the REST API in all versions up to, and including, 3.0.3.

Open-webui · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
--- | --- | --- | --- | --- | ---
CVE-2026-34225 | Medium | 4.3 |  | 2026-04-14 | Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline.

Opencryptoki · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
--- | --- | --- | --- | --- | ---
CVE-2026-40253 | Medium | 6.8 |  | 2026-04-16 | openCryptoki is a PKCS#11 library and provides tooling for Linux and AIX.

Openfga · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
--- | --- | --- | --- | --- | ---
CVE-2026-40293 | Medium | 6.5 |  | 2026-04-17 | OpenFGA is an authorization/permission engine built for developers.

Openproject · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
--- | --- | --- | --- | --- | ---
CVE-2026-33667 | High | 7.4 |  | 2026-04-15 | OpenProject is an open-source project management application.

Openremote · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
--- | --- | --- | --- | --- | ---
CVE-2026-39842 | Critical | 9.9 |  | 2026-04-15 | OpenRemote is an open-source IoT platform.

Openstack · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
--- | --- | --- | --- | --- | ---
CVE-2026-40683 | High | 7.7 |  | 2026-04-14 | In OpenStack Keystone before 28.0.1, the LDAP identity backend does not convert the user enabled attribute to a boolean when the user_enabled_invert configuration option is False (the default).

Opentext, Inc · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
--- | --- | --- | --- | --- | ---
CVE-2025-15610 |  |  |  | 2026-04-15 | The .NET Remoting framework used by OpenText Fax (RightFax) includes known security vulnerabilities that could be exploited if the service is exposed in environments where the remoting ports are accessible.

Owasp · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
--- | --- | --- | --- | --- | ---
CVE-2026-40316 | High | 8.8 |  | 2026-04-15 | OWASP BLT is a QA testing and vulnerability disclosure platform that encompasses websites, apps, git repositories, and more.

Owen · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
--- | --- | --- | --- | --- | ---
CVE-2026-1555 | Critical | 9.8 |  | 2026-04-15 | The WebStack theme for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the io_img_upload() function in all versions up to, and including, 1.2024.

Pancho · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
--- | --- | --- | --- | --- | ---
CVE-2026-40043 | Medium | 6.5 |  | 2026-04-13 | Pachno 1.0.6 contains an authentication bypass vulnerability in the runSwitchUser() action that allows authenticated low-privilege users to escalate privileges by manipulating the original_username cookie.

Petjeaf · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
--- | --- | --- | --- | --- | ---
CVE-2026-4002 | Medium | 4.3 |  | 2026-04-15 | The Petje.af plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 2.1.8.

Plisio · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
--- | --- | --- | --- | --- | ---
CVE-2026-6372 | High | 7.5 |  | 2026-04-15 | Missing Authorization vulnerability in Plisio Accept Cryptocurrencies with Plisio allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Accept Cryptocurrencies with Plisio: from n/a through 2.0.5.

Poporon · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
--- | --- | --- | --- | --- | ---
CVE-2026-2434 | Medium | 6.4 |  | 2026-04-17 | The Pz-LinkCard plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'blogcard' shortcode attributes in all versions up to, and including, 2.5.8.1 due to insufficient input sanitization and output escaping.

Processwire · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
--- | --- | --- | --- | --- | ---
CVE-2026-40500 | Medium | 6.8 |  | 2026-04-15 | ProcessWire CMS version 3.0.255 and prior contain a server-side request forgery vulnerability in the admin panel's 'Add Module From URL' feature that allows authenticated administrators to supply arbitrary URLs to the module download param…

Prometheus · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
--- | --- | --- | --- | --- | ---
CVE-2026-40179 | Medium | 6.1 |  | 2026-04-15 | Prometheus is an open-source monitoring system and time series database.

Properfraction · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
--- | --- | --- | --- | --- | ---
CVE-2026-4949 | Medium | 4.3 |  | 2026-04-15 | The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 4.16.12.

Protocol Buffers · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
--- | --- | --- | --- | --- | ---
CVE-2026-6409 |  |  |  | 2026-04-16 | A Denial of Service (DoS) vulnerability exists in the Protobuf PHP library during the parsing of untrusted input.

Py-pdf · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
--- | --- | --- | --- | --- | ---
CVE-2026-40260 | Medium | 5.3 |  | 2026-04-17 | pypdf is a free and open-source pure-python PDF library.

Python · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
--- | --- | --- | --- | --- | ---
CVE-2026-40192 | High | 7.5 |  | 2026-04-15 | Pillow is a Python imaging library.

Qihui · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
--- | --- | --- | --- | --- | ---
CVE-2026-6487 | Medium | 4.3 |  | 2026-04-17 | A flaw has been found in Qihui jtbc5 CMS 5.0.3.6.

Quantgeekdev · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
--- | --- | --- | --- | --- | ---
CVE-2026-39313 |  |  |  | 2026-04-16 | mcp-framework is a framework for building Model Context Protocol (MCP) servers.

Radware · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
--- | --- | --- | --- | --- | ---
CVE-2026-5754 | Medium | 6.1 |  | 2026-04-14 | Reflected Cross-Site Scripting (XSS) Vulnerability in Radware Alteon 34.5.4.0 vADC load-balancer allows an attacker to inject malicious scripts into the website, potentially leading to unauthorized actions, data theft, or other malicious a…

Rafasashi · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
--- | --- | --- | --- | --- | ---
CVE-2026-3551 | Medium | 4.4 |  | 2026-04-16 | The Custom New User Notification plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's admin settings in all versions up to, and including, 1.2.0.

Rhukster · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
--- | --- | --- | --- | --- | ---
CVE-2026-40301 | Medium | 4.7 |  | 2026-04-17 | DOMSanitizer is a DOM/SVG/MathML Sanitizer for PHP 7.3+.

Royalnavneet · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-5617 | High | 8.8 | | 2026-04-15 | The Login as User plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.0.3.

Ruby · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-27820 | Critical | 9.8 | | 2026-04-16 | zlib is a Ruby interface for the zlib compression/decompression library.

Sagredo · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-41113 | High | 8.1 | | 2026-04-16 | sagredo qmail before 2026.04.07 allows tls_quit remote code execution because of popen in notlshosts_auto in qmail-remote.c.

Sailpoint Technologies · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-4857 | High | 8.4 | | 2026-04-15 | IdentityIQ 8.5, all IdentityIQ 8.5 patch levels prior to 8.5p2, IdentityIQ 8.4, and all IdentityIQ 8.4 patch levels prior to 8.4p4 allow authenticated users assigned the Debug Pages Read Only capability or any custom capability with the Vi…

Samba · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-41035 | High | 7.4 | | 2026-04-16 | In rsync 3.0.1 through 3.4.1, receive_xattr relies on an untrusted length value during a qsort call, leading to a receiver use-after-free.

Shahinurislam · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-14868 | High | 8.8 | | 2026-04-16 | The Career Section plugin for WordPress is vulnerable to Cross-Site Request Forgery leading to Path Traversal and Arbitrary File Deletion in all versions up to, and including, 1.6.

Shapedplugin · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-3017 | High | 7.2 | | 2026-04-14 | The Smart Post Show – Post Grid, Post Carousel & Slider, and List Category Posts plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.0.12 via deserialization of untrusted input in the import_s…

Silverstripe · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-24749 | Medium | 5.3 | | 2026-04-16 | The Silverstripe Assets Module is a required component of Silverstripe Framework.

Simopro Technology · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-6348 | High | 8.8 | | 2026-04-16 | WinMatrix agent developed by Simopro Technology has a Missing Authentication vulnerability, allowing authenticated local attackers to execute arbitrary code with SYSTEM privileges on the local machine as well as on all hosts within the env…

Simple-git_project · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-28291 | High | 8.1 | | 2026-04-13 | simple-git enables running native Git commands from JavaScript.

Siteorigin · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-5070 | Medium | 6.4 | | 2026-04-16 | The Vantage theme for WordPress is vulnerable to Stored Cross-Site Scripting via Gallery block text content in versions up to, and including, 1.20.32 due to insufficient output escaping in the gallery template.

Snowflake · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-6442 | High | 8.3 | | 2026-04-16 | Improper validation of bash commands in Snowflake Cortex Code CLI versions prior to 1.0.25 allowed subsequent commands to execute outside the sandbox.

Sonatype · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-5189 | | | | 2026-04-15 | CWE-798: Use of Hard-coded Credentials in Sonatype Nexus Repository Manager versions 3.0.0 through 3.70.5 allows an unauthenticated attacker with network access to gain unauthorized read/write access to the internal database and execute ar…

Specialk · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-3876 | High | 7.2 | | 2026-04-16 | The Prismatic plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'prismatic_encoded' pseudo-shortcode in all versions up to, and including, 3.7.3.

Stirlingpdf · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-33436 | Low | 3.1 | | 2026-04-17 | Stirling-PDF is a locally hosted web application that facilitates various operations on PDF files.

Stylemix · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-4817 | Medium | 6.5 | | 2026-04-17 | The MasterStudy LMS WordPress Plugin for Online Courses and Education plugin for WordPress is vulnerable to Time-based Blind SQL Injection via the 'order' and 'orderby' parameters in the /lms/stm-lms/order/items REST API endpoint in versio…

Surbma · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-1607 | Medium | 6.4 | | 2026-04-14 | The Surbma | Booking.com Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `surbma-bookingcom` shortcode in all versions up to, and including, 2.1 due to insufficient input sanitization and output…

Syed Balkhi · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-40764 | High | 8.1 | | 2026-04-15 | Cross-Site Request Forgery (CSRF) vulnerability in Syed Balkhi Contact Form by WPForms wpforms-lite allows Cross Site Request Forgery. This issue affects Contact Form by WPForms: from n/a through <= 1.10.0.2.

Sysadminsmedia · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-40196 | High | 8.1 | | 2026-04-17 | HomeBox is a home inventory and organization system.

Talend · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-6264 | Critical | 9.8 | | 2026-04-14 | A critical vulnerability in the Talend JobServer and Talend Runtime allows unauthenticated remote code execution via the JMX monitoring port.

Techjewel · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-4160 | Medium | 5.3 | | 2026-04-16 | The Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder plugin for WordPress is vulnerable to Insecure Direct Object Reference via the 'submission_id' parameter in versions up to, and including, 6.1.21.

Themegrill · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-40730 | Medium | 5.3 | | 2026-04-15 | Missing Authorization vulnerability in ThemeGrill ThemeGrill Demo Importer themegrill-demo-importer allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects ThemeGrill Demo Importer: from n/a through <= 2…

Thimpress · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-4365 | Critical | 9.1 | | 2026-04-14 | The LearnPress plugin for WordPress is vulnerable to unauthorized data deletion due to a missing capability check on the `delete_question_answer()` function in all versions up to, and including, 4.3.2.8.

Tholstkabelbwde · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-6451 | Medium | 4.3 | | 2026-04-17 | The cms-fuer-motorrad-werkstaetten plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to and including 1.0.0.

Tokenoftrust · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-2834 | High | 7.2 | | 2026-04-15 | The Age Verification & Identity Verification by Token of Trust plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘description’ parameter in all versions up to, and including, 3.32.3 due to insufficient input sanitiz…

Tomdever · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-4666 | Medium | 6.5 | | 2026-04-17 | The wpForo Forum plugin for WordPress is vulnerable to unauthorized modification of data due to the use of `extract($args, EXTR_OVERWRITE)` on user-controlled input in the `edit()` method of `classes/Posts.php` in all versions up to, and i…
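
The `extract($args, EXTR_OVERWRITE)` pattern named in the wpForo entry (CVE-2026-4666) is worth seeing in isolation. The PHP below is an added illustration written for this page, not wpForo's code: the function, the locals it guards with, the stand-in author lookup and the request array are all constructed, and the plugin's real `edit()` method and its fix are not reproduced. What it shows is why extracting user-controlled keys into the local scope lets a caller overwrite whichever variables happen to carry authorization state, and the allowlist shape that closes that off.

```php
<?php
// Added example for this page, illustrating the extract($args, EXTR_OVERWRITE)
// pattern named in CVE-2026-4666. This is not wpForo code: the function,
// its locals and the request array are constructed for the illustration.

// Vulnerable shape: authorization state lives in locals, and extract() with
// EXTR_OVERWRITE then lets any matching key in $args replace them.
function edit_post_vulnerable(array $args, int $current_user_id): array
{
    $postid   = (int) ($args['postid'] ?? 0);
    $author   = 42;                               // stand-in for a DB lookup of $postid
    $is_owner = ($author === $current_user_id);
    $status   = 'pending';                        // new edits await moderation

    // Every key in $args becomes a local variable here; with EXTR_OVERWRITE the
    // existing ones ($is_owner, $status, $author, even $current_user_id) are
    // silently replaced by whatever the request carried.
    extract($args, EXTR_OVERWRITE);

    if (!$is_owner) {
        return ['ok' => false, 'reason' => 'not the author'];
    }
    return ['ok' => true, 'postid' => $postid, 'status' => $status, 'author' => $author];
}

// Hardened shape: read the fields you expect by name, drop everything else,
// and keep the authorization decision out of reach of request data.
function edit_post_hardened(array $args, int $current_user_id): array
{
    $allowed = ['postid', 'title', 'body'];
    $in      = array_intersect_key($args, array_flip($allowed));

    $postid   = (int) ($in['postid'] ?? 0);
    $author   = 42;                               // same stand-in lookup
    $is_owner = ($author === $current_user_id);
    $status   = 'pending';

    if (!$is_owner) {
        return ['ok' => false, 'reason' => 'not the author'];
    }
    return [
        'ok'     => true,
        'postid' => $postid,
        'status' => $status,
        'title'  => (string) ($in['title'] ?? ''),
    ];
}

// Constructed request from user 7, who is not the author of post 1, carrying
// keys that collide with the function's own variables.
$request = ['postid' => 1, 'is_owner' => true, 'status' => 'publish', 'author' => 7];

var_dump(edit_post_vulnerable($request, 7));   // accepted: the request set $is_owner
var_dump(edit_post_hardened($request, 7));     // refused: unexpected keys are discarded
```

Run it with `php extract_overwrite.php`: the vulnerable function accepts the edit from a user who does not own the post, and also publishes it, because the request supplied `is_owner` and `status`; the hardened one refuses it. The general rule this illustrates is that request data should never be able to name the variables it lands in, which rules out `extract()` on any array the client influences, even with `EXTR_SKIP`, since a later refactor that adds a new local reopens the hole.
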

TP-Link · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-5363 | High | 8.8 | | 2026-04-16 | Inadequate Encryption Strength vulnerability in TP-Link Archer C7 v5 and v5.8 (uhttpd modules) allows Password Recovery Exploitation. The web interface encrypts the admin password client-side using RSA-1024 before sending it to the router…

Tushar-2223 · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-6142 | High | 7.3 | | 2026-04-13 | A vulnerability was identified in tushar-2223 Hotel Management System up to bb1f3b3666124b888f1e4bcf51b6fba9fbb01d15.

Uclouvain · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-6192 | Low | 3.3 | | 2026-04-13 | A vulnerability was identified in uclouvain openjpeg up to 2.5.4.

Udamadu · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-6293 | Medium | 4.3 | | 2026-04-15 | The Inquiry Form to Posts or Pages plugin for WordPress is vulnerable to Cross-Site Request Forgery leading to Stored Cross-Site Scripting in version 1.0.

Ukrsolution · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-4880 | Critical | 9.8 | | 2026-04-16 | The Barcode Scanner (+Mobile App) – Inventory manager, Order fulfillment system, POS (Point of Sale) plugin for WordPress is vulnerable to privilege escalation via insecure token-based authentication in all versions up to, and including, 1…

Unitecms · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-4659 | High | 7.5 | | 2026-04-17 | The Unlimited Elements for Elementor plugin for WordPress is vulnerable to Arbitrary File Read via the Repeater JSON/CSV URL parameter in versions up to, and including, 2.0.6.

Utt · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-6186 | High | 8.8 | | 2026-04-13 | A security vulnerability has been detected in UTT HiPER 1200GW up to 2.5.3-170306.

Valtimo-platform · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-34164 | Medium | 4.9 | | 2026-04-16 | Valtimo is an open-source business process automation platform.

Veeam · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-21709 | Medium | 6.7 | | 2026-04-17 | A vulnerability allowing a local attacker with administrator privileges to bypass Windows Driver Signature Enforcement.

Vendidero · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-2582 | Medium | 6.5 | | 2026-04-14 | The Germanized for WooCommerce plugin for WordPress is vulnerable to arbitrary shortcode execution via the 'account_holder' parameter in all versions up to, and including, 3.20.5.

Villatheme · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-40737 | Medium | 5.3 | | 2026-04-15 | Authorization Bypass Through User-Controlled Key vulnerability in VillaTheme COMPE compe-woo-compare-products allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects COMPE: from n/a through <= 1.1.4.

Visaacceptancesolutions · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-3461 | Critical | 9.8 | | 2026-04-15 | The Visa Acceptance Solutions plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 2.1.0.

Vision · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-58343 | Medium | 4.3 | | 2026-04-16 | Vision Helpdesk before 5.7.0 (patched in 5.6.10) allows attackers to read user profiles via modified serialized cookie data to vis_client_id.

Volcengine · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-40525 | Critical | 9.1 | | 2026-04-17 | OpenViking prior to version 0.3.9 contains an authentication bypass vulnerability in the VikingBot OpenAPI HTTP route surface where the authentication check fails open when the api_key configuration value is unset or empty.

Wago · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2023-5872 | Medium | 4.3 | | 2026-04-16 | In Wago Smart Designer in versions up to 2.33.1 a low privileged remote attacker may enumerate projects and usernames through iterative requests to a specific endpoint.

Wavlink · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-6483 | High | 7.2 | | 2026-04-17 | A vulnerability was found in Wavlink WL-WN530H4 20220721.

Wc Lovers · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-63029 | High | 7.6 | | 2026-04-15 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WC Lovers WCFM Marketplace wc-multivendor-marketplace allows SQL Injection. This issue affects WCFM Marketplace: from n/a through <= 3.7.1.

Webmindpt · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-3998 | Medium | 6.4 | | 2026-04-15 | The WM JqMath plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'style' shortcode attribute of the [jqmath] shortcode in all versions up to and including 1.3.

Webonyx · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-40476 | High | 7.5 | | 2026-04-17 | graphql-go is a Go implementation of GraphQL.

Woobeewoo · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-1852 | Medium | 6.1 | | 2026-04-15 | The Product Pricing Table by WooBeWoo plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.0.

Wp Royal · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-40763 | Medium | 5.3 | | 2026-04-15 | Missing Authorization vulnerability in WP Royal Royal Elementor Addons royal-elementor-addons allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Royal Elementor Addons: from n/a through <= 1.7.1056.

Wp_media · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-6227 | High | 7.2 | | 2026-04-14 | The BackWPup plugin for WordPress is vulnerable to Local File Inclusion via the `block_name` parameter of the `/wp-json/backwpup/v1/getblock` REST endpoint in all versions up to, and including, 5.6.6 due to a non-recursive `str_replace()`…
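
The BackWPup entry (CVE-2026-6227) attributes the traversal to a non-recursive `str_replace()`, and the description is cut off before saying more. The PHP below is an added example, not BackWPup's code: the resolver functions, the template directory and the block names are constructed here, and nothing about the plugin's real `getblock` handler is reproduced. It shows the generic failure the description points at: `str_replace('../', '', ...)` runs a single left-to-right pass, so a `....//` sequence has its middle `../` removed and collapses back into `../`. The hardened variant constrains the name to a plain identifier and then confirms the resolved path still sits under the intended directory.

```php
<?php
// Added example for this page, illustrating the str_replace() traversal
// pattern named in CVE-2026-6227. This is not BackWPup code: the function
// names, template directory and inputs below are constructed.

// Vulnerable shape: one left-to-right pass of str_replace() removes each
// "../" it finds but never re-scans the text it produced, so "....//"
// loses its middle "../" and becomes "../" again.
function resolve_block_vulnerable(string $block_name, string $template_dir): string
{
    $clean = str_replace('../', '', $block_name);
    return $template_dir . '/' . $clean . '.php';
}

// Hardened shape: accept only a plain identifier, then resolve the path and
// confirm it still sits under the template directory. realpath() needs the
// file to exist, so on a machine without the constructed directory every
// input is refused, which is the safe default.
function resolve_block_hardened(string $block_name, string $template_dir): ?string
{
    if (!preg_match('/\A[A-Za-z0-9_-]+\z/', $block_name)) {
        return null;                                  // no dots, no separators
    }
    $base = realpath($template_dir);
    $path = realpath($template_dir . '/' . $block_name . '.php');
    if ($base === false || $path === false) {
        return null;                                  // directory or file missing
    }
    // Compare against "$base/" so a sibling directory that merely shares the
    // prefix (e.g. "templates-old") cannot pass the check.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;                                  // escaped the base directory
    }
    return $path;
}

// Constructed inputs: a legitimate name, a naive traversal that the filter
// does catch, and the doubled form that survives a single pass.
$template_dir = '/var/www/html/wp-content/plugins/example/templates';   // constructed
$inputs = ['header', '../../../wp-config', '....//....//....//wp-config'];

foreach ($inputs as $name) {
    printf("%-30s vulnerable: %s\n", $name, resolve_block_vulnerable($name, $template_dir));
    printf("%-30s hardened:   %s\n", '', var_export(resolve_block_hardened($name, $template_dir), true));
}
```

Run it with `php block_traversal.php` and compare the three vulnerable results: the second input is fully stripped, the third comes out with its traversal intact. Filtering by deletion is not a substitute for validating the final path; even a loop that strips until nothing changes can be beaten by encodings the loop does not know about, which is why the hardened form validates the name first and then checks `realpath()` against the base directory.
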

Wpcodefactory · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-4479 | Medium | 4.4 | | 2026-04-14 | The WholeSale Products Dynamic Pricing Management WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.2 due to insufficient input sanitization and output…

Wpdevteam · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-3875 | Medium | 6.4 | | 2026-04-16 | The BetterDocs plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'betterdocs_feedback_form' shortcode in all versions up to, and including, 4.3.8.

Wpengine · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-4812 | Medium | 5.3 | | 2026-04-15 | The Advanced Custom Fields (ACF) plugin for WordPress is vulnerable to Missing Authorization to Arbitrary Post/Page Disclosure in versions up to and including 6.7.0.

Wpeverest · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-6203 | Medium | 6.1 | | 2026-04-13 | The User Registration & Membership plugin for WordPress is vulnerable to Open Redirect in versions up to and including 5.1.4.

Wpmet · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-1782 | Medium | 5.3 | | 2026-04-15 | The MetForm Pro plugin for WordPress is vulnerable to Improper Input Validation in all versions up to, and including, 3.9.7. This is due to the payment integrations (Stripe/PayPal) trusting a user-submitted calculation field value without…

Wproyal · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-5162 | Medium | 6.4 | | 2026-04-17 | The Royal Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Instagram Feed widget's 'instagram_follow_text' setting in all versions up to, and including, 1.7.1056 due to insufficient input sanit…

Wpxpo · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-0718 | Medium | 5.3 | | 2026-04-16 | The Post Grid Gutenberg Blocks for News, Magazines, Blog Websites – PostX plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ultp_shareCount_callback() function in all versions…

Xquic Project · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-6328 | | | | 2026-04-15 | Improper input validation, Improper verification of cryptographic signature vulnerability in XQUIC Project XQUIC xquic on Linux (QUIC protocol implementation, packet processing module, STREAM frame handler modules) allows Protocol Manipula…

Yubico · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-40947 | Low | 2.9 | | 2026-04-16 | Yubico libfido2 before 1.17.0, python-fido2 before 2.2.0, and yubikey-manager before 5.9.1 have an unintended DLL search path.

Zahlan · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-40734 | Medium | 6.5 | | 2026-04-15 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Zahlan Categories Images categories-images allows DOM-Based XSS. This issue affects Categories Images: from n/a through <= 3.3.1.

Zaytech · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-15635 | Medium | 4.3 | | 2026-04-15 | Cross-Site Request Forgery (CSRF) vulnerability in ZAYTECH Smart Online Order for Clover clover-online-orders allows Cross Site Request Forgery. This issue affects Smart Online Order for Clover: from n/a through <= 1.6.0.