Patch Tuesday — April 2026
2026-04-14 · 1097 CVEs
CVEs published or modified the week of 2026-04-14, partitioned by vendor.
Microsoft (225 CVEs)

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-33824 | Critical | 9.8 | — | 2026-04-14 | Double free in Windows IKE Extension allows an unauthorized attacker to execute code over a network. |
| CVE-2026-6296 | Critical | 9.6 | — | 2026-04-15 | Heap buffer overflow in ANGLE in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. |
| CVE-2026-27303 | Critical | 9.6 | — | 2026-04-14 | Adobe Connect versions 2025.3, 12.10 and earlier are affected by a Deserialization of Untrusted Data vulnerability that could result in arbitrary code execution in the context of the current user. |
| CVE-2026-34615 | Critical | 9.3 | — | 2026-04-14 | Adobe Connect versions 2025.3, 12.10 and earlier are affected by a Deserialization of Untrusted Data vulnerability that could result in arbitrary code execution in the context of the current user. |
| CVE-2026-27246 | Critical | 9.3 | — | 2026-04-14 | Adobe Connect versions 2025.3, 12.10 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. |
| CVE-2026-27245 | Critical | 9.3 | — | 2026-04-14 | Adobe Connect versions 2025.3, 12.10 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnerability. |
| CVE-2026-27243 | Critical | 9.3 | — | 2026-04-14 | Adobe Connect versions 2025.3, 12.10 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnerability. |
| CVE-2026-26149 | Critical | 9.0 | — | 2026-04-14 | Improper neutralization of escape, meta, or control sequences in Microsoft Power Apps allows an authorized attacker to perform spoofing over a network. |
| CVE-2026-6318 | High | 8.8 | — | 2026-04-15 | Use after free in Codecs in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. |
| CVE-2026-6317 | High | 8.8 | — | 2026-04-15 | Use after free in Cast in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to execute arbitrary code via a crafted HTML page. |
| CVE-2026-6316 | High | 8.8 | — | 2026-04-15 | Use after free in Forms in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. |
| CVE-2026-6307 | High | 8.8 | — | 2026-04-15 | Type Confusion in Turbofan in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. |
| CVE-2026-6306 | High | 8.8 | — | 2026-04-15 | Heap buffer overflow in PDFium in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted PDF file. |
| CVE-2026-6305 | High | 8.8 | — | 2026-04-15 | Heap buffer overflow in PDFium in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted PDF file. |
| CVE-2026-6303 | High | 8.8 | — | 2026-04-15 | Use after free in Codecs in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. |
| CVE-2026-6302 | High | 8.8 | — | 2026-04-15 | Use after free in Video in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. |
| CVE-2026-6301 | High | 8.8 | — | 2026-04-15 | Type Confusion in Turbofan in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. |
| CVE-2026-6300 | High | 8.8 | — | 2026-04-15 | Use after free in CSS in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. |
| CVE-2026-6299 | High | 8.8 | — | 2026-04-15 | Use after free in Prerender in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to execute arbitrary code via a crafted HTML page. |
| CVE-2026-33120 | High | 8.8 | — | 2026-04-14 | Untrusted pointer dereference in SQL Server allows an authorized attacker to execute code over a network. |
| CVE-2026-32225 | High | 8.8 | — | 2026-04-14 | Protection mechanism failure in Windows Shell allows an unauthorized attacker to bypass a security feature over a network. |
| CVE-2026-32171 | High | 8.8 | — | 2026-04-14 | Insufficiently protected credentials in Azure Logic Apps allows an authorized attacker to elevate privileges over a network. |
| CVE-2026-32157 | High | 8.8 | — | 2026-04-14 | Use after free in Remote Desktop Client allows an unauthorized attacker to execute code over a network. |
| CVE-2026-26178 | High | 8.8 | — | 2026-04-14 | Integer size truncation in Windows Advanced Rasterization Platform (WARP) allows an unauthorized attacker to elevate privileges locally. |
| CVE-2026-26167 | High | 8.8 | — | 2026-04-14 | Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Push Notifications allows an authorized attacker to elevate privileges locally. |
| CVE-2026-34617 | High | 8.7 | — | 2026-04-14 | Adobe Connect versions 2025.3, 12.10 and earlier are affected by a Cross-Site Scripting (XSS) vulnerability that could result in privilege escalation. |
| CVE-2026-27928 | High | 8.7 | — | 2026-04-14 | Improper input validation in Windows Hello allows an unauthorized attacker to bypass a security feature over a network. |
| CVE-2026-27290 | High | 8.6 | — | 2026-04-14 | Adobe Framemaker versions 2022.8 and earlier are affected by an Untrusted Search Path vulnerability that might allow attackers to execute arbitrary code in the context of the current user. |
| CVE-2026-34622 | High | 8.6 | — | 2026-04-14 | Acrobat Reader versions 26.001.21411, 24.001.30360, 24.001.30362 and earlier are affected by an Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') vulnerability that could result in arbitrary code exe… |
| CVE-2026-33115 | High | 8.4 | — | 2026-04-14 | Use after free in Microsoft Office Word allows an unauthorized attacker to execute code locally. |
| CVE-2026-33114 | High | 8.4 | — | 2026-04-14 | Untrusted pointer dereference in Microsoft Office Word allows an unauthorized attacker to execute code locally. |
| CVE-2026-32221 | High | 8.4 | — | 2026-04-14 | Heap-based buffer overflow in Microsoft Graphics Component allows an unauthorized attacker to execute code locally. |
| CVE-2026-32190 | High | 8.4 | — | 2026-04-14 | Use after free in Microsoft Office allows an unauthorized attacker to execute code locally. |
| CVE-2026-32162 | High | 8.4 | — | 2026-04-14 | Acceptance of extraneous untrusted data with trusted data in Windows COM allows an unauthorized attacker to elevate privileges locally. |
| CVE-2026-32091 | High | 8.4 | — | 2026-04-14 | Concurrent execution using shared resource with improper synchronization ('race condition') in Microsoft Brokering File System allows an unauthorized attacker to elevate privileges locally. |
| CVE-2025-69627 | High | 8.4 | — | 2026-04-13 | Nitro PDF Pro for Windows 14.41.1.4 contains a heap use-after-free vulnerability in the implementation of the JavaScript method this.mailDoc(). |
| CVE-2026-6314 | High | 8.3 | — | 2026-04-15 | Out of bounds write in GPU in Google Chrome prior to 147.0.7727.101 allowed a remote attacker who had compromised the GPU process to potentially perform a sandbox escape via a crafted HTML page. |
| CVE-2026-6311 | High | 8.3 | — | 2026-04-15 | Uninitialized Use in Accessibility in Google Chrome on Windows prior to 147.0.7727.101 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. |
| CVE-2026-6310 | High | 8.3 | — | 2026-04-15 | Use after free in Dawn in Google Chrome prior to 147.0.7727.101 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. |
| CVE-2026-6309 | High | 8.3 | — | 2026-04-15 | Use after free in Viz in Google Chrome prior to 147.0.7727.101 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. |
| CVE-2026-6304 | High | 8.3 | — | 2026-04-15 | Use after free in Graphite in Google Chrome prior to 147.0.7727.101 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. |
| CVE-2026-6297 | High | 8.3 | — | 2026-04-15 | Use after free in Proxy in Google Chrome prior to 147.0.7727.101 allowed an attacker in a privileged network position to potentially perform a sandbox escape via a crafted HTML page. |
| CVE-2026-33827 | High | 8.1 | — | 2026-04-14 | Concurrent execution using shared resource with improper synchronization ('race condition') in Windows TCP/IP allows an unauthorized attacker to execute code over a network. |
| CVE-2026-33826 | High | 8.0 | — | 2026-04-14 | Improper input validation in Windows Active Directory allows an authorized attacker to execute code over an adjacent network. |
| CVE-2026-27912 | High | 8.0 | — | 2026-04-14 | Improper authorization in Windows Kerberos allows an authorized attacker to elevate privileges over an adjacent network. |
| CVE-2026-33414 | High | 7.8 | — | 2026-04-14 | Podman is a tool for managing OCI containers and pods. |
| CVE-2026-27298 | High | 7.8 | — | 2026-04-14 | Adobe Framemaker versions 2022.8 and earlier are affected by an Access of Resource Using Incompatible Type ('Type Confusion') vulnerability that could result in arbitrary code execution in the context of the current user. |
| CVE-2026-27297 | High | 7.8 | — | 2026-04-14 | Adobe Framemaker versions 2022.8 and earlier are affected by an Integer Underflow (Wrap or Wraparound) vulnerability that could result in arbitrary code execution in the context of the current user. |
| CVE-2026-27296 | High | 7.8 | — | 2026-04-14 | Adobe Framemaker versions 2022.8 and earlier are affected by an Integer Underflow (Wrap or Wraparound) vulnerability that could result in arbitrary code execution in the context of the current user. |
| CVE-2026-27295 | High | 7.8 | — | 2026-04-14 | Adobe Framemaker versions 2022.8 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. |
| CVE-2026-27294 | High | 7.8 | — | 2026-04-14 | Adobe Framemaker versions 2022.8 and earlier are affected by an out-of-bounds read vulnerability when parsing a crafted file, which could result in a read past the end of an allocated memory structure. |
| CVE-2026-27293 | High | 7.8 | — | 2026-04-14 | Adobe Framemaker versions 2022.8 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. |
| CVE-2026-27292 | High | 7.8 | — | 2026-04-14 | Adobe Framemaker versions 2022.8 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. |
| CVE-2026-34631 | High | 7.8 | — | 2026-04-14 | InCopy versions 20.5.2, 21.2 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. |
| CVE-2026-27287 | High | 7.8 | — | 2026-04-14 | InCopy versions 20.5.2, 21.2 and earlier are affected by an out-of-bounds read vulnerability when parsing a crafted file, which could result in a read past the end of an allocated memory structure. |
| CVE-2026-34630 | High | 7.8 | — | 2026-04-14 | Bridge versions 16.0.2, 15.1.4 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. |
| CVE-2026-34618 | High | 7.8 | — | 2026-04-14 | Illustrator versions 30.2, 29.8.5 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. |
| CVE-2026-27313 | High | 7.8 | — | 2026-04-14 | Bridge versions 16.0.2, 15.1.4 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. |
| CVE-2026-27312 | High | 7.8 | — | 2026-04-14 | Bridge versions 16.0.2, 15.1.4 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. |
| CVE-2026-27311 | High | 7.8 | — | 2026-04-14 | Bridge versions 16.0.2, 15.1.4 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. |
| CVE-2026-27310 | High | 7.8 | — | 2026-04-14 | Bridge versions 16.0.2, 15.1.4 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. |
| CVE-2026-33825 | High | 7.8 | KEV | 2026-04-14 | Insufficient granularity of access control in Microsoft Defender allows an authorized attacker to elevate privileges locally. |
| CVE-2026-33101 | High | 7.8 | — | 2026-04-14 | Use after free in Windows Print Spooler Components allows an authorized attacker to elevate privileges locally. |
| CVE-2026-33098 | High | 7.8 | — | 2026-04-14 | Use after free in Windows Container Isolation FS Filter Driver allows an authorized attacker to elevate privileges locally. |
| CVE-2026-33095 | High | 7.8 | — | 2026-04-14 | Use after free in Microsoft Office Word allows an unauthorized attacker to execute code locally. |
| CVE-2026-32222 | High | 7.8 | — | 2026-04-14 | Untrusted pointer dereference in Windows Win32K - ICOMP allows an authorized attacker to elevate privileges locally. |
| CVE-2026-32200 | High | 7.8 | — | 2026-04-14 | Use after free in Microsoft Office PowerPoint allows an unauthorized attacker to execute code locally. |
| CVE-2026-32199 | High | 7.8 | — | 2026-04-14 | Use after free in Microsoft Office Excel allows an unauthorized attacker to execute code locally. |
| CVE-2026-32198 | High | 7.8 | — | 2026-04-14 | Use after free in Microsoft Office Excel allows an unauthorized attacker to execute code locally. |
| CVE-2026-32197 | High | 7.8 | — | 2026-04-14 | Use after free in Microsoft Office Excel allows an unauthorized attacker to execute code locally. |
| CVE-2026-32192 | High | 7.8 | — | 2026-04-14 | Deserialization of untrusted data in Azure Monitor Agent allows an authorized attacker to elevate privileges locally. |
| CVE-2026-32189 | High | 7.8 | — | 2026-04-14 | Use after free in Microsoft Office Excel allows an unauthorized attacker to execute code locally. |
| CVE-2026-32184 | High | 7.8 | — | 2026-04-14 | Deserialization of untrusted data in Microsoft High Performance Compute Pack (HPC) allows an authorized attacker to elevate privileges locally. |
| CVE-2026-32183 | High | 7.8 | — | 2026-04-14 | Improper neutralization of special elements used in a command ('command injection') in Windows Snipping Tool allows an unauthorized attacker to execute code locally. |
| CVE-2026-32168 | High | 7.8 | — | 2026-04-14 | Improper input validation in Azure Monitor Agent allows an authorized attacker to elevate privileges locally. |
| CVE-2026-32165 | High | 7.8 | — | 2026-04-14 | Use after free in Windows User Interface Core allows an authorized attacker to elevate privileges locally. |
| CVE-2026-32164 | High | 7.8 | — | 2026-04-14 | Concurrent execution using shared resource with improper synchronization ('race condition') in Windows User Interface Core allows an authorized attacker to elevate privileges locally. |
| CVE-2026-32163 | High | 7.8 | — | 2026-04-14 | Concurrent execution using shared resource with improper synchronization ('race condition') in Windows User Interface Core allows an authorized attacker to elevate privileges locally. |
| CVE-2026-32160 | High | 7.8 | — | 2026-04-14 | Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Push Notifications allows an authorized attacker to elevate privileges locally. |
| CVE-2026-32159 | High | 7.8 | — | 2026-04-14 | Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Push Notifications allows an authorized attacker to elevate privileges locally. |
| CVE-2026-32158 | High | 7.8 | — | 2026-04-14 | Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Push Notifications allows an authorized attacker to elevate privileges locally. |
| CVE-2026-32155 | High | 7.8 | — | 2026-04-14 | Use after free in Desktop Window Manager allows an authorized attacker to elevate privileges locally. |
| CVE-2026-32154 | High | 7.8 | — | 2026-04-14 | Use after free in Desktop Window Manager allows an authorized attacker to elevate privileges locally. |
| CVE-2026-32153 | High | 7.8 | — | 2026-04-14 | Use after free in Microsoft Windows Speech allows an authorized attacker to elevate privileges locally. |
| CVE-2026-32152 | High | 7.8 | — | 2026-04-14 | Use after free in Desktop Window Manager allows an authorized attacker to elevate privileges locally. |
| CVE-2026-32090 | High | 7.8 | — | 2026-04-14 | Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Speech Brokered Api allows an authorized attacker to elevate privileges locally. |
| CVE-2026-32089 | High | 7.8 | — | 2026-04-14 | Use after free in Windows Speech Brokered Api allows an authorized attacker to elevate privileges locally. |
| CVE-2026-32078 | High | 7.8 | — | 2026-04-14 | Use after free in Windows Projected File System allows an authorized attacker to elevate privileges locally. |
| CVE-2026-32077 | High | 7.8 | — | 2026-04-14 | Untrusted pointer dereference in Windows Universal Plug and Play (UPnP) Device Host allows an authorized attacker to elevate privileges locally. |
| CVE-2026-32076 | High | 7.8 | — | 2026-04-14 | Out-of-bounds read in Windows Storage Spaces Controller allows an authorized attacker to elevate privileges locally. |
| CVE-2026-32074 | High | 7.8 | — | 2026-04-14 | Double free in Windows Projected File System allows an authorized attacker to elevate privileges locally. |
| CVE-2026-32069 | High | 7.8 | — | 2026-04-14 | Double free in Windows Projected File System allows an authorized attacker to elevate privileges locally. |
| CVE-2026-27927 | High | 7.8 | — | 2026-04-14 | Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Projected File System allows an authorized attacker to elevate privileges locally. |
| CVE-2026-27924 | High | 7.8 | — | 2026-04-14 | Use after free in Desktop Window Manager allows an authorized attacker to elevate privileges locally. |
| CVE-2026-27923 | High | 7.8 | — | 2026-04-14 | Use after free in Desktop Window Manager allows an authorized attacker to elevate privileges locally. |
| CVE-2026-27920 | High | 7.8 | — | 2026-04-14 | Untrusted pointer dereference in Windows Universal Plug and Play (UPnP) Device Host allows an authorized attacker to elevate privileges locally. |
| CVE-2026-27919 | High | 7.8 | — | 2026-04-14 | Untrusted pointer dereference in Windows Universal Plug and Play (UPnP) Device Host allows an authorized attacker to elevate privileges locally. |
| CVE-2026-27918 | High | 7.8 | — | 2026-04-14 | Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Shell allows an authorized attacker to elevate privileges locally. |
| CVE-2026-27916 | High | 7.8 | — | 2026-04-14 | Use after free in Windows Universal Plug and Play (UPnP) Device Host allows an authorized attacker to elevate privileges locally. |
| CVE-2026-27915 | High | 7.8 | — | 2026-04-14 | Use after free in Windows Universal Plug and Play (UPnP) Device Host allows an authorized attacker to elevate privileges locally. |
| CVE-2026-27914 | High | 7.8 | — | 2026-04-14 | Improper access control in Microsoft Management Console allows an authorized attacker to elevate privileges locally. |
| CVE-2026-27911 | High | 7.8 | — | 2026-04-14 | Concurrent execution using shared resource with improper synchronization ('race condition') in Windows User Interface Core allows an authorized attacker to elevate privileges locally. |
| CVE-2026-27910 | High | 7.8 | — | 2026-04-14 | Improper handling of insufficient permissions or privileges in Windows Installer allows an authorized attacker to elevate privileges locally. |
| CVE-2026-27909 | High | 7.8 | — | 2026-04-14 | Use after free in Microsoft Windows Search Component allows an authorized attacker to elevate privileges locally. |
| CVE-2026-27907 | High | 7.8 | — | 2026-04-14 | Integer underflow (wrap or wraparound) in Windows Storage Spaces Controller allows an authorized attacker to elevate privileges locally. |
| CVE-2026-26184 | High | 7.8 | — | 2026-04-14 | Buffer over-read in Windows Projected File System allows an authorized attacker to elevate privileges locally. |
| CVE-2026-26183 | High | 7.8 | — | 2026-04-14 | Improper access control in Windows RPC API allows an authorized attacker to elevate privileges locally. |
| CVE-2026-26181 | High | 7.8 | — | 2026-04-14 | Use after free in Microsoft Brokering File System allows an authorized attacker to elevate privileges locally. |
| CVE-2026-26180 | High | 7.8 | — | 2026-04-14 | Heap-based buffer overflow in Windows Kernel allows an authorized attacker to elevate privileges locally. |
| CVE-2026-26179 | High | 7.8 | — | 2026-04-14 | Double free in Windows Kernel allows an authorized attacker to elevate privileges locally. |
| CVE-2026-26176 | High | 7.8 | — | 2026-04-14 | Heap-based buffer overflow in Windows Client Side Caching driver (csc.sys) allows an authorized attacker to elevate privileges locally. |
| CVE-2026-26172 | High | 7.8 | — | 2026-04-14 | Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Push Notifications allows an authorized attacker to elevate privileges locally. |
| CVE-2026-26170 | High | 7.8 | — | 2026-04-14 | Improper input validation in Microsoft PowerShell allows an authorized attacker to elevate privileges locally. |
| CVE-2026-26168 | High | 7.8 | — | 2026-04-14 | Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally. |
| CVE-2026-26163 | High | 7.8 | — | 2026-04-14 | Double free in Windows Kernel allows an authorized attacker to elevate privileges locally. |
| CVE-2026-26162 | High | 7.8 | — | 2026-04-14 | Access of resource using incompatible type ('type confusion') in Windows OLE allows an authorized attacker to elevate privileges locally. |
| CVE-2026-26161 | High | 7.8 | — | 2026-04-14 | Untrusted pointer dereference in Windows Sensor Data Service allows an authorized attacker to elevate privileges locally. |
| CVE-2026-26160 | High | 7.8 | — | 2026-04-14 | Missing authentication for critical function in Windows Remote Desktop Licensing Service allows an authorized attacker to elevate privileges locally. |
| CVE-2026-26159 | High | 7.8 | — | 2026-04-14 | Missing authentication for critical function in Windows Remote Desktop Licensing Service allows an authorized attacker to elevate privileges locally. |
| CVE-2026-26156 | High | 7.8 | — | 2026-04-14 | Heap-based buffer overflow in Windows Hyper-V allows an unauthorized attacker to execute code locally. |
| CVE-2026-26153 | High | 7.8 | — | 2026-04-14 | Out-of-bounds read in Windows Encrypting File System (EFS) allows an authorized attacker to elevate privileges locally. |
| CVE-2026-26143 | High | 7.8 | — | 2026-04-14 | Improper input validation in Microsoft PowerShell allows an unauthorized attacker to bypass a security feature locally. |
| CVE-2026-23657 | High | 7.8 | — | 2026-04-14 | Use after free in Microsoft Office Word allows an unauthorized attacker to execute code locally. |
| CVE-2026-20930 | High | 7.8 | — | 2026-04-14 | Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Management Services allows an authorized attacker to elevate privileges locally. |
| CVE-2026-27284 | High | 7.8 | — | 2026-04-14 | InDesign Desktop versions 20.5.2, 21.2 and earlier are affected by an out-of-bounds read vulnerability when parsing a crafted file, which could result in a read past the end of an allocated memory structure. |
| CVE-2026-27283 | High | 7.8 | — | 2026-04-14 | InDesign Desktop versions 20.5.2, 21.2 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. |
| CVE-2026-27238 | High | 7.8 | — | 2026-04-14 | InDesign Desktop versions 20.5.2, 21.2 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. |
| CVE-2026-27913 | High | 7.7 | — | 2026-04-14 | Improper input validation in Windows BitLocker allows an unauthorized attacker to bypass a security feature locally. |
| CVE-2026-6308 | High | 7.5 | — | 2026-04-15 | Out of bounds read in Media in Google Chrome prior to 147.0.7727.101 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code via a crafted HTML page. |
| CVE-2026-33116 | High | 7.5 | — | 2026-04-14 | Loop with unreachable exit condition ('infinite loop') in .NET, .NET Framework, Visual Studio allows an unauthorized attacker to deny service over a network. |
| CVE-2026-33096 | High | 7.5 | — | 2026-04-14 | Out-of-bounds read in Windows HTTP.sys allows an unauthorized attacker to deny service over a network. |
| CVE-2026-32203 | High | 7.5 | — | 2026-04-14 | Stack-based buffer overflow in .NET and Visual Studio allows an unauthorized attacker to deny service over a network. |
| CVE-2026-32178 | High | 7.5 | — | 2026-04-14 | Improper neutralization of special elements in .NET allows an unauthorized attacker to perform spoofing over a network. |
| CVE-2026-32071 | High | 7.5 | — | 2026-04-14 | Null pointer dereference in Windows Local Security Authority Subsystem Service (LSASS) allows an unauthorized attacker to deny service over a network. |
| CVE-2026-26171 | High | 7.5 | — | 2026-04-14 | Uncontrolled resource consumption in .NET allows an unauthorized attacker to deny service over a network. |
| CVE-2026-26154 | High | 7.5 | — | 2026-04-14 | Improper input validation in Windows Server Update Service allows an unauthorized attacker to perform tampering over a network. |
| CVE-2026-23666 | High | 7.5 | — | 2026-04-14 | Improper input validation in .NET Framework allows an unauthorized attacker to deny service over a network. |
| CVE-2025-69624 | High | 7.5 | — | 2026-04-13 | Nitro PDF Pro for Windows 14.41.1.4 contains a NULL pointer dereference vulnerability in the JavaScript implementation of app.alert(). |
| CVE-2025-66769 | High | 7.5 | — | 2026-04-13 | A NULL pointer dereference in Nitro PDF Pro for Windows v14.41.1.4 allows attackers to cause a Denial of Service (DoS) via a crafted XFA packet. |
| CVE-2026-32156 | High | 7.4 | — | 2026-04-14 | Use after free in Windows Universal Plug and Play (UPnP) Device Host allows an unauthorized attacker to execute code locally. |
| CVE-2026-35603 | High | 7.3 | — | 2026-04-17 | Claude Code is an agentic coding tool. |
| CVE-2026-32149 | High | 7.3 | — | 2026-04-14 | Improper input validation in Windows Hyper-V allows an authorized attacker to execute code locally. |
| CVE-2026-32188 | High | 7.1 | — | 2026-04-14 | Out-of-bounds read in Microsoft Office Excel allows an unauthorized attacker to disclose information locally. |
| CVE-2026-26151 | High | 7.1 | — | 2026-04-14 | Insufficient ui warning of dangerous operations in Windows Remote Desktop allows an unauthorized attacker to perform spoofing over a network. |
| CVE-2026-33104 | High | 7.0 | — | 2026-04-14 | Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Win32K - GRFX allows an authorized attacker to elevate privileges locally. |
| CVE-2026-33100 | High | 7.0 | — | 2026-04-14 | Use after free in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally. |
| CVE-2026-33099 | High | 7.0 | — | 2026-04-14 | Use after free in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally. |
| CVE-2026-32224 | High | 7.0 | — | 2026-04-14 | Use after free in Windows Server Update Service allows an authorized attacker to elevate privileges locally. |
| CVE-2026-32219 | High | 7.0 | — | 2026-04-14 | Double free in Microsoft Brokering File System allows an authorized attacker to elevate privileges locally. |
| CVE-2026-32195 | High | 7.0 | — | 2026-04-14 | Stack-based buffer overflow in Windows Kernel allows an authorized attacker to elevate privileges locally. |
| CVE-2026-32150 | High | 7.0 | — | 2026-04-14 | Concurrent execution using shared resource with improper synchronization ('race condition') in Function Discovery Service (fdwsd.dll) allows an authorized attacker to elevate privileges locally. |
| CVE-2026-32093 | High | 7.0 | — | 2026-04-14 | Concurrent execution using shared resource with improper synchronization ('race condition') in Function Discovery Service (fdwsd.dll) allows an authorized attacker to elevate privileges locally. |
| CVE-2026-32087 | High | 7.0 | — | 2026-04-14 | Heap-based buffer overflow in Function Discovery Service (fdwsd.dll) allows an authorized attacker to elevate privileges locally. |
| CVE-2026-32086 | High | 7.0 | — | 2026-04-14 | Concurrent execution using shared resource with improper synchronization ('race condition') in Function Discovery Service (fdwsd.dll) allows an authorized attacker to elevate privileges locally. |
| CVE-2026-32083 | High | 7.0 | — | 2026-04-14 | Concurrent execution using shared resource with improper synchronization ('race condition') in Windows SSDP Service allows an authorized attacker to elevate privileges locally. |
| CVE-2026-32082 | High | 7.0 | — | 2026-04-14 | Concurrent execution using shared resource with improper synchronization ('race condition') in Windows SSDP Service allows an authorized attacker to elevate privileges locally. |
| CVE-2026-32080 | High | 7.0 | — | 2026-04-14 | Use after free in Windows WalletService allows an authorized attacker to elevate privileges locally. |
| CVE-2026-32075 | High | 7.0 | — | 2026-04-14 | Use after free in Windows Universal Plug and Play (UPnP) Device Host allows an authorized attacker to elevate privileges locally. |
| CVE-2026-32073 | High | 7.0 | — | 2026-04-14 | Use after free in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally. |
| CVE-2026-32070 | High | 7.0 | — | 2026-04-14 | Use after free in Windows Common Log File System Driver allows an authorized attacker to elevate privileges locally. |
| CVE-2026-32068 | High | 7.0 | — | 2026-04-14 | Concurrent execution using shared resource with improper synchronization ('race condition') in Windows SSDP Service allows an authorized attacker to elevate privileges locally. |
| CVE-2026-27929 | High | 7.0 | — | 2026-04-14 | Time-of-check time-of-use (toctou) race condition in Windows LUAFV allows an authorized attacker to elevate privileges locally. |
| CVE-2026-27926 | High | 7.0 | — | 2026-04-14 | Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Cloud Files Mini Filter Driver allows an authorized attacker to elevate privileges locally. |
| CVE-2026-27922 | High | 7.0 | — | 2026-04-14 | Use after free in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally. |
| CVE-2026-27921 | High | 7.0 | — | 2026-04-14 | Concurrent execution using shared resource with improper synchronization ('race condition') in Windows TCP/IP allows an authorized attacker to elevate privileges locally. |
| CVE-2026-27917 | High | 7.0 | — | 2026-04-14 | Use after free in Windows WFP NDIS Lightweight Filter Driver (wfplwfs.sys) allows an authorized attacker to elevate privileges locally. |
| CVE-2026-27908 | High | 7.0 | — | 2026-04-14 | Use after free in Windows TDI Translation Driver (tdx.sys) allows an authorized attacker to elevate privileges locally. |
| CVE-2026-26182 | High | 7.0 | — | 2026-04-14 | Use after free in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally. |
| CVE-2026-26177 | High | 7.0 | — | 2026-04-14 | Use after free in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally. |
| CVE-2026-26174 | High | 7.0 | — | 2026-04-14 | Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Server Update Service allows an authorized attacker to elevate privileges locally. |
| CVE-2026-26173 | High | 7.0 | — | 2026-04-14 | Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally. |
| CVE-2026-26166 | High | 7.0 | — | 2026-04-14 | Double free in Windows Shell allows an authorized attacker to elevate privileges locally. |
| CVE-2026-26165 | High | 7.0 | — | 2026-04-14 | Use after free in Windows Shell allows an authorized attacker to elevate privileges locally. |
| CVE-2026-26152 | High | 7.0 | — | 2026-04-14 | Insecure storage of sensitive information in Windows Cryptographic Services allows an authorized attacker to elevate privileges locally. |
| CVE-2026-25184 | High | 7.0 | — | 2026-04-14 | Concurrent execution using shared resource with improper synchronization ('race condition') in Applocker Filter Driver (applockerfltr.sys) allows an authorized attacker to elevate privileges locally. |
| CVE-2026-32223 | Medium | 6.8 | — | 2026-04-14 | Heap-based buffer overflow in Windows USB Print Driver allows an unauthorized attacker to elevate privileges with a physical attack. |
CVE-2026-32176 | Medium | 6.7 | — | 2026-04-14 | Improper neutralization of special elements used in an sql command ('sql injection') in SQL Server allows an authorized attacker to elevate privileges locally. |
CVE-2026-32167 | Medium | 6.7 | — | 2026-04-14 | Improper neutralization of special elements used in an sql command ('sql injection') in SQL Server allows an authorized attacker to elevate privileges locally. |
CVE-2026-0390 | Medium | 6.7 | — | 2026-04-14 | Reliance on untrusted inputs in a security decision in Windows Boot Loader allows an authorized attacker to bypass a security feature locally. |
CVE-2026-32201 | Medium | 6.5 | KEV | 2026-04-14 | Improper input validation in Microsoft Office SharePoint allows an unauthorized attacker to perform spoofing over a network. |
CVE-2026-32151 | Medium | 6.5 | — | 2026-04-14 | Exposure of sensitive information to an unauthorized actor in Windows Shell allows an authorized attacker to disclose information over a network. |
CVE-2026-27925 | Medium | 6.5 | — | 2026-04-14 | Use after free in Windows Universal Plug and Play (UPnP) Device Host allows an unauthorized attacker to disclose information over an adjacent network. |
CVE-2026-26155 | Medium | 6.5 | — | 2026-04-14 | Microsoft Local Security Authority Subsystem Service Information Disclosure Vulnerability |
CVE-2026-27299 | Medium | 6.3 | — | 2026-04-14 | Adobe Framemaker versions 2022.8 and earlier are affected by an Improper Input Validation vulnerability that could lead to arbitrary file system read. |
CVE-2026-34626 | Medium | 6.3 | — | 2026-04-14 | Acrobat Reader versions 26.001.21411, 24.001.30360, 24.001.30362 and earlier are affected by an Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') vulnerability that could result in arbitrary file sys… |
CVE-2026-32072 | Medium | 6.2 | — | 2026-04-14 | Improper authentication in Windows Active Directory allows an unauthorized attacker to perform spoofing locally. |
CVE-2026-34614 | Medium | 6.1 | — | 2026-04-14 | Adobe Connect versions 2025.3, 12.10 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnerability. |
CVE-2026-33822 | Medium | 6.1 | — | 2026-04-14 | Out-of-bounds read in Microsoft Office Word allows an unauthorized attacker to disclose information locally. |
CVE-2026-32196 | Medium | 6.1 | — | 2026-04-14 | Improper neutralization of input during web page generation ('cross-site scripting') in Windows Admin Center allows an unauthorized attacker to perform spoofing over a network. |
CVE-2026-32088 | Medium | 6.1 | — | 2026-04-14 | Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Biometric Service allows an unauthorized attacker to bypass a security feature with a physical attack. |
CVE-2026-26169 | Medium | 6.1 | — | 2026-04-14 | Buffer over-read in Windows Kernel Memory allows an authorized attacker to disclose information locally. |
CVE-2026-21331 | Medium | 6.1 | — | 2026-04-14 | Adobe Connect versions 2025.3, 12.10 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnerability. |
CVE-2026-32226 | Medium | 5.9 | — | 2026-04-14 | Concurrent execution using shared resource with improper synchronization ('race condition') in .NET Framework allows an unauthorized attacker to deny service over a network. |
CVE-2026-23670 | Medium | 5.7 | — | 2026-04-14 | Untrusted pointer dereference in Windows Virtualization-Based Security (VBS) Enclave allows an authorized attacker to bypass a security feature locally. |
CVE-2026-23653 | Medium | 5.7 | — | 2026-04-14 | Improper neutralization of special elements used in a command ('command injection') in GitHub Copilot and Visual Studio Code allows an authorized attacker to disclose information over a network. |
CVE-2026-27301 | Medium | 5.5 | — | 2026-04-14 | Adobe Framemaker versions 2022.8 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could lead to memory exposure. |
CVE-2026-27300 | Medium | 5.5 | — | 2026-04-14 | Adobe Framemaker versions 2022.8 and earlier are affected by an Access of Uninitialized Pointer vulnerability that could lead to memory exposure. |
CVE-2026-27222 | Medium | 5.5 | — | 2026-04-14 | Bridge versions 16.0.2, 15.1.4 and earlier are affected by a Divide By Zero vulnerability that could lead to application denial-of-service. |
CVE-2026-33103 | Medium | 5.5 | — | 2026-04-14 | Improper access control in Microsoft Dynamics 365 (on-premises) allows an authorized attacker to disclose information locally. |
CVE-2026-32218 | Medium | 5.5 | — | 2026-04-14 | Insertion of sensitive information into log file in Windows Kernel allows an authorized attacker to disclose information locally. |
CVE-2026-32217 | Medium | 5.5 | — | 2026-04-14 | Insertion of sensitive information into log file in Windows Kernel allows an authorized attacker to disclose information locally. |
CVE-2026-32216 | Medium | 5.5 | — | 2026-04-14 | Null pointer dereference in Windows Redirected Drive Buffering allows an authorized attacker to deny service locally. |
CVE-2026-32215 | Medium | 5.5 | — | 2026-04-14 | Insertion of sensitive information into log file in Windows Kernel allows an authorized attacker to disclose information locally. |
CVE-2026-32214 | Medium | 5.5 | — | 2026-04-14 | Improper access control in Universal Plug and Play (upnp.dll) allows an authorized attacker to disclose information locally. |
CVE-2026-32212 | Medium | 5.5 | — | 2026-04-14 | Improper link resolution before file access ('link following') in Universal Plug and Play (upnp.dll) allows an authorized attacker to disclose information locally. |
CVE-2026-32181 | Medium | 5.5 | — | 2026-04-14 | Improper privilege management in Microsoft Windows allows an authorized attacker to deny service locally. |
CVE-2026-32085 | Medium | 5.5 | — | 2026-04-14 | Exposure of sensitive information to an unauthorized actor in Windows Remote Procedure Call allows an authorized attacker to disclose information locally. |
CVE-2026-32084 | Medium | 5.5 | — | 2026-04-14 | Exposure of sensitive information to an unauthorized actor in Windows File Explorer allows an authorized attacker to disclose information locally. |
CVE-2026-32081 | Medium | 5.5 | — | 2026-04-14 | Exposure of sensitive information to an unauthorized actor in Windows File Explorer allows an authorized attacker to disclose information locally. |
CVE-2026-32079 | Medium | 5.5 | — | 2026-04-14 | Exposure of sensitive information to an unauthorized actor in Windows File Explorer allows an authorized attacker to disclose information locally. |
CVE-2026-27931 | Medium | 5.5 | — | 2026-04-14 | Out-of-bounds read in Windows GDI allows an unauthorized attacker to disclose information locally. |
CVE-2026-27930 | Medium | 5.5 | — | 2026-04-14 | Out-of-bounds read in Windows GDI allows an unauthorized attacker to disclose information locally. |
CVE-2026-20806 | Medium | 5.5 | — | 2026-04-14 | Access of resource using incompatible type ('type confusion') in Windows COM allows an authorized attacker to disclose information locally. |
CVE-2026-27286 | Medium | 5.5 | — | 2026-04-14 | InDesign Desktop versions 20.5.2, 21.2 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could lead to memory exposure. |
CVE-2026-27285 | Medium | 5.5 | — | 2026-04-14 | InDesign Desktop versions 20.5.2, 21.2 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could lead to application denial-of-service. |
CVE-2026-26175 | Medium | 4.6 | — | 2026-04-14 | Use of uninitialized resource in Windows Boot Manager allows an unauthorized attacker to bypass a security feature with a physical attack. |
CVE-2026-20945 | Medium | 4.6 | — | 2026-04-14 | Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network. |
CVE-2026-20928 | Medium | 4.6 | — | 2026-04-14 | Improper removal of sensitive information before storage or transfer in Windows Recovery Environment Agent allows an unauthorized attacker to bypass a security feature with a physical attack. |
CVE-2026-32220 | Medium | 4.4 | — | 2026-04-14 | Improper access control in Windows Virtualization-Based Security (VBS) Enclave allows an authorized attacker to bypass a security feature locally. |
CVE-2026-27906 | Medium | 4.4 | — | 2026-04-14 | Improper input validation in Windows Hello allows an authorized attacker to bypass a security feature locally. |
CVE-2026-6298 | Medium | 4.3 | — | 2026-04-15 | Heap buffer overflow in Skia in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. |
CVE-2026-33829 | Medium | 4.3 | — | 2026-04-14 | Exposure of sensitive information to an unauthorized actor in Windows Snipping Tool allows an unauthorized attacker to perform spoofing over a network. |
CVE-2026-32202 | Medium | 4.3 | KEV | 2026-04-14 | Protection mechanism failure in Windows Shell allows an unauthorized attacker to perform spoofing over a network. |
CVE-2026-6313 | Low | 3.1 | — | 2026-04-15 | Insufficient policy enforcement in CORS in Google Chrome prior to 147.0.7727.101 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. |
CVE-2026-6312 | Low | 3.1 | — | 2026-04-15 | Insufficient policy enforcement in Passwords in Google Chrome prior to 147.0.7727.101 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. |
Other vendors (872 CVEs across 319 vendors)
N/a · 94 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-38526 | Critical | 9.9 | — | 2026-04-14 | An authenticated arbitrary file upload vulnerability in the /admin/tinymce/upload endpoint of Webkul Krayin CRM v2.2.x allows attackers to execute arbitrary code via uploading a crafted PHP file. |
CVE-2026-37749 | Critical | 9.8 | — | 2026-04-17 | A SQL injection vulnerability in CodeAstro Simple Attendance Management System v1.0 allows remote unauthenticated attackers to bypass authentication via the username parameter in index.php. |
CVE-2026-37345 | Critical | 9.8 | — | 2026-04-16 | SourceCodester Vehicle Parking Area Management System v1.0 is vulnerable to SQL Injection in the file /parking/manage_park.php. |
CVE-2026-37340 | Critical | 9.8 | — | 2026-04-16 | SourceCodester Simple Music Cloud Community System v1.0 is vulnerable to SQL Injection in the file /music/edit_music.php. |
CVE-2026-37339 | Critical | 9.8 | — | 2026-04-16 | SourceCodester Simple Music Cloud Community System v1.0 is vulnerable to SQL Injection in the file /music/view_genre.php. |
CVE-2026-30993 | Critical | 9.8 | — | 2026-04-15 | Slah CMS v1.5.0 and below was discovered to contain a remote code execution (RCE) vulnerability in the session() function at config.php. |
CVE-2026-30625 | Critical | 9.8 | — | 2026-04-15 | Upsonic 0.71.6 contains a remote code execution vulnerability in its MCP server/task creation functionality. |
CVE-2025-70023 | Critical | 9.8 | — | 2026-04-14 | An issue pertaining to CWE-843: Access of Resource Using Incompatible Type was discovered in transloadit uppy v0.25.6. |
CVE-2025-65135 | Critical | 9.8 | — | 2026-04-14 | In manikandan580 School-management-system 1.0, a time-based blind SQL injection vulnerability exists in /studentms/admin/between-date-reprtsdetails.php through the fromdate POST parameter. |
CVE-2025-65133 | Critical | 9.8 | — | 2026-04-14 | A SQL injection vulnerability exists in the School Management System (version 1.0) by manikandan580. |
CVE-2025-63939 | Critical | 9.8 | — | 2026-04-14 | Improper input handling in /Grocery/search_products_itname.php, in anirudhkannan Grocery Store Management System 1.0, allows SQL injection via the sitem_name POST parameter. |
CVE-2025-61260 | Critical | 9.8 | — | 2026-04-14 | A vulnerability was identified in OpenAI Codex CLI v0.23.0 and before that enables code execution through malicious MCP (Model Context Protocol) configuration files. |
CVE-2026-31049 | Critical | 9.8 | — | 2026-04-14 | An issue in Hostbill v.2025-11-24 and 2025-12-01 allows a remote attacker to execute arbitrary code and escalate privileges via the CSV registration field. |
CVE-2026-31048 | Critical | 9.8 | — | 2026-04-13 | An issue in the `pickle` protocol of Pyro v3.x allows attackers to execute arbitrary code via supplying a crafted pickled string message. |
CVE-2026-31283 | Critical | 9.8 | — | 2026-04-13 | In Totara LMS v19.1.5 and before, the forgot password API does not implement rate limiting for the target email address. |
CVE-2026-31282 | Critical | 9.8 | — | 2026-04-13 | Totara LMS v19.1.5 and before is vulnerable to Incorrect Access Control. |
CVE-2026-37338 | Critical | 9.4 | — | 2026-04-16 | SourceCodester Simple Music Cloud Community System v1.0 is vulnerable to SQL Injection in the file /music/view_user.php. |
CVE-2026-37347 | Critical | 9.1 | — | 2026-04-16 | SourceCodester Payroll Management and Information System v1.0 is vulnerable to SQL Injection in the file /payroll/view_employee.php. |
CVE-2026-38529 | High | 8.8 | — | 2026-04-14 | A Broken Object-Level Authorization (BOLA) in the /Settings/UserController.php endpoint of Webkul Krayin CRM v2.2.x allows authenticated attackers to arbitrarily reset user passwords and perform a full account takeover via supplying a craf… |
CVE-2025-51414 | High | 8.8 | — | 2026-04-13 | In Phpgurukul Online Course Registration v3.1, an arbitrary file upload vulnerability was discovered within the profile picture upload functionality on the /my-profile.php page. |
CVE-2026-30995 | High | 8.6 | — | 2026-04-15 | Slah CMS v1.5.0 and below was discovered to contain a SQL injection vulnerability via the id parameter in the vereador_ver.php endpoint. |
CVE-2026-30617 | High | 8.6 | — | 2026-04-15 | LangChain-ChatChat 0.3.1 contains a remote code execution vulnerability in its MCP STDIO server configuration and execution handling. |
CVE-2026-38527 | High | 8.5 | — | 2026-04-14 | A Server-Side Request Forgery (SSRF) in the /settings/webhooks/create component of Webkul Krayin CRM v2.2.x allows attackers to scan internal resources via supplying a crafted POST request. |
CVE-2024-53412 | High | 8.4 | — | 2026-04-15 | Command injection in the connect function in NietThijmen ShoppingCart 0.0.2 allows an attacker to execute arbitrary shell commands and achieve remote code execution via injection of malicious payloads into the Port field. |
CVE-2026-30461 | High | 8.3 | — | 2026-04-15 | Daylight Studio FuelCMS v1.5.2 was discovered to contain an authenticated remote code execution (RCE) vulnerability via the /controllers/Installer.php and the function add_git_submodule. |
CVE-2026-38532 | High | 8.1 | — | 2026-04-14 | A Broken Object-Level Authorization (BOLA) in the /Contact/Persons/PersonController.php endpoint of Webkul Krayin CRM v2.2.x allows authenticated attackers to arbitrarily read, modify, and permanently delete any contact owned by other user… |
CVE-2026-38530 | High | 8.1 | — | 2026-04-14 | A Broken Object-Level Authorization (BOLA) in the /Controllers/Lead/LeadController.php endpoint of Webkul Krayin CRM v2.2.x allows authenticated attackers to arbitrarily read, modify, and permanently delete any lead owned by other users vi… |
CVE-2026-30615 | High | 8.0 | — | 2026-04-15 | A prompt injection vulnerability in Windsurf 1.9544.26 allows remote attackers to execute arbitrary commands on a victim system. |
CVE-2026-31281 | High | 8.0 | — | 2026-04-13 | Totara LMS v19.1.5 and before is vulnerable to HTML Injection. |
CVE-2026-31317 | High | 7.5 | — | 2026-04-17 | Craftql v1.3.7 and before is vulnerable to Server-Side Request Forgery (SSRF) which allows an attacker to execute arbitrary code via the vendor/markhuot/craftql/src/Listeners/GetAssetsFieldSchema.php file. |
CVE-2026-30656 | High | 7.5 | — | 2026-04-16 | A NULL pointer dereference vulnerability exists in fio (Flexible I/O Tester) v3.41 when parsing job files containing the fdp_pli option. |
CVE-2026-30996 | High | 7.5 | — | 2026-04-15 | An issue in the file handling logic of the component download.php of SAC-NFe v2.0.02 allows attackers to execute a directory traversal and read arbitrary files from the system via a crafted GET request. |
CVE-2026-30994 | High | 7.5 | — | 2026-04-15 | Incorrect access control in the config.php component of Slah v1.5.0 and below allows unauthenticated attackers to access sensitive information, including active session credentials. |
CVE-2025-67841 | High | 7.5 | — | 2026-04-15 | Nordic Semiconductor IronSide SE for nRF54H20 before 23.0.2+17 has an Algorithmic complexity issue. |
CVE-2026-30364 | High | 7.5 | — | 2026-04-15 | CentSDR commit e40795 was discovered to contain a stack overflow in the "Thread1" function. |
CVE-2026-37337 | High | 7.3 | — | 2026-04-16 | SourceCodester Simple Music Cloud Community System v1.0 is vulnerable to SQL Injection in the file /music/view_playlist.php. |
CVE-2026-37336 | High | 7.3 | — | 2026-04-16 | SourceCodester Simple Music Cloud Community System v1.0 is vulnerable to SQL Injection in the file /music/view_music.php. |
CVE-2026-30616 | High | 7.3 | — | 2026-04-15 | Jaaz 1.0.30 contains a remote code execution vulnerability in its MCP STDIO command execution handling. |
CVE-2026-36948 | High | 7.3 | — | 2026-04-13 | Sourcecodester Online Thesis Archiving System v1.0 is vulnerable to SQL injection in the file /otas/view_archive.php. |
CVE-2026-37344 | High | 7.2 | — | 2026-04-16 | SourceCodester Vehicle Parking Area Management System v1.0 is vulnerable to SQL Injection in the file /parking/manage_location.php. |
CVE-2026-37343 | High | 7.2 | — | 2026-04-16 | SourceCodester Vehicle Parking Area Management System v1.0 is vulnerable to SQL Injection in the file /parking/manage_user.php. |
CVE-2026-37342 | High | 7.2 | — | 2026-04-16 | SourceCodester Vehicle Parking Area Management System v1.0 is vulnerable to SQL Injection in the file /parking/view_parked_details.php. |
CVE-2026-37341 | High | 7.2 | — | 2026-04-16 | SourceCodester Vehicle Parking Area Management System v1.0 is vulnerable to SQL Injection in the file /parking/manage_category.php. |
CVE-2026-30459 | High | 7.1 | — | 2026-04-16 | An issue in the Forgot Password feature of Daylight Studio FuelCMS v1.5.2 allows unauthenticated attackers to obtain the password reset token of a victim user via a crafted link placed in a valid e-mail message. |
CVE-2026-38528 | High | 7.1 | — | 2026-04-14 | Krayin CRM v2.2.x was discovered to contain a SQL injection vulnerability via the rotten_lead parameter at /Lead/LeadDataGrid.php. |
CVE-2026-37100 | Medium | 6.5 | — | 2026-04-16 | An issue in the Bluetooth Low Energy (BLE) control interface of the Yamaha SR-B30A sound bar firmware 2.40 (Mobile App: Sound Bar Remote / version: 2.40) allows remote attackers within BLE radio range to connect without authentication via… |
CVE-2026-38533 | Medium | 6.5 | — | 2026-04-14 | An improper authorization vulnerability in the /api/v1/users/{id} endpoint of Snipe-IT v8.4.0 allows authenticated attackers with the users.edit permission to modify sensitive authentication and account-state fields of other non-admin user… |
CVE-2026-30480 | Medium | 6.5 | — | 2026-04-14 | A Local File Inclusion (LFI) vulnerability in the NFSen module (nfsen.inc.php) of LibreNMS 22.11.0-23-gd091788f2 allows authenticated attackers to include arbitrary PHP files from the server filesystem via path traversal sequences in the n… |
CVE-2026-31280 | Medium | 6.5 | — | 2026-04-13 | An issue in the Bluetooth RFCOMM service of Parani M10 Motorcycle Intercom v2.1.3 allows unauthorized attackers to cause a Denial of Service (DoS) via supplying crafted RFCOMM frames. |
CVE-2026-6215 | Medium | 6.3 | — | 2026-04-13 | A weakness has been identified in DbGate up to 7.1.4. |
CVE-2026-29628 | Medium | 6.2 | — | 2026-04-13 | A stack overflow in the experimental/tinyobj_loader_opt.h file of tinyobjloader commit d56555b allows attackers to cause a Denial of Service (DoS) via supplying a crafted .mtl file. |
CVE-2026-5160 | Medium | 6.1 | — | 2026-04-15 | Versions of the package github.com/yuin/goldmark/renderer/html before 1.7.17 are vulnerable to Cross-site Scripting (XSS) due to improper ordering of URL validation and normalization. |
CVE-2025-65136 | Medium | 6.1 | — | 2026-04-14 | In manikandan580 School-management-system 1.0, a reflected XSS vulnerability exists in /studentms/admin/contact-us.php via the pagedes POST parameter. |
CVE-2025-65134 | Medium | 6.1 | — | 2026-04-14 | In manikandan580 School-management-system 1.0, a reflected cross-site scripting (XSS) vulnerability exists in /studentms/admin/contact-us.php via the email POST parameter. |
CVE-2025-65132 | Medium | 6.1 | — | 2026-04-14 | alandsilva26 hotel-management-php 1.0 is vulnerable to Cross Site Scripting (XSS) in /public/admin/edit_room.php which allows an attacker to inject and execute arbitrary JavaScript via the room_id GET parameter. |
CVE-2026-26460 | Medium | 6.1 | — | 2026-04-13 | An HTML Injection vulnerability exists in the Dashboard module of Vtiger CRM 8.4.0. |
CVE-2025-70795 | Medium | 5.5 | — | 2026-04-17 | STProcessMonitor 11.11.4.0, part of the Safetica Application suite, allows an admin-privileged user to send crafted IOCTL requests to terminate processes that are protected through a third-party implementation. |
CVE-2025-70936 | Medium | 5.4 | — | 2026-04-13 | Vtiger CRM 8.4.0 contains a reflected cross-site scripting (XSS) vulnerability in the MailManager module. |
CVE-2025-63743 | Medium | 5.4 | — | 2026-04-13 | Cross-Site Scripting vulnerability in the Snipe-IT web-based asset management system v8.3.0 to up and including v8.3.1 allows authenticated attacker with lowest privileges sufficient only to log in, to inject arbitrary JavaScript code via… |
CVE-2026-6491 | Medium | 5.3 | — | 2026-04-17 | A security vulnerability has been detected in libvips up to 8.18.2. |
CVE-2026-37346 | Medium | 4.7 | — | 2026-04-16 | SourceCodester Payroll Management and Information System v1.0 is vulnerable to SQL Injection in the file /payroll/view_account.php?emp_id=. |
CVE-2026-6220 | Medium | 4.7 | — | 2026-04-13 | A vulnerability was identified in HummerRisk up to 1.5.0. |
CVE-2025-69893 | Medium | 4.6 | — | 2026-04-14 | A side-channel vulnerability exists in the implementation of BIP-39 mnemonic processing, as observed in Trezor One v1.13.0 to v1.14.0, Trezor T v1.13.0 to v1.14.0, and Trezor Safe v1.13.0 to v1.14.0 hardware wallets. |
CVE-2026-6486 | Low | 3.5 | — | 2026-04-17 | A vulnerability was detected in classroombookings up to 2.17.0. |
CVE-2026-6216 | Low | 3.5 | — | 2026-04-13 | A security vulnerability has been detected in DbGate up to 7.1.4. |
CVE-2026-37602 | Low | 2.7 | — | 2026-04-14 | SourceCodester Patient Appointment Scheduler System v1.0 is vulnerable to SQL Injection in the file /scheduler/admin/user/manage_user.php. |
CVE-2026-37601 | Low | 2.7 | — | 2026-04-14 | SourceCodester Patient Appointment Scheduler System v1.0 is vulnerable to SQL Injection in the file /scheduler/admin/appointments/manage_appointment.php. |
CVE-2026-37600 | Low | 2.7 | — | 2026-04-14 | SourceCodester Patient Appointment Scheduler System v1.0 is vulnerable to SQL Injection in the file /scheduler/admin/appointments/view_details.php. |
CVE-2026-37598 | Low | 2.7 | — | 2026-04-14 | SourceCodester Patient Appointment Scheduler System v1.0 is vulnerable to arbitrary code execution (RCE) via /scheduler/classes/SystemSettings.php?f=update_settings. |
CVE-2026-37597 | Low | 2.7 | — | 2026-04-14 | SourceCodester Online Employees Work From Home Attendance System v1.0 is vulnerable to SQL Injection in the file /wfh_attendance/admin/attendance_list.php. |
CVE-2026-37596 | Low | 2.7 | — | 2026-04-14 | SourceCodester Online Employees Work From Home Attendance System v1.0 is vulnerable to SQL Injection in the file /wfh_attendance/admin/manage_department.php. |
CVE-2026-37595 | Low | 2.7 | — | 2026-04-14 | SourceCodester Online Employees Work From Home Attendance System v1.0 is vulnerable to SQL Injection in the file /wfh_attendance/admin/manage_employee.php. |
CVE-2026-37594 | Low | 2.7 | — | 2026-04-14 | SourceCodester Online Employees Work From Home Attendance System v1.0 is vulnerable to SQL Injection in the file /wfh_attendance/admin/view_employee.php. |
CVE-2026-37593 | Low | 2.7 | — | 2026-04-14 | SourceCodester Online Employees Work From Home Attendance System v1.0 is vulnerable to SQL Injection in the file /wfh_attendance/admin/view_att.php. |
CVE-2026-37592 | Low | 2.7 | — | 2026-04-14 | Sourcecodester Storage Unit Rental Management System v1.0 is vulnerable to SQL injection in the file /storage/admin/maintenance/manage_pricing.php. |
CVE-2026-37591 | Low | 2.7 | — | 2026-04-14 | Sourcecodester Storage Unit Rental Management System v1.0 is vulnerable to SQL injection in the file /storage/admin/tenants/view_details.php. |
CVE-2026-37590 | Low | 2.7 | — | 2026-04-14 | SourceCodester Storage Unit Rental Management System v1.0 is vulnerable to SQL Injection in the file /storage/admin/rents/manage_rent.php. |
CVE-2026-37589 | Low | 2.7 | — | 2026-04-14 | SourceCodester Storage Unit Rental Management System v1.0 is vulnerable to SQL Injection in the file /storage/admin/maintenance/manage_storage_unit.php. |
CVE-2026-36952 | Low | 2.7 | — | 2026-04-13 | Sourcecodester Online Thesis Archiving System v1.0 is vulnerable to SQL injection in the file /otas/admin/curriculum/manage_curriculum.php. |
CVE-2026-36950 | Low | 2.7 | — | 2026-04-13 | Sourcecodester Online Thesis Archiving System v1.0 is vulnerable to SQL injection in /otas/projects_per_department.php. |
CVE-2026-36938 | Low | 2.7 | — | 2026-04-13 | Sourcecodester Online Resort Management System v1.0 is vulnerable to SQL injection in /orms/admin/rooms/view_room.php. |
CVE-2026-36937 | Low | 2.7 | — | 2026-04-13 | Sourcecodester Online Resort Management System v1.0 is vulnerable to SQL injection in /orms/admin/reservations/view_details.php. |
CVE-2026-36945 | Low | 2.7 | — | 2026-04-13 | Sourcecodester Computer and Mobile Repair Shop Management System v1.0 is vulnerable to SQL injection in the file /rsms/admin/clients/manage_client.php. |
CVE-2026-36944 | Low | 2.7 | — | 2026-04-13 | Sourcecodester Computer and Mobile Repair Shop Management System v1.0 is vulnerable to SQL injection in the file /rsms/admin/repairs/view_details.php. |
CVE-2026-36943 | Low | 2.7 | — | 2026-04-13 | Sourcecodester Computer and Mobile Repair Shop Management System v1.0 is vulnerable to SQL injection in the file /rsms/admin/repairs/manage_repair.php. |
CVE-2026-36942 | Low | 2.7 | — | 2026-04-13 | Sourcecodester Online Resort Management System v1.0 is vulnerable to SQL injection in the file /orms/admin/activities/manage_activity.php. |
CVE-2026-36941 | Low | 2.7 | — | 2026-04-13 | Sourcecodester Online Resort Management System v1.0 is vulnerable to SQL Injection in the file /orms/admin/rooms/manage_room.php. |
CVE-2026-36947 | Low | 2.7 | — | 2026-04-13 | Sourcecodester Computer and Mobile Repair Shop Management System v1.0 is vulnerable to SQL Injection in the file /rsms/admin/services/view_service.php. |
CVE-2026-36946 | Low | 2.7 | — | 2026-04-13 | Sourcecodester Computer and Mobile Repair Shop Management System v1.0 is vulnerable to SQL injection in the file /rsms/admin/inquiries/view_details.php. |
CVE-2026-36923 | Low | 2.7 | — | 2026-04-13 | Sourcecodester Cab Management System 1.0 is vulnerable to SQL Injection in the file /cms/admin/bookings/view_booking.php. |
CVE-2026-36922 | Low | 2.7 | — | 2026-04-13 | Sourcecodester Cab Management System v1.0 is vulnerable to SQL injection in the file /cms/admin/categories/view_category.php. |
CVE-2026-36874 | Low | 2.7 | — | 2026-04-13 | Sourcecodester Basic Library System v1.0 is vulnerable to SQL Injection in /librarysystem/load_student.php. |
CVE-2026-36873 | Low | 2.7 | — | 2026-04-13 | Sourcecodester Basic Library System v1.0 is vulnerable to SQL Injection in /librarysystem/load_admin.php. |
CVE-2026-36872 | Low | 2.7 | — | 2026-04-13 | Sourcecodester Basic Library System v1.0 is vulnerable to SQL Injection in /librarysystem/load_book.php. |
Fortinet · 27 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-39813 | Critical | 9.8 | — | 2026-04-14 | A path traversal: '../filedir' vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0.5, FortiSandbox 4.4.0 through 4.4.8 may allow an attacker to escalate privileges via specially crafted HTTP requests. |
CVE-2026-39808 | Critical | 9.8 | — | 2026-04-14 | An improper neutralization of special elements used in an os command ('os command injection') vulnerability in Fortinet FortiSandbox 4.4.0 through 4.4.8 may allow an attacker to execute unauthorized code or commands via <insert attack vector h… |
CVE-2026-39815 | High | 8.8 | — | 2026-04-14 | An improper neutralization of special elements used in an sql command ('sql injection') vulnerability in Fortinet FortiDDoS-F 7.2.1 through 7.2.2 may allow an attacker to execute unauthorized code or commands via sending crafted HTTP requests. |
CVE-2026-22828 | High | 8.1 | — | 2026-04-14 | A heap-based buffer overflow vulnerability in Fortinet FortiAnalyzer Cloud 7.6.2 through 7.6.4, FortiManager Cloud 7.6.2 through 7.6.4 may allow a remote unauthenticated attacker to execute arbitrary code or commands via specifically craft… |
CVE-2026-23708 | High | 7.5 | — | 2026-04-14 | An improper authentication vulnerability in Fortinet FortiSOAR PaaS 7.6.0 through 7.6.3, FortiSOAR PaaS 7.5.0 through 7.5.2, FortiSOAR on-premise 7.6.0 through 7.6.3, FortiSOAR on-premise 7.5.0 through 7.5.2 may allow an unauthenticated att… |
CVE-2026-40688 | High | 7.2 | — | 2026-04-14 | An out-of-bounds write vulnerability [CWE-787] in Fortinet FortiWeb 8.0.0 through 8.0.3, FortiWeb 7.6.0 through 7.6.6, FortiWeb 7.4.0 through 7.4.11 may allow a remote privileged attacker to execute arbitrary code or command… |
CVE-2025-61848 | High | 7.2 | — | 2026-04-14 | An improper neutralization of special elements used in an sql command ('sql injection') vulnerability in Fortinet FortiAnalyzer 7.6.0 through 7.6.4, FortiAnalyzer 7.4.0 through 7.4.8, FortiAnalyzer 7.2 all versions, FortiAnalyzer 7.0 all v… |
CVE-2026-39814 | Medium | 6.7 | — | 2026-04-14 | A relative path traversal vulnerability in Fortinet FortiWeb 8.0.0 through 8.0.2, FortiWeb 7.6.0 through 7.6.6, FortiWeb 7.4.1 through 7.4.12, FortiWeb 7.2.7 through 7.2.12, FortiWeb 7.0.10 through 7.0.12 may allow an attacker to execute unau… |
CVE-2026-39809 | Medium | 6.7 | — | 2026-04-14 | An improper neutralization of special elements used in an sql command ('sql injection') vulnerability in Fortinet FortiClientEMS 7.4.0 through 7.4.5, FortiClientEMS 7.2.0 through 7.2.12, FortiClientEMS 7.0 all versions may allow an attacker to… |
CVE-2026-25691 | Medium | 6.7 | — | 2026-04-14 | An improper limitation of a pathname to a restricted directory ('path traversal') vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0.5, FortiSandbox 4.4.0 through 4.4.8, FortiSandbox 4.2 all versions, FortiSandbox Cloud 5.0.4, FortiSa… |
CVE-2026-22573 | Medium | 6.5 | — | 2026-04-14 | An improper limitation of a pathname to a restricted directory ('path traversal') vulnerability in Fortinet FortiSOAR PaaS 7.6.0 through 7.6.3, FortiSOAR PaaS 7.5 all versions, FortiSOAR PaaS 7.4 all versions, FortiSOAR PaaS 7.3 all versio… |
CVE-2026-22155 | Medium | 6.5 | — | 2026-04-14 | A cleartext transmission of sensitive information vulnerability in Fortinet FortiSOAR PaaS 7.6.0 through 7.6.3, FortiSOAR PaaS 7.5.0 through 7.5.2, FortiSOAR PaaS 7.4 all versions, FortiSOAR PaaS 7.3 all versions, FortiSOAR on-premise 7.6… |
CVE-2025-53847 | Medium | 6.5 | — | 2026-04-14 | A missing authentication for critical function vulnerability in Fortinet FortiOS 7.6.0 through 7.6.3, FortiOS 7.4.0 through 7.4.8, FortiOS 7.2.0 through 7.2.11, FortiOS 7.0.0 through 7.0.17, FortiOS 6.4 all versions, FortiOS 6.2.9 through… |
CVE-2026-39810 | Medium | 6.0 | — | 2026-04-14 | A use of a hard-coded cryptographic key vulnerability in Fortinet FortiClientEMS 7.4.0 through 7.4.5 may allow an attacker to disclose information by decrypting a database dump. |
CVE-2025-68649 | Medium | 6.0 | — | 2026-04-14 | An improper limitation of a pathname to a restricted directory ('path traversal') vulnerability in Fortinet FortiAnalyzer 7.6.0 through 7.6.4, FortiAnalyzer 7.4.0 through 7.4.7, FortiAnalyzer 7.2 all versions, FortiAnalyzer 7.0 all version… |
CVE-2025-61624 | Medium | 6.0 | — | 2026-04-14 | An Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') [CWE-22] vulnerability in Fortinet FortiOS 7.6.0 through 7.6.4, FortiOS 7.4.0 through 7.4.9, FortiOS 7.2 all versions, FortiOS 7.0 all versions, FortiOS 6.4… |
CVE-2026-21742 | Medium | 5.7 | — | 2026-04-14 | A cleartext transmission of sensitive information vulnerability in Fortinet FortiSOAR PaaS 7.6.0 through 7.6.3, FortiSOAR PaaS 7.5.0 through 7.5.2, FortiSOAR PaaS 7.4 all versions, FortiSOAR PaaS 7.3 all versions, FortiSOAR on-premise 7.6… |
CVE-2025-61886 | Medium | 5.4 | — | 2026-04-14 | An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability [CWE-79] in Fortinet FortiSandbox 5.0.0 through 5.0.4, FortiSandbox PaaS 5.0.0 through 5.0.4 may allow an attacker to perfo… |
CVE-2024-23104 | Medium | 5.4 | — | 2026-04-14 | An exposure of sensitive information to an unauthorized actor vulnerability in Fortinet FortiNDR 7.6.0, FortiNDR 7.4.0 through 7.4.8, FortiNDR 7.2 all versions, FortiNDR 7.1 all versions, FortiNDR 7.0 all versions, FortiVoice 7.0.0 through… |
CVE-2026-39811 | Medium | 4.9 | — | 2026-04-14 | An integer overflow or wraparound vulnerability in Fortinet FortiWeb 8.0.0 through 8.0.3, FortiWeb 7.6.0 through 7.6.6, FortiWeb 7.4 all versions, FortiWeb 7.2 all versions, FortiWeb 7.0 all versions may allow an attacker to cause a denial of service… |
CVE-2026-39812 | Medium | 4.8 | — | 2026-04-14 | An improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0.5, FortiSandbox 4.4.0 through 4.4.8, FortiSandbox 4.2 all versions, FortiSandbox PaaS 5.0.0 thr… |
CVE-2026-22154 | Medium | 4.6 | — | 2026-04-14 | An improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Fortinet FortiSOAR PaaS 7.6.0 through 7.6.3, FortiSOAR PaaS 7.5.0 through 7.5.2, FortiSOAR PaaS 7.4 all versions, FortiSOAR PaaS 7.3 a… |
CVE-2026-22576 | Medium | 4.3 | — | 2026-04-14 | A storing passwords in a recoverable format vulnerability in Fortinet FortiSOAR PaaS 7.6.0 through 7.6.4, FortiSOAR PaaS 7.5.0 through 7.5.2, FortiSOAR PaaS 7.4 all versions, FortiSOAR PaaS 7.3 all versions, FortiSOAR on-premise 7.6.0 thro… |
CVE-2025-59809 | Medium | 4.3 | — | 2026-04-14 | A server-side request forgery (SSRF) vulnerability [CWE-918] in Fortinet FortiSOAR PaaS 7.6.4, FortiSOAR PaaS 7.6.0 through 7.6.2, FortiSOAR PaaS 7.5.0 through 7.5.2, FortiSOAR PaaS 7.4 all versions, FortiSOAR PaaS 7.3 all ve… |
CVE-2026-22574 | Medium | 4.1 | — | 2026-04-14 | A storing passwords in a recoverable format vulnerability in Fortinet FortiSOAR PaaS 7.6.0 through 7.6.4, FortiSOAR PaaS 7.5.0 through 7.5.2, FortiSOAR PaaS 7.4 all versions, FortiSOAR PaaS 7.3 all versions, FortiSOAR on-premise 7.6.0 thro… |
CVE-2026-27316 | Low | 2.7 | — | 2026-04-14 | An insufficiently protected credentials vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0.5, FortiSandbox 4.4 all versions, FortiSandbox PaaS 5.0.1 through 5.0.5 may allow an authenticated administrator to read LDAP server credentia… |
CVE-2026-21741 | Low | 2.4 | — | 2026-04-14 | A URL Redirection to Untrusted Site ('Open Redirect') vulnerability [CWE-601] in Fortinet FortiNAC-F 7.6.0 through 7.6.5, FortiNAC-F 7.4 all versions, FortiNAC-F 7.2 all versions may allow a remote privileged attacker with s… |
Dell · 21 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-23853 | High | 8.4 | — | 2026-04-17 | Dell PowerProtect Data Domain with Data Domain Operating System (DD OS) of Feature Release versions 7.7.1.0 through 8.5, LTS2025 release version 8.3.1.0 through 8.3.1.20, LTS2024 release versions 7.13.1.0 through 7.13.1.50, contain a use o… |
CVE-2025-36568 | High | 7.8 | — | 2026-04-17 | Dell PowerProtect Data Domain BoostFS for client of Feature Release versions 7.7.1.0 through 8.5, LTS2025 release version 8.3.1.0 through 8.3.1.20, LTS2024 release versions 7.13.1.0 through 7.13.1.50, contain an insufficiently protected cr… |
CVE-2026-23775 | High | 7.6 | — | 2026-04-17 | Dell PowerProtect Data Domain appliances with Data Domain Operating System (DD OS) of Feature Release versions 8.0 through 8.5, LTS2025 release version 8.3.1.0 through 8.3.1.10 contain an insertion of sensitive information into log file vu… |
CVE-2026-23772 | High | 7.3 | — | 2026-04-16 | Dell Storage Manager - Replay Manager for Microsoft Servers, version 8.0, contains an Improper Privilege Management vulnerability. |
CVE-2026-23776 | High | 7.2 | — | 2026-04-17 | Dell PowerProtect Data Domain with Data Domain Operating System (DD OS) of Feature Release versions 7.7.1.0 through 8.5, LTS2025 release version 8.3.1.0 through 8.3.1.20, LTS2024 release versions 7.13.1.0 through 7.13.1.60, contain(s) an I… |
CVE-2026-23778 | High | 7.2 | — | 2026-04-17 | Dell PowerProtect Data Domain with Data Domain Operating System (DD OS) of Feature Release versions 7.7.1.0 through 8.5, LTS2025 release version 8.3.1.0 through 8.3.1.20, LTS2024 release versions 7.13.1.0 through 7.13.1.50, contain a comma… |
CVE-2026-35153 | Medium | 6.7 | — | 2026-04-17 | Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.7.0.0, LTS2025 release versions 8.3.1.0 through 8.3.1.20, LTS2024 release versions 7.13.1.0 through 7.13.1.60 contain an improper neutralization of argument delimiters in a command… |
CVE-2026-35074 | Medium | 6.7 | — | 2026-04-17 | Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.7.0.0, LTS2025 release versions 8.3.1.0 through 8.3.1.20, LTS2024 release versions 7.13.1.0 through 7.13.1.60 contain an improper neutralization of special elements used in an OS Co… |
CVE-2026-35073 | Medium | 6.7 | — | 2026-04-17 | Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.7.0.0, LTS2025 release versions 8.3.1.0 through 8.3.1.20, LTS2024 release versions 7.13.1.0 through 7.13.1.60 contain an improper neutralization of special elements used in an OS co… |
CVE-2026-35072 | Medium | 6.7 | — | 2026-04-17 | Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.7.0.0, LTS2025 release versions 8.3.1.0 through 8.3.1.20, LTS2024 release versions 7.13.1.0 through 7.13.1.60 contain an improper neutralization of special elements used in an OS co… |
CVE-2026-23779 | Medium | 6.7 | — | 2026-04-17 | Dell PowerProtect Data Domain with Data Domain Operating System (DD OS) of Feature Release versions 7.7.1.0 through 8.5, LTS2025 release version 8.3.1.0 through 8.3.1.20, LTS2024 release versions 7.13.1.0 through 7.13.1.50, contain a comma… |
CVE-2025-46641 | Medium | 6.6 | — | 2026-04-17 | Dell PowerProtect Data Domain with Data Domain Operating System (DD OS) of Feature Release versions 8.4 through 8.5 contain an improper authentication vulnerability. |
CVE-2025-46607 | Medium | 6.6 | — | 2026-04-17 | Dell PowerProtect Data Domain with Data Domain Operating System (DD OS) of Feature Release versions 8.4 through 8.5 contain an improper authentication vulnerability. |
CVE-2025-43937 | Medium | 6.6 | — | 2026-04-16 | Dell PowerScale OneFS, versions prior to 9.12.0.0, contains an insertion of sensitive information into log file vulnerability. |
CVE-2025-46606 | Medium | 6.2 | — | 2026-04-17 | Dell PowerProtect Data Domain with Data Domain Operating System (DD OS) of Feature Release versions 8.4 through 8.5 contain an improper restriction of excessive authentication attempts vulnerability. |
CVE-2025-46605 | Medium | 6.2 | — | 2026-04-17 | Dell PowerProtect Data Domain with Data Domain Operating System (DD OS) of Feature Release versions 8.4 through 8.5 contain a session fixation vulnerability. |
CVE-2026-28263 | Medium | 5.9 | — | 2026-04-17 | Dell PowerProtect Data Domain with Data Domain Operating System (DD OS) of Feature Release versions 7.7.1.0 through 8.5, LTS2025 release version 8.3.1.0 through 8.3.1.20, LTS2024 release versions 7.13.1.0 through 7.13.1.50, contain a cross… |
CVE-2025-36579 | Medium | 5.1 | — | 2026-04-16 | Dell Client Platform BIOS contains a Weak Password Recovery Mechanism vulnerability. |
CVE-2025-43935 | Medium | 4.4 | — | 2026-04-16 | Dell PowerScale OneFS, versions prior to 9.12.0.0, contains an improper resource shutdown or release vulnerability. |
CVE-2026-23777 | Medium | 4.3 | — | 2026-04-17 | Dell PowerProtect Data Domain with Data Domain Operating System (DD OS) of Feature Release versions 7.7.1.0 through 8.5, LTS2025 release version 8.3.1.0 through 8.3.1.20, LTS2024 release versions 7.13.1.0 through 7.13.1.50, contain an expo… |
CVE-2025-43883 | Medium | 4.1 | — | 2026-04-16 | Dell PowerScale OneFS, versions prior to 9.12.0.0, contains an improper check for unusual or exceptional conditions vulnerability. |
Huawei · 20 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-34865 | Critical | 9.1 | — | 2026-04-13 | Out-of-bounds write vulnerability in the WEB module. Impact: Successful exploitation of this vulnerability will affect availability and confidentiality. |
CVE-2026-34853 | High | 7.7 | — | 2026-04-13 | Permission bypass vulnerability in the LBS module. |
CVE-2026-34856 | High | 7.3 | — | 2026-04-13 | UAF vulnerability in the communication module. |
CVE-2026-28553 | Medium | 6.9 | — | 2026-04-13 | Vulnerability of improper permission control in the theme setting module. |
CVE-2026-34864 | Medium | 6.8 | — | 2026-04-13 | Boundary-unlimited vulnerability in the application read module. |
CVE-2026-34863 | Medium | 6.7 | — | 2026-04-13 | Out-of-bounds write vulnerability in the file system. |
CVE-2026-34862 | Medium | 6.3 | — | 2026-04-13 | Race condition vulnerability in the power consumption statistics module. |
CVE-2026-34861 | Medium | 6.3 | — | 2026-04-13 | Race condition vulnerability in the thermal management module. |
CVE-2026-34852 | Medium | 6.1 | — | 2026-04-13 | Stack overflow vulnerability in the media platform. |
CVE-2026-34859 | Medium | 5.9 | — | 2026-04-13 | UAF vulnerability in the kernel module. |
CVE-2026-34855 | Medium | 5.7 | — | 2026-04-13 | Out-of-bounds write vulnerability in the kernel module. |
CVE-2026-34854 | Medium | 5.7 | — | 2026-04-13 | UAF vulnerability in the kernel module. |
CVE-2026-34867 | Medium | 5.6 | — | 2026-04-13 | Double free vulnerability in the multi-mode input system. |
CVE-2026-34866 | Medium | 5.1 | — | 2026-04-13 | Out-of-bounds write vulnerability in the WEB module. Impact: Successful exploitation of this vulnerability will affect availability and confidentiality. |
CVE-2026-34857 | Medium | 4.7 | — | 2026-04-13 | UAF vulnerability in the communication module. |
CVE-2026-34858 | Medium | 4.1 | — | 2026-04-13 | UAF vulnerability in the communication module. |
CVE-2026-34860 | Medium | 4.1 | — | 2026-04-13 | Access control vulnerability in the memo module. |
CVE-2026-34849 | Low | 2.5 | — | 2026-04-13 | UAF vulnerability in the screen management module. |
CVE-2026-34851 | Low | 2.2 | — | 2026-04-13 | Race condition vulnerability in the event notification module. |
CVE-2026-34850 | Low | 1.9 | — | 2026-04-13 | Race condition vulnerability in the notification service. |
Adobe · 18 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-27304 | Critical | 9.3 | — | 2026-04-14 | ColdFusion versions 2023.18, 2025.6 and earlier are affected by an Improper Input Validation vulnerability that could result in arbitrary code execution in the context of the current user. |
CVE-2026-27305 | High | 8.6 | — | 2026-04-14 | ColdFusion versions 2023.18, 2025.6 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could lead to arbitrary file system read. |
CVE-2026-27306 | High | 8.4 | — | 2026-04-14 | ColdFusion versions 2023.18, 2025.6 and earlier are affected by an Improper Input Validation vulnerability that could result in arbitrary code execution in the context of the current user. |
CVE-2026-34632 | High | 8.2 | — | 2026-04-15 | Adobe Photoshop Installer was affected by an Uncontrolled Search Path Element vulnerability that could have resulted in arbitrary code execution in the context of the current user. |
CVE-2026-27289 | High | 7.8 | — | 2026-04-14 | Photoshop Desktop versions 27.4 and earlier are affected by an out-of-bounds read vulnerability when parsing a crafted file, which could result in a read past the end of an allocated memory structure. |
CVE-2026-34629 | High | 7.8 | — | 2026-04-14 | InDesign Desktop versions 20.5.2, 21.2 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. |
CVE-2026-34628 | High | 7.8 | — | 2026-04-14 | InDesign Desktop versions 20.5.2, 21.2 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. |
CVE-2026-34627 | High | 7.8 | — | 2026-04-14 | InDesign Desktop versions 20.5.2, 21.2 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. |
CVE-2026-27291 | High | 7.8 | — | 2026-04-14 | InDesign Desktop versions 20.5.2, 21.2 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. |
CVE-2026-34619 | High | 7.7 | — | 2026-04-14 | ColdFusion versions 2023.18, 2025.6 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could result in a Security feature bypass. |
CVE-2026-27282 | High | 7.5 | — | 2026-04-14 | ColdFusion versions 2023.18, 2025.6 and earlier are affected by an Improper Input Validation vulnerability that could result in a Security feature bypass. |
CVE-2026-27258 | Medium | 5.5 | — | 2026-04-14 | DNG SDK versions 1.7.1 2502 and earlier are affected by an out-of-bounds write vulnerability that could lead to application denial-of-service. |
CVE-2026-34625 | Medium | 5.4 | — | 2026-04-14 | Adobe Experience Manager versions 6.5.24, FP11.7 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. |
CVE-2026-34624 | Medium | 5.4 | — | 2026-04-14 | Adobe Experience Manager versions 6.5.24, FP11.7 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. |
CVE-2026-34623 | Medium | 5.4 | — | 2026-04-14 | Adobe Experience Manager versions 6.5.24, FP11.7 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. |
CVE-2026-27288 | Medium | 5.4 | — | 2026-04-14 | Adobe Experience Manager versions 6.5.24, FP11.7 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. |
CVE-2026-27308 | Low | 2.4 | — | 2026-04-14 | ColdFusion versions 2023.18, 2025.6 and earlier are affected by an Uncontrolled Resource Consumption vulnerability that could lead to application denial-of-service. |
CVE-2026-27307 | Low | 2.4 | — | 2026-04-14 | ColdFusion versions 2023.18, 2025.6 and earlier are affected by an Uncontrolled Resource Consumption vulnerability that could lead to application denial-of-service. |
Code-projects · 18 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-6183 | High | 7.3 | — | 2026-04-13 | A security flaw has been discovered in code-projects Simple Content Management System 1.0. |
CVE-2026-6182 | High | 7.3 | — | 2026-04-13 | A vulnerability was identified in code-projects Simple Content Management System 1.0. |
CVE-2026-6167 | High | 7.3 | — | 2026-04-13 | A vulnerability was detected in code-projects Faculty Management System 1.0. |
CVE-2026-6166 | High | 7.3 | — | 2026-04-13 | A security vulnerability has been detected in code-projects Vehicle Showroom Management System 1.0. |
CVE-2026-6165 | High | 7.3 | — | 2026-04-13 | A weakness has been identified in code-projects Vehicle Showroom Management System 1.0. |
CVE-2026-6164 | High | 7.3 | — | 2026-04-13 | A security flaw has been discovered in code-projects Lost and Found Thing Management 1.0. |
CVE-2026-6163 | High | 7.3 | — | 2026-04-13 | A vulnerability was identified in code-projects Lost and Found Thing Management 1.0. |
CVE-2026-6161 | High | 7.3 | — | 2026-04-13 | A vulnerability was determined in code-projects Simple ChatBox up to 1.0. |
CVE-2026-6153 | High | 7.3 | — | 2026-04-13 | A vulnerability was identified in code-projects Vehicle Showroom Management System 1.0. |
CVE-2026-6152 | High | 7.3 | — | 2026-04-13 | A vulnerability was determined in code-projects Vehicle Showroom Management System 1.0. |
CVE-2026-6151 | High | 7.3 | — | 2026-04-13 | A vulnerability was found in code-projects Vehicle Showroom Management System 1.0. |
CVE-2026-6149 | High | 7.3 | — | 2026-04-13 | A flaw has been found in code-projects Vehicle Showroom Management System 1.0. |
CVE-2026-6148 | High | 7.3 | — | 2026-04-13 | A vulnerability was detected in code-projects Vehicle Showroom Management System 1.0. |
CVE-2026-6202 | Medium | 6.3 | — | 2026-04-13 | A security flaw has been discovered in code-projects Easy Blog Site 1.0. |
CVE-2026-6160 | Medium | 5.3 | — | 2026-04-13 | A vulnerability was found in code-projects Simple ChatBox 1.0. |
CVE-2026-6159 | Medium | 4.3 | — | 2026-04-13 | A vulnerability has been found in code-projects Simple ChatBox up to 1.0. |
CVE-2026-6150 | Medium | 4.3 | — | 2026-04-13 | A vulnerability has been found in code-projects Simple Laundry System 1.0. |
CVE-2026-6184 | Low | 2.4 | — | 2026-04-13 | A weakness has been identified in code-projects Simple Content Management System 1.0. |
Samsung · 18 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-25208 | High | 8.1 | — | 2026-04-13 | Integer overflow vulnerability in Samsung Open Source Escargot allows Overflow Buffers. This issue affects Escargot: 97e8115ab1110bc502b4b5e4a0c689a71520d335. |
CVE-2026-25207 | High | 7.4 | — | 2026-04-13 | Out-of-bounds write vulnerability in Samsung Open Source Escargot allows Overflow Buffers. This issue affects Escargot: 97e8115ab1110bc502b4b5e4a0c689a71520d335. |
CVE-2026-25205 | High | 7.4 | — | 2026-04-13 | Heap-based buffer overflow vulnerability in Samsung Open Source Escargot allows out-of-bounds write. This issue affects Escargot commit hash 97e8115ab1110bc502b4b5e4a0c689a71520d335. |
CVE-2026-40446 | Medium | 6.9 | — | 2026-04-13 | Access of resource using incompatible type ('type confusion') vulnerability in Samsung Open Source Escargot allows Pointer Manipulation. This issue affects Escargot: 97e8115ab1110bc502b4b5e4a0c689a71520d335. |
CVE-2026-21011 | Medium | 6.8 | — | 2026-04-13 | Incorrect privilege assignment in Bluetooth in Maintenance mode prior to SMR Apr-2026 Release 1 allows physical attackers to bypass Extend Unlock. |
CVE-2026-21009 | Medium | 6.8 | — | 2026-04-13 | Improper check for exceptional conditions in Recents prior to SMR Apr-2026 Release 1 allows physical attackers to bypass App Pinning. |
CVE-2026-21007 | Medium | 6.8 | — | 2026-04-13 | Improper check for exceptional conditions in Device Care prior to SMR Apr-2026 Release 1 allows physical attackers to bypass Knox Guard. |
CVE-2026-21003 | Medium | 6.8 | — | 2026-04-13 | Improper input validation in data related to network restrictions prior to SMR Apr-2026 Release 1 allows physical attackers to bypass the restrictions. |
CVE-2026-25206 | Medium | 6.7 | — | 2026-04-13 | Out-of-bounds read vulnerability in Samsung Open Source Escargot allows Resource Leak Exposure. This issue affects Escargot: 97e8115ab1110bc502b4b5e4a0c689a71520d335. |
CVE-2026-21010 | Medium | 6.6 | — | 2026-04-13 | Improper input validation in Retail Mode prior to SMR Apr-2026 Release 1 allows local attackers to trigger privileged functions. |
CVE-2026-21008 | Medium | 6.5 | — | 2026-04-13 | Exposure of sensitive information in S Share prior to SMR Apr-2026 Release 1 allows an adjacent attacker to access sensitive information. |
CVE-2026-25209 | Medium | 6.5 | — | 2026-04-13 | Out-of-bounds read vulnerability in Samsung Open Source Escargot allows Resource Leak Exposure. This issue affects Escargot: 97e8115ab1110bc502b4b5e4a0c689a71520d335. |
CVE-2026-25204 | Medium | 6.2 | — | 2026-04-13 | Deserialization of untrusted data vulnerability in Samsung Open Source Escargot Java Script allows denial of service condition via process abort. |
CVE-2026-21013 | Medium | 5.5 | — | 2026-04-13 | Incorrect default permission in Galaxy Wearable prior to version 2.2.68.26 allows local attackers to access sensitive information. |
CVE-2026-40447 | Medium | 5.1 | — | 2026-04-13 | Integer overflow or wraparound vulnerability in Samsung Open Source Escargot allows undefined behavior. This issue affects Escargot: 97e8115ab1110bc502b4b5e4a0c689a71520d335. |
CVE-2026-21012 | Low | 3.3 | — | 2026-04-13 | External control of file name in AODManager prior to SMR Apr-2026 Release 1 allows a privileged local attacker to create a file with system privileges. |
CVE-2026-21014 | Low | 2.8 | — | 2026-04-13 | Improper access control in Samsung Camera prior to version 16.5.00.28 allows a local attacker to access location data. |
CVE-2026-21006 | Low | 2.4 | — | 2026-04-13 | Improper access control in Samsung DeX prior to SMR Apr-2026 Release 1 allows physical attackers to access hidden notification contents. |
Cisco · 15 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-20186 | Critical | 9.9 | — | 2026-04-15 | A vulnerability in Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to execute arbitrary commands on the underlying operating system of an affected device. |
CVE-2026-20180 | Critical | 9.9 | — | 2026-04-15 | A vulnerability in Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to execute arbitrary commands on the underlying operating system of an affected device. |
CVE-2026-20147 | Critical | 9.9 | — | 2026-04-15 | A vulnerability in Cisco ISE and Cisco ISE-PIC could allow an authenticated, remote attacker to execute arbitrary commands on the underlying operating system of an affected device. |
CVE-2026-20184 | Critical | 9.8 | — | 2026-04-15 | A vulnerability in the integration of single sign-on (SSO) with Control Hub in Cisco Webex Services could have allowed an unauthenticated, remote attacker to impersonate any user within the service. This vulnerability existed because of… |
CVE-2026-20081 | Medium | 6.5 | — | 2026-04-15 | Multiple vulnerabilities in Cisco Unity Connection could allow an authenticated, remote attacker to download arbitrary files from an affected system. |
CVE-2026-20078 | Medium | 6.5 | — | 2026-04-15 | Multiple vulnerabilities in Cisco Unity Connection could allow an authenticated, remote attacker to download arbitrary files from an affected system. |
CVE-2026-20170 | Medium | 6.1 | — | 2026-04-15 | A vulnerability in the Desktop Agent functionality of Cisco Webex Contact Center could have allowed an unauthenticated, remote attacker to conduct cross-site scripting attacks. |
CVE-2026-20059 | Medium | 6.1 | — | 2026-04-15 | A vulnerability in the web-based management interface of Cisco Unity Connection could allow an unauthenticated, remote attacker to conduct a reflected XSS attack against a user of the interface. This vulnerability exists because the web… |
CVE-2026-20136 | Medium | 6.0 | — | 2026-04-15 | A vulnerability in the CLI of Cisco Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC) could allow an authenticated, local attacker with administrative privileges to perform a command injection attack on… |
CVE-2026-20161 | Medium | 5.5 | — | 2026-04-15 | A vulnerability in the CLI of Cisco ThousandEyes Enterprise Agent could allow an authenticated, local attacker with low privileges to overwrite arbitrary files on the local system of an affected device. This vulnerability is due to impr… |
CVE-2026-20152 | Medium | 5.3 | — | 2026-04-15 | A vulnerability in the authentication service feature of Cisco AsyncOS Software for Cisco Secure Web Appliance could allow an unauthenticated, remote attacker to bypass authentication policy requirements. This vulnerability is due to im… |
CVE-2026-20148 | Medium | 4.9 | — | 2026-04-15 | A vulnerability in Cisco ISE and Cisco ISE-PIC could allow an authenticated, remote attacker to perform path traversal attacks on the underlying operating system and read arbitrary files. |
CVE-2026-20132 | Medium | 4.8 | — | 2026-04-15 | Multiple vulnerabilities in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker with administrative write privileges to conduct a stored cross-site scripting (XSS) a… |
CVE-2026-20060 | Medium | 4.7 | — | 2026-04-15 | A vulnerability in the web-based management interface of Cisco Unity Connection could allow an unauthenticated, remote attacker to redirect a user to a malicious web page. This vulnerability is due to improper input validation of HTTP r… |
CVE-2026-20061 | Medium | 4.3 | — | 2026-04-15 | A vulnerability in the web-based management interface of Cisco Unity Connection could allow an authenticated, remote attacker to perform an SQL injection attack against an affected device. |
Linux · 15 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-31414 | Critical | 9.8 | — | 2026-04-13 | In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_conntrack_expect: use expect->helper Use expect->helper in ctnetlink and /proc to dump the helper name. |
CVE-2026-31419 | High | 7.8 | — | 2026-04-13 | In the Linux kernel, the following vulnerability has been resolved: net: bonding: fix use-after-free in bond_xmit_broadcast() bond_xmit_broadcast() reuses the original skb for the last slave (determined by bond_is_last_slave()) and clone… |
CVE-2026-31417 | High | 7.5 | — | 2026-04-13 | In the Linux kernel, the following vulnerability has been resolved: net/x25: Fix overflow when accumulating packets Add a check to ensure that `x25_sock.fraglen` does not overflow. |
CVE-2026-31426 | High | 7.0 | — | 2026-04-13 | In the Linux kernel, the following vulnerability has been resolved: ACPI: EC: clean up handlers on probe failure in acpi_ec_setup() When ec_install_handlers() returns -EPROBE_DEFER on reduced-hardware platforms, it has already started th… |
CVE-2026-31428 | Medium | 5.5 | — | 2026-04-13 | In the Linux kernel, the following vulnerability has been resolved: netfilter: nfnetlink_log: fix uninitialized padding leak in NFULA_PAYLOAD __build_packet_message() manually constructs the NFULA_PAYLOAD netlink attribute using skb_put(… |
CVE-2026-31427 | Medium | 5.5 | — | 2026-04-13 | In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_conntrack_sip: fix use of uninitialized rtp_addr in process_sdp process_sdp() declares union nf_inet_addr rtp_addr on the stack and passes it to the nf_nat… |
CVE-2026-31425 | Medium | 5.5 | — | 2026-04-13 | In the Linux kernel, the following vulnerability has been resolved: rds: ib: reject FRMR registration before IB connection is established rds_ib_get_mr() extracts the rds_ib_connection from conn->c_transport_data and passes it to rds_ib_… |
CVE-2026-31424 | Medium | 5.5 | — | 2026-04-13 | In the Linux kernel, the following vulnerability has been resolved: netfilter: x_tables: restrict xt_check_match/xt_check_target extensions for NFPROTO_ARP Weiming Shi says: xt_match and xt_target structs registered with NFPROTO_UNSPEC… |
CVE-2026-31423 | Medium | 5.5 | — | 2026-04-13 | In the Linux kernel, the following vulnerability has been resolved: net/sched: sch_hfsc: fix divide-by-zero in rtsc_min() m2sm() converts a u32 slope to a u64 scaled value. |
CVE-2026-31422 | Medium | 5.5 | — | 2026-04-13 | In the Linux kernel, the following vulnerability has been resolved: net/sched: cls_flow: fix NULL pointer dereference on shared blocks flow_change() calls tcf_block_q() and dereferences q->handle to derive a default baseclass. |
CVE-2026-31421 | Medium | 5.5 | — | 2026-04-13 | In the Linux kernel, the following vulnerability has been resolved: net/sched: cls_fw: fix NULL pointer dereference on shared blocks The old-method path in fw_classify() calls tcf_block_q() and dereferences q->handle. |
CVE-2026-31420 | Medium | 5.5 | — | 2026-04-13 | In the Linux kernel, the following vulnerability has been resolved: bridge: mrp: reject zero test interval to avoid OOM panic br_mrp_start_test() and br_mrp_start_in_test() accept the user-supplied interval value from netlink without val… |
CVE-2026-31418 | Medium | 5.5 | — | 2026-04-13 | In the Linux kernel, the following vulnerability has been resolved: netfilter: ipset: drop logically empty buckets in mtype_del mtype_del() counts empty slots below n->pos in k, but it only drops the bucket when both n->pos and k are zer… |
CVE-2026-31416 | Medium | 5.5 | — | 2026-04-13 | In the Linux kernel, the following vulnerability has been resolved: netfilter: nfnetlink_log: account for netlink header size This is a followup to an old bug fix: NLMSG_DONE needs to account for the netlink header size, not just the att… |
CVE-2026-31415 | Medium | 5.5 | — | 2026-04-13 | In the Linux kernel, the following vulnerability has been resolved: ipv6: avoid overflows in ip6_datagram_send_ctl() Yiming Qian reported : <quote> I believe I found a locally triggerable kernel bug in the IPv6 sendmsg ancillary-data p… |
Apache · 13 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-31908 | Critical | 9.1 | — | 2026-04-14 | Header injection vulnerability in Apache APISIX. |
CVE-2026-33858 | High | 8.8 | — | 2026-04-13 | Dag Authors, who normally should not be able to execute code in the webserver context could craft XCom payload causing the webserver to execute arbitrary code. |
CVE-2026-35337 | High | 8.8 | — | 2026-04-13 | Deserialization of Untrusted Data vulnerability in Apache Storm. |
CVE-2025-54550 | High | 8.1 | — | 2026-04-15 | The example example_xcom that was included in the Airflow documentation implemented an unsafe pattern of reading a value from XCom in a way that could be exploited to allow a UI user who had access to modify XComs to perform arbitrary execution of… |
CVE-2026-31987 | High | 7.5 | — | 2026-04-16 | JWT Tokens used by tasks were exposed in logs. |
CVE-2026-30778 | High | 7.5 | — | 2026-04-15 | The SkyWalking OAP /debugging/config/dump endpoint may leak sensitive configuration information of MySQL/PostgreSQL. |
CVE-2026-31923 | High | 7.5 | — | 2026-04-14 | Cleartext Transmission of Sensitive Information vulnerability in Apache APISIX. |
CVE-2025-66236 | High | 7.5 | — | 2026-04-13 | Before Airflow 3.2.0, it was unclear that secure Airflow deployments require the Deployment Manager to take appropriate actions and pay attention to security details and security model of Airflow. |
CVE-2026-34476 | High | 7.1 | — | 2026-04-13 | Server-Side Request Forgery via SW-URL Header vulnerability in Apache SkyWalking MCP. |
CVE-2026-25219 | Medium | 6.5 | — | 2026-04-15 | The `access_key` and `connection_string` connection properties were not marked as sensitive names in secrets masker. |
CVE-2026-35565 | Medium | 5.4 | — | 2026-04-13 | Stored Cross-Site Scripting (XSS) via Unsanitized Topology Metadata in Apache Storm UI Versions Affected: before 2.8.6 Description: The Storm UI visualization component interpolates topology metadata including component IDs, stream nam… |
CVE-2026-31924 | Medium | 5.3 | — | 2026-04-14 | Cleartext Transmission of Sensitive Information vulnerability in Apache APISIX. |
CVE-2026-33929 | Medium | 4.3 | — | 2026-04-14 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache PDFBox Examples. |
Anviz · 12 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-35546 | Critical | 9.8 | — | 2026-04-17 | Anviz CX2 Lite and CX7 are vulnerable to unauthenticated firmware uploads. |
CVE-2026-40066 | High | 8.8 | — | 2026-04-17 | Anviz CX2 Lite and CX7 are vulnerable to unverified update packages that can be uploaded. |
CVE-2026-35682 | High | 8.8 | — | 2026-04-17 | Anviz CX2 Lite is vulnerable to an authenticated command injection via a filename parameter that enables arbitrary command execution (e.g., starting telnetd), resulting in root‑level access. |
CVE-2026-40434 | High | 8.1 | — | 2026-04-17 | Anviz CrossChex Standard lacks source verification in the client/server channel, enabling TCP packet injection by an attacker on the same network to alter or disrupt application traffic. |
CVE-2026-32324 | High | 7.7 | — | 2026-04-17 | Anviz CX7 Firmware is vulnerable because the application embeds reusable certificate/key material, enabling decryption of MQTT traffic and potential interaction with device messaging channels at scale. |
CVE-2026-40461 | High | 7.5 | — | 2026-04-17 | Anviz CX2 Lite and CX7 are vulnerable to unauthenticated POST requests that modify debug settings (e.g., enabling SSH), allowing unauthorized state changes that can facilitate later compromise. |
CVE-2026-32650 | High | 7.5 | — | 2026-04-17 | Anviz CrossChex Standard is vulnerable when an attacker manipulates the TDS7 PreLogin to disable encryption, causing database credentials to be sent in plaintext and enabling unauthorized database access. |
CVE-2026-33569 | Medium | 6.5 | — | 2026-04-17 | Anviz CX2 Lite and CX7 administrative sessions occur over HTTP, enabling on‑path attackers to sniff credentials and session data, which can be used to compromise the device. |
CVE-2026-35061 | Medium | 5.3 | — | 2026-04-17 | Anviz CX7 Firmware is vulnerable to the most recently captured test photo that can be retrieved without authentication, revealing sensitive operational imagery. |
CVE-2026-33093 | Medium | 5.3 | — | 2026-04-17 | Anviz CX7 Firmware is vulnerable to an unauthenticated POST to the device that captures a photo with the front facing camera, exposing visual information about the deployment environment. |
CVE-2026-32648 | Medium | 5.3 | — | 2026-04-17 | Anviz CX2 Lite and CX7 are vulnerable to unauthenticated access that discloses debug configuration details (e.g., SSH/RTTY status), assisting attackers in reconnaissance against the device. |
CVE-2026-31927 | Medium | 4.9 | — | 2026-04-17 | Anviz CX7 Firmware is vulnerable to an authenticated CSV upload which allows path traversal to overwrite arbitrary files (e.g., /etc/shadow), enabling unauthorized SSH access when combined with debug‑setting changes. |
Imagemagick · 12 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-33908 | High | 7.5 | — | 2026-04-13 | ImageMagick is free and open-source software used for editing and manipulating digital images. |
CVE-2026-33901 | High | 7.5 | — | 2026-04-13 | ImageMagick is free and open-source software used for editing and manipulating digital images. |
CVE-2026-40312 | Medium | 6.2 | — | 2026-04-13 | ImageMagick is free and open-source software used for editing and manipulating digital images. |
CVE-2026-40169 | Medium | 6.2 | — | 2026-04-13 | ImageMagick is free and open-source software used for editing and manipulating digital images. |
CVE-2026-33900 | Medium | 5.9 | — | 2026-04-13 | ImageMagick is free and open-source software used for editing and manipulating digital images. |
CVE-2026-40311 | Medium | 5.5 | — | 2026-04-13 | ImageMagick is free and open-source software used for editing and manipulating digital images. |
CVE-2026-40310 | Medium | 5.5 | — | 2026-04-13 | ImageMagick is free and open-source software used for editing and manipulating digital images. |
CVE-2026-40183 | Medium | 5.5 | — | 2026-04-13 | ImageMagick is free and open-source software used for editing and manipulating digital images. |
CVE-2026-33905 | Medium | 5.5 | — | 2026-04-13 | ImageMagick is free and open-source software used for editing and manipulating digital images. |
CVE-2026-33902 | Medium | 5.5 | — | 2026-04-13 | ImageMagick is free and open-source software used for editing and manipulating digital images. |
CVE-2026-33899 | Medium | 5.3 | — | 2026-04-13 | ImageMagick is free and open-source software used for editing and manipulating digital images. |
CVE-2026-34238 | Medium | 5.1 | — | 2026-04-13 | ImageMagick is free and open-source software used for editing and manipulating digital images. |
Sap_se · 12 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-27681 | Critical | 9.9 | — | 2026-04-14 | Due to insufficient authorization checks in SAP Business Planning and Consolidation and SAP Business Warehouse, an authenticated user can execute crafted SQL statements to read, modify, and delete database data. |
CVE-2026-34256 | High | 7.1 | — | 2026-04-14 | Due to a missing authorization check in SAP ERP and SAP S/4HANA (Private Cloud and On-Premise), an authenticated attacker could execute a particular ABAP report to overwrite any existing eight-character executable ABAP report without autho… |
CVE-2026-34261 | Medium | 6.5 | — | 2026-04-14 | Due to a missing authorization check in SAP Business Analytics and SAP Content Management, an authenticated user could make unauthorized calls to certain remote function modules, potentially accessing sensitive information beyond their int… |
CVE-2026-27678 | Medium | 6.5 | — | 2026-04-14 | Due to missing authorization checks in the SAP S/4HANA backend OData Service (Manage Reference Structures), an attacker could update and delete child entities via exposed OData services without proper authorization. |
CVE-2026-27677 | Medium | 6.5 | — | 2026-04-14 | Due to missing authorization checks in the SAP S/4HANA OData Service (Manage Reference Equipment), an attacker could update and delete child entities via OData services without proper authorization. |
CVE-2026-0512 | Medium | 6.1 | — | 2026-04-14 | Due to a Cross-Site Scripting (XSS) vulnerability in SAP Supplier Relationship Management (SICF Handler in SRM Catalog), an unauthenticated attacker could craft a malicious URL that, if accessed by a victim, results in execution of mal… |
CVE-2026-27673 | Medium | 4.9 | — | 2026-04-14 | Due to a missing authorization check, SAP S/4HANA (Private Cloud and On-Premise) allows an authenticated user to delete files on the operating system and gain unauthorized control over file operations, which could lead to no impact on Conf… |
CVE-2026-27676 | Medium | 4.3 | — | 2026-04-14 | Due to missing authorization checks in the SAP S/4HANA OData Service (Manage Technical Object Structures), an attacker could update and delete child entities via exposed OData services without proper authorization. |
CVE-2026-27672 | Medium | 4.3 | — | 2026-04-14 | The Material Master application does not enforce authorization checks for authenticated users when executing reports, resulting in the disclosure of sensitive information. |
CVE-2026-24318 | Medium | 4.2 | — | 2026-04-14 | Due to an insecure session management vulnerability in SAP Business Objects Business Intelligence Platform, an unauthenticated attacker could obtain valid session tokens and reuse them to gain unauthorized access to a victim's session. |
CVE-2026-27683 | Medium | 4.1 | — | 2026-04-14 | SAP BusinessObjects Business Intelligence application allows an authenticated attacker to inject malicious JavaScript payloads through crafted URLs. |
CVE-2026-27675 | Low | 2.0 | — | 2026-04-14 | SAP Landscape Transformation contains a vulnerability in an RFC-exposed function module that could allow a high privileged adversary to inject arbitrary ABAP code and operating system commands. |
1panel-dev · 11 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-39421 | Medium | 6.3 | — | 2026-04-14 | MaxKB is an open-source AI assistant for enterprise. |
CVE-2026-39420 | Medium | 6.3 | — | 2026-04-14 | MaxKB is an open-source AI assistant for enterprise. |
CVE-2026-39426 | Medium | 5.4 | — | 2026-04-14 | MaxKB is an open-source AI assistant for enterprise. |
CVE-2026-39425 | Medium | 5.4 | — | 2026-04-14 | MaxKB is an open-source AI assistant for enterprise. |
CVE-2026-39423 | Medium | 5.4 | — | 2026-04-14 | MaxKB is an open-source AI assistant for enterprise. |
CVE-2026-39422 | Medium | 5.4 | — | 2026-04-14 | MaxKB is an open-source AI assistant for enterprise. |
CVE-2026-39418 | Medium | 5.0 | — | 2026-04-14 | MaxKB is an open-source AI assistant for enterprise. |
CVE-2026-39424 | Medium | 4.7 | — | 2026-04-14 | MaxKB is an open-source AI assistant for enterprise. |
CVE-2026-39417 | Medium | 4.6 | — | 2026-04-14 | MaxKB is an open-source AI assistant for enterprise. |
CVE-2025-15632 | Low | 3.5 | — | 2026-04-13 | A vulnerability has been found in 1Panel-dev MaxKB up to 2.4.2. |
CVE-2026-39419 | Low | 3.1 | — | 2026-04-14 | MaxKB is an open-source AI assistant for enterprise. |
Totolink · 11 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-6195 | Critical | 9.8 | — | 2026-04-13 | A security vulnerability has been detected in Totolink A7100RU 7.4cu.2313_b20191024. |
CVE-2026-6156 | Critical | 9.8 | — | 2026-04-13 | A security vulnerability has been detected in Totolink A7100RU 7.4cu.2313_b20191024. |
CVE-2026-6155 | Critical | 9.8 | — | 2026-04-13 | A weakness has been identified in Totolink A7100RU 7.4cu.2313. |
CVE-2026-6154 | Critical | 9.8 | — | 2026-04-13 | A security flaw has been discovered in Totolink A7100RU 7.4cu.2313_b20191024. |
CVE-2026-6140 | Critical | 9.8 | — | 2026-04-13 | A vulnerability was found in Totolink A7100RU 7.4cu.2313_b20191024. |
CVE-2026-6139 | Critical | 9.8 | — | 2026-04-13 | A vulnerability has been found in Totolink A7100RU 7.4cu.2313_b20191024. |
CVE-2026-6138 | Critical | 9.8 | — | 2026-04-13 | A flaw has been found in Totolink A7100RU 7.4cu.2313_b20191024. |
CVE-2026-6194 | High | 8.8 | — | 2026-04-13 | A weakness has been identified in Totolink A3002MU B20211125.1046. |
CVE-2026-6168 | High | 8.8 | — | 2026-04-13 | A flaw has been found in TOTOLINK A7000R up to 9.1.0u.6115. |
CVE-2026-6157 | High | 8.8 | — | 2026-04-13 | A vulnerability was detected in Totolink A800R 4.1.2cu.5137_B20200730. |
CVE-2026-6158 | High | 7.3 | — | 2026-04-13 | A flaw has been found in Totolink N300RH 6.1c.1353_B20190305. |
Weblate · 10 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-34393 | High | 8.8 | — | 2026-04-15 | Weblate is a web based localization tool. |
CVE-2026-33435 | High | 8.0 | — | 2026-04-15 | Weblate is a web based localization tool. |
CVE-2026-34242 | High | 7.7 | — | 2026-04-15 | Weblate is a web based localization tool. |
CVE-2026-33220 | Medium | 6.8 | — | 2026-04-15 | Weblate is a web based localization tool. |
CVE-2026-40256 | Medium | 5.0 | — | 2026-04-15 | Weblate is a web based localization tool. |
CVE-2026-34244 | Medium | 5.0 | — | 2026-04-15 | Weblate is a web based localization tool. |
CVE-2026-33440 | Medium | 5.0 | — | 2026-04-15 | Weblate is a web based localization tool. |
CVE-2026-33214 | Medium | 4.3 | — | 2026-04-15 | Weblate is a web based localization tool. |
CVE-2026-39845 | Medium | 4.1 | — | 2026-04-15 | Weblate is a web based localization tool. |
CVE-2026-33212 | Low | 3.1 | — | 2026-04-15 | Weblate is a web based localization tool. |
Dataease · 9 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-33122 | Critical | 9.8 | — | 2026-04-16 | DataEase is an open-source data visualization and analytics platform. |
CVE-2026-33082 | Critical | 9.8 | — | 2026-04-16 | DataEase is an open source data visualization analysis tool. |
CVE-2026-40901 | High | 8.8 | — | 2026-04-16 | DataEase is an open-source data visualization and analytics platform. |
CVE-2026-40900 | High | 8.8 | — | 2026-04-16 | DataEase is an open-source data visualization and analytics platform. |
CVE-2026-33207 | High | 8.8 | — | 2026-04-16 | DataEase is an open-source data visualization and analytics platform. |
CVE-2026-33121 | High | 8.8 | — | 2026-04-16 | DataEase is an open-source data visualization and analytics platform. |
CVE-2026-33084 | High | 8.8 | — | 2026-04-16 | DataEase is an open-source data visualization and analytics platform. |
CVE-2026-33083 | High | 8.8 | — | 2026-04-16 | DataEase is an open-source data visualization and analytics platform. |
CVE-2026-40899 | Medium | 6.5 | — | 2026-04-16 | DataEase is an open-source data visualization and analytics platform. |
Firebirdsql · 9 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-40342 | Critical | 9.9 | — | 2026-04-17 | Firebird is an open-source relational database management system. |
CVE-2026-28224 | High | 8.2 | — | 2026-04-17 | Firebird is an open-source relational database management system. |
CVE-2026-27890 | High | 8.2 | — | 2026-04-17 | Firebird is an open-source relational database management system. |
CVE-2025-65104 | High | 7.9 | — | 2026-04-17 | Firebird is an open-source relational database management system. |
CVE-2026-35215 | High | 7.5 | — | 2026-04-17 | Firebird is an open-source relational database management system. |
CVE-2026-34232 | High | 7.5 | — | 2026-04-17 | Firebird is an open-source relational database management system. |
CVE-2026-33337 | High | 7.5 | — | 2026-04-17 | Firebird is an open-source relational database management system. |
CVE-2026-28212 | High | 7.5 | — | 2026-04-17 | Firebird is an open-source relational database management system. |
CVE-2026-28214 | Medium | 6.5 | — | 2026-04-17 | Firebird is an open-source relational database management system. |
Google · 9 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-6363 | High | 8.8 | — | 2026-04-15 | Type Confusion in V8 in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page. |
CVE-2026-6360 | High | 8.8 | — | 2026-04-15 | Use after free in FileSystem in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to potentially exploit object corruption via a crafted HTML page. |
CVE-2026-6359 | High | 8.8 | — | 2026-04-15 | Use after free in Video in Google Chrome on Windows prior to 147.0.7727.101 allowed a remote attacker who had compromised the renderer process to perform out of bounds memory access via a crafted HTML page. |
CVE-2026-6358 | High | 8.8 | — | 2026-04-15 | Use after free in XR in Google Chrome on Android prior to 147.0.7727.101 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. |
CVE-2026-6315 | High | 8.8 | — | 2026-04-15 | Use after free in Permissions in Google Chrome on Android prior to 147.0.7727.101 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code via a crafted HTML page. |
CVE-2026-6361 | High | 8.3 | — | 2026-04-15 | Heap buffer overflow in PDFium in Google Chrome on Windows prior to 147.0.7727.101 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code inside a sandbox via a crafted PDF file. |
CVE-2026-6319 | High | 7.5 | — | 2026-04-15 | Use after free in Payments in Google Chrome on Android prior to 147.0.7727.101 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code via a crafted HTML page. |
CVE-2026-6364 | Medium | 6.5 | — | 2026-04-15 | Out of bounds read in Skia in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted file. |
CVE-2026-6362 | Medium | 4.3 | — | 2026-04-15 | Use after free in Codecs in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to potentially perform out of bounds memory access via a crafted video file. |
Artica · 8 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-34186 | High | 8.8 | — | 2026-04-13 | Improper Neutralization of Special Elements used in an SQL Command vulnerability allows SQL Injection via custom fields. |
CVE-2026-30813 | High | 8.8 | — | 2026-04-13 | Improper Neutralization of Special Elements used in an SQL Command vulnerability allows SQL Injection via module search. |
CVE-2026-30809 | High | 8.8 | — | 2026-04-13 | Improper Neutralization of Special Elements used in an OS Command vulnerability allows OS Command Injection via WebServerModuleDebug. |
CVE-2026-30806 | High | 8.8 | — | 2026-04-13 | Improper Neutralization of Special Elements used in an OS Command vulnerability allows OS Command Injection via Network Report. |
CVE-2026-34188 | High | 7.2 | — | 2026-04-13 | Improper Neutralization of Special Elements used in an OS Command vulnerability allows OS Command Injection via Event Response execution. |
CVE-2026-30804 | High | 7.2 | — | 2026-04-13 | Unrestricted Upload of File with Dangerous Type vulnerability allows Remote Code Execution via file upload. |
CVE-2026-30811 | Medium | 6.5 | — | 2026-04-13 | Missing Authorization vulnerability allows Exposure of Sensitive Information via configuration endpoint. |
CVE-2026-30812 | Medium | 5.4 | — | 2026-04-13 | Improper Neutralization of Input During Web Page Generation vulnerability allows Stored Cross-Site Scripting via event comments. |
Chamilo · 8 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-40291 | High | 8.8 | — | 2026-04-14 | Chamilo LMS is an open-source learning management system. |
CVE-2026-35196 | High | 8.8 | — | 2026-04-14 | Chamilo LMS is an open-source learning management system. |
CVE-2026-34160 | High | 8.6 | — | 2026-04-14 | Chamilo LMS is an open-source learning management system. |
CVE-2026-33715 | High | 7.2 | — | 2026-04-14 | Chamilo LMS is an open-source learning management system. |
CVE-2026-33714 | High | 7.2 | — | 2026-04-14 | Chamilo is an open-source learning management system (LMS). |
CVE-2026-34602 | High | 7.1 | — | 2026-04-14 | Chamilo LMS is an open-source learning management system. |
CVE-2026-34370 | Medium | 6.5 | — | 2026-04-14 | Chamilo LMS is an open-source learning management system. |
CVE-2026-34161 | Medium | 5.4 | — | 2026-04-14 | Chamilo LMS is an open-source learning management system. |
Fastify · 8 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-6270 | Critical | 9.1 | — | 2026-04-16 | @fastify/middie versions 9.3.1 and earlier do not register inherited middleware directly on child plugin engine instances. |
CVE-2026-33808 | Critical | 9.1 | — | 2026-04-15 | Impact@fastify/express v4.0.4 and earlier fails to normalize URLs before passing them to Express middleware when Fastify router normalization options are enabled. |
CVE-2026-33807 | Critical | 9.1 | — | 2026-04-15 | @fastify/express v4.0.4 and earlier contains a path handling bug in the onRegister function that causes middleware paths to be doubled when inherited by child plugins. |
CVE-2026-33805 | High | 8.6 | — | 2026-04-15 | @fastify/reply-from v12.6.1 and earlier and @fastify/http-proxy v11.4.3 and earlier process the client's Connection header after the proxy has added its own headers via rewriteRequestHeaders. |
CVE-2026-33806 | High | 7.5 | — | 2026-04-15 | Impact: Fastify applications using schema.body.content for per-content-type body validation can have validation bypassed entirely by prepending a space to the Content-Type header. |
CVE-2026-33804 | High | 7.4 | — | 2026-04-16 | @fastify/middie versions 9.3.1 and earlier are vulnerable to middleware bypass when the deprecated Fastify ignoreDuplicateSlashes option is enabled. |
CVE-2026-6414 | Medium | 5.9 | — | 2026-04-16 | @fastify/static versions 8.0.0 through 9.1.0 decode percent-encoded path separators (%2F) before filesystem resolution, while Fastify's router treats them as literal characters. |
CVE-2026-6410 | Medium | 5.3 | — | 2026-04-16 | @fastify/static versions 8.0.0 through 9.1.0 allow path traversal when directory listing is enabled via the list option. |
Neutrinolabs · 8 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-33689 | Critical | 9.1 | — | 2026-04-17 | xrdp is an open source RDP server. |
CVE-2026-33516 | Critical | 9.1 | — | 2026-04-17 | xrdp is an open source RDP server. |
CVE-2026-35512 | High | 8.8 | — | 2026-04-17 | xrdp is an open source RDP server. |
CVE-2026-32107 | High | 8.8 | — | 2026-04-17 | xrdp is an open source RDP server. |
CVE-2026-32623 | High | 8.1 | — | 2026-04-17 | xrdp is an open source RDP server. |
CVE-2026-32105 | High | 7.7 | — | 2026-04-17 | xrdp is an open source RDP server. |
CVE-2026-32624 | Medium | 6.5 | — | 2026-04-17 | xrdp is an open source RDP server. |
CVE-2026-33145 | Medium | 6.3 | — | 2026-04-17 | xrdp is an open source RDP server. |
Schneider Electric · 8 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-2405 | Medium | 6.5 | — | 2026-04-14 | CWE-400 Uncontrolled Resource Consumption vulnerability exists that could cause excessive troubleshooting zip file creation and denial of service when a Web Admin user floods the system with POST /helpabout requests. |
CVE-2026-2399 | Medium | 6.1 | — | 2026-04-14 | CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability exists that could cause critical files overwritten with text data when a Web Admin user alters the POST /REST/upssleep request payload. |
CVE-2026-2404 | Medium | 5.3 | — | 2026-04-14 | CWE-116 Improper Encoding or Escaping of Output vulnerability exists that could cause log injection and forged log when an attacker alters the POST /j_security check request payload. |
CVE-2026-2402 | Medium | 5.3 | — | 2026-04-14 | CWE-307 Improper Restriction of Excessive Authentication Attempts vulnerability exists that would allow an attacker to gain access to the user account by performing an arbitrary number of authentication attempts with different credentials… |
CVE-2026-2401 | Medium | 5.0 | — | 2026-04-14 | CWE-532 Insertion of Sensitive Information into Log File vulnerability exists that could cause confidential information to be exposed when a Web Admin user executes a malicious file provided by an attacker. |
CVE-2026-2403 | Medium | 4.3 | — | 2026-04-14 | CWE-1284 Improper Validation of Specified Quantity in Input vulnerability exists that could cause Event and Data Log truncation impacting log integrity when a Web Admin user alters the POST /logsettings request payload. |
CVE-2026-2400 | Medium | 4.3 | — | 2026-04-14 | CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection') vulnerability exists that could cause application user credentials to reset when a Web Admin user alters the POST /setPCBEDesc request payload. |
CVE-2026-4832 | — | — | — | 2026-04-14 | CWE-798 Use of Hard-coded Credentials vulnerability exists that could cause unauthorized access to sensitive device information when an unauthenticated attacker is able to interrogate the SNMP port. |
Tenda · 8 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-6200 | High | 8.8 | — | 2026-04-13 | A vulnerability was determined in Tenda F456 1.0.0.5. |
CVE-2026-6199 | High | 8.8 | — | 2026-04-13 | A vulnerability was found in Tenda F456 1.0.0.5. |
CVE-2026-6198 | High | 8.8 | — | 2026-04-13 | A vulnerability has been found in Tenda F456 1.0.0.5. |
CVE-2026-6197 | High | 8.8 | — | 2026-04-13 | A flaw has been found in Tenda F456 1.0.0.5. |
CVE-2026-6196 | High | 8.8 | — | 2026-04-13 | A vulnerability was detected in Tenda F456 1.0.0.5. |
CVE-2026-6137 | High | 8.8 | — | 2026-04-13 | A vulnerability was detected in Tenda F451 1.0.0.7_cn_svn7958. |
CVE-2026-6136 | High | 8.8 | — | 2026-04-13 | A security vulnerability has been detected in Tenda F451 1.0.0.7_cn_svn7958. |
CVE-2026-6135 | High | 8.8 | — | 2026-04-13 | A weakness has been identified in Tenda F451 1.0.0.7_cn_svn7958. |
Red Hat · 7 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-6388 | Critical | 9.1 | — | 2026-04-15 | A flaw was found in ArgoCD Image Updater. |
CVE-2026-6507 | High | 7.5 | — | 2026-04-17 | A flaw was found in dnsmasq. |
CVE-2026-37980 | Medium | 6.9 | — | 2026-04-14 | A flaw was found in Keycloak, specifically in the organization selection login page. |
CVE-2026-6385 | Medium | 6.5 | — | 2026-04-15 | A flaw was found in FFmpeg. |
CVE-2026-6245 | Medium | 5.5 | — | 2026-04-15 | A flaw was found in the System Security Services Daemon (SSSD). |
CVE-2026-6383 | Medium | 5.4 | — | 2026-04-15 | A flaw was found in KubeVirt's Role-Based Access Control (RBAC) evaluation logic. |
CVE-2026-6494 | Medium | 5.3 | — | 2026-04-17 | A flaw was found in the AAP MCP server. |
Apostrophecms · 6 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-35569 | High | 8.7 | — | 2026-04-15 | ApostropheCMS is an open-source Node.js content management system. |
CVE-2026-40186 | Medium | 6.1 | — | 2026-04-15 | ApostropheCMS is an open-source Node.js content management system. |
CVE-2026-33889 | Medium | 5.4 | — | 2026-04-15 | ApostropheCMS is an open-source Node.js content management system. |
CVE-2026-39857 | Medium | 5.3 | — | 2026-04-15 | ApostropheCMS is an open-source Node.js content management system. |
CVE-2026-33888 | Medium | 5.3 | — | 2026-04-15 | ApostropheCMS is an open-source Node.js content management system. |
CVE-2026-33877 | Low | 3.7 | — | 2026-04-15 | ApostropheCMS is an open-source Node.js content management system. |
Gimp · 6 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-6384 | High | 7.3 | — | 2026-04-15 | A flaw was found in gimp. |
CVE-2026-40919 | Medium | 6.1 | — | 2026-04-15 | A flaw was found in GIMP. |
CVE-2026-40918 | Medium | 5.5 | — | 2026-04-15 | A flaw was found in GIMP. |
CVE-2026-40915 | Medium | 5.5 | — | 2026-04-15 | A flaw was found in GIMP. |
CVE-2026-40917 | Medium | 5.0 | — | 2026-04-15 | A flaw was found in GIMP. |
CVE-2026-40916 | Medium | 5.0 | — | 2026-04-15 | A flaw was found in GIMP. |
Jqlang · 6 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-32316 | High | 8.2 | — | 2026-04-13 | jq is a command-line JSON processor. |
CVE-2026-40164 | High | 7.5 | — | 2026-04-14 | jq is a command-line JSON processor. |
CVE-2026-39979 | Medium | 6.5 | — | 2026-04-13 | jq is a command-line JSON processor. |
CVE-2026-33947 | Medium | 6.2 | — | 2026-04-13 | jq is a command-line JSON processor. |
CVE-2026-39956 | Medium | 6.1 | — | 2026-04-13 | jq is a command-line JSON processor. |
CVE-2026-33948 | Medium | 5.3 | — | 2026-04-14 | jq is a command-line JSON processor. |
Pachno · 6 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-40044 | Critical | 9.8 | — | 2026-04-13 | Pachno 1.0.6 contains a deserialization vulnerability that allows unauthenticated attackers to execute arbitrary code by injecting malicious serialized objects into cache files. |
CVE-2026-40042 | Critical | 9.8 | — | 2026-04-13 | Pachno 1.0.6 contains an XML external entity injection vulnerability that allows unauthenticated attackers to read arbitrary files by exploiting unsafe XML parsing in the TextParser helper. |
CVE-2026-40040 | High | 8.8 | — | 2026-04-13 | Pachno 1.0.6 contains an unrestricted file upload vulnerability that allows authenticated users to upload arbitrary file types by bypassing ineffective extension filtering to the /uploadfile endpoint. |
CVE-2026-40038 | High | 7.2 | — | 2026-04-13 | Pachno 1.0.6 contains a stored cross-site scripting vulnerability that allows attackers to execute arbitrary HTML and script code by injecting malicious payloads into POST parameters. |
CVE-2026-40039 | Medium | 6.5 | — | 2026-04-13 | Pachno 1.0.6 contains an open redirection vulnerability that allows attackers to redirect users to arbitrary external websites by manipulating the return_to parameter. |
CVE-2026-40041 | Medium | 4.3 | — | 2026-04-13 | Pachno 1.0.6 contains a cross-site request forgery vulnerability that allows attackers to perform arbitrary actions in authenticated user context by exploiting missing CSRF protections on state-changing endpoints. |
Wso2 · 6 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-2374 | High | 7.5 | — | 2026-04-16 | The XML parsers within multiple WSO2 products accept user-supplied XML data without properly configuring to prevent the resolution of external entities. |
CVE-2025-6024 | Medium | 6.1 | — | 2026-04-16 | The authentication endpoint fails to encode user-supplied input before rendering it in the web page, allowing for script injection. |
CVE-2024-10242 | Medium | 6.1 | — | 2026-04-16 | The authentication endpoint fails to adequately validate user-supplied input before reflecting it back in the response. |
CVE-2025-12624 | Medium | 6.0 | — | 2026-04-16 | Active access tokens are not revoked or invalidated when a user account is locked within WSO2 Identity Server. |
CVE-2024-4867 | Medium | 5.4 | — | 2026-04-16 | The WSO2 API Manager developer portal accepts user-supplied input without enforcing expected validation constraints or proper output encoding. |
CVE-2024-8010 | Low | 3.5 | — | 2026-04-16 | The component accepts XML input through the publisher without disabling external entity resolution. |
Eaton · 5 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-22619 | High | 7.8 | — | 2026-04-16 | Eaton Intelligent Power Protector (IPP) is affected by insecure library loading in its executable, which could lead to arbitrary code execution by an attacker with access to the software package. This security issue has been fixed in the l… |
CVE-2026-22616 | Medium | 6.5 | — | 2026-04-16 | Eaton Intelligent Power Protector (IPP) software allows repeated authentication attempts against the web interface login page due to insufficient rate-limiting controls. This security issue has been fixed in the latest version of Eaton IPP… |
CVE-2026-22615 | Medium | 6.0 | — | 2026-04-16 | Due to improper input validation in one of the Eaton Intelligent Power Protector (IPP) XML, it is possible for an attacker with admin privileges and access to the local system to inject malicious code resulting in arbitrary command executi… |
CVE-2026-22618 | Medium | 5.9 | — | 2026-04-16 | A security misconfiguration was identified in Eaton Intelligent Power Protector (IPP), where an HTTP response header was set with an insecure attribute, potentially exposing users to web-based attacks. This security issue has been fixed in… |
CVE-2026-22617 | Medium | 5.7 | — | 2026-04-16 | Eaton Intelligent Power Protector (IPP) uses an insecure cookie configuration, which could allow a network-based attacker to intercept the cookie and exploit it through a man-in-the-middle attack. This security issue has been fixed in the… |
Free5gc · 5 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-40248 | High | 7.5 | — | 2026-04-16 | free5GC is an open-source implementation of the 5G core network. |
CVE-2026-40247 | High | 7.5 | — | 2026-04-16 | free5GC is an open-source implementation of the 5G core network. |
CVE-2026-40246 | High | 7.5 | — | 2026-04-16 | free5GC is an open-source implementation of the 5G core network. |
CVE-2026-40245 | High | 7.5 | — | 2026-04-16 | Free5GC is an open-source Linux Foundation project for 5th generation (5G) mobile core networks. |
CVE-2026-40249 | Medium | 5.3 | — | 2026-04-16 | free5GC is an open-source implementation of the 5G core network. |
Hkuds · 5 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-40502 | High | 8.8 | — | 2026-04-16 | OpenHarness prior to commit dd1d235 contains a command injection vulnerability that allows remote gateway users with chat access to invoke sensitive administrative commands by exploiting insufficient distinction between local-only and remo… |
CVE-2026-40516 | High | 8.3 | — | 2026-04-17 | OpenHarness before commit bd4df81 contains a server-side request forgery vulnerability in the web_fetch and web_search tools that allows attackers to access private and localhost HTTP services by manipulating tool parameters without proper… |
CVE-2026-35589 | High | 8.0 | — | 2026-04-14 | nanobot is a personal AI assistant. |
CVE-2026-40515 | High | 7.5 | — | 2026-04-17 | OpenHarness before commit bd4df81 contains a permission bypass vulnerability that allows attackers to read sensitive files by exploiting incomplete path normalization in the permission checker. |
CVE-2026-40503 | Medium | 6.5 | — | 2026-04-16 | OpenHarness prior to commit dd1d235 contains a path traversal vulnerability that allows remote gateway users with chat access to read arbitrary files by supplying path traversal sequences to the /memory show slash command. |
Labredescefetrj · 5 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-40285 | High | 8.8 | — | 2026-04-17 | WeGIA is a web manager for charitable institutions. |
CVE-2026-40286 | High | 7.5 | — | 2026-04-17 | WeGIA is a web manager for charitable institutions. |
CVE-2026-40284 | Medium | 6.8 | — | 2026-04-17 | WeGIA is a web manager for charitable institutions. |
CVE-2026-40283 | Medium | 6.8 | — | 2026-04-17 | WeGIA is a web manager for charitable institutions. |
CVE-2026-40282 | — | — | — | 2026-04-17 | WeGIA is a web manager for charitable institutions. |
Legion Of The Bouncy Castle Inc. · 5 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-5598 | High | 7.5 | — | 2026-04-15 | Covert timing channel vulnerability in Legion of the Bouncy Castle Inc. |
CVE-2026-5588 | High | 7.5 | — | 2026-04-15 | Use of a Broken or Risky Cryptographic Algorithm vulnerability in Legion of the Bouncy Castle Inc. |
CVE-2026-3505 | High | 7.5 | — | 2026-04-15 | Allocation of resources without limits or throttling, Uncontrolled Resource Consumption vulnerability in Legion of the Bouncy Castle Inc. |
CVE-2025-14813 | High | 7.5 | — | 2026-04-15 | Use of a Broken or Risky Cryptographic Algorithm vulnerability in Legion of the Bouncy Castle Inc. |
CVE-2026-0636 | Medium | 6.5 | — | 2026-04-15 | Improper neutralization of special elements used in an LDAP query ('LDAP injection') vulnerability in Legion of the Bouncy Castle Inc. |
Lenovo · 5 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-4145 | High | 7.8 | — | 2026-04-15 | During an internal security assessment, a potential vulnerability was discovered in Lenovo Software Fix that could allow a local authenticated user to perform arbitrary code execution with elevated privileges. |
CVE-2026-4134 | High | 7.3 | — | 2026-04-15 | During an internal security assessment, a potential vulnerability was discovered in Lenovo Software Fix, that during installation could allow a local authenticated user to execute code with elevated privileges. |
CVE-2026-0827 | High | 7.1 | — | 2026-04-15 | During an internal security assessment, a potential vulnerability was discovered in Lenovo Diagnostics and the HardwareScanAddin used in Lenovo Vantage that, during installation or when using hardware scan, could allow a local authenticate… |
CVE-2026-1636 | Medium | 6.7 | — | 2026-04-15 | A potential DLL hijacking vulnerability was reported in Lenovo Service Bridge that, under certain conditions, could allow a local authenticated user to execute code with elevated privileges. |
CVE-2026-4135 | Medium | 6.6 | — | 2026-04-15 | During an internal security assessment, a potential vulnerability was discovered in Lenovo Software Fix, that during installation could allow a local authenticated user to perform an arbitrary file write with elevated privileges. |
Mervinpraison · 5 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-40315 | Critical | 9.8 | — | 2026-04-14 | PraisonAI is a multi-agent teams system. |
CVE-2026-40288 | Critical | 9.8 | — | 2026-04-14 | PraisonAI is a multi-agent teams system. |
CVE-2026-40313 | Critical | 9.1 | — | 2026-04-14 | PraisonAI is a multi-agent teams system. |
CVE-2026-40289 | Critical | 9.1 | — | 2026-04-14 | PraisonAI is a multi-agent teams system. |
CVE-2026-40287 | High | 8.4 | — | 2026-04-14 | PraisonAI is a multi-agent teams system. |
Octobercms · 5 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-24907 | Medium | 5.4 | — | 2026-04-14 | October is a Content Management System (CMS) and web platform. |
CVE-2026-24906 | Medium | 5.4 | — | 2026-04-14 | October is a Content Management System (CMS) and web platform. |
CVE-2026-25125 | Medium | 4.9 | — | 2026-04-14 | October is a Content Management System (CMS) and web platform. |
CVE-2026-22692 | Medium | 4.9 | — | 2026-04-14 | October is a Content Management System (CMS) and web platform. |
CVE-2026-25133 | Medium | 4.8 | — | 2026-04-14 | October is a Content Management System (CMS) and web platform. |
Saitoha · 5 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-33023 | High | 7.8 | — | 2026-04-14 | libsixel is a SIXEL encoder/decoder implementation derived from kmiya's sixel. |
CVE-2026-33021 | High | 7.3 | — | 2026-04-14 | libsixel is a SIXEL encoder/decoder implementation derived from kmiya's sixel. |
CVE-2026-33020 | High | 7.1 | — | 2026-04-14 | libsixel is a SIXEL encoder/decoder implementation derived from kmiya's sixel. |
CVE-2026-33019 | High | 7.1 | — | 2026-04-14 | libsixel is a SIXEL encoder/decoder implementation derived from kmiya's sixel. |
CVE-2026-33018 | High | 7.0 | — | 2026-04-14 | libsixel is a SIXEL encoder/decoder implementation derived from kmiya's sixel. |
Sap · 5 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-34264 | Medium | 6.5 | — | 2026-04-14 | During authorization checks in SAP Human Capital Management for SAP S/4HANA, the system returns specific messages. |
CVE-2026-27679 | Medium | 6.5 | — | 2026-04-14 | Due to missing authorization checks in the SAP S/4HANA frontend OData Service (Manage Reference Structures), an attacker could update and delete child entities via exposed OData services without proper authorization. |
CVE-2026-34257 | Medium | 6.1 | — | 2026-04-14 | Due to an Open Redirect vulnerability in SAP NetWeaver Application Server ABAP, an unauthenticated attacker could craft a malicious URL that, if accessed by a victim, redirects them to a page controlled by the attacker. |
CVE-2026-27674 | Medium | 6.1 | — | 2026-04-14 | Due to a Code Injection vulnerability in SAP NetWeaver Application Server Java (Web Dynpro Java), an unauthenticated attacker could supply crafted input that is interpreted by the application and causes it to reference attacker-controlled… |
CVE-2026-34262 | Medium | 5.0 | — | 2026-04-14 | Information Disclosure Vulnerability in SAP HANA Cockpit and HANA Database Explorer. |
Siemens · 5 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-27668 | High | 8.8 | — | 2026-04-14 | A vulnerability has been identified in RUGGEDCOM CROSSBOW Secure Access Manager Primary (SAM-P) (All versions < V5.8). |
CVE-2026-25654 | High | 8.8 | — | 2026-04-14 | A vulnerability has been identified in SINEC NMS (All versions < V4.0 SP3). |
CVE-2026-24032 | High | 7.3 | — | 2026-04-14 | A vulnerability has been identified in SINEC NMS (All versions < V4.0 SP3 with UMC). |
CVE-2026-33892 | High | 7.1 | — | 2026-04-14 | A vulnerability has been identified in Industrial Edge Management Pro V1 (All versions >= V1.7.6 < V1.15.17), Industrial Edge Management Pro V2 (All versions >= V2.0.0 < V2.1.1), Industrial Edge Management Virtual (All versions >= V2.2.0 <… |
CVE-2025-40745 | Low | 3.7 | — | 2026-04-14 | A vulnerability has been identified in Siemens Software Center (All versions < V3.5.8.2), Simcenter 3D (All versions < V2506.6000), Simcenter Femap (All versions < V2506.0002), Simcenter STAR-CCM+ (All versions < V2602), Solid Edge SE2025… |
Ubiquiti Inc · 5 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-22564 | Critical | 9.8 | — | 2026-04-13 | An Improper Access Control vulnerability could allow a malicious actor with access to the UniFi Play network to enable SSH to make unauthorized changes to the system. Affected Products: UniFi Play PowerAmp (Version 1.0.35 and earlier) … |
CVE-2026-22563 | Critical | 9.8 | — | 2026-04-13 | A series of Improper Input Validation vulnerabilities could allow a Command Injection by a malicious actor with access to the UniFi Play network. |
CVE-2026-22562 | Critical | 9.8 | — | 2026-04-13 | A malicious actor with access to the UniFi Play network could exploit a Path Traversal vulnerability found in the device firmware to write files on the system that could be used for a remote code execution (RCE). |
CVE-2026-22566 | High | 7.5 | — | 2026-04-13 | An Improper Access Control vulnerability could allow a malicious actor with access to the UniFi Play network to obtain UniFi Play WiFi credentials. Affected Products: UniFi Play PowerAmp (Version 1.0.35 and earlier) UniFi Play Audio Po… |
CVE-2026-22565 | High | 7.5 | — | 2026-04-13 | An Improper Input Validation vulnerability could allow a malicious actor with access to the UniFi Play network to cause the device to stop responding. Affected Products: UniFi Play PowerAmp (Version 1.0.35 and earlier) UniFi Play Audio… |
B3log · 4 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-40322 | Critical | 9.0 | — | 2026-04-16 | SiYuan is an open-source personal knowledge management system. |
CVE-2026-40318 | High | 8.5 | — | 2026-04-16 | SiYuan is an open-source personal knowledge management system. |
CVE-2026-40259 | High | 8.1 | — | 2026-04-16 | SiYuan is an open-source personal knowledge management system. |
CVE-2026-40922 | Medium | 5.4 | — | 2026-04-17 | SiYuan is an open-source personal knowledge management system. |
Docmost · 4 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-34213 | Medium | 5.4 | — | 2026-04-14 | Docmost is open-source collaborative wiki and documentation software. |
CVE-2026-34212 | Medium | 5.4 | — | 2026-04-14 | Docmost is open-source collaborative wiki and documentation software. |
CVE-2026-33193 | Medium | 4.6 | — | 2026-04-14 | Docmost is open-source collaborative wiki and documentation software. |
CVE-2026-33146 | Medium | 4.3 | — | 2026-04-14 | Docmost is open-source collaborative wiki and documentation software. |
Espocrm · 4 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-33740 | Medium | 5.4 | — | 2026-04-13 | EspoCRM is an open source customer relationship management application. |
CVE-2026-33657 | Medium | 4.6 | — | 2026-04-13 | EspoCRM is an open source customer relationship management application. |
CVE-2026-33534 | Medium | 4.3 | — | 2026-04-13 | EspoCRM is an open source customer relationship management application. |
CVE-2026-33659 | Low | 3.5 | — | 2026-04-13 | EspoCRM is an open source customer relationship management application. |
Ffmpeg · 4 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-30999 | High | 7.5 | — | 2026-04-13 | A heap buffer overflow in the av_bprint_finalize() function of FFmpeg v8.0.1 allows attackers to cause a Denial of Service (DoS) via a crafted input. |
CVE-2026-30998 | High | 7.5 | — | 2026-04-13 | An improper resource deallocation and closure vulnerability in the tools/zmqsend.c component of FFmpeg v8.0.1 allows attackers to cause a Denial of Service (DoS) via supplying a crafted input file. |
CVE-2026-30997 | High | 7.5 | — | 2026-04-13 | An out-of-bounds read in the read_global_param() function (libavcodec/av1dec.c) of FFmpeg v8.0.1 allows attackers to cause a Denial of Service (DoS) via a crafted input. |
CVE-2026-40962 | Medium | 4.9 | — | 2026-04-16 | FFmpeg before 8.1 has an integer overflow and resultant out-of-bounds write via CENC (Common Encryption) subsample data to libavformat/mov.c. |
Grafana · 4 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-41118 | Critical | 9.1 | — | 2026-04-15 | Pyroscope is an open-source continuous profiling database. |
CVE-2025-12141 | Medium | 6.5 | — | 2026-04-15 | In Grafana's alerting system, users with edit permissions for a contact point, specifically the permissions “alert.notifications:write” or “alert.notifications.receivers:test” that are granted as part of the fixed role "Contact Point Write… |
CVE-2026-21726 | Medium | 5.3 | — | 2026-04-15 | The CVE-2021-36156 fix validates the namespace parameter for path traversal sequences only after a single URL decode; by double encoding, an attacker can read files at the Ruler API endpoint /loki/api/v1/rules/{namespace}. Thanks to Prasanth Su… |
CVE-2026-21727 | Low | 3.3 | — | 2026-04-15 | Cross-Tenant Legacy Correlation Disclosure and Deletion (Grafana advisory, 2026-01-29)… |
Hashicorp · 4 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-3605 | High | 8.1 | — | 2026-04-17 | An authenticated user with access to a kvv2 path through a policy containing a glob may be able to delete secrets they were not authorized to read or write, resulting in denial-of-service. |
CVE-2026-5807 | High | 7.5 | — | 2026-04-17 | Vault is vulnerable to a denial-of-service condition where an unauthenticated attacker can repeatedly initiate or cancel root token generation or rekey operations, occupying the single in-progress operation slot. |
CVE-2026-4525 | High | 7.5 | — | 2026-04-17 | If a Vault auth mount is configured to pass through the "Authorization" header, and the "Authorization" header is used to authenticate to Vault, Vault forwarded the Vault token to the auth plugin backend. |
CVE-2026-5052 | Medium | 5.3 | — | 2026-04-17 | Vault’s PKI engine’s ACME validation did not reject local targets when issuing http-01 and tls-alpn-01 challenges. |
Jellyfin · 4 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-35031 | Critical | 9.9 | — | 2026-04-14 | Jellyfin is an open source self hosted media server. |
CVE-2026-35033 | Critical | 9.1 | — | 2026-04-14 | Jellyfin is an open source self hosted media server. |
CVE-2026-35032 | High | 8.1 | — | 2026-04-14 | Jellyfin is an open source self hosted media server. |
CVE-2026-35034 | Medium | 6.5 | — | 2026-04-14 | Jellyfin is an open source self hosted media server. |
Splunk · 4 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-20205 | High | 7.2 | — | 2026-04-15 | In Splunk MCP Server app versions below 1.0.3, a user who holds a role with access to the Splunk `_internal` index or possesses the high-privilege capability `mcp_tool_admin` could view users' session and authorization tokens in clear text… |
CVE-2026-20204 | High | 7.1 | — | 2026-04-15 | In Splunk Enterprise versions below 10.2.1, 10.0.5, 9.4.10, and 9.3.11, and Splunk Cloud Platform versions below 10.4.2603.0, 10.3.2512.5, 10.2.2510.9, 10.1.2507.19, 10.0.2503.13, and 9.3.2411.127, a low-privileged user that does not hold… |
CVE-2026-20202 | Medium | 6.6 | — | 2026-04-15 | In Splunk Enterprise versions below 10.2.2, 10.0.5, 9.4.10, and 9.3.11, and Splunk Cloud Platform versions below 10.4.2603.0, 10.3.2512.6, 10.2.2510.10, 10.1.2507.20, 10.0.2503.13, and 9.3.2411.127, a user who holds a role that contains th… |
CVE-2026-20203 | Medium | 4.3 | — | 2026-04-15 | In Splunk Enterprise versions below 10.2.2, 10.0.5, 9.4.10, and 9.3.11, and Splunk Cloud Platform versions below 10.4.2603.0, 10.3.2512.6, 10.2.2510.10, 10.1.2507.19, 10.0.2503.13, and 9.3.2411.127, a low-privileged user that does not hold… |
Amd · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-54502 | High | 7.5 | — | 2026-04-16 | Incorrect use of boot service in the AMD Platform Configuration Blob (APCB) SMM driver could allow a privileged attacker with local access (Ring 0) to achieve privilege escalation potentially resulting in arbitrary code execution. |
CVE-2025-54510 | — | — | — | 2026-04-16 | A missing lock verification in AMD Secure Processor (ASP) firmware may permit a locally authenticated attacker with administrative privileges to alter MMIO routing on some Zen 5-based products, potentially compromising guest system integri… |
CVE-2023-20585 | — | — | — | 2026-04-16 | Insufficient checks of the RMP on host buffer access in IOMMU may allow an attacker with privileges and a compromised hypervisor to trigger an out of bounds condition without RMP checks, resulting in a potential loss of confidential guest… |
Autodesk · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-4369 | High | 7.1 | — | 2026-04-14 | A maliciously crafted HTML payload in an assembly variant name, when displayed during the delete confirmation dialog and clicked by a user, can trigger a Stored Cross-site Scripting (XSS) vulnerability in the Autodesk Fusion desktop applic… |
CVE-2026-4345 | High | 7.1 | — | 2026-04-14 | A maliciously crafted HTML payload, stored in a design name and exported to CSV, can trigger a Stored Cross-site Scripting (XSS) vulnerability in the Autodesk Fusion desktop application. |
CVE-2026-4344 | High | 7.1 | — | 2026-04-14 | A maliciously crafted HTML payload in a component name, when displayed during the delete confirmation dialog and clicked by a user, can trigger a Stored Cross-site Scripting (XSS) vulnerability in the Autodesk Fusion desktop application. |
Craftcms · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-32272 | — | — | — | 2026-04-13 | Craft Commerce is an ecommerce platform for Craft CMS. |
CVE-2026-32271 | — | — | — | 2026-04-13 | Craft Commerce is an ecommerce platform for Craft CMS. |
CVE-2026-32270 | — | — | — | 2026-04-13 | Craft Commerce is an ecommerce platform for Craft CMS. |
Cubecart · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-34018 | Critical | 9.8 | — | 2026-04-17 | An SQL injection vulnerability exists in CubeCart prior to 6.6.0, which may allow an attacker to execute an arbitrary SQL statement on the product. |
CVE-2026-21719 | High | 7.2 | — | 2026-04-17 | An OS command injection vulnerability exists in CubeCart prior to 6.6.0, which may allow a user with an administrative privilege to execute an arbitrary OS command. |
CVE-2026-35496 | Low | 2.7 | — | 2026-04-17 | A path traversal vulnerability exists in CubeCart prior to 6.6.0, which may allow a user with an administrative privilege to access higher-level directories that should not be accessible. |
Dnnsoftware · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-40321 | High | 8.0 | — | 2026-04-17 | DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. |
CVE-2026-40306 | Medium | 6.5 | — | 2026-04-17 | DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. |
CVE-2026-40305 | Medium | 4.3 | — | 2026-04-17 | DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. |
Enchant97 · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-40262 | High | 8.7 | — | 2026-04-17 | Note Mark is an open-source note-taking application. |
CVE-2026-40265 | Medium | 5.9 | — | 2026-04-17 | Note Mark is an open-source note-taking application. |
CVE-2026-40263 | Low | 3.7 | — | 2026-04-17 | Note Mark is an open-source note-taking application. |
Imprintnext · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-3596 | Critical | 9.8 | — | 2026-04-16 | The Riaxe Product Customizer plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 2.1.2. |
CVE-2026-3599 | High | 7.5 | — | 2026-04-16 | The Riaxe Product Customizer plugin for WordPress is vulnerable to SQL Injection via the 'options' parameter keys within 'product_data' of the /wp-json/InkXEProductDesignerLite/add-item-to-cart REST API endpoint in all versions up to, and… |
CVE-2026-3595 | Medium | 5.3 | — | 2026-04-16 | The Riaxe Product Customizer plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.1.2. |
Mattermost · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-28741 | Medium | 6.8 | — | 2026-04-15 | Mattermost versions 10.11.x <= 10.11.12, 11.5.x <= 11.5.0, 11.4.x <= 11.4.2, 11.3.x <= 11.3.2 fail to validate CSRF tokens on an authentication endpoint which allows an attacker to update a user's authentication method via a CSRF attack by… |
CVE-2026-3590 | Medium | 6.5 | — | 2026-04-15 | Mattermost versions 10.11.x <= 10.11.12, 11.5.x <= 11.5.0, 11.4.x <= 11.4.2, 11.3.x <= 11.3.2 fail to enforce atomic single-use consumption of guest magic link tokens, which allows an attacker with access to a valid magic link to establish… |
CVE-2026-27769 | Low | 2.7 | — | 2026-04-15 | Mattermost versions 10.11.x <= 10.11.12 fail to validate whether users were correctly owned by the correct Connected Workspace which allows a malicious remote server connected using the Connected Workspaces feature to change the displayed… |
Netfoundry · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-40303 | High | 7.5 | — | 2026-04-17 | zrok is software for sharing web services, files, and network resources. |
CVE-2026-40302 | Medium | 6.1 | — | 2026-04-17 | zrok is software for sharing web services, files, and network resources. |
CVE-2026-40304 | Medium | 5.3 | — | 2026-04-17 | zrok is software for sharing web services, files, and network resources. |
Palo Alto Networks · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-0234 | — | — | — | 2026-04-13 | An improper verification of cryptographic signature vulnerability exists in Cortex XSOAR and Cortex XSIAM platforms during integration of Microsoft Teams that enables an unauthenticated user to access and modify protected resources. |
CVE-2026-0233 | — | — | — | 2026-04-13 | A certificate validation vulnerability in Palo Alto Networks Autonomous Digital Experience Manager on Windows allows an unauthenticated attacker with adjacent network access to execute arbitrary code with NT AUTHORITY\SYSTEM privileges. |
CVE-2026-0232 | — | — | — | 2026-04-13 | A problem with a protection mechanism in the Palo Alto Networks Cortex XDR agent on Windows allows a local Windows administrator to disable the agent. This issue may be leveraged by malware to perform malicious activity without detection. |
Python Software Foundation · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-6100 | High | 8.1 | — | 2026-04-13 | Use-after-free (UAF) was possible in the `lzma.LZMADecompressor`, `bz2.BZ2Decompressor`, and `gzip.GzipFile` when a memory allocation fails with a `MemoryError` and the decompression instance is re-used. |
CVE-2026-4786 | High | 7.1 | — | 2026-04-13 | Mitigation of CVE-2026-4519 was incomplete. |
CVE-2026-5713 | — | — | — | 2026-04-14 | The "profiling.sampling" module (Python 3.15+) and "asyncio introspection capabilities" (3.14+, "python -m asyncio ps" and "python -m asyncio pstree") features could be used to read and write addresses in a privileged process if that proce… |
Querymine · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-6490 | High | 7.3 | — | 2026-04-17 | A weakness has been identified in QueryMine sms up to 7ab5a9ea196209611134525ffc18de25c57d9593. |
CVE-2026-6489 | Medium | 6.3 | — | 2026-04-17 | A security flaw has been discovered in QueryMine sms up to 7ab5a9ea196209611134525ffc18de25c57d9593. |
CVE-2026-6488 | Medium | 6.3 | — | 2026-04-17 | A vulnerability was identified in QueryMine sms up to 7ab5a9ea196209611134525ffc18de25c57d9593. |
Radare · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-40527 | High | 7.8 | — | 2026-04-17 | radare2 prior to commit bc5a890 contains a command injection vulnerability in the afsv/afsvj command path where crafted ELF binaries can embed malicious r2 command sequences as DWARF DW_TAG_formal_parameter names. |
CVE-2026-40499 | High | 7.8 | — | 2026-04-15 | radare2 prior to version 6.1.4 contains a command injection vulnerability in the PDB parser's print_gvars() function that allows attackers to execute arbitrary commands by embedding a newline byte in the PE section header name field. |
CVE-2026-41015 | High | 7.4 | — | 2026-04-16 | radare2 before 9236f44, when configured on UNIX without SSL, allows command injection via a PDB name to rabin2 -PP. |
Sourcecodester · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-6189 | High | 7.3 | — | 2026-04-13 | A vulnerability has been found in SourceCodester Pharmacy Sales and Inventory System 1.0. |
CVE-2026-6188 | High | 7.3 | — | 2026-04-13 | A flaw has been found in SourceCodester Pharmacy Sales and Inventory System 1.0. |
CVE-2026-6187 | High | 7.3 | — | 2026-04-13 | A vulnerability was detected in SourceCodester Pharmacy Sales and Inventory System 1.0. |
Sparxsystems · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-15625 | Critical | 9.8 | — | 2026-04-17 | An unauthenticated user is able to execute arbitrary SQL commands in the Sparx Pro Cloud Server database in certain cases. |
CVE-2025-15624 | High | 7.5 | — | 2026-04-17 | Plaintext Storage of a Password vulnerability in Sparx Systems Pty Ltd. |
CVE-2025-15623 | High | 7.5 | — | 2026-04-17 | Exposure of Private Personal Information to an Unauthorized Actor, Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Sparx Systems Pty Ltd. |
Themeum · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-6080 | Medium | 6.5 | — | 2026-04-17 | The Tutor LMS plugin for WordPress is vulnerable to SQL Injection in versions up to and including 3.9.8. |
CVE-2026-40740 | Medium | 5.4 | — | 2026-04-15 | Missing Authorization vulnerability in Themeum Tutor LMS tutor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Tutor LMS: from n/a through <= 3.9.7. |
CVE-2026-5502 | Medium | 5.3 | — | 2026-04-17 | The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized course content manipulation in versions up to and including 3.9.8. |
10web · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-4388 | High | 7.2 | — | 2026-04-14 | The Form Maker by 10Web plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Matrix field (Text Box input type) in form submissions in all versions up to, and including, 1.15.40. |
CVE-2026-3330 | Medium | 4.9 | — | 2026-04-17 | The Form Maker by 10Web plugin for WordPress is vulnerable to SQL Injection via the 'ip_search', 'startdate', 'enddate', 'username_search', and 'useremail_search' parameters in all versions up to, and including, 1.15.40. |
Aandrew-me · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-6219 | Medium | 5.3 | — | 2026-04-13 | A vulnerability was determined in aandrew-me ytDownloader up to 3.20.2. |
CVE-2026-6218 | Medium | 4.3 | — | 2026-04-13 | A vulnerability was found in aandrew-me ytDownloader up to 3.20.2. |
Ascensio · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-41030 | Medium | 6.2 | — | 2026-04-16 | In ONLYOFFICE DesktopEditors before 9.3.0, the update service allows attackers to perform actions on files with SYSTEM privileges. |
CVE-2026-41034 | Medium | 5.0 | — | 2026-04-16 | ONLYOFFICE DocumentServer before 9.3.0 has an untrusted pointer dereference in XLS processing/conversion (via pictFmla.cbBufInCtlStm and other vectors), leading to an information leak and ASLR bypass. |
Asus · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-3428 | — | — | — | 2026-04-16 | A Download of Code Without Integrity Check vulnerability in the update modules in ASUS Member Center (华硕大厅) allows a local user to achieve privilege escalation to Administrator via exploitation of a Time-of-check Time-of-use (TOC-TOU) durin… |
CVE-2026-1880 | — | — | — | 2026-04-16 | An Incorrect Permission Assignment for Critical Resource vulnerability in the ASUS DriverHub update process allows privilege escalation due to improper protection of required execution resources during the validation phase, permitting a lo… |
Composer · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-40261 | High | 8.8 | — | 2026-04-15 | Composer is a dependency manager for PHP. |
CVE-2026-40176 | High | 7.8 | — | 2026-04-15 | Composer is a dependency manager for PHP. |
Faridsaniee · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-4091 | Medium | 6.1 | — | 2026-04-15 | The OPEN-BRAIN plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.5.0. |
CVE-2026-3995 | Medium | 4.4 | — | 2026-04-16 | The OPEN-BRAIN plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'API Key' settings field in all versions up to, and including, 0.5.0. |
Fastgpt · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-40351 | Critical | 9.8 | — | 2026-04-17 | FastGPT is an AI Agent building platform. |
CVE-2026-40352 | High | 8.8 | — | 2026-04-17 | FastGPT is an AI Agent building platform. |
Giskard · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-40320 | High | 7.8 | — | 2026-04-17 | Giskard is an open-source testing framework for AI models. |
CVE-2026-40319 | Medium | 5.5 | — | 2026-04-17 | Giskard is an open-source testing framework for AI models. |
Glenwpcoder · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-5718 | High | 8.1 | — | 2026-04-17 | The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file upload in versions up to, and including, 1.3.9.7. |
CVE-2026-5710 | High | 7.5 | — | 2026-04-17 | The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to Path Traversal leading to Arbitrary File Read in versions up to and including 1.3.9.6. |
Itsourcecode · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-6191 | Medium | 6.3 | — | 2026-04-13 | A vulnerability was determined in itsourcecode Construction Management System 1.0. |
CVE-2026-6190 | Medium | 6.3 | — | 2026-04-13 | A vulnerability was found in itsourcecode Construction Management System 1.0. |
Ivanti · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-4913 | Medium | 5.7 | — | 2026-04-14 | Improper protection of an alternate path in Ivanti N-ITSM before version 2025.4 allows a remote authenticated attacker to retain access when their account has been disabled. |
CVE-2026-4914 | Medium | 5.4 | — | 2026-04-14 | Stored XSS in Ivanti N-ITSM before version 2025.4 allows a remote authenticated attacker to obtain limited information from other user sessions. User interaction is required. |
Janobe · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-36920 | Low | 2.7 | — | 2026-04-13 | Sourcecodester Online Reviewer System v1.0 is vulnerable to SQL Injection in the file /system/system/admins/assessments/examproper/questions-view.php. |
CVE-2026-36919 | Low | 2.7 | — | 2026-04-13 | Sourcecodester Online Reviewer System v1.0 is vulnerable to SQL Injection in the file /system/system/admins/assessments/examproper/exam-update.php.
Jconti · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-5050 | High | 7.5 | — | 2026-04-16 | The Payment Gateway for Redsys & WooCommerce Lite plugin for WordPress is vulnerable to Improper Verification of Cryptographic Signature in versions up to, and including, 7.0.0 due to successful_request() handlers calculating a local signa… |
CVE-2026-6439 | Medium | 4.4 | — | 2026-04-17 | The VideoZen plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to and including 1.0.1. |
Jetbrains · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-33392 | High | 7.2 | — | 2026-04-17 | In JetBrains YouTrack before 2025.3.131383 high privileged user can achieve RCE via sandbox bypass |
CVE-2026-41153 | Medium | 5.8 | — | 2026-04-17 | In JetBrains Junie before 252.549.29 command execution was possible via malicious project file |
Kimai · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-40479 | Medium | 5.4 | — | 2026-04-17 | Kimai is an open-source time tracking application. |
CVE-2026-40486 | Medium | 4.3 | — | 2026-04-17 | Kimai is an open-source time tracking application. |
Librenms · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-6204 | High | 7.2 | — | 2026-04-13 | LibreNMS versions before 26.3.0 are affected by an authenticated remote code execution vulnerability by abusing the Binary Locations config and the Netcommand feature. |
CVE-2026-2728 | Medium | 4.8 | — | 2026-04-13 | LibreNMS versions before 26.3.0 are affected by an authenticated Cross-site Scripting vulnerability on the showconfig page. |
Livemesh · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-1620 | High | 8.8 | — | 2026-04-16 | The Livemesh Addons for Elementor plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 9.0. |
CVE-2026-1572 | Medium | 6.4 | — | 2026-04-16 | The Livemesh Addons for Elementor plugin for WordPress is vulnerable to unauthorized modification of data and Stored Cross-Site Scripting via plugin settings in all versions up to, and including, 9.0. |
Luanti · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-40959 | Critical | 9.3 | — | 2026-04-16 | Luanti 5 before 5.15.2, when LuaJIT is used, allows a Lua sandbox escape via a crafted mod. |
CVE-2026-40960 | High | 8.1 | — | 2026-04-16 | Luanti 5 before 5.15.2 sometimes allows unintended access to an insecure environment. |
Nimiq · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-32605 | High | 7.5 | — | 2026-04-13 | nimiq/core-rs-albatross is a Rust implementation of the Nimiq Proof-of-Stake protocol based on the Albatross consensus algorithm. |
CVE-2026-34069 | Medium | 5.3 | — | 2026-04-14 | nimiq/core-rs-albatross is a Rust implementation of the Nimiq Proof-of-Stake protocol based on the Albatross consensus algorithm. |
Nozomi Networks · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-40899 | High | 8.9 | — | 2026-04-15 | A Stored Cross-Site Scripting vulnerability was discovered in the Assets and Nodes functionality due to improper validation of an input parameter. |
CVE-2025-40897 | High | 8.1 | — | 2026-04-15 | An access control vulnerability was discovered in the Threat Intelligence functionality due to a specific access restriction not being properly enforced for users with view-only privileges. |
Oauth2-proxy · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-34457 | Critical | 9.1 | — | 2026-04-14 | OAuth2 Proxy is a reverse proxy that provides authentication using OAuth2 providers. |
CVE-2026-34454 | Low | 3.5 | — | 2026-04-14 | OAuth2 Proxy is a reverse proxy that provides authentication using OAuth2 providers. |
Openfind · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-6350 | Critical | 9.8 | — | 2026-04-16 | MailGates/MailAudit developed by Openfind has a Stack-based Buffer Overflow vulnerability, allowing unauthenticated remote attackers to control the program's execution flow and execute arbitrary code. |
CVE-2026-6351 | High | 7.5 | — | 2026-04-16 | MailGates/MailAudit developed by Openfind has a CRLF Injection vulnerability, allowing unauthenticated remote attackers to exploit this vulnerability to read system files. |
Pac4j · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-40459 | High | 8.8 | — | 2026-04-17 | PAC4J is vulnerable to LDAP Injection in multiple methods. |
CVE-2026-40458 | Medium | 6.5 | — | 2026-04-17 | PAC4J is vulnerable to Cross-Site Request Forgery (CSRF). |
Pega · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-1711 | Medium | 4.8 | — | 2026-04-15 | Pega Platform versions 8.1.0 through 25.1.1 are affected by a Stored Cross-Site Scripting vulnerability in a user interface component. |
CVE-2026-1564 | Medium | 4.8 | — | 2026-04-15 | Pega Platform versions 8.1.0 through 25.1.1 are affected by an HTML Injection vulnerability in a user interface component. |
Phpgurukul · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-6193 | High | 7.3 | — | 2026-04-13 | A security flaw has been discovered in PHPGurukul Daily Expense Tracking System 1.1. |
CVE-2026-6162 | Low | 3.5 | — | 2026-04-13 | A vulnerability has been found in PHPGurukul Company Visitor Management System 2.0. |
Prasathmani · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-6497 | Medium | 6.3 | — | 2026-04-17 | A vulnerability was determined in prasathmani TinyFileManager up to 2.6. |
CVE-2026-6496 | Medium | 5.4 | — | 2026-04-17 | A vulnerability was found in prasathmani TinyFileManager up to 2.6. |
Progress Software Corporation · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-8095 | — | — | — | 2026-04-14 | The OECH1 prefix encoding is intended to obfuscate values across the OpenEdge platform. |
CVE-2025-7389 | — | — | — | 2026-04-14 | A vulnerability in the AdminServer component of OpenEdge on all supported platforms grants its authenticated users OS-level access to the server through the adopted authority of the AdminServer process itself. The delegated authority of t… |
Purestorage · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-0209 | — | — | — | 2026-04-14 | Under certain administrative conditions, FlashArray Purity may apply snapshot retention policies earlier or later than configured. |
CVE-2026-0207 | — | — | — | 2026-04-14 | A vulnerability exists in FlashBlade whereby sensitive information may be logged under specific conditions. |
Rapid7 · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-6290 | High | 8.0 | — | 2026-04-15 | Velociraptor versions prior to 0.76.3 contain a vulnerability in the query() plugin which allows access to all orgs with the user's current ACL token. |
CVE-2026-6482 | High | 7.8 | — | 2026-04-17 | The Rapid7 Insight Agent (versions > 4.1.0.2) is vulnerable to a local privilege escalation attack that allows users to gain SYSTEM level control of a Windows host. |
S9y · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-39971 | High | 7.2 | — | 2026-04-15 | Serendipity is a PHP-powered weblog engine. |
CVE-2026-39963 | Medium | 6.9 | — | 2026-04-15 | Serendipity is a PHP-powered weblog engine. |
Sparx Systems Pty Ltd. · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-15622 | — | — | — | 2026-04-17 | Insufficiently Protected Credentials vulnerability in Sparx Systems Pty Ltd. |
CVE-2025-15621 | — | — | — | 2026-04-16 | Insufficiently Protected Credentials in Sparx Systems Pty Ltd. |
Themefusion · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-1509 | Medium | 5.4 | — | 2026-04-15 | The Avada (Fusion) Builder plugin for WordPress is vulnerable to Arbitrary WordPress Action Execution in all versions up to, and including, 3.15.1. |
CVE-2026-1541 | Medium | 4.3 | — | 2026-04-15 | The Avada (Fusion) Builder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.15.1. |
Thymeleaf · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-40478 | Critical | 9.0 | — | 2026-04-17 | Thymeleaf is a server-side Java template engine for web and standalone environments. |
CVE-2026-40477 | Critical | 9.0 | — | 2026-04-17 | Thymeleaf is a server-side Java template engine for web and standalone environments. |
Unisys · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-39907 | Critical | 10.0 | — | 2026-04-14 | Unisys WebPerfect Image Suite versions 3.0.3960.22810 and 3.0.3960.22604 expose an unauthenticated WCF SOAP endpoint on TCP port 1208 that accepts unsanitized file paths in the ReadLicense action's LFName parameter, allowing remote attacke… |
CVE-2026-39906 | Critical | 10.0 | — | 2026-04-14 | Unisys WebPerfect Image Suite versions 3.0.3960.22810 and 3.0.3960.22604 expose a deprecated .NET Remoting TCP channel that allows remote unauthenticated attackers to leak NTLMv2 machine-account hashes by supplying a Windows UNC path as a… |
Unknown · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-3830 | High | 8.6 | — | 2026-04-13 | The Product Filter for WooCommerce by WBW WordPress plugin before 3.1.3 does not sanitize and escape a parameter before using it in a SQL statement, allowing unauthenticated users to perform SQL injection attacks |
CVE-2025-15441 | Medium | 6.8 | — | 2026-04-13 | The Form Maker by 10Web WordPress plugin before 1.15.38 does not properly prepare SQL queries when the "MySQL Mapping" feature is in use, which could make SQL Injection attacks possible in certain contexts. |
Upkeeper Solutions · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-2450 | — | — | — | 2026-04-14 | .NET misconfiguration: use of impersonation vulnerability in upKeeper Solutions upKeeper Instant Privilege Access allows Hijacking a Privileged Thread of Execution. This issue affects upKeeper Instant Privilege Access: through 1.5.0.
CVE-2026-2449 | — | — | — | 2026-04-14 | Improper neutralization of argument delimiters in a command ('argument injection') vulnerability in upKeeper Solutions upKeeper Instant Privilege Access allows Hijacking a Privileged Thread of Execution. This issue affects upKeeper Instant…
Veronalabs · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-5231 | High | 7.2 | — | 2026-04-17 | The WP Statistics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'utm_source' parameter in all versions up to, and including, 14.16.4. |
CVE-2026-3488 | Medium | 6.5 | — | 2026-04-17 | The WP Statistics plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 14.16.4. |
Wger · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-40474 | High | 7.6 | — | 2026-04-17 | wger is a free, open-source workout and fitness manager. |
CVE-2026-40353 | Medium | 5.4 | — | 2026-04-17 | wger is a free, open-source workout and fitness manager. |
Xwiki · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-40104 | High | 8.2 | — | 2026-04-15 | XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. |
CVE-2026-40105 | Medium | 6.1 | — | 2026-04-15 | XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. |
Zohocorp · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-3324 | High | 8.2 | — | 2026-04-16 | Zohocorp ManageEngine Log360 versions 13000 through 13013 are vulnerable to authentication bypass on certain actions due to improper filter configuration. |
CVE-2026-5785 | High | 8.1 | — | 2026-04-16 | Zohocorp ManageEngine PAM360 versions before 8531 and ManageEngine Password Manager Pro versions from 8600 to 13230 are vulnerable to Authenticated SQL injection in the query report module. |
Zte · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-40436 | High | 7.1 | — | 2026-04-13 | The ZTE ZXEDM iEMS product has a password reset vulnerability for any user. Because the management of the cloud EMS portal does not properly control access to the user list acquisition function, attackers can read all user list information…
CVE-2026-40002 | Medium | 5.0 | — | 2026-04-17 | Red Magic 11 Pro (NX809J) contains a vulnerability that allows non-privileged applications to trigger sensitive operations. |
Abb · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-3756 | Medium | 6.5 | — | 2026-04-13 | A vulnerability exists in the command handling of the IEC 61850 communication stack included in the product revisions listed as affected in this CVE. |
Acyba · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-3614 | High | 8.8 | — | 2026-04-16 | The AcyMailing plugin for WordPress is vulnerable to privilege escalation in all versions from 9.11.0 up to, and including, 10.8.1 due to a missing capability check on the `wp_ajax_acymailing_router` AJAX handler.
Adonisjs · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-40255 | Medium | 6.1 | — | 2026-04-16 | AdonisJS HTTP Server is a package for handling HTTP requests in the AdonisJS framework. |
Aerin · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-5694 | High | 7.2 | — | 2026-04-15 | The Quick Interest Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'loan-amount' and 'loan-period' parameters in all versions up to, and including, 3.1.5 due to insufficient input sanitization and output es… |
Agent-zero · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-30624 | High | 8.6 | — | 2026-04-15 | Agent Zero 0.9.8 contains a remote code execution vulnerability in its External MCP Servers configuration feature. |
Aguilatechnologies · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-3464 | High | 8.8 | — | 2026-04-17 | The WP Customer Area plugin for WordPress is vulnerable to arbitrary file read and deletion due to insufficient file path validation in the 'ajax_attach_file' function in all versions up to, and including, 8.3.4. |
Amannn · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-40299 | — | — | — | 2026-04-17 | next-intl provides internationalization for Next.js. |
Amazon · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-6437 | Medium | 6.5 | — | 2026-04-17 | Improper neutralization of argument delimiters in the volume handling component in AWS EFS CSI Driver (aws-efs-csi-driver) before v3.0.1 allows remote authenticated users with PersistentVolume creation permissions to inject arbitrary mount… |
Arcserve · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-40118 | Medium | 6.3 | — | 2026-04-16 | UDP Console provided by Arcserve contains an incorrectly specified destination in a communication channel vulnerability. |
Arnobt78 · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-6492 | Medium | 5.3 | — | 2026-04-17 | A vulnerability was detected in arnobt78 Hotel Booking Management System up to f8922d0e0f6ac1cc761974c7616f44c2bbc04bea. |
Arraytics · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-4109 | Medium | 4.3 | — | 2026-04-14 | The Eventin – Events Calendar, Event Booking, Ticket & Registration (AI Powered) plugin for WordPress is vulnerable to unauthorized access of data due to an improper capability check on the get_item_permissions_check() function in all versi…
Artifex · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-40505 | Low | 3.3 | — | 2026-04-16 | MuPDF before 1.27 contains an ANSI injection vulnerability in mutool that allows attackers to inject arbitrary ANSI escape sequences through crafted PDF metadata fields. |
Auth0 · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-40155 | Medium | 5.4 | — | 2026-04-17 | The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. |
Authzed · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-40091 | Medium | 6.0 | — | 2026-04-15 | SpiceDB is an open source database system for creating and managing security-critical application permissions. |
Aveva · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-5387 | — | — | — | 2026-04-15 | The vulnerability, if exploited, could allow an unauthenticated miscreant to perform operations intended only for Simulator Instructor or Simulator Developer (Administrator) roles, resulting in privilege escalation with potential for modif… |
Backupguard · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-4853 | Medium | 4.9 | — | 2026-04-17 | The JetBackup – Backup, Restore & Migrate plugin for WordPress is vulnerable to Path Traversal leading to Arbitrary Directory Deletion in versions up to and including 3.1.19.8. |
Bappidgreat · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-3659 | Medium | 6.4 | — | 2026-04-15 | The WP Circliful plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' shortcode attribute of the [circliful] shortcode and via multiple shortcode attributes of the [circliful_direct] shortcode in all versions up t… |
Barracuda Networks · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-22676 | High | 7.8 | — | 2026-04-15 | Barracuda RMM versions prior to 2025.2.2 contain a privilege escalation vulnerability that allows local attackers to gain SYSTEM-level privileges by exploiting overly permissive filesystem ACLs on the C:\Windows\Automation directory. |
Bdthemes · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-40745 | High | 7.6 | — | 2026-04-15 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in bdthemes Element Pack Elementor Addons bdthemes-element-pack-lite allows Blind SQL Injection. This issue affects Element Pack Elementor Ad…
Beaver Builder · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-40744 | High | 8.5 | — | 2026-04-15 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Beaver Builder Beaver Builder beaver-builder-lite-version allows Blind SQL Injection. This issue affects Beaver Builder: from n/a through…
Blockart · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-40728 | Medium | 4.3 | — | 2026-04-15 | Missing Authorization vulnerability in BlockArt Magazine Blocks magazine-blocks allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Magazine Blocks: from n/a through <= 1.8.3.
Boidcms · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-39387 | High | 7.2 | — | 2026-04-14 | BoidCMS is an open-source, PHP-based flat-file CMS for building simple websites and blogs, using JSON as its database. |
Bosch · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-33618 | High | 7.5 | — | 2026-04-15 | Uncontrolled Resource Consumption in Bosch VMS Central Server in Bosch VMS 12.0.1 allows attackers to consume excessive amounts of disk space via network interface. |
Bplugins · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-40729 | Medium | 4.3 | — | 2026-04-15 | Missing Authorization vulnerability in bPlugins 3D viewer – Embed 3D Models 3d-viewer allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects 3D viewer – Embed 3D Models: from n/a through <= 1.8.5.
Bytedance · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-40518 | High | 7.1 | — | 2026-04-17 | ByteDance DeerFlow before commit 2176b2b contains a path traversal and arbitrary file write vulnerability in bootstrap-mode custom-agent creation where the agent name validation is bypassed. |
Cartasi · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-15565 | Medium | 5.3 | — | 2026-04-14 | The Nexi XPay plugin for WordPress is vulnerable to unauthorized modification of data due to missing authorization checks on the redirect function in all versions up to, and including, 8.3.0. |
Churchcrm · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-39940 | — | — | — | 2026-04-13 | ChurchCRM is an open-source church management system. |
Cloud Foundry · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-22734 | High | 8.6 | — | 2026-04-17 | Cloud Foundry UAA is vulnerable to a bypass that allows an attacker to obtain a token for any user and gain access to UAA-protected systems.
Cloudark · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-29955 | High | 8.8 | — | 2026-04-13 | The `/registercrd` endpoint in KubePlus 4.14 in the kubeconfiggenerator component is vulnerable to command injection. |
Coachific · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-4005 | Medium | 6.4 | — | 2026-04-15 | The Coachific Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'userhash' shortcode attribute in all versions up to and including 1.0. |
Codeastro · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-6201 | Medium | 5.4 | — | 2026-04-13 | A vulnerability was identified in CodeAstro Online Job Portal 1.0. |
Codesolz · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-3369 | Medium | 5.4 | — | 2026-04-16 | The Better Find and Replace – AI-Powered Suggestions plugin for WordPress is vulnerable to Stored Cross-Site Scripting via uploaded image title in versions up to, and including, 1.7.9 due to insufficient input sanitization and output escap… |
Cohere · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-5752 | Critical | 9.3 | — | 2026-04-14 | Sandbox Escape Vulnerability in Terrarium allows arbitrary code execution with root privileges on a host process via JavaScript prototype chain traversal. |
Colbeinformatik · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-3649 | Medium | 5.3 | — | 2026-04-15 | The Katalogportal PDF Sync plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 1.0.0. |
Crocoblock · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-4352 | High | 7.5 | — | 2026-04-14 | The JetEngine plugin for WordPress is vulnerable to SQL Injection via the Custom Content Type (CCT) REST API search endpoint in all versions up to, and including, 3.8.6.1. |
Cryptomator · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-33472 | Medium | 4.8 | — | 2026-04-16 | Cryptomator is an open-source client-side encryption application for cloud storage. |
Danielmiessler · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-6141 | Medium | 6.3 | — | 2026-04-13 | A vulnerability was determined in danielmiessler Personal_AI_Infrastructure up to 2.3.0. |
Data Recognition Corporation · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-5756 | High | 7.5 | — | 2026-04-14 | Unauthenticated Configuration File Modification Vulnerability in DRC Central Office Services (COS) allows an attacker to modify the server's configuration file, potentially leading to mass data exfiltration, malicious traffic interception… |
Decidim · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-23891 | High | 8.7 | — | 2026-04-13 | Decidim is a participatory democracy framework. |
Deluxethemes · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-53444 | Medium | 4.3 | — | 2026-04-15 | Cross-Site Request Forgery (CSRF) vulnerability in DeluxeThemes Userpro userpro allows Cross Site Request Forgery. This issue affects Userpro: from n/a through < 5.1.11.
Designingmedia · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-15470 | Medium | 6.5 | — | 2026-04-15 | The Eleganzo theme for WordPress is vulnerable to arbitrary directory deletion due to insufficient path validation in the akd_required_plugin_callback function in all versions up to, and including, 1.2. |
Designinvento · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-3489 | High | 7.5 | — | 2026-04-16 | The DirectoryPress – Business Directory And Classified Ad Listing plugin for WordPress is vulnerable to SQL Injection via the 'packages' parameter in versions up to, and including, 3.6.26 due to insufficient escaping on the user supplied p… |
Devitemsllc · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-4059 | Medium | 6.4 | — | 2026-04-14 | The ShopLentor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the woolentor_quickview_button shortcode's button_text attribute in all versions up to, and including, 3.3.5. |
Dgraph · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-40173 | Critical | 9.4 | — | 2026-04-15 | Dgraph is an open source distributed GraphQL database. |
Dgwyer · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-4011 | Medium | 6.4 | — | 2026-04-15 | The Power Charts Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' parameter of the [pc] shortcode in all versions up to, and including, 0.1.0. |
Digital Knowledge · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-5426 | Critical | 9.1 | — | 2026-04-16 | Hard-coded ASP.NET/IIS machineKey value in Digital Knowledge KnowledgeDeliver deployments prior to February 24, 2026 allows adversaries to circumvent ViewState validation mechanisms and achieve remote code execution via malicious ViewState… |
Dolibarr · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-23500 | Critical | 9.1 | — | 2026-04-17 | Dolibarr is an enterprise resource planning (ERP) and customer relationship management (CRM) software package. |
Dynabook Inc. · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-35553 | Medium | 6.7 | — | 2026-04-13 | Bluetooth ACPI Drivers provided by Dynabook Inc. |
Eclipse · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-2332 | High | 7.4 | — | 2026-04-14 | In Eclipse Jetty, the HTTP/1.1 parser is vulnerable to request smuggling when chunk extensions are used, similar to the "funky chunks" techniques outlined here: * https://w4ke.info/2025/06/18/funky-chunks.html * https://w4ke.info/20… |
Emarket-design · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-15636 | Medium | 6.5 | — | 2026-04-15 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in emarket-design YouTube Showcase youtube-showcase allows Stored XSS. This issue affects YouTube Showcase: from n/a through <= 3.5.1.
Essentialplugin · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-6443 | Critical | 9.8 | — | 2026-04-17 | All plugins by Essentialplugin for WordPress are vulnerable to an injected backdoor in various versions. |
Expresstech · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-5797 | Medium | 5.3 | — | 2026-04-17 | The Quiz And Survey Master plugin for WordPress is vulnerable to Arbitrary Shortcode Execution in versions up to and including 11.1.0. |
Extendthemes · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-5427 | Medium | 5.3 | — | 2026-04-17 | The Kubio plugin for WordPress is vulnerable to Arbitrary File Upload in versions up to and including 2.7.2. |
External-secrets · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-34984 | Medium | 6.5 | — | 2026-04-14 | External Secrets Operator reads information from a third-party service and automatically injects the values as Kubernetes Secrets. |
Fahadmahmood · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-3878 | Medium | 6.4 | — | 2026-04-16 | The WP Docs plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wpdocs_options[icon_size]' parameter in all versions up to, and including, 2.2.9 due to insufficient input sanitization and output escaping. |
Farion1231 · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-6143 | Medium | 6.3 | — | 2026-04-13 | A security flaw has been discovered in farion1231 cc-switch up to 3.12.3. |
Festo · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2023-3634 | High | 8.8 | — | 2026-04-16 | In products of the MSE6 product-family by Festo a remote authenticated, low privileged attacker could use functions of undocumented test mode which could lead to a complete loss of confidentiality, integrity and availability. |
Flightbycanto · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-6441 | Medium | 4.3 | — | 2026-04-17 | The Canto plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 3.1.1. |
Flippercode · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-13364 | Medium | 6.4 | — | 2026-04-16 | The WP Maps – Store Locator,Google Maps,OpenStreetMap,Mapbox,Listing,Directory & Filters plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'put_wpgm' shortcode in all versions up to, and including, 4.8.7. |
Flux159 · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-39884 | High | 8.3 | — | 2026-04-15 | mcp-server-kubernetes is a Model Context Protocol server for Kubernetes cluster management. |
Forfront · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-3642 | Medium | 5.3 | — | 2026-04-15 | The e-shot™ form builder plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 1.0.2. |
Foxcpp · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-40193 | High | 8.2 | — | 2026-04-16 | maddy is a composable, all-in-one mail server. |
Foxit Software Inc. · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-5936 | High | 8.5 | — | 2026-04-13 | An attacker can control a server-side HTTP request by supplying a crafted URL, causing the server to initiate requests to arbitrary destinations. |
Fpt Software · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-6179 | — | — | — | 2026-04-13 | Stored Cross Site Scripting in NightWolf Penetration Testing Platform allows an attacker to trigger and run a malicious script in the user's browser |
Futo · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-40096 | Medium | 5.4 | — | 2026-04-15 | immich is a high performance self-hosted photo and video management solution. |
Futtta · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-3299 | Medium | 6.4 | — | 2026-04-16 | The WP YouTube Lyte plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'lyte' shortcode in all versions up to, and including, 1.7.29 due to insufficient input sanitization and output escaping on user supplie… |
Git-for-windows · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-32631 | High | 7.4 | — | 2026-04-15 | Git for Windows is the Windows port of Git. |
Gn_themes · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-3885 | Medium | 6.4 | — | 2026-04-16 | The WP Shortcodes Plugin — Shortcodes Ultimate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'su_box' shortcode in all versions up to, and including, 7.4.9 due to insufficient input sanitization and out… |
Goodoneuz · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-31843 | Critical | 9.8 | — | 2026-04-16 | The goodoneuz/pay-uz Laravel package (<= 2.2.24) contains a critical vulnerability in the /payment/api/editable/update endpoint that allows unauthenticated attackers to overwrite existing PHP payment hook files. |
Google Cloud · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-4810 | — | — | — | 2026-04-13 | A Code Injection and Missing Authentication vulnerability in Google Agent Development Kit (ADK) versions 1.7.0 (and 2.0.0a1) through 1.28.1 (and 2.0.0a2) on Python (OSS), Cloud Run, and GKE allows an unauthenticated remote attacker to exec… |
Gramps-project · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-40258 | Critical | 9.1 | — | 2026-04-17 | The Gramps Web API is a Python REST API for the genealogical research software Gramps. |
Growi, Inc. · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-26291 | Medium | 5.4 | — | 2026-04-15 | Stored cross-site scripting vulnerability exists in GROWI v7.4.6 and earlier. |
Haproxy · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-33555 | Medium | 4.0 | — | 2026-04-13 | An issue was discovered in HAProxy before 3.3.6. |
Hashthemes · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-6370 | Medium | 5.9 | — | 2026-04-15 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in HashThemes Mini Ajax Cart for WooCommerce allows Stored XSS. This issue affects Mini Ajax Cart for WooCommerce: from n/a through 1.3.4. |
Hcl · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-52641 | Low | 2.9 | — | 2026-04-15 | HCL AION is affected by a vulnerability where certain system behaviours may allow exploration of internal filesystem structures. |
Hclsoftware · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-31991 | Medium | 6.8 | — | 2026-04-13 | Rate Limiting for attempting a user login is not being properly enforced, making HCL DevOps Velocity susceptible to brute-force attacks past the unsuccessful login attempt limit. This vulnerability is fixed in 5.1.7. |
Hgiga · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-6349 | Critical | 9.8 | — | 2026-04-16 | The iSherlock developed by HGiga has an OS Command Injection vulnerability, allowing unauthenticated local attackers to inject arbitrary OS commands and execute them on the server. |
Horner Automation · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-6284 | Critical | 9.1 | — | 2026-04-17 | An attacker with network access to the PLC is able to brute force discover passwords to gain unauthorized access to systems and services. |
Hp Inc · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-4682 | — | — | — | 2026-04-15 | Certain HP DeskJet All in One devices may be vulnerable to remote code execution caused by a buffer overflow when specially crafted Web Services for Devices (WSD) scan requests are improperly validated and handled by the MFP. |
Hp Inc. · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-4667 | — | — | — | 2026-04-15 | HP System Optimizer might potentially be vulnerable to escalation of privilege. |
Iandunn · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-3581 | Medium | 5.3 | — | 2026-04-16 | The Basic Google Maps Placemarks plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 1.10.7. |
Iberezansky · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-1314 | Medium | 5.3 | — | 2026-04-15 | The 3D FlipBook – PDF Embedder, PDF Flipbook Viewer, Flipbook Image Gallery plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the send_post_pages_json() function in all versions up to, a… |
Imagination Technologies · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-21733 | High | 7.3 | — | 2026-04-17 | Software installed and run as a non-privileged user may conduct improper GPU system calls to gain write permission to read-only wrapped user-mode memory and files. |
Istio · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-39350 | Medium | 5.4 | — | 2026-04-15 | Istio is an open platform to connect, manage, and secure microservices. |
It-novum · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-24893 | High | 8.8 | — | 2026-04-14 | openITCOCKPIT is an open source monitoring tool built for different monitoring engines. |
Ivole · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-3355 | Medium | 6.1 | — | 2026-04-16 | The Customer Reviews for WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘crsearch’ parameter in all versions up to, and including, 5.101.0 due to insufficient input sanitization and output escaping… |
Jdeguest · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-5088 | High | 7.5 | — | 2026-04-15 | Apache::API::Password versions through 0.5.2 for Perl can generate insecure random values for salts. |
Joedolson · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-40308 | — | — | — | 2026-04-16 | My Calendar is a WordPress plugin for managing calendar events. |
Keras-team · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-1462 | High | 7.8 | — | 2026-04-13 | A vulnerability in the `TFSMLayer` class of the `keras` package, version 3.13.0, allows attacker-controlled TensorFlow SavedModels to be loaded during deserialization of `.keras` models, even when `safe_mode=True`. |
Kimipooh · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-2396 | Medium | 4.4 | — | 2026-04-15 | The List View Google Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the event description in all versions up to, and including, 7.4.3 due to insufficient input sanitization and output escaping. |
Kiuwan · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-24069 | Medium | 5.4 | — | 2026-04-14 | Kiuwan SAST improperly authorizes SSO logins for locally disabled mapped user accounts, allowing disabled users to continue accessing the application. |
Knighthawk · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-5717 | Medium | 6.4 | — | 2026-04-15 | The VI: Include Post By plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'class_container' attribute of the 'include-post-by-cat' shortcode in all versions up to, and including, 0.4.200706 due to insufficient input… |
Kpumuk · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-4032 | Medium | 6.1 | — | 2026-04-16 | The CodeColorer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'class' parameter in 'cc' comment shortcode in versions up to, and including, 0.10.1 due to insufficient input sanitization and output escaping. |
Latepoint · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-5234 | Medium | 5.3 | — | 2026-04-17 | The LatePoint plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.3.2. |
Leafletjs · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-69993 | Medium | 6.1 | — | 2026-04-14 | Leaflet versions up to and including 1.9.4 are vulnerable to Cross-Site Scripting (XSS) via the bindPopup() method. |
Lfprojects · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-40090 | High | 7.1 | — | 2026-04-15 | Zarf is an Airgap Native Packager Manager for Kubernetes. |
Libcoap · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-29013 | Critical | 9.8 | — | 2026-04-17 | libcoap contains out-of-bounds read vulnerabilities in OSCORE Appendix B.2 CBOR unwrap handling where get_byte_inc() in src/oscore/oscore_cbor.c relies solely on assert() for bounds checking, which is removed in release builds compiled wit… |
Libexpat Project · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-41080 | Low | 2.9 | — | 2026-04-16 | libexpat before 2.8.0 uses insufficient entropy, and thus hash flooding can occur via a crafted XML document. |
Linuxfoundation · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-39984 | Medium | 5.5 | — | 2026-04-15 | Sigstore Timestamp Authority is a service for issuing RFC 3161 timestamps. |
Long Watch Studio · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-40786 | Medium | 4.3 | — | 2026-04-15 | Missing Authorization vulnerability in Long Watch Studio MyRewards woorewards allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects MyRewards: from n/a through <= 5.7.3. |
Lukevella · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-6493 | Low | 3.5 | — | 2026-04-17 | A flaw has been found in lukevella rallly up to 4.7.4. |
Ly Corporation · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-3861 | Medium | 6.5 | — | 2026-04-16 | LINE client for iOS versions prior to 26.3.0 contains a vulnerability in the in-app browser where opening a crafted web page can repeatedly trigger OS-level dialogs due to insufficient safeguards when handling arbitrary URL schemes, potent… |
Mafintosh · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-5758 | Medium | 6.5 | — | 2026-04-15 | JavaScript is vulnerable to prototype pollution in Mafintosh's protocol-buffers-schema Version 3.6.0, where an attacker may alter the application logic, bypass security checks, cause a DoS or achieve remote code execution. |
Mahmudul Hasan Arif · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-40784 | High | 8.1 | — | 2026-04-15 | Authorization Bypass Through User-Controlled Key vulnerability in Mahmudul Hasan Arif FluentBoards fluent-boards allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects FluentBoards: from n/a through <= 1… |
Majestic Support · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-40778 | Medium | 5.3 | — | 2026-04-15 | Missing Authorization vulnerability in Majestic Support Majestic Support majestic-support allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Majestic Support: from n/a through <= 1.1.2. |
Maradns · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-40719 | High | 7.5 | — | 2026-04-15 | Deadwood in MaraDNS 3.5.0036 allows attackers to exhaust connection slots via a zone whose authoritative nameserver address cannot be resolved. |
Marcobambini · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-40504 | Critical | 9.8 | — | 2026-04-16 | Creolabs Gravity before 0.9.6 contains a heap buffer overflow vulnerability in the gravity_vm_exec function that allows attackers to write out-of-bounds memory by crafting scripts with many string literals at global scope. |
Mcphub · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-13822 | Medium | 5.3 | — | 2026-04-14 | MCPHub in versions below 0.11.0 is vulnerable to authentication bypass. |
Mcrawfor · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-5085 | Critical | 9.1 | — | 2026-04-13 | Solstice::Session versions through 1440 for Perl generates session ids insecurely. |
Microchip · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-2336 | — | — | — | 2026-04-16 | A privilege escalation vulnerability in Microchip IStaX allows an authenticated low-privileged user to recover a shared per-device cookie secret from their own webstax_auth session cookie and forge a new cookie with administrative privileg… |
Miniupnp Project · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-5720 | Critical | 9.1 | — | 2026-04-17 | miniupnpd contains an integer underflow vulnerability in SOAPAction header parsing that allows remote attackers to cause a denial of service or information disclosure by sending a malformed SOAPAction header with a single quote. |
Mobatek · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-6421 | High | 7.0 | — | 2026-04-17 | A vulnerability has been found in Mobatek MobaXterm Home Edition up to 26.1. |
Moby · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-35469 | Medium | 6.5 | — | 2026-04-16 | spdystream is a Go library for multiplexing streams over SPDY connections. |
Monetr · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-40481 | High | 7.5 | — | 2026-04-17 | monetr is a budgeting application for recurring expenses. |
Mongodb · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-6231 | Medium | 4.3 | — | 2026-04-13 | The bson_validate function may return early on specific inputs and incorrectly report success. |
Nelio Software · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-40742 | Medium | 5.3 | — | 2026-04-15 | Missing Authorization vulnerability in Nelio Software Nelio AB Testing nelio-ab-testing allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Nelio AB Testing: from n/a through <= 8.2.8. |
Neo4j-contrib · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-35402 | — | — | — | 2026-04-17 | mcp-neo4j-cypher is an MCP server for executing Cypher queries against Neo4j databases. |
Nerdvana · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-5086 | High | 7.5 | — | 2026-04-13 | Crypt::SecretBuffer versions before 0.019 for Perl is susceptible to timing attacks. |
Nghttp2 · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-40170 | High | 7.5 | — | 2026-04-16 | ngtcp2 is a C implementation of the IETF QUIC protocol. |
Nocobase · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-6224 | High | 7.3 | — | 2026-04-13 | A security flaw has been discovered in nocobase plugin-workflow-javascript up to 2.0.23. |
Nomios Poland · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-5131 | — | — | — | 2026-04-17 | GREENmod uses named pipes for communication between plugins, the web portal, and the system service, but the access control lists for these pipes are configured incorrectly. |
Nuget · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-39399 | Critical | 9.6 | — | 2026-04-14 | NuGet Gallery is a package repository that powers nuget.org. |
Ocaml · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-41082 | High | 7.3 | — | 2026-04-16 | In OCaml opam before 2.5.1, a .install field containing a destination filepath can use ../ to reach a parent directory. |
Omron Social Solutions Co., Ltd. · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-5397 | High | 7.8 | — | 2026-04-15 | It has been identified that a vulnerability (CWE-427) exists in the UPS (Uninterruptible Power Supply) management application, whereby improper permissions on the installation directory allow a malicious actor to place a DLL that is then e… |
Onesignal · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-3155 | Low | 3.1 | — | 2026-04-16 | The OneSignal – Web Push Notifications plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 3.8.0. |
Onlineada · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-3773 | Medium | 6.5 | — | 2026-04-16 | The Accessibility Suite by Ability, Inc plugin for WordPress is vulnerable to SQL Injection via the 'scan_id' parameter in all versions up to, and including, 4.20. |
Onlineoptimisation · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-2840 | Medium | 6.4 | — | 2026-04-16 | The Email Encoder – Protect Email Addresses and Phone Numbers plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'eeb_mailto' shortcode in all versions up to, and including, 2.4.4 due to insufficient input sanitizati… |
Onthemapmarketing · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-3643 | High | 7.2 | — | 2026-04-15 | The Accessibly plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the REST API in all versions up to, and including, 3.0.3. |
Open-webui · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-34225 | Medium | 4.3 | — | 2026-04-14 | Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. |
Opencryptoki · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-40253 | Medium | 6.8 | — | 2026-04-16 | openCryptoki is a PKCS#11 library and provides tooling for Linux and AIX. |
Openfga · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-40293 | Medium | 6.5 | — | 2026-04-17 | OpenFGA is an authorization/permission engine built for developers. |
Openproject · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-33667 | High | 7.4 | — | 2026-04-15 | OpenProject is an open-source project management application. |
Openremote · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-39842 | Critical | 9.9 | — | 2026-04-15 | OpenRemote is an open-source IoT platform. |
Openstack · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-40683 | High | 7.7 | — | 2026-04-14 | In OpenStack Keystone before 28.0.1, the LDAP identity backend does not convert the user enabled attribute to a boolean when the user_enabled_invert configuration option is False (the default). |
Opentext, Inc · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-15610 | — | — | — | 2026-04-15 | The .NET Remoting framework used by OpenText Fax (RightFax) includes known security vulnerabilities that could be exploited if the service is exposed in environments where the remoting ports are accessible. |
Owasp · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-40316 | High | 8.8 | — | 2026-04-15 | OWASP BLT is a QA testing and vulnerability disclosure platform that encompasses websites, apps, git repositories, and more. |
Owen · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-1555 | Critical | 9.8 | — | 2026-04-15 | The WebStack theme for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the io_img_upload() function in all versions up to, and including, 1.2024. |
Pancho · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-40043 | Medium | 6.5 | — | 2026-04-13 | Pachno 1.0.6 contains an authentication bypass vulnerability in the runSwitchUser() action that allows authenticated low-privilege users to escalate privileges by manipulating the original_username cookie. |
Petjeaf · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-4002 | Medium | 4.3 | — | 2026-04-15 | The Petje.af plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 2.1.8. |
Plisio · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-6372 | High | 7.5 | — | 2026-04-15 | Missing Authorization vulnerability in Plisio Accept Cryptocurrencies with Plisio allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Accept Cryptocurrencies with Plisio: from n/a through 2.0.5. |
Poporon · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-2434 | Medium | 6.4 | — | 2026-04-17 | The Pz-LinkCard plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'blogcard' shortcode attributes in all versions up to, and including, 2.5.8.1 due to insufficient input sanitization and output escaping. |
Processwire · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-40500 | Medium | 6.8 | — | 2026-04-15 | ProcessWire CMS version 3.0.255 and prior contain a server-side request forgery vulnerability in the admin panel's 'Add Module From URL' feature that allows authenticated administrators to supply arbitrary URLs to the module download param… |
Prometheus · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-40179 | Medium | 6.1 | — | 2026-04-15 | Prometheus is an open-source monitoring system and time series database. |
Properfraction · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-4949 | Medium | 4.3 | — | 2026-04-15 | The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 4.16.12. |
Protocol Buffers · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-6409 | — | — | — | 2026-04-16 | A Denial of Service (DoS) vulnerability exists in the Protobuf PHP library during the parsing of untrusted input. |
Py-pdf · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-40260 | Medium | 5.3 | — | 2026-04-17 | pypdf is a free and open-source pure-python PDF library. |
Python · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-40192 | High | 7.5 | — | 2026-04-15 | Pillow is a Python imaging library. |
Qihui · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-6487 | Medium | 4.3 | — | 2026-04-17 | A flaw has been found in Qihui jtbc5 CMS 5.0.3.6. |
Quantgeekdev · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-39313 | — | — | — | 2026-04-16 | mcp-framework is a framework for building Model Context Protocol (MCP) servers. |
Radware · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-5754 | Medium | 6.1 | — | 2026-04-14 | Reflected Cross-Site Scripting (XSS) Vulnerability in Radware Alteon 34.5.4.0 vADC load-balancer allows an attacker to inject malicious scripts into the website, potentially leading to unauthorized actions, data theft, or other malicious a… |
Rafasashi · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-3551 | Medium | 4.4 | — | 2026-04-16 | The Custom New User Notification plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's admin settings in all versions up to, and including, 1.2.0. |
Rhukster · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-40301 | Medium | 4.7 | — | 2026-04-17 | DOMSanitizer is a DOM/SVG/MathML Sanitizer for PHP 7.3+. |
Royalnavneet · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-5617 | High | 8.8 | — | 2026-04-15 | The Login as User plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.0.3. |
Ruby · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-27820 | Critical | 9.8 | — | 2026-04-16 | zlib is a Ruby interface for the zlib compression/decompression library. |
Sagredo · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-41113 | High | 8.1 | — | 2026-04-16 | sagredo qmail before 2026.04.07 allows tls_quit remote code execution because of popen in notlshosts_auto in qmail-remote.c. |
Sailpoint Technologies · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-4857 | High | 8.4 | — | 2026-04-15 | IdentityIQ 8.5, all IdentityIQ 8.5 patch levels prior to 8.5p2, IdentityIQ 8.4, and all IdentityIQ 8.4 patch levels prior to 8.4p4 allow authenticated users assigned the Debug Pages Read Only capability or any custom capability with the Vi… |
Samba · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-41035 | High | 7.4 | — | 2026-04-16 | In rsync 3.0.1 through 3.4.1, receive_xattr relies on an untrusted length value during a qsort call, leading to a receiver use-after-free. |
Shahinurislam · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-14868 | High | 8.8 | — | 2026-04-16 | The Career Section plugin for WordPress is vulnerable to Cross-Site Request Forgery leading to Path Traversal and Arbitrary File Deletion in all versions up to, and including, 1.6. |
Shapedplugin · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-3017 | High | 7.2 | — | 2026-04-14 | The Smart Post Show – Post Grid, Post Carousel & Slider, and List Category Posts plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.0.12 via deserialization of untrusted input in the import_s… |
Silverstripe · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-24749 | Medium | 5.3 | — | 2026-04-16 | The Silverstripe Assets Module is a required component of Silverstripe Framework. |
Simopro Technology · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-6348 | High | 8.8 | — | 2026-04-16 | WinMatrix agent developed by Simopro Technology has a Missing Authentication vulnerability, allowing authenticated local attackers to execute arbitrary code with SYSTEM privileges on the local machine as well as on all hosts within the env… |
Simple-git_project · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-28291 | High | 8.1 | — | 2026-04-13 | simple-git enables running native Git commands from JavaScript. |
Siteorigin · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-5070 | Medium | 6.4 | — | 2026-04-16 | The Vantage theme for WordPress is vulnerable to Stored Cross-Site Scripting via Gallery block text content in versions up to, and including, 1.20.32 due to insufficient output escaping in the gallery template. |
Snowflake · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-6442 | High | 8.3 | — | 2026-04-16 | Improper validation of bash commands in Snowflake Cortex Code CLI versions prior to 1.0.25 allowed subsequent commands to execute outside the sandbox. |
Sonatype · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-5189 | — | — | — | 2026-04-15 | CWE-798: Use of Hard-coded Credentials in Sonatype Nexus Repository Manager versions 3.0.0 through 3.70.5 allows an unauthenticated attacker with network access to gain unauthorized read/write access to the internal database and execute ar… |
Specialk · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-3876 | High | 7.2 | — | 2026-04-16 | The Prismatic plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'prismatic_encoded' pseudo-shortcode in all versions up to, and including, 3.7.3. |
Stirlingpdf · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-33436 | Low | 3.1 | — | 2026-04-17 | Stirling-PDF is a locally hosted web application that facilitates various operations on PDF files. |
Stylemix · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-4817 | Medium | 6.5 | — | 2026-04-17 | The MasterStudy LMS WordPress Plugin for Online Courses and Education plugin for WordPress is vulnerable to Time-based Blind SQL Injection via the 'order' and 'orderby' parameters in the /lms/stm-lms/order/items REST API endpoint in versio… |
Surbma · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-1607 | Medium | 6.4 | — | 2026-04-14 | The Surbma \| Booking.com Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `surbma-bookingcom` shortcode in all versions up to, and including, 2.1 due to insufficient input sanitization and output… |
Syed Balkhi · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-40764 | High | 8.1 | — | 2026-04-15 | Cross-Site Request Forgery (CSRF) vulnerability in Syed Balkhi Contact Form by WPForms wpforms-lite allows Cross Site Request Forgery. This issue affects Contact Form by WPForms: from n/a through <= 1.10.0.2. |
Sysadminsmedia · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-40196 | High | 8.1 | — | 2026-04-17 | HomeBox is a home inventory and organization system. |
Talend · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-6264 | Critical | 9.8 | — | 2026-04-14 | A critical vulnerability in the Talend JobServer and Talend Runtime allows unauthenticated remote code execution via the JMX monitoring port. |
Techjewel · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-4160 | Medium | 5.3 | — | 2026-04-16 | The Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder plugin for WordPress is vulnerable to Insecure Direct Object Reference via the 'submission_id' parameter in versions up to, and including, 6.1.21. |
Themegrill · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-40730 | Medium | 5.3 | — | 2026-04-15 | Missing Authorization vulnerability in ThemeGrill ThemeGrill Demo Importer themegrill-demo-importer allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects ThemeGrill Demo Importer: from n/a through <= 2… |
Thimpress · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-4365 | Critical | 9.1 | — | 2026-04-14 | The LearnPress plugin for WordPress is vulnerable to unauthorized data deletion due to a missing capability check on the `delete_question_answer()` function in all versions up to, and including, 4.3.2.8. |
Tholstkabelbwde · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-6451 | Medium | 4.3 | — | 2026-04-17 | The cms-fuer-motorrad-werkstaetten plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to and including 1.0.0. |
Tokenoftrust · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-2834 | High | 7.2 | — | 2026-04-15 | The Age Verification & Identity Verification by Token of Trust plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'description' parameter in all versions up to, and including, 3.32.3 due to insufficient input sanitiz… |
Tomdever · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-4666 | Medium | 6.5 | — | 2026-04-17 | The wpForo Forum plugin for WordPress is vulnerable to unauthorized modification of data due to the use of `extract($args, EXTR_OVERWRITE)` on user-controlled input in the `edit()` method of `classes/Posts.php` in all versions up to, and i… |
Tp-link · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-5363 | High | 8.8 | — | 2026-04-16 | Inadequate Encryption Strength vulnerability in TP-Link Archer C7 v5 and v5.8 (uhttpd modules) allows Password Recovery Exploitation. The web interface encrypts the admin password client-side using RSA-1024 before sending it to the router… |
Tushar-2223 · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-6142 | High | 7.3 | — | 2026-04-13 | A vulnerability was identified in tushar-2223 Hotel Management System up to bb1f3b3666124b888f1e4bcf51b6fba9fbb01d15. |
Uclouvain · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-6192 | Low | 3.3 | — | 2026-04-13 | A vulnerability was identified in uclouvain openjpeg up to 2.5.4. |
Udamadu · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-6293 | Medium | 4.3 | — | 2026-04-15 | The Inquiry Form to Posts or Pages plugin for WordPress is vulnerable to Cross-Site Request Forgery leading to Stored Cross-Site Scripting in version 1.0. |
Ukrsolution · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-4880 | Critical | 9.8 | — | 2026-04-16 | The Barcode Scanner (+Mobile App) – Inventory manager, Order fulfillment system, POS (Point of Sale) plugin for WordPress is vulnerable to privilege escalation via insecure token-based authentication in all versions up to, and including, 1… |
Unitecms · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-4659 | High | 7.5 | — | 2026-04-17 | The Unlimited Elements for Elementor plugin for WordPress is vulnerable to Arbitrary File Read via the Repeater JSON/CSV URL parameter in versions up to, and including, 2.0.6. |
Utt · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-6186 | High | 8.8 | — | 2026-04-13 | A security vulnerability has been detected in UTT HiPER 1200GW up to 2.5.3-170306. |
Valtimo-platform · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-34164 | Medium | 4.9 | — | 2026-04-16 | Valtimo is an open-source business process automation platform. |
Veeam · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-21709 | Medium | 6.7 | — | 2026-04-17 | A vulnerability allowing a local attacker with administrator privileges to bypass Windows Driver Signature Enforcement. |
Vendidero · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-2582 | Medium | 6.5 | — | 2026-04-14 | The Germanized for WooCommerce plugin for WordPress is vulnerable to arbitrary shortcode execution via the 'account_holder' parameter in all versions up to, and including, 3.20.5. |
Villatheme · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-40737 | Medium | 5.3 | — | 2026-04-15 | Authorization Bypass Through User-Controlled Key vulnerability in VillaTheme COMPE compe-woo-compare-products allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects COMPE: from n/a through <= 1.1.4. |
Visaacceptancesolutions · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-3461 | Critical | 9.8 | — | 2026-04-15 | The Visa Acceptance Solutions plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 2.1.0. |
Vision · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2024-58343 | Medium | 4.3 | — | 2026-04-16 | Vision Helpdesk before 5.7.0 (patched in 5.6.10) allows attackers to read user profiles via modified serialized cookie data to vis_client_id. |
Volcengine · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-40525 | Critical | 9.1 | — | 2026-04-17 | OpenViking prior to version 0.3.9 contains an authentication bypass vulnerability in the VikingBot OpenAPI HTTP route surface where the authentication check fails open when the api_key configuration value is unset or empty. |
Wago · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2023-5872 | Medium | 4.3 | — | 2026-04-16 | In Wago Smart Designer in versions up to 2.33.1, a low privileged remote attacker may enumerate projects and usernames through iterative requests to a specific endpoint. |
Wavlink · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-6483 | High | 7.2 | — | 2026-04-17 | A vulnerability was found in Wavlink WL-WN530H4 20220721. |
Wc Lovers · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-63029 | High | 7.6 | — | 2026-04-15 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WC Lovers WCFM Marketplace wc-multivendor-marketplace allows SQL Injection. This issue affects WCFM Marketplace: from n/a through <= 3.7.1. |
Webmindpt · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-3998 | Medium | 6.4 | — | 2026-04-15 | The WM JqMath plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'style' shortcode attribute of the [jqmath] shortcode in all versions up to and including 1.3. |
Webonyx · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-40476 | High | 7.5 | — | 2026-04-17 | graphql-go is a Go implementation of GraphQL. |
Woobeewoo · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-1852 | Medium | 6.1 | — | 2026-04-15 | The Product Pricing Table by WooBeWoo plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.0. |
Wp Royal · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-40763 | Medium | 5.3 | — | 2026-04-15 | Missing Authorization vulnerability in WP Royal Royal Elementor Addons royal-elementor-addons allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Royal Elementor Addons: from n/a through <= 1.7.1056. |
Wp_media · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-6227 | High | 7.2 | — | 2026-04-14 | The BackWPup plugin for WordPress is vulnerable to Local File Inclusion via the `block_name` parameter of the `/wp-json/backwpup/v1/getblock` REST endpoint in all versions up to, and including, 5.6.6 due to a non-recursive `str_replace()`… |
Wpcodefactory · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-4479 | Medium | 4.4 | — | 2026-04-14 | The WholeSale Products Dynamic Pricing Management WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.2 due to insufficient input sanitization and output… |
Wpdevteam · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-3875 | Medium | 6.4 | — | 2026-04-16 | The BetterDocs plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'betterdocs_feedback_form' shortcode in all versions up to, and including, 4.3.8. |
Wpengine · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-4812 | Medium | 5.3 | — | 2026-04-15 | The Advanced Custom Fields (ACF) plugin for WordPress is vulnerable to Missing Authorization to Arbitrary Post/Page Disclosure in versions up to and including 6.7.0. |
Wpeverest · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-6203 | Medium | 6.1 | — | 2026-04-13 | The User Registration & Membership plugin for WordPress is vulnerable to Open Redirect in versions up to and including 5.1.4. |
Wpmet · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-1782 | Medium | 5.3 | — | 2026-04-15 | The MetForm Pro plugin for WordPress is vulnerable to Improper Input Validation in all versions up to, and including, 3.9.7. This is due to the payment integrations (Stripe/PayPal) trusting a user-submitted calculation field value without… |
Wproyal · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-5162 | Medium | 6.4 | — | 2026-04-17 | The Royal Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Instagram Feed widget's 'instagram_follow_text' setting in all versions up to, and including, 1.7.1056 due to insufficient input sanit… |
Wpxpo · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-0718 | Medium | 5.3 | — | 2026-04-16 | The Post Grid Gutenberg Blocks for News, Magazines, Blog Websites – PostX plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ultp_shareCount_callback() function in all versions… |
Xquic Project · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-6328 | — | — | — | 2026-04-15 | Improper input validation, Improper verification of cryptographic signature vulnerability in XQUIC Project XQUIC xquic on Linux (QUIC protocol implementation, packet processing module, STREAM frame handler modules) allows Protocol Manipula… |
Yubico · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-40947 | Low | 2.9 | — | 2026-04-16 | Yubico libfido2 before 1.17.0, python-fido2 before 2.2.0, and yubikey-manager before 5.9.1 have an unintended DLL search path. |
Zahlan · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-40734 | Medium | 6.5 | — | 2026-04-15 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Zahlan Categories Images categories-images allows DOM-Based XSS. This issue affects Categories Images: from n/a through <= 3.3.1. |
Zaytech · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-15635 | Medium | 4.3 | — | 2026-04-15 | Cross-Site Request Forgery (CSRF) vulnerability in ZAYTECH Smart Online Order for Clover clover-online-orders allows Cross Site Request Forgery. This issue affects Smart Online Order for Clover: from n/a through <= 1.6.0. |