CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
Summary: 220 total, of which 14 critical, 71 high and 65 medium.
| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2025-12886 | HIGH | 7.2 | The Oxygen Theme theme for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 6.0.8 via the laborator_calc_route AJAX action. … | Mar 28, 2026 |
| CVE-2026-4987 | HIGH | 7.5 | The SureForms – Contact Form, Payment Form & Other Custom Form Builder plugin for WordPress is vulnerable to Payment Amount Bypass in all versions up … | Mar 28, 2026 |
| CVE-2026-1679 | HIGH | 7.3 | The eswifi socket offload driver copies user-provided payloads into a fixed buffer without checking available space; oversized sends overflow `eswifi->buf`, corrupting kernel memory (CWE-120). Exploit … | Mar 28, 2026 |
| CVE-2026-4992 | MEDIUM | 4.3 | A flaw has been found in wandb OpenUI up to 1.0. This affects the function create_share/get_share of the file backend/openui/server.py of the component HTMLAnnotator Component. … | Mar 27, 2026 |
| CVE-2026-4991 | LOW | 3.5 | A vulnerability was detected in QDOCS Smart School Management System up to 7.2. The impacted element is an unknown function of the file /admin/enquiry of … | Mar 27, 2026 |
| CVE-2026-4248 | HIGH | 8.0 | The Ultimate Member plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.11.2. This is due to the … | Mar 27, 2026 |
| CVE-2026-33996 | UNKNOWN | — | LibJWT is a C JSON Web Token Library. Starting in version 3.0.0 and prior to version 3.3.0, the JWK parsing for RSA-PSS did not protect … | Mar 27, 2026 |
| CVE-2026-33994 | UNKNOWN | — | Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Starting in version 2.0.39 and prior to version 3.0.25, a prototype pollution vulnerability … | Mar 27, 2026 |
| CVE-2026-33993 | UNKNOWN | — | Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Prior to version 3.0.25, the `unserialize()` function in `locutus/php/var/unserialize` assigns deserialized keys to … | Mar 27, 2026 |
| CVE-2026-33992 | UNKNOWN | — | pyLoad is a free and open-source download manager written in Python. Prior to version 0.5.0b3.dev97, PyLoad's download engine accepts arbitrary URLs without validation, enabling Server-Side … | Mar 27, 2026 |
| CVE-2026-33991 | HIGH | 8.8 | WeGIA is a web manager for charitable institutions. Prior to version 3.6.7, the file `html/socio/sistema/deletar_tag.php` uses `extract($_REQUEST)` on line 14 and directly concatenates the `$id_tag` … | Mar 27, 2026 |
| CVE-2026-33936 | MEDIUM | 5.3 | The `ecdsa` PyPI package is a pure Python implementation of ECC (Elliptic Curve Cryptography) with support for ECDSA (Elliptic Curve Digital Signature Algorithm), EdDSA (Edwards-curve … | Mar 27, 2026 |
| CVE-2026-4990 | HIGH | 7.3 | A security vulnerability has been detected in chatwoot up to 4.11.1. The affected element is an unknown function of the file /app/login of the component … | Mar 27, 2026 |
| CVE-2026-4988 | LOW | 3.7 | A security flaw has been discovered in Open5GS 2.7.6. This issue affects the function smf_gx_cca_cb/smf_gy_cca_cb/smf_s6b of the component CCA Message Handler. The manipulation results in … | Mar 27, 2026 |
| CVE-2026-4985 | MEDIUM | 4.3 | A vulnerability was identified in dloebl CGIF up to 0.5.2. This vulnerability affects the function cgif_addframe of the file src/cgif.c of the component GIF Image … | Mar 27, 2026 |
| CVE-2026-34226 | HIGH | 7.5 | Happy DOM is a JavaScript implementation of a web browser without its graphical user interface. Versions prior to 20.8.9 may attach cookies from the current … | Mar 27, 2026 |
| CVE-2026-33989 | HIGH | 8.1 | Mobile Next is an MCP server for mobile development and automation. Prior to version 0.0.49, the `@mobilenext/mobile-mcp` server contains a Path Traversal vulnerability in the … | Mar 27, 2026 |
| CVE-2026-33981 | UNKNOWN | — | changedetection.io is a free open source web page change detection tool. Prior to 0.54.7, the `jq:` and `jqraw:` include filter expressions allow use of the … | Mar 27, 2026 |
| CVE-2026-33980 | HIGH | 8.3 | Azure Data Explorer MCP Server is a Model Context Protocol (MCP) server that enables AI assistants to execute KQL queries and explore Azure Data Explorer … | Mar 27, 2026 |
| CVE-2026-33979 | HIGH | 8.2 | Express XSS Sanitizer is Express 4.x and 5.x middleware which sanitizes user input data (in req.body, req.query, req.headers and req.params) to prevent Cross Site Scripting … | Mar 27, 2026 |
| CVE-2026-33976 | CRITICAL | 9.6 | Notesnook is a note-taking app. Prior to version 3.3.11 on Web/Desktop and 3.3.17 on Android/iOS, a stored XSS in the Web Clipper rendering flow can … | Mar 27, 2026 |
| CVE-2026-33955 | HIGH | 8.6 | Notesnook is a note-taking app. Prior to version 3.3.11 on Web/Desktop, a cross-site scripting vulnerability stored in the note history comparison viewer can escalate to … | Mar 27, 2026 |
| CVE-2026-33954 | MEDIUM | 6.5 | LinkAce is a self-hosted archive to collect website links. In versions prior to 2.5.3, a private note attached to a non-private link can be disclosed … | Mar 27, 2026 |
| CVE-2026-33953 | HIGH | 8.5 | LinkAce is a self-hosted archive to collect website links. Versions prior to 2.5.3 block direct requests to private IP literals, but still perform server-side requests … | Mar 27, 2026 |
| CVE-2026-33946 | UNKNOWN | — | MCP Ruby SDK is the official Ruby SDK for Model Context Protocol servers and clients. Prior to version 0.9.2, the Ruby SDK's streamable_http_transport.rb implementation contains … | Mar 27, 2026 |