CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
| Total | Critical | High | Medium |
|---|---|---|---|
| 10692 | 727 | 3080 | 3407 |
| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-32604 | CRITICAL | 9.9 | Spinnaker is an open source, multi-cloud continuous delivery platform. In versions prior to 2026.1.0, 2026.0.1, 2025.4.2, and 2025.3.2, a bad actor can execute arbitrary commands … | Apr 20, 2026 |
| CVE-2026-29648 | UNKNOWN | — | In OpenXiangShan NEMU, when Smstateen is enabled, clearing mstateen0.ENVCFG does not correctly restrict access to henvcfg and senvcfg. As a result, less-privileged code may read … | Apr 20, 2026 |
| CVE-2026-29647 | UNKNOWN | — | In OpenXiangShan NEMU, insufficient Smstateen permission enforcement allows lower-privileged code to access IMSIC state via stopei/vstopei CSRs even when mstateen0.IMSIC is cleared, potentially enabling cross-context … | Apr 20, 2026 |
| CVE-2026-29646 | UNKNOWN | — | In OpenXiangShan NEMU prior to 55295c4, when running with RVH (Hypervisor extension) enabled, a VS-mode guest write to the supervisor interrupt-enable CSR (sie) may be … | Apr 20, 2026 |
| CVE-2026-29642 | UNKNOWN | — | A local attacker who can execute privileged CSR operations (or can induce firmware to do so) performs carefully crafted reads/writes to menvcfg (e.g., csrrs in … | Apr 20, 2026 |
| CVE-2026-6550 | MEDIUM | 4.7 | Cryptographic algorithm downgrade in the caching layer of Amazon AWS Encryption SDK for Python before version 3.3.1 and before version 4.0.5 might allow an authenticated … | Apr 20, 2026 |
| CVE-2026-6257 | CRITICAL | 9.1 | Vvveb CMS v1.0.8 contains a remote code execution vulnerability in its media management functionality where a missing return statement in the file rename handler allows … | Apr 20, 2026 |
| CVE-2026-6249 | HIGH | 8.8 | Vvveb CMS 1.0.8 contains a remote code execution vulnerability in its media upload handler that allows authenticated attackers to execute arbitrary operating system commands by … | Apr 20, 2026 |
| CVE-2026-5478 | HIGH | 8.1 | The Everest Forms plugin for WordPress is vulnerable to Arbitrary File Read and Deletion in all versions up to, and including, 3.4.4. This is due … | Apr 20, 2026 |
| CVE-2026-32311 | UNKNOWN | — | Flowsint is an open-source OSINT graph exploration tool designed for cybersecurity investigation, transparency, and verification. Flowsint allows a user to create investigations, which are used … | Apr 20, 2026 |
| CVE-2026-32135 | UNKNOWN | — | NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Platform. Versions prior to 0.24.11 have a remotely triggerable heap buffer overflow in the `uri_param_parse` function … | Apr 20, 2026 |
| CVE-2026-29649 | UNKNOWN | — | NEMU contains an implementation flaw in its RISC-V Hypervisor CSR handling where henvcfg[7:4] (CBIE/CBCFE/CBZE-related fields) is incorrectly masked/updated based on menvcfg[7:4], so a machine-mode write … | Apr 20, 2026 |
| CVE-2026-29645 | UNKNOWN | — | NEMU (OpenXiangShan/NEMU) before v2025.12.r2 contains an improper instruction-validation flaw in its RISC-V Vector (RVV) decoder. The decoder does not correctly validate the funct3 field when … | Apr 20, 2026 |
| CVE-2026-6248 | HIGH | 8.1 | The wpForo Forum plugin for WordPress is vulnerable to Arbitrary File Deletion in versions up to and including 3.0.5. This is due to two compounding … | Apr 20, 2026 |
| CVE-2026-6060 | MEDIUM | 4.5 | A vulnerability in the SQL Box in the admin interface of OTRS leads to an uncontrolled resource consumption leading to a DoS against the webserver. … | Apr 20, 2026 |
| CVE-2025-11249 | UNKNOWN | — | Rejected reason: This CVE id was assigned as a duplicate of CVE-2025-66414. | Apr 20, 2026 |
| CVE-2026-41389 | MEDIUM | 5.8 | OpenClaw versions 2026.4.7 before 2026.4.15 fail to enforce local-root containment on tool-result media paths, allowing arbitrary local and UNC file access. Attackers can craft malicious … | Apr 20, 2026 |
| CVE-2026-39112 | MEDIUM | 5.4 | Cross Site Scripting vulnerability in Apartment Visitors Management System Apartment Visitors Management System V1.1 in the visname parameter of visitors-form.php. An authenticated attacker can inject … | Apr 20, 2026 |
| CVE-2026-39111 | HIGH | 7.5 | SQL Injection vulnerability in Apartment Visitors Management System Apartment Visitors Management System V1.1 in the email parameter of the forgot password page (forgot-password.php). This allows … | Apr 20, 2026 |
| CVE-2026-39110 | HIGH | 8.2 | SQL Injection vulnerability in Apartment Visitors Management System Apartment Visitors Management System V1.1 in the contactno parameter of the forgot password page (forgot-password.php). This allows … | Apr 20, 2026 |
| CVE-2026-39109 | CRITICAL | 9.4 | SQL Injection vulnerability in Apartment Visitors Management System Apartment Visitors Management System V1.1 within the username parameter of the login page (index.php). This allows an … | Apr 20, 2026 |
| CVE-2026-26399 | UNKNOWN | — | A stack-use-after-return issue exists in the Arduino_Core_STM32 library prior to version 1.7.0. The pwm_start() function allocates a TIM_HandleTypeDef structure on the stack and passes its … | Apr 20, 2026 |
| CVE-2026-23758 | UNKNOWN | — | GFI HelpDesk before 4.99.9 contains a stored cross-site scripting vulnerability in the ticket subject field that allows authenticated staff members to inject malicious JavaScript by … | Apr 20, 2026 |
| CVE-2026-23757 | MEDIUM | 5.4 | GFI HelpDesk before 4.99.10 contains a stored cross-site scripting vulnerability in the Reports module where the title parameter is passed directly to SWIFT_Report::Create() without HTML … | Apr 20, 2026 |
| CVE-2026-23756 | MEDIUM | 5.4 | GFI HelpDesk before 4.99.9 contains a stored cross-site scripting vulnerability in the Troubleshooter module where the subject POST parameter is not sanitized in Controller_Step.InsertSubmit() and … | Apr 20, 2026 |