Security
CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
Total: 10692 | Critical: 727 | High: 3080 | Medium: 3407
| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-2986 | MEDIUM | 6.4 | The Contextual Related Posts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'other_attributes' parameter in versions up to, and including, 4.2.1 due … | Apr 18, 2026 |
| CVE-2026-2505 | MEDIUM | 5.4 | The Categories Images plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 3.3.1, via the 'z_taxonomy_image' shortcode. This is … | Apr 18, 2026 |
| CVE-2026-0894 | MEDIUM | 6.4 | The Content Blocks (Custom Post Widget) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's content_block shortcode in all versions up to, … | Apr 18, 2026 |
| CVE-2026-41254 | MEDIUM | 4.0 | Little CMS (lcms2) through 2.18 has an integer overflow in CubeSize in cmslut.c because the overflow check is performed after the multiplication. | Apr 18, 2026 |
| CVE-2026-32690 | UNKNOWN | — | Secrets in Variables saved as JSON dictionaries were not properly redacted - in case the variables were retrieved by the user the secrets stored as … | Apr 18, 2026 |
| CVE-2026-32228 | UNKNOWN | — | UI / API User with asset materialize permission could trigger dags they had no access to. Users are advised to migrate to Airflow version 3.2.0 … | Apr 18, 2026 |
| CVE-2026-30912 | UNKNOWN | — | In case of SQL errors, exception/stack trace of errors was exposed in API even if "api/expose_stack_traces" was set to false. That could lead to exposing … | Apr 18, 2026 |
| CVE-2026-30898 | UNKNOWN | — | An example of BashOperator in Airflow documentation suggested a way of passing dag_run.conf in the way that could cause unsanitized user input to be used … | Apr 18, 2026 |
| CVE-2026-25917 | UNKNOWN | — | Dag Authors, who normally should not be able to execute code in the webserver context could craft XCom payload causing the webserver to execute arbitrary … | Apr 18, 2026 |
| CVE-2026-41253 | MEDIUM | 6.9 | In iTerm2 through 3.6.9, displaying a .txt file can cause code execution via DCS 2000p and OSC 135 data, if the working directory contains a … | Apr 18, 2026 |
| CVE-2026-6518 | HIGH | 8.8 | The CMP – Coming Soon & Maintenance Plugin by NiteoThemes plugin for WordPress is vulnerable to arbitrary file upload and remote code execution in all … | Apr 18, 2026 |
| CVE-2026-6048 | MEDIUM | 6.4 | The Flipbox Addon for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Flipbox widget's button URL `custom_attributes` field in all versions … | Apr 18, 2026 |
| CVE-2026-4801 | MEDIUM | 6.4 | The Page Builder Gutenberg Blocks – CoBlocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via external iCal feed data in all versions up … | Apr 18, 2026 |
| CVE-2026-40494 | CRITICAL | 9.8 | SAIL is a cross-platform library for loading and saving images with support for animation, metadata, and ICC profiles. Prior to commit 45d48d1f2e8e0d73e80bc1fd5310cb57f4547302, the TGA codec's … | Apr 18, 2026 |
| CVE-2026-40493 | CRITICAL | 9.8 | SAIL is a cross-platform library for loading and saving images with support for animation, metadata, and ICC profiles. Prior to commit c930284445ea3ff94451ccd7a57c999eca3bc979, the PSD codec … | Apr 18, 2026 |
| CVE-2026-40492 | CRITICAL | 9.8 | SAIL is a cross-platform library for loading and saving images with support for animation, metadata, and ICC profiles. Prior to commit 36aa5c7ec8a2bb35f6fb867a1177a6f141156b02, the XWD codec … | Apr 18, 2026 |
| CVE-2026-40491 | MEDIUM | 6.5 | gdown is a Google Drive public file/folder downloader. Versions prior to 5.2.2 are vulnerable to a Path Traversal attack within the extractall functionality. When extracting … | Apr 18, 2026 |
| CVE-2026-40490 | MEDIUM | 6.8 | The AsyncHttpClient (AHC) library allows Java applications to easily execute HTTP requests and asynchronously process HTTP responses. When redirect following is enabled (followRedirect(true)), versions of … | Apr 18, 2026 |
| CVE-2026-40489 | UNKNOWN | — | editorconfig-core-c is an EditorConfig core library for use by plugins supporting EditorConfig parsing. Versions up to and including 0.12.10 have a stack-based buffer overflow in … | Apr 18, 2026 |
| CVE-2026-40487 | HIGH | 8.9 | Postiz is an AI social media scheduling tool. Prior to version 2.21.6, a file upload validation bypass allows any authenticated user to upload arbitrary HTML, … | Apr 18, 2026 |
| CVE-2026-35582 | HIGH | 8.8 | Emissary is a P2P based data-driven workflow engine. In versions 8.42.0 and below, Executrix.getCommand() is vulnerable to OS command injection because it interpolates temporary file … | Apr 18, 2026 |
| CVE-2026-1838 | MEDIUM | 6.1 | The Hostel plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'shortcode_id' parameter in all versions up to, and including, 1.1.6 due to … | Apr 18, 2026 |
| CVE-2026-1559 | MEDIUM | 6.4 | The Youzify plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'checkin_place_id' parameter in all versions up to, and including, 1.3.6 due to … | Apr 18, 2026 |
| CVE-2026-40572 | CRITICAL | 9.0 | NovumOS is a custom 32-bit operating system written in Zig and x86 Assembly. In versions prior to 0.24, Syscall 15 (MemoryMapRange) allows Ring 3 user-mode … | Apr 18, 2026 |
| CVE-2026-40350 | HIGH | 8.8 | Movary is a self hosted web app to track and rate a user's watched movies. Prior to version 0.71.1, an ordinary authenticated user can access … | Apr 18, 2026 |
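The lcms2 entry above (CVE-2026-41254) describes an integer overflow whose overflow check runs after the multiplication. The C program below is an added example, not lcms2's code, and makes no claim about how cmslut.c actually computes CubeSize; the function names, the `grid`-cubed size computation and the `MAX_CUBE_ENTRIES` cap are all assumptions chosen for illustration. It shows why a check placed after the multiply is defeated by wraparound and how the same bound is enforced correctly by checking each factor before multiplying.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical cap on table entries; chosen for this example, not taken from lcms2. */
#define MAX_CUBE_ENTRIES (64u * 64u * 64u)   /* 262144 */

/* Buggy ordering: multiply first, then test the product.
 * uint32_t arithmetic wraps modulo 2^32, so for grid = 2048 the product
 * 2048^3 = 2^33 wraps to 0, which passes the "> MAX" test untouched. */
bool cube_entries_check_after(uint32_t grid, uint32_t *out)
{
    uint32_t total = grid * grid * grid;   /* may already have wrapped */
    if (total > MAX_CUBE_ENTRIES)
        return false;
    *out = total;
    return true;
}

/* Correct ordering: prove each multiplication cannot overflow before doing it.
 * a * b overflows uint32_t exactly when a > UINT32_MAX / b (for b != 0). */
bool cube_entries_check_before(uint32_t grid, uint32_t *out)
{
    if (grid == 0)
        return false;                      /* empty table: rejected by design here */
    if (grid > UINT32_MAX / grid)
        return false;                      /* grid * grid would overflow */
    uint32_t sq = grid * grid;
    if (sq > UINT32_MAX / grid)
        return false;                      /* sq * grid would overflow */
    uint32_t total = sq * grid;
    if (total > MAX_CUBE_ENTRIES)
        return false;                      /* honest value, honest comparison */
    *out = total;
    return true;
}

/* Helper for the demo: the computed entry count, or UINT32_MAX if rejected. */
uint32_t entries_or_reject(bool (*check)(uint32_t, uint32_t *), uint32_t grid)
{
    uint32_t v = 0;
    return check(grid, &v) ? v : UINT32_MAX;
}

int main(void)
{
    /* Constructed probe values: a benign size, an oversized one, and one that wraps. */
    const uint32_t probes[] = { 16u, 100u, 2048u };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        uint32_t g = probes[i];
        printf("grid=%-5u check-after=%-10u check-before=%u\n", g,
               entries_or_reject(cube_entries_check_after, g),
               entries_or_reject(cube_entries_check_before, g));
    }
    return 0;
}
```

With grid = 2048 the check-after version accepts a size of 0 entries, the kind of value that later sizes a heap allocation far smaller than the data written into it; the check-before version rejects it. The division-based test is the portable idiom; `__builtin_mul_overflow` on GCC and Clang does the same job in one call where available.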