CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
Totals: 10692 CVEs (727 Critical, 3080 High, 3407 Medium)
| CVE ID | Severity | CVSS score | Description | Published |
|---|---|---|---|---|
| CVE-2026-2262 | HIGH | 7.5 | The Easy Appointments plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.12.21 via the `/wp-json/wp/v2/eablocks/ea_appointments/` REST API … | Apr 18, 2026 |
| CVE-2026-5250 | UNKNOWN | — | Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. | Apr 17, 2026 |
| CVE-2026-40486 | MEDIUM | 4.3 | Kimai is an open-source time tracking application. In versions 2.52.0 and below, the User Preferences API endpoint (PATCH /api/users/{id}/preferences) applies submitted preference values without checking … | Apr 17, 2026 |
| CVE-2026-40481 | UNKNOWN | — | monetr is a budgeting application for recurring expenses. In versions 1.12.3 and below, the public Stripe webhook endpoint buffers the entire request body into memory … | Apr 17, 2026 |
| CVE-2026-40479 | MEDIUM | 5.4 | Kimai is an open-source time tracking application. In versions 1.16.3 through 2.52.0, the escapeForHtml() function in KimaiEscape.js does not escape double quote or single quote … | Apr 17, 2026 |
| CVE-2026-2434 | MEDIUM | 6.4 | The Pz-LinkCard plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'blogcard' shortcode attributes in all versions up to, and including, 2.5.8.1 due … | Apr 17, 2026 |
| CVE-2026-5720 | UNKNOWN | — | miniupnpd contains an integer underflow vulnerability in SOAPAction header parsing that allows remote attackers to cause a denial of service or information disclosure by sending … | Apr 17, 2026 |
| CVE-2026-40478 | CRITICAL | 9.0 | Thymeleaf is a server-side Java template engine for web and standalone environments. Versions 3.1.3.RELEASE and prior contain a security bypass vulnerability in the expression … | Apr 17, 2026 |
| CVE-2026-40477 | CRITICAL | 9.0 | Thymeleaf is a server-side Java template engine for web and standalone environments. Versions 3.1.3.RELEASE and prior contain a security bypass vulnerability in the expression execution … | Apr 17, 2026 |
| CVE-2026-40476 | UNKNOWN | — | graphql-go is a Go implementation of GraphQL. In versions 15.31.4 and below, the OverlappingFieldsCanBeMerged validation rule performs O(n²) pairwise comparisons of fields sharing the same … | Apr 17, 2026 |
| CVE-2026-40474 | HIGH | 7.6 | wger is a free, open-source workout and fitness manager. In versions 2.5 and below, the GymConfigUpdateView declares permission_required = 'config.change_gymconfig' but inherits WgerFormMixin instead of … | Apr 17, 2026 |
| CVE-2026-40353 | UNKNOWN | — | wger is a free, open-source workout and fitness manager. In versions 2.5 and below, the attribution_link property in AbstractLicenseModel constructs HTML by directly interpolating user-controlled … | Apr 17, 2026 |
| CVE-2026-40352 | HIGH | 8.8 | FastGPT is an AI Agent building platform. In versions prior to 4.14.9.5, the password change endpoint is vulnerable to NoSQL injection. An authenticated attacker can … | Apr 17, 2026 |
| CVE-2026-40351 | CRITICAL | 9.8 | FastGPT is an AI Agent building platform. In versions prior to 4.14.9.5, the password-based login endpoint uses TypeScript type assertion without runtime validation, allowing an … | Apr 17, 2026 |
| CVE-2026-40321 | HIGH | 8.0 | DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to version 10.2.2, a user could upload a specially … | Apr 17, 2026 |
| CVE-2026-40306 | UNKNOWN | — | DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. All new installations of DNN 10.x.x - 10.2.1 have the … | Apr 17, 2026 |
| CVE-2026-40305 | MEDIUM | 4.3 | DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Starting in version 6.0.0 and prior to version 10.2.2, in … | Apr 17, 2026 |
| CVE-2026-40304 | MEDIUM | 5.3 | zrok is software for sharing web services, files, and network resources. Prior to version 2.0.1, the unaccess handler (controller/unaccess.go) contains a logical error in its … | Apr 17, 2026 |
| CVE-2026-40258 | CRITICAL | 9.1 | The Gramps Web API is a Python REST API for the genealogical research software Gramps. Versions 1.6.0 through 3.11.0 have a path traversal vulnerability (Zip … | Apr 17, 2026 |
| CVE-2026-29013 | UNKNOWN | — | libcoap contains out-of-bounds read vulnerabilities in OSCORE Appendix B.2 CBOR unwrap handling where get_byte_inc() in src/oscore/oscore_cbor.c relies solely on assert() for bounds checking, which is … | Apr 17, 2026 |
| CVE-2026-40527 | HIGH | 7.8 | radare2 prior to commit bc5a890 contains a command injection vulnerability in the afsv/afsvj command path where crafted ELF binaries can embed malicious r2 command sequences … | Apr 17, 2026 |
| CVE-2026-40303 | HIGH | 7.5 | zrok is software for sharing web services, files, and network resources. Prior to version 2.0.1, endpoints.GetSessionCookie parses an attacker-supplied cookie chunk count and calls make([]string, … | Apr 17, 2026 |
| CVE-2026-40302 | MEDIUM | 6.1 | zrok is software for sharing web services, files, and network resources. Prior to version 2.0.1, the proxyUi template engine uses Go's text/template (which performs no … | Apr 17, 2026 |
| CVE-2026-40301 | MEDIUM | 4.7 | DOMSanitizer is a DOM/SVG/MathML Sanitizer for PHP 7.3+. Prior to version 1.0.10, DOMSanitizer::sanitize() allows <style> elements in SVG content but never inspects their text content. … | Apr 17, 2026 |
| CVE-2026-40299 | UNKNOWN | — | next-intl provides internationalization for Next.js. Applications using the `next-intl` middleware prior to version 4.9.1 with `localePrefix: 'as-needed'` could construct URLs where path handling and the WHATWG … | Apr 17, 2026 |
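Two of the zrok rows above (CVE-2026-40302 and CVE-2026-40303) describe bug classes that recur in Go services: rendering untrusted strings through `text/template`, which applies no escaping, and sizing a `make()` call from an attacker-controlled number. The block below is an added example written for this page, not zrok's code; the template text, the `maxCookieChunks` bound and every function name are assumptions, and the sample inputs are constructed. It shows each weak pattern next to its hardened form.

```go
package main

import (
	"errors"
	"fmt"
	htmltemplate "html/template"
	"strconv"
	"strings"
	texttemplate "text/template"
)

// Constructed template; in a real UI it would be a page fragment (assumption).
const shareTmpl = `<p>Share: {{.}}</p>`

// renderWithTextTemplate mirrors the weak pattern from CVE-2026-40302:
// text/template substitutes the value verbatim, so markup in `name`
// reaches the browser unescaped.
func renderWithTextTemplate(name string) (string, error) {
	t := texttemplate.Must(texttemplate.New("ui").Parse(shareTmpl))
	var sb strings.Builder
	if err := t.Execute(&sb, name); err != nil {
		return "", err
	}
	return sb.String(), nil
}

// renderWithHTMLTemplate is the fix: html/template escapes according to the
// context the value lands in (here, HTML text), so `<` becomes `&lt;` and so on.
func renderWithHTMLTemplate(name string) (string, error) {
	t := htmltemplate.Must(htmltemplate.New("ui").Parse(shareTmpl))
	var sb strings.Builder
	if err := t.Execute(&sb, name); err != nil {
		return "", err
	}
	return sb.String(), nil
}

// maxCookieChunks is an assumed upper bound; size it from the largest
// legitimate session cookie the service actually emits.
const maxCookieChunks = 16

// allocChunksUnbounded mirrors the weak pattern from CVE-2026-40303: the chunk
// count comes straight from a client cookie and is handed to make(). A huge
// value allocates gigabytes per request; an absurd or negative value makes the
// runtime panic with "makeslice: len out of range".
func allocChunksUnbounded(raw string) ([]string, error) {
	n, err := strconv.Atoi(raw)
	if err != nil {
		return nil, err
	}
	return make([]string, n), nil
}

// allocChunksBounded validates the count before any allocation happens.
func allocChunksBounded(raw string) ([]string, error) {
	n, err := strconv.Atoi(raw)
	if err != nil {
		return nil, fmt.Errorf("chunk count: %w", err)
	}
	if n < 1 || n > maxCookieChunks {
		return nil, errors.New("chunk count out of range")
	}
	return make([]string, n), nil
}

// tryUnbounded runs the weak allocator under recover() so the crash it causes
// can be observed as an error instead of taking the process down.
func tryUnbounded(raw string) (n int, err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("panic: %v", r)
		}
	}()
	s, err := allocChunksUnbounded(raw)
	if err != nil {
		return 0, err
	}
	return len(s), nil
}

func main() {
	payload := "<script>alert(1)</script>" // constructed sample input
	weak, _ := renderWithTextTemplate(payload)
	safe, _ := renderWithHTMLTemplate(payload)
	fmt.Println("text/template:", weak)
	fmt.Println("html/template:", safe)

	for _, raw := range []string{"4", "-1", "99999999999"} {
		n, err := tryUnbounded(raw)
		fmt.Printf("unbounded %q -> len=%d err=%v\n", raw, n, err)
		_, err = allocChunksBounded(raw)
		fmt.Printf("bounded   %q -> err=%v\n", raw, err)
	}
}
```

The escaping fix is a one-line import change, but it only holds if every template that touches user data is parsed by `html/template`; mixing the two packages on one page reintroduces the bug. For the allocation case, the bound must sit before `make()`, and it should be a business limit (how many chunks a real cookie can need), not merely a check that the integer parsed.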