Security
CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
Total: 10692, Critical: 727, High: 3080, Medium: 3407

| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-4659 | HIGH | 7.5 | The Unlimited Elements for Elementor plugin for WordPress is vulnerable to Arbitrary File Read via the Repeater JSON/CSV URL parameter in versions up to, and … | Apr 17, 2026 |
| CVE-2026-6482 | UNKNOWN | — | The Rapid7 Insight Agent (versions > 4.1.0.2) is vulnerable to a local privilege escalation attack that allows users to gain SYSTEM level control of a … | Apr 17, 2026 |
| CVE-2026-6421 | HIGH | 7.0 | A vulnerability has been found in Mobatek MobaXterm Home Edition up to 26.1. This affects an unknown part in the library msimg32.dll. The manipulation leads … | Apr 17, 2026 |
| CVE-2026-5797 | MEDIUM | 5.3 | The Quiz And Survey Master plugin for WordPress is vulnerable to Arbitrary Shortcode Execution in versions up to and including 11.1.0. This is due to … | Apr 17, 2026 |
| CVE-2026-35496 | LOW | 2.7 | A path traversal vulnerability exists in CubeCart prior to 6.6.0, which may allow a user with an administrative privilege to access higher-level directories that should … | Apr 17, 2026 |
| CVE-2026-34018 | MEDIUM | 6.3 | An SQL injection vulnerability exists in CubeCart prior to 6.6.0, which may allow an attacker to execute an arbitrary SQL statement on the product. | Apr 17, 2026 |
| CVE-2026-21719 | HIGH | 7.2 | An OS command injection vulnerability exists in CubeCart prior to 6.6.0, which may allow a user with an administrative privilege to execute an arbitrary OS … | Apr 17, 2026 |
| CVE-2026-6080 | MEDIUM | 6.5 | The Tutor LMS plugin for WordPress is vulnerable to SQL Injection in versions up to and including 3.9.8. This is due to insufficient escaping on … | Apr 17, 2026 |
| CVE-2026-5807 | HIGH | 7.5 | Vault is vulnerable to a denial-of-service condition where an unauthenticated attacker can repeatedly initiate or cancel root token generation or rekey operations, occupying the single … | Apr 17, 2026 |
| CVE-2026-5502 | MEDIUM | 5.3 | The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized course content manipulation in versions up to and including … | Apr 17, 2026 |
| CVE-2026-5427 | MEDIUM | 5.3 | The Kubio plugin for WordPress is vulnerable to Arbitrary File Upload in versions up to and including 2.7.2. This is due to insufficient capability checks … | Apr 17, 2026 |
| CVE-2026-5234 | MEDIUM | 5.3 | The LatePoint plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.3.2. The vulnerability exists because the … | Apr 17, 2026 |
| CVE-2026-4853 | MEDIUM | 4.9 | The JetBackup – Backup, Restore & Migrate plugin for WordPress is vulnerable to Path Traversal leading to Arbitrary Directory Deletion in versions up to and … | Apr 17, 2026 |
| CVE-2026-3330 | MEDIUM | 4.9 | The Form Maker by 10Web plugin for WordPress is vulnerable to SQL Injection via the 'ip_search', 'startdate', 'enddate', 'username_search', and 'useremail_search' parameters in all versions … | Apr 17, 2026 |
| CVE-2026-5052 | MEDIUM | 5.3 | Vault’s PKI engine’s ACME validation did not reject local targets when issuing http-01 and tls-alpn-01 challenges. This may lead to these requests being sent to … | Apr 17, 2026 |
| CVE-2026-4666 | MEDIUM | 6.5 | The wpForo Forum plugin for WordPress is vulnerable to unauthorized modification of data due to the use of `extract($args, EXTR_OVERWRITE)` on user-controlled input in the … | Apr 17, 2026 |
| CVE-2026-4525 | HIGH | 7.5 | If a Vault auth mount is configured to pass through the "Authorization" header, and the "Authorization" header is used to authenticate to Vault, Vault forwarded … | Apr 17, 2026 |
| CVE-2026-3605 | HIGH | 8.1 | An authenticated user with access to a kvv2 path through a policy containing a glob may be able to delete secrets they were not authorized … | Apr 17, 2026 |
| CVE-2026-5231 | HIGH | 7.2 | The WP Statistics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'utm_source' parameter in all versions up to, and including, 14.16.4. This … | Apr 17, 2026 |
| CVE-2026-5162 | MEDIUM | 6.4 | The Royal Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Instagram Feed widget's 'instagram_follow_text' setting in all versions up … | Apr 17, 2026 |
| CVE-2026-4817 | MEDIUM | 6.5 | The MasterStudy LMS WordPress Plugin for Online Courses and Education plugin for WordPress is vulnerable to Time-based Blind SQL Injection via the 'order' and 'orderby' … | Apr 17, 2026 |
| CVE-2026-3488 | MEDIUM | 6.5 | The WP Statistics plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 14.16.4. This is due to missing capability … | Apr 17, 2026 |
| CVE-2026-40922 | UNKNOWN | — | SiYuan is an open-source personal knowledge management system. In versions 3.6.1 through 3.6.3, a prior fix for XSS in bazaar README rendering (incomplete fix for … | Apr 17, 2026 |
| CVE-2026-40265 | MEDIUM | 5.9 | Note Mark is an open-source note-taking application. In versions 0.19.1 and prior, the asset download endpoint at /api/notes/{noteID}/assets/{assetID} is registered without authentication middleware, and the … | Apr 17, 2026 |
| CVE-2026-40263 | LOW | 3.7 | Note Mark is an open-source note-taking application. In versions 0.19.1 and prior, the login endpoint performs bcrypt password verification only when the supplied username exists, … | Apr 17, 2026 |