Security
CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
Total: 10692, Critical: 727, High: 3080, Medium: 3407

| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-37343 | UNKNOWN | — | SourceCodester Vehicle Parking Area Management System v1.0 is vulnerable to SQL Injection in the file /parking/manage_user.php. | Apr 16, 2026 |
| CVE-2026-37342 | UNKNOWN | — | SourceCodester Vehicle Parking Area Management System v1.0 is vulnerable to SQL Injection in the file /parking/view_parked_details.php. | Apr 16, 2026 |
| CVE-2026-37341 | UNKNOWN | — | SourceCodester Vehicle Parking Area Management System v1.0 is vulnerable to SQL Injection in the file /parking/manage_category.php. | Apr 16, 2026 |
| CVE-2026-37340 | UNKNOWN | — | SourceCodester Simple Music Cloud Community System v1.0 is vulnerable to SQL Injection in the file /music/edit_music.php. | Apr 16, 2026 |
| CVE-2026-37339 | UNKNOWN | — | SourceCodester Simple Music Cloud Community System v1.0 is vulnerable to SQL Injection in the file /music/view_genre.php. | Apr 16, 2026 |
| CVE-2026-37338 | CRITICAL | 9.4 | SourceCodester Simple Music Cloud Community System v1.0 is vulnerable to SQL Injection in the file /music/view_user.php. | Apr 16, 2026 |
| CVE-2026-37337 | HIGH | 7.3 | SourceCodester Simple Music Cloud Community System v1.0 is vulnerable to SQL Injection in the file /music/view_playlist.php. | Apr 16, 2026 |
| CVE-2026-37336 | HIGH | 7.3 | SourceCodester Simple Music Cloud Community System v1.0 is vulnerable to SQL Injection in the file /music/view_music.php. | Apr 16, 2026 |
| CVE-2026-33804 | HIGH | 7.4 | @fastify/middie versions 9.3.1 and earlier are vulnerable to middleware bypass when the deprecated Fastify ignoreDuplicateSlashes option is enabled. The middleware path matching logic does not … | Apr 16, 2026 |
| CVE-2026-30656 | HIGH | 7.5 | A NULL pointer dereference vulnerability exists in fio (Flexible I/O Tester) v3.41 when parsing job files containing the fdp_pli option. The callback function str_fdp_pli_cb() does … | Apr 16, 2026 |
| CVE-2026-30459 | HIGH | 7.1 | An issue in the Forgot Password feature of Daylight Studio FuelCMS v1.5.2 allows unauthenticated attackers to obtain the password reset token of a victim user … | Apr 16, 2026 |
| CVE-2026-2840 | MEDIUM | 6.4 | The Email Encoder – Protect Email Addresses and Phone Numbers plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'eeb_mailto' shortcode in all … | Apr 16, 2026 |
| CVE-2026-6410 | MEDIUM | 5.3 | @fastify/static versions 8.0.0 through 9.1.0 allow path traversal when directory listing is enabled via the list option. The dirList.path() function resolves directories outside the configured … | Apr 16, 2026 |
| CVE-2026-6270 | CRITICAL | 9.1 | @fastify/middie versions 9.3.1 and earlier do not register inherited middleware directly on child plugin engine instances. When a Fastify application registers authentication middleware in a … | Apr 16, 2026 |
| CVE-2026-5785 | HIGH | 8.1 | Zohocorp ManageEngine PAM360 versions before 8531 and ManageEngine Password Manager Pro versions from 8600 to 13230 are vulnerable to Authenticated SQL injection in the query … | Apr 16, 2026 |
| CVE-2026-4160 | MEDIUM | 5.3 | The Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder plugin for WordPress is vulnerable to Insecure Direct Object Reference via the … | Apr 16, 2026 |
| CVE-2026-31987 | UNKNOWN | — | JWT Tokens used by tasks were exposed in logs. This could allow UI users to act as Dag Authors. Users are advised to upgrade to … | Apr 16, 2026 |
| CVE-2026-6414 | MEDIUM | 5.9 | @fastify/static versions 8.0.0 through 9.1.0 decode percent-encoded path separators (%2F) before filesystem resolution, while Fastify's router treats them as literal characters. This mismatch allows attackers … | Apr 16, 2026 |
| CVE-2026-5968 | UNKNOWN | — | Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. Reason: This candidate was issued in error. Notes: All references and descriptions in this … | Apr 16, 2026 |
| CVE-2026-31843 | CRITICAL | 9.8 | The goodoneuz/pay-uz Laravel package (<= 2.2.24) contains a critical vulnerability in the /payment/api/editable/update endpoint that allows unauthenticated attackers to overwrite existing PHP payment hook files. … | Apr 16, 2026 |
| CVE-2025-15621 | UNKNOWN | — | Insufficiently Protected Credentials in Sparx Systems Pty Ltd. Sparx Enterprise Architect. Client does not verify the receiver of OAuth2 credentials during OpenID authentication | Apr 16, 2026 |
| CVE-2026-3489 | HIGH | 7.5 | The DirectoryPress – Business Directory And Classified Ad Listing plugin for WordPress is vulnerable to SQL Injection via the 'packages' parameter in versions up to, … | Apr 16, 2026 |
| CVE-2026-3369 | MEDIUM | 5.4 | The Better Find and Replace – AI-Powered Suggestions plugin for WordPress is vulnerable to Stored Cross-Site Scripting via uploaded image title in versions up to, … | Apr 16, 2026 |
| CVE-2026-3155 | LOW | 3.1 | The OneSignal – Web Push Notifications plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 3.8.0. This is due to … | Apr 16, 2026 |
| CVE-2025-12624 | MEDIUM | 6.0 | Active access tokens are not revoked or invalidated when a user account is locked within WSO2 Identity Server. This failure to enforce revocation allows previously … | Apr 16, 2026 |