CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
10692 total: 727 critical, 3080 high, 3407 medium
| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2025-6024 | MEDIUM | 6.1 | The authentication endpoint fails to encode user-supplied input before rendering it in the web page, allowing for script injection. An attacker can leverage this by … | Apr 16, 2026 |
| CVE-2024-8010 | LOW | 3.5 | The component accepts XML input through the publisher without disabling external entity resolution. This allows malicious actors to submit a crafted XML payload that exploits … | Apr 16, 2026 |
| CVE-2024-4867 | MEDIUM | 5.4 | The WSO2 API Manager developer portal accepts user-supplied input without enforcing expected validation constraints or proper output encoding. This deficiency allows a malicious actor to … | Apr 16, 2026 |
| CVE-2024-10242 | MEDIUM | 6.1 | The authentication endpoint fails to adequately validate user-supplied input before reflecting it back in the response. This allows an attacker to inject malicious script payloads … | Apr 16, 2026 |
| CVE-2026-23772 | HIGH | 7.3 | Dell Storage Manager - Replay Manager for Microsoft Servers, version(s) 8.0, contain(s) an Improper Privilege Management vulnerability. A low privileged attacker with local access could … | Apr 16, 2026 |
| CVE-2024-2374 | HIGH | 7.5 | The XML parsers within multiple WSO2 products accept user-supplied XML data without being properly configured to prevent the resolution of external entities. This omission allows malicious … | Apr 16, 2026 |
| CVE-2026-0718 | MEDIUM | 5.3 | The Post Grid Gutenberg Blocks for News, Magazines, Blog Websites – PostX plugin for WordPress is vulnerable to unauthorized modification of data due to a … | Apr 16, 2026 |
| CVE-2025-14868 | HIGH | 8.8 | The Career Section plugin for WordPress is vulnerable to Cross-Site Request Forgery leading to Path Traversal and Arbitrary File Deletion in all versions up to, … | Apr 16, 2026 |
| CVE-2026-41035 | HIGH | 7.4 | In rsync 3.0.1 through 3.4.1, receive_xattr relies on an untrusted length value during a qsort call, leading to a receiver use-after-free. The victim must run … | Apr 16, 2026 |
| CVE-2026-41034 | MEDIUM | 5.0 | ONLYOFFICE DocumentServer before 9.3.0 has an untrusted pointer dereference in XLS processing/conversion (via pictFmla.cbBufInCtlStm and other vectors), leading to an information leak and ASLR bypass. | Apr 16, 2026 |
| CVE-2026-41030 | MEDIUM | 6.2 | In ONLYOFFICE DesktopEditors before 9.3.0, the update service allows attackers to perform actions on files with SYSTEM privileges. | Apr 16, 2026 |
| CVE-2026-3995 | MEDIUM | 4.4 | The OPEN-BRAIN plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'API Key' settings field in all versions up to, and including, 0.5.0. … | Apr 16, 2026 |
| CVE-2026-3876 | HIGH | 7.2 | The Prismatic plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'prismatic_encoded' pseudo-shortcode in all versions up to, and including, 3.7.3. This is … | Apr 16, 2026 |
| CVE-2026-3875 | MEDIUM | 6.4 | The BetterDocs plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'betterdocs_feedback_form' shortcode in all versions up to, and including, 4.3.8. This is … | Apr 16, 2026 |
| CVE-2026-3861 | MEDIUM | 6.5 | LINE client for iOS versions prior to 26.3.0 contains a vulnerability in the in-app browser where opening a crafted web page can repeatedly trigger OS-level … | Apr 16, 2026 |
| CVE-2026-3355 | MEDIUM | 6.1 | The Customer Reviews for WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'crsearch' parameter in all versions up to, and including, … | Apr 16, 2026 |
| CVE-2026-1620 | HIGH | 8.8 | The Livemesh Addons for Elementor plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 9.0. This is due … | Apr 16, 2026 |
| CVE-2026-1572 | MEDIUM | 6.4 | The Livemesh Addons for Elementor plugin for WordPress is vulnerable to unauthorized modification of data and Stored Cross-Site Scripting via plugin settings in all versions … | Apr 16, 2026 |
| CVE-2025-13364 | MEDIUM | 6.4 | The WP Maps – Store Locator,Google Maps,OpenStreetMap,Mapbox,Listing,Directory & Filters plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'put_wpgm' shortcode in all versions … | Apr 16, 2026 |
| CVE-2026-5050 | HIGH | 7.5 | The Payment Gateway for Redsys & WooCommerce Lite plugin for WordPress is vulnerable to Improper Verification of Cryptographic Signature in versions up to, and including, … | Apr 16, 2026 |
| CVE-2026-3773 | MEDIUM | 6.5 | The Accessibility Suite by Ability, Inc plugin for WordPress is vulnerable to SQL Injection via the 'scan_id' parameter in all versions up to, and including, … | Apr 16, 2026 |
| CVE-2026-3614 | HIGH | 8.8 | The AcyMailing plugin for WordPress is vulnerable to privilege escalation in all versions from 9.11.0 up to, and including, 10.8.1 due to a missing capability … | Apr 16, 2026 |
| CVE-2026-3599 | HIGH | 7.5 | The Riaxe Product Customizer plugin for WordPress is vulnerable to SQL Injection via the 'options' parameter keys within 'product_data' of the /wp-json/InkXEProductDesignerLite/add-item-to-cart REST API endpoint … | Apr 16, 2026 |
| CVE-2026-3596 | CRITICAL | 9.8 | The Riaxe Product Customizer plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 2.1.2. The plugin registers an unauthenticated … | Apr 16, 2026 |
| CVE-2026-3595 | MEDIUM | 5.3 | The Riaxe Product Customizer plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.1.2. This is due to the … | Apr 16, 2026 |