Security
CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
Total: 10692, Critical: 727, High: 3080, Medium: 3407

| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-40734 | UNKNOWN | — | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Zahlan Categories Images categories-images allows DOM-Based XSS. This issue affects Categories Images: from n/a … | Apr 15, 2026 |
| CVE-2026-40730 | UNKNOWN | — | Missing Authorization vulnerability in ThemeGrill ThemeGrill Demo Importer themegrill-demo-importer allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects ThemeGrill Demo Importer: from n/a through … | Apr 15, 2026 |
| CVE-2026-40729 | UNKNOWN | — | Missing Authorization vulnerability in bPlugins 3D viewer – Embed 3D Models 3d-viewer allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects 3D viewer – … | Apr 15, 2026 |
| CVE-2026-40728 | MEDIUM | 4.3 | Missing Authorization vulnerability in BlockArt Magazine Blocks magazine-blocks allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Magazine Blocks: from n/a through <= 1.8.3. | Apr 15, 2026 |
| CVE-2026-33805 | UNKNOWN | — | @fastify/reply-from v12.6.1 and earlier and @fastify/http-proxy v11.4.3 and earlier process the client's Connection header after the proxy has added its own headers via rewriteRequestHeaders. This … | Apr 15, 2026 |
| CVE-2026-30778 | UNKNOWN | — | The SkyWalking OAP /debugging/config/dump endpoint may leak sensitive configuration information of MySQL/PostgreSQL. This issue affects Apache SkyWalking: from 9.7.0 through 10.3.0. Users are recommended to … | Apr 15, 2026 |
| CVE-2026-28741 | MEDIUM | 6.8 | Mattermost versions 10.11.x <= 10.11.12, 11.5.x <= 11.5.0, 11.4.x <= 11.4.2, 11.3.x <= 11.3.2 fail to validate CSRF tokens on an authentication endpoint which allows … | Apr 15, 2026 |
| CVE-2026-27769 | LOW | 2.7 | Mattermost versions 10.11.x <= 10.11.12 fail to validate whether users were correctly owned by the correct Connected Workspace which allows a malicious remote server connected … | Apr 15, 2026 |
| CVE-2026-5598 | UNKNOWN | — | Covert timing channel vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA core on all (core modules). Non-constant time comparisons risk private key leakage in … | Apr 15, 2026 |
| CVE-2026-5588 | UNKNOWN | — | Use of a Broken or Risky Cryptographic Algorithm vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcpkix on all (pkix modules). PKIX draft … | Apr 15, 2026 |
| CVE-2026-3505 | UNKNOWN | — | Allocation of resources without limits or throttling vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcpg on all (pg modules). This issue affects BC-JAVA: before … | Apr 15, 2026 |
| CVE-2026-33808 | UNKNOWN | — | @fastify/express v4.0.4 and earlier fails to normalize URLs before passing them to Express middleware when Fastify router normalization options are enabled. This allows complete bypass … | Apr 15, 2026 |
| CVE-2026-33807 | CRITICAL | 9.1 | @fastify/express v4.0.4 and earlier contains a path handling bug in the onRegister function that causes middleware paths to be doubled when inherited by child plugins. … | Apr 15, 2026 |
| CVE-2026-0636 | UNKNOWN | — | Improper neutralization of special elements used in an LDAP query ('LDAP injection') vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcprov on all (prov … | Apr 15, 2026 |
| CVE-2025-14813 | UNKNOWN | — | Use of a Broken or Risky Cryptographic Algorithm vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcprov on all (core modules). This vulnerability is … | Apr 15, 2026 |
| CVE-2024-33618 | HIGH | 7.5 | Uncontrolled Resource Consumption in Bosch VMS Central Server in Bosch VMS 12.0.1 allows attackers to consume excessive amounts of disk space via network interface. | Apr 15, 2026 |
| CVE-2026-5717 | MEDIUM | 6.4 | The VI: Include Post By plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'class_container' attribute of the 'include-post-by-cat' shortcode in all versions … | Apr 15, 2026 |
| CVE-2026-5694 | HIGH | 7.2 | The Quick Interest Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'loan-amount' and 'loan-period' parameters in all versions up to, and … | Apr 15, 2026 |
| CVE-2026-5617 | HIGH | 8.8 | The Login as User plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.0.3. This is due to the … | Apr 15, 2026 |
| CVE-2026-4091 | MEDIUM | 6.1 | The OPEN-BRAIN plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.5.0. This is due to missing nonce … | Apr 15, 2026 |
| CVE-2026-4011 | MEDIUM | 6.4 | The Power Charts Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' parameter of the [pc] shortcode in all versions up … | Apr 15, 2026 |
| CVE-2026-4005 | MEDIUM | 6.4 | The Coachific Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'userhash' shortcode attribute in all versions up to and including 1.0. … | Apr 15, 2026 |
| CVE-2026-4002 | MEDIUM | 4.3 | The Petje.af plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 2.1.8. This is due to missing nonce … | Apr 15, 2026 |
| CVE-2026-3998 | MEDIUM | 6.4 | The WM JqMath plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'style' shortcode attribute of the [jqmath] shortcode in all versions up … | Apr 15, 2026 |
| CVE-2026-3659 | MEDIUM | 6.4 | The WP Circliful plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' shortcode attribute of the [circliful] shortcode and via multiple shortcode … | Apr 15, 2026 |