Security
CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
Total: 10692, Critical: 727, High: 3080, Medium: 3407

| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-3649 | MEDIUM | 5.3 | The Katalogportal PDF Sync plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 1.0.0. The katalogportal_popup_shortcode() function is registered … | Apr 15, 2026 |
| CVE-2026-3643 | HIGH | 7.2 | The Accessibly plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the REST API in all versions up to, and including, 3.0.3. The plugin … | Apr 15, 2026 |
| CVE-2026-3642 | MEDIUM | 5.3 | The e-shot™ form builder plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 1.0.2. The eshot_form_builder_update_field_data() AJAX handler lacks … | Apr 15, 2026 |
| CVE-2026-3461 | CRITICAL | 9.8 | The Visa Acceptance Solutions plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 2.1.0. This is due to the … | Apr 15, 2026 |
| CVE-2026-1782 | MEDIUM | 5.3 | The MetForm Pro plugin for WordPress is vulnerable to Improper Input Validation in all versions up to, and including, 3.9.7. This is due to the … | Apr 15, 2026 |
| CVE-2025-52641 | LOW | 2.9 | HCL AION is affected by a vulnerability where certain system behaviours may allow exploration of internal filesystem structures. Exposure of such information may provide insights … | Apr 15, 2026 |
| CVE-2025-40899 | HIGH | 8.9 | A Stored Cross-Site Scripting vulnerability was discovered in the Assets and Nodes functionality due to improper validation of an input parameter. An authenticated user with … | Apr 15, 2026 |
| CVE-2025-40897 | HIGH | 8.1 | An access control vulnerability was discovered in the Threat Intelligence functionality due to a specific access restriction not being properly enforced for users with view-only … | Apr 15, 2026 |
| CVE-2026-5088 | UNKNOWN | — | Apache::API::Password versions through v0.5.2 for Perl can generate insecure random values for salts. The _make_salt and _make_salt_bcrypt methods will attempt to load Crypt::URandom and then … | Apr 15, 2026 |
| CVE-2026-6293 | MEDIUM | 4.3 | The Inquiry Form to Posts or Pages plugin for WordPress is vulnerable to Cross-Site Request Forgery leading to Stored Cross-Site Scripting in version 1.0. This … | Apr 15, 2026 |
| CVE-2026-40719 | HIGH | 7.5 | Deadwood in MaraDNS 3.5.0036 allows attackers to exhaust connection slots via a zone whose authoritative nameserver address cannot be resolved. | Apr 15, 2026 |
| CVE-2026-5160 | MEDIUM | 6.1 | Versions of the package github.com/yuin/goldmark/renderer/html before 1.7.17 are vulnerable to Cross-site Scripting (XSS) due to improper ordering of URL validation and normalization. The renderer validates … | Apr 15, 2026 |
| CVE-2026-5397 | HIGH | 7.8 | It has been identified that a vulnerability (CWE-427) exists in the UPS (Uninterruptible Power Supply) management application, whereby improper permissions on the installation directory allow … | Apr 15, 2026 |
| CVE-2026-26291 | MEDIUM | 5.4 | Stored cross-site scripting vulnerability exists in GROWI v7.4.6 and earlier. If this vulnerability is exploited, an arbitrary script may be executed in a user's web … | Apr 15, 2026 |
| CVE-2026-6328 | UNKNOWN | — | Improper input validation, Improper verification of cryptographic signature vulnerability in XQUIC Project XQUIC xquic on Linux (QUIC protocol implementation, packet processing module, STREAM frame handler … | Apr 15, 2026 |
| CVE-2026-4812 | MEDIUM | 5.3 | The Advanced Custom Fields (ACF) plugin for WordPress is vulnerable to Missing Authorization to Arbitrary Post/Page Disclosure in versions up to and including 6.7.0. This … | Apr 15, 2026 |
| CVE-2026-40499 | UNKNOWN | — | radare2 prior to version 6.1.4 contains a command injection vulnerability in the PDB parser's print_gvars() function that allows attackers to execute arbitrary commands by embedding … | Apr 15, 2026 |
| CVE-2026-40105 | UNKNOWN | — | XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Versions 10.4-rc-1, through 16.10.15, 17.0.0-rc-1, through 17.4.7 and … | Apr 15, 2026 |
| CVE-2026-40104 | UNKNOWN | — | XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Versions 1.8-rc-1, 17.0.0-rc-1 and 17.5.0-rc-1 and prior include … | Apr 15, 2026 |
| CVE-2026-40096 | UNKNOWN | — | immich is a high performance self-hosted photo and video management solution. Versions prior to 2.7.3 contain an open redirect vulnerability in the shared album functionality, … | Apr 15, 2026 |
| CVE-2026-40091 | MEDIUM | 6.0 | SpiceDB is an open source database system for creating and managing security-critical application permissions. In versions 1.49.0 through 1.51.0, when SpiceDB starts with log level … | Apr 15, 2026 |
| CVE-2026-40090 | HIGH | 7.1 | Zarf is an Airgap Native Packager Manager for Kubernetes. Versions 0.23.0 through 0.74.1 contain an arbitrary file write vulnerability in the zarf package inspect sbom … | Apr 15, 2026 |
| CVE-2026-39984 | MEDIUM | 5.5 | Sigstore Timestamp Authority is a service for issuing RFC 3161 timestamps. Versions 2.0.5 and below contain an authorization bypass vulnerability in the VerifyTimestampResponse function. VerifyTimestampResponse … | Apr 15, 2026 |
| CVE-2026-39971 | HIGH | 7.2 | Serendipity is a PHP-powered weblog engine. In versions 2.6-beta2 and below, the email sending functionality in include/functions.inc.php inserts $_SERVER['HTTP_HOST'] directly into the Message-ID SMTP header … | Apr 15, 2026 |
| CVE-2026-39963 | MEDIUM | 6.9 | Serendipity is a PHP-powered weblog engine. In versions 2.6-beta2 and below, the serendipity_setCookie() function in include/functions_config.inc.php uses $_SERVER['HTTP_HOST'] without validation as the domain parameter of … | Apr 15, 2026 |