CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
Totals: 10692 vulnerabilities (727 Critical, 3080 High, 3407 Medium).
| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-39884 | HIGH | 8.3 | mcp-server-kubernetes is a Model Context Protocol server for Kubernetes cluster management. Versions 3.4.0 and prior contain an argument injection vulnerability in the port_forward tool in … | Apr 15, 2026 |
| CVE-2026-39842 | CRITICAL | 9.9 | OpenRemote is an open-source IoT platform. Versions 1.21.0 and below contain two interrelated expression injection vulnerabilities in the rules engine that allow arbitrary code execution … | Apr 15, 2026 |
| CVE-2026-33806 | HIGH | 7.5 | Impact: Fastify applications using schema.body.content for per-content-type body validation can have validation bypassed entirely by prepending a space to the Content-Type header. The body is … | Apr 15, 2026 |
| CVE-2026-2834 | HIGH | 7.2 | The Age Verification & Identity Verification by Token of Trust plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘description’ parameter in all … | Apr 15, 2026 |
| CVE-2026-2396 | MEDIUM | 4.4 | The List View Google Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the event description in all versions up to, and including, … | Apr 15, 2026 |
| CVE-2026-1555 | CRITICAL | 9.8 | The WebStack theme for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the io_img_upload() function in all versions up … | Apr 15, 2026 |
| CVE-2026-1541 | MEDIUM | 4.3 | The Avada (Fusion) Builder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.15.1. This is due to … | Apr 15, 2026 |
| CVE-2026-1509 | MEDIUM | 5.4 | The Avada (Fusion) Builder plugin for WordPress is vulnerable to Arbitrary WordPress Action Execution in all versions up to, and including, 3.15.1. This is due … | Apr 15, 2026 |
| CVE-2026-1314 | MEDIUM | 5.3 | The 3D FlipBook – PDF Embedder, PDF Flipbook Viewer, Flipbook Image Gallery plugin for WordPress is vulnerable to unauthorized access of data due to a … | Apr 15, 2026 |
| CVE-2025-54550 | UNKNOWN | — | The example example_xcom that was included in the Airflow documentation implemented an unsafe pattern of reading a value from XCom in a way that could be exploited to … | Apr 15, 2026 |
| CVE-2025-15470 | MEDIUM | 6.5 | The Eleganzo theme for WordPress is vulnerable to arbitrary directory deletion due to insufficient path validation in the akd_required_plugin_callback function in all versions up to, … | Apr 15, 2026 |
| CVE-2026-40688 | HIGH | 7.2 | An out-of-bounds write vulnerability [CWE-787] in Fortinet FortiWeb 8.0.0 through 8.0.3, FortiWeb 7.6.0 through 7.6.6, FortiWeb 7.4.0 through 7.4.11 may allow a remote privileged … | Apr 14, 2026 |
| CVE-2026-39399 | CRITICAL | 9.6 | NuGet Gallery is a package repository that powers nuget.org. A security vulnerability exists in the NuGetGallery backend job’s handling of .nuspec files within NuGet packages. … | Apr 14, 2026 |
| CVE-2026-39387 | HIGH | 7.2 | BoidCMS is an open-source, PHP-based flat-file CMS for building simple websites and blogs, using JSON as its database. Versions prior to 2.1.3 are vulnerable to … | Apr 14, 2026 |
| CVE-2026-35589 | HIGH | 8.0 | nanobot is a personal AI assistant. Versions prior to 0.1.5 contain a Cross-Site WebSocket Hijacking (CSWSH) vulnerability in the bridge's WebSocket server in bridge/src/server.ts, … | Apr 14, 2026 |
| CVE-2026-35034 | MEDIUM | 6.5 | Jellyfin is an open source self hosted media server. Versions prior to 10.11.7 contain a denial of service vulnerability in the SyncPlay group creation endpoint … | Apr 14, 2026 |
| CVE-2026-35033 | UNKNOWN | — | Jellyfin is an open source self hosted media server. Versions prior to 10.11.7 contain an unauthenticated arbitrary file read vulnerability via ffmpeg argument injection through … | Apr 14, 2026 |
| CVE-2026-35032 | UNKNOWN | — | Jellyfin is an open source self hosted media server. Versions prior to 10.11.7 contain a vulnerability chain in the LiveTV M3U tuner endpoint (POST /LiveTv/TunerHosts), … | Apr 14, 2026 |
| CVE-2026-35031 | CRITICAL | 9.9 | Jellyfin is an open source self hosted media server. Versions prior to 10.11.7 contain a vulnerability chain in the subtitle upload endpoint (POST /Videos/{itemId}/Subtitles), where … | Apr 14, 2026 |
| CVE-2026-34457 | CRITICAL | 9.1 | OAuth2 Proxy is a reverse proxy that provides authentication using OAuth2 providers. Versions prior to 7.15.2 contain a configuration-dependent authentication bypass in deployments where OAuth2 … | Apr 14, 2026 |
| CVE-2026-34454 | LOW | 3.5 | OAuth2 Proxy is a reverse proxy that provides authentication using OAuth2 providers. A regression introduced in 7.11.0 prevents OAuth2 Proxy from clearing the session cookie … | Apr 14, 2026 |
| CVE-2026-33414 | UNKNOWN | — | Podman is a tool for managing OCI containers and pods. Versions 4.8.0 through 5.8.1 contain a command injection vulnerability in the HyperV machine backend in … | Apr 14, 2026 |
| CVE-2026-33023 | HIGH | 7.8 | libsixel is a SIXEL encoder/decoder implementation derived from kmiya's sixel. In versions 1.8.7 and prior, when built with the --with-gdk-pixbuf2 option, a use-after-free vulnerability exists … | Apr 14, 2026 |
| CVE-2026-33021 | HIGH | 7.3 | libsixel is a SIXEL encoder/decoder implementation derived from kmiya's sixel. Versions 1.8.7 and prior contain a use-after-free vulnerability in sixel_encoder_encode_bytes() because sixel_frame_init() stores the caller-owned … | Apr 14, 2026 |
| CVE-2026-27301 | MEDIUM | 5.5 | Adobe Framemaker versions 2022.8 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could lead to memory exposure. An attacker could leverage this … | Apr 14, 2026 |