Security
CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
Total: 10648
Critical: 723
High: 3075
Medium: 3393
| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-4301 | MEDIUM | 4.3 | The Rate Star Review Vote - AJAX Reviews, Votes, Star Ratings plugin for WordPress is vulnerable to Missing Authorization in all versions up to and … | May 12, 2026 |
| CVE-2026-3604 | MEDIUM | 4.9 | The WP SEO Structured Data Schema plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `_kcseo_ative_tab` parameter in all versions up to, and … | May 12, 2026 |
| CVE-2026-39432 | HIGH | 8.2 | Missing Authorization vulnerability in Arraytics Timetics allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Timetics: from n/a through 1.0.53. | May 12, 2026 |
| CVE-2026-2993 | HIGH | 7.5 | The AI Chatbot & Workflow Automation by AIWU plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 1.4.17 due to … | May 12, 2026 |
| CVE-2026-2300 | MEDIUM | 6.4 | The BJ Lazy Load plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `filter_images()` function in all versions up to, and including, 1.0.9. … | May 12, 2026 |
| CVE-2026-35227 | UNKNOWN | — | An unauthenticated remote attacker may exhaust all available TCP connections in the CODESYS Modbus TCP Server stack if a race condition in connection handling is … | May 12, 2026 |
| CVE-2026-1681 | MEDIUM | 6.1 | Issuing an ICMP ping via the `net ping` shell command to a device's own IPv4 address causes the network stack to recursively re-enter the input … | May 12, 2026 |
| CVE-2026-1185 | MEDIUM | 5.4 | A configuration file on the local file system had improper input validation which could allow code execution and potentially lead to privilege escalation. This vulnerability … | May 12, 2026 |
| CVE-2026-0804 | MEDIUM | 6.7 | An ACAP configuration file lacked sufficient input validation, which could allow a path traversal attack leading to potential privilege escalation. This vulnerability can only be … | May 12, 2026 |
| CVE-2026-0802 | MEDIUM | 6.0 | An ACAP configuration file lacked sufficient input validation, which could allow command injection and potentially lead to privilege escalation. This vulnerability can only be exploited … | May 12, 2026 |
| CVE-2026-0541 | MEDIUM | 6.7 | ACAP applications can gain elevated privileges due to improper input validation during the installation process, potentially leading to privilege escalation. This vulnerability can only be … | May 12, 2026 |
| CVE-2026-41872 | HIGH | 7.4 | "Kura Sushi Official App" provided by EPG, Inc. is vulnerable to improper certificate validation. A man-in-the-middle attack may allow eavesdropping on, or altering, the communication … | May 12, 2026 |
| CVE-2026-41530 | LOW | 3.3 | The automatic folder creation feature of Lhaz and Lhaz+ provided by Chitora soft contains a path traversal vulnerability. When the affected product is configured with … | May 12, 2026 |
| CVE-2026-44499 | UNKNOWN | — | ZEBRA is a Zcash node written entirely in Rust. Prior to version 4.4.0, a composite denial-of-service vulnerability in Zebra's block discovery pipeline allows an unauthenticated … | May 08, 2026 |
| CVE-2026-43967 | UNKNOWN | — | Inefficient Algorithmic Complexity vulnerability in absinthe-graphql absinthe allows unauthenticated denial of service via quadratic fragment-name uniqueness validation. 'Elixir.Absinthe.Phase.Document.Validation.UniqueFragmentNames':run/2 iterates over all fragments and for each … | May 08, 2026 |
| CVE-2026-42794 | UNKNOWN | — | Improper Neutralization of Input During Web Page Generation (XSS) vulnerability in absinthe-graphql absinthe_plug allows reflected cross-site scripting via the GraphiQL interface. 'Elixir.Absinthe.Plug.GraphiQL':js_escape/1 in lib/absinthe/plug/graphiql.ex escapes … | May 08, 2026 |
| CVE-2026-42793 | UNKNOWN | — | Allocation of Resources Without Limits or Throttling vulnerability in absinthe-graphql absinthe allows unauthenticated denial of service via atom table exhaustion when parsing attacker-controlled GraphQL SDL. … | May 08, 2026 |
| CVE-2026-42353 | HIGH | 8.2 | i18next-http-middleware is a middleware to be used with Node.js web frameworks like express or Fastify and also for Deno. Prior to version 3.9.3, i18next-http-middleware passes … | May 08, 2026 |
| CVE-2026-41886 | HIGH | 7.5 | locize is a localization platform that connects code and i18n setup. Prior to version 4.0.21, the locize client SDK registers a window.addEventListener("message", …) handler that … | May 08, 2026 |
| CVE-2026-41885 | MEDIUM | 6.5 | i18next-locize-backend is a simple i18next backend for locize.com which can be used in Node.js, in the browser and for Deno. Prior to version 9.0.2, i18next-locize-backend … | May 08, 2026 |
| CVE-2026-41883 | HIGH | 8.1 | OmniFaces is a utility library for Faces. Prior to versions 1.14.2, 2.7.32, 3.14.16, 4.7.5, and 5.2.3, there is a server-side EL injection leading to Remote … | May 08, 2026 |
| CVE-2026-41693 | HIGH | 8.2 | i18next-fs-backend is a backend layer for i18next used in Node.js and for Deno to load translations from the filesystem. Prior to version 2.6.4, i18next-fs-backend substitutes … | May 08, 2026 |
| CVE-2026-41690 | HIGH | 8.6 | i18next-http-middleware is a middleware to be used with Node.js web frameworks like express or Fastify and also for Deno. Versions prior to 3.9.3 allow an … | May 08, 2026 |
| CVE-2026-41683 | HIGH | 8.6 | i18next-http-middleware is a middleware to be used with Node.js web frameworks like express or Fastify and also for Deno. Prior to version 3.9.3, i18next-http-middleware wrote … | May 08, 2026 |
| CVE-2026-41591 | MEDIUM | 6.4 | Marko is a declarative, HTML-based language for building web apps. Prior to marko version 5.38.36 and prior to @marko/runtime-tags 6.0.164, when dynamic text is interpolated … | May 08, 2026 |