Total CVEs

143,749

Critical Severity

4,091

High Severity

14,758

Last 7 Days

1,541
Quick preset (or use dates below)
Clear Filters
📅 Showing Year: 2026 (January 1 - December 31, 2026) View All Years →
Showing 20,361 - 20,380 of 40,154 CVEs
CVE-2026-23853 HIGH - 8.4

Dell PowerProtect Data Domain with Data Domain Operating System (DD OS) of Feature Release versions 7.7.1.0 through 8.5, LTS2025 release version 8.3.1.0 through 8.3.1.20, LTS2024 release versions 7.13.1.0 through 7.13.1.50, contain a use of weak credentials vulnerability. An unauthenticated attacker...

Vendor: Dell
Product: PowerProtect Data Domain
Published: Apr 17, 2026
Source: NVD
CVE-2026-6443 CRITICAL - 9.8

The Accordion and Accordion Slider plugin for WordPress is vulnerable to an injected backdoor in version 1.4.6. This is due to the plugin being sold to a malicious threat actor that embedded a backdoor in all of the plugin's they acquired. This makes it possible for the threat actor to maintain...

Published: Apr 17, 2026
Source: NVD
CVE-2026-6441 MEDIUM - 4.3

The Canto plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 3.1.1. This is due to the absence of any capability check or nonce verification in the updateOptions() function, which is exposed via two AJAX hooks: wp_ajax_updateOptions (class-canto.php line 231)...

Published: Apr 17, 2026
Source: NVD
CVE-2026-4659 HIGH - 7.5

The Unlimited Elements for Elementor plugin for WordPress is vulnerable to Arbitrary File Read via the Repeater JSON/CSV URL parameter in versions up to, and including, 2.0.6. This is due to insufficient path traversal sanitization in the URLtoRelative() and urlToPath() functions, combined with the ...

Published: Apr 17, 2026
Source: NVD

The Rapid7 Insight Agent (versions > 4.1.0.2) is vulnerable to a local privilege escalation attack that allows users to gain SYSTEM level control of a Windows host. Upon startup the agent service attempts to load an OpenSSL configuration file from a non-existent directory that is writable by stan...

Published: Apr 17, 2026
Source: NVD
CVE-2026-6421 HIGH - 7.0

A vulnerability has been found in Mobatek MobaXterm Home Edition up to 26.1. This affects an unknown part in the library msimg32.dll. The manipulation leads to uncontrolled search path. An attack has to be approached locally. The attack is considered to have high complexity. It is indicated that the...

Published: Apr 17, 2026
Source: NVD
CVE-2026-5797 MEDIUM - 5.3

The Quiz And Survey Master plugin for WordPress is vulnerable to Arbitrary Shortcode Execution in versions up to and including 11.1.0. This is due to insufficient input sanitization and the execution of do_shortcode() on user-submitted quiz answer text. User-submitted answers pass through sanitize_t...

Published: Apr 17, 2026
Source: NVD

A path traversal vulnerability exists in CubeCart prior to 6.6.0, which may allow a user with an administrative privilege to access higher-level directories that should not be accessible.

Vendor: CubeCart Limited
Product: CubeCart
Published: Apr 17, 2026
Source: NVD
CVE-2026-34018 MEDIUM - 6.3

An SQL injection vulnerability exists in CubeCart prior to 6.6.0, which may allow an attacker to execute an arbitrary SQL statement on the product.

Vendor: CubeCart Limited
Product: CubeCart
Published: Apr 17, 2026
Source: NVD
CVE-2026-21719 HIGH - 7.2

An OS command injection vulnerability exists in CubeCart prior to 6.6.0, which may allow a user with an administrative privilege to execute an arbitrary OS command.

Vendor: CubeCart Limited
Product: CubeCart
Published: Apr 17, 2026
Source: NVD
CVE-2026-6080 MEDIUM - 6.5

The Tutor LMS plugin for WordPress is vulnerable to SQL Injection in versions up to and including 3.9.8. This is due to insufficient escaping on the 'date' parameter combined with direct interpolation into a SQL fragment before being passed to $wpdb->prepare(). This makes it possible fo...

Published: Apr 17, 2026
Source: NVD
CVE-2026-5807 HIGH - 7.5

Vault is vulnerable to a denial-of-service condition where an unauthenticated attacker can repeatedly initiate or cancel root token generation or rekey operations, occupying the single in-progress operation slot. This prevents legitimate operators from completing these workflows. This vulnerability,...

Vendor: go
Product: github.com/hashicorp/vault
Published: Apr 17, 2026
Source: NVD
CVE-2026-5502 MEDIUM - 5.3

The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized course content manipulation in versions up to and including 3.9.8. This is due to a missing authorization check in the tutor_update_course_content_order() function. The function only validates the...

Published: Apr 17, 2026
Source: NVD
CVE-2026-5427 MEDIUM - 5.3

The Kubio plugin for WordPress is vulnerable to Arbitrary File Upload in versions up to and including 2.7.2. This is due to insufficient capability checks in the kubio_rest_pre_insert_import_assets() function, which is hooked to the rest_pre_insert_{post_type} filter for posts, pages, templates, and...

Published: Apr 17, 2026
Source: NVD
CVE-2026-5234 MEDIUM - 5.3

The LatePoint plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.3.2. The vulnerability exists because the OsStripeConnectController::create_payment_intent_for_transaction action is registered as a public action (no authentication required)...

Published: Apr 17, 2026
Source: NVD
CVE-2026-4853 MEDIUM - 4.9

The JetBackup – Backup, Restore & Migrate plugin for WordPress is vulnerable to Path Traversal leading to Arbitrary Directory Deletion in versions up to and including 3.1.19.8. This is due to insufficient input validation on the fileName parameter in the file upload handler. The plugin sanitizes...

Published: Apr 17, 2026
Source: NVD
CVE-2026-3330 MEDIUM - 4.9

The Form Maker by 10Web plugin for WordPress is vulnerable to SQL Injection via the 'ip_search', 'startdate', 'enddate', 'username_search', and 'useremail_search' parameters in all versions up to, and including, 1.15.40. This is due to the `WDW_FM_Li...

Published: Apr 17, 2026
Source: NVD
CVE-2026-5052 MEDIUM - 5.3

Vault’s PKI engine’s ACME validation did not reject local targets when issuing http-01 and tls-alpn-01 challenges. This may lead to these requests being sent to local network targets, potentially leading to information disclosure. Fixed in Vault Community Edition 2.0.0 and Vault Enterprise 2.0.0, 1....

Vendor: go
Product: github.com/hashicorp/vault
Published: Apr 17, 2026
Source: NVD
CVE-2026-4666 MEDIUM - 6.5

The wpForo Forum plugin for WordPress is vulnerable to unauthorized modification of data due to the use of `extract($args, EXTR_OVERWRITE)` on user-controlled input in the `edit()` method of `classes/Posts.php` in all versions up to, and including, 2.4.16. The `post_edit` action handler in `Actions....

Published: Apr 17, 2026
Source: NVD
CVE-2026-4525 HIGH - 7.5

If a Vault auth mount is configured to pass through the "Authorization" header, and the "Authorization" header is used to authenticate to Vault, Vault forwarded the Vault token to the auth plugin backend. Fixed in 2.0.0, 1.21.5, 1.20.10, and 1.19.16.

Vendor: go
Product: github.com/hashicorp/vault
Published: Apr 17, 2026
Source: NVD