Total CVEs

143,749

Critical Severity

4,091

High Severity

14,758

Last 7 Days

1,527
Quick preset (or use dates below)
Clear Filters
๐Ÿ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years โ†’
Showing 20,441 - 20,460 of 40,154 CVEs
CVE-2026-37339 CRITICAL - 9.8

SourceCodester Simple Music Cloud Community System v1.0 is vulnerable to SQL Injection in the file /music/view_genre.php.

Published: Apr 16, 2026
Source: NVD
CVE-2026-37338 CRITICAL - 9.4

SourceCodester Simple Music Cloud Community System v1.0 is vulnerable to SQL Injection in the file /music/view_user.php.

Published: Apr 16, 2026
Source: NVD
CVE-2026-37337 HIGH - 7.3

SourceCodester Simple Music Cloud Community System v1.0 is vulnerable to SQL Injection in the file /music/view_playlist.php.

Published: Apr 16, 2026
Source: NVD
CVE-2026-37336 HIGH - 7.3

SourceCodester Simple Music Cloud Community System v1.0 is vulnerable to SQL Injection in the file /music/view_music.php.

Published: Apr 16, 2026
Source: NVD
CVE-2026-33804 HIGH - 7.4

@fastify/middie versions 9.3.1 and earlier are vulnerable to middleware bypass when the deprecated Fastify ignoreDuplicateSlashes option is enabled. The middleware path matching logic does not account for duplicate slash normalization performed by Fastify's router, allowing requests with duplic...

Vendor: @fastify/middie
Product: @fastify/middie
Published: Apr 16, 2026
Source: NVD
CVE-2026-30656 HIGH - 7.5

A NULL pointer dereference vulnerability exists in fio (Flexible I/O Tester) v3.41 when parsing job files containing the fdp_pli option. The callback function str_fdp_pli_cb() does not validate the input pointer and calls strdup() on a NULL value when the option is specified without an argument. Thi...

Published: Apr 16, 2026
Source: NVD
CVE-2026-30459 HIGH - 7.1

An issue in the Forgot Password feature of Daylight Studio FuelCMS v1.5.2 allows unauthenticated attackers to obtain the password reset token of a victim user via a crafted link placed in a valid e-mail message.

Vendor: thedaylightstudio
Product: fuel_cms
Published: Apr 16, 2026
Source: NVD
CVE-2026-2840 MEDIUM - 6.4

The Email Encoder โ€“ Protect Email Addresses and Phone Numbers plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'eeb_mailto' shortcode in all versions up to, and including, 2.4.4 due to insufficient input sanitization and output escaping. This makes it possible for ...

Published: Apr 16, 2026
Source: NVD
CVE-2026-6410 MEDIUM - 5.3

@fastify/static versions 8.0.0 through 9.1.0 allow path traversal when directory listing is enabled via the list option. The dirList.path() function resolves directories outside the configured static root using path.join() without a containment check. A remote unauthenticated attacker can obtain dir...

Vendor: npm
Product: @fastify/static
Published: Apr 16, 2026
Source: NVD
CVE-2026-6270 CRITICAL - 9.1

@fastify/middie versions 9.3.1 and earlier do not register inherited middleware directly on child plugin engine instances. When a Fastify application registers authentication middleware in a parent scope and then registers child plugins with @fastify/middie, the child scope does not inherit the pare...

Vendor: npm
Product: @fastify/middie
Published: Apr 16, 2026
Source: NVD
CVE-2026-5785 HIGH - 8.1

Zohocorp ManageEngine PAM360 versions before 8531 and ManageEngine Password Manager Pro versions from 8600 to 13230 are vulnerable to Authenticated SQL injection in the query report module.

Published: Apr 16, 2026
Source: NVD
CVE-2026-4160 MEDIUM - 5.3

The Fluent Forms โ€“ Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder plugin for WordPress is vulnerable to Insecure Direct Object Reference via the 'submission_id' parameter in versions up to, and including, 6.1.21. This is due to missing authorization and ownersh...

Published: Apr 16, 2026
Source: NVD
CVE-2026-31987 MEDIUM - 7.5

JWT Tokens used by tasks were exposed in logs. This could allow UI users to act as Dag Authors. Users are advised to upgrade to Airflow version that contains fix. Users are recommended to upgrade to version 3.2.0, which fixes this issue.

Vendor: Apache Software Foundation
Product: Apache Airflow
Published: Apr 16, 2026
Source: NVD
CVE-2026-6414 MEDIUM - 5.9

@fastify/static versions 8.0.0 through 9.1.0 decode percent-encoded path separators (%2F) before filesystem resolution, while Fastify's router treats them as literal characters. This mismatch allows attackers to bypass route-based middleware or guards that protect files served by @fastify/stati...

Vendor: npm
Product: @fastify/static
Published: Apr 16, 2026
Source: NVD

Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. Reason: This candidate was issued in error. Notes: All references and descriptions in this candidate have been removed to prevent accidental usage.

Published: Apr 16, 2026
Source: NVD
CVE-2026-31843 CRITICAL - 9.8

The goodoneuz/pay-uz Laravel package (<= 2.2.24) contains a critical vulnerability in the /payment/api/editable/update endpoint that allows unauthenticated attackers to overwrite existing PHP payment hook files. The endpoint is exposed via Route::any() without authentication middleware, enabling ...

Vendor: goodoneuz
Product: pay-uz
Published: Apr 16, 2026
Source: NVD

Insufficiently Protected Credentials in Sparx Systems Pty Ltd. Sparx Enterprise Architect. Client does not verify the receiver of OAuth2 credentials during OpenID authentication

Vendor: Sparx Systems Pty Ltd.
Product: Sparx Enterprise Architect
Published: Apr 16, 2026
Source: NVD
CVE-2026-3489 HIGH - 7.5

The DirectoryPress โ€“ Business Directory And Classified Ad Listing plugin for WordPress is vulnerable to SQL Injection via the 'packages' parameter in versions up to, and including, 3.6.26 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the ...

Published: Apr 16, 2026
Source: NVD
CVE-2026-3369 MEDIUM - 5.4

The Better Find and Replace โ€“ AI-Powered Suggestions plugin for WordPress is vulnerable to Stored Cross-Site Scripting via uploaded image title in versions up to, and including, 1.7.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

Published: Apr 16, 2026
Source: NVD
CVE-2026-3155 LOW - 3.1

The OneSignal โ€“ Web Push Notifications plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 3.8.0. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscri...

Published: Apr 16, 2026
Source: NVD