Total CVEs

143,749

Critical Severity

4,091

High Severity

14,758

Last 7 Days

1,522
Quick preset (or use dates below)
Clear Filters
πŸ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years β†’
Showing 20,461 - 20,480 of 40,154 CVEs
CVE-2025-12624 MEDIUM - 6.0

Active access tokens are not revoked or invalidated when a user account is locked within WSO2 Identity Server. This failure to enforce revocation allows previously issued, valid tokens to remain usable, enabling continued access to protected resources by locked user accounts. The security consequen...

Vendor: WSO2
Product: WSO2 Identity Server
Published: Apr 16, 2026
Source: NVD
CVE-2025-6024 MEDIUM - 6.1

The authentication endpoint fails to encode user-supplied input before rendering it in the web page, allowing for script injection. An attacker can leverage this by injecting malicious scripts into the authentication endpoint. This can result in the user's browser being redirected to a maliciou...

Vendor: wso2
Product: api_manager
Published: Apr 16, 2026
Source: NVD
CVE-2024-8010 LOW - 3.5

The component accepts XML input through the publisher without disabling external entity resolution. This allows malicious actors to submit a crafted XML payload that exploits the unescaped external entity references. By leveraging this vulnerability, a malicious actor can read confidential files fr...

Vendor: wso2
Product: api_manager
Published: Apr 16, 2026
Source: NVD
CVE-2024-4867 MEDIUM - 5.4

The WSO2 API Manager developer portal accepts user-supplied input without enforcing expected validation constraints or proper output encoding. This deficiency allows a malicious actor to inject script content that is executed within the context of a user's browser. By leveraging this cross-sit...

Vendor: wso2
Product: api_manager
Published: Apr 16, 2026
Source: NVD
CVE-2024-10242 MEDIUM - 6.1

The authentication endpoint fails to adequately validate user-supplied input before reflecting it back in the response. This allows an attacker to inject malicious script payloads into the input parameters, which are then executed by the victim's browser. Successful exploitation can enable an ...

Vendor: WSO2
Product: WSO2 API Manager
Published: Apr 16, 2026
Source: NVD
CVE-2026-23772 HIGH - 7.3

Dell Storage Manager - Replay Manager for Microsoft Servers, version(s) 8.0, contain(s) an Improper Privilege Management vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Elevation of privileges.

Vendor: Dell
Product: Storage Manager
Published: Apr 16, 2026
Source: NVD
CVE-2024-2374 HIGH - 7.5

The XML parsers within multiple WSO2 products accept user-supplied XML data without properly configuring to prevent the resolution of external entities. This omission allows malicious actors to craft XML payloads that exploit the parser's behavior, leading to the inclusion of external resources...

Vendor: wso2
Product: api_manager
Published: Apr 16, 2026
Source: NVD
CVE-2026-0718 MEDIUM - 5.3

The Post Grid Gutenberg Blocks for News, Magazines, Blog Websites – PostX plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ultp_shareCount_callback() function in all versions up to, and including, 5.0.5. This makes it possible for unaut...

Published: Apr 16, 2026
Source: NVD
CVE-2025-14868 HIGH - 8.8

The Career Section plugin for WordPress is vulnerable to Cross-Site Request Forgery leading to Path Traversal and Arbitrary File Deletion in all versions up to, and including, 1.6. This is due to missing nonce validation and insufficient file path validation on the delete action in the 'appform...

Vendor: shahinurislam
Product: Career Section
Published: Apr 16, 2026
Source: NVD
CVE-2026-41035 HIGH - 7.4

In rsync 3.0.1 through 3.4.1, receive_xattr relies on an untrusted length value during a qsort call, leading to a receiver use-after-free. The victim must run rsync with -X (aka --xattrs). On Linux, many (but not all) common configurations are vulnerable. Non-Linux platforms are more widely vulnerab...

Vendor: Samba
Product: rsync
Published: Apr 16, 2026
Source: NVD
CVE-2026-41034 MEDIUM - 5.0

ONLYOFFICE DocumentServer before 9.3.0 has an untrusted pointer dereference in XLS processing/conversion (via pictFmla.cbBufInCtlStm and other vectors), leading to an information leak and ASLR bypass.

Vendor: Ascensio
Product: ONLYOFFICE DocumentServer
Published: Apr 16, 2026
Source: NVD
CVE-2026-41030 MEDIUM - 6.2

In ONLYOFFICE DesktopEditors before 9.3.0, the update service allows attackers to perform actions on files with SYSTEM privileges.

Vendor: Ascensio
Product: ONLYOFFICE DesktopEditors
Published: Apr 16, 2026
Source: NVD
CVE-2026-3995 MEDIUM - 4.4

The OPEN-BRAIN plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'API Key' settings field in all versions up to, and including, 0.5.0. This is due to insufficient input sanitization and output escaping. The plugin uses sanitize_text_field() which strips HTML tags bu...

Published: Apr 16, 2026
Source: NVD
CVE-2026-3876 HIGH - 7.2

The Prismatic plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'prismatic_encoded' pseudo-shortcode in all versions up to, and including, 3.7.3. This is due to insufficient input sanitization and output escaping on user-supplied attributes within the 'prismati...

Published: Apr 16, 2026
Source: NVD
CVE-2026-3875 MEDIUM - 6.4

The BetterDocs plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'betterdocs_feedback_form' shortcode in all versions up to, and including, 4.3.8. This is due to insufficient input sanitization and output escaping on user supplied shortcode attributes. This makes it...

Published: Apr 16, 2026
Source: NVD
CVE-2026-3861 MEDIUM - 6.5

LINE client for iOS versions prior to 26.3.0 contains a vulnerability in the in-app browser where opening a crafted web page can repeatedly trigger OS-level dialogs, potentially causing the iOS device to become temporarily inoperable.

Published: Apr 16, 2026
Source: NVD
CVE-2026-3355 MEDIUM - 6.1

The Customer Reviews for WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the β€˜crsearch’ parameter in all versions up to, and including, 5.101.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inj...

Published: Apr 16, 2026
Source: NVD
CVE-2026-1620 HIGH - 8.8

The Livemesh Addons for Elementor plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 9.0. This is due to insufficient sanitization of the template name parameter in the `lae_get_template_part()` function, which uses an inadequate `str_replace()` approach...

Published: Apr 16, 2026
Source: NVD
CVE-2026-1572 MEDIUM - 6.4

The Livemesh Addons for Elementor plugin for WordPress is vulnerable to unauthorized modification of data and Stored Cross-Site Scripting via plugin settings in all versions up to, and including, 9.0. This is due to missing authorization checks on the AJAX handler `lae_admin_ajax()` and insufficient...

Published: Apr 16, 2026
Source: NVD
CVE-2025-13364 MEDIUM - 6.4

The WP Maps – Store Locator,Google Maps,OpenStreetMap,Mapbox,Listing,Directory & Filters plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'put_wpgm' shortcode in all versions up to, and including, 4.8.7. This is due to insufficient input sanitization and output...

Vendor: flippercode
Product: WP Maps – Store Locator,Google Maps,OpenStreetMap,Mapbox,Listing,Directory & Filters
Published: Apr 16, 2026
Source: NVD