Total CVEs

143,749

Critical Severity

4,091

High Severity

14,758

Last 7 Days

1,518
Quick preset (or use dates below)
Clear Filters
πŸ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years β†’
Showing 20,521 - 20,540 of 40,154 CVEs
CVE-2026-4880 CRITICAL - 9.8

The Barcode Scanner (+Mobile App) – Inventory manager, Order fulfillment system, POS (Point of Sale) plugin for WordPress is vulnerable to privilege escalation via insecure token-based authentication in all versions up to, and including, 1.11.0. This is due to the plugin trusting a user-supplied Bas...

Published: Apr 16, 2026
Source: NVD

Yubico libfido2 before 1.17.0, python-fido2 before 2.2.0, and yubikey-manager before 5.9.1 have an unintended DLL search path.

Vendor: Yubico
Product: libfido2, python-fido2, yubikey-manager
Published: Apr 16, 2026
Source: NVD
CVE-2026-4949 MEDIUM - 4.3

The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 4.16.12. This is due to the 'process_checkout' function not proper...

Published: Apr 15, 2026
Source: NVD
CVE-2026-40316 HIGH - 8.8

OWASP BLT is a QA testing and vulnerability disclosure platform that encompasses websites, apps, git repositories, and more. Versions prior to 2.1.1 contain an RCE vulnerability in the .github/workflows/regenerate-migrations.yml workflow. The workflow uses the pull_request_target trigger to run with...

Vendor: OWASP-BLT
Product: BLT
Published: Apr 15, 2026
Source: NVD
CVE-2026-39350 MEDIUM - 5.4

Istio is an open platform to connect, manage, and secure microservices. In versions 1.25.0 through 1.27.8, 1.28.0 through 1.28.5, 1.29.0, and 1.29.1, the serviceAccounts and notServiceAccounts fields in AuthorizationPolicy incorrectly interpret dots (.) as a regular expression matcher. Because . is ...

Vendor: istio
Product: istio
Published: Apr 15, 2026
Source: NVD
CVE-2026-6388 CRITICAL - 9.1

A flaw was found in ArgoCD Image Updater. This vulnerability allows an attacker, with permissions to create or modify an ImageUpdater resource in a multi-tenant environment, to bypass namespace boundaries. By exploiting insufficient validation, the attacker can trigger unauthorized image updates on ...

Published: Apr 15, 2026
Source: NVD
CVE-2026-40500 MEDIUM - 6.8

ProcessWire CMS version 3.0.255 and prior contain a server-side request forgery vulnerability in the admin panel's 'Add Module From URL' feature that allows authenticated administrators to supply arbitrary URLs to the module download parameter, causing the server to issue outbound HTT...

Vendor: processwire
Product: processwire
Published: Apr 15, 2026
Source: NVD

Pega Platform versions 8.1.0 through 25.1.1 are affected by a Stored Cross-Site Scripting vulnerability in a user interface component. Requires a high privileged user with a developer role.

Published: Apr 15, 2026
Source: NVD

Pega Platform versions 8.1.0 through 25.1.1 are affected by an HTML Injection vulnerability in a user interface component. Requires a high privileged user with a developer role.

Published: Apr 15, 2026
Source: NVD

Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. Reason: This candidate was issued in error. Notes: All references and descriptions in this candidate have been removed to prevent accidental usage.

Published: Apr 15, 2026
Source: NVD
CVE-2026-40186 MEDIUM - 6.1

ApostropheCMS is an open-source Node.js content management system. A regression introduced in commit 49d0bb7, included in versions 2.17.1 of the ApostropheCMS-maintained sanitize-html package bypasses allowedTags enforcement for text inside nonTextTagsArray elements (textarea and option). Apostrophe...

Vendor: apostrophecms
Product: apostrophe, sanitize-html
Published: Apr 15, 2026
Source: NVD
CVE-2026-40173 CRITICAL - 9.4

Dgraph is an open source distributed GraphQL database. Versions 25.3.1 and prior contain an unauthenticated credential disclosure vulnerability where the /debug/pprof/cmdline endpoint is registered on the default mux and reachable without authentication, exposing the full process command line includ...

Vendor: dgraph-io
Product: dgraph
Published: Apr 15, 2026
Source: NVD
CVE-2026-22676 HIGH - 7.8

Barracuda RMM versions prior toΒ 2025.2.2 contain a privilege escalation vulnerability that allows local attackers to gain SYSTEM-level privileges by exploiting overly permissive filesystem ACLs on the C:\Windows\Automation directory. Attackers can modify existing automation content or place attacker...

Vendor: Barracuda Networks
Product: RMM
Published: Apr 15, 2026
Source: NVD
CVE-2026-6385 MEDIUM - 6.5

A flaw was found in FFmpeg. A remote attacker could exploit this vulnerability by providing a specially crafted MPEG-PS/VOB media file containing a malicious DVD subtitle stream. This vulnerability is caused by a signed integer overflow in the DVD subtitle parser's fragment reassembly bounds ch...

Published: Apr 15, 2026
Source: NVD
CVE-2026-6384 HIGH - 7.3

A flaw was found in gimp. This buffer overflow vulnerability in the GIF image loading component's `ReadJeffsImage` function allows an attacker to write beyond an allocated buffer by processing a specially crafted GIF file. This can lead to a denial of service or potentially arbitrary code execu...

Published: Apr 15, 2026
Source: NVD
CVE-2026-6364 MEDIUM - 6.5

Out of bounds read in Skia in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted file. (Chromium security severity: Medium)

Vendor: google
Product: chrome
Published: Apr 15, 2026
Source: NVD
CVE-2026-6363 HIGH - 8.8

Type Confusion in V8 in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page. (Chromium security severity: Medium)

Vendor: google
Product: chrome
Published: Apr 15, 2026
Source: NVD
CVE-2026-6362 MEDIUM - 6.3

Use after free in Codecs in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to potentially perform out of bounds memory access via a crafted video file. (Chromium security severity: High)

Vendor: google
Product: chrome
Published: Apr 15, 2026
Source: NVD
CVE-2026-6361 HIGH - 7.2

Heap buffer overflow in PDFium in Google Chrome on Windows prior to 147.0.7727.101 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code inside a sandbox via a crafted PDF file. (Chromium security severity: High)

Vendor: google
Product: chrome
Published: Apr 15, 2026
Source: NVD
CVE-2026-6360 HIGH - 8.8

Use after free in FileSystem in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to potentially exploit object corruption via a crafted HTML page. (Chromium security severity: High)

Vendor: google
Product: chrome
Published: Apr 15, 2026
Source: NVD