Total CVEs

143,768

Critical Severity

4,091

High Severity

14,768

Last 7 Days

1,518
Quick preset (or use dates below)
Clear Filters
๐Ÿ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years โ†’
Showing 20,681 - 20,700 of 40,173 CVEs
CVE-2026-40764 HIGH - 8.1

Cross-Site Request Forgery (CSRF) vulnerability in Syed Balkhi Contact Form by WPForms wpforms-lite allows Cross Site Request Forgery.This issue affects Contact Form by WPForms: from n/a through <= 1.10.0.2.

Vendor: Syed Balkhi
Product: Contact Form by WPForms
Published: Apr 15, 2026
Source: NVD
CVE-2026-40763 MEDIUM - 5.3

Missing Authorization vulnerability in WP Royal Royal Elementor Addons royal-elementor-addons allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Royal Elementor Addons: from n/a through <= 1.7.1056.

Vendor: WP Royal
Product: Royal Elementor Addons
Published: Apr 15, 2026
Source: NVD
CVE-2026-40745 HIGH - 7.6

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in bdthemes Element Pack Elementor Addons bdthemes-element-pack-lite allows Blind SQL Injection.This issue affects Element Pack Elementor Addons: from n/a through <= 8.4.2.

Vendor: bdthemes
Product: Element Pack Elementor Addons
Published: Apr 15, 2026
Source: NVD
CVE-2026-40744 HIGH - 8.5

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Beaver Builder Beaver Builder beaver-builder-lite-version allows Blind SQL Injection.This issue affects Beaver Builder: from n/a through <= 2.10.1.2.

Vendor: Beaver Builder
Product: Beaver Builder
Published: Apr 15, 2026
Source: NVD
CVE-2026-40742 MEDIUM - 5.3

Missing Authorization vulnerability in Nelio Software Nelio AB Testing nelio-ab-testing allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Nelio AB Testing: from n/a through <= 8.2.8.

Vendor: Nelio Software
Product: Nelio AB Testing
Published: Apr 15, 2026
Source: NVD
CVE-2026-40740 MEDIUM - 5.4

Missing Authorization vulnerability in Themeum Tutor LMS tutor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Tutor LMS: from n/a through <= 3.9.7.

Vendor: Themeum
Product: Tutor LMS
Published: Apr 15, 2026
Source: NVD
CVE-2026-40737 MEDIUM - 5.3

Authorization Bypass Through User-Controlled Key vulnerability in VillaTheme COMPE compe-woo-compare-products allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects COMPE: from n/a through <= 1.1.4.

Vendor: VillaTheme
Product: COMPE
Published: Apr 15, 2026
Source: NVD
CVE-2026-40734 MEDIUM - 6.5

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Zahlan Categories Images categories-images allows DOM-Based XSS.This issue affects Categories Images: from n/a through <= 3.3.1.

Vendor: Zahlan
Product: Categories Images
Published: Apr 15, 2026
Source: NVD
CVE-2026-40730 MEDIUM - 5.3

Missing Authorization vulnerability in ThemeGrill ThemeGrill Demo Importer themegrill-demo-importer allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects ThemeGrill Demo Importer: from n/a through <= 2.0.0.6.

Vendor: ThemeGrill
Product: ThemeGrill Demo Importer
Published: Apr 15, 2026
Source: NVD
CVE-2026-40729 MEDIUM - 4.3

Missing Authorization vulnerability in bPlugins 3D viewer โ€“ Embed 3D Models 3d-viewer allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects 3D viewer โ€“ Embed 3D Models: from n/a through <= 1.8.5.

Vendor: bPlugins
Product: 3D viewer โ€“ Embed 3D Models
Published: Apr 15, 2026
Source: NVD
CVE-2026-40728 MEDIUM - 4.3

Missing Authorization vulnerability in BlockArt Magazine Blocks magazine-blocks allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Magazine Blocks: from n/a through <= 1.8.3.

Vendor: BlockArt
Product: Magazine Blocks
Published: Apr 15, 2026
Source: NVD

@fastify/reply-from v12.6.1 and earlier and @fastify/http-proxy v11.4.3 and earlier process the client's Connection header after the proxy has added its own headers via rewriteRequestHeaders. This allows attackers to retroactively strip proxy-added headers from upstream requests by listing them...

Vendor: @fastify/reply-from
Product: @fastify/reply-from, @fastify/http-proxy
Published: Apr 15, 2026
Source: NVD
CVE-2026-30778 HIGH - 7.5

The SkyWalking OAP /debugging/config/dump endpoint may leak sensitive configuration information of MySQL/PostgreSQL. This issue affects Apache SkyWalking: from 9.7.0 through 10.3.0. Users are recommended to upgrade to version 10.4.0, which fixes the issue.

Vendor: Apache Software Foundation
Product: Apache SkyWalking
Published: Apr 15, 2026
Source: NVD
CVE-2026-28741 MEDIUM - 6.8

Mattermost versions 10.11.x <= 10.11.12, 11.5.x <= 11.5.0, 11.4.x <= 11.4.2, 11.3.x <= 11.3.2 fail to validate CSRF tokens on an authentication endpoint which allows an attacker to update a user's authentication method via a CSRF attack by tricking a user into visiting a malicious p...

Vendor: Mattermost
Product: Mattermost
Published: Apr 15, 2026
Source: NVD

Mattermost versions 10.11.x <= 10.11.12 fail to validate whether users were correctly owned by the correct Connected Workspace which allows a malicious remote server connected using the Conntexted Workspaces feature to change the displayed status of local users via the Connected Workspaces API.. ...

Vendor: Mattermost
Product: Mattermost
Published: Apr 15, 2026
Source: NVD

Covert timing channel vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA core on all (core modules). Non-constant time comparisons risk private key leakage in FrodoKEM. This issue affects BC-JAVA: from 2.17.3 before 1.84.

Published: Apr 15, 2026
Source: NVD

Use of a Broken or Risky Cryptographic Algorithm vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcpkix on all (pkix modules), Legion of the Bouncy Castle Inc. BCPKIX-FIPS bcpkix on All (pkix modules). This vulnerability is associated with program files JcaContentVerifierProviderBuilder.Ja...

Published: Apr 15, 2026
Source: NVD

Allocation of resources without limits or throttling, Uncontrolled Resource Consumption vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcpg on all (pg modules). This vulnerability is associated with program files AEADEncDataPacket.Java, BcAEADUtil.Java, JceAEADUtil.Java, OperatorHelper.Ja...

Vendor: maven
Product: org.bouncycastle:bcpg-jdk12
Published: Apr 15, 2026
Source: NVD

Impact@fastify/express v4.0.4 and earlier fails to normalize URLs before passing them to Express middleware when Fastify router normalization options are enabled. This allows complete bypass of path-scoped authentication middleware via duplicate slashes when ignoreDuplicateSlashes is enabled, or via...

Vendor: fastify
Product: @fastify/express
Published: Apr 15, 2026
Source: NVD
CVE-2026-33807 CRITICAL - 9.1

@fastify/express v4.0.4 and earlier contains a path handling bug in the onRegister function that causes middleware paths to be doubled when inherited by child plugins. When a child plugin is registered with a prefix that matches a middleware path, the middleware path is prefixed a second time, causi...

Vendor: fastify
Product: @fastify/express
Published: Apr 15, 2026
Source: NVD