Total CVEs

143,793

Critical Severity

4,093

High Severity

14,778

Last 7 Days

1,531
Quick preset (or use dates below)
Clear Filters
๐Ÿ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years โ†’
Showing 20,721 - 20,740 of 40,198 CVEs

Covert timing channel vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA core on all (core modules). Non-constant time comparisons risk private key leakage in FrodoKEM. This issue affects BC-JAVA: from 2.17.3 before 1.84.

Published: Apr 15, 2026
Source: NVD

Use of a Broken or Risky Cryptographic Algorithm vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcpkix on all (pkix modules), Legion of the Bouncy Castle Inc. BCPKIX-FIPS bcpkix on All (pkix modules). This vulnerability is associated with program files JcaContentVerifierProviderBuilder.Ja...

Published: Apr 15, 2026
Source: NVD

Allocation of resources without limits or throttling, Uncontrolled Resource Consumption vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcpg on all (pg modules). This vulnerability is associated with program files AEADEncDataPacket.Java, BcAEADUtil.Java, JceAEADUtil.Java, OperatorHelper.Ja...

Vendor: maven
Product: org.bouncycastle:bcpg-jdk12
Published: Apr 15, 2026
Source: NVD

Impact@fastify/express v4.0.4 and earlier fails to normalize URLs before passing them to Express middleware when Fastify router normalization options are enabled. This allows complete bypass of path-scoped authentication middleware via duplicate slashes when ignoreDuplicateSlashes is enabled, or via...

Vendor: fastify
Product: @fastify/express
Published: Apr 15, 2026
Source: NVD
CVE-2026-33807 CRITICAL - 9.1

@fastify/express v4.0.4 and earlier contains a path handling bug in the onRegister function that causes middleware paths to be doubled when inherited by child plugins. When a child plugin is registered with a prefix that matches a middleware path, the middleware path is prefixed a second time, causi...

Vendor: fastify
Product: @fastify/express
Published: Apr 15, 2026
Source: NVD

Improper neutralization of special elements used in an LDAP query ('LDAP injection') vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcprov on all (prov modules). This vulnerability is associated with program files LDAPStoreHelper. This issue affects BC-JAVA: from 1.74 before 1....

Vendor: maven
Product: org.bouncycastle:bcprov-jdk14
Published: Apr 15, 2026
Source: NVD

Use of a Broken or Risky Cryptographic Algorithm vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcprov on all (core modules). This vulnerability is associated with program files G3413CTRBlockCipher. GOSTCTR implementation unable to process more than 255 blocks correctly. This issue aff...

Vendor: Legion of the Bouncy Castle Inc.
Product: BC-JAVA
Published: Apr 15, 2026
Source: NVD
CVE-2024-33618 HIGH - 7.5

Uncontrolled Resource Consumption in Bosch VMS Central Server in Bosch VMS 12.0.1 allows attackers to consume excessive amounts of disk space via network interface.

Vendor: Bosch
Product: BVMS, BVMS Viewer, Bosch DIVAR IP all-in-one 7000 R3, Bosch DIVAR IP 7000 R2, Bosch DIVAR IP all-in-one 5000, Bosch DIVAR IP all-in-one 7000, DIVAR IP all-in-one 4000, DIVAR IP all-in-one 6000
Published: Apr 15, 2026
Source: NVD
CVE-2026-5717 MEDIUM - 6.4

The VI: Include Post By plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'class_container' attribute of the 'include-post-by-cat' shortcode in all versions up to, and including, 0.4.200706 due to insufficient input sanitization and output escaping on user...

Published: Apr 15, 2026
Source: NVD
CVE-2026-5694 HIGH - 7.2

The Quick Interest Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'loan-amount' and 'loan-period' parameters in all versions up to, and including, 3.1.5 due to insufficient input sanitization and output escaping. This makes it possible for unauth...

Published: Apr 15, 2026
Source: NVD
CVE-2026-5617 HIGH - 8.8

The Login as User plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.0.3. This is due to the handle_return_to_admin() function trusting a client-controlled cookie (oclaup_original_admin) to determine which user to authenticate as, without any server-si...

Published: Apr 15, 2026
Source: NVD
CVE-2026-4091 MEDIUM - 6.1

The OPEN-BRAIN plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.5.0. This is due to missing nonce verification on the settings form in the func_page_main() function. This makes it possible for unauthenticated attackers to inject malicious web s...

Published: Apr 15, 2026
Source: NVD
CVE-2026-4011 MEDIUM - 6.4

The Power Charts Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' parameter of the [pc] shortcode in all versions up to, and including, 0.1.0. This is due to insufficient input sanitization and output escaping on the 'id' shortcode attribute. Sp...

Published: Apr 15, 2026
Source: NVD
CVE-2026-4005 MEDIUM - 6.4

The Coachific Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'userhash' shortcode attribute in all versions up to and including 1.0. This is due to insufficient input sanitization and output escaping. The plugin uses sanitize_text_field() on the 'u...

Published: Apr 15, 2026
Source: NVD
CVE-2026-4002 MEDIUM - 4.3

The Petje.af plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 2.1.8. This is due to missing nonce validation in the ajax_revoke_token() function which handles the 'petjeaf_disconnect' AJAX action. The function performs destructive operati...

Published: Apr 15, 2026
Source: NVD
CVE-2026-3998 MEDIUM - 6.4

The WM JqMath plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'style' shortcode attribute of the [jqmath] shortcode in all versions up to and including 1.3. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes. T...

Published: Apr 15, 2026
Source: NVD
CVE-2026-3659 MEDIUM - 6.4

The WP Circliful plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' shortcode attribute of the [circliful] shortcode and via multiple shortcode attributes of the [circliful_direct] shortcode in all versions up to and including 1.2. This is due to insufficient in...

Published: Apr 15, 2026
Source: NVD
CVE-2026-3649 MEDIUM - 5.3

The Katalogportal PDF Sync plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 1.0.0. The katalogportal_popup_shortcode() function is registered as an AJAX handler via wp_ajax_katalogportal_shortcodePrinter but lacks any capability check (current_user_can(...

Published: Apr 15, 2026
Source: NVD
CVE-2026-3643 HIGH - 7.2

The Accessibly plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the REST API in all versions up to, and including, 3.0.3. The plugin registers REST API endpoints at `/otm-ac/v1/update-widget-options` and `/otm-ac/v1/update-app-config` with the `permission_callback` set to `__ret...

Published: Apr 15, 2026
Source: NVD
CVE-2026-3642 MEDIUM - 5.3

The e-shotโ„ข form builder plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 1.0.2. The eshot_form_builder_update_field_data() AJAX handler lacks any capability checks (current_user_can()) or nonce verification (check_ajax_referer()/wp_verify_nonce()). The...

Published: Apr 15, 2026
Source: NVD