Total CVEs

143,793

Critical Severity

4,093

High Severity

14,778

Last 7 Days

1,529
Quick preset (or use dates below)
Clear Filters
๐Ÿ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years โ†’
Showing 20,761 - 20,780 of 40,198 CVEs
CVE-2026-1509 MEDIUM - 5.4

The Avada (Fusion) Builder plugin for WordPress is vulnerable to Arbitrary WordPress Action Execution in all versions up to, and including, 3.15.1. This is due to the plugin's `output_action_hook()` function accepting user-controlled input to trigger any registered WordPress action hook without...

Published: Apr 15, 2026
Source: NVD
CVE-2026-1314 MEDIUM - 5.3

The 3D FlipBook โ€“ PDF Embedder, PDF Flipbook Viewer, Flipbook Image Gallery plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the send_post_pages_json() function in all versions up to, and including, 1.16.17. This makes it possible for unauthentic...

Published: Apr 15, 2026
Source: NVD
CVE-2025-54550 HIGH - 8.1

The example example_xcomย that was included in airflow documentation implemented unsafe pattern of reading value from xcom in the way that could be exploited to allow UI user who had access to modify XComs to perform arbitrary execution of code on the worker. Since the UI users are already highly tru...

Vendor: Apache Software Foundation
Product: Apache Airflow
Published: Apr 15, 2026
Source: NVD
CVE-2025-15470 MEDIUM - 6.5

The Eleganzo theme for WordPress is vulnerable to arbitrary directory deletion due to insufficient path validation in the akd_required_plugin_callback function in all versions up to, and including, 1.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to de...

Vendor: DesigningMedia
Product: Eleganzo
Published: Apr 15, 2026
Source: NVD
CVE-2026-40688 HIGH - 7.2

An out-of-bounds write vulnerability [CWE-787] vulnerability in Fortinet FortiWeb 8.0.0 through 8.0.3, FortiWeb 7.6.0 through 7.6.6, FortiWeb 7.4.0 through 7.4.11 may allow a remote privileged attacker to execute arbitrary code or command via crafted HTTP requests.

Vendor: Fortinet
Product: FortiWeb
Published: Apr 14, 2026
Source: NVD
CVE-2026-39399 CRITICAL - 9.6

NuGet Gallery is a package repository that powers nuget.org. A security vulnerability exists in the NuGetGallery backend jobโ€™s handling of .nuspec files within NuGet packages. An attacker can supply a crafted nuspec file with malicious metadata, leading to cross package metadata injection that may r...

Vendor: NuGet
Product: NuGetGallery
Published: Apr 14, 2026
Source: NVD
CVE-2026-39387 HIGH - 7.2

BoidCMS is an open-source, PHP-based flat-file CMS for building simple websites and blogs, using JSON as its database. Versions prior to 2.1.3 are vulnerable to a critical Local File Inclusion (LFI) attack via the tpl parameter, which can lead to Remote Code Execution (RCE).The application fails to ...

Vendor: BoidCMS
Product: BoidCMS
Published: Apr 14, 2026
Source: NVD
CVE-2026-35589 HIGH - 8.0

nanobot is a personal AI assistant. Versions prior to 0.1.5 contain a Cross-Site WebSocket Hijacking (CSWSH) vulnerability exists in the bridge's WebSocket server in bridge/src/server.ts, resulting from an incomplete remediation of CVE-2026-2577. The original fix changed the binding from 0.0.0....

Vendor: HKUDS
Product: nanobot
Published: Apr 14, 2026
Source: NVD
CVE-2026-35034 MEDIUM - 6.5

Jellyfin is an open source self hosted media server. Versions prior to 10.11.7 contain a denial of service vulnerability in the SyncPlay group creation endpoint (POST /SyncPlay/New), where an authenticated user can create groups with names of unlimited size due to insufficient input validation. By s...

Vendor: jellyfin
Product: jellyfin
Published: Apr 14, 2026
Source: NVD

Jellyfin is an open source self hosted media server. Versions prior to 10.11.7 contain an unauthenticated arbitrary file read vulnerability via ffmpeg argument injection through the StreamOptions query parameter parsing mechanism. The ParseStreamOptions method in StreamingHelpers.cs adds any lowerca...

Vendor: jellyfin
Product: jellyfin
Published: Apr 14, 2026
Source: NVD

Jellyfin is an open source self hosted media server. Versions prior to 10.11.7 contain a vulnerability chain in the LiveTV M3U tuner endpoint (POST /LiveTv/TunerHosts), where the tuner URL is not validated, allowing local file read via non-HTTP paths and Server-Side Request Forgery (SSRF) via HTTP U...

Vendor: jellyfin
Product: jellyfin
Published: Apr 14, 2026
Source: NVD
CVE-2026-35031 CRITICAL - 9.9

Jellyfin is an open source self hosted media server. Versions prior to 10.11.7 contain a vulnerability chain in the subtitle upload endpoint (POST /Videos/{itemId}/Subtitles), where the Format field is not validated, allowing path traversal via the file extension and enabling arbitrary file write. T...

Vendor: jellyfin
Product: jellyfin
Published: Apr 14, 2026
Source: NVD
CVE-2026-33023 HIGH - 7.8

libsixel is a SIXEL encoder/decoder implementation derived from kmiya's sixel. In versions 1.8.7 and prior, when built with the --with-gdk-pixbuf2 option, a use-after-free vulnerability exists in load_with_gdkpixbuf() in loader.c. The cleanup path manually frees the sixel_frame_t object and its...

Vendor: saitoha
Product: libsixel
Published: Apr 14, 2026
Source: NVD
CVE-2026-33021 HIGH - 7.3

libsixel is a SIXEL encoder/decoder implementation derived from kmiya's sixel. Versions 1.8.7 and prior contain a use-after-free vulnerability in sixel_encoder_encode_bytes() because sixel_frame_init() stores the caller-owned pixel buffer pointer directly in frame->pixels without making a de...

Vendor: saitoha
Product: libsixel
Published: Apr 14, 2026
Source: NVD
CVE-2026-27301 MEDIUM - 5.5

Adobe Framemaker versions 2022.8 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could lead to memory exposure. An attacker could leverage this vulnerability to disclose sensitive information stored in memory. Exploitation of this issue requires user interaction in that a...

Vendor: Adobe
Product: Adobe Framemaker
Published: Apr 14, 2026
Source: NVD
CVE-2026-27300 MEDIUM - 5.5

Adobe Framemaker versions 2022.8 and earlier are affected by an Access of Uninitialized Pointer vulnerability that could lead to memory exposure. An attacker could leverage this vulnerability to disclose sensitive information. Exploitation of this issue requires user interaction in that a victim mus...

Vendor: Adobe
Product: Adobe Framemaker
Published: Apr 14, 2026
Source: NVD
CVE-2026-27299 MEDIUM - 6.3

Adobe Framemaker versions 2022.8 and earlier are affected by an Improper Input Validation vulnerability that could lead to arbitrary file system read. An attacker could leverage this vulnerability to access sensitive files or data on the system. Exploitation of this issue requires user interaction i...

Vendor: Adobe
Product: Adobe Framemaker
Published: Apr 14, 2026
Source: NVD
CVE-2026-27298 HIGH - 7.8

Adobe Framemaker versions 2022.8 and earlier are affected by an Access of Resource Using Incompatible Type ('Type Confusion') vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victi...

Vendor: Adobe
Product: Adobe Framemaker
Published: Apr 14, 2026
Source: NVD
CVE-2026-27297 HIGH - 7.8

Adobe Framemaker versions 2022.8 and earlier are affected by an Integer Underflow (Wrap or Wraparound) vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Vendor: Adobe
Product: Adobe Framemaker
Published: Apr 14, 2026
Source: NVD
CVE-2026-27296 HIGH - 7.8

Adobe Framemaker versions 2022.8 and earlier are affected by an Integer Underflow (Wrap or Wraparound) vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Vendor: Adobe
Product: Adobe Framemaker
Published: Apr 14, 2026
Source: NVD