Total CVEs

144,294

Critical Severity

4,165

High Severity

14,995

Last 7 Days

1,580
Quick preset (or use dates below)
Clear Filters
📅 Showing Year: 2026 (January 1 - December 31, 2026) View All Years →
Showing 21,241 - 21,260 of 40,699 CVEs
CVE-2026-3642 MEDIUM - 5.3

The e-shot™ form builder plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 1.0.2. The eshot_form_builder_update_field_data() AJAX handler lacks any capability checks (current_user_can()) or nonce verification (check_ajax_referer()/wp_verify_nonce()). The...

Published: Apr 15, 2026
Source: NVD
CVE-2026-3461 CRITICAL - 9.8

The Visa Acceptance Solutions plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 2.1.0. This is due to the `express_pay_product_page_pay_for_order()` function logging users in based solely on a user-supplied billing email address during guest checkout f...

Published: Apr 15, 2026
Source: NVD
CVE-2026-1782 MEDIUM - 5.3

The MetForm Pro plugin for WordPress is vulnerable to Improper Input Validation in all versions up to, and including, 3.9.7 This is due to the payment integrations (Stripe/PayPal) trusting a user-submitted calculation field value without recomputing or validating it against the configured form pric...

Published: Apr 15, 2026
Source: NVD

HCL AION is affected by a vulnerability where certain system behaviours may allow exploration of internal filesystem structures. Exposure of such information may provide insights into the underlying environment, which could potentially aid in further targeted actions or limited information disclosur...

Vendor: HCL
Product: AION
Published: Apr 15, 2026
Source: NVD
CVE-2025-40899 HIGH - 8.9

A Stored Cross-Site Scripting vulnerability was discovered in the Assets and Nodes functionality due to improper validation of an input parameter. An authenticated user with custom fields privileges can define a malicious custom field containing a JavaScript payload. When the victim views the Assets...

Vendor: Nozomi Networks
Product: Guardian, CMC
Published: Apr 15, 2026
Source: NVD
CVE-2025-40897 HIGH - 8.1

An access control vulnerability was discovered in the Threat Intelligence functionality due to a specific access restriction not being properly enforced for users with view-only privileges. An authenticated user with view-only privileges for the Threat Intelligence functionality can perform administ...

Vendor: Nozomi Networks
Product: Guardian, CMC
Published: Apr 15, 2026
Source: NVD
CVE-2026-5088 HIGH - 7.5

Apache::API::Password versions through v0.5.2 for Perl can generate insecure random values for salts. The _make_salt and _make_salt_bcrypt methods will attept to load Crypt::URandom and then Bytes::Random::Secure to generate random bytes for the salt. If those modules are unavailable, it will simp...

Published: Apr 15, 2026
Source: NVD
CVE-2026-6293 MEDIUM - 4.3

The Inquiry Form to Posts or Pages plugin for WordPress is vulnerable to Cross-Site Request Forgery leading to Stored Cross-Site Scripting in version 1.0. This is due to missing nonce validation on the plugin settings update handler, combined with insufficient input sanitization on all user-supplied...

Published: Apr 15, 2026
Source: NVD
CVE-2026-40719 HIGH - 7.5

Deadwood in MaraDNS 3.5.0036 allows attackers to exhaust connection slots via a zone whose authoritative nameserver address cannot be resolved.

Vendor: MaraDNS
Product: MaraDNS
Published: Apr 15, 2026
Source: NVD
CVE-2026-5160 MEDIUM - 6.1

Versions of the package github.com/yuin/goldmark/renderer/html before 1.7.17 are vulnerable to Cross-site Scripting (XSS) due to improper ordering of URL validation and normalization. The renderer validates link destinations using a prefix-based check (IsDangerousURL) before resolving HTML entities....

Vendor: go
Product: github.com/yuin/goldmark/renderer/html
Published: Apr 15, 2026
Source: NVD
CVE-2026-5397 HIGH - 7.8

It has been identified that a vulnerability (CWE-427) exists in the UPS (Uninterruptible Power Supply) management application, whereby improper permissions on the installation directory allow a malicious actor to place a DLL that is then executed with administrator privileges. If a malicious DLL is...

Published: Apr 15, 2026
Source: NVD
CVE-2026-26291 MEDIUM - 5.4

Stored cross-site scripting vulnerability exists in GROWI v7.4.6 and earlier. If this vulnerability is exploited, an arbitrary script may be executed in a user's web browser.

Vendor: GROWI, Inc.
Product: GROWI
Published: Apr 15, 2026
Source: NVD

Improper input validation, Improper verification of cryptographic signature vulnerability in XQUIC Project XQUIC xquic on Linux (QUIC protocol implementation, packet processing module, STREAM frame handler modules) allows Protocol Manipulation.This issue affects XQUIC: through 1.8.3.

Published: Apr 15, 2026
Source: NVD
CVE-2026-4812 MEDIUM - 5.3

The Advanced Custom Fields (ACF) plugin for WordPress is vulnerable to Missing Authorization to Arbitrary Post/Page Disclosure in versions up to and including 6.7.0. This is due to AJAX field query endpoints accepting user-supplied filter parameters that override field-configured restrictions withou...

Published: Apr 15, 2026
Source: NVD

radare2 prior to version 6.1.4 contains a command injection vulnerability in the PDB parser's print_gvars() function that allows attackers to execute arbitrary commands by embedding a newline byte in the PE section header name field. Attackers can craft a malicious PDB file with specially craft...

Vendor: radareorg
Product: radare2
Published: Apr 15, 2026
Source: NVD

immich is a high performance self-hosted photo and video management solution. Versions prior to 2.7.3 contain an open redirect vulnerability in the shared album functionality, where the album name is inserted unsanitized into a <meta> tag in api.service.ts. A registered attacker can create a s...

Vendor: immich-app
Product: immich
Published: Apr 15, 2026
Source: NVD
CVE-2026-33806 HIGH - 7.5

Impact: Fastify applications using schema.body.content for per-content-type body validation can have validation bypassed entirely by prepending a space to the Content-Type header. The body is still parsed correctly but schema validation is skipped. This is a regression introduced in fastify >= ...

Vendor: fastify
Product: fastify
Published: Apr 15, 2026
Source: NVD
CVE-2026-2834 HIGH - 7.2

The Age Verification & Identity Verification by Token of Trust plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘description’ parameter in all versions up to, and including, 3.32.3 due to insufficient input sanitization and output escaping. This makes it possible for una...

Published: Apr 15, 2026
Source: NVD
CVE-2026-2396 MEDIUM - 4.4

The List View Google Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the event description in all versions up to, and including, 7.4.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-lev...

Published: Apr 15, 2026
Source: NVD
CVE-2026-1555 CRITICAL - 9.8

The WebStack theme for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the io_img_upload() function in all versions up to, and including, 1.2024. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server...

Published: Apr 15, 2026
Source: NVD