Total CVEs

144,730

Critical Severity

4,194

High Severity

15,272

Last 7 Days

1,790
Quick preset (or use dates below)
Clear Filters
📅 Showing Year: 2026 (January 1 - December 31, 2026) View All Years →
Showing 21,681 - 21,700 of 41,135 CVEs
CVE-2025-40899 HIGH - 8.9

A Stored Cross-Site Scripting vulnerability was discovered in the Assets and Nodes functionality due to improper validation of an input parameter. An authenticated user with custom fields privileges can define a malicious custom field containing a JavaScript payload. When the victim views the Assets...

Vendor: Nozomi Networks
Product: Guardian, CMC
Published: Apr 15, 2026
Source: NVD
CVE-2025-40897 HIGH - 8.1

An access control vulnerability was discovered in the Threat Intelligence functionality due to a specific access restriction not being properly enforced for users with view-only privileges. An authenticated user with view-only privileges for the Threat Intelligence functionality can perform administ...

Vendor: Nozomi Networks
Product: Guardian, CMC
Published: Apr 15, 2026
Source: NVD
CVE-2026-5088 HIGH - 7.5

Apache::API::Password versions through v0.5.2 for Perl can generate insecure random values for salts. The _make_salt and _make_salt_bcrypt methods will attept to load Crypt::URandom and then Bytes::Random::Secure to generate random bytes for the salt. If those modules are unavailable, it will simp...

Published: Apr 15, 2026
Source: NVD
CVE-2026-6293 MEDIUM - 4.3

The Inquiry Form to Posts or Pages plugin for WordPress is vulnerable to Cross-Site Request Forgery leading to Stored Cross-Site Scripting in version 1.0. This is due to missing nonce validation on the plugin settings update handler, combined with insufficient input sanitization on all user-supplied...

Published: Apr 15, 2026
Source: NVD
CVE-2026-40719 HIGH - 7.5

Deadwood in MaraDNS 3.5.0036 allows attackers to exhaust connection slots via a zone whose authoritative nameserver address cannot be resolved.

Vendor: MaraDNS
Product: MaraDNS
Published: Apr 15, 2026
Source: NVD
CVE-2026-5160 MEDIUM - 6.1

Versions of the package github.com/yuin/goldmark/renderer/html before 1.7.17 are vulnerable to Cross-site Scripting (XSS) due to improper ordering of URL validation and normalization. The renderer validates link destinations using a prefix-based check (IsDangerousURL) before resolving HTML entities....

Vendor: go
Product: github.com/yuin/goldmark/renderer/html
Published: Apr 15, 2026
Source: NVD
CVE-2026-5397 HIGH - 7.8

It has been identified that a vulnerability (CWE-427) exists in the UPS (Uninterruptible Power Supply) management application, whereby improper permissions on the installation directory allow a malicious actor to place a DLL that is then executed with administrator privileges. If a malicious DLL is...

Published: Apr 15, 2026
Source: NVD
CVE-2026-26291 MEDIUM - 5.4

Stored cross-site scripting vulnerability exists in GROWI v7.4.6 and earlier. If this vulnerability is exploited, an arbitrary script may be executed in a user's web browser.

Vendor: GROWI, Inc.
Product: GROWI
Published: Apr 15, 2026
Source: NVD

Improper input validation, Improper verification of cryptographic signature vulnerability in XQUIC Project XQUIC xquic on Linux (QUIC protocol implementation, packet processing module, STREAM frame handler modules) allows Protocol Manipulation.This issue affects XQUIC: through 1.8.3.

Published: Apr 15, 2026
Source: NVD
CVE-2026-4812 MEDIUM - 5.3

The Advanced Custom Fields (ACF) plugin for WordPress is vulnerable to Missing Authorization to Arbitrary Post/Page Disclosure in versions up to and including 6.7.0. This is due to AJAX field query endpoints accepting user-supplied filter parameters that override field-configured restrictions withou...

Published: Apr 15, 2026
Source: NVD

radare2 prior to version 6.1.4 contains a command injection vulnerability in the PDB parser's print_gvars() function that allows attackers to execute arbitrary commands by embedding a newline byte in the PE section header name field. Attackers can craft a malicious PDB file with specially craft...

Vendor: radareorg
Product: radare2
Published: Apr 15, 2026
Source: NVD

immich is a high performance self-hosted photo and video management solution. Versions prior to 2.7.3 contain an open redirect vulnerability in the shared album functionality, where the album name is inserted unsanitized into a <meta> tag in api.service.ts. A registered attacker can create a s...

Vendor: immich-app
Product: immich
Published: Apr 15, 2026
Source: NVD
CVE-2026-33806 HIGH - 7.5

Impact: Fastify applications using schema.body.content for per-content-type body validation can have validation bypassed entirely by prepending a space to the Content-Type header. The body is still parsed correctly but schema validation is skipped. This is a regression introduced in fastify >= ...

Vendor: fastify
Product: fastify
Published: Apr 15, 2026
Source: NVD
CVE-2026-2834 HIGH - 7.2

The Age Verification & Identity Verification by Token of Trust plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘description’ parameter in all versions up to, and including, 3.32.3 due to insufficient input sanitization and output escaping. This makes it possible for una...

Published: Apr 15, 2026
Source: NVD
CVE-2026-2396 MEDIUM - 4.4

The List View Google Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the event description in all versions up to, and including, 7.4.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-lev...

Published: Apr 15, 2026
Source: NVD
CVE-2026-1555 CRITICAL - 9.8

The WebStack theme for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the io_img_upload() function in all versions up to, and including, 1.2024. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server...

Published: Apr 15, 2026
Source: NVD
CVE-2026-1541 MEDIUM - 4.3

The Avada (Fusion) Builder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.15.1. This is due to the plugin's `fusion_get_post_custom_field()` function failing to validate whether metadata keys are protected (underscore-prefixed). This...

Published: Apr 15, 2026
Source: NVD
CVE-2026-1509 MEDIUM - 5.4

The Avada (Fusion) Builder plugin for WordPress is vulnerable to Arbitrary WordPress Action Execution in all versions up to, and including, 3.15.1. This is due to the plugin's `output_action_hook()` function accepting user-controlled input to trigger any registered WordPress action hook without...

Published: Apr 15, 2026
Source: NVD
CVE-2026-1314 MEDIUM - 5.3

The 3D FlipBook – PDF Embedder, PDF Flipbook Viewer, Flipbook Image Gallery plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the send_post_pages_json() function in all versions up to, and including, 1.16.17. This makes it possible for unauthentic...

Published: Apr 15, 2026
Source: NVD
CVE-2025-54550 HIGH - 8.1

The example example_xcom that was included in airflow documentation implemented unsafe pattern of reading value from xcom in the way that could be exploited to allow UI user who had access to modify XComs to perform arbitrary execution of code on the worker. Since the UI users are already highly tru...

Vendor: Apache Software Foundation
Product: Apache Airflow
Published: Apr 15, 2026
Source: NVD