Total CVEs

145,459

Critical Severity

4,246

High Severity

15,641

Last 7 Days

2,353
Quick preset (or use dates below)
Clear Filters
📅 Showing Year: 2026 (January 1 - December 31, 2026) View All Years →
Showing 22,201 - 22,220 of 41,864 CVEs
CVE-2026-22617 MEDIUM - 5.7

Eaton Intelligent Power Protector (IPP) uses an insecure cookie configuration, which could allow a network‑based attacker to intercept the cookie and exploit it through a man‑in‑the‑middle attack. This security issue has been fixed in the latest version of Eaton IPP software which is available on th...

Vendor: Eaton
Product: IPP Software
Published: Apr 16, 2026
Source: NVD
CVE-2026-40118 MEDIUM - 6.3

UDP Console provided by Arcserve contains an incorrectly specified destination in a communication channel vulnerability. When a user configures an activation server hostname of the affected product to a dummy URL, the product may unintentionally communicate with the dummy domain, causing information...

Vendor: Arcserve
Product: UDP Console
Published: Apr 16, 2026
Source: NVD
CVE-2026-22616 MEDIUM - 6.5

Eaton Intelligent Power Protector (IPP) software allows repeated authentication attempts against the web interface login page due to insufficient rate‑limiting controls. This security issue has been fixed in the latest version of Eaton IPP which is available on the Eaton download centre.

Vendor: Eaton
Product: IPP Software
Published: Apr 16, 2026
Source: NVD
CVE-2026-22615 MEDIUM - 6.0

Due to improper input validation in one of the Eaton Intelligent Power Protector (IPP) XML, it is possible for an attacker with admin privileges and access to the local system to inject malicious code resulting in arbitrary command execution. This security issue has been fixed in the latest version ...

Vendor: Eaton
Product: IPP Software
Published: Apr 16, 2026
Source: NVD
CVE-2023-5872 MEDIUM - 4.3

In Wago Smart Designer in versions up to 2.33.1 a low privileged remote attacker may enumerate projects and usernames through iterative requests to an specific endpoint.

Published: Apr 16, 2026
Source: NVD
CVE-2023-3634 HIGH - 8.8

In products of the MSE6 product-family by Festo a remote authenticated, low privileged attacker could use functions of undocumented test mode which could lead to a complete loss of confidentiality, integrity and availability.

Published: Apr 16, 2026
Source: NVD
CVE-2026-5070 MEDIUM - 6.4

The Vantage theme for WordPress is vulnerable to Stored Cross-Site Scripting via Gallery block text content in versions up to, and including, 1.20.32 due to insufficient output escaping in the gallery template. This makes it possible for authenticated attackers, with contributor-level access and abo...

Published: Apr 16, 2026
Source: NVD
CVE-2026-4032 MEDIUM - 6.1

The CodeColorer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'class' parameter in 'cc' comment shortcode in versions up to, and including, 0.10.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated at...

Published: Apr 16, 2026
Source: NVD
CVE-2026-3878 MEDIUM - 6.4

The WP Docs plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wpdocs_options[icon_size]' parameter in all versions up to, and including, 2.2.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subsc...

Published: Apr 16, 2026
Source: NVD
CVE-2026-6351 HIGH - 7.5

MailGates/MailAudit developed by Openfind has a CRLF Injection vulnerability, allowing unauthenticated remote attackers to exploit this vulnerability to read system files.

Published: Apr 16, 2026
Source: NVD
CVE-2026-6350 CRITICAL - 9.8

MailGates/MailAudit developed by Openfind has a Stack-based Buffer Overflow vulnerability, allowing unauthenticated remote attackers to control the program's execution flow and execute arbitrary code.

Published: Apr 16, 2026
Source: NVD

The  iSherlock developed by HGiga  has an OS Command Injection vulnerability, allowing unauthenticated local attackers to inject arbitrary OS commands and execute them on the server.

Published: Apr 16, 2026
Source: NVD
CVE-2026-6348 HIGH - 8.8

WinMatrix agent developed by Simopro Technology has a Missing Authentication vulnerability, allowing authenticated local attackers to execute arbitrary code with SYSTEM privileges on the local machine as well as on all hosts within the environment where the agent is installed.

Published: Apr 16, 2026
Source: NVD
CVE-2026-41015 HIGH - 7.4

radare2 before 9236f44, when configured on UNIX without SSL, allows command injection via a PDB name to rabin2 -PP. NOTE: although users are supposed to use the latest version from git (not a release), the date range for the vulnerable code was less than a week, occurring after 6.1.2 but before 6.1....

Vendor: radare
Product: radare2
Published: Apr 16, 2026
Source: NVD
CVE-2026-3885 MEDIUM - 6.4

The WP Shortcodes Plugin — Shortcodes Ultimate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'su_box' shortcode in all versions up to, and including, 7.4.9 due to insufficient input sanitization and output escaping on user supplied attributes. This...

Published: Apr 16, 2026
Source: NVD

A Download of Code Without Integrity Check vulnerability in the update modules in ASUS Member Center(华硕大厅) allows a local user to achieve privilege escalation to Administrator via exploitation of a Time-of-check Time-of-use (TOC-TOU) during the update process, where an unexpected payload is substitu...

Published: Apr 16, 2026
Source: NVD

An Incorrect Permission Assignment for Critical Resource vulnerability in the ASUS DriverHub update process allows privilege escalation due to improper protection of required execution resources during the validation phase, permitting a local user to make unprivileged modifications. This allows the ...

Published: Apr 16, 2026
Source: NVD
CVE-2026-40962 MEDIUM - 4.9

FFmpeg before 8.1 has an integer overflow and resultant out-of-bounds write via CENC (Common Encryption) subsample data to libavformat/mov.c.

Vendor: FFMpeg
Product: FFMpeg
Published: Apr 16, 2026
Source: NVD

MuPDF mutool does not sanitize PDF metadata fields before writing them to terminal output, allowing attackers to inject arbitrary ANSI escape sequences through crafted PDF metadata. Attackers can embed malicious ANSI escape codes in PDF metadata that are passed unsanitized to the terminal when runni...

Vendor: Artifex Software Inc.
Product: MuPDF
Published: Apr 16, 2026
Source: NVD
CVE-2026-40504 CRITICAL - 9.8

Creolabs Gravity before 0.9.6 contains a heap buffer overflow vulnerability in the gravity_vm_exec function that allows attackers to write out-of-bounds memory by crafting scripts with many string literals at global scope. Attackers can exploit insufficient bounds checking in gravity_fiber_reassign(...

Vendor: marcobambini
Product: gravity
Published: Apr 16, 2026
Source: NVD