Total CVEs

145,459

Critical Severity

4,246

High Severity

15,641

Last 7 Days

2,350
Quick preset (or use dates below)
Clear Filters
πŸ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years β†’
Showing 22,221 - 22,240 of 41,864 CVEs
CVE-2026-3299 MEDIUM - 6.4

The WP YouTube Lyte plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'lyte' shortcode in all versions up to, and including, 1.7.29 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authe...

Published: Apr 16, 2026
Source: NVD
CVE-2026-40353 MEDIUM - 5.4

wger is a free, open-source workout and fitness manager. In versions 2.5 and below, the attribution_link property in AbstractLicenseModel constructs HTML by directly interpolating user-controlled license fields (such as license_author) without escaping, and templates render the result using Django&#...

Vendor: pip
Product: wger
Published: Apr 16, 2026
Source: GitHub
CVE-2026-40474 HIGH - 7.6

wger is a free, open-source workout and fitness manager. In versions 2.5 and below, the GymConfigUpdateView declares permission_required = 'config.change_gymconfig' but inherits WgerFormMixin instead of WgerPermissionMixin, so the permission is never enforced at runtime. Since GymConfig is...

Vendor: pip
Product: wger
Published: Apr 16, 2026
Source: GitHub
CVE-2026-40594 MEDIUM - 4.8

pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev98, the set_session_cookie_secure before_request handler in src/pyload/webui/app/__init__.py reads the X-Forwarded-Proto header from any HTTP request without validating that the request originates from a trusted...

Vendor: pip
Product: pyload-ng
Published: Apr 16, 2026
Source: GitHub
CVE-2026-40960 HIGH - 8.1

Luanti 5 before 5.15.2 sometimes allows unintended access to an insecure environment. If at least one mod is listed as secure.trusted_mods or secure.http_mods, then a crafted mod can intercept the request for the insecure environment or HTTP API, and also receive access to it.

Vendor: Luanti
Product: Luanti
Published: Apr 16, 2026
Source: NVD
CVE-2026-40959 CRITICAL - 9.3

Luanti 5 before 5.15.2, when LuaJIT is used, allows a Lua sandbox escape via a crafted mod.

Vendor: Luanti
Product: Luanti
Published: Apr 16, 2026
Source: NVD
CVE-2026-40503 MEDIUM - 6.5

OpenHarness prior to commit dd1d235 contains a path traversal vulnerability that allows remote gateway users with chat access to read arbitrary files by supplying path traversal sequences to the /memory show slash command. Attackers can manipulate the path input parameter to escape the project memor...

Vendor: HKUDS
Product: OpenHarness
Published: Apr 16, 2026
Source: NVD
CVE-2026-40502 HIGH - 8.8

OpenHarness prior to commit dd1d235 contains a command injection vulnerability that allows remote gateway users with chat access to invoke sensitive administrative commands by exploiting insufficient distinction between local-only and remote-safe commands in the gateway handler. Attackers can execut...

Vendor: HKUDS
Product: OpenHarness
Published: Apr 16, 2026
Source: NVD
CVE-2026-32179 CRITICAL - 9.8

MsQuic has a Remote Elevation of Privilege Vulnerability

Vendor: nuget
Product: Microsoft.Native.Quic.MsQuic.OpenSSL
Published: Apr 16, 2026
Source: GitHub

Inadequate Encryption Strength vulnerability in TP-Link Archer C7 v5 and v5.8 (uhttpd modules) allows Password Recovery Exploitation.Β The web interface encrypts the admin password client-side using RSA-1024 before sending it to the router during login.Β  An adjacent attacker with the ability to inter...

Published: Apr 16, 2026
Source: NVD
CVE-2026-4880 CRITICAL - 9.8

The Barcode Scanner (+Mobile App) – Inventory manager, Order fulfillment system, POS (Point of Sale) plugin for WordPress is vulnerable to privilege escalation via insecure token-based authentication in all versions up to, and including, 1.11.0. This is due to the plugin trusting a user-supplied Bas...

Published: Apr 16, 2026
Source: NVD

Yubico libfido2 before 1.17.0, python-fido2 before 2.2.0, and yubikey-manager before 5.9.1 have an unintended DLL search path.

Vendor: Yubico
Product: libfido2, python-fido2, yubikey-manager
Published: Apr 16, 2026
Source: NVD
CVE-2026-4949 MEDIUM - 4.3

The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 4.16.12. This is due to the 'process_checkout' function not proper...

Published: Apr 15, 2026
Source: NVD
CVE-2026-40316 HIGH - 8.8

OWASP BLT is a QA testing and vulnerability disclosure platform that encompasses websites, apps, git repositories, and more. Versions prior to 2.1.1 contain an RCE vulnerability in the .github/workflows/regenerate-migrations.yml workflow. The workflow uses the pull_request_target trigger to run with...

Vendor: OWASP-BLT
Product: BLT
Published: Apr 15, 2026
Source: NVD
CVE-2026-39350 MEDIUM - 5.4

Istio is an open platform to connect, manage, and secure microservices. In versions 1.25.0 through 1.27.8, 1.28.0 through 1.28.5, 1.29.0, and 1.29.1, the serviceAccounts and notServiceAccounts fields in AuthorizationPolicy incorrectly interpret dots (.) as a regular expression matcher. Because . is ...

Vendor: istio
Product: istio
Published: Apr 15, 2026
Source: NVD
CVE-2026-6388 CRITICAL - 9.1

A flaw was found in ArgoCD Image Updater. This vulnerability allows an attacker, with permissions to create or modify an ImageUpdater resource in a multi-tenant environment, to bypass namespace boundaries. By exploiting insufficient validation, the attacker can trigger unauthorized image updates on ...

Published: Apr 15, 2026
Source: NVD
CVE-2026-40500 MEDIUM - 6.8

ProcessWire CMS version 3.0.255 and prior contain a server-side request forgery vulnerability in the admin panel's 'Add Module From URL' feature that allows authenticated administrators to supply arbitrary URLs to the module download parameter, causing the server to issue outbound HTT...

Vendor: processwire
Product: processwire
Published: Apr 15, 2026
Source: NVD

Pega Platform versions 8.1.0 through 25.1.1 are affected by a Stored Cross-Site Scripting vulnerability in a user interface component. Requires a high privileged user with a developer role.

Published: Apr 15, 2026
Source: NVD

Pega Platform versions 8.1.0 through 25.1.1 are affected by an HTML Injection vulnerability in a user interface component. Requires a high privileged user with a developer role.

Published: Apr 15, 2026
Source: NVD

Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. Reason: This candidate was issued in error. Notes: All references and descriptions in this candidate have been removed to prevent accidental usage.

Published: Apr 15, 2026
Source: NVD