Total CVEs

145,577

Critical Severity

4,257

High Severity

15,676

Last 7 Days

2,317
Quick preset (or use dates below)
Clear Filters
๐Ÿ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years โ†’
Showing 22,501 - 22,520 of 41,982 CVEs

@fastify/reply-from v12.6.1 and earlier and @fastify/http-proxy v11.4.3 and earlier process the client's Connection header after the proxy has added its own headers via rewriteRequestHeaders. This allows attackers to retroactively strip proxy-added headers from upstream requests by listing them...

Vendor: @fastify/reply-from
Product: @fastify/reply-from, @fastify/http-proxy
Published: Apr 15, 2026
Source: NVD
CVE-2026-30778 HIGH - 7.5

The SkyWalking OAP /debugging/config/dump endpoint may leak sensitive configuration information of MySQL/PostgreSQL. This issue affects Apache SkyWalking: from 9.7.0 through 10.3.0. Users are recommended to upgrade to version 10.4.0, which fixes the issue.

Vendor: Apache Software Foundation
Product: Apache SkyWalking
Published: Apr 15, 2026
Source: NVD
CVE-2026-28741 MEDIUM - 6.8

Mattermost versions 10.11.x <= 10.11.12, 11.5.x <= 11.5.0, 11.4.x <= 11.4.2, 11.3.x <= 11.3.2 fail to validate CSRF tokens on an authentication endpoint which allows an attacker to update a user's authentication method via a CSRF attack by tricking a user into visiting a malicious p...

Vendor: Mattermost
Product: Mattermost
Published: Apr 15, 2026
Source: NVD

Mattermost versions 10.11.x <= 10.11.12 fail to validate whether users were correctly owned by the correct Connected Workspace which allows a malicious remote server connected using the Conntexted Workspaces feature to change the displayed status of local users via the Connected Workspaces API.. ...

Vendor: Mattermost
Product: Mattermost
Published: Apr 15, 2026
Source: NVD

Covert timing channel vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA core on all (core modules). Non-constant time comparisons risk private key leakage in FrodoKEM. This issue affects BC-JAVA: from 2.17.3 before 1.84.

Published: Apr 15, 2026
Source: NVD

Use of a Broken or Risky Cryptographic Algorithm vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcpkix on all (pkix modules), Legion of the Bouncy Castle Inc. BCPKIX-FIPS bcpkix on All (pkix modules). This vulnerability is associated with program files JcaContentVerifierProviderBuilder.Ja...

Published: Apr 15, 2026
Source: NVD

Allocation of resources without limits or throttling, Uncontrolled Resource Consumption vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcpg on all (pg modules). This vulnerability is associated with program files AEADEncDataPacket.Java, BcAEADUtil.Java, JceAEADUtil.Java, OperatorHelper.Ja...

Vendor: maven
Product: org.bouncycastle:bcpg-jdk12
Published: Apr 15, 2026
Source: NVD

Impact@fastify/express v4.0.4 and earlier fails to normalize URLs before passing them to Express middleware when Fastify router normalization options are enabled. This allows complete bypass of path-scoped authentication middleware via duplicate slashes when ignoreDuplicateSlashes is enabled, or via...

Vendor: fastify
Product: @fastify/express
Published: Apr 15, 2026
Source: NVD
CVE-2026-33807 CRITICAL - 9.1

@fastify/express v4.0.4 and earlier contains a path handling bug in the onRegister function that causes middleware paths to be doubled when inherited by child plugins. When a child plugin is registered with a prefix that matches a middleware path, the middleware path is prefixed a second time, causi...

Vendor: fastify
Product: @fastify/express
Published: Apr 15, 2026
Source: NVD

Improper neutralization of special elements used in an LDAP query ('LDAP injection') vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcprov on all (prov modules). This vulnerability is associated with program files LDAPStoreHelper. This issue affects BC-JAVA: from 1.74 before 1....

Vendor: maven
Product: org.bouncycastle:bcprov-jdk14
Published: Apr 15, 2026
Source: NVD

Use of a Broken or Risky Cryptographic Algorithm vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcprov on all (core modules). This vulnerability is associated with program files G3413CTRBlockCipher. GOSTCTR implementation unable to process more than 255 blocks correctly. This issue aff...

Vendor: Legion of the Bouncy Castle Inc.
Product: BC-JAVA
Published: Apr 15, 2026
Source: NVD
CVE-2024-33618 HIGH - 7.5

Uncontrolled Resource Consumption in Bosch VMS Central Server in Bosch VMS 12.0.1 allows attackers to consume excessive amounts of disk space via network interface.

Vendor: Bosch
Product: BVMS, BVMS Viewer, Bosch DIVAR IP all-in-one 7000 R3, Bosch DIVAR IP 7000 R2, Bosch DIVAR IP all-in-one 5000, Bosch DIVAR IP all-in-one 7000, DIVAR IP all-in-one 4000, DIVAR IP all-in-one 6000
Published: Apr 15, 2026
Source: NVD
CVE-2026-5717 MEDIUM - 6.4

The VI: Include Post By plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'class_container' attribute of the 'include-post-by-cat' shortcode in all versions up to, and including, 0.4.200706 due to insufficient input sanitization and output escaping on user...

Published: Apr 15, 2026
Source: NVD
CVE-2026-5694 HIGH - 7.2

The Quick Interest Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'loan-amount' and 'loan-period' parameters in all versions up to, and including, 3.1.5 due to insufficient input sanitization and output escaping. This makes it possible for unauth...

Published: Apr 15, 2026
Source: NVD
CVE-2026-5617 HIGH - 8.8

The Login as User plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.0.3. This is due to the handle_return_to_admin() function trusting a client-controlled cookie (oclaup_original_admin) to determine which user to authenticate as, without any server-si...

Published: Apr 15, 2026
Source: NVD
CVE-2026-4091 MEDIUM - 6.1

The OPEN-BRAIN plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.5.0. This is due to missing nonce verification on the settings form in the func_page_main() function. This makes it possible for unauthenticated attackers to inject malicious web s...

Published: Apr 15, 2026
Source: NVD
CVE-2026-4011 MEDIUM - 6.4

The Power Charts Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' parameter of the [pc] shortcode in all versions up to, and including, 0.1.0. This is due to insufficient input sanitization and output escaping on the 'id' shortcode attribute. Sp...

Published: Apr 15, 2026
Source: NVD
CVE-2026-4005 MEDIUM - 6.4

The Coachific Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'userhash' shortcode attribute in all versions up to and including 1.0. This is due to insufficient input sanitization and output escaping. The plugin uses sanitize_text_field() on the 'u...

Published: Apr 15, 2026
Source: NVD
CVE-2026-4002 MEDIUM - 4.3

The Petje.af plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 2.1.8. This is due to missing nonce validation in the ajax_revoke_token() function which handles the 'petjeaf_disconnect' AJAX action. The function performs destructive operati...

Published: Apr 15, 2026
Source: NVD
CVE-2026-3998 MEDIUM - 6.4

The WM JqMath plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'style' shortcode attribute of the [jqmath] shortcode in all versions up to and including 1.3. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes. T...

Published: Apr 15, 2026
Source: NVD