Total CVEs

145,906

Critical Severity

4,292

High Severity

15,777

Last 7 Days

2,224
Quick preset (or use dates below)
Clear Filters
๐Ÿ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years โ†’
Showing 23,581 - 23,600 of 42,311 CVEs
CVE-2026-1116 HIGH - 8.2

A Cross-site Scripting (XSS) vulnerability was identified in the `from_dict` method of the `AppLollmsMessage` class in parisneo/lollms prior to version 2.2.0. The vulnerability arises from the lack of sanitization or HTML encoding of the `content` field when deserializing user-provided data. This al...

Vendor: lollms
Product: lollms
Published: Apr 12, 2026
Source: NVD
CVE-2026-6109 MEDIUM - 4.3

A vulnerability was determined in FoundationAgents MetaGPT up to 0.8.1. The impacted element is the function evaluateCode of the file metagpt/environment/minecraft/mineflayer/index.js of the component Mineflayer HTTP API. Executing a manipulation can lead to cross-site request forgery. The attack ma...

Vendor: pip
Product: metagpt
Published: Apr 12, 2026
Source: NVD
CVE-2026-6108 MEDIUM - 6.3

A vulnerability was found in 1Panel-dev MaxKB up to 2.6.1. The affected element is the function execute of the file apps/application/flow/step_node/mcp_node/impl/base_mcp_node.py of the component Model Context Protocol Node. Performing a manipulation results in os command injection. The attack is po...

Published: Apr 12, 2026
Source: NVD
CVE-2026-6107 LOW - 3.5

A flaw has been found in 1Panel-dev MaxKB up to 2.6.1. This issue affects some unknown processing of the file apps/common/middleware/chat_headers_middleware.py of the component ChatHeadersMiddleware. This manipulation of the argument Name causes cross site scripting. Remote exploitation of the attac...

Published: Apr 12, 2026
Source: NVD
CVE-2026-6106 LOW - 3.5

A vulnerability was detected in 1Panel-dev MaxKB up to 2.2.1. This vulnerability affects the function StaticHeadersMiddleware of the file apps/common/middleware/static_headers_middleware.py of the component Public Chat Interface. The manipulation of the argument Name results in cross site scripting....

Published: Apr 11, 2026
Source: NVD
CVE-2026-6105 HIGH - 7.3

A security vulnerability has been detected in perfree go-fastdfs-web up to 1.3.7. This affects an unknown part of the file src/main/java/com/perfree/controller/InstallController.java of the component doInstall Interface. The manipulation leads to improper authorization. The attack may be initiated r...

Published: Apr 11, 2026
Source: NVD
CVE-2026-31845 CRITICAL - 9.3

A reflected cross-site scripting (XSS) vulnerability exists in Rukovoditel CRM version 3.6.4 and earlier in the Zadarma telephony API endpoint (/api/tel/zadarma.php). The application directly reflects user-supplied input from the 'zd_echo' GET parameter into the HTTP response without prope...

Vendor: Rukovoditel
Product: Rukovoditel CRM
Published: Apr 11, 2026
Source: NVD

Improper path validation vulnerability in the Gleam compiler's handling of git dependencies allows arbitrary file system modification during dependency download. Dependency names from gleam.toml and manifest.toml are incorporated into filesystem paths without sufficient validation or confineme...

Vendor: Gleam
Product: Gleam
Published: Apr 11, 2026
Source: NVD
CVE-2026-23900 MEDIUM - 6.5

Various stored XSS vulnerabilities in the maps- and icon rendering logic in Phoca Maps component 5.0.0-6.0.2 have been discovered.

Vendor: phoca.cz
Product: phoca.cz - Phoca Maps for Joomla
Published: Apr 11, 2026
Source: NVD
CVE-2026-5809 HIGH - 7.1

The wpForo Forum plugin for WordPress is vulnerable to Arbitrary File Deletion in versions up to and including 3.0.2. This is due to a two-step logic flaw: the topic_add() and topic_edit() action handlers accept arbitrary user-supplied data[*] arrays from $_REQUEST and store them as postmeta without...

Published: Apr 11, 2026
Source: NVD
CVE-2026-34621 CRITICAL - 9.6

Acrobat Reader versions 24.001.30356, 26.001.21367 and earlier are affected by an Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this i...

Vendor: Adobe
Product: Acrobat Reader
Published: Apr 11, 2026
Source: NVD
CVE-2026-5226 MEDIUM - 6.1

The Optimole โ€“ Optimize Images in Real Time plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via URL paths in versions up to, and including, 4.2.3 This is due to insufficient output escaping on user-supplied URL paths in the get_current_url() function, which are inserted into Jav...

Published: Apr 11, 2026
Source: NVD
CVE-2026-5217 HIGH - 7.2

The Optimole โ€“ Optimize Images | Convert WebP & AVIF | CDN & Lazy Load | Image Optimization plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 4.2.2. This is due to insufficient input sanitization and output escaping on the user-supplied &...

Published: Apr 11, 2026
Source: NVD
CVE-2026-5207 MEDIUM - 6.5

The LifterLMS plugin for WordPress is vulnerable to SQL Injection via the 'order' parameter in all versions up to, and including, 9.2.1. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible ...

Published: Apr 11, 2026
Source: NVD
CVE-2026-5144 HIGH - 8.8

The BuddyPress Groupblog plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.9.3. This is due to the group blog settings handler accepting the `groupblog-blogid`, `default-member`, and `groupblog-silent-add` parameters from user input without proper aut...

Published: Apr 11, 2026
Source: NVD
CVE-2026-4979 MEDIUM - 5.0

The UsersWP โ€“ Front-end login form, User Registration, User Profile & Members Directory plugin for WP plugin for WordPress is vulnerable to blind Server-Side Request Forgery in all versions up to, and including, 1.2.58. This is due to insufficient URL origin validation in the process_image_crop(...

Published: Apr 11, 2026
Source: NVD
CVE-2026-4895 MEDIUM - 6.4

The GreenShift - Animation and Page Builder Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 12.8.9 This is due to insufficient input sanitization and output escaping in the gspb_greenShift_block_script_assets() function. The function uses st...

Published: Apr 11, 2026
Source: NVD
CVE-2026-3498 MEDIUM - 6.4

The BlockArt Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'clientId' block attribute in all versions up to, and including, 2.2.15. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, wit...

Published: Apr 11, 2026
Source: NVD
CVE-2026-3371 MEDIUM - 4.3

The Tutor LMS โ€“ eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.9.7. This is due to missing authorization checks in the `save_course_content_order()` private method, which is called unconditionally by...

Published: Apr 11, 2026
Source: NVD
CVE-2026-3358 MEDIUM - 5.4

The Tutor LMS โ€“ eLearning and online course solution plugin for WordPress is vulnerable to unauthorized private course enrollment in all versions up to, and including, 3.9.7. This is due to missing post_status validation in the `enroll_now()` and `course_enrollment()` functions. Both enrollment endp...

Published: Apr 11, 2026
Source: NVD