Total CVEs: 141,249
Critical Severity: 3,795
High Severity: 13,708
Last 7 Days: 2,307
Showing Year: 2026 (January 1 - December 31, 2026)
Showing 7,901 - 7,920 of 13,819 CVEs
CVE-2026-3831 MEDIUM - 4.3

The Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the entries_shortcode() function in all versions up to, and including, 1.4.9. This makes it possible for authenticated attackers, with Cont...

Published: Apr 01, 2026
Source: NVD
CVE-2026-3778 MEDIUM - 6.2

The application does not detect or guard against cyclic PDF object references while handling JavaScript in PDF. When pages and annotations are crafted that reference each other in a loop, passing the document to APIs (e.g., SOAP) that perform deep traversal can cause uncontrolled recursion, stack ex...

Published: Apr 01, 2026
Source: NVD
CVE-2026-3777 MEDIUM - 5.5

The application does not properly validate the lifetime and validity of internal view cache pointers after JavaScript changes the document zoom and page state. When a script modifies the zoom property and then triggers a page change, the original view object may be destroyed while stale pointers are...

Published: Apr 01, 2026
Source: NVD
CVE-2026-3776 MEDIUM - 5.5

The application does not validate the presence of required appearance (AP) data before accessing stamp annotation resources. When a PDF contains a stamp annotation missing its AP entry, the code continues to dereference the associated object without a prior null or validity check, which allows a cra...

Published: Apr 01, 2026
Source: NVD
CVE-2026-3774 MEDIUM - 4.7

The application allows PDF JavaScript and document/print actions (such as WillPrint/DidPrint) to update form fields, annotations, or optional content groups (OCGs) immediately before or after redaction, encryption, or printing. These script-driven updates are not fully covered by the existing redact...

Published: Apr 01, 2026
Source: NVD
CVE-2026-5248 MEDIUM - 6.3

A vulnerability has been found in gougucms 4.08.18. This affects the function reg_submit of the file gougucms-master\app\home\controller\Login.php of the component User Registration Handler. Such manipulation of the argument level leads to dynamically-determined object attributes. The attack may be ...

Published: Apr 01, 2026
Source: NVD
CVE-2026-35057 MEDIUM - 6.4

XenForo before 2.3.10 and before 2.2.19 is vulnerable to stored cross-site scripting (XSS) in structured text mentions, primarily affecting legacy profile post content. An attacker can inject malicious scripts through crafted mentions that are stored and executed when other users view the content.

Vendor: XenForo
Product: XenForo
Published: Apr 01, 2026
Source: NVD
CVE-2026-35055 MEDIUM - 6.1

XenForo before 2.3.9 and before 2.2.18 is vulnerable to cross-site scripting (XSS) related to lightbox usage in posts. An attacker can inject malicious scripts that execute when users interact with post content displayed in the lightbox.

Vendor: XenForo
Product: XenForo
Published: Apr 01, 2026
Source: NVD
CVE-2026-35054 MEDIUM - 6.4

XenForo before 2.3.9 is vulnerable to stored cross-site scripting (XSS) related to BB code rendering. An attacker can inject malicious scripts through BB code that are stored and executed when other users view the content.

Vendor: XenForo
Product: XenForo
Published: Apr 01, 2026
Source: NVD
CVE-2025-71280 MEDIUM - 6.2

XenForo before 2.3.7 allows information disclosure via local account page caching on shared systems. On systems where multiple users share a browser or machine, cached account pages could expose sensitive user information to other local users.

Vendor: XenForo
Product: XenForo
Published: Apr 01, 2026
Source: NVD
CVE-2024-58342 MEDIUM - 6.3

XenForo before 2.2.17 and 2.3.1 allows open redirect via a specially crafted URL. The getDynamicRedirect() function does not adequately validate the redirect target, allowing attackers to redirect users to arbitrary external sites using crafted URLs containing newlines, user credentials, or host mis...

Vendor: XenForo
Product: XenForo
Published: Apr 01, 2026
Source: NVD
CVE-2026-5240 MEDIUM - 4.3

A security vulnerability has been detected in code-projects BloodBank Managing System 1.0. This affects an unknown part of the file /admin_state.php. The manipulation of the argument statename leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclos...

Published: Apr 01, 2026
Source: NVD
CVE-2026-4668 MEDIUM - 6.5

The Booking for Appointments and Events Calendar - Amelia plugin for WordPress is vulnerable to SQL Injection via the `sort` parameter in the payments listing endpoint in all versions up to, and including, 2.1.2. This is due to insufficient escaping on the user-supplied `sort` parameter and lack of ...

Published: Apr 01, 2026
Source: NVD
CVE-2026-34531 MEDIUM - 6.5

Flask-HTTPAuth provides Basic, Digest and Token HTTP authentication for Flask routes. Prior to version 4.8.1, in a situation where the client makes a request to a token protected resource without passing a token, or passing an empty token, Flask-HTTPAuth would invoke the application's token ver...

Vendor: pip
Product: Flask-HTTPAuth
Published: Mar 31, 2026
Source: GitHub
CVE-2026-34530 MEDIUM - 6.9

File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to version 2.62.2, the SPA index page in File Browser is vulnerable to Stored Cross-Site Scripting (XSS) via admin-controlled branding fields. An admin who s...

Vendor: go
Product: github.com/filebrowser/filebrowser/v2
Published: Mar 31, 2026
Source: GitHub
CVE-2026-5236 MEDIUM - 5.3

A vulnerability was identified in Axiomatic Bento4 up to 1.6.0-641. Affected is the function AP4_BitReader::SkipBits of the file Ap4Dac4Atom.cpp of the component DSI v1 Parser. Such manipulation of the argument n_presentations leads to heap-based buffer overflow. The attack needs to be performed loc...

Published: Mar 31, 2026
Source: NVD
CVE-2026-5235 MEDIUM - 5.3

A vulnerability was determined in Axiomatic Bento4 up to 1.6.0-641. This impacts the function AP4_BitReader::ReadCache of the file Ap4Dac4Atom.cpp of the component MP4 File Parser. This manipulation causes heap-based buffer overflow. The attack needs to be launched locally. The exploit has been publ...

Published: Mar 31, 2026
Source: NVD
CVE-2026-34556 MEDIUM - 6.2

iccDEV provides a set of libraries and tools for working with ICC color management profiles. Prior to version 2.3.1.6, there is a heap-buffer-overflow (HBO) in icAnsiToUtf8() in the XML conversion path. The issue is triggered by a crafted ICC profile which causes icAnsiToUtf8(std::string&, char ...

Vendor: InternationalColorConsortium
Product: iccDEV
Published: Mar 31, 2026
Source: NVD
CVE-2026-34555 MEDIUM - 6.2

iccDEV provides a set of libraries and tools for working with ICC color management profiles. Prior to version 2.3.1.6, there is a stack-buffer-overflow (SBO) in CIccTagFixedNum<>::GetValues() and a related bug chain. The primary crash is an AddressSanitizer-reported WRITE of size 4 that overfl...

Vendor: InternationalColorConsortium
Product: iccDEV
Published: Mar 31, 2026
Source: NVD
CVE-2026-34554 MEDIUM - 6.2

iccDEV provides a set of libraries and tools for working with ICC color management profiles. Prior to version 2.3.1.6, a heap-buffer-overflow (HBO) in CIccApplyCmmSearch::costFunc() can be triggered via malformed JSON configuration input to the iccApplySearch tool. AddressSanitizer reports an out-of...

Vendor: InternationalColorConsortium
Product: iccDEV
Published: Mar 31, 2026
Source: NVD