Total CVEs

142,027

Critical Severity

3,943

High Severity

14,108

Last 7 Days

1,708
Quick preset (or use dates below)
Clear Filters
๐Ÿ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years โ†’
Showing 16,141 - 16,160 of 38,432 CVEs
CVE-2026-7579 HIGH - 7.3

A security vulnerability has been detected in AstrBotDevs AstrBot up to 4.16.0. This issue affects some unknown processing of the file astrbot/dashboard/routes/auth.py of the component Dashboard. The manipulation leads to hard-coded credentials. It is possible to initiate the attack remotely. The ex...

Published: May 01, 2026
Source: NVD
CVE-2026-3772 HIGH - 8.8

The WP Editor plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.9.2. This is due to missing nonce verification in the 'add_plugins_page' and 'add_themes_page' functions. This makes it possible for unauthenticated attackers ...

Published: May 01, 2026
Source: NVD
CVE-2026-3140 MEDIUM - 4.3

The Ultimate Dashboard plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.8.14. This is due to a flawed nonce validation conditional in the 'handle_module_actions' function. This makes it possible for unauthenticated attackers to toggle...

Published: May 01, 2026
Source: NVD
CVE-2026-7578 MEDIUM - 4.7

A weakness has been identified in MacCMS Pro up to 2022.1.3. This vulnerability affects the function install of the file /admi.php/admin/addon/add.html of the component Plugin Installation Handler. Executing a manipulation can lead to unrestricted upload. The attack may be performed from remote. The...

Published: May 01, 2026
Source: NVD
CVE-2026-42779 CRITICAL - 9.8

The fix for CVE-2026-41635 was not applied to the 2.1.X and 2.2.X branches. Here was the original issue description: Apache MINA's AbstractIoBuffer.resolveClass() contains two branches, one of them (for static classes or primitive types) does not check the class at all, bypassing the...

Vendor: Apache Software Foundation
Product: Apache MINA
Published: May 01, 2026
Source: NVD
CVE-2026-42778 CRITICAL - 9.8

The fix for CVE-2026-41409 was not applied to the 2.1.X and 2.2.X branches. Here was the original issue description: The fix for CVE-2024-52046 in Apache MINA AbstractIoBuffer.getObject() was incomplete. The classname allowlist of classes allowed to be deserialized was applied too late after a s...

Vendor: Apache Software Foundation
Product: Apache MINA
Published: May 01, 2026
Source: NVD
CVE-2026-42404 MEDIUM - 6.5

Apache Neethi does not impose any restrictions on URIs when manually fetching remote policy references through the PolicyReference API. When an application explicitly calls the API to retrieve a policy from a remote URI, an outbound request is made for arbitrary protocols and internal IP adddresses....

Vendor: Apache Software Foundation
Product: Apache Neethi
Published: May 01, 2026
Source: NVD
CVE-2026-7567 CRITICAL - 9.8

The Temporary Login plugin for WordPress is vulnerable to Authentication Bypass in versions up to and including 1.0.0. This is due to improper input validation in the maybe_login_temporary_user() function, which fails to verify that the 'temp-login-token' GET parameter is a scalar string b...

Published: May 01, 2026
Source: NVD
CVE-2026-43003 HIGH - 8.0

An issue was discovered in OpenStack ironic-python-agent 1.0.0 through 11.5.0. Ironic Python Agent (IPA) sometimes executes grub-install from within a chroot of the deployed partition image, leading to code execution in the case of a malicious image.

Vendor: OpenStack
Product: ironic-python-agent
Published: May 01, 2026
Source: NVD
CVE-2026-43001 HIGH - 7.9

An issue was discovered in OpenStack Keystone 13 through 29. POST /v3/credentials did not validate that the caller-supplied project_id for an EC2-type credential matched the project of the authenticating application credential. This allowed an attacker holding an unrestricted application credential ...

Vendor: OpenStack
Product: Keystone
Published: May 01, 2026
Source: NVD
CVE-2026-42403 HIGH - 7.5

Apache Neethi does not properly detect circular references in policy definitions. When a WS-Policy document contains circular policy references (where Policy A references Policy B which references Policy A), the policy normalization process can enter an infinite loop or cause excessive recursion, le...

Vendor: Apache Software Foundation
Product: Apache Neethi
Published: May 01, 2026
Source: NVD
CVE-2026-42402 HIGH - 7.5

Apache Neethi is vulnerable to a Denial of Service attack through algorithmic complexity in policy normalization. Specially crafted WS-Policy documents can trigger an exponential Cartesian cross-product expansion during the normalization process, causing unbounded memory allocation that exhausts the...

Vendor: Apache Software Foundation
Product: Apache Neethi
Published: May 01, 2026
Source: NVD
CVE-2026-40201 MEDIUM - 5.4

@diplodoc/search-extension 1.0.0 through 3.x before 3.0.3 allows stored XSS via the title in a .md file.

Vendor: diplodoc-platform
Product: @diplodoc/search-extension
Published: May 01, 2026
Source: NVD
CVE-2026-7584 HIGH - 7.8

The LabOne Q serialization framework uses a class-loading mechanism (import_cls) to dynamically import and instantiate Python classes during deserialization. Prior to the fix, this mechanism accepted arbitrary fully-qualified class names from the serialized data without any validation of the target ...

Vendor: zhinst
Product: labone_q
Published: May 01, 2026
Source: NVD

JS8Call through 2.3.1 and JS8Call-improved before 3.0 have a stack-based buffer overflow via a radio transmission of @APRSIS GRID followed by a long Maidenhead locator. This occurs in grid2deg in APRSISClient.cpp.

Vendor: JS8Call, JS8Call-improved
Product: JS8Call, JS8Call-improved
Published: May 01, 2026
Source: NVD
CVE-2026-7555 HIGH - 7.3

A vulnerability was identified in itsourcecode Electronic Judging System 1.0. This affects an unknown part of the file /intrams/login.php. Such manipulation of the argument Username leads to sql injection. The attack can be launched remotely. The exploit is publicly available and might be used.

Published: May 01, 2026
Source: NVD
CVE-2026-7554 MEDIUM - 5.6

A vulnerability was determined in D-Link M60 up to 1.20B02. Affected by this issue is some unknown functionality of the file /usr/bin/httpd. This manipulation causes weak password recovery. The attack can be initiated remotely. A high degree of complexity is needed for the attack. The exploitation i...

Vendor: dlink
Product: m60_firmware
Published: May 01, 2026
Source: NVD
CVE-2026-6127 MEDIUM - 6.4

The Elementor Website Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the _elementor_data meta field in versions up to, and including, 4.0.4. This is due to insufficient input sanitization when processing form-encoded REST API requests. The plugin registers the _element...

Published: May 01, 2026
Source: NVD
CVE-2024-13362 MEDIUM - 6.1

Multiple plugins and/or themes for WordPress are vulnerable to Reflected Cross-Site Scripting via the url parameter in various versions due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execu...

Published: May 01, 2026
Source: NVD
CVE-2026-7553 MEDIUM - 4.7

A vulnerability was found in code-projects Gym Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /admin/edit_exercises.php. The manipulation of the argument edit_exercise results in sql injection. It is possible to launch the attack remotely. The exploit h...

Published: May 01, 2026
Source: NVD