Total CVEs

144,202

Critical Severity

4,148

High Severity

14,963

Last 7 Days

1,660
Quick preset (or use dates below)
Clear Filters
📅 Showing Year: 2026 (January 1 - December 31, 2026) View All Years →
Showing 17,461 - 17,480 of 40,607 CVEs
CVE-2026-43076 HIGH - 7.8

In the Linux kernel, the following vulnerability has been resolved: ocfs2: validate inline data i_size during inode read When reading an inode from disk, ocfs2_validate_inode_block() performs various sanity checks but does not validate the size of inline data. If the filesystem is corrupted, an i...

Vendor: Linux
Product: Linux
Published: May 06, 2026
Source: NVD
CVE-2026-43075 HIGH - 7.8

In the Linux kernel, the following vulnerability has been resolved: ocfs2: fix out-of-bounds write in ocfs2_write_end_inline KASAN reports a use-after-free write of 4086 bytes in ocfs2_write_end_inline, called from ocfs2_write_end_nolock during a copy_file_range splice fallback on a corrupted ocfs...

Vendor: Linux
Product: Linux
Published: May 06, 2026
Source: NVD
CVE-2026-43074 HIGH - 7.8

In the Linux kernel, the following vulnerability has been resolved: eventpoll: defer struct eventpoll free to RCU grace period In certain situations, ep_free() in eventpoll.c will kfree the epi->ep eventpoll struct while it still being used by another concurrent thread. Defer the kfree() to an ...

Vendor: Linux
Product: Linux
Published: May 06, 2026
Source: NVD
CVE-2026-42509 MEDIUM - 6.1

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache Wicket. This issue affects Apache Wicket: from 8.0.0 through 8.17.0, 9.0.0, from 10.0.0 through 10.8.0. Users are recommended to upgrade to version 10.9.0, which fixes the issue.

Vendor: Apache Software Foundation
Product: Apache Wicket
Published: May 06, 2026
Source: NVD
CVE-2026-40010 CRITICAL - 9.1

Missing invocation of Servlet http web request method changeSessionId after session binding can be exploited for a session fixation attack in Apache Wicket. This issue affects Apache Wicket: from 8.0.0 through 8.17.0, 9.0.0, from 10.0.0 through 10.8.0. Users are recommended to upgrade to version 1...

Vendor: Apache Software Foundation
Product: Apache Wicket
Published: May 06, 2026
Source: NVD
CVE-2026-40001 MEDIUM - 5.2

There is a local privilege escalation vulnerability in the ZTE PROCESS Guard service of the cloud computer client, which may allow local arbitrary code execution, privilege escalation and path traversal bypass.

Vendor: ZTE
Product: ZTE PROCESS Guard service
Published: May 06, 2026
Source: NVD
CVE-2026-35255 MEDIUM - 6.6

Vulnerability in the Oracle Cloud Native Environment Command Line Interface product of Oracle Open Source Projects. The supported versions that is affected is v2.3.2. Easily exploitable vulnerability allows unauthenticated attacker to compromise Oracle Cloud Native Environment Command Line Interface...

Vendor: Oracle Corporation
Product: Oracle Cloud Native Environment Command Line Interface
Published: May 06, 2026
Source: NVD
CVE-2026-1719 HIGH - 7.5

The Gravity Bookings Premium plugin for WordPress is vulnerable to SQL Injection in all versions up to, and including, 2.5.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers ...

Published: May 06, 2026
Source: NVD
CVE-2026-7841 HIGH - 8.8

A remote code execution vulnerability exists in Notification Settings on GeoVision GV-ASWeb 6.2.0. An authenticated user with System Setting permissions can execute arbitrary commands on the server by sending a crafted HTTP POST request to the ASWebCommon.srf backend endpoint to bypass the frontend ...

Published: May 06, 2026
Source: NVD
CVE-2026-7457 MEDIUM - 6.4

The LatePoint plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to and including 5.5.0. This is due to insufficient input sanitization on the customer cabinet profile update endpoint — where raw POST parameters (first_name, last_name, phone, notes) bypass sanitizat...

Published: May 06, 2026
Source: NVD
CVE-2026-7448 HIGH - 7.2

The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'first_name' parameter in all versions up to, and including, 5.5.0 due to insufficient input sanitization and output escaping. This makes it possibl...

Published: May 06, 2026
Source: NVD
CVE-2026-7332 HIGH - 7.2

The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'booking_form_page_url' parameter in all versions up to, and including, 5.5.0 due to insufficient input sanitization and output escaping. This makes...

Published: May 06, 2026
Source: NVD
CVE-2026-6672 MEDIUM - 6.4

The Affiliate Program Suite — SliceWP Affiliates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcode attributes in all versions up to, and including, 1.2.7. This is due to insufficient input sanitization and output escaping on user-supplied attributes in the 'slicewp...

Published: May 06, 2026
Source: NVD
CVE-2026-6344 MEDIUM - 4.9

The Fluent Forms plugin for WordPress is vulnerable to Arbitrary File Read in versions up to and including 6.2.1. This is due to insufficient path validation in the getAttachments() method of EmailNotificationActions, which resolves attacker-supplied file-upload URLs into filesystem paths without ve...

Published: May 06, 2026
Source: NVD
CVE-2026-35254 MEDIUM - 6.1

Vulnerability in the Oracle OCI CLI product of Oracle Open Source Projects. The supported versions that is affected is 3.77. Easily exploitable vulnerability allows unauthenticated attacker with network access to compromise Oracle OCI CLI. Successful attacks of this vulnerability can result in Oracl...

Vendor: Oracle Corporation
Product: Oracle OCI CLI of Oracle Open Source Projects
Published: May 06, 2026
Source: NVD
CVE-2026-35253 MEDIUM - 4.7

Vulnerability in the Oracle Macoron Tool product of Oracle Open Source Projects. The supported versions that is affected is v0.22.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Macaron Tool. Successful attacks of this vulnerabili...

Vendor: Oracle Corporation
Product: Oracle Macaron Tool of Oracle Open Source Projects
Published: May 06, 2026
Source: NVD

The Item history widget (in Zabbix 7.0+) or the Plain text widget (in Zabbix 6.0) can execute injected JavaScript when HTML display is enabled. This can allow an attacker to perform unauthorized actions depending on which user opens a dashboard containing these widgets. The malicious JavaScript woul...

Vendor: Zabbix
Product: Zabbix
Published: May 06, 2026
Source: NVD

A user able to connect to Agent 2 can inject an Oracle TNS connection string via the 'service' parameter. This can lead to Agent 2 connecting to an attacker-controlled server and leaking Oracle database credentials if they are saved in a named session.

Vendor: Zabbix
Product: Zabbix
Published: May 06, 2026
Source: NVD

An authenticated (non-super) administrator can create a maintenance period with a JavaScript payload that is executed by any user that opens tooltip for that maintenance period in the Host navigator widget. This can allow the attacker to perform unauthorized actions depending on which user opens the...

Vendor: Zabbix
Product: Zabbix
Published: May 06, 2026
Source: NVD
CVE-2026-2306 MEDIUM - 4.3

The Ninja Tables – Easy Data Table Builder plugin for WordPress is vulnerable to unauthorized database table creation due to missing authorization checks on the `createFluentCartTable` function in all versions up to, and including, 5.2.6. This makes it possible for authenticated attackers, with Subs...

Published: May 06, 2026
Source: NVD