Total CVEs

142,750

Critical Severity

4,026

High Severity

14,425

Last 7 Days

1,421
Quick preset (or use dates below)
Clear Filters
šŸ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years →
Showing 19,041 - 19,060 of 39,155 CVEs
CVE-2026-6248 HIGH - 8.1

The wpForo Forum plugin for WordPress is vulnerable to Arbitrary File Deletion in versions up to and including 3.0.5. This is due to two compounding flaws: the Members::update() method does not validate or restrict the value of file-type custom profile fields, allowing authenticated users to store a...

Published: Apr 20, 2026
Source: NVD
CVE-2026-6060 MEDIUM - 4.5

A vulnerability in the SQL Box in the admin interface of OTRS leads to an uncontrolled resource consumption leading to a DoS against the webserver. will be killed by the systemThis issue affects OTRS:Ā  * 7.0.X * 8.0.X * 2023.X * 2024.X * 2025.X * 2026.X before 2026.3.X

Published: Apr 20, 2026
Source: NVD

Rejected reason: This CVE id was assigned as a duplicate of CVE-2025-66414.

Published: Apr 20, 2026
Source: NVD
CVE-2026-41389 MEDIUM - 5.8

OpenClaw versions 2026.4.7 before 2026.4.15 fail to enforce local-root containment on tool-result media paths, allowing arbitrary local and UNC file access. Attackers can craft malicious tool-result media references to trigger host-side file reads or Windows network path access, potentially disclosi...

Vendor: OpenClaw
Product: OpenClaw
Published: Apr 20, 2026
Source: NVD
CVE-2026-39112 MEDIUM - 5.4

Cross Site Scripting vulnerability in Apartment Visitors Management System Apartment Visitors Management System V1.1 in the visname parameter of visitors-form.php. An authenticated attacker can inject arbitrary JavaScript that is later executed when the malicious input is viewed in manage-newvisitor...

Published: Apr 20, 2026
Source: NVD
CVE-2026-39111 HIGH - 7.5

SQL Injection vulnerability in Apartment Visitors Management System Apartment Visitors Management System V1.1 in the email parameter of the forgot password page (forgot-password.php). This allows an unauthenticated attacker to manipulate backend SQL queries and retrieve sensitive user data.

Published: Apr 20, 2026
Source: NVD
CVE-2026-39110 HIGH - 8.2

SQL Injection vulnerability in Apartment Visitors Management System Apartment Visitors Management System V1.1 in the contactno parameter of the forgot password page (forgot-password.php). This allows an unauthenticated attacker to manipulate backend SQL queries during authentication and retrieve sen...

Published: Apr 20, 2026
Source: NVD
CVE-2026-39109 CRITICAL - 9.4

SQL Injection vulnerability in Apartment Visitors Management System Apartment Visitors Management System V1.1 within the username parameter of the login page (index.php). This allows an unauthenticated attacker to manipulate backend SQL queries during authentication and retrieve sensitive database c...

Published: Apr 20, 2026
Source: NVD
CVE-2026-26399 MEDIUM - 5.3

A stack-use-after-return issue exists in the Arduino_Core_STM32 library prior to version 1.7.0. The pwm_start() function allocates a TIM_HandleTypeDef structure on the stack and passes its address to HAL initialization routines, where it is stored in a global timer handle registry. After the functio...

Published: Apr 20, 2026
Source: NVD
CVE-2026-23758 MEDIUM - 5.4

GFI HelpDesk beforeĀ 4.99.9 contains a stored cross-site scripting vulnerability in the ticket subject field that allows authenticated staff members to inject malicious JavaScript by manipulating the editsubject POST parameter. Attackers can inject XSS payloads through inadequate sanitization in Cont...

Vendor: GFI Software
Product: HelpDesk
Published: Apr 20, 2026
Source: NVD
CVE-2026-23757 MEDIUM - 5.4

GFI HelpDesk before 4.99.10Ā contains a stored cross-site scripting vulnerability in the Reports module where the title parameter is passed directly to SWIFT_Report::Create() without HTML sanitization. Attackers can inject arbitrary JavaScript into the report title field when creating or editing a re...

Vendor: GFI Software
Product: HelpDesk
Published: Apr 20, 2026
Source: NVD
CVE-2026-23756 MEDIUM - 5.4

GFI HelpDesk beforeĀ 4.99.9 contains a stored cross-site scripting vulnerability in the Troubleshooter module where the subject POST parameter is not sanitized in Controller_Step.InsertSubmit() and EditSubmit() before being rendered by View_Step.RenderViewSteps(). An authenticated staff member can in...

Vendor: GFI Software
Product: HelpDesk
Published: Apr 20, 2026
Source: NVD
CVE-2026-23753 MEDIUM - 4.8

GFI HelpDesk beforeĀ 4.99.9 contains a stored cross-site scripting vulnerability in the language management functionality where the charset POST parameter is passed directly to SWIFT_Language::Create() without HTML sanitization and subsequently rendered unsanitized by View_Language.RenderGrid(). An a...

Vendor: GFI Software
Product: HelpDesk
Published: Apr 20, 2026
Source: NVD
CVE-2026-23752 MEDIUM - 4.8

GFI HelpDesk beforeĀ 4.99.9 contains a stored cross-site scripting vulnerability in the template group creation and editing functionality that allows authenticated administrators to inject arbitrary JavaScript by manipulating the companyname POST parameter without HTML sanitization. Attackers can inj...

Vendor: GFI Software
Product: HelpDesk
Published: Apr 20, 2026
Source: NVD
CVE-2026-6662 HIGH - 7.3

A vulnerability was found in ericc-ch copilot-api up to 0.7.0. The impacted element is the function cors of the file src/server.ts of the component Token Endpoint. Performing a manipulation results in permissive cross-domain policy with untrusted domains. It is possible to initiate the attack remote...

Published: Apr 20, 2026
Source: NVD
CVE-2026-41445 HIGH - 8.8

KissFFT before commitĀ 8a8e66e contains an integer overflow vulnerability in the kiss_fftndr_alloc() function in kiss_fftndr.c where the allocation size calculation dimOther*(dimReal+2)*sizeof(kiss_fft_scalar) overflows signed 32-bit integer arithmetic before being widened to size_t, causing malloc()...

Vendor: mborgerding
Product: kissfft
Published: Apr 20, 2026
Source: NVD
CVE-2026-40488 HIGH - 8.8

Magento Long Term Support (LTS) is an unofficial, community-driven project provides an alternative to the Magento Community Edition e-commerce platform with a high level of backward compatibility. Prior to version 20.17.0, the product custom option file upload in OpenMage LTS uses an incomplete bloc...

Vendor: OpenMage
Product: magento-lts
Published: Apr 20, 2026
Source: NVD
CVE-2026-40098 MEDIUM - 5.4

Magento Long Term Support (LTS) is an unofficial, community-driven project provides an alternative to the Magento Community Edition e-commerce platform with a high level of backward compatibility. Prior to version 20.17.0, the shared wishlist add-to-cart endpoint authorizes access with a public `sha...

Vendor: OpenMage
Product: magento-lts
Published: Apr 20, 2026
Source: NVD
CVE-2026-35154 MEDIUM - 6.3

Dell PowerProtect Data Domain appliances, versions 7.7.1.0 through 8.7.0.0, LTS2025 release versions 8.3.1.0 through 8.3.1.20, LTS2024 release versions 7.13.1.0 through 7.13.1.60 contain an improper privilege management vulnerability in IDRAC. A high privileged attacker with local access could poten...

Vendor: Dell
Product: PowerProtect Data Domain appliances
Published: Apr 20, 2026
Source: NVD
CVE-2026-30269 CRITICAL - 9.9

Improper access control in Doorman v0.1.0 and v1.0.2 allows any authenticated user to update their own account role to a non-admin privileged role via /platform/user/{username}. The `role` field is accepted by the update model without a manage_users permission check for self-updates, enabling privil...

Vendor: doorman
Product: doorman
Published: Apr 20, 2026
Source: NVD