Total CVEs

143,377

Critical Severity

4,061

High Severity

14,648

Last 7 Days

1,373
Quick preset (or use dates below)
Clear Filters
๐Ÿ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years โ†’
Showing 19,821 - 19,840 of 39,782 CVEs
CVE-2026-6563 HIGH - 8.8

A vulnerability has been found in H3C Magic B1 up to 100R004. The affected element is the function SetAPWifiorLedInfoById of the file /goform/aspForm. The manipulation of the argument param leads to buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to th...

Published: Apr 19, 2026
Source: NVD
CVE-2026-6562 HIGH - 7.3

A flaw has been found in dameng100 muucmf 1.9.5.20260309. Impacted is the function getListByPage of the file /index/Search/index.html. Executing a manipulation of the argument keyword can lead to sql injection. The attack may be performed from remote. The exploit has been published and may be used. ...

Published: Apr 19, 2026
Source: NVD
CVE-2026-6561 MEDIUM - 4.7

A vulnerability was detected in EyouCMS up to 1.7.1. This issue affects the function edit_adminlogo of the file application/admin/controller/Index.php. Performing a manipulation of the argument filename results in unrestricted upload. The attack is possible to be carried out remotely. The exploit is...

Published: Apr 19, 2026
Source: NVD
CVE-2026-6560 HIGH - 8.8

A security vulnerability has been detected in H3C Magic B0 up to 100R002. This vulnerability affects the function Edit_BasicSSID of the file /goform/aspForm. Such manipulation of the argument param leads to buffer overflow. The attack can be executed remotely. The exploit has been disclosed publicly...

Published: Apr 19, 2026
Source: NVD
CVE-2026-6559 MEDIUM - 4.3

A weakness has been identified in Wavlink WL-WN579A3 220323. This affects the function sub_401F80 of the file /cgi-bin/login.cgi. This manipulation of the argument Hostname causes cross site scripting. Remote exploitation of the attack is possible. Upgrading the affected component is recommended. Th...

Published: Apr 19, 2026
Source: NVD
CVE-2026-0868 MEDIUM - 6.4

The EMC โ€“ Easily Embed Calendly Scheduling Features plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's calendly shortcode in all versions up to, and including, 4.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes ...

Published: Apr 19, 2026
Source: NVD

Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

Published: Apr 18, 2026
Source: NVD
CVE-2026-41242 CRITICAL - 9.8

protobufjs compiles protobuf definitions into JavaScript (JS) functions. In versions prior to 8.0.1 and 7.5.5, attackers can inject arbitrary code in the "type" fields of protobuf definitions, which will then execute during object decoding using that definition. Versions 8.0.1 and 7.5.5 pa...

Vendor: protobufjs
Product: protobuf.js
Published: Apr 18, 2026
Source: NVD
CVE-2026-40948 MEDIUM - 5.4

The Keycloak authentication manager in `apache-airflow-providers-keycloak` did not generate or validate the OAuth 2.0 `state` parameter on the login / login-callback flow, and did not use PKCE. An attacker with a Keycloak account in the same realm could deliver a crafted callback URL to a victim...

Vendor: Apache Software Foundation
Product: Apache Airflow
Published: Apr 18, 2026
Source: NVD
CVE-2026-2986 MEDIUM - 6.4

The Contextual Related Posts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'other_attributes' parameter in versions up to, and including, 4.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with c...

Published: Apr 18, 2026
Source: NVD
CVE-2026-2505 MEDIUM - 5.4

The Categories Images plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 3.3.1, via the 'z_taxonomy_image' shortcode. This is due to the shortcode rendering path passing attacker-controlled class input into a fallback image builder that conc...

Published: Apr 18, 2026
Source: NVD
CVE-2026-0894 MEDIUM - 6.4

The Content Blocks (Custom Post Widget) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's content_block shortcode in all versions up to, and including, 3.3.9 due to insufficient input sanitization and output escaping on user supplied values consumed from user-cr...

Published: Apr 18, 2026
Source: NVD
CVE-2026-41254 MEDIUM - 4.0

Little CMS (lcms2) through 2.18 has an integer overflow in CubeSize in cmslut.c because the overflow check is performed after the multiplication.

Vendor: littlecms
Product: little cms color engine
Published: Apr 18, 2026
Source: NVD

Secrets in Variables saved as JSON dictionaries were not properly redacted - in case thee variables were retrieved by the user the secrets stored as nested fields were not masked. If you do not store variables with sensitive values in JSON form, you are not affected. Otherwise please upgrade to Apa...

Vendor: Apache Software Foundation
Product: Apache Airflow
Published: Apr 18, 2026
Source: NVD
CVE-2026-32228 HIGH - 7.5

UI / API User with asset materialize permission could trigger dags they had no access to. Users are advised to migrate to Airflow version 3.2.0 that fixes the issue.

Vendor: Apache Software Foundation
Product: Apache Airflow
Published: Apr 18, 2026
Source: NVD
CVE-2026-30912 HIGH - 7.5

In case of SQL errors, exception/stack trace of errors was exposed in API even if "api/expose_stack_traces" was set to false. That could lead to exposing additional information to potential attacker. Users are recommended to upgrade to Apache Airflow 3.2.0, which fixes the issue.

Vendor: Apache Software Foundation
Product: Apache Airflow
Published: Apr 18, 2026
Source: NVD
CVE-2026-30898 HIGH - 8.8

An example of BashOperator in Airflow documentation suggested a way of passing dag_run.conf in the way that could cause unsanitized user input to be used to escalate privileges of UI user to allow execute code on worker. Users should review if any of their own DAGs have adopted this incorrect advice...

Vendor: Apache Software Foundation
Product: Apache Airflow
Published: Apr 18, 2026
Source: NVD
CVE-2026-25917 CRITICAL - 9.8

Dag Authors, who normally should not be able to execute code in the webserver context could craft XCom payload causing the webserver to execute arbitrary code. Since Dag Authors are already highly trusted, severity of this issue is Low. Users are recommended to upgrade to Apache Airflow 3.2.0, whic...

Vendor: Apache Software Foundation
Product: Apache Airflow
Published: Apr 18, 2026
Source: NVD
CVE-2026-41253 MEDIUM - 6.9

In iTerm2 through 3.6.9, displaying a .txt file can cause code execution via DCS 2000p and OSC 135 data, if the working directory contains a malicious file whose name is valid output from the conductor encoding path, such as a pathname with an initial ace/c+ substring, aka "hypothetical in-band...

Vendor: iTerm2
Product: iTerm2
Published: Apr 18, 2026
Source: NVD
CVE-2026-6518 HIGH - 8.8

The CMP โ€“ Coming Soon & Maintenance Plugin by NiteoThemes plugin for WordPress is vulnerable to arbitrary file upload and remote code execution in all versions up to, and including, 4.1.16 via the `cmp_theme_update_install` AJAX action. This is due to the function only checking for the `publish_...

Published: Apr 18, 2026
Source: NVD