Security
CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
11202
Total
755
Critical
3234
High
3640
Medium
| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-25863 | HIGH | 7.5 | Conditional Fields for Contact Form 7 WordPress plugin through version 2.6.7 contains an uncontrolled resource consumption vulnerability in the Wpcf7cfMailParser class where the hide_hidden_mail_fields_regex_callback() method … | May 04, 2026 |
| CVE-2026-43616 | HIGH | 7.1 | Detect-It-Easy prior to 3.21 contains a path traversal vulnerability that allows attackers to write arbitrary files to the filesystem by crafting malicious archive entries with … | May 04, 2026 |
| CVE-2026-42796 | CRITICAL | 9.8 | Arelle before 2.39.10 contains an unauthenticated remote code execution vulnerability in the /rest/configure REST endpoint that accepts a plugins query parameter and forwards it to … | May 04, 2026 |
| CVE-2026-42146 | MEDIUM | 5.5 | CImg Library is a C++ library for image processing. Prior to commit c3aacf5, the nb_colors field read from the BMP file header is used directly … | May 04, 2026 |
| CVE-2026-42144 | MEDIUM | 6.1 | CImg Library is a C++ library for image processing. Prior to commit 4ca26bc, there is an integer overflow vulnerability in the W*H*D size computation inside … | May 04, 2026 |
| CVE-2026-42140 | MEDIUM | 4.4 | PlantUML Macro is a macro for rendering UML diagrams from simple textual schemes. Prior to version 2.4.1, the PlantUML Macro is vulnerable to Server-Side Request … | May 04, 2026 |
| CVE-2026-42138 | UNKNOWN | — | Dify is an open-source LLM app development platform. Prior to version 1.13.1, using the method POST /api/files/upload, any unauthenticated user can upload an SVG file … | May 04, 2026 |
| CVE-2026-42092 | MEDIUM | 6.5 | titra is an open source time tracking project. In version 0.99.52, the globalsettings Meteor publication returns all global settings without any admin or role check. … | May 04, 2026 |
| CVE-2026-42091 | MEDIUM | 6.5 | goshs is a SimpleHTTPServer written in Go. Prior to version 2.0.2, the PUT upload handler (httpserver/updown.go) lacks the CSRF token validation that was added to … | May 04, 2026 |
| CVE-2026-42088 | CRITICAL | 9.6 | OpenC3 COSMOS provides the functionality needed to send commands to and receive data from one or more embedded systems. Prior to version 7.0.0-rc3, the Script … | May 04, 2026 |
| CVE-2026-42087 | CRITICAL | 9.6 | OpenC3 COSMOS provides the functionality needed to send commands to and receive data from one or more embedded systems. From version 6.7.0 to before version … | May 04, 2026 |
| CVE-2026-42086 | MEDIUM | 4.6 | OpenC3 COSMOS provides the functionality needed to send commands to and receive data from one or more embedded systems. Prior to version 7.0.0, the Command … | May 04, 2026 |
| CVE-2026-42085 | MEDIUM | 4.3 | OpenC3 COSMOS provides the functionality needed to send commands to and receive data from one or more embedded systems. Prior to versions 6.10.5 and 7.0.0-rc3, … | May 04, 2026 |
| CVE-2026-42084 | HIGH | 8.1 | OpenC3 COSMOS provides the functionality needed to send commands to and receive data from one or more embedded systems. Prior to versions 6.10.5 and 7.0.0-rc3, … | May 04, 2026 |
| CVE-2026-42052 | UNKNOWN | — | Beets is the media library management system. Prior to version 2.10.0, the bundled web UI uses Underscore template interpolation mode <%= ... %> for untrusted … | May 04, 2026 |
| CVE-2026-41572 | MEDIUM | 5.3 | Note Mark is an open-source note-taking application. Prior to version 0.19.3, after a note-mark owner soft-deletes a public book, its notes and uploaded assets stay … | May 04, 2026 |
| CVE-2026-41571 | CRITICAL | 9.4 | Note Mark is an open-source note-taking application. In version 0.19.2, IsPasswordMatch in backend/db/models.go falls back to a hard-coded bcrypt("null") placeholder whenever a user has no … | May 04, 2026 |
| CVE-2026-41471 | HIGH | 7.5 | Easy PayPal Events & Tickets plugin for WordPress versions 1.3 and earlier contain an information disclosure vulnerability in the QR code scanning endpoint that allows … | May 04, 2026 |
| CVE-2026-37459 | HIGH | 7.5 | An integer underflow in FRRouting (FRR) stable/10.0 to stable/10.6 allows attackers to cause a Denial of Service (DoS) via supplying a crafted BGP UPDATE message. | May 04, 2026 |
| CVE-2026-32834 | HIGH | 7.5 | Easy PayPal Events & Tickets plugin for WordPress version 1.3 and earlier contain a hardcoded authentication bypass vulnerability in the QR code scanning functionality that … | May 04, 2026 |
| CVE-2026-2828 | UNKNOWN | — | Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. Reason: This candidate was issued in error. Notes: All references and descriptions in this … | May 04, 2026 |
| CVE-2026-29004 | HIGH | 8.1 | BusyBox before commit 42202bf contains a heap buffer overflow vulnerability in the DHCPv6 client (udhcpc6) DNS_SERVERS option handler in networking/udhcp/d6_dhcpc.c that allows network-adjacent attackers to … | May 04, 2026 |
| CVE-2026-0073 | HIGH | 8.8 | In adbd_tls_verify_cert of auth.cpp, there is a possible bypass of wireless ADB mutual authentication due to a logic error in the code. This could lead … | May 04, 2026 |
| CVE-2026-42812 | CRITICAL | 9.9 | In Apache Iceberg, the table's metadata files are control files: they tell readers which data files belong to the table and which table version to … | May 04, 2026 |
| CVE-2026-42811 | CRITICAL | 9.9 | In plain terms, Apache Polaris is supposed to issue short-lived GCS credentials that only work for one table's files, but a crafted namespace or table … | May 04, 2026 |