Security
CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
Total: 12600; Critical: 849; High: 3629; Medium: 3944
| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-6887 | CRITICAL | 9.8 | Borg SPM 2007 (Sales Ended in 2008) developed by BorG Technology Corporation has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL … | Apr 23, 2026 |
| CVE-2026-6886 | CRITICAL | 9.8 | Borg SPM 2007 (Sales Ended in 2008) developed by BorG Technology Corporation has an Authentication Bypass vulnerability, allowing unauthenticated remote attackers to log into the … | Apr 23, 2026 |
| CVE-2026-6885 | CRITICAL | 9.8 | Borg SPM 2007 (Sales Ended in 2008) developed by BorG Technology Corporation has an Arbitrary File Upload vulnerability, allowing unauthenticated remote attackers to upload and … | Apr 23, 2026 |
| CVE-2026-5464 | HIGH | 7.2 | The ExactMetrics – Google Analytics Dashboard for WordPress (Website Stats Plugin) plugin for WordPress is vulnerable to unauthorized arbitrary plugin installation and activation in all … | Apr 23, 2026 |
| CVE-2026-3960 | MEDIUM | 5.9 | A critical remote code execution vulnerability exists in the unauthenticated REST API endpoint /99/ImportSQLTable in H2O-3 version 3.46.0.9 and prior. The vulnerability arises due to … | Apr 23, 2026 |
| CVE-2026-3259 | UNKNOWN | — | A Generation of Error Message Containing Sensitive Information vulnerability in the Materialized View Refresh mechanism in Google BigQuery on Google Cloud Platform allows an authenticated … | Apr 23, 2026 |
| CVE-2026-41564 | HIGH | 7.5 | CryptX versions before 0.088 for Perl do not reseed the Crypt::PK PRNG state after forking. The Crypt::PK::RSA, Crypt::PK::DSA, Crypt::PK::DH, Crypt::PK::ECC, Crypt::PK::Ed25519 and Crypt::PK::X25519 modules seed … | Apr 23, 2026 |
| CVE-2026-4512 | LOW | 3.5 | The reCaptcha by WebDesignBy WordPress plugin before 2.0 does not sanitize or escape the Site Key setting before outputting it in a JavaScript string context … | Apr 23, 2026 |
| CVE-2026-4106 | MEDIUM | 5.3 | The HT Mega Addons for Elementor WordPress plugin before 3.0.7 contains an unauthenticated AJAX action returning some PII (such as full name, city, state and … | Apr 23, 2026 |
| CVE-2026-41040 | HIGH | 7.5 | GROWI provided by GROWI, Inc. is vulnerable to a regular expression denial of service (ReDoS) via a crafted input string. | Apr 23, 2026 |
| CVE-2026-34488 | HIGH | 7.3 | IP Setting Software contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries. As a result, arbitrary code … | Apr 23, 2026 |
| CVE-2025-10549 | MEDIUM | 5.1 | EfficientLab Controlio before v1.3.95 contains a DLL hijacking vulnerability caused by weak folder permissions in the installation directory. A local attacker can place a specially … | Apr 23, 2026 |
| CVE-2026-41990 | MEDIUM | 4.0 | Libgcrypt before 1.12.2 mishandles Dilithium signing. Writes to a static array lack a bounds check but do not use attacker-controlled data. | Apr 23, 2026 |
| CVE-2026-41989 | MEDIUM | 6.7 | Libgcrypt before 1.12.2 sometimes allows a heap-based buffer overflow and denial of service via crafted ECDH ciphertext to gcry_pk_decrypt. | Apr 23, 2026 |
| CVE-2026-41988 | LOW | 3.2 | uuid before 14.0.0 can make unexpected writes when external output buffers are used, and the UUID version is 3, 5, or 6. In particular, UUID … | Apr 23, 2026 |
| CVE-2026-41233 | MEDIUM | 5.4 | Froxlor is open source server administration software. Prior to version 2.3.6, in `Domains.add()`, the `adminid` parameter is accepted from user input and used without validation … | Apr 23, 2026 |
| CVE-2026-41232 | MEDIUM | 5.0 | Froxlor is open source server administration software. Prior to version 2.3.6, in `EmailSender::add()`, the domain ownership validation for full email sender aliases uses the wrong … | Apr 23, 2026 |
| CVE-2026-40529 | MEDIUM | 4.7 | CMS ALAYA provided by KANATA Limited contains an SQL injection vulnerability. Information stored in the database may be obtained or altered by an attacker with … | Apr 23, 2026 |
| CVE-2026-41231 | HIGH | 7.5 | Froxlor is open source server administration software. Prior to version 2.3.6, `DataDump.add()` constructs the export destination path from user-supplied input without passing the `$fixed_homedir` parameter … | Apr 23, 2026 |
| CVE-2026-41230 | HIGH | 8.5 | Froxlor is open source server administration software. Prior to version 2.3.6, `DomainZones::add()` accepts arbitrary DNS record types without a whitelist and does not sanitize newline … | Apr 23, 2026 |
| CVE-2026-41229 | CRITICAL | 9.1 | Froxlor is open source server administration software. Prior to version 2.3.6, `PhpHelper::parseArrayToString()` writes string values into single-quoted PHP string literals without escaping single quotes. When … | Apr 23, 2026 |
| CVE-2026-41228 | CRITICAL | 9.9 | Froxlor is open source server administration software. Prior to version 2.3.6, the Froxlor API endpoint `Customers.update` (and `Admins.update`) does not validate the `def_language` parameter against … | Apr 23, 2026 |
| CVE-2026-3361 | MEDIUM | 6.4 | The WP Store Locator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wpsl_address' post meta value in versions up to, and including, … | Apr 23, 2026 |
| CVE-2026-3007 | MEDIUM | 5.4 | Successful exploitation of the stored cross-site scripting (XSS) vulnerability could allow an attacker to execute arbitrary JavaScript on any user account that has access to … | Apr 23, 2026 |
| CVE-2026-3844 | CRITICAL | 9.8 | The Breeze Cache plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'fetch_gravatar_from_remote' function in all versions … | Apr 23, 2026 |