Security
CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
12628
Total
849
Critical
3640
High
3960
Medium
| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-0930 | UNKNOWN | — | Potential read out of bounds case with wolfSSHd on Windows while handling a terminal resize request. An authenticated user could trigger the out of bounds … | Apr 20, 2026 |
| CVE-2026-5928 | UNKNOWN | — | Calling the ungetwc function on a FILE stream with wide characters encoded in a character set that has overlaps between its single byte and multi-byte … | Apr 20, 2026 |
| CVE-2026-5450 | UNKNOWN | — | Calling the scanf family of functions with a %mc (malloc'd character match) in the GNU C Library version 2.7 to version 2.43 with a format … | Apr 20, 2026 |
| CVE-2026-5358 | UNKNOWN | — | The obsolete nis_local_principal function in the GNU C Library version 2.43 and older may overflow a buffer in the data section, which could allow an … | Apr 20, 2026 |
| CVE-2026-4852 | MEDIUM | 6.4 | The Image Source Control Lite – Show Image Credits and Captions plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Image Source' attachment … | Apr 20, 2026 |
| CVE-2026-34403 | UNKNOWN | — | Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.5, all WebSocket endpoints in nginx-ui use a gorilla/websocket Upgrader … | Apr 20, 2026 |
| CVE-2026-33626 | HIGH | 7.5 | LMDeploy is a toolkit for compressing, deploying, and serving large language models. Versions prior to 0.12.3 have a Server-Side Request Forgery (SSRF) vulnerability in LMDeploy's … | Apr 20, 2026 |
| CVE-2026-33432 | UNKNOWN | — | Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions up to and including 8.2.8.2, when LDAP authentication is enabled, … | Apr 20, 2026 |
| CVE-2026-33431 | UNKNOWN | — | Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Prior to version 8.2.6.4, the POST /config/<service>/show API endpoint accepts a configver … | Apr 20, 2026 |
| CVE-2026-33031 | UNKNOWN | — | Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.4, a user who was disabled by an administrator can … | Apr 20, 2026 |
| CVE-2026-32613 | CRITICAL | 9.9 | Spinnaker is an open source, multi-cloud continuous delivery platform. Echo like some other services, uses SPeL (Spring Expression Language) to process information - specifically around … | Apr 20, 2026 |
| CVE-2026-32604 | CRITICAL | 9.9 | Spinnaker is an open source, multi-cloud continuous delivery platform. In versions prior to 2026.1.0, 2026.0.1, 2025.4.2, and 2025.3.2, a bad actor can execute arbitrary commands … | Apr 20, 2026 |
| CVE-2026-29648 | UNKNOWN | — | In OpenXiangShan NEMU, when Smstateen is enabled, clearing mstateen0.ENVCFG does not correctly restrict access to henvcfg and senvcfg. As a result, less-privileged code may read … | Apr 20, 2026 |
| CVE-2026-29647 | UNKNOWN | — | In OpenXiangShan NEMU, insufficient Smstateen permission enforcement allows lower-privileged code to access IMSIC state via stopei/vstopei CSRs even when mstateen0.IMSIC is cleared, potentially enabling cross-context … | Apr 20, 2026 |
| CVE-2026-29646 | UNKNOWN | — | In OpenXiangShan NEMU prior to 55295c4, when running with RVH (Hypervisor extension) enabled, a VS-mode guest write to the supervisor interrupt-enable CSR (sie) may be … | Apr 20, 2026 |
| CVE-2026-29642 | UNKNOWN | — | A local attacker who can execute privileged CSR operations (or can induce firmware to do so) performs carefully crafted reads/writes to menvcfg (e.g., csrrs in … | Apr 20, 2026 |
| CVE-2026-6550 | MEDIUM | 4.7 | Cryptographic algorithm downgrade in the caching layer of Amazon AWS Encryption SDK for Python before version 3.3.1 and before version 4.0.5 might allow an authenticated … | Apr 20, 2026 |
| CVE-2026-6257 | CRITICAL | 9.1 | Vvveb CMS v1.0.8 contains a remote code execution vulnerability in its media management functionality where a missing return statement in the file rename handler allows … | Apr 20, 2026 |
| CVE-2026-6249 | HIGH | 8.8 | Vvveb CMS 1.0.8 contains a remote code execution vulnerability in its media upload handler that allows authenticated attackers to execute arbitrary operating system commands by … | Apr 20, 2026 |
| CVE-2026-5478 | HIGH | 8.1 | The Everest Forms plugin for WordPress is vulnerable to Arbitrary File Read and Deletion in all versions up to, and including, 3.4.4. This is due … | Apr 20, 2026 |
| CVE-2026-32311 | UNKNOWN | — | Flowsint is an open-source OSINT graph exploration tool designed for cybersecurity investigation, transparency, and verification. Flowsint allows a user to create investigations, which are used … | Apr 20, 2026 |
| CVE-2026-32135 | UNKNOWN | — | NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Platform. Versions prior to 0.24.11 have a remotely triggerable heap buffer overflow in the `uri_param_parse` function … | Apr 20, 2026 |
| CVE-2026-29649 | UNKNOWN | — | NEMU contains an implementation flaw in its RISC-V Hypervisor CSR handling where henvcfg[7:4] (CBIE/CBCFE/CBZE-related fields) is incorrectly masked/updated based on menvcfg[7:4], so a machine-mode write … | Apr 20, 2026 |
| CVE-2026-29645 | UNKNOWN | — | NEMU (OpenXiangShan/NEMU) before v2025.12.r2 contains an improper instruction-validation flaw in its RISC-V Vector (RVV) decoder. The decoder does not correctly validate the funct3 field when … | Apr 20, 2026 |
| CVE-2026-6248 | HIGH | 8.1 | The wpForo Forum plugin for WordPress is vulnerable to Arbitrary File Deletion in versions up to and including 3.0.5. This is due to two compounding … | Apr 20, 2026 |