CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
| Total | Critical | High | Medium |
|---|---|---|---|
| 12651 | 850 | 3653 | 3967 |
| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-4525 | HIGH | 7.5 | If a Vault auth mount is configured to pass through the "Authorization" header, and the "Authorization" header is used to authenticate to Vault, Vault forwarded … | Apr 17, 2026 |
| CVE-2026-3605 | HIGH | 8.1 | An authenticated user with access to a kvv2 path through a policy containing a glob may be able to delete secrets they were not authorized … | Apr 17, 2026 |
| CVE-2026-5231 | HIGH | 7.2 | The WP Statistics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'utm_source' parameter in all versions up to, and including, 14.16.4. This … | Apr 17, 2026 |
| CVE-2026-5162 | MEDIUM | 6.4 | The Royal Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Instagram Feed widget's 'instagram_follow_text' setting in all versions up … | Apr 17, 2026 |
| CVE-2026-4817 | MEDIUM | 6.5 | The MasterStudy LMS WordPress Plugin for Online Courses and Education plugin for WordPress is vulnerable to Time-based Blind SQL Injection via the 'order' and 'orderby' … | Apr 17, 2026 |
| CVE-2026-3488 | MEDIUM | 6.5 | The WP Statistics plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 14.16.4. This is due to missing capability … | Apr 17, 2026 |
| CVE-2026-40922 | UNKNOWN | — | SiYuan is an open-source personal knowledge management system. In versions 3.6.1 through 3.6.3, a prior fix for XSS in bazaar README rendering (incomplete fix for … | Apr 17, 2026 |
| CVE-2026-40265 | MEDIUM | 5.9 | Note Mark is an open-source note-taking application. In versions 0.19.1 and prior, the asset download endpoint at /api/notes/{noteID}/assets/{assetID} is registered without authentication middleware, and the … | Apr 17, 2026 |
| CVE-2026-40263 | LOW | 3.7 | Note Mark is an open-source note-taking application. In versions 0.19.1 and prior, the login endpoint performs bcrypt password verification only when the supplied username exists, … | Apr 17, 2026 |
| CVE-2026-40262 | HIGH | 8.7 | Note Mark is an open-source note-taking application. In versions 0.19.1 and prior, the asset delivery handler serves uploaded files inline and relies on magic-byte detection … | Apr 17, 2026 |
| CVE-2026-40260 | UNKNOWN | — | pypdf is a free and open-source pure-python PDF library. In versions prior to 6.10.0, manipulated XMP metadata entity declarations can exhaust RAM. An attacker who … | Apr 17, 2026 |
| CVE-2026-22734 | HIGH | 8.6 | Cloud Foundry UAA is vulnerable to a bypass that allows an attacker to obtain a token for any user and gain access to UAA-protected systems. … | Apr 17, 2026 |
| CVE-2026-40322 | CRITICAL | 9.0 | SiYuan is an open-source personal knowledge management system. In versions 3.6.3 and below, Mermaid diagrams are rendered with securityLevel set to "loose", and the resulting … | Apr 16, 2026 |
| CVE-2026-40318 | HIGH | 8.5 | SiYuan is an open-source personal knowledge management system. In versions 3.6.3 and prior, the /api/av/removeUnusedAttributeView endpoint constructs a filesystem path using the user-controlled id parameter … | Apr 16, 2026 |
| CVE-2026-40259 | HIGH | 8.1 | SiYuan is an open-source personal knowledge management system. In versions 3.6.3 and below, the /api/av/removeUnusedAttributeView endpoint is protected only by generic authentication that accepts publish-service … | Apr 16, 2026 |
| CVE-2026-40255 | MEDIUM | 6.1 | AdonisJS HTTP Server is a package for handling HTTP requests in the AdonisJS framework. In @adonisjs/http-server versions prior to 7.8.1 and 8.0.0-next.0 through 8.1.3, and … | Apr 16, 2026 |
| CVE-2026-40253 | MEDIUM | 6.8 | openCryptoki is a PKCS#11 library and provides tooling for Linux and AIX. In versions 3.26.0 and below, the BER/DER decoding functions in the shared common … | Apr 16, 2026 |
| CVE-2024-58343 | MEDIUM | 4.3 | Vision Helpdesk before 5.7.0 (patched in 5.6.10) allows attackers to read user profiles via modified serialized cookie data to vis_client_id. | Apr 16, 2026 |
| CVE-2026-41113 | HIGH | 8.1 | sagredo qmail before 2026.04.07 allows tls_quit remote code execution because of popen in notlshosts_auto in qmail-remote.c. | Apr 16, 2026 |
| CVE-2026-40308 | UNKNOWN | — | My Calendar is a WordPress plugin for managing calendar events. In versions 3.7.6 and below, the mc_ajax_mcjs_action AJAX endpoint, registered for unauthenticated users, passes user-supplied … | Apr 16, 2026 |
| CVE-2026-40249 | UNKNOWN | — | free5GC is an open-source implementation of the 5G core network. In versions 4.2.1 and below of the UDR service, the PUT handler for updating Policy … | Apr 16, 2026 |
| CVE-2026-40248 | UNKNOWN | — | free5GC is an open-source implementation of the 5G core network. In versions 4.2.1 and below of the UDR service, the handler for creating or updating … | Apr 16, 2026 |
| CVE-2026-40247 | UNKNOWN | — | free5GC is an open-source implementation of the 5G core network. In versions 4.2.1 and below of the UDR service, the handler for reading Traffic Influence … | Apr 16, 2026 |
| CVE-2026-40246 | UNKNOWN | — | free5GC is an open-source implementation of the 5G core network. In versions 1.4.2 and below of the UDR service, the handler for deleting Traffic Influence … | Apr 16, 2026 |
| CVE-2026-40170 | HIGH | 7.5 | ngtcp2 is a C implementation of the IETF QUIC protocol. In versions prior to 1.22.1, ngtcp2_qlog_parameters_set_transport_params() serializes peer transport parameters into a fixed 1024-byte stack … | Apr 16, 2026 |