CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
Feed totals: 12651 CVEs in total, of which 850 are rated Critical, 3653 High and 3967 Medium.
| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-31987 | UNKNOWN | — | JWT Tokens used by tasks were exposed in logs. This could allow UI users to act as Dag Authors. Users are advised to upgrade to … | Apr 16, 2026 |
| CVE-2026-6414 | MEDIUM | 5.9 | @fastify/static versions 8.0.0 through 9.1.0 decode percent-encoded path separators (%2F) before filesystem resolution, while Fastify's router treats them as literal characters. This mismatch allows attackers … | Apr 16, 2026 |
| CVE-2026-5968 | UNKNOWN | — | Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. Reason: This candidate was issued in error. Notes: All references and descriptions in this … | Apr 16, 2026 |
| CVE-2026-31843 | CRITICAL | 9.8 | The goodoneuz/pay-uz Laravel package (<= 2.2.24) contains a critical vulnerability in the /payment/api/editable/update endpoint that allows unauthenticated attackers to overwrite existing PHP payment hook files. … | Apr 16, 2026 |
| CVE-2025-15621 | UNKNOWN | — | Insufficiently Protected Credentials in Sparx Systems Pty Ltd. Sparx Enterprise Architect. Client does not verify the receiver of OAuth2 credentials during OpenID authentication | Apr 16, 2026 |
| CVE-2026-3489 | HIGH | 7.5 | The DirectoryPress – Business Directory And Classified Ad Listing plugin for WordPress is vulnerable to SQL Injection via the 'packages' parameter in versions up to, … | Apr 16, 2026 |
| CVE-2026-3369 | MEDIUM | 5.4 | The Better Find and Replace – AI-Powered Suggestions plugin for WordPress is vulnerable to Stored Cross-Site Scripting via uploaded image title in versions up to, … | Apr 16, 2026 |
| CVE-2026-3155 | LOW | 3.1 | The OneSignal – Web Push Notifications plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 3.8.0. This is due to … | Apr 16, 2026 |
| CVE-2025-12624 | MEDIUM | 6.0 | Active access tokens are not revoked or invalidated when a user account is locked within WSO2 Identity Server. This failure to enforce revocation allows previously … | Apr 16, 2026 |
| CVE-2025-6024 | MEDIUM | 6.1 | The authentication endpoint fails to encode user-supplied input before rendering it in the web page, allowing for script injection. An attacker can leverage this by … | Apr 16, 2026 |
| CVE-2024-8010 | LOW | 3.5 | The component accepts XML input through the publisher without disabling external entity resolution. This allows malicious actors to submit a crafted XML payload that exploits … | Apr 16, 2026 |
| CVE-2024-4867 | MEDIUM | 5.4 | The WSO2 API Manager developer portal accepts user-supplied input without enforcing expected validation constraints or proper output encoding. This deficiency allows a malicious actor to … | Apr 16, 2026 |
| CVE-2024-10242 | MEDIUM | 6.1 | The authentication endpoint fails to adequately validate user-supplied input before reflecting it back in the response. This allows an attacker to inject malicious script payloads … | Apr 16, 2026 |
| CVE-2026-23772 | HIGH | 7.3 | Dell Storage Manager - Replay Manager for Microsoft Servers, version(s) 8.0, contain(s) an Improper Privilege Management vulnerability. A low privileged attacker with local access could … | Apr 16, 2026 |
| CVE-2024-2374 | HIGH | 7.5 | The XML parsers within multiple WSO2 products accept user-supplied XML data without properly configuring to prevent the resolution of external entities. This omission allows malicious … | Apr 16, 2026 |
| CVE-2026-0718 | MEDIUM | 5.3 | The Post Grid Gutenberg Blocks for News, Magazines, Blog Websites – PostX plugin for WordPress is vulnerable to unauthorized modification of data due to a … | Apr 16, 2026 |
| CVE-2025-14868 | HIGH | 8.8 | The Career Section plugin for WordPress is vulnerable to Cross-Site Request Forgery leading to Path Traversal and Arbitrary File Deletion in all versions up to, … | Apr 16, 2026 |
| CVE-2026-41035 | HIGH | 7.4 | In rsync 3.0.1 through 3.4.1, receive_xattr relies on an untrusted length value during a qsort call, leading to a receiver use-after-free. The victim must run … | Apr 16, 2026 |
| CVE-2026-41034 | MEDIUM | 5.0 | ONLYOFFICE DocumentServer before 9.3.0 has an untrusted pointer dereference in XLS processing/conversion (via pictFmla.cbBufInCtlStm and other vectors), leading to an information leak and ASLR bypass. | Apr 16, 2026 |
| CVE-2026-41030 | MEDIUM | 6.2 | In ONLYOFFICE DesktopEditors before 9.3.0, the update service allows attackers to perform actions on files with SYSTEM privileges. | Apr 16, 2026 |
| CVE-2026-3995 | MEDIUM | 4.4 | The OPEN-BRAIN plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'API Key' settings field in all versions up to, and including, 0.5.0. … | Apr 16, 2026 |
| CVE-2026-3876 | HIGH | 7.2 | The Prismatic plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'prismatic_encoded' pseudo-shortcode in all versions up to, and including, 3.7.3. This is … | Apr 16, 2026 |
| CVE-2026-3875 | MEDIUM | 6.4 | The BetterDocs plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'betterdocs_feedback_form' shortcode in all versions up to, and including, 4.3.8. This is … | Apr 16, 2026 |
| CVE-2026-3861 | MEDIUM | 6.5 | LINE client for iOS versions prior to 26.3.0 contains a vulnerability in the in-app browser where opening a crafted web page can repeatedly trigger OS-level … | Apr 16, 2026 |
| CVE-2026-3355 | MEDIUM | 6.1 | The Customer Reviews for WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘crsearch’ parameter in all versions up to, and including, … | Apr 16, 2026 |