Security
CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
Total: 12651, Critical: 850, High: 3653, Medium: 3967
| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-6348 | HIGH | 8.8 | WinMatrix agent developed by Simopro Technology has a Missing Authentication vulnerability, allowing authenticated local attackers to execute arbitrary code with SYSTEM privileges on the local … | Apr 16, 2026 |
| CVE-2026-41015 | HIGH | 7.4 | radare2 before 9236f44, when configured on UNIX without SSL, allows command injection via a PDB name to rabin2 -PP. NOTE: although users are supposed to … | Apr 16, 2026 |
| CVE-2026-3885 | MEDIUM | 6.4 | The WP Shortcodes Plugin — Shortcodes Ultimate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'su_box' shortcode in all versions up … | Apr 16, 2026 |
| CVE-2026-3428 | UNKNOWN | — | A Download of Code Without Integrity Check vulnerability in the update modules in ASUS Member Center (华硕大厅) allows a local user to achieve privilege escalation to … | Apr 16, 2026 |
| CVE-2026-1880 | UNKNOWN | — | An Incorrect Permission Assignment for Critical Resource vulnerability in the ASUS DriverHub update process allows privilege escalation due to improper protection of required execution resources … | Apr 16, 2026 |
| CVE-2026-40962 | MEDIUM | 4.9 | FFmpeg before 8.1 has an integer overflow and resultant out-of-bounds write via CENC (Common Encryption) subsample data to libavformat/mov.c. | Apr 16, 2026 |
| CVE-2026-40505 | LOW | 3.3 | MuPDF mutool does not sanitize PDF metadata fields before writing them to terminal output, allowing attackers to inject arbitrary ANSI escape sequences through crafted PDF … | Apr 16, 2026 |
| CVE-2026-40504 | CRITICAL | 9.8 | Creolabs Gravity before 0.9.6 contains a heap buffer overflow vulnerability in the gravity_vm_exec function that allows attackers to write out-of-bounds memory by crafting scripts with … | Apr 16, 2026 |
| CVE-2026-3299 | MEDIUM | 6.4 | The WP YouTube Lyte plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'lyte' shortcode in all versions up to, and including, … | Apr 16, 2026 |
| CVE-2026-40960 | HIGH | 8.1 | Luanti 5 before 5.15.2 sometimes allows unintended access to an insecure environment. If at least one mod is listed as secure.trusted_mods or secure.http_mods, then a … | Apr 16, 2026 |
| CVE-2026-40959 | CRITICAL | 9.3 | Luanti 5 before 5.15.2, when LuaJIT is used, allows a Lua sandbox escape via a crafted mod. | Apr 16, 2026 |
| CVE-2026-40503 | MEDIUM | 6.5 | OpenHarness prior to commit dd1d235 contains a path traversal vulnerability that allows remote gateway users with chat access to read arbitrary files by supplying path … | Apr 16, 2026 |
| CVE-2026-40502 | HIGH | 8.8 | OpenHarness prior to commit dd1d235 contains a command injection vulnerability that allows remote gateway users with chat access to invoke sensitive administrative commands by exploiting … | Apr 16, 2026 |
| CVE-2026-5363 | UNKNOWN | — | Inadequate Encryption Strength vulnerability in TP-Link Archer C7 v5 and v5.8 (uhttpd modules) allows Password Recovery Exploitation. The web interface encrypts the admin password client-side … | Apr 16, 2026 |
| CVE-2026-4880 | CRITICAL | 9.8 | The Barcode Scanner (+Mobile App) – Inventory manager, Order fulfillment system, POS (Point of Sale) plugin for WordPress is vulnerable to privilege escalation via insecure … | Apr 16, 2026 |
| CVE-2026-40947 | LOW | 2.9 | Yubico libfido2 before 1.17.0, python-fido2 before 2.2.0, and yubikey-manager before 5.9.1 have an unintended DLL search path. | Apr 16, 2026 |
| CVE-2026-40245 | HIGH | 7.5 | Free5GC is an open-source Linux Foundation project for 5th generation (5G) mobile core networks. Versions 4.2.1 and below contain an information disclosure vulnerability in the … | Apr 16, 2026 |
| CVE-2026-40193 | HIGH | 8.2 | maddy is a composable, all-in-one mail server. Versions prior to 0.9.3 contain an LDAP injection vulnerability in the auth.ldap module where user-supplied usernames are interpolated … | Apr 16, 2026 |
| CVE-2026-4949 | MEDIUM | 4.3 | The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress plugin for WordPress is vulnerable to Missing Authorization … | Apr 15, 2026 |
| CVE-2026-40316 | HIGH | 8.8 | OWASP BLT is a QA testing and vulnerability disclosure platform that encompasses websites, apps, git repositories, and more. Versions prior to 2.1.1 contain an RCE … | Apr 15, 2026 |
| CVE-2026-40192 | UNKNOWN | — | Pillow is a Python imaging library. Versions 10.3.0 through 12.1.1 did not limit the amount of GZIP-compressed data read when decoding a FITS image, making … | Apr 15, 2026 |
| CVE-2026-40179 | UNKNOWN | — | Prometheus is an open-source monitoring system and time series database. Versions 3.0 through 3.5.1 and 3.6.0 through 3.11.1 have stored cross-site scripting vulnerabilities in multiple … | Apr 15, 2026 |
| CVE-2026-39350 | MEDIUM | 5.4 | Istio is an open platform to connect, manage, and secure microservices. In versions 1.25.0 through 1.27.8, 1.28.0 through 1.28.5, 1.29.0, and 1.29.1, the serviceAccounts and … | Apr 15, 2026 |
| CVE-2026-6388 | CRITICAL | 9.1 | A flaw was found in ArgoCD Image Updater. This vulnerability allows an attacker, with permissions to create or modify an ImageUpdater resource in a multi-tenant … | Apr 15, 2026 |
| CVE-2026-40500 | MEDIUM | 6.8 | ProcessWire CMS version 3.0.255 and prior contain a server-side request forgery vulnerability in the admin panel's 'Add Module From URL' feature that allows authenticated administrators … | Apr 15, 2026 |