Security
CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
12686
Total
851
Critical
3660
High
3983
Medium
| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-28741 | MEDIUM | 6.8 | Mattermost versions 10.11.x <= 10.11.12, 11.5.x <= 11.5.0, 11.4.x <= 11.4.2, 11.3.x <= 11.3.2 fail to validate CSRF tokens on an authentication endpoint which allows … | Apr 15, 2026 |
| CVE-2026-27769 | LOW | 2.7 | Mattermost versions 10.11.x <= 10.11.12 fail to validate whether users were correctly owned by the correct Connected Workspace which allows a malicious remote server connected … | Apr 15, 2026 |
| CVE-2026-5598 | UNKNOWN | — | Covert timing channel vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA core on all (core modules). Non-constant time comparisons risk private key leakage in … | Apr 15, 2026 |
| CVE-2026-5588 | UNKNOWN | — | : Use of a Broken or Risky Cryptographic Algorithm vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcpkix on all (pkix modules). PKIX draft … | Apr 15, 2026 |
| CVE-2026-3505 | UNKNOWN | — | Allocation of resources without limits or throttling vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcpg on all (pg modules).This issue affects BC-JAVA: before … | Apr 15, 2026 |
| CVE-2026-33808 | UNKNOWN | — | Impact@fastify/express v4.0.4 and earlier fails to normalize URLs before passing them to Express middleware when Fastify router normalization options are enabled. This allows complete bypass … | Apr 15, 2026 |
| CVE-2026-33807 | CRITICAL | 9.1 | @fastify/express v4.0.4 and earlier contains a path handling bug in the onRegister function that causes middleware paths to be doubled when inherited by child plugins. … | Apr 15, 2026 |
| CVE-2026-0636 | UNKNOWN | — | Improper neutralization of special elements used in an LDAP query ('LDAP injection') vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcprov on all (prov … | Apr 15, 2026 |
| CVE-2025-14813 | UNKNOWN | — | Use of a Broken or Risky Cryptographic Algorithm vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcprov on all (core modules). This vulnerability is … | Apr 15, 2026 |
| CVE-2024-33618 | HIGH | 7.5 | Uncontrolled Resource Consumption in Bosch VMS Central Server in Bosch VMS 12.0.1 allows attackers to consume excessive amounts of disk space via network interface. | Apr 15, 2026 |
| CVE-2026-5717 | MEDIUM | 6.4 | The VI: Include Post By plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'class_container' attribute of the 'include-post-by-cat' shortcode in all versions … | Apr 15, 2026 |
| CVE-2026-5694 | HIGH | 7.2 | The Quick Interest Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'loan-amount' and 'loan-period' parameters in all versions up to, and … | Apr 15, 2026 |
| CVE-2026-5617 | HIGH | 8.8 | The Login as User plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.0.3. This is due to the … | Apr 15, 2026 |
| CVE-2026-4091 | MEDIUM | 6.1 | The OPEN-BRAIN plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.5.0. This is due to missing nonce … | Apr 15, 2026 |
| CVE-2026-4011 | MEDIUM | 6.4 | The Power Charts Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' parameter of the [pc] shortcode in all versions up … | Apr 15, 2026 |
| CVE-2026-4005 | MEDIUM | 6.4 | The Coachific Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'userhash' shortcode attribute in all versions up to and including 1.0. … | Apr 15, 2026 |
| CVE-2026-4002 | MEDIUM | 4.3 | The Petje.af plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 2.1.8. This is due to missing nonce … | Apr 15, 2026 |
| CVE-2026-3998 | MEDIUM | 6.4 | The WM JqMath plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'style' shortcode attribute of the [jqmath] shortcode in all versions up … | Apr 15, 2026 |
| CVE-2026-3659 | MEDIUM | 6.4 | The WP Circliful plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' shortcode attribute of the [circliful] shortcode and via multiple shortcode … | Apr 15, 2026 |
| CVE-2026-3649 | MEDIUM | 5.3 | The Katalogportal PDF Sync plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 1.0.0. The katalogportal_popup_shortcode() function is registered … | Apr 15, 2026 |
| CVE-2026-3643 | HIGH | 7.2 | The Accessibly plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the REST API in all versions up to, and including, 3.0.3. The plugin … | Apr 15, 2026 |
| CVE-2026-3642 | MEDIUM | 5.3 | The e-shot™ form builder plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 1.0.2. The eshot_form_builder_update_field_data() AJAX handler lacks … | Apr 15, 2026 |
| CVE-2026-3461 | CRITICAL | 9.8 | The Visa Acceptance Solutions plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 2.1.0. This is due to the … | Apr 15, 2026 |
| CVE-2026-1782 | MEDIUM | 5.3 | The MetForm Pro plugin for WordPress is vulnerable to Improper Input Validation in all versions up to, and including, 3.9.7 This is due to the … | Apr 15, 2026 |
| CVE-2025-52641 | LOW | 2.9 | HCL AION is affected by a vulnerability where certain system behaviours may allow exploration of internal filesystem structures. Exposure of such information may provide insights … | Apr 15, 2026 |