Security
CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
Total: 12686 | Critical: 851 | High: 3660 | Medium: 3983
| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2025-40899 | HIGH | 8.9 | A Stored Cross-Site Scripting vulnerability was discovered in the Assets and Nodes functionality due to improper validation of an input parameter. An authenticated user with … | Apr 15, 2026 |
| CVE-2025-40897 | HIGH | 8.1 | An access control vulnerability was discovered in the Threat Intelligence functionality due to a specific access restriction not being properly enforced for users with view-only … | Apr 15, 2026 |
| CVE-2026-5088 | UNKNOWN | — | Apache::API::Password versions through v0.5.2 for Perl can generate insecure random values for salts. The _make_salt and _make_salt_bcrypt methods will attempt to load Crypt::URandom and then … | Apr 15, 2026 |
| CVE-2026-6293 | MEDIUM | 4.3 | The Inquiry Form to Posts or Pages plugin for WordPress is vulnerable to Cross-Site Request Forgery leading to Stored Cross-Site Scripting in version 1.0. This … | Apr 15, 2026 |
| CVE-2026-40719 | HIGH | 7.5 | Deadwood in MaraDNS 3.5.0036 allows attackers to exhaust connection slots via a zone whose authoritative nameserver address cannot be resolved. | Apr 15, 2026 |
| CVE-2026-5160 | MEDIUM | 6.1 | Versions of the package github.com/yuin/goldmark/renderer/html before 1.7.17 are vulnerable to Cross-site Scripting (XSS) due to improper ordering of URL validation and normalization. The renderer validates … | Apr 15, 2026 |
| CVE-2026-5397 | HIGH | 7.8 | It has been identified that a vulnerability (CWE-427) exists in the UPS (Uninterruptible Power Supply) management application, whereby improper permissions on the installation directory allow … | Apr 15, 2026 |
| CVE-2026-26291 | MEDIUM | 5.4 | Stored cross-site scripting vulnerability exists in GROWI v7.4.6 and earlier. If this vulnerability is exploited, an arbitrary script may be executed in a user's web … | Apr 15, 2026 |
| CVE-2026-6328 | UNKNOWN | — | Improper input validation, Improper verification of cryptographic signature vulnerability in XQUIC Project XQUIC xquic on Linux (QUIC protocol implementation, packet processing module, STREAM frame handler … | Apr 15, 2026 |
| CVE-2026-4812 | MEDIUM | 5.3 | The Advanced Custom Fields (ACF) plugin for WordPress is vulnerable to Missing Authorization to Arbitrary Post/Page Disclosure in versions up to and including 6.7.0. This … | Apr 15, 2026 |
| CVE-2026-40499 | UNKNOWN | — | radare2 prior to version 6.1.4 contains a command injection vulnerability in the PDB parser's print_gvars() function that allows attackers to execute arbitrary commands by embedding … | Apr 15, 2026 |
| CVE-2026-40105 | UNKNOWN | — | XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Versions 10.4-rc-1, through 16.10.15, 17.0.0-rc-1, through 17.4.7 and … | Apr 15, 2026 |
| CVE-2026-40104 | UNKNOWN | — | XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Versions 1.8-rc-1, 17.0.0-rc-1 and 17.5.0-rc-1 and prior include … | Apr 15, 2026 |
| CVE-2026-40096 | UNKNOWN | — | immich is a high performance self-hosted photo and video management solution. Versions prior to 2.7.3 contain an open redirect vulnerability in the shared album functionality, … | Apr 15, 2026 |
| CVE-2026-40091 | MEDIUM | 6.0 | SpiceDB is an open source database system for creating and managing security-critical application permissions. In versions 1.49.0 through 1.51.0, when SpiceDB starts with log level … | Apr 15, 2026 |
| CVE-2026-40090 | HIGH | 7.1 | Zarf is an Airgap Native Packager Manager for Kubernetes. Versions 0.23.0 through 0.74.1 contain an arbitrary file write vulnerability in the zarf package inspect sbom … | Apr 15, 2026 |
| CVE-2026-39984 | MEDIUM | 5.5 | Sigstore Timestamp Authority is a service for issuing RFC 3161 timestamps. Versions 2.0.5 and below contain an authorization bypass vulnerability in the VerifyTimestampResponse function. VerifyTimestampResponse … | Apr 15, 2026 |
| CVE-2026-39971 | HIGH | 7.2 | Serendipity is a PHP-powered weblog engine. In versions 2.6-beta2 and below, the email sending functionality in include/functions.inc.php inserts $_SERVER['HTTP_HOST'] directly into the Message-ID SMTP header … | Apr 15, 2026 |
| CVE-2026-39963 | MEDIUM | 6.9 | Serendipity is a PHP-powered weblog engine. In versions 2.6-beta2 and below, the serendipity_setCookie() function in include/functions_config.inc.php uses $_SERVER['HTTP_HOST'] without validation as the domain parameter of … | Apr 15, 2026 |
| CVE-2026-39884 | HIGH | 8.3 | mcp-server-kubernetes is a Model Context Protocol server for Kubernetes cluster management. Versions 3.4.0 and prior contain an argument injection vulnerability in the port_forward tool in … | Apr 15, 2026 |
| CVE-2026-39842 | CRITICAL | 9.9 | OpenRemote is an open-source IoT platform. Versions 1.21.0 and below contain two interrelated expression injection vulnerabilities in the rules engine that allow arbitrary code execution … | Apr 15, 2026 |
| CVE-2026-33806 | HIGH | 7.5 | Impact: Fastify applications using schema.body.content for per-content-type body validation can have validation bypassed entirely by prepending a space to the Content-Type header. The body is … | Apr 15, 2026 |
| CVE-2026-2834 | HIGH | 7.2 | The Age Verification & Identity Verification by Token of Trust plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘description’ parameter in all … | Apr 15, 2026 |
| CVE-2026-2396 | MEDIUM | 4.4 | The List View Google Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the event description in all versions up to, and including, … | Apr 15, 2026 |
| CVE-2026-1555 | CRITICAL | 9.8 | The WebStack theme for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the io_img_upload() function in all versions up … | Apr 15, 2026 |