Security
CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
Total: 10692, Critical: 727, High: 3080, Medium: 3407
| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-8463 | MEDIUM | 5.3 | Crypt::Argon2 versions from 0.017 before 0.031 for Perl perform a heap out-of-bounds read in argon2_verify on empty encoded input. The auto-detect form of argon2_verify passes … | May 13, 2026 |
| CVE-2026-8369 | UNKNOWN | — | Improper Input Validation in the NAT64 translator in The OpenThread Authors OpenThread before commit 26a882d on all platforms allows an attacker on the adjacent IPv4 … | May 13, 2026 |
| CVE-2026-4609 | HIGH | 7.1 | The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the pm_invite_user … | May 13, 2026 |
| CVE-2026-4608 | MEDIUM | 6.5 | The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to blind SQL Injection via the 'rid' parameter in all versions up … | May 13, 2026 |
| CVE-2026-4607 | MEDIUM | 4.3 | The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 5.9.8.4. This … | May 13, 2026 |
| CVE-2026-39806 | UNKNOWN | — | Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in mtrudel bandit allows unauthenticated remote denial of service via worker process exhaustion. 'Elixir.Bandit.HTTP1.Socket':do_read_chunked_data!/5 in lib/bandit/http1/socket.ex terminates … | May 13, 2026 |
| CVE-2026-39803 | UNKNOWN | — | Allocation of Resources Without Limits or Throttling vulnerability in mtrudel bandit allows unauthenticated remote denial of service via memory exhaustion. The chunked clause of 'Elixir.Bandit.HTTP1.Socket':read_data/2 … | May 13, 2026 |
| CVE-2026-37430 | UNKNOWN | — | An arbitrary file upload vulnerability in the ShopOrderImportController.java component of qihang-wms commit 75c15a allows attackers to execute arbitrary code via uploading a crafted file. | May 13, 2026 |
| CVE-2026-37429 | MEDIUM | 6.5 | qihang-wms commit 75c15a was discovered to contain a SQL injection vulnerability via the datascope parameter in the SysUserMapper.xml file. This vulnerability allows attackers to access … | May 13, 2026 |
| CVE-2026-37428 | MEDIUM | 6.5 | qihang-wms commit 75c15a was discovered to contain a SQL injection vulnerability via the datascope parameter in the SysDeptMapper.xml file. This vulnerability allows attackers to access … | May 13, 2026 |
| CVE-2026-6177 | HIGH | 7.2 | The Custom Twitter Feeds plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to and including 2.5.4. This is due to insufficient … | May 13, 2026 |
| CVE-2026-42961 | MEDIUM | 4.3 | ELECOM wireless LAN access point devices implement CSRF protection mechanism, but with inadequate handling of CSRF tokens. If a user views a malicious page while … | May 13, 2026 |
| CVE-2026-42950 | MEDIUM | 4.3 | ELECOM wireless LAN access point devices do not check if language parameter has an appropriate value. If a user views a malicious page while logged … | May 13, 2026 |
| CVE-2026-42948 | MEDIUM | 4.8 | Stored cross-site scripting vulnerability exists in ELECOM wireless LAN access point devices. If one of the administrators input malicious data, an arbitrary script may be … | May 13, 2026 |
| CVE-2026-42062 | CRITICAL | 9.8 | ELECOM wireless LAN access point devices contain an OS command injection in processing of username parameter. If processing a crafted request, an arbitrary OS command … | May 13, 2026 |
| CVE-2026-40621 | CRITICAL | 9.8 | ELECOM wireless LAN access point devices do not require authentication to access some specific URLs. The affected product may be operated without authentication. | May 13, 2026 |
| CVE-2026-3426 | MEDIUM | 4.3 | The RTMKit Addons for Elementor plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on the save_widget() and reset_all_widgets() … | May 13, 2026 |
| CVE-2026-3425 | HIGH | 8.8 | The RTMKit Addons for Elementor plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.0.2 via the 'path' … | May 13, 2026 |
| CVE-2026-35506 | HIGH | 7.2 | ELECOM wireless LAN access point devices contain an OS command injection vulnerability in processing of ping_ip_addr parameter. If processing a crafted request sent by a … | May 13, 2026 |
| CVE-2026-25107 | MEDIUM | 6.5 | ELECOM wireless LAN access point devices use a hard-coded cryptographic key when creating backups of configuration files. An attacker who knows the encryption key can … | May 13, 2026 |
| CVE-2026-7168 | MEDIUM | 5.3 | Successfully using libcurl to do a transfer over a specific HTTP proxy (`proxyA`) with **Digest** authentication and then changing the proxy host to a second … | May 13, 2026 |
| CVE-2026-7009 | MEDIUM | 5.3 | When curl is told to use the Certificate Status Request TLS extension, often referred to as *OCSP stapling*, to verify that the server certificate is … | May 13, 2026 |
| CVE-2026-6429 | MEDIUM | 5.3 | When asked to both use a `.netrc` file for credentials and to follow HTTP redirects, libcurl could leak the password used for the first host … | May 13, 2026 |
| CVE-2026-6276 | HIGH | 7.5 | Using libcurl, when a custom `Host:` header is first set for an HTTP request and a second request is subsequently done using the same *easy … | May 13, 2026 |
| CVE-2026-6253 | MEDIUM | 5.9 | curl might erroneously pass on credentials for a first proxy to a second proxy. This can happen when the following conditions are true: 1. curl … | May 13, 2026 |