CVE Field Guide

Critical CVEs

CVE Title Updated Score
CVE-2026-6270 @fastify/middie vulnerable to middleware authentication bypass in child plugin scopes 16.04.2026 9.1
CVE-2026-31843 16.04.2026 10
CVE-2026-3596 Riaxe Product Customizer <= 2.1.2 - Missing Authorization to Unauthenticated Arbitrary Options Update to Privilege Escalation via 'install-imprint' AJAX Action 16.04.2026 9.8
CVE-2026-6348 Simopro Technology|WinMatrix - Missing Authentication 16.04.2026 9.3
CVE-2026-6349 HGiga|iSherlock - OS Command Injection 16.04.2026 10
CVE-2026-6350 Openfind|MailGates/MailAudit - Stack-based Buffer Overflow 16.04.2026 9.3
CVE-2026-40504 Creolabs Gravity < 0.9.6 Heap Buffer Overflow via gravity_vm_exec 16.04.2026 9.3
CVE-2026-40959 16.04.2026 9.3
CVE-2026-4880 Barcode Scanner (+Mobile App) <= 1.11.0 - Unauthenticated Privilege Escalation via Insecure Token Authentication 16.04.2026 9.8
CVE-2026-6388 Argocd-image-updater: argocd image updater: cross-namespace privilege escalation via insufficient namespace validation 16.04.2026 9.1
CVE-2026-40173 Dgraph: Unauthenticated pprof endpoint leaks admin auth token 16.04.2026 9.4
CVE-2025-41118 Sensitive COS `SecretKey` exposed in plaintext via configuration API due to missing type protection 15.04.2026 9.1
CVE-2026-5189 Nexus Repository 3 - Hardcoded Credential in Internal Database Component 16.04.2026 9.2
CVE-2025-15610 15.04.2026 9.3
CVE-2026-20147 Cisco Identity Services Engine Remote Code Execution Vulnerability 16.04.2026 9.9
CVE-2026-20180 Cisco Identity Services Engine Multiple Remote Code Execution Vulnerability 16.04.2026 9.9
CVE-2026-20184 Cisco Webex Meetings Certificate Validation Vulnerability 16.04.2026 9.8
CVE-2026-20186 Cisco Identity Services Engine Multiple Authenticated Remote Code Execution Vulnerability 16.04.2026 9.9
CVE-2026-5387 AVEVA Pipeline Simulation Missing Authorization 15.04.2026 9.3
CVE-2026-33805 @fastify/reply-from vulnerable to connection header abuse enabling stripping of proxy-added headers 15.04.2026 9
CVE-2026-33807 @fastify/express vulnerable to middleware path doubling causing authentication bypass in child plugin scopes 15.04.2026 9.1
CVE-2026-33808 @fastify/express vulnerable to middleware authentication bypass via URL normalization gaps (duplicate slashes and semicolons) 15.04.2026 9.1
CVE-2025-14813 GOSTCTR implementation unable to process more than 255 blocks correctly 15.04.2026 9.3
CVE-2026-5598 Non-constant time comparisons risk private key leakage in FrodoKEM. 15.04.2026 10
CVE-2026-3461 Visa Acceptance Solutions <= 2.1.0 - Unauthenticated Authentication Bypass via Billing Email 15.04.2026 9.8
CVE-2026-1555 WebStack <= 1.2024 - Unauthenticated Arbitrary File Upload 15.04.2026 9.8
CVE-2026-39842 OpenRemote is Vulnerable to Expression Injection 16.04.2026 10
CVE-2026-39399 NuGet Gallery: Arbitrary Blob Overwrite via Nuspec Confusion and URI Fragment Truncation 15.04.2026 9.6
CVE-2026-34457 OAuth2 Proxy: Health Check User-Agent Matching Bypasses Authentication in auth_request Mode 15.04.2026 9.1
CVE-2026-35031 Jellyfin: Potential RCE via subtitle upload path traversal + .strm chain 16.04.2026 10
CVE-2026-35033 Jellyfin: Potential SSRF + Arbitrary file read via stream argument injection 15.04.2026 9.3
CVE-2026-27304 ColdFusion | Improper Input Validation (CWE-20) 15.04.2026 9.3
CVE-2026-27243 Adobe Connect | Cross-site Scripting (Reflected XSS) (CWE-79) 14.04.2026 9.3
CVE-2026-27245 Adobe Connect | Cross-site Scripting (Reflected XSS) (CWE-79) 14.04.2026 9.3
CVE-2026-27246 Adobe Connect | Cross-site Scripting (DOM-based XSS) (CWE-79) 14.04.2026 9.3
CVE-2026-27303 Adobe Connect | Deserialization of Untrusted Data (CWE-502) 15.04.2026 9.6
CVE-2026-34615 Adobe Connect | Deserialization of Untrusted Data (CWE-502) 15.04.2026 9.3
CVE-2026-26149 Microsoft Power Apps Security Feature Bypass 16.04.2026 9
CVE-2026-33824 Windows Internet Key Exchange (IKE) Service Extensions Remote Code Execution Vulnerability 16.04.2026 9.8
CVE-2026-39808 15.04.2026 9.1
CVE-2026-39813 15.04.2026 9.1
CVE-2025-63939 14.04.2026 9.8
CVE-2025-65135 14.04.2026 9.8
CVE-2026-38526 14.04.2026 9.9
CVE-2025-8095 Recoverable obfuscation using the OECH1 prefix encoding in OpenEdge 15.04.2026 9.1
CVE-2026-2449 14.04.2026 9
CVE-2026-40288 PraisonAI: Critical RCE via `type: job` workflow YAML 14.04.2026 9.8
CVE-2026-40289 PraisonAI Browser Server allows unauthenticated WebSocket clients to hijack connected extension sessions 14.04.2026 9.1
CVE-2026-40313 PraisonAI: ArtiPACKED Vulnerability via GitHub Actions Credential Persistence 14.04.2026 9.1
CVE-2026-6264 Critical Security fix for the Talend JobServer and Talend Runtime 16.04.2026 9.8
CVE-2026-4365 LearnPress <= 4.3.2.8 - Missing Authorization to Unauthenticated Arbitrary Quiz Answer Deletion 14.04.2026 9.1
CVE-2026-27681 SQL Injection vulnerability in SAP Business Planning and Consolidation and SAP Business Warehouse 14.04.2026 9.9
CVE-2026-22562 14.04.2026 9.8
CVE-2026-22563 14.04.2026 9.8
CVE-2026-22564 14.04.2026 9.8
CVE-2026-40042 Pachno 1.0.6 Wiki TextParser XML External Entity Injection 14.04.2026 9.3
CVE-2026-40044 Pachno 1.0.6 FileCache Deserialization Remote Code Execution 13.04.2026 9.3
CVE-2026-6100 Use-after-free in lzma.LZMADecompressor, bz2.BZ2Decompressor, and gzip.GzipFile after re-use under memory pressure 14.04.2026 9.1
CVE-2026-6195 Totolink A7100RU CGI cstecgi.cgi setPasswordCfg os command injection 13.04.2026 9.3
CVE-2026-23891 Decidim has a Cross-site scripting (XSS) vulnerability via user name field 14.04.2026 9.3
CVE-2026-4810 Remote Code Execution in Google Agent Development Kit (ADK) 13.04.2026 9.3
CVE-2026-34865 13.04.2026 10
CVE-2026-6154 Totolink A7100RU CGI cstecgi.cgi setWizardCfg os command injection 13.04.2026 9.3
CVE-2026-6155 Totolink A7100RU CGI cstecgi.cgi setWanCfg os command injection 14.04.2026 9.3
CVE-2026-6156 Totolink A7100RU CGI cstecgi.cgi setIpQosRules os command injection 13.04.2026 9.3
CVE-2026-6139 Totolink A7100RU CGI cstecgi.cgi UploadOpenVpnCert os command injection 14.04.2026 9.3
CVE-2026-6140 Totolink A7100RU CGI cstecgi.cgi UploadFirmwareFile os command injection 13.04.2026 9.3
CVE-2026-6138 Totolink A7100RU CGI cstecgi.cgi setAccessDeviceCfg os command injection 13.04.2026 9.3
CVE-2026-6132 Totolink A7100RU CGI cstecgi.cgi setLedCfg os command injection 13.04.2026 9.3
CVE-2026-6131 Totolink A7100RU CGI cstecgi.cgi setTracerouteCfg os command injection 14.04.2026 9.3
CVE-2019-25709 CF Image Hosting Script 1.6.5 Unauthorized Database Access 15.04.2026 9.3
CVE-2026-6115 Totolink A7100RU CGI cstecgi.cgi setAppCfg os command injection 13.04.2026 9.3
CVE-2026-6116 Totolink A7100RU CGI cstecgi.cgi setDiagnosisCfg os command injection 13.04.2026 9.3
CVE-2026-6112 Totolink A7100RU CGI cstecgi.cgi setRadvdCfg os command injection 15.04.2026 9.3
CVE-2026-6113 Totolink A7100RU CGI cstecgi.cgi setTtyServiceCfg os command injection 14.04.2026 9.3
CVE-2026-6114 Totolink A7100RU CGI cstecgi.cgi setNetworkCfg os command injection 14.04.2026 9.3
CVE-2026-31845 13.04.2026 9.3
CVE-2026-4149 Sonos Era 300 SMB Response Out-Of-Bounds Access Remote Code Execution Vulnerability 13.04.2026 10
CVE-2026-5058 aws-mcp-server Command Injection Remote Code Execution Vulnerability 13.04.2026 9.8
CVE-2026-5059 aws-mcp-server AWS CLI Command Injection Remote Code Execution Vulnerability 13.04.2026 9.8
CVE-2026-40189 goshs has a file-based ACL authorization bypass in goshs state-changing routes 13.04.2026 9.3
CVE-2026-40175 Axios has Unrestricted Cloud Metadata Exfiltration via Header Injection Chain 14.04.2026 10
CVE-2026-40177 Password bypass when 2FA is activated 14.04.2026 9.3
CVE-2026-33707 Weak Password Recovery Mechanism for Forgotten Password in chamilo/chamilo-lms 13.04.2026 9.4
CVE-2026-33698 Chamilo LMS affected by unauthenticated RCE in main/install folder 15.04.2026 9.3
CVE-2026-32892 OS Command Injection in Chamilo LMS 1.11.36 14.04.2026 9.1
CVE-2026-40157 PraisonAI affected by arbitrary file write via path traversal in `praisonai recipe unpack` 14.04.2026 9.4
CVE-2026-5412 Juju CloudSpec API could leak sensitive information 10.04.2026 9.9
CVE-2026-1115 Stored XSS in parisneo/lollms 10.04.2026 9.6
CVE-2026-6028 Totolink A7100RU CGI cstecgi.cgi setPptpServerCfg os command injection 10.04.2026 9.3
CVE-2026-6029 Totolink A7100RU CGI cstecgi.cgi setVpnAccountCfg os command injection 10.04.2026 9.3
CVE-2026-6026 Totolink A7100RU CGI cstecgi.cgi setPortalConfWeChat os command injection 10.04.2026 9.3
CVE-2026-6027 Totolink A7100RU CGI cstecgi.cgi setUrlFilterRules os command injection 14.04.2026 9.3
CVE-2026-6025 Totolink A7100RU CGI cstecgi.cgi setSyslogCfg os command injection 10.04.2026 9.3
CVE-2026-5996 Totolink A7100RU CGI cstecgi.cgi setAdvancedInfoShow os command injection 14.04.2026 9.3
CVE-2026-5997 Totolink A7100RU CGI cstecgi.cgi setLoginPasswordCfg os command injection 10.04.2026 9.3
CVE-2026-5993 Totolink A7100RU CGI cstecgi.cgi setWiFiGuestCfg os command injection 14.04.2026 9.3
CVE-2026-5994 Totolink A7100RU CGI cstecgi.cgi setTelnetCfg os command injection 10.04.2026 9.3
CVE-2026-5995 Totolink A7100RU CGI cstecgi.cgi setMiniuiHomeInfoShow os command injection 10.04.2026 9.3
CVE-2026-34424 Smart Slider 3 Pro 3.5.1.35 Supply Chain Attack Remote Access Toolkit 14.04.2026 9.3
CVE-2026-33771 CTP OS: Configuring password requirements does not work which permits the use of weak passwords 13.04.2026 9.1
CVE-2026-33784 JSI Virtual Lightweight Collector: Default password is not required to be changed which allows unauthorized high-privileged access 13.04.2026 9.3
CVE-2026-40154 PraisonAI Affected by Untrusted Remote Template Code Execution 10.04.2026 9.3
CVE-2026-40111 PraisonAIAgents has an OS Command Injection via shell=True in Memory Hooks Executor (memory/hooks.py) 13.04.2026 9.3
CVE-2026-5977 Totolink A7100RU CGI cstecgi.cgi setWiFiBasicCfg os command injection 14.04.2026 9.3
CVE-2026-5978 Totolink A7100RU CGI cstecgi.cgi setWiFiAclRules os command injection 14.04.2026 9.3
CVE-2026-5976 Totolink A7100RU CGI cstecgi.cgi setStorageCfg os command injection 13.04.2026 9.3
CVE-2025-13926 Contemporary Controls BASC 20T Reliance on Untrusted Inputs in a Security Decision 10.04.2026 9.3
CVE-2026-40088 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in praisonai 09.04.2026 9.7
CVE-2026-40089 Sonicverse has Server-Side Request Forgery via user-controlled URLs in dashboard API client 13.04.2026 9.9
CVE-2026-5194 wolfSSL ECDSA Certificate Verification 10.04.2026 9.3
CVE-2026-5975 Totolink A7100RU CGI cstecgi.cgi setDmzCfg os command injection 09.04.2026 9.3
CVE-2026-28205 Initialization of a resource with an insecure default in OpenPLC_V3 10.04.2026 9.2
CVE-2026-34971 Wasmtime miscompiled guest heap access enables sandbox escape on aarch64 Cranelift 13.04.2026 9
CVE-2026-34987 Wasmtime with Winch compiler backend on aarch64 may allow a sandbox-escaping memory access 10.04.2026 9
CVE-2026-35556 Plaintext storage of a password in OpenPLC_V3 10.04.2026 9.2
CVE-2026-39912 v2board / Xboard Authentication Token Exposure via loginWithMailLink 13.04.2026 9.1

Latest Updates

CVE Title Updated Score
CVE-2026-37100 16.04.2026
CVE-2026-5426 KnowledgeDeliver deployments before February 24, 2026 use a static ASP.NET/IIS machineKey value 16.04.2026
CVE-2026-30656 16.04.2026
CVE-2026-37336 16.04.2026
CVE-2026-37337 16.04.2026
CVE-2026-37338 16.04.2026
CVE-2026-37339 16.04.2026
CVE-2026-37340 16.04.2026
CVE-2026-37341 16.04.2026
CVE-2026-37342 16.04.2026
CVE-2026-37343 16.04.2026
CVE-2026-37344 16.04.2026
CVE-2026-37345 16.04.2026
CVE-2026-37346 16.04.2026
CVE-2026-37347 16.04.2026
CVE-2026-3324 Authentication Bypass 16.04.2026 8.2
CVE-2026-6409 Denial of Service (DoS) vulnerability exists in the Protobuf PHP library during the parsing of untrusted input 16.04.2026
CVE-2026-2840 Email Encoder – Protect Email Addresses and Phone Numbers <= 2.4.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via eeb_mailto Shortcode 16.04.2026 6.4
CVE-2026-30459 16.04.2026
CVE-2026-33804 @fastify/middie vulnerable to middleware bypass via deprecated ignoreDuplicateSlashes option 16.04.2026 7.4
CVE-2026-31987 Apache Airflow: JWT token appearing in logs 16.04.2026
CVE-2026-4160 Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder <= 6.1.21 - Insecure Direct Object Reference in Stripe SCA Confirmation to Unauthenticated Payment Status Modification 16.04.2026 5.3
CVE-2026-5785 SQL Injection 16.04.2026 8.1
CVE-2026-6270 @fastify/middie vulnerable to middleware authentication bypass in child plugin scopes 16.04.2026 9.1
CVE-2026-6410 @fastify/static vulnerable to path traversal in directory listing 16.04.2026 5.3
CVE-2026-31843 16.04.2026
CVE-2026-6414 @fastify/static vulnerable to route guard bypass via encoded path separators 16.04.2026 5.9
CVE-2025-15621 Sparx Enterprise Architect Client does not verify the receiver of OAuth2 credentials during OpenID authentication 16.04.2026
CVE-2026-5968 16.04.2026
CVE-2026-3155 OneSignal – Web Push Notifications <= 3.8.0 - Missing Authorization to Authenticated (Subscriber+) Post Meta Deletion via 'post_id' 16.04.2026 3.1
CVE-2026-3369 Better Find and Replace – AI-Powered Suggestions <= 1.7.9 - Authenticated (Author+) Stored Cross-Site Scripting via Uploaded Image Title 16.04.2026 5.4
CVE-2026-3489 DirectoryPress – Business Directory And Classified Ad Listing <= 3.6.26 - Unauthenticated SQL Injection via 'packages' 16.04.2026 7.5
CVE-2025-12624 Improper Token Invalidation in WSO2 Identity Server Allows Access After Account Lock 16.04.2026 6
CVE-2024-10242 Reflected Cross-Site Scripting via Authentication Endpoint in WSO2 API Manager Allows UI Modification and Redirection 16.04.2026 6.1
CVE-2024-4867 Cross-Site Scripting via Developer Portal in WSO2 API Manager Enables UI Modification and Information Retrieval 16.04.2026 5.4
CVE-2024-8010 XML External Entity Injection via Publisher in WSO2 API Manager Allows Reading Arbitrary Files 16.04.2026 3.5
CVE-2025-6024 Cross-Site Scripting via Authentication Endpoint in Multiple WSO2 Products Allows Redirection to Malicious Websites 16.04.2026 6.1
CVE-2026-23772 16.04.2026 7.3
CVE-2024-2374 XML External Entity Injection in Multiple WSO2 Products Allows Arbitrary file read and Denial of Service 16.04.2026 7.5
CVE-2025-14868 Career Section <= 1.6 - Cross-Site Request Forgery to Arbitrary File Deletion 16.04.2026 8.8
CVE-2026-0718 Post Grid Gutenberg Blocks for News, Magazines, Blog Websites – PostX <= 5.0.5 - Missing Authorization to Limited Post Meta Modification 16.04.2026 5.3
CVE-2025-13364 WP Maps – Store Locator,Google Maps,OpenStreetMap,Mapbox,Listing,Directory & Filters <= 4.8.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'put_wpgm' Shortcode 16.04.2026 6.4
CVE-2026-1572 Livemesh Addons by Elementor <= 9.0 - Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting via Plugin Settings 16.04.2026 6.4
CVE-2026-1620 Livemesh Addons by Elementor <= 9.0 - Authenticated (Contributor+) Local File Inclusion via Widget Template Parameter 16.04.2026 8.8
CVE-2026-3355 Customer Reviews for WooCommerce <= 5.101.0 - Reflected Cross-Site Scripting via 'crsearch' 16.04.2026 6.1
CVE-2026-3875 BetterDocs <= 4.3.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes 16.04.2026 6.4
CVE-2026-3876 Prismatic <= 3.7.3 - Unauthenticated Stored Cross-Site Scripting via 'prismatic_encoded' Pseudo-Shortcode 16.04.2026 7.2
CVE-2026-3995 OPEN-BRAIN <= 0.5.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'API Key' Setting 16.04.2026 4.4
CVE-2026-41035 16.04.2026 7.4
CVE-2026-3861 16.04.2026 6.5
CVE-2026-41030 16.04.2026 6.2
CVE-2026-41034 16.04.2026 5
CVE-2026-22617 16.04.2026 5.7
CVE-2026-22618 16.04.2026 5.9
CVE-2026-22619 16.04.2026 7.8
CVE-2026-3551 Custom New User Notification <= 1.2.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'User Mail Subject' Setting 16.04.2026 4.4
CVE-2026-3581 Basic Google Maps Placemarks <= 1.10.7 - Missing Authorization to Unauthenticated Default Map Coordinate Update 16.04.2026 5.3
CVE-2026-3595 Riaxe Product Customizer <= 2.1.2 - Unauthenticated Arbitrary User Deletion via 'user_id' Parameter 16.04.2026 5.3
CVE-2026-3596 Riaxe Product Customizer <= 2.1.2 - Missing Authorization to Unauthenticated Arbitrary Options Update to Privilege Escalation via 'install-imprint' AJAX Action 16.04.2026 9.8
CVE-2026-3599 Riaxe Product Customizer <= 2.1.2 - Unauthenticated SQL Injection via 'options' Parameter Keys in product_data 16.04.2026 7.5
CVE-2026-3614 AcyMailing 9.11.0 - 10.8.1 - Missing Authorization to Authenticated (Subscriber+) Privilege Escalation 16.04.2026 8.8
CVE-2026-3773 Accessibility Suite by Ability, Inc <= 4.20 - Authenticated (Subscriber+) SQL Injection via 'scan_id' Parameter 16.04.2026 6.5
CVE-2026-5050 Payment Gateway for Redsys & WooCommerce Lite <= 7.0.0 - Improper Verification of Cryptographic Signature to Unauthenticated Payment Status Manipulation 16.04.2026 7.5
CVE-2023-3634 Festo: MSE6-C2M/D2M/E2M Incomplete User Documentation of Remote Accessible Functions 16.04.2026 8.8
CVE-2023-5872 Wago: Vulnerability in Smart Designer Web-Application 16.04.2026 4.3
CVE-2026-22615 16.04.2026 6
CVE-2026-22616 16.04.2026 6.5
CVE-2026-40118 16.04.2026
CVE-2026-3878 WP Docs <= 2.2.9 - Authenticated (Subscriber+) Stored Cross-Site Scripting via 'wpdocs_options[icon_size]' 16.04.2026 6.4
CVE-2026-4032 CodeColorer <= 0.10.1 - Unauthenticated Stored Cross-Site Scripting via 'class' attribute in 'cc' Comment Shortcode 16.04.2026 6.1
CVE-2026-5070 Vantage <= 1.20.32 - Authenticated (Contributor+) Stored Cross-Site Scripting via Gallery Block Text Content 16.04.2026 6.4
CVE-2026-1880 16.04.2026
CVE-2026-3428 16.04.2026
CVE-2026-3885 WP Shortcodes Plugin — Shortcodes Ultimate <= 7.4.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via su_box Shortcode 16.04.2026 6.4
CVE-2026-41015 16.04.2026 7.4
CVE-2026-6348 Simopro Technology|WinMatrix - Missing Authentication 16.04.2026
CVE-2026-6349 HGiga|iSherlock - OS Command Injection 16.04.2026
CVE-2026-6350 Openfind|MailGates/MailAudit - Stack-based Buffer Overflow 16.04.2026
CVE-2026-6351 Openfind|MailGates/MailAudit - CRLF Injection 16.04.2026
CVE-2026-3299 WP YouTube Lyte <= 1.7.29 - Authenticated (Contributor+) Stored Cross-Site Scripting via lyte Shortcode 16.04.2026 6.4
CVE-2026-40504 Creolabs Gravity < 0.9.6 Heap Buffer Overflow via gravity_vm_exec 16.04.2026
CVE-2026-40505 MuPDF mutool ANSI Injection via Metadata 16.04.2026
CVE-2026-40962 16.04.2026 4.9
CVE-2026-40502 OpenHarness Remote Administrative Command Injection via Gateway Handler 16.04.2026
CVE-2026-40503 OpenHarness Path Traversal Information Disclosure via /memory show 16.04.2026
CVE-2026-40959 16.04.2026 9.3
CVE-2026-40960 16.04.2026 8.1
CVE-2026-5363 Use of weak cryptographic key in TP-Link Archer C7 16.04.2026
CVE-2026-40193 Maddy Mail Server: LDAP Filter Injection via Unsanitized Username 16.04.2026 8.2
CVE-2026-40245 Free5GC: UDR nudr-dr influenceData/subs-to-notify leaks SUPI in error response body without authentication 16.04.2026 7.5
CVE-2026-40947 16.04.2026 2.9
CVE-2026-4880 Barcode Scanner (+Mobile App) <= 1.11.0 - Unauthenticated Privilege Escalation via Insecure Token Authentication 16.04.2026 9.8
CVE-2026-40192 Pillow is vulnerable to a FITS GZIP decompression bomb 16.04.2026
CVE-2026-39350 Istio AuthorizationPolicy Incorrect Regex Matching of Dots in serviceAccounts Fields Allows Policy Bypass 16.04.2026 5.4
CVE-2026-40316 OWASP BLT has RCE in Github Actions via untrusted Django model execution in workflow 16.04.2026 8.8
CVE-2026-40179 Prometheus: Stored XSS via metric names and label values in web UI tooltips and metrics explorer 16.04.2026
CVE-2026-4949 ProfilePress <= 4.16.12 - Missing Authorization to Authenticated (Subscriber+) Inactive Membership Plan Subscription 16.04.2026 4.3
CVE-2026-6388 Argocd-image-updater: argocd image updater: cross-namespace privilege escalation via insufficient namespace validation 16.04.2026
CVE-2026-1564 Pega Platform versions 8.1.0 through 25.1.1 are affected by an HTML Injection vulnerability in a user interface component. Requires a high privileged user with a developer role. 16.04.2026
CVE-2026-1711 Pega Platform versions 8.1.0 through 25.1.1 are affected by a Stored Cross-Site Scripting vulnerability in a user interface component. Requires a high privileged user with a developer role. 16.04.2026
CVE-2026-40500 ProcessWire CMS SSRF via Add Module From URL 16.04.2026
CVE-2026-40261 Composer has Command Injection via Malicious Perforce Reference 16.04.2026 8.8
CVE-2026-22676 Barracuda RMM < 2025.2.2 Privilege Escalation via Insecure Directory Permissions 16.04.2026
CVE-2026-40173 Dgraph: Unauthenticated pprof endpoint leaks admin auth token 16.04.2026 9.4
CVE-2026-40176 Composer is vulnerable to Command Injection via Malicious Perforce Repository 16.04.2026 7.8
CVE-2026-40186 ApostropheCMS: sanitize-html allowedTags Bypass via Entity-Decoded Text in nonTextTags Elements 16.04.2026 6.1
CVE-2026-6398 15.04.2026
CVE-2026-21726 Loki Path Traversal - CVE-2021-36156 Bypass 15.04.2026 5.3
CVE-2026-33888 ApostropheCMS: publicApiProjection Bypass via `project` Query Builder in Piece-Type REST API 15.04.2026 5.3
CVE-2026-33889 ApostropheCMS: Stored XSS via CSS Custom Property Injection in `@apostrophecms/color-field` Escaping Style Tag Context 16.04.2026 5.4
CVE-2026-35569 ApostropheCMS: Stored XSS in SEO Fields Leads to Authenticated API Data Exposure in ApostropheCMS 16.04.2026 8.7
CVE-2026-39857 Information Disclosure via `choices`/`counts` Query Parameters Bypassing publicApiProjection Field Restrictions 16.04.2026 5.3
CVE-2025-41118 Sensitive COS `SecretKey` exposed in plaintext via configuration API due to missing type protection 15.04.2026 9.1
CVE-2026-21727 Grafana Correlations: Cross-Tenant Data Disclosure and Permanent Deletion via Legacy org_id=0 Record 15.04.2026 3.3
CVE-2026-33877 ApostropheCMS: User Enumeration via Timing Side Channel in Password Reset Endpoint 15.04.2026 3.7
CVE-2026-40915 Gimp: gimp: heap buffer overflow due to integer overflow in fits image loader 15.04.2026
CVE-2026-40916 Gimp: gimp: denial of service due to stack buffer overflow in tim image loader 15.04.2026
CVE-2026-40917 Gimp: gimp: application crashes or information disclosure via crafted icns image files 15.04.2026
CVE-2026-40918 Gimp: gimp: denial of service via crafted pvr image file 16.04.2026
CVE-2026-40919 Gimp: gimp: denial of service via specially crafted seattle filmworks file 15.04.2026
CVE-2026-6296 16.04.2026
CVE-2026-6297 16.04.2026
CVE-2026-6298 15.04.2026
CVE-2026-6299 16.04.2026
CVE-2026-6300 16.04.2026
CVE-2026-6301 16.04.2026
CVE-2026-6302 16.04.2026
CVE-2026-6303 16.04.2026
CVE-2026-6304 16.04.2026
CVE-2026-6305 16.04.2026
CVE-2026-6306 16.04.2026
CVE-2026-6307 16.04.2026
CVE-2026-6308 16.04.2026
CVE-2026-6309 16.04.2026
CVE-2026-6310 16.04.2026
CVE-2026-6311 16.04.2026
CVE-2026-6312 15.04.2026
CVE-2026-6313 15.04.2026
CVE-2026-6314 16.04.2026
CVE-2026-6315 16.04.2026
CVE-2026-6316 16.04.2026
CVE-2026-6317 16.04.2026
CVE-2026-6318 16.04.2026
CVE-2026-6319 16.04.2026
CVE-2026-6358 16.04.2026
CVE-2026-6359 16.04.2026
CVE-2026-6360 16.04.2026
CVE-2026-6361 16.04.2026
CVE-2026-6362 16.04.2026
CVE-2026-6363 16.04.2026
CVE-2026-6364 16.04.2026
CVE-2026-6384 Gimp: gimp: arbitrary code execution or denial of service via buffer overflow in gif image processing 16.04.2026
CVE-2026-6385 Ffmpeg: ffmpeg: denial of service and potential arbitrary code execution via signed integer overflow in dvd subtitle parser 15.04.2026