CVE Field Guide

Critical CVEs

| CVE | Title | Updated | Score |
|---|---|---|---|
| CVE-2025-14815 | Information Disclosure, Tampering, and Denial-of-Service Vulnerabilities in GENESIS64, ICONICS Suite, MobileHMI, Hyper Historian, AnalytiX, GENESIS, and MC Works64 | 08.04.2026 | 9.3 |
| CVE-2025-14816 | Information Disclosure, Tampering, and Denial-of-Service Vulnerabilities in GENESIS64, ICONICS Suite, MobileHMI, Hyper Historian, AnalytiX, GENESIS, and MC Works64 | 08.04.2026 | 9.3 |
| CVE-2026-25776 | | 08.04.2026 | 9.3 |
| CVE-2026-3535 | DSGVO Google Web Fonts GDPR <= 1.1 - Unauthenticated Arbitrary File Upload via 'fonturl' Parameter | 08.04.2026 | 9.8 |
| CVE-2026-4003 | Users manager – PN <= 1.1.15 - Unauthenticated Privilege Escalation via Account Takeover via 'userspn_form_save' AJAX Action | 08.04.2026 | 9.8 |
| CVE-2026-3296 | Everest Forms <= 3.4.3 - Unauthenticated PHP Object Injection via Form Entry Metadata | 08.04.2026 | 9.8 |
| CVE-2026-1346 | Security Vulnerabilities have been found in IBM Verify Identity Access and IBM Security Verify Access | 08.04.2026 | 9.3 |
| CVE-2026-39933 | Multiple XSS vulnerabilities in GlobalWatchlist | 08.04.2026 | 10 |
| CVE-2026-34078 | Flatpak has a complete sandbox escape leading to host file access and code execution in the host context | 08.04.2026 | 9.3 |
| CVE-2026-39846 | SiYuan affected by Remote Code Execution in the Electron desktop client via stored XSS in synced table captions | 08.04.2026 | 9.1 |
| CVE-2026-39847 | Emmett has a path traversal in internal assets handler | 08.04.2026 | 9.1 |
| CVE-2026-34580 | Botan has a certificate authentication bypass due to trust anchor confusion | 08.04.2026 | 9.3 |
| CVE-2026-33439 | Pre-Authentication Remote Code Execution via `jato.clientSession` Deserialization in OpenAM | 07.04.2026 | 9.3 |
| CVE-2026-39397 | @delmaredigital/payload-puc is missing authorization on /api/puck/* CRUD endpoints allows unauthenticated access to Puck-registered collections | 07.04.2026 | 9.4 |
| CVE-2026-39382 | dbt has a Command Injection in Reusable Workflow via Unsanitized comment-body Output | 07.04.2026 | 9.3 |
| CVE-2026-39322 | PolarLearn: Any password authenticates banned accounts and grants API access | 07.04.2026 | 9.2 |
| CVE-2026-39355 | Genealogy is Missing Authorization in `TeamController::transferOwnership()` Allows Any Authenticated User to Hijack Any Team (Broken Access Control) | 07.04.2026 | 10 |
| CVE-2026-39324 | Rack::Session::Cookie secrets: decrypt failure fallback enables secretless session forgery and Marshal deserialization | 07.04.2026 | 9.3 |
| CVE-2026-39337 | ChurchCRM Affected by Unauthenticated RCE in Install Wizard | 07.04.2026 | 10 |
| CVE-2026-39339 | ChurchCRM has an API Authentication Bypass | 07.04.2026 | 9.1 |
| CVE-2026-39342 | ChurchCRM has a SQL injection searchwhat parameter via QueryView.php | 07.04.2026 | 9.4 |
| CVE-2026-35573 | ChurchCRM has a Path traversal leads to RCE | 07.04.2026 | 9.1 |
| CVE-2026-23696 | Windmill < 1.603.3 File Ownership Handling SQLi RCE | 08.04.2026 | 9.4 |
| CVE-2026-35614 | Frappe has a SQL injection in bulk_update | 07.04.2026 | 9.3 |
| CVE-2026-35615 | PraisonAI has a Path Traversal in FileTools | 07.04.2026 | 9.2 |
| CVE-2026-39305 | Arbitrary File Write / Path Traversal in Action Orchestrator | 07.04.2026 | 9 |
| CVE-2026-4631 | Cockpit: cockpit: unauthenticated remote code execution due to ssh command-line argument injection | 08.04.2026 | 9.8 |
| CVE-2026-35580 | Emissary has GitHub Actions Shell Injection via Workflow Inputs | 07.04.2026 | 9.1 |
| CVE-2026-35490 | changedetection.io has an Authentication Bypass via Decorator Ordering | 07.04.2026 | 9.8 |
| CVE-2026-20889 | | 08.04.2026 | 9.8 |
| CVE-2026-20911 | | 08.04.2026 | 9.8 |
| CVE-2026-21413 | | 08.04.2026 | 9.8 |
| CVE-2026-5627 | Path Traversal in mintplex-labs/anything-llm | 07.04.2026 | 9.1 |
| CVE-2021-4473 | Tianxin Internet Behavior Management System Command Injection via toQuery.php | 08.04.2026 | 9.3 |
| CVE-2026-22679 | Weaver E-cology 10.0 Unauthenticated RCE via dubboApi Debug Endpoint | 07.04.2026 | 9.3 |
| CVE-2025-39666 | omd: Local privilege escalation when executing omd commands as root | 07.04.2026 | 9.3 |
| CVE-2026-1114 | Improper Access Control via Weak JWT Token in parisneo/lollms | 07.04.2026 | 9.8 |
| CVE-2026-0740 | Ninja Forms - File Upload <= 3.3.26 - Unauthenticated Arbitrary File Upload | 07.04.2026 | 9.8 |
| CVE-2026-35471 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in goshs | 07.04.2026 | 9.8 |
| CVE-2026-35392 | goshs has an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in goshs PUT Upload | 07.04.2026 | 9.8 |
| CVE-2026-35393 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in goshs POST multipart upload | 08.04.2026 | 9.8 |
| CVE-2026-35459 | pyLoad has SSRF fix bypass via HTTP redirect | 07.04.2026 | 9.3 |
| CVE-2026-35022 | Anthropic Claude Code & Agent SDK OS Command Injection via Authentication Helper | 07.04.2026 | 9.3 |
| CVE-2026-35178 | Workbench Affected by Remote Code Execution (RCE) via Malicious Cookie in Timezone Conversion | 07.04.2026 | 9.3 |
| CVE-2026-35174 | Chyrp Lite has a Path Traversal to Remote Code Execution | 07.04.2026 | 9.1 |
| CVE-2026-35050 | text-generation-webui affected by Remote Code Execution (RCE) through Path Traversal at "Session -> Save extention settings to user_data/settings.yaml". | 07.04.2026 | 9.1 |
| CVE-2026-35171 | Arbitrary Code Execution via Malicious Logging Configuration in Kedro | 07.04.2026 | 9.8 |
| CVE-2026-35047 | Brave CMS has Unrestricted File Upload in BraveCMS via CKEditor Endpoint | 07.04.2026 | 9.3 |
| CVE-2026-35030 | LiteLLM has an authentication bypass via OIDC userinfo cache key collision | 07.04.2026 | 9.4 |
| CVE-2026-35039 | fast-jwt Affected by Cache Confusion via cacheKeyBuilder Collisions Can Return Claims From a Different Token (Identity/Authorization Mixup) | 08.04.2026 | 9.1 |
| CVE-2026-34989 | CI4MS affected by Profile & User Management Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS | 07.04.2026 | 9.4 |
| CVE-2026-34841 | Axios npm Supply Chain Incident Impacting @usebruno/cli | 08.04.2026 | 9.8 |
| CVE-2026-34976 | Dgraph Affected by Pre-Auth Database Overwrite + SSRF + File Read via restoreTenant Missing Authorization | 07.04.2026 | 10 |
| CVE-2026-34977 | Aperi'Solve Affected by Unauthenticated RCE via JPSeek Analyzer Command | 07.04.2026 | 9.3 |
| CVE-2026-34950 | fast-jwt has an incomplete fix for CVE-2023-48223: JWT Algorithm Confusion via Whitespace-Prefixed RSA Public Key | 06.04.2026 | 9.1 |
| CVE-2026-34208 | SandboxJS: Sandbox integrity escape | 06.04.2026 | 10 |
| CVE-2026-26026 | GLPI has a Server-Side Template Injection via Double-Compilation | 07.04.2026 | 9.1 |
| CVE-2019-25687 | Pegasus CMS 1.0 Remote Code Execution via extra_fields.php | 06.04.2026 | 9.3 |
| CVE-2016-20052 | Snews CMS 1.7 Unrestricted File Upload via snews_files | 06.04.2026 | 9.3 |
| CVE-2018-25254 | NICO-FTP 3.0.1.19 Buffer Overflow SEH | 06.04.2026 | 9.3 |
| CVE-2026-35616 | | 07.04.2026 | 9.1 |
| CVE-2017-20236 | ProSoft Technology ICX35-HWC Command Injection via Web Interface | 06.04.2026 | 9.3 |
| CVE-2026-34938 | PraisonAI: Python Sandbox Escape via str Subclass startswith() Override in execute_code | 06.04.2026 | 10 |
| CVE-2026-34952 | PraisonAI: Missing Authentication in WebSocket Gateway | 06.04.2026 | 9.1 |
| CVE-2026-34953 | PraisonAI: Authentication Bypass in OAuthManager.validate_token() | 06.04.2026 | 9.1 |
| CVE-2017-20234 | GarrettCom Magnum 6K and 10K Authentication Bypass via Hardcoded String | 06.04.2026 | 9.3 |
| CVE-2018-25236 | Hirschmann HiOS HiSecOS Authentication Bypass via HTTP Management | 06.04.2026 | 9.3 |
| CVE-2021-4477 | Hirschmann HiLCOS OpenBAT BAT450 IPv6 IPsec Firewall Bypass | 06.04.2026 | 9.3 |
| CVE-2026-34612 | Kestra: Remote Code Execution via SQL Injection | 06.04.2026 | 10 |
| CVE-2026-34934 | PraisonAI: Second-Order SQL Injection in `get_all_user_threads` | 06.04.2026 | 9.8 |
| CVE-2026-34935 | PraisonAI: OS Command Injection in MCPHandler.parse_mcp_command() | 06.04.2026 | 9.8 |
| CVE-2018-25237 | Hirschmann HiSecOS Buffer Overflow via HTTPS Login | 06.04.2026 | 9.3 |
| CVE-2017-20237 | Hirschmann Industrial HiVision Authentication Bypass Remote Code Execution | 06.04.2026 | 9.3 |
| CVE-2026-25197 | Gardyn Cloud API Authorization Bypass Through User-Controlled Key | 07.04.2026 | 9.3 |
| CVE-2026-28766 | Gardyn Cloud API Missing Authentication for Critical Function | 07.04.2026 | 9.2 |
| CVE-2026-35560 | Improper certificate validation in identity provider connection components in Amazon Athena ODBC driver | 07.04.2026 | 9.1 |
| CVE-2026-35561 | Insufficient authentication security controls in browser-based authentication components in Amazon Athena ODBC driver | 07.04.2026 | 9.1 |
| CVE-2026-28798 | Arbitrary internal service access via /v1/sys/proxy when Cloudflare Tunnel is enabled on ZimaOS | 06.04.2026 | 9.1 |
| CVE-2026-32186 | Microsoft Bing Elevation of Privilege Vulnerability | 07.04.2026 | 10 |
| CVE-2026-0545 | Missing Authentication for Critical Function in mlflow/mlflow | 03.04.2026 | 9.1 |
| CVE-2026-35216 | Budibase: Unauthenticated Remote Code Execution via Webhook Trigger and Bash Automation Step | 03.04.2026 | 9.1 |
| CVE-2026-31818 | Budibase: Server-Side Request Forgery via REST Connector with Empty Default Blacklist | 03.04.2026 | 9.6 |
| CVE-2026-5463 | | 03.04.2026 | 9.3 |
| CVE-2026-26135 | Azure Custom Locations Resource Provider (RP) Elevation of Privilege Vulnerability | 07.04.2026 | 9.6 |
| CVE-2026-32211 | Azure MCP Server Information Disclosure Vulnerability | 07.04.2026 | 9.1 |
| CVE-2026-32213 | Azure AI Foundry Elevation of Privilege Vulnerability | 07.04.2026 | 10 |
| CVE-2026-33105 | Microsoft Azure Kubernetes Service Elevation of Privilege Vulnerability | 07.04.2026 | 10 |
| CVE-2026-33107 | Azure Databricks Elevation of Privilege Vulnerability | 07.04.2026 | 10 |
| CVE-2025-15620 | HiOS Switch Platform Denial-of-Service via Web Interface | 03.04.2026 | 9.2 |
| CVE-2024-14034 | Hirschmann HiEOS Authentication Bypass via HTTP Management Module | 03.04.2026 | 9.3 |
| CVE-2026-34838 | Group-Office: Authenticated Remote Code Execution via PHP Insecure Deserialization in `AbstractSettingsCollection` | 03.04.2026 | 10 |
| CVE-2026-35053 | OneUptime: Unauthenticated Workflow Execution via ManualAPI | 03.04.2026 | 9.2 |
| CVE-2026-34745 | Unauthenticated Path Traversal Arbitrary File Write in /api/uploadChunked/public | 02.04.2026 | 9.1 |
| CVE-2026-34758 | OneUptime: Missing Authentication on Notification Endpoints | 03.04.2026 | 9.1 |
| CVE-2026-34759 | OneUptime: Unauthenticated notification API endpoints - financial abuse via phone number purchase, service disruption, and SMTP credential exposure | 03.04.2026 | 9.2 |
| CVE-2026-34717 | OpenProject: SQL Injection in Cost Reporting =n Operator via parse_number_string | 03.04.2026 | 9.9 |
| CVE-2026-33950 | signalk-server: Privilege Escalation by Admin Role Injection via /enableSecurity | 03.04.2026 | 9.4 |
| CVE-2026-33746 | Convoy: JWT Signature Verification Bypass Allows Authentication as Arbitrary Users | 02.04.2026 | 9.8 |
| CVE-2026-32871 | FastMCP OpenAPI Provider has an SSRF & Path Traversal Vulnerability | 02.04.2026 | 10 |
| CVE-2026-35002 | Agno < 2.3.24 field_type Eval Injection Arbitrary Code Execution | 02.04.2026 | 9.3 |
| CVE-2026-2699 | EAR vulnerability in Progress ShareFile Storage Zones Controller (SZC) | 08.04.2026 | 9.8 |
| CVE-2026-2701 | RCE vulnerability in Progress ShareFile Storage Zones Controller (SZC) | 03.04.2026 | 9.1 |
| CVE-2026-33615 | MB connect line mbCONNECT24 vulnerable to an unauthenticated SQL injection in the setinfo Endpoint | 02.04.2026 | 9.1 |
| CVE-2026-34563 | CI4MS: Backup Management Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM Blind XSS | 02.04.2026 | 9.1 |
| CVE-2026-34564 | CI4MS: Menu Management (Pages) Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS | 02.04.2026 | 9.1 |
| CVE-2026-34565 | CI4MS: Menu Management (Posts) Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS | 02.04.2026 | 9.1 |
| CVE-2026-34566 | CI4MS: Pages Management Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS | 04.04.2026 | 9.1 |
| CVE-2026-34567 | CI4MS: Blogs Posts (Categories) Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS | 02.04.2026 | 9.1 |
| CVE-2026-34568 | CI4MS: Blogs Posts Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS | 02.04.2026 | 9.1 |
| CVE-2026-34569 | CI4MS: Blogs Categories Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS | 02.04.2026 | 10 |
| CVE-2026-34571 | CI4MS: Stored Cross-Site Scripting (Stored XSS) in Backend User Management Allows Session Hijacking and Full Administrative Account Compromise | 02.04.2026 | 10 |
| CVE-2026-34559 | CI4MS: Blogs Tags Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS | 02.04.2026 | 9.1 |
| CVE-2026-34560 | CI4MS: Logs Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS | 02.04.2026 | 9.1 |
| CVE-2026-34456 | Reviactyl: OAuth account takeover via auto-linking | 02.04.2026 | 9.1 |

Latest Updates

| CVE | Title | Updated | Score |
|---|---|---|---|
| CVE-2026-31040 | | 08.04.2026 | |
| CVE-2026-33229 | XWiki Platform affected by remote code execution with script right through unprotected Velocity scripting API | 08.04.2026 | |
| CVE-2026-33753 | Improper Certificate Validation in rfc3161-client | 08.04.2026 | 6.2 |
| CVE-2026-39389 | CI4MS has a Hidden Items Authorization Bypass in Fileeditor Allows Reading Secrets and Writing Protected Files | 08.04.2026 | 6.7 |
| CVE-2026-39390 | CI4MS has Stored XSS via srcdoc attribute bypass in Google Maps iframe setting | 08.04.2026 | 5.5 |
| CVE-2026-39391 | CI4MS has Stored XSS via Unescaped Blacklist Note in Admin User List | 08.04.2026 | 4.8 |
| CVE-2026-39392 | CI4MS has Stored XSS in Pages Content Due to Missing html_purify Sanitization | 08.04.2026 | 5.5 |
| CVE-2026-39393 | Post-Installation Re-entry via Cache-Dependent Install Guard Bypass in ci4ms | 08.04.2026 | 8.1 |
| CVE-2026-39394 | CI4MS has an .env CRLF Injection via Unvalidated `host` Parameter in Install Controller | 08.04.2026 | 8.1 |
| CVE-2026-39406 | @hono/node-server has a middleware bypass via repeated slashes in serveStatic | 08.04.2026 | 5.3 |
| CVE-2026-39407 | Hono has a middleware bypass via repeated slashes in serveStatic | 08.04.2026 | 5.3 |
| CVE-2026-39408 | Hono has a path traversal in toSSG() allows writing files outside the output directory | 08.04.2026 | |
| CVE-2026-39409 | Hono has incorrect IP matching in ipRestriction() for IPv4-mapped IPv6 addresses | 08.04.2026 | |
| CVE-2026-39410 | Hono has a non-breaking space prefix bypass in cookie name handling in getCookie() | 08.04.2026 | 4.8 |
| CVE-2026-39865 | Axios HTTP/2 Session Cleanup State Corruption Vulnerability | 08.04.2026 | 5.9 |
| CVE-2025-57847 | Ansible-automation-platform: privilege escalation via excessive group writable /etc/passwd permissions | 08.04.2026 | |
| CVE-2025-57851 | Mce: privilege escalation via excessive /etc/passwd permissions | 08.04.2026 | |
| CVE-2025-57853 | Web-terminal: privilege escalation via excessive /etc/passwd permissions | 08.04.2026 | |
| CVE-2025-57854 | Osus-operator: privilege escalation via excessive /etc/passwd permissions | 08.04.2026 | |
| CVE-2025-58713 | Rhpam: privilege escalation via excessive /etc/passwd permissions | 08.04.2026 | |
| CVE-2025-14815 | Information Disclosure, Tampering, and Denial-of-Service Vulnerabilities in GENESIS64, ICONICS Suite, MobileHMI, Hyper Historian, AnalytiX, GENESIS, and MC Works64 | 08.04.2026 | |
| CVE-2025-14816 | Information Disclosure, Tampering, and Denial-of-Service Vulnerabilities in GENESIS64, ICONICS Suite, MobileHMI, Hyper Historian, AnalytiX, GENESIS, and MC Works64 | 08.04.2026 | |
| CVE-2026-2509 | Page Builder: Pagelayer <= 2.0.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Button Widget Custom Attributes | 08.04.2026 | 6.4 |
| CVE-2026-31411 | net: atm: fix crash due to unvalidated vcc pointer in sigd_send() | 08.04.2026 | |
| CVE-2026-35023 | Wimi Teamwork On-Premises < 8.2.0 IDOR via preview.php | 08.04.2026 | |
| CVE-2026-5795 | | 08.04.2026 | 7.4 |
| CVE-2026-28261 | | 08.04.2026 | 7.8 |
| CVE-2026-4402 | | 08.04.2026 | |
| CVE-2026-24511 | | 08.04.2026 | 4.4 |
| CVE-2026-27102 | | 08.04.2026 | 6.6 |
| CVE-2026-5300 | Missing Authentication for Critical Function in coolercontrold | 08.04.2026 | 5.9 |
| CVE-2026-5301 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in coolercontrol-ui | 08.04.2026 | 7.6 |
| CVE-2026-5302 | Permissive Cross-domain Policy with Untrusted Domains in coolercontrold | 08.04.2026 | 6.3 |
| CVE-2026-5600 | | 08.04.2026 | |
| CVE-2026-1672 | BEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net <= 1.1.5 - Cross-Site Request Forgery to Product Data Modification | 08.04.2026 | 6.5 |
| CVE-2026-1673 | BEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net <= 1.1.5 - Cross-Site Request Forgery to Taxonomy Term Deletion | 08.04.2026 | 4.3 |
| CVE-2026-1865 | User Registration & Membership <= 5.1.2 - Authenticated (Subscriber+) SQL Injection via membership_ids[] | 08.04.2026 | 6.5 |
| CVE-2026-28264 | | 08.04.2026 | 3.3 |
| CVE-2026-2481 | Beaver Builder Page Builder – Drag and Drop Website Builder <= 2.10.1.1 - Authenticated (Author+) Stored Cross-Site Scripting via 'settings[js]' | 08.04.2026 | 6.4 |
| CVE-2026-3243 | Advanced Members for ACF <= 1.2.5 - Authenticated (Subscriber+) Arbitrary File Deletion via Path Traversal | 08.04.2026 | 8.8 |
| CVE-2026-3396 | WCAPF – WooCommerce Ajax Product Filter <= 4.2.3 - Unauthenticated Time-Based SQL Injection | 08.04.2026 | 7.5 |
| CVE-2026-5208 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in coolercontrold | 08.04.2026 | 8.2 |
| CVE-2026-4025 | PrivateContent Free <= 1.2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'align' Shortcode Attribute | 08.04.2026 | 6.4 |
| CVE-2026-4073 | pdfl.io <= 1.0.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'text' Shortcode Attribute | 08.04.2026 | 6.4 |
| CVE-2026-4300 | Robo Gallery <= 5.1.3 - Authenticated (Author+) Stored Cross-Site Scripting via 'Loading Label' Setting | 08.04.2026 | 6.4 |
| CVE-2026-4303 | WP Visitor Statistics (Real Time Traffic) <= 8.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'height' Shortcode Attribute | 08.04.2026 | 6.4 |
| CVE-2026-25776 | | 08.04.2026 | |
| CVE-2026-33088 | | 08.04.2026 | |
| CVE-2026-1396 | Magic Conversation For Gravity Forms <= 3.0.97 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes | 08.04.2026 | 6.4 |
| CVE-2026-39464 | WordPress Coming Soon Page, Under Construction & Maintenance Mode by SeedProd plugin <= 6.19.8 - Server Side Request Forgery (SSRF) vulnerability | 08.04.2026 | |
| CVE-2026-39466 | WordPress Broken Link Checker plugin <= 2.4.7 - SQL Injection vulnerability | 08.04.2026 | |
| CVE-2026-39469 | WordPress PageLayer plugin <= 2.0.8 - Sensitive Data Exposure vulnerability | 08.04.2026 | |
| CVE-2026-39473 | WordPress Simple History plugin <= 5.24.0 - Sensitive Data Exposure vulnerability | 08.04.2026 | |
| CVE-2026-39475 | WordPress User Feedback plugin <= 1.10.1 - SQL Injection vulnerability | 08.04.2026 | |
| CVE-2026-39476 | WordPress User Feedback plugin <= 1.10.1 - Broken Access Control vulnerability | 08.04.2026 | |
| CVE-2026-39477 | WordPress CartFlows plugin <= 2.2.3 - Broken Access Control vulnerability | 08.04.2026 | |
| CVE-2026-39479 | WordPress OttoKit plugin <= 1.1.20 - SQL Injection vulnerability | 08.04.2026 | |
| CVE-2026-39482 | WordPress Post Expirator plugin <= 4.9.4 - Cross Site Scripting (XSS) vulnerability | 08.04.2026 | |
| CVE-2026-39483 | WordPress VK All in One Expansion Unit plugin <= 9.113.3 - Cross Site Scripting (XSS) vulnerability | 08.04.2026 | |
| CVE-2026-39484 | WordPress Hide My WP Ghost plugin < 7.0.00 - Open Redirection vulnerability | 08.04.2026 | |
| CVE-2026-39485 | WordPress Youtube Embed Plus plugin <= 14.2.4 - Broken Access Control vulnerability | 08.04.2026 | |
| CVE-2026-39486 | WordPress Download Monitor plugin <= 5.1.8 - SQL Injection vulnerability | 08.04.2026 | |
| CVE-2026-39487 | WordPress Amelia plugin <= 2.1.1 - SQL Injection vulnerability | 08.04.2026 | |
| CVE-2026-39488 | WordPress SureCart plugin <= 4.0.2 - Broken Access Control vulnerability | 08.04.2026 | |
| CVE-2026-39495 | WordPress Simply Schedule Appointments plugin <= 1.6.9.27 - SQL Injection vulnerability | 08.04.2026 | |
| CVE-2026-39496 | WordPress YayMail plugin <= 4.3.3 - SQL Injection vulnerability | 08.04.2026 | |
| CVE-2026-39497 | WordPress FOX plugin <= 1.4.5 - SQL Injection vulnerability | 08.04.2026 | |
| CVE-2026-39500 | WordPress themesflat-addons-for-elementor plugin <= 2.3.2 - Cross Site Scripting (XSS) vulnerability | 08.04.2026 | |
| CVE-2026-39501 | WordPress FOX plugin <= 1.4.5 - Broken Access Control vulnerability | 08.04.2026 | |
| CVE-2026-39504 | WordPress InstaWP Connect plugin <= 0.1.2.5 - Broken Access Control vulnerability | 08.04.2026 | |
| CVE-2026-39505 | WordPress Seriously Simple Podcasting plugin <= 3.14.2 - Broken Access Control vulnerability | 08.04.2026 | |
| CVE-2026-39506 | WordPress AI Engine (Pro) plugin < 3.4.2 - Broken Access Control vulnerability | 08.04.2026 | |
| CVE-2026-39508 | WordPress Advanced Coupons for WooCommerce Coupons plugin <= 4.7.1.1 - Cross Site Scripting (XSS) vulnerability | 08.04.2026 | |
| CVE-2026-39509 | WordPress Directorist plugin <= 8.5.10 - Broken Access Control vulnerability | 08.04.2026 | |
| CVE-2026-39510 | WordPress Image Photo Gallery Final Tiles Grid plugin <= 3.6.11 - Insecure Direct Object References (IDOR) vulnerability | 08.04.2026 | |
| CVE-2026-39516 | WordPress Nexter Blocks plugin <= 4.7.0 - Sensitive Data Exposure vulnerability | 08.04.2026 | |
| CVE-2026-39517 | WordPress Blog Filter plugin <= 1.7.6 - Cross Site Scripting (XSS) vulnerability | 08.04.2026 | |
| CVE-2026-39520 | WordPress weDocs plugin <= 2.1.18 - Broken Access Control vulnerability | 08.04.2026 | |
| CVE-2026-39521 | WordPress Nelio Content plugin <= 4.3.1 - Server Side Request Forgery (SSRF) vulnerability | 08.04.2026 | |
| CVE-2026-39526 | WordPress WpStream plugin < 4.11.2 - Insecure Direct Object References (IDOR) vulnerability | 08.04.2026 | |
| CVE-2026-39528 | WordPress WP Delicious plugin <= 1.9.5 - Broken Access Control vulnerability | 08.04.2026 | |
| CVE-2026-39535 | WordPress Display Eventbrite Events plugin <= 6.5.6 - Broken Access Control vulnerability | 08.04.2026 | |
| CVE-2026-39536 | WordPress RSVP and Event Management plugin <= 2.7.16 - Sensitive Data Exposure vulnerability | 08.04.2026 | |
| CVE-2026-39538 | WordPress Mikado Core plugin <= 1.6 - Local File Inclusion vulnerability | 08.04.2026 | |
| CVE-2026-39541 | WordPress Hydra Booking plugin <= 1.1.38 - Cross Site Scripting (XSS) vulnerability | 08.04.2026 | |
| CVE-2026-39542 | WordPress Doofinder for WooCommerce plugin <= 2.10.13 - Sensitive Data Exposure vulnerability | 08.04.2026 | |
| CVE-2026-39543 | WordPress Tourfic plugin <= 2.21.4 - Broken Access Control vulnerability | 08.04.2026 | |
| CVE-2026-39544 | WordPress LabtechCO theme <= 8.3 - Local File Inclusion vulnerability | 08.04.2026 | |
| CVE-2026-39561 | WordPress Revive.so plugin <= 2.0.7 - Broken Access Control vulnerability | 08.04.2026 | |
| CVE-2026-39562 | WordPress Client Invoicing by Sprout Invoices plugin <= 20.8.10 - Broken Access Control vulnerability | 08.04.2026 | |
| CVE-2026-39563 | WordPress Share This Image plugin <= 2.12 - Broken Access Control vulnerability | 08.04.2026 | |
| CVE-2026-39564 | WordPress Sunshine Photo Cart plugin < 3.6.2 - Sensitive Data Exposure vulnerability | 08.04.2026 | |
| CVE-2026-39565 | WordPress WpTravelly plugin <= 2.1.7 - Broken Access Control vulnerability | 08.04.2026 | |
| CVE-2026-39566 | WordPress DirectoryPress plugin <= 3.6.26 - Sensitive Data Exposure vulnerability | 08.04.2026 | |
| CVE-2026-39569 | WordPress 12 Step Meeting List plugin <= 3.19.9 - Broken Access Control vulnerability | 08.04.2026 | |
| CVE-2026-39570 | WordPress 12 Step Meeting List plugin <= 3.19.9 - Sensitive Data Exposure vulnerability | 08.04.2026 | |
| CVE-2026-39571 | WordPress Instantio plugin <= 3.3.30 - Sensitive Data Exposure vulnerability | 08.04.2026 | |
| CVE-2026-39572 | WordPress Bus Ticket Booking with Seat Reservation plugin < 5.6.5 - Sensitive Data Exposure vulnerability | 08.04.2026 | |
| CVE-2026-39575 | WordPress Custom Query Blocks plugin <= 5.5.0 - Cross Site Scripting (XSS) vulnerability | 08.04.2026 | |
| CVE-2026-39585 | WordPress Booktics plugin <= 1.0.16 - Broken Access Control vulnerability | 08.04.2026 | |
| CVE-2026-39586 | WordPress RepairBuddy plugin <= 4.1132 - Sensitive Data Exposure vulnerability | 08.04.2026 | |
| CVE-2026-39588 | WordPress NM Gift Registry and Wishlist Lite plugin <= 5.13 - Broken Access Control vulnerability | 08.04.2026 | |
| CVE-2026-39592 | WordPress DEPART plugin <= 1.0.7 - Broken Access Control vulnerability | 08.04.2026 | |
| CVE-2026-39602 | WordPress Order Tracking plugin <= 3.4.3 - Broken Access Control vulnerability | 08.04.2026 | |
| CVE-2026-39603 | WordPress Grand Photography theme <= 5.7.8 - Cross Site Request Forgery (CSRF) vulnerability | 08.04.2026 | |
| CVE-2026-39604 | WordPress MyBookTable Bookstore plugin <= 3.6.0 - Cross Site Scripting (XSS) vulnerability | 08.04.2026 | |
| CVE-2026-39605 | WordPress Super Custom Login plugin <= 1.1 - Broken Access Control vulnerability | 08.04.2026 | |
| CVE-2026-39606 | WordPress BizReview plugin <= 1.5.13 - Broken Access Control vulnerability | 08.04.2026 | |
| CVE-2026-39607 | WordPress Filter Plus plugin <= 1.1.17 - Broken Access Control vulnerability | 08.04.2026 | |
| CVE-2026-39608 | WordPress iPOSpays Gateways WC plugin <= 1.3.7 - Broken Access Control vulnerability | 08.04.2026 | |
| CVE-2026-39609 | WordPress Wava Payment plugin <= 0.3.7 - Broken Access Control vulnerability | 08.04.2026 | |
| CVE-2026-39610 | WordPress WpXmas-Snow plugin <= 1.1 - Broken Access Control vulnerability | 08.04.2026 | |
| CVE-2026-39611 | WordPress KuteShop theme <= 4.2.9 - Local File Inclusion vulnerability | 08.04.2026 | |
| CVE-2026-39612 | WordPress KuteShop theme <= 4.2.9 - Arbitrary Shortcode Execution vulnerability | 08.04.2026 | |
| CVE-2026-39613 | WordPress Boutique theme <= 2.3.3 - Local File Inclusion vulnerability | 08.04.2026 | |
| CVE-2026-39614 | WordPress JW Player for WordPress plugin <= 2.3.6 - Broken Access Control vulnerability | 08.04.2026 | |
| CVE-2026-39615 | WordPress Download Manager plugin <= 3.3.53 - Cross Site Scripting (XSS) vulnerability | 08.04.2026 | |
| CVE-2026-39616 | WordPress Download Attachments plugin <= 1.4.0 - Insecure Direct Object References (IDOR) vulnerability | 08.04.2026 | |
| CVE-2026-39617 | WordPress Bluestreet theme <= 1.7.3 - Cross Site Request Forgery (CSRF) to Arbitrary Plugin Installation vulnerability | 08.04.2026 | |
| CVE-2026-39618 | WordPress NewsExo theme <= 7.1 - Cross Site Request Forgery (CSRF) vulnerability | 08.04.2026 | |
| CVE-2026-39619 | WordPress Busiprof theme <= 2.5.2 - Cross Site Request Forgery (CSRF) to Arbitrary File Upload vulnerability | 08.04.2026 | |
| CVE-2026-39620 | WordPress Appointment theme <= 3.5.5 - Cross Site Request Forgery (CSRF) to Arbitrary File Upload vulnerability | 08.04.2026 | |
| CVE-2026-39621 | WordPress SpicePress theme <= 2.3.2.5 - CSRF to Arbitrary Plugin Installation vulnerability | 08.04.2026 | |
| CVE-2026-39622 | WordPress Education Base theme <= 3.0.8 - Broken Access Control vulnerability | 08.04.2026 | |
| CVE-2026-39623 | WordPress Biolife theme <= 3.2.3 - Local File Inclusion vulnerability | 08.04.2026 | |
| CVE-2026-39624 | WordPress Biolife theme <= 3.2.3 - Arbitrary Shortcode Execution vulnerability | 08.04.2026 | |
| CVE-2026-39625 | WordPress TechOne theme <= 3.0.3 - Arbitrary Shortcode Execution vulnerability | 08.04.2026 | |
| CVE-2026-39626 | WordPress Armania theme <= 1.4.8 - Arbitrary Shortcode Execution vulnerability | 08.04.2026 | |
| CVE-2026-39627 | WordPress Ashe theme <= 2.266 - Broken Access Control vulnerability | 08.04.2026 | |
| CVE-2026-39628 | WordPress DukaMarket theme <= 1.3.0 - Arbitrary Shortcode Execution vulnerability | 08.04.2026 | |
| CVE-2026-39629 | WordPress Uminex theme <= 1.0.9 - Arbitrary Shortcode Execution vulnerability | 08.04.2026 | |
| CVE-2026-39630 | WordPress Getty Images plugin <= 4.1.0 - Server Side Request Forgery (SSRF) vulnerability | 08.04.2026 | |
| CVE-2026-39631 | WordPress WPSchoolPress plugin <= 2.2.35 - Broken Access Control vulnerability | 08.04.2026 | |
| CVE-2026-39632 | WordPress Grand Blog theme <= 3.1 - Cross Site Request Forgery (CSRF) vulnerability | 08.04.2026 | |
| CVE-2026-39633 | WordPress Grand Car Rental theme <= 3.6.9 - Cross Site Request Forgery (CSRF) vulnerability | 08.04.2026 | |
| CVE-2026-39634 | WordPress Grand Portfolio theme <= 3.3 - Cross Site Request Forgery (CSRF) vulnerability | 08.04.2026 | |
| CVE-2026-39635 | WordPress Grand Magazine theme <= 3.5.5 - Cross Site Request Forgery (CSRF) vulnerability | 08.04.2026 | |
| CVE-2026-39636 | WordPress Livemesh Addons for Elementor plugin <= 9.0 - Cross Site Scripting (XSS) vulnerability | 08.04.2026 | |
| CVE-2026-39637 | WordPress Mogi theme <= 1.2.3 - Arbitrary Shortcode Execution vulnerability | 08.04.2026 | |
| CVE-2026-39638 | WordPress Qubely plugin <= 1.8.14 - Cross Site Scripting (XSS) vulnerability | 08.04.2026 | |
| CVE-2026-39639 | WordPress RPS Include Content plugin <= 1.2.2 - Broken Access Control vulnerability | 08.04.2026 | |
| CVE-2026-39640 | WordPress Theme Editor plugin <= 3.2 - Cross Site Request Forgery (CSRF) to Remote Code Execution vulnerability | 08.04.2026 | |
| CVE-2026-39641 | WordPress Blackfyre theme <= 2.5.4 - Cross Site Request Forgery (CSRF) vulnerability | 08.04.2026 | |
| CVE-2026-39643 | WordPress Payment Plugins for PayPal WooCommerce plugin <= 2.0.13 - Broken Access Control vulnerability | 08.04.2026 | |
| CVE-2026-39644 | WordPress Wp Ultimate Review plugin <= 2.3.8 - Broken Access Control vulnerability | 08.04.2026 | |
| CVE-2026-39645 | WordPress GlobalPayments WooCommerce plugin <= 1.18.0 - Server Side Request Forgery (SSRF) vulnerability | 08.04.2026 | |
| CVE-2026-39646 | WordPress Leaflet Map plugin <= 3.4.4 - Cross Site Scripting (XSS) vulnerability | 08.04.2026 | |
| CVE-2026-39647 | WordPress MP3 Audio Player for Music, Radio & Podcast by Sonaar plugin <= 5.11 - Server Side Request Forgery (SSRF) vulnerability | 08.04.2026 | |
| CVE-2026-39648 | WordPress Cream Blog theme <= 2.1.7 - Broken Access Control vulnerability | 08.04.2026 | |
| CVE-2026-39649 | WordPress Royale News theme <= 2.2.4 - Broken Access Control vulnerability | 08.04.2026 | |
| CVE-2026-39650 | WordPress UnitechPay plugin <= 1.0.2 - Broken Access Control vulnerability | 08.04.2026 | |
| CVE-2026-39651 | WordPress Total Poll Lite plugin <= 4.12.0 - Broken Access Control vulnerability | 08.04.2026 | |
| CVE-2026-39652 | WordPress iGMS Direct Booking plugin <= 1.3 - Broken Access Control vulnerability | 08.04.2026 | |
| CVE-2026-39653 | WordPress Video Conferencing with Zoom plugin <= 4.6.6 - Broken Access Control vulnerability | 08.04.2026 | |
| CVE-2026-39654 | WordPress WP Simple HTML Sitemap plugin <= 3.8 - Cross Site Scripting (XSS) vulnerability | 08.04.2026 | |
| CVE-2026-39656 | WordPress Razorpay for WooCommerce plugin <= 4.8.2 - Broken Access Control vulnerability | 08.04.2026 | |
| CVE-2026-39657 | WordPress leadlovers forms plugin <= 1.0.2 - Broken Access Control vulnerability | 08.04.2026 | |
| CVE-2026-39658 | WordPress Panda Pods Repeater Field plugin <= 1.5.12 - Broken Access Control vulnerability | 08.04.2026 | |
| CVE-2026-39659 | WordPress Ultimate Member plugin <= 2.11.3 - Broken Access Control vulnerability | 08.04.2026 | |
| CVE-2026-39660 | WordPress WP Job Manager plugin <= 2.4.1 - Broken Access Control vulnerability | 08.04.2026 | |
| CVE-2026-39662 | WordPress Product Price by Formula for WooCommerce plugin <= 2.5.6 - Broken Access Control vulnerability | 08.04.2026 | |
| CVE-2026-39663 | WordPress TrueBooker plugin <= 1.1.5 - Broken Access Control vulnerability | 08.04.2026 | |
| CVE-2026-39664 | WordPress Leadrebel plugin <= 1.0.2 - Broken Access Control vulnerability | 08.04.2026 | |
| CVE-2026-39665 | WordPress SEO Friendly Images plugin <= 3.0.5 - Cross Site Scripting (XSS) vulnerability | 08.04.2026 | |
| CVE-2026-39666 | WordPress Hello Bar Popup Builder plugin <= 1.5.1 - Cross Site Scripting (XSS) vulnerability | 08.04.2026 | |
| CVE-2026-39667 | WordPress Korea SNS plugin <= 1.7.0 - Cross Site Scripting (XSS) vulnerability | 08.04.2026 | |
| CVE-2026-39668 | WordPress Book Previewer for Woocommerce plugin <= 1.0.6 - Broken Access Control vulnerability | 08.04.2026 | |
| CVE-2026-39669 | WordPress NitroPack plugin <= 1.19.3 - Broken Access Control vulnerability | 08.04.2026 | |
| CVE-2026-39670 | WordPress Visual Link Preview plugin <= 2.3.0 - Server Side Request Forgery (SSRF) vulnerability | 08.04.2026 | |
| CVE-2026-39671 | WordPress Extra Fees Plugin for WooCommerce plugin <= 4.3.3 - Cross Site Request Forgery (CSRF) vulnerability | 08.04.2026 | |
| CVE-2026-39672 | WordPress ShipTime: Discounted Shipping Rates plugin <= 1.1.1 - Broken Access Control vulnerability | 08.04.2026 | |
| CVE-2026-39673 | WordPress iZooto plugin <= 3.7.20 - Broken Access Control vulnerability | 08.04.2026 | |
| CVE-2026-39674 | WordPress MK Google Directions plugin <= 3.1.1 - Cross Site Scripting (XSS) vulnerability | 08.04.2026 | |
| CVE-2026-39675 | WordPress Court Reservation plugin <= 1.10.11 - Broken Access Control vulnerability | 08.04.2026 | |
| CVE-2026-39676 | WordPress Download Manager plugin <= 3.3.52 - Broken Access Control vulnerability | 08.04.2026 | |
| CVE-2026-39677 | WordPress Emphires theme <= 3.9 - Local File Inclusion vulnerability | 08.04.2026 | |
| CVE-2026-39678 | WordPress Pinpoint Booking System plugin <= 2.9.9.6.5 - Broken Access Control vulnerability | 08.04.2026 | |
| CVE-2026-39679 | WordPress Freeio theme <= 1.3.21 - Local File Inclusion vulnerability | 08.04.2026 | |
| CVE-2026-39680 | WordPress Diet Calorie Calculator plugin <= 1.1.1 - Broken Access Control vulnerability | 08.04.2026 | |
| CVE-2026-39681 | WordPress Homeo theme <= 1.2.59 - Local File Inclusion vulnerability | 08.04.2026 | |
| CVE-2026-39682 | WordPress linkPizza-Manager plugin <= 5.5.5 - Broken Access Control vulnerability | 08.04.2026 | |
| CVE-2026-39683 | WordPress Garden Gnome Package plugin <= 2.4.1 - Cross Site Scripting (XSS) vulnerability | 08.04.2026 | |
| CVE-2026-39684 | WordPress OrganicFood theme <= 3.6.4 - Local File Inclusion vulnerability | 08.04.2026 | |
| CVE-2026-39685 | WordPress The Moneytizer plugin <= 10.0.10 - Broken Access Control vulnerability | 08.04.2026 | |
| CVE-2026-39686 | WordPress BSK PDF Manager plugin <= 3.7.2 - Sensitive Data Exposure vulnerability | 08.04.2026 | |
| CVE-2026-39687 | WordPress Rapid Car Check Vehicle Data plugin <= 2.0 - Broken Access Control vulnerability | 08.04.2026 | |
| CVE-2026-39688 | WordPress WP Frontend Profile plugin <= 1.3.9 - Broken Access Control vulnerability | 08.04.2026 | |
| CVE-2026-39689 | WordPress eShipper Commerce plugin <= 2.16.12 - Broken Access Control vulnerability | 08.04.2026 | |
| CVE-2026-39690 | WordPress Author Avatars List/Block plugin <= 2.1.25 - Broken Access Control vulnerability | 08.04.2026 | |
| CVE-2026-39691 | WordPress Cryptocurrency Donation Box – Bitcoin & Crypto Donations plugin <= 2.2.13 - Broken Access Control vulnerability | 08.04.2026 | |
| CVE-2026-39692 | WordPress tagDiv Composer plugin <= 5.4.3 - Cross Site Scripting (XSS) vulnerability | 08.04.2026 | |
| CVE-2026-39693 | WordPress FSM Custom Featured Image Caption plugin <= 1.25.1 - Cross Site Scripting (XSS) vulnerability | 08.04.2026 | |
| CVE-2026-39694 | WordPress Simply Schedule Appointments plugin <= 1.6.10.2 - Broken Access Control vulnerability | 08.04.2026 | |
| CVE-2026-39695 | WordPress Podigee plugin <= 1.4.0 - Server Side Request Forgery (SSRF) vulnerability | 08.04.2026 | |
| CVE-2026-39696 | WordPress Elfsight WhatsApp Chat CC plugin <= 1.2.0 - Cross Site Scripting (XSS) vulnerability | 08.04.2026 | |
| CVE-2026-39697 | WordPress MAIO – The new AI GEO / SEO tool plugin <= 6.2.8 - Broken Access Control vulnerability | 08.04.2026 | |
| CVE-2026-39698 | WordPress The Publisher Desk ads.txt plugin <= 1.5.0 - Broken Access Control vulnerability | 08.04.2026 | |
| CVE-2026-39699 | WordPress AI Workflow Automation plugin <= 1.4.2 - Broken Access Control vulnerability | 08.04.2026 | |
| CVE-2026-39700 | WordPress WowOptin plugin <= 1.4.32 - Broken Access Control vulnerability | 08.04.2026 | |
CVE-2026-39701 WordPress ShopWP plugin <= 5.2.4 - Broken Access Control vulnerability 08.04.2026
CVE-2026-39702 WordPress Animation Addons for Elementor plugin <= 2.6.1 - Cross Site Scripting (XSS) vulnerability 08.04.2026
CVE-2026-39703 WordPress WPBITS Addons For Elementor Page Builder plugin <= 1.8.1 - Cross Site Scripting (XSS) vulnerability 08.04.2026
CVE-2026-39704 WordPress Precious Metals Automated Product Pricing – Pro plugin <= 4.0.5 - Broken Access Control vulnerability 08.04.2026
CVE-2026-39705 WordPress MIPL WC Multisite Sync plugin <= 1.4.4 - Broken Access Control vulnerability 08.04.2026
CVE-2026-39706 WordPress Make My Trivia plugin <= 1.1.0 - Broken Access Control vulnerability 08.04.2026
CVE-2026-39707 WordPress Accept PayPal Payments using Contact Form 7 plugin <= 4.0.4 - Broken Access Control vulnerability 08.04.2026
CVE-2026-39708 WordPress UiCore Elements plugin <= 1.3.14 - Cross Site Scripting (XSS) vulnerability 08.04.2026
CVE-2026-39709 WordPress The Tribal plugin <= 1.3.4 - Sensitive Data Exposure vulnerability 08.04.2026
CVE-2026-39710 WordPress RT-Theme 18 | Extensions plugin <= 2.5 - Cross Site Request Forgery (CSRF) vulnerability 08.04.2026
CVE-2026-39711 WordPress RT-Theme 18 | Extensions plugin <= 2.5 - Sensitive Data Exposure vulnerability 08.04.2026
CVE-2026-39712 WordPress tagDiv Composer plugin <= 5.4.3 - Arbitrary Shortcode Execution vulnerability 08.04.2026
CVE-2026-39713 WordPress Mailercloud – Integrate webforms and synchronize website contacts plugin <= 1.0.7 - Broken Access Control vulnerability 08.04.2026
CVE-2026-39714 WordPress G5Plus April theme <= 6.8 - Broken Access Control vulnerability 08.04.2026
CVE-2026-39715 WordPress AnyTrack Affiliate Link Manager plugin <= 1.5.5 - Broken Access Control vulnerability 08.04.2026
CVE-2026-39716 WordPress Flipmart theme <= 2.8 - Broken Access Control vulnerability 08.04.2026
CVE-2026-4330 Blog2Social: Social Media Auto Post & Scheduler <= 8.8.3 - Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary Post Schedule Modification via 'b2s_id' Parameter 08.04.2026 4.3
CVE-2026-4654 Awesome Support <= 6.3.7 - Authenticated (Subscriber+) Insecure Direct Object Reference to Unauthorized Ticket Reply Access via 'ticket_id' Parameter 08.04.2026 5.3
CVE-2026-4655 Element Pack Addons for Elementor <= 8.4.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via SVG Image Widget 08.04.2026 6.4
CVE-2026-4483 08.04.2026
CVE-2025-1794 AM LottiePlayer <= 3.6.0 - Authenticated (Author+) Stored Cross-Site Scripting via SVG 08.04.2026 5.4
CVE-2026-2838 Whole Enquiry Cart for WooCommerce <= 1.2.1 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'woowhole_success_msg' Parameter 08.04.2026 4.4
CVE-2026-3142 Pinterest Site Verification plugin using Meta Tag <= 1.8 - Authenticated (Subscriber+) Stored Cross-Site Scripting via 'post_var' 08.04.2026 6.4
CVE-2026-3477 PZ Frontend Manager <= 1.0.6 - Missing Authorization to Arbitrary User Deletion via 'dataType' Parameter 08.04.2026 5.3
CVE-2026-3480 WP Blockade <= 0.9.14 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Shortcode Execution via 'shortcode' Parameter 08.04.2026 6.5
CVE-2026-3535 DSGVO Google Web Fonts GDPR <= 1.1 - Unauthenticated Arbitrary File Upload via 'fonturl' Parameter 08.04.2026 9.8
CVE-2026-3594 Riaxe Product Customizer <= 2.4 - Unauthenticated Sensitive Information Disclosure via '/orders' REST API Endpoint 08.04.2026 5.3
CVE-2026-3618 Columns by BestWebSoft <= 1.0.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'columns' Shortcode 'id' Attribute 08.04.2026 6.4
CVE-2026-3781 Attendance Manager <= 0.6.2 - Authenticated (Subscriber+) SQL Injection via 'attmgr_off' Parameter 08.04.2026 5.4
CVE-2026-4141 Quran Translations <= 1.7 - Cross-Site Request Forgery to Playlist Settings Form 08.04.2026 4.3
CVE-2026-4808 Gerador de Certificados – DevApps <= 1.3.6 - Authenticated (Administrator+) Arbitrary File Upload 08.04.2026 7.2
CVE-2026-4871 Sports Club Management <= 1.12.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'before' Attribute 08.04.2026 6.4
CVE-2026-5167 Masteriyo LMS <= 2.1.7 - Unauthenticated Authorization Bypass to Arbitrary Order Completion via Stripe Webhook Endpoint 08.04.2026 5.3
CVE-2026-5169 Inquiry form to posts or pages <= 1.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via Form Header Field 08.04.2026 4.4
CVE-2026-5506 Wavr <= 0.2.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes 08.04.2026 6.4
CVE-2026-5508 WowPress <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes 08.04.2026 6.4
CVE-2026-4338 ActivityPub Routing < 8.0.2 - Unauthenticated Drafts/Scheduled/Pending Posts Disclosure 08.04.2026
CVE-2026-3311 The Plus Addons for Elementor – Addons for Elementor, Page Templates, Widgets, Mega Menu, WooCommerce <= 6.4.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Progress Bar 08.04.2026 6.4
CVE-2026-5082 Amon2::Plugin::Web::CSRFDefender versions from 7.00 through 7.03 for Perl generate an insecure session id 08.04.2026
CVE-2026-5083 Ado::Sessions versions through 0.935 for Perl generates insecure session ids 08.04.2026
CVE-2026-24913 08.04.2026
CVE-2026-27787 08.04.2026
CVE-2026-33273 08.04.2026
CVE-2026-3239 Strong Testimonials <= 3.2.21 - Authenticated (Contributor+) Stored Cross-Site Scripting via testimonial_view Shortcode 08.04.2026 6.4
CVE-2026-3513 TableOn – WordPress Posts Table Filterable <= 1.0.4.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'class' Shortcode Attribute 08.04.2026 6.4
CVE-2026-3600 Investi <= 1.0.26 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'maximum-num-years' Shortcode Attribute 08.04.2026 6.4
CVE-2026-3646 LTL Freight Quotes – R+L Carriers Edition <= 3.3.13 - Missing Authorization to Unauthenticated Settings Update 08.04.2026 5.3
CVE-2026-4003 Users manager – PN <= 1.1.15 - Unauthenticated Privilege Escalation via Account Takeover via 'userspn_form_save' AJAX Action 08.04.2026 9.8
CVE-2026-4299 MainWP Child Reports <= 2.2.6 - Missing Authorization to Authenticated (Subscriber+) Information Disclosure via Heartbeat API 08.04.2026 5.3
CVE-2026-4333 LearnPress <= 4.3.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'skin' Shortcode Attribute 08.04.2026 6.4
CVE-2026-4341 Prime Slider <= 4.1.10 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'follow_us_text' Parameter 08.04.2026 6.4
CVE-2026-4785 LatePoint <= 5.3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode 08.04.2026 6.4
CVE-2026-2988 Blubrry PowerPress <= 11.15.15 - Authenticated (Contributor+) Stored Cross-Site Scripting via powerpress and podcast Shortcodes 08.04.2026 6.4
CVE-2026-4379 LightPress Lightbox <= 2.3.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'group' Shortcode Attribute 08.04.2026 6.4
CVE-2026-1163 Insufficient Session Expiration in parisneo/lollms 08.04.2026
CVE-2026-5726 ASDA-Soft Stack-based Buffer Overflow Vulnerability 08.04.2026 7.8
CVE-2025-14732 Elementor Website Builder <= 3.35.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via REST API 08.04.2026 6.4
CVE-2026-27140 Code execution vulnerability in SWIG code generation in cmd/go 08.04.2026
CVE-2026-27143 Missing bound checks can lead to memory corruption in safe Go in cmd/compile 08.04.2026
CVE-2026-27144 Miscompilation allows memory corruption via CONVNOP-wrapped array copy in cmd/compile 08.04.2026
CVE-2026-32280 Unexpected work during chain building in crypto/x509 08.04.2026
CVE-2026-32281 Inefficient policy validation in crypto/x509 08.04.2026
CVE-2026-32282 TOCTOU permits root escape on Linux via Root.Chmod in os in internal/syscall/unix 08.04.2026
CVE-2026-32283 Unauthenticated TLS 1.3 KeyUpdate record can cause persistent connection retention and DoS in crypto/tls 08.04.2026
CVE-2026-32288 Unbounded allocation for old GNU sparse in archive/tar 08.04.2026
CVE-2026-32289 JsBraceDepth Context Tracking Bugs (XSS) in html/template 08.04.2026
CVE-2026-33810 Case-sensitive excludedSubtrees name constraints cause Auth Bypass in crypto/x509 08.04.2026
CVE-2026-3296 Everest Forms <= 3.4.3 - Unauthenticated PHP Object Injection via Form Entry Metadata 08.04.2026 9.8
CVE-2026-3499 Product Feed PRO for WooCommerce by AdTribes – Product Feeds for WooCommerce 13.4.6 - 13.5.2.1 - Cross-Site Request Forgery to Multiple Administrative Actions 08.04.2026 8.8
CVE-2026-1343 Security Vulnerabilities have been found in IBM Verify Identity Access and IBM Security Verify Access 08.04.2026 7.2
CVE-2026-1346 Security Vulnerabilities have been found in IBM Verify Identity Access and IBM Security Verify Access 08.04.2026 9.3
CVE-2026-3357 IBM Langflow Desktop FAISS Vector Store Remote Code Execution via malicious Pickle file 08.04.2026 8.8
CVE-2026-4788 Multiple Vulnerabilities affect IBM Tivoli Netcool Impact 08.04.2026 8.4
CVE-2026-1342 Security Vulnerabilities have been found in IBM Verify Identity Access and IBM Security Verify Access 08.04.2026 8.5
CVE-2026-2263 Hustle – Email Marketing, Lead Generation, Optins, Popups <= 7.8.10.2 - Missing Authorization to Unauthenticated Conversion Tracking Data Manipulation 07.04.2026 5.3
CVE-2026-4394 Gravity Forms <= 2.9.30 - Unauthenticated Stored Cross-Site Scripting via Credit Card 'Card Type' Sub-Field 07.04.2026 6.1
CVE-2026-4401 Download Monitor <= 5.1.10 - Cross-Site Request Forgery to Download Path Deletion and Disabling 07.04.2026 5.4
CVE-2026-4406 Gravity Forms <= 2.9.30 - Reflected Cross-Site Scripting via 'form_ids' Parameter 08.04.2026 4.7
CVE-2026-5747 Out-of-bounds Write in Firecracker virtio-pci Transport 08.04.2026 7.5
CVE-2025-20628 Insufficient granularity of access control for Remote Connector Servers in client mode 08.04.2026
CVE-2026-39935 XSS-via-i18n in localised wiki names 08.04.2026
CVE-2026-39936 Stored XSS in Score due to usage of non-reserved data attributes 08.04.2026
CVE-2026-4656 07.04.2026
CVE-2026-28386 Out-of-bounds Read in AES-CFB-128 on X86-64 with AVX-512 Support 07.04.2026
CVE-2026-28387 Potential Use-after-free in DANE Client Code 07.04.2026
CVE-2026-28388 NULL Pointer Dereference When Processing a Delta CRL 07.04.2026
CVE-2026-28389 Possible NULL Dereference When Processing CMS KeyAgreeRecipientInfo 07.04.2026
CVE-2026-28390 Possible NULL Dereference When Processing CMS KeyTransportRecipientInfo 07.04.2026
CVE-2026-31789 Heap Buffer Overflow in Hexadecimal Conversion 07.04.2026
CVE-2026-31790 Incorrect Failure Handling in RSA KEM RSASVE Encapsulation 08.04.2026
CVE-2026-39933 Multiple XSS vulnerabilities in GlobalWatchlist 08.04.2026
CVE-2026-39934 Growth Experiments ReassignMenteesJob runs as an infinite loop 08.04.2026
CVE-2026-34078 Flatpak has a complete sandbox escape leading to host file access and code execution in the host context 08.04.2026
CVE-2026-34079 Flatpak affected by arbitrary file deletion on the host filesystem 07.04.2026
CVE-2026-35406 Aardvark-dns has incorrect error handling for malformed tcp packets 07.04.2026 6.2
CVE-2026-39846 SiYuan affected by Remote Code Execution in the Electron desktop client via stored XSS in synced table captions 08.04.2026 9.1
CVE-2026-39847 Emmett has a path traversal in internal assets handler 08.04.2026 9.1
CVE-2026-39937 Global vanishing does not completely remove user email 08.04.2026
CVE-2026-34371 LibreChat Affected by Arbitrary File Write via `execute_code` Artifact Filename Traversal 07.04.2026 6.3
CVE-2026-34580 Botan has a certificate authentication bypass due to trust anchor confusion 08.04.2026
CVE-2026-34582 Botan has a TLS 1.3 certificate authentication bypass 08.04.2026
CVE-2026-34765 Electron named window.open targets not scoped to the opener's browsing context 08.04.2026 6
CVE-2026-34781 Electron crashes in clipboard.readImage() on malformed clipboard image data 07.04.2026 2.8
CVE-2026-35568 MCP Java-SDK has a DNS Rebinding Vulnerability 08.04.2026
CVE-2026-4065 Smart Slider 3 <= 3.5.1.33 - Missing Authorization to Authenticated (Contributor+) Slider Data Read and Image Record Manipulation 08.04.2026 5.4
CVE-2026-33439 Pre-Authentication Remote Code Execution via `jato.clientSession` Deserialization in OpenAM 07.04.2026
CVE-2026-34045 Podman Desktop WebView Server Exposed 08.04.2026 8.2
CVE-2026-34080 xdg-dbus-proxy has an eavesdrop filter bypass allowing message interception 08.04.2026
CVE-2026-35533 mise has a local settings bypass config trust checks 08.04.2026 7.8
CVE-2026-27949 Plane Exposes User Email (PII and part of credential) in GET Parameter 08.04.2026 2
CVE-2026-29181 OpenTelemetry-Go multi-value `baggage` header extraction causes excessive allocations (remote dos amplification) 08.04.2026 7.5
CVE-2026-32712 Open Source Point of Sale has Stored XSS in Customer Name (Sales) 08.04.2026 5.4
CVE-2026-39397 @delmaredigital/payload-puc is missing authorization on /api/puck/* CRUD endpoints allows unauthenticated access to Puck-registered collections 07.04.2026 9.4
CVE-2026-39400 Stored XSS via Job HTML/Table Output in Cronicle 07.04.2026
CVE-2026-39401 Privilege Escalation via update_event Job Output in Cronicle 07.04.2026
CVE-2025-14857 Semtech LR11xx Memory Write Access Control Bypass 07.04.2026
CVE-2025-14858 Semtech LR11xx Encrypted Firmware Disclosure 07.04.2026
CVE-2025-14859 Semtech LR11xx Secure Boot Bypass 07.04.2026
CVE-2026-32864 Out-of-Bounds Read in mgcore_SH_25_3!aligned_free() 08.04.2026 7.8
CVE-2026-39356 SQL Injection via escapeName() in all Drizzle ORM SQL dialects 08.04.2026 7.5
CVE-2026-39382 dbt has a Command Injection in Reusable Workflow via Unsanitized comment-body Output 07.04.2026
CVE-2026-39395 Cosign's verify-blob-attestation reports false positive when payload parsing fails 08.04.2026 4.3
CVE-2026-5741 suvarchal docker-mcp-server HTTP index.ts pull_image os command injection 07.04.2026
CVE-2026-32860 Out-of-Bounds Write Vulnerability in NI LabVIEW when loading lvlib file 08.04.2026 7.8
CVE-2026-32861 Out-of-Bounds Write Vulnerability in NI LabVIEW when loading lvclass file 08.04.2026 7.8
CVE-2026-32862 Out-of-Bounds Write in ResFileFactory::InitResourceMgr() 08.04.2026 7.8
CVE-2026-32863 Out-of-Bounds Read in sentry_transaction_context_set_operation() 08.04.2026 7.8
CVE-2026-39373 JWCrypto: JWE ZIP decompression bomb 07.04.2026 5.3
CVE-2026-39374 Plane IDOR: Cross-Project Issue Date Modification via Bulk Update Endpoint 08.04.2026 6.5
CVE-2026-39376 FastFeedParser has an infinite redirect loop DoS via meta-refresh chain 07.04.2026 7.5
CVE-2026-39380 Open Source Point of Sale has Stored XSS in Stock Location (Configuration) 08.04.2026 5.4
CVE-2026-39381 Parse Server's Endpoint `/sessions/me` bypasses `_Session` `protectedFields` 07.04.2026
CVE-2026-39837 Stored XSS through the dynamic table format in Cargo 07.04.2026
CVE-2026-39840 CSS injection in multiple Cargo display formats 07.04.2026
CVE-2026-39841 Stored XSS through list fields on Cargo's page values and Special:CargoTables 07.04.2026
CVE-2025-56015 07.04.2026
CVE-2025-69515 07.04.2026
CVE-2026-39322 PolarLearn: Any password authenticates banned accounts and grants API access 07.04.2026
CVE-2026-39361 OpenObserve has a SSRF Protection Bypass via IPv6 Bracket Notation in validate_enrichment_url 07.04.2026 7.7
CVE-2026-39363 Vite Affected by Arbitrary File Read via Vite Dev Server WebSocket 07.04.2026
CVE-2026-39364 Vite has a `server.fs.deny` bypass with queries 07.04.2026
CVE-2026-39365 Vite has a Path Traversal in Optimized Deps `.map` Handling 07.04.2026
CVE-2026-39366 WWBN AVideo Affected by a PayPal IPN Replay Attack Enabling Wallet Balance Inflation via Missing Transaction Deduplication in ipn.php 07.04.2026 6.5
CVE-2026-39367 WWBN AVideo has Stored XSS via Malicious EPG XML Program Titles in AVideo EPG Page 07.04.2026 5.4
CVE-2026-39368 WWBN AVideo has a Live restream log callback flow enabling stored SSRF to internal services 07.04.2026 6.5
CVE-2026-39369 WWBN AVideo's GIF poster fetch bypasses traversal scrubbing and exposes local files through public media URLs 08.04.2026 7.6
CVE-2026-39370 WWBN AVideo has an Allowlisted downloadURL media extensions bypass SSRF protection and enable internal response exfiltration (Incomplete fix for CVE-2026-27732) 07.04.2026 7.1
CVE-2026-39371 RedwoodSDK has a CSRF vulnerability in server function dispatch via GET requests 07.04.2026 8.1
CVE-2026-39838 ProofreadPage improperly sanitizes multiline styles using Sanitizer::checkCSS 07.04.2026
CVE-2026-39839 Stored XSS through URLs in Cargo's map format 07.04.2026
CVE-2026-3566 07.04.2026
CVE-2026-5739 PowerJob OpenAPI Endpoint addWorkflowNode GroovyEvaluator.evaluate code injection 07.04.2026
CVE-2025-71058 07.04.2026
CVE-2026-22711 Stored XSS through system messages in WikiLove 07.04.2026
CVE-2026-39351 Frappe allows unrestricted Doctype access via API exploit 07.04.2026
CVE-2026-39354 Scoold has an Authenticated Arbitrary Question Overwrite via Client-Controlled postId in POST /questions/ask 07.04.2026 6.5
CVE-2026-39355 Genealogy is Missing Authorization in `TeamController::transferOwnership()` Allows Any Authenticated User to Hijack Any Team (Broken Access Control) 07.04.2026 10
CVE-2026-39360 RustFS has an authorization bypass in multipart UploadPartCopy enables cross-bucket object exfiltration 07.04.2026
CVE-2026-5736 PowerJob detailPlus Endpoint InstanceController.java sql injection 07.04.2026
CVE-2026-5762 ReportIncident DiscussionTools integration causes slow requests 07.04.2026