📅 Daily Security Digest — Wednesday, April 8, 2026

🇸🇦 Saudi Cyber Daily Digest

All security vulnerabilities, threats, and news aggregated today from trusted sources — continuously updated

149 CVEs
18 Threats
0 News
32 Critical
30 CISA KEV
🛡 Security Vulnerabilities (CVE)
149 vulnerabilities
CVE-2026-1340
Ivanti EPMM Unauthenticated Remote Code Execution via Code Injection
05:00 KSA
CRITICAL CVSS 9.8 ⚠ CISA KEV
Ivanti Endpoint Manager Mobile (EPMM) — CVE-2026-1340 Ivanti Endpoint Manager Mobile (EPMM) contains a code injection vulnerability that could allow attackers to achieve unauthenticated remote code execution. Required Action: Apply mitigations per vendor instructions, follow app…
CVE-2026-1346
IBM Verify Identity Access Privilege Escalation to Root (CVE-2026-1346)
20:54 KSA
CRITICAL CVSS 9.3 CWE-250
IBM Verify Identity Access Container 11.0 through 11.0.2 and IBM Security Verify Access Container 10.0 through 10.0.9.1 and IBM Verify Identity Access 11.0 through 11.0.2 and IBM Security Verify Access 10.0 through 10.0.9.1 could allow a locally authenticated user to escalate the…
CVE-2017-12238
Cisco Catalyst 6800 Series Switches VPLS Denial-of-Service Vulnerability
11:01 KSA
CRITICAL CVSS 9.0 ⚠ CISA KEV
Cisco Catalyst 6800 Series Switches VPLS Denial-of-Service Vulnerability — A vulnerability in the Virtual Private LAN Service (VPLS) code of Cisco IOS for Cisco Catalyst 6800 Series Switches could allow an unauthenticated, adjacent attacker to cause a denial of service.
CVE-2017-12240
Cisco IOS and IOS XE Software DHCP Remote Code Execution Vulnerability
11:01 KSA
CRITICAL CVSS 9.0 ⚠ CISA KEV
Cisco IOS and IOS XE Software DHCP Remote Code Execution Vulnerability — The Dynamic Host Configuration Protocol (DHCP) relay subsystem of Cisco IOS and Cisco IOS XE Software contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code a…
CVE-2017-12319
Cisco IOS XE Software Ethernet Virtual Private Network Border Gateway Protocol Denial-of-Service Vulnerability
11:01 KSA
CRITICAL CVSS 9.0 ⚠ CISA KEV
Cisco IOS XE Software Ethernet Virtual Private Network Border Gateway Protocol Denial-of-Service Vulnerability — A vulnerability in the Border Gateway Protocol (BGP) over an Ethernet Virtual Private Network (EVPN) for Cisco IOS XE Software could allow an unauthenticated, remote a…
CVE-2017-12615
Apache Tomcat on Windows Remote Code Execution Vulnerability
11:01 KSA
CRITICAL CVSS 9.0 ⚠ CISA KEV
Apache Tomcat on Windows Remote Code Execution Vulnerability — When running Apache Tomcat on Windows with HTTP PUTs enabled, it is possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be exec…
CVE-2017-12617
Apache Tomcat Remote Code Execution Vulnerability
11:01 KSA
CRITICAL CVSS 9.0 ⚠ CISA KEV
Apache Tomcat Remote Code Execution Vulnerability — When running Apache Tomcat, it is possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.
CVE-2017-12637
SAP NetWeaver Directory Traversal Vulnerability
11:01 KSA
CRITICAL CVSS 9.0 ⚠ CISA KEV
SAP NetWeaver Directory Traversal Vulnerability — SAP NetWeaver Application Server (AS) Java contains a directory traversal vulnerability in scheduler/ui/js/ffffffffbca41eb4/UIUtilJavaScriptJS that allows a remote attacker to read arbitrary files via a .. (dot dot) in the query s…
CVE-2017-15944
Palo Alto Networks PAN-OS Remote Code Execution Vulnerability
11:01 KSA
CRITICAL CVSS 9.0 ⚠ CISA KEV
Palo Alto Networks PAN-OS Remote Code Execution Vulnerability — Palo Alto Networks PAN-OS contains multiple, unspecified vulnerabilities which can allow for remote code execution when chained.
CVE-2017-16651
Roundcube Webmail File Disclosure Vulnerability
11:01 KSA
CRITICAL CVSS 9.0 ⚠ CISA KEV
Roundcube Webmail File Disclosure Vulnerability — Roundcube Webmail contains a file disclosure vulnerability caused by insufficient input validation in conjunction with file-based attachment plugins, which are used by default.
CVE-2017-17562
Embedthis GoAhead Remote Code Execution Vulnerability
11:01 KSA
CRITICAL CVSS 9.0 ⚠ CISA KEV
Embedthis GoAhead Remote Code Execution Vulnerability — Embedthis GoAhead before 3.6.5 allows remote code execution if CGI is enabled and a CGI program is dynamically linked.
CVE-2017-18362
Kaseya VSA SQL Injection Vulnerability
11:01 KSA
CRITICAL CVSS 9.0 ⚠ CISA KEV
Kaseya VSA SQL Injection Vulnerability — ConnectWise ManagedITSync integration for Kaseya VSA is vulnerable to unauthenticated remote commands that allow full direct access to the Kaseya VSA database.
CVE-2017-18368
Zyxel P660HN-T1A Routers Command Injection Vulnerability
11:01 KSA
CRITICAL CVSS 9.0 ⚠ CISA KEV
Zyxel P660HN-T1A Routers Command Injection Vulnerability — Zyxel P660HN-T1A routers contain a command injection vulnerability in the Remote System Log forwarding function, which is accessible by an unauthenticated user and exploited via the remote_host parameter of the ViewLog.as…
CVE-2017-3066
Adobe ColdFusion Deserialization Vulnerability
11:01 KSA
CRITICAL CVSS 9.0 ⚠ CISA KEV
Adobe ColdFusion Deserialization Vulnerability — Adobe ColdFusion contains a deserialization vulnerability in the Apache BlazeDS library that allows for arbitrary code execution.
CVE-2017-3506
Oracle WebLogic Server OS Command Injection Vulnerability
11:01 KSA
CRITICAL CVSS 9.0 ⚠ CISA KEV
Oracle WebLogic Server OS Command Injection Vulnerability — Oracle WebLogic Server, a product within the Fusion Middleware suite, contains an OS command injection vulnerability that allows an attacker to execute arbitrary code via a specially crafted HTTP request that includes a …
CVE-2017-3881
Cisco IOS and IOS XE Remote Code Execution Vulnerability
11:01 KSA
CRITICAL CVSS 9.0 ⚠ CISA KEV
Cisco IOS and IOS XE Remote Code Execution Vulnerability — A vulnerability in the Cisco Cluster Management Protocol (CMP) processing code in Cisco IOS and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a reload of an affected device or remotely exe…
CVE-2017-5030
Google Chromium V8 Memory Corruption Vulnerability
11:01 KSA
CRITICAL CVSS 9.0 ⚠ CISA KEV
Google Chromium V8 Memory Corruption Vulnerability — Google Chromium V8 Engine contains a memory corruption vulnerability that allows a remote attacker to execute code via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including,…
CVE-2017-5070
Google Chromium V8 Type Confusion Vulnerability
11:01 KSA
CRITICAL CVSS 9.0 ⚠ CISA KEV
Google Chromium V8 Type Confusion Vulnerability — Google Chromium V8 Engine contains a type confusion vulnerability that allows a remote attacker to execute code inside a sandbox via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium,…
CVE-2017-5521
NETGEAR Multiple Devices Exposure of Sensitive Information Vulnerability
11:01 KSA
CRITICAL CVSS 9.0 ⚠ CISA KEV
NETGEAR Multiple Devices Exposure of Sensitive Information Vulnerability — Multiple NETGEAR devices are prone to admin password disclosure via simple crafted requests to the web management server.
CVE-2017-5638
Apache Struts Remote Code Execution Vulnerability
11:01 KSA
CRITICAL CVSS 9.0 ⚠ CISA KEV
Apache Struts Remote Code Execution Vulnerability — Apache Struts Jakarta Multipart parser allows for malicious file upload using the Content-Type value, leading to remote code execution.
CVE-2017-5689
Intel Active Management Technology (AMT), Small Business Technology (SBT), and Standard Manageability Privilege Escalation Vulnerability
11:01 KSA
CRITICAL CVSS 9.0 ⚠ CISA KEV
Intel Active Management Technology (AMT), Small Business Technology (SBT), and Standard Manageability Privilege Escalation Vulnerability — Intel products contain a vulnerability which can allow attackers to perform privilege escalation.
CVE-2017-6077
NETGEAR DGN2200 Remote Code Execution Vulnerability
11:01 KSA
CRITICAL CVSS 9.0 ⚠ CISA KEV
NETGEAR DGN2200 Remote Code Execution Vulnerability — NETGEAR DGN2200 wireless routers contain a vulnerability that allows for remote code execution.
CVE-2017-6316
Citrix Multiple Products Remote Code Execution Vulnerability
11:01 KSA
CRITICAL CVSS 9.0 ⚠ CISA KEV
Citrix Multiple Products Remote Code Execution Vulnerability — A vulnerability has been identified in the management interface of Citrix NetScaler SD-WAN Enterprise and Standard Edition and Citrix CloudBridge Virtual WAN Edition that could result in an unauthenticated, remote att…
CVE-2017-6327
Symantec Messaging Gateway Remote Code Execution Vulnerability
11:01 KSA
CRITICAL CVSS 9.0 ⚠ CISA KEV
Symantec Messaging Gateway Remote Code Execution Vulnerability — Symantec Messaging Gateway contains an unspecified vulnerability which can allow for remote code execution. With the ability to perform remote code execution, an attacker may also desire to perform privilege escalat…
CVE-2017-6627
Cisco IOS Software and Cisco IOS XE Software UDP Packet Processing Denial-of-Service Vulnerability
11:01 KSA
CRITICAL CVSS 9.0 ⚠ CISA KEV
Cisco IOS Software and Cisco IOS XE Software UDP Packet Processing Denial-of-Service Vulnerability — A vulnerability in the UDP processing code of Cisco IOS and IOS XE could allow an unauthenticated, remote attacker to cause the input queue of an affected system to hold UDP packe…
CVE-2017-6737
Cisco IOS and IOS XE Software SNMP Remote Code Execution Vulnerability
11:01 KSA
CRITICAL CVSS 9.0 ⚠ CISA KEV
Cisco IOS and IOS XE Software SNMP Remote Code Execution Vulnerability — The Simple Network Management Protocol (SNMP) subsystem of Cisco IOS and IOS XE contains a vulnerability that could allow an authenticated, remote attacker to remotely execute code.
CVE-2017-6738
Cisco IOS and IOS XE Software SNMP Remote Code Execution Vulnerability
11:01 KSA
CRITICAL CVSS 9.0 ⚠ CISA KEV
Cisco IOS and IOS XE Software SNMP Remote Code Execution Vulnerability — The Simple Network Management Protocol (SNMP) subsystem of Cisco IOS and IOS XE contains a vulnerability that could allow an authenticated, remote attacker to remotely execute code.
CVE-2017-6744
Cisco IOS Software SNMP Remote Code Execution Vulnerability
11:01 KSA
CRITICAL CVSS 9.0 ⚠ CISA KEV
Cisco IOS Software SNMP Remote Code Execution Vulnerability — The Simple Network Management Protocol (SNMP) subsystem of Cisco IOS 1 contains a vulnerability that could allow an authenticated, remote attacker to remotely execute code on an affected system or cause an affected sys…
CVE-2017-6862
NETGEAR Multiple Devices Buffer Overflow Vulnerability
11:01 KSA
CRITICAL CVSS 9.0 ⚠ CISA KEV
NETGEAR Multiple Devices Buffer Overflow Vulnerability — Multiple NETGEAR devices contain a buffer overflow vulnerability that allows for authentication bypass and remote code execution.
CVE-2017-6884
Zyxel EMG2926 Routers Command Injection Vulnerability
11:01 KSA
CRITICAL CVSS 9.0 ⚠ CISA KEV
Zyxel EMG2926 Routers Command Injection Vulnerability — Zyxel EMG2926 routers contain a command injection vulnerability located in the diagnostic tools, specifically the nslookup function. A malicious user may exploit numerous vectors to execute malicious commands on the router, …
CVE-2017-7269
Microsoft Windows Server Buffer Overflow Vulnerability
11:01 KSA
CRITICAL CVSS 9.0 ⚠ CISA KEV
Microsoft Windows Server Buffer Overflow Vulnerability — Microsoft Windows Server 2003 R2 contains a buffer overflow vulnerability in Internet Information Services (IIS) 6.0 which allows remote attackers to execute code via a long header beginning with "If: <http://" in a PROPFIN…
CVE-2026-39860
Nix Package Manager Symlink Following Arbitrary File Overwrite
22:47 KSA
CRITICAL CVSS 9.0 CWE-61
Nix is a package manager for Linux and other Unix systems. A bug in the fix for CVE-2024-27297 allowed for arbitrary overwrites of files writable by the Nix process orchestrating the builds (typically the Nix daemon running as root in multi-user installations) by following symlin…
CVE-2026-0522
04:00 KSA
HIGH CVSS 8.8 CWE-610
A local file inclusion vulnerability in the upload/download flow of the VertiGIS FM application allows authenticated attackers to read arbitrary files from the server by manipulating a file's path during its upload. When the file is subsequently downloaded, the file in the attack…
CVE-2026-24096
04:00 KSA
HIGH CVSS 8.8 CWE-280
Insufficient permission validation on multiple REST API Quick Setup endpoints in Checkmk 2.5.0 (beta) before version 2.5.0b2 and 2.4.0 before version 2.4.0p25 allows low-privileged users to perform unauthorized actions or obtain sensitive information.
CVE-2026-3243
00:18 KSA
HIGH CVSS 8.8 CWE-22
The Advanced Members for ACF plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the create_crop function in all versions up to, and including, 1.2.5. This makes it possible for authenticated attackers, with Subscriber-level a…
CVE-2026-3357
00:18 KSA
HIGH CVSS 8.8 CWE-502
IBM Langflow Desktop 1.6.0 through 1.8.2 Langflow could allow an authenticated user to execute arbitrary code on the system, caused by an insecure default setting which permits the deserialization of untrusted data in the FAISS component.
CVE-2026-3499
00:18 KSA
HIGH CVSS 8.8 CWE-352
The Product Feed PRO for WooCommerce by AdTribes – Product Feeds for WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions 13.4.6 through 13.5.2.1. This is due to missing or incorrect nonce validation on the ajax_migrate_to_custom_post_type, aja…
CVE-2026-3692
04:00 KSA
HIGH CVSS 8.8 CWE-78
In Progress Flowmon versions prior to 12.5.8, a vulnerability exists whereby an authenticated low-privileged user may craft a request during the report generation process that results in unintended commands being executed on the server.
CVE-2026-5566
17:36 KSA
HIGH CVSS 8.8 CWE-119
A vulnerability was detected in UTT HiPER 1250GW up to 3.2.7-210907-180535. This affects the function strcpy of the file /goform/formNatStaticMap. Performing a manipulation of the argument NatBind results in buffer overflow. Remote exploitation of the attack is possible. The expl…
CVE-2026-5567
17:36 KSA
HIGH CVSS 8.8 CWE-119
A flaw has been found in Tenda M3 1.0.0.10. This vulnerability affects the function setAdvPolicyData of the file /goform/setAdvPolicyData of the component Destination Handler. Executing a manipulation of the argument policyType can lead to buffer overflow. The attack can be execu…
CVE-2026-1342
18:17 KSA
HIGH CVSS 8.5 CWE-829
IBM Verify Identity Access Container 11.0 through 11.0.2 and IBM Security Verify Access Container 10.0 through 10.0.9.1 and IBM Verify Identity Access 11.0 through 11.0.2 and IBM Security Verify Access 10.0 through 10.0.9.1 could allow a locally authenticated user to execute mali…
CVE-2019-25656
22:36 KSA
HIGH CVSS 8.4 CWE-787
R i386 3.5.0 contains a local buffer overflow vulnerability in the GUI Preferences dialog that allows local attackers to trigger a structured exception handler (SEH) overwrite by supplying malicious input. Attackers can craft a payload string in the 'Language for menus and messag…
CVE-2026-4788
00:18 KSA
HIGH CVSS 8.4 CWE-532
IBM Tivoli Netcool Impact 7.1.0.0 through 7.1.0.37 stores sensitive information in log files that could be read by a local user.
CVE-2019-25662
22:36 KSA
HIGH CVSS 8.2 CWE-89
ResourceSpace 8.6 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'ref' parameter. Attackers can send GET requests to the watched_searches.php endpoint with crafted SQL payloads…
CVE-2026-5436
00:18 KSA
HIGH CVSS 8.1 CWE-22
The MW WP Form plugin for WordPress is vulnerable to Arbitrary File Move/Read in all versions up to and including 5.1.1. This is due to insufficient validation of the $name parameter (upload field key) passed to the generate_user_file_dirpath() function, which uses WordPress's pa…
CVE-2026-30814
02:16 KSA
HIGH CVSS 8.0 CWE-121
A stack-based buffer overflow in the tmpServer module of TP-Link Archer AX53 v1.0 allows an authenticated adjacent attacker to trigger a segmentation fault and potentially execute arbitrary code via a specially crafted configuration file. Successful exploitation may cause a crash…
CVE-2026-30815
02:16 KSA
HIGH CVSS 8.0 CWE-78
An OS command injection vulnerability in the OpenVPN module of TP-Link Archer AX53 v1.0 allows an authenticated adjacent attacker to execute system commands when a specially crafted configuration file is processed due to insufficient input validation. Successful exploitation may …
CVE-2026-30818
02:16 KSA
HIGH CVSS 8.0 CWE-78
An OS command injection vulnerability in the dnsmasq module of TP-Link Archer AX53 v1.0 allows an authenticated adjacent attacker to execute arbitrary code when a specially crafted configuration file is processed due to insufficient input validation. Successful exploitation may a…
CVE-2026-40029
00:18 KSA
HIGH CVSS 7.8 CWE-78
parseusbs before 1.9 contains an OS command injection vulnerability in parseUSBs.py where LNK file paths are passed unsanitized into an os.popen() shell command, allowing arbitrary command execution via crafted .lnk filenames containing shell metacharacters. An attacker can craft…
CVE-2026-40030
03:00 KSA
HIGH CVSS 7.8 CWE-78
parseusbs before 1.9 contains an OS command injection vulnerability where the volume listing path argument (-v flag) is passed unsanitized into an os.popen() shell command with ls, allowing arbitrary command injection via crafted volume path arguments containing shell metacharact…
CVE-2026-40031
06:32 KSA
HIGH CVSS 7.8 CWE-427
MemProcFS before 5.17 contains multiple unsafe library-loading patterns that enable DLL and shared-library hijacking across six attack surfaces, including bare-name LoadLibraryU and dlopen calls without path qualification for vmmpyc, libMSCompression, and plugin DLLs. An attacker…
CVE-2026-40032
06:32 KSA
HIGH CVSS 7.8 CWE-78
UAC (Unix-like Artifacts Collector) before 3.3.0-rc1 contains a command injection vulnerability in the placeholder substitution and command execution pipeline where the _run_command() function passes constructed command strings directly to eval without proper sanitization. Attack…
CVE-2026-5271
04:00 KSA
HIGH CVSS 7.8 CWE-427
pymanager included the current working directory in sys.path meaning modules could be shadowed by modules in the current working directory. As a result, if a user executes a pymanager-generated command (e.g., pip, pytest) from an attacker-controlled directory, a malicious module…
CVE-2026-5726
ASDA-Soft Stack-based Buffer Overflow Vulnerability
21:26 KSA
HIGH CVSS 7.8 CWE-121
CVE-2026-34576
04:00 KSA
HIGH CVSS 7.7 CWE-918
Postiz is an AI social media scheduling tool. Prior to version 2.21.3, the POST /public/v1/upload-from-url endpoint accepts a user-supplied URL and fetches it server-side using axios.get() with no SSRF protections. The only validation is a file extension check (.png, .jpg, etc.) …
CVE-2025-50650
00:18 KSA
HIGH CVSS 7.5 CWE-120
A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to inadequate validation of input size in the routes_static parameter in the /router.asp endpoint.
CVE-2025-50652
00:18 KSA
HIGH CVSS 7.5 CWE-120
An issue in D-Link DI-8003 16.07.26A1 related to improper handling of the id parameter in the /saveparm_usb.asp endpoint.
CVE-2025-50653
00:18 KSA
HIGH CVSS 7.5 CWE-120
A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to improper handling of the name and mem parameters in the /time_group.asp endpoint.
CVE-2025-50654
00:18 KSA
HIGH CVSS 7.5 CWE-120
A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to improper validation of the id parameter in the /thd_member.asp endpoint.
CVE-2025-52222
22:16 KSA
HIGH CVSS 7.5 CWE-120
D-Link DI-8003 v16.07.26A1, DI-8500 v16.07.26A1; DI-8003G v17.12.21A1, DI-8200G v17.12.20A1, DI-8200 v16.07.26A1, DI-8400 v16.07.26A1, DI-8004w v16.07.26A1, DI-8100 v16.07.26A1, and DI-8100G v17.12.20A1 were discovered to contain a buffer overflow via the rd_en, rd_auth, rd_acct,…
CVE-2026-27489
04:00 KSA
HIGH CVSS 7.5 CWE-23
Open Neural Network Exchange (ONNX) is an open standard for machine learning interoperability. Prior to version 1.21.0, a path traversal vulnerability via symlink allows reading arbitrary files outside the model or user-provided directory. This issue has been patched in version 1.21.…
CVE-2026-3396
00:18 KSA
HIGH CVSS 7.5 CWE-89
WCAPF – WooCommerce Ajax Product Filter plugin is vulnerable to time-based SQL Injection via the 'post-author' parameter in all versions up to, and including, 4.2.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL …
CVE-2026-34543
04:00 KSA
HIGH CVSS 7.5 CWE-908
OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From version 3.4.0 to before version 3.4.8, sensitive information from heap memory may be leaked through the decoded pixel data (inform…
CVE-2026-35525
00:18 KSA
HIGH CVSS 7.5 CWE-61
LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to 10.25.3, for {% include %}, {% render %}, and {% layout %}, LiquidJS checks whether the candidate path is inside the configured partials or layouts roots before reading it. That check is …
CVE-2026-40036
06:32 KSA
HIGH CVSS 7.5 CWE-409
Unfurl before 2026.04 contains an unbounded zlib decompression vulnerability in parse_compressed.py that allows remote attackers to cause denial of service. Attackers can submit highly compressed payloads via URL parameters to the /json/visjs endpoint that expand to gigabytes, ex…
CVE-2026-34544
04:00 KSA
HIGH CVSS 7.3 CWE-190
OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From version 3.4.0 to before version 3.4.8, a crafted B44 or B44A EXR file can cause an out-of-bounds write in any application that dec…
CVE-2026-34545
04:00 KSA
HIGH CVSS 7.3 CWE-122
OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From version 3.4.0 to before version 3.4.7, an attacker providing a crafted .exr file with HTJ2K compression and a channel width of 327…
CVE-2026-40027
00:18 KSA
HIGH CVSS 7.3 CWE-22
ALEAPP (Android Logs Events And Protobuf Parser) through 3.4.0 contains a path traversal vulnerability in the NQ_Vault.py artifact parser that uses attacker-controlled file_name_from values from a database directly as the output filename, allowing arbitrary file writes outside th…
CVE-2026-5555
16:32 KSA
HIGH CVSS 7.3 CWE-74
A weakness has been identified in code-projects Concert Ticket Reservation System 1.0. This affects an unknown part of the file /ConcertTicketReservationSystem-master/login.php of the component Parameter Handler. Executing a manipulation of the argument Email can lead to SQL inje…
CVE-2026-5562
16:32 KSA
HIGH CVSS 7.3 CWE-74
A vulnerability was identified in provectus kafka-ui up to 0.7.2. This impacts the function validateAccess of the file /api/smartfilters/testexecutions of the component Endpoint. The manipulation leads to code injection. The attack can be initiated remotely. The exploit is public…
CVE-2026-5564
16:32 KSA
HIGH CVSS 7.3 CWE-74
A weakness has been identified in code-projects Simple Laundry System 1.0. Affected by this vulnerability is an unknown functionality of the file /searchguest.php of the component Parameter Handler. This manipulation of the argument searchServiceId causes SQL injection. The attac…
CVE-2026-5565
17:36 KSA
HIGH CVSS 7.3 CWE-74
A security vulnerability has been detected in code-projects Simple Laundry System 1.0. Affected by this issue is some unknown functionality of the file /delmemberinfo.php of the component Parameter Handler. Such manipulation of the argument userid leads to SQL injection. The atta…
CVE-2026-5569
17:36 KSA
HIGH CVSS 7.3 CWE-266
A vulnerability was found in Technostrobe HI-LED-WR120-G2 5.5.0.1R6.03.30. Impacted is an unknown function of the file /Technostrobe/ of the component Endpoint. The manipulation results in improper access controls. The attack may be performed remotely. The exploit has been mad…
CVE-2026-5570
22:36 KSA
HIGH CVSS 7.3 CWE-287
A vulnerability was determined in Technostrobe HI-LED-WR120-G2 5.5.0.1R6.03.30. The affected element is the function index_config of the file /LoginCB. This manipulation causes improper authentication. It is possible to initiate the attack remotely. The exploit has been publicly …
CVE-2026-5573
22:36 KSA
HIGH CVSS 7.3 CWE-284
A weakness has been identified in Technostrobe HI-LED-WR120-G2 5.5.0.1R6.03.30. This impacts an unknown function of the file /fs. Executing a manipulation of the argument cwd can lead to unrestricted upload. The attack can be launched remotely. The exploit has been made available…
CVE-2026-5575
22:36 KSA
HIGH CVSS 7.3 CWE-74
A vulnerability was detected in SourceCodester/jkev Record Management System 1.0. Affected by this vulnerability is an unknown functionality of the file index.php of the component Login. The manipulation of the argument Username results in SQL injection. The attack may be launche…
CVE-2026-5577
22:36 KSA
HIGH CVSS 7.3 CWE-74
A vulnerability has been found in Song-Li cross_browser up to ca690f0fe6954fd9bcda36d071b68ed8682a786a. This affects an unknown part of the file flask/uniquemachine_app.py of the component details Endpoint. Such manipulation of the argument ID leads to SQL injection. The attack c…
CVE-2026-5802
00:18 KSA
HIGH CVSS 7.3 CWE-77
A vulnerability was identified in idachev mcp-javadc up to 1.2.4. Impacted is an unknown function of the component HTTP Interface. Such manipulation of the argument jarFilePath leads to OS command injection. It is possible to launch the attack remotely. The exploit is publicly av…
CVE-2026-5805
00:18 KSA
HIGH CVSS 7.3 CWE-74
A weakness has been identified in code-projects Easy Blog Site up to 1.0. The impacted element is an unknown function of the file /users/contact_us.php. Executing a manipulation of the argument Name can lead to SQL injection. The attack can be launched remotely. The exploit has b…
CVE-2026-5813
06:32 KSA
HIGH CVSS 7.3 CWE-74
A weakness has been identified in PHPGurukul Online Course Registration 3.1. This vulnerability affects unknown code of the file /check_availability.php. Executing a manipulation of the argument cid can lead to SQL injection. It is possible to launch the attack remotely. The expl…
CVE-2026-1343
20:54 KSA
HIGH CVSS 7.2 CWE-918
IBM Verify Identity Access Container 11.0 through 11.0.2 and IBM Security Verify Access Container 10.0 through 10.0.9.1 and IBM Verify Identity Access 11.0 through 11.0.2 and IBM Security Verify Access 10.0 through 10.0.9.1 allows an attacker to contact internal authentication en…
CVE-2026-29782
04:00 KSA
HIGH CVSS 7.2 CWE-502
OpenSTAManager is an open source management software for technical assistance and invoicing. Prior to version 2.10.2, the oauth2.php file in OpenSTAManager is an unauthenticated endpoint ($skip_permissions = true). It loads a record from the zz_oauth2 table using the attacker-con…
CVE-2026-4808
00:18 KSA
HIGH CVSS 7.2 CWE-434
The Gerador de Certificados – DevApps plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the moveUploadedFile() function in all versions up to, and including, 1.3.6. This makes it possible for authenticated attackers, with Administ…
CVE-2026-32589
00:18 KSA
HIGH CVSS 7.1 CWE-639
A flaw was found in Red Hat Quay's container image upload process. An authenticated user with push access to any repository on the registry can interfere with image uploads in progress by other users, including those in repositories they do not have access to. This could allow th…
CVE-2026-32590
00:18 KSA
HIGH CVSS 7.1 CWE-502
A flaw was found in Red Hat Quay's handling of resumable container image layer uploads. The upload process stores intermediate data in the database using a format that, if tampered with, could allow an attacker to execute arbitrary code on the Quay server.
CVE-2026-34603
04:00 KSA
HIGH CVSS 7.1 CWE-22
Tina is a headless content management system. Prior to version 2.2.2, @tinacms/cli recently added lexical path-traversal checks to the dev media routes, but the implementation still validates only the path string and does not resolve symlink or junction targets. If a link already…
CVE-2026-34604
04:00 KSA
HIGH CVSS 7.1 CWE-22
Tina is a headless content management system. Prior to version 2.2.2, @tinacms/graphql uses string-based path containment checks in FilesystemBridge. That blocks plain ../ traversal, but it does not resolve symlink or junction targets. If a symlink/junction already exists under t…
CVE-2026-40024
00:18 KSA
HIGH CVSS 7.1 CWE-22
The Sleuth Kit through 4.14.0 contains a path traversal vulnerability in tsk_recover that allows an attacker to write files to arbitrary locations outside the intended recovery directory via crafted filenames or directory paths with path traversal sequences in a filesystem image.…
CVE-2026-39883
00:18 KSA
HIGH CVSS 7.0 CWE-426
OpenTelemetry-Go is the Go implementation of OpenTelemetry. From 1.15.0 to 1.42.0, the fix for CVE-2026-24051 changed the Darwin ioreg command to use an absolute path but left the BSD kenv command using a bare name, allowing the same PATH hijacking attack on BSD and Solaris platf…
CVE-2025-30650
03:18 KSA
MEDIUM CVSS 6.7 CWE-306
A Missing Authentication for Critical Function vulnerability in command processing of Juniper Networks Junos OS allows a privileged local attacker to gain access to line cards running Junos OS Evolved as root. This issue affects systems running Junos OS using Linux-based line …
CVE-2026-1672
01:10 KSA
MEDIUM CVSS 6.5 CWE-352
The BEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.5. This is due to missing nonce validation on the woobe_redraw_table_row() function.…
CVE-2026-1865
01:10 KSA
MEDIUM CVSS 6.5 CWE-89
The User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder plugin for WordPress is vulnerable to SQL Injection via the ‘membership_ids[]’ parameter in all versions up to, and including, …
CVE-2026-2377
03:18 KSA
MEDIUM CVSS 6.5 CWE-918
A flaw was found in mirror-registry. Authenticated users can exploit the log export feature by providing a specially crafted web address (URL). This allows the application's backend to make arbitrary requests to internal network resources, a vulnerability known as Server-Side Req…
CVE-2026-3480
WP Blockade Plugin Missing Authorization in Shortcode Execution
18:37 KSA
MEDIUM CVSS 6.5 CWE-862
The WP Blockade plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 0.9.14. The plugin registers an admin_post action hook 'wp-blockade-shortcode-render' that maps to the render_shortcode_preview() function. This function lacks any capa…
CVE-2026-40037
09:48 KSA
MEDIUM CVSS 6.5 CWE-601
OpenClaw before 2026.3.31 (patched in 2026.4.8) contains a request body replay vulnerability in fetchWithSsrFGuard that allows unsafe request bodies to be resent across cross-origin redirects. Attackers can exploit this by triggering redirects to exfiltrate sensitive request data…
CVE-2025-14732
10:09 KSA
MEDIUM CVSS 6.4 CWE-87
The Elementor Website Builder – More Than Just a Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several widget parameters in all versions up to, and including, 3.35.5 due to insufficient input sanitization and output escaping. This makes it pos…
CVE-2025-57847
01:10 KSA
MEDIUM CVSS 6.4 CWE-276
A container privilege escalation flaw was found in certain Ansible Automation Platform images. This issue arises from the /etc/passwd file being created with group-writable permissions during the build process. In certain conditions, an attacker who can execute commands within an…
CVE-2025-57851
01:10 KSA
MEDIUM CVSS 6.4 CWE-276
A container privilege escalation flaw was found in certain Multicluster Engine for Kubernetes images. This issue stems from the /etc/passwd file being created with group-writable permissions during build time. In certain conditions, an attacker who can execute commands within an …
CVE-2025-57853
01:10 KSA
MEDIUM CVSS 6.4 CWE-276
A container privilege escalation flaw was found in certain Web Terminal images. This issue stems from the /etc/passwd file being created with group-writable permissions during build time. In certain conditions, an attacker who can execute commands within an affected container, ev…
CVE-2025-57854
01:10 KSA
MEDIUM CVSS 6.4 CWE-276
A container privilege escalation flaw was found in certain OpenShift Update Service (OSUS) images. This issue stems from the /etc/passwd file being created with group-writable permissions during build time. In certain conditions, an attacker who can execute commands within an aff…
CVE-2025-58713
03:18 KSA
MEDIUM CVSS 6.4 CWE-276
A container privilege escalation flaw was found in certain Red Hat Process Automation Manager images. This issue stems from the /etc/passwd file being created with group-writable permissions during build time. In certain conditions, an attacker who can execute commands within an …
CVE-2026-1396
01:10 KSA
MEDIUM CVSS 6.4 CWE-79
The Magic Conversation For Gravity Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'magic-conversation' shortcode in all versions up to, and including, 3.0.97 due to insufficient input sanitization and output escaping on user supplied attributes. T…
CVE-2026-2481
01:10 KSA
MEDIUM CVSS 6.4 CWE-79
The Beaver Builder Page Builder – Drag and Drop Website Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'settings[js]' parameter in versions up to, and including, 2.10.1.1 due to insufficient input sanitization and output escaping. This makes it …
CVE-2026-2509
03:18 KSA
MEDIUM CVSS 6.4 CWE-79
The Page Builder: Pagelayer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Button widget's Custom Attributes field in all versions up to, and including, 2.0.8. This is due to an incomplete event handler blocklist in the 'pagelayer_xss_content' XSS filte…
CVE-2026-2988
12:16 KSA
MEDIUM CVSS 6.4 CWE-79
The Blubrry PowerPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'powerpress' and 'podcast' shortcodes in versions up to, and including, 11.15.15 due to insufficient input sanitization and output escaping. This makes it possible for authenticated a…
CVE-2026-3142
14:23 KSA
MEDIUM CVSS 6.4 CWE-79
The Pinterest Site Verification plugin using Meta Tag plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'post_var' parameter in versions up to, and including, 1.8 due to insufficient input sanitization and output escaping. This makes it possible for authen…
CVE-2026-3239
12:16 KSA
MEDIUM CVSS 6.4 CWE-79
The Strong Testimonials plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's testimonial_view shortcode in all versions up to, and including, 3.2.21 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it…
CVE-2026-3311
14:23 KSA
MEDIUM CVSS 6.4 CWE-79
The The Plus Addons for Elementor – Addons for Elementor, Page Templates, Widgets, Mega Menu, WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Progress Bar shortcode in all versions up to, and including, 6.4.9 due to insufficient inpu…
CVE-2026-3513
12:16 KSA
MEDIUM CVSS 6.4 CWE-79
The TableOn – WordPress Posts Table Filterable plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'tableon_button' shortcode in all versions up to and including 1.0.4.4. This is due to insufficient input sanitization and output escaping on user-supplied sho…
CVE-2026-3600
12:16 KSA
MEDIUM CVSS 6.4 CWE-79
The Investi plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'investi-announcements-accordion' shortcode's 'maximum-num-years' attribute in all versions up to, and including, 1.0.26. This is due to insufficient input sanitization and output escaping on us…
CVE-2026-3618
18:37 KSA
MEDIUM CVSS 6.4 CWE-79
The Columns by BestWebSoft plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' shortcode attribute of the [print_clmns] shortcode in all versions up to and including 1.0.3. This is due to insufficient input sanitization and output escaping on the 'id' a…
CVE-2026-4025
01:10 KSA
MEDIUM CVSS 6.4 CWE-79
The PrivateContent Free plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'align' shortcode attribute in the [pc-login-form] shortcode in all versions up to, and including, 1.2.0. This is due to insufficient input sanitization and output escaping on the 'a…
CVE-2026-4073
01:10 KSA
MEDIUM CVSS 6.4 CWE-79
The pdfl.io plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'pdflio' shortcode in all versions up to, and including, 1.0.5. This is due to insufficient input sanitization and output escaping on the 'text' shortcode attribute. The output_shortcode() funct…
CVE-2026-4300
01:10 KSA
MEDIUM CVSS 6.4 CWE-79
The Robo Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Loading Label' setting in all versions up to, and including, 5.1.3. The plugin uses a custom `|***...***|` marker pattern in its `fixJsFunction()` method to embed raw JavaScript function r…
CVE-2026-4303
01:10 KSA
MEDIUM CVSS 6.4 CWE-79
The WP Visitor Statistics (Real Time Traffic) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wsm_showDayStatsGraph' shortcode in all versions up to, and including, 8.4 due to insufficient input sanitization and output escaping on user supplied…
CVE-2026-4333
12:18 KSA
MEDIUM CVSS 6.4 CWE-79
The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'skin' attribute of the learn_press_courses shortcode in all versions up to and including 4.3.3. This is due to insufficient input sanitization and output escaping on t…
CVE-2026-4341
14:23 KSA
MEDIUM CVSS 6.4 CWE-79
The Prime Slider – Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'follow_us_text' setting of the Mount widget in all versions up to, and including, 4.1.10. This is due to insufficient input sanitization and output escaping. Specifi…
CVE-2026-4379
12:16 KSA
MEDIUM CVSS 6.4 CWE-79
The LightPress Lightbox plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `group` attribute in the `[gallery]` shortcode in all versions up to, and including, 2.3.4. This is due to the plugin modifying gallery shortcode output to include the `group` attrib…
CVE-2026-4655
01:10 KSA
MEDIUM CVSS 6.4 CWE-79
The Element Pack Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the SVG Image Widget in versions up to and including 8.4.2. This is due to insufficient input sanitization and output escaping on SVG content fetched from remote URLs in th…
CVE-2026-4785
14:23 KSA
MEDIUM CVSS 6.4 CWE-79
The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'button_caption' parameter in the [latepoint_resources] shortcode in versions up to and including 5.3.0. This is due to insufficient outpu…
CVE-2026-4871
20:48 KSA
MEDIUM CVSS 6.4 CWE-79
The Sports Club Management plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'before' and 'after' attributes of the `scm_member_data` shortcode in all versions up to, and including, 1.12.9 due to insufficient input sanitization and output escaping. This ma…
CVE-2026-5451
07:36 KSA
MEDIUM CVSS 6.4 CWE-79
The Extensions for Leaflet Map plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'elevation-track' shortcode in all versions up to, and including, 4.14. This is due to insufficient input sanitization and output escaping on user supplied attributes. This ma…
CVE-2026-5506
22:54 KSA
MEDIUM CVSS 6.4 CWE-79
The Wavr plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `wave` shortcode in all versions up to, and including, 0.2.6. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for aut…
CVE-2026-5508
22:54 KSA
MEDIUM CVSS 6.4 CWE-79
The WowPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `wowpress` shortcode in all versions up to, and including, 1.0.0. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible…
CVE-2026-5711
11:54 KSA
MEDIUM CVSS 6.4 CWE-79
The Post Blocks & Tools plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'sliderStyle' block attribute in the Posts Slider block in all versions up to, and including, 1.3.0 due to insufficient input sanitization and output escaping on user supplied attrib…
CVE-2026-5803
09:48 KSA
MEDIUM CVSS 6.3 CWE-918
A security flaw has been discovered in bigsk1 openai-realtime-ui up to 188ccde27fdf3d8fab8da81f3893468f53b2797c. The affected element is an unknown function of the file server.js of the component API Proxy Endpoint. Performing a manipulation of the argument Query results in serve…
CVE-2026-4394
08:00 KSA
MEDIUM CVSS 6.1 CWE-79
The Gravity Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Credit Card field's 'Card Type' sub-field (`input_<id>.4`) in all versions up to, and including, 2.9.30. This is due to the `get_value_entry_detail()` method in the `GF_Field_CreditCard` c…
CVE-2025-1794
14:23 KSA
MEDIUM CVSS 5.4 CWE-79
The AM LottiePlayer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via uploaded SVG files in all versions up to, and including, 3.6.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-lev…
CVE-2026-0811
05:32 KSA
MEDIUM CVSS 5.4 CWE-352
The Advanced Contact form 7 DB plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.9. This is due to missing or incorrect nonce validation on the 'vsz_cf7_save_setting_callback' function. This makes it possible for unauthenti…
CVE-2026-31313
03:35 KSA
MEDIUM CVSS 5.4 CWE-79
An authenticated stored cross-site scripting (XSS) vulnerability in the creation/editing module of Feehi CMS v2.1.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Content field.
CVE-2026-31350
03:35 KSA
MEDIUM CVSS 5.4 CWE-79
An authenticated stored cross-site scripting (XSS) vulnerability in Feehi CMS v2.1.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Page Sign parameter.
CVE-2026-31352
03:35 KSA
MEDIUM CVSS 5.4 CWE-79
An authenticated stored cross-site scripting (XSS) vulnerability in the Role Management module of Feehi CMS v2.1.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Role Name parameter.
CVE-2026-31353
03:35 KSA
MEDIUM CVSS 5.4 CWE-79
An authenticated stored cross-site scripting (XSS) vulnerability in the Category module of Feehi CMS v2.1.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Name parameter.
CVE-2026-31354
03:35 KSA
MEDIUM CVSS 5.4 CWE-79
Multiple authenticated stored cross-site scripting (XSS) vulnerabilities in the Permissions module of Feehi CMS v2.1.1 allow attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Group, Category or Description parameters.
CVE-2026-3781
20:48 KSA
MEDIUM CVSS 5.4 CWE-89
The Attendance Manager plugin for WordPress is vulnerable to SQL Injection via the 'attmgr_off' parameter in all versions up to, and including, 0.6.2. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query.…
CVE-2026-40028
09:48 KSA
MEDIUM CVSS 5.4 CWE-79
Hayabusa versions prior to 3.8.0 contain a cross-site scripting (XSS) vulnerability in its HTML report output that allows an attacker to execute arbitrary JavaScript when a user scans JSON-exported logs containing malicious content in the Computer field. An attacker can inject Ja…
CVE-2026-4065
05:48 KSA
MEDIUM CVSS 5.4 CWE-862
The Smart Slider 3 plugin for WordPress is vulnerable to unauthorized access and modification of data due to missing capability checks on multiple wp_ajax_smart-slider3 controller actions in all versions up to, and including, 3.5.1.33. The display_admin_ajax() method does not cal…
CVE-2026-4401
08:00 KSA
MEDIUM CVSS 5.4 CWE-352
The Download Monitor plugin for WordPress is vulnerable to Cross-Site Request Forgery in the `actions_handler()` and `bulk_actions_handler()` methods in `class-dlm-downloads-path.php` in all versions up to, and including, 5.1.10. This is due to missing nonce verification on these…
CVE-2026-5811
11:54 KSA
MEDIUM CVSS 5.4 CWE-840
A vulnerability was identified in SourceCodester Online Food Ordering System 1.0. Affected by this issue is the function save_product of the file /Actions.php of the component POST Parameter Handler. Such manipulation of the argument price leads to business logic errors. The atta…
CVE-2026-5812
14:00 KSA
MEDIUM CVSS 5.4 CWE-840
A security flaw has been discovered in SourceCodester Pharmacy Product Management System 1.0. This affects an unknown part of the file add-sales.php of the component POST Parameter Handler. Performing a manipulation of the argument txtqty results in business logic errors. It is p…
CVE-2025-14243
03:18 KSA
MEDIUM CVSS 5.3 CWE-209
A flaw was found in the OpenShift Mirror Registry. This vulnerability allows an unauthenticated, remote attacker to enumerate valid usernames and email addresses via different error messages during authentication failures and account creation.
CVE-2026-2263
08:00 KSA
MEDIUM CVSS 5.3 CWE-862
The Hustle – Email Marketing, Lead Generation, Optins, Popups plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'hustle_module_converted' AJAX action in all versions up to, and including, 7.8.10.2. This makes it possi…
CVE-2026-3477
16:36 KSA
MEDIUM CVSS 5.3 CWE-862
The PZ Frontend Manager plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 1.0.6. The pzfm_user_request_action_callback() function, registered via the wp_ajax_pzfm_user_request_action action hook, lacks both capability checks and nonce…
CVE-2026-3594
18:37 KSA
MEDIUM CVSS 5.3 CWE-200
The Riaxe Product Customizer plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.4 via the '/wp-json/InkXEProductDesignerLite/orders' REST API endpoint. The endpoint is registered with 'permission_callback' set to '__return…
CVE-2026-3646
12:16 KSA
MEDIUM CVSS 5.3 CWE-862
The LTL Freight Quotes – R+L Carriers Edition plugin for WordPress is vulnerable to Missing Authorization via the plugin's webhook handler in all versions up to, and including, 3.3.13. This is due to missing authentication, authorization, and nonce verification on a standalone PH…
CVE-2026-4299
12:18 KSA
MEDIUM CVSS 5.3 CWE-862
The MainWP Child Reports plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 2.2.6. This is due to a missing capability check in the heartbeat_received() function in the Live_Update class. This makes it possible for authenticated attack…
CVE-2026-4654
22:54 KSA
MEDIUM CVSS 5.3 CWE-639
The Awesome Support – WordPress HelpDesk & Support Plugin plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 6.3.7. This is due to the wpas_get_ticket_replies_ajax() function failing to verify whether the authenticated user ha…
CVE-2026-5167
20:48 KSA
MEDIUM CVSS 5.3 CWE-639
The Masteriyo LMS – Online Course Builder for eLearning, LMS & Education plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in versions up to and including 2.1.7. This is due to insufficient webhook signature verification in the handle_webhook(…
CVE-2026-32591
03:18 KSA
MEDIUM CVSS 5.2 CWE-918
A flaw was found in Red Hat Quay's Proxy Cache configuration feature. When an organization administrator configures an upstream registry for proxy caching, Quay makes a network connection to the specified registry hostname without verifying that it points to a legitimate external…
⚠️ Threat Intelligence
18 threats
rss:The Hacker News
04:36 KSA
CRITICAL apt
Iran-Linked Hackers Disrupt U.S. Critical Infrastructure by Targeting Internet-Exposed PLCs
Iranian cyber actors are actively targeting internet-exposed operational technology devices, specifically programmable logic controllers (PLCs), across U.S. critical infr…
rss:Dark Reading
03:33 KSA
CRITICAL apt
Iranian Threat Actors Disrupt US Critical Infrastructure via Exposed PLCs
Iranian threat actors have compromised Internet-facing operational technology (OT) devices, specifically PLCs, targeting US critical infrastructure. The attacks resulted in file and displa…
rss:Dark Reading
03:33 KSA
LOW general
Pluralsight Launches SecureReady to Help Organizations Build Job-Ready Cybersecurity Teams
Pluralsight has launched SecureReady, a new initiative designed to help organizations develop job-ready cybersecurity teams. This addresses the ongoing cybersecurity skill…
rss:The Hacker News
03:32 KSA
CRITICAL supply_chain
N. Korean Hackers Spread 1,700 Malicious Packages Across npm, PyPI, Go, Rust
North Korean threat actors behind the Contagious Interview campaign have expanded their supply chain attacks by distributing 1,700 malicious packages across multiple developer ecosystem…
rss:The Hacker News
03:32 KSA
HIGH vulnerability
Anthropic's Claude Mythos Finds Thousands of Zero-Day Flaws Across Major Systems
Anthropic launched Project Glasswing, utilizing its new AI model Claude Mythos to automatically discover and address security vulnerabilities across major systems. This initiat…
rss:The Hacker News
03:32 KSA
HIGH vulnerability
Shrinking the IAM Attack Surface through Identity Visibility and Intelligence Platforms (IVIP)
Enterprise Identity and Access Management (IAM) systems face critical fragmentation risks as organizations scale across thousands of applications and decentralized sys…
rss:Dark Reading
02:27 KSA
HIGH data_breach
Fraud Rockets Higher in Mobile-First Latin America
Cybercriminals are rapidly exploiting compromised mobile devices to execute account takeovers and fraudulent fund transfers in Latin America's mobile-first market. Financial institutions struggle to respond quic…
rss:Dark Reading
02:27 KSA
LOW general
Niobium Introduces The Fog
Niobium has introduced a new product or service called 'The Fog'. Without additional context, this appears to be a technology announcement potentially related to cybersecurity solutions or infrastructure. Source: https://www.darkreadi…
rss:Dark Reading
02:27 KSA
LOW general
Full Sail University to Open IBM Cyber Defense Range Powered by AWS and Cloud Range on Campus
Full Sail University is launching an IBM Cyber Defense Range on campus, powered by AWS and Cloud Range infrastructure. This initiative aims to provide hands-on cybersec…
rss:The Hacker News
02:27 KSA
CRITICAL apt
APT28 Deploys PRISMEX Malware in Campaign Targeting Ukraine and NATO Allies
Russian APT28 group launched a spear-phishing campaign against Ukraine and NATO allies deploying PRISMEX malware. The sophisticated malware suite uses advanced steganography and componen…
rss:The Hacker News
02:27 KSA
HIGH ddos
Masjesu Botnet Emerges as DDoS-for-Hire Service Targeting Global IoT Devices
Masjesu botnet, advertised as a DDoS-for-hire service on Telegram since 2023, targets IoT devices globally for distributed denial-of-service attacks. The stealthy botnet represents a gr…
rss:The Hacker News
02:27 KSA
HIGH malware
New Chaos Variant Targets Misconfigured Cloud Deployments, Adds SOCKS Proxy
A new Chaos malware variant is targeting misconfigured cloud deployments, expanding the botnet's attack surface beyond traditional targets. This development poses significant risks to or…
rss:Dark Reading
01:17 KSA
MEDIUM vulnerability
AI-Led Remediation Crisis Prompts HackerOne to Pause Bug Bounties
HackerOne has paused bug bounty programs due to a shift in the vulnerability lifecycle bottleneck from discovery to remediation. Automated AI-driven tools have accelerated vulnerability discovery …
rss:Dark Reading
01:17 KSA
MEDIUM general
Threat Actors Get Crafty With Emojis to Escape Detection
Cybercriminals are increasingly using emojis as coded language to evade security filters and detection systems. Threat actors employ symbols like 🤖 for 'bot available', 🧰 for 'toolkit', and 💰💰💰 for 'big ra…
rss:Malwarebytes Lab
00:04 KSA
MEDIUM phishing
Timeshare owners warned to watch out for cartel-linked scams
Mexican drug cartels are conducting advance-fee fraud schemes targeting timeshare owners. Authorities warn that scammers pose as legitimate buyers or companies to extract upfront payments from victims …
rss:Malwarebytes Lab
00:04 KSA
HIGH apt
Russian hacking group targets home and small office routers to spy on users
FBI, NCSC, and Microsoft have issued warnings about an active Russian cyber campaign targeting home and small office routers. The attackers are hijacking DNS settings to conduct surveill…
rss:Malwarebytes Lab
00:04 KSA
MEDIUM general
Your extensions leak clues about you, so we made sure Browser Guard doesn’t
Browser extensions can be exploited to create user profiles for advertisers and scammers through fingerprinting techniques. Malwarebytes has implemented privacy protections in …
rss:Recorded Future
21:50 KSA
LOW general
Understanding and Anticipating Venezuelan Government Actions
Analysis of Venezuela's political transition following a hypothetical 2026 US operation, examining Acting President Delcy Rodríguez's strategy and internal threats. While primarily geopolitical, this i…
📰 Cybersecurity News
0 articles
📰 No news aggregated today yet

This digest is updated automatically every day — Last updated: Wednesday, April 8, 2026