📅 Daily Security Digest — Friday, April 17, 2026

🇸🇦 Saudi Cyber Daily Digest

All security vulnerabilities, threats, and news aggregated today from trusted sources — continuously updated

Friday, April 17, 2026
166 CVEs
32 Threats
0 News
75 Critical
75 CISA KEV
🛡 Security Vulnerabilities (CVE)
166 vulnerabilities
CVE-2026-34197
Apache ActiveMQ Code Injection via Improper Input Validation
05:03 KSA
CRITICAL CVSS 9.8 ⚠ CISA KEV
Apache ActiveMQ — CVE-2026-34197 Apache ActiveMQ contains an improper input validation vulnerability that allows for code injection. Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the pro…
CVE-2019-7286
11:01 KSA
CRITICAL CVSS 9.0 ⚠ CISA KEV
Apple Multiple Products Memory Corruption Vulnerability — Apple iOS, macOS, watchOS, and tvOS contain a memory corruption vulnerability that could allow for privilege escalation.
CVE-2019-9874
11:01 KSA
CRITICAL CVSS 9.0 ⚠ CISA KEV
Sitecore CMS and Experience Platform (XP) Deserialization Vulnerability — Sitecore CMS and Experience Platform (XP) contain a deserialization vulnerability in the Sitecore.Security.AntiCSRF module that allows an unauthenticated attacker to execute arbitrary code by sending a seri…
CVE-2019-9875
11:01 KSA
CRITICAL CVSS 9.0 ⚠ CISA KEV
Sitecore CMS and Experience Platform (XP) Deserialization Vulnerability — Sitecore CMS and Experience Platform (XP) contain a deserialization vulnerability in the Sitecore.Security.AntiCSRF module that allows an authenticated attacker to execute arbitrary code by sending a serial…
CVE-2019-9978
11:01 KSA
CRITICAL CVSS 9.0 ⚠ CISA KEV
WordPress Social Warfare Plugin Cross-Site Scripting (XSS) Vulnerability — WordPress Social Warfare plugin contains a cross-site scripting (XSS) vulnerability that allows for remote code execution. This vulnerability affects Social Warfare and Social Warfare Pro.
CVE-2020-0041
11:01 KSA
CRITICAL CVSS 9.0 ⚠ CISA KEV
Android Kernel Out-of-Bounds Write Vulnerability — Android Kernel binder_transaction of binder.c contains an out-of-bounds write vulnerability due to an incorrect bounds check that could allow for local privilege escalation. This vulnerability was observed chained with CVE-2019-2…
CVE-2020-0069
11:01 KSA
CRITICAL CVSS 9.0 ⚠ CISA KEV
Mediatek Multiple Chipsets Insufficient Input Validation Vulnerability — Multiple MediaTek chipsets contain an insufficient input validation vulnerability and have missing SELinux restrictions in the Command Queue drivers ioctl handlers. This causes an out-of-bounds write leading…
CVE-2020-0601
11:01 KSA
CRITICAL CVSS 9.0 ⚠ CISA KEV
Microsoft Windows CryptoAPI Spoofing Vulnerability — Microsoft Windows CryptoAPI (Crypt32.dll) contains a spoofing vulnerability in the way it validates Elliptic Curve Cryptography (ECC) certificates. An attacker could exploit the vulnerability by using a spoofed code-signing cer…
CVE-2020-0618
11:01 KSA
CRITICAL CVSS 9.0 ⚠ CISA KEV
Microsoft SQL Server Reporting Services Remote Code Execution Vulnerability — Microsoft SQL Server Reporting Services contains a deserialization vulnerability when handling page requests incorrectly. An authenticated attacker can exploit this vulnerability to execute code in the …
CVE-2020-0638
11:01 KSA
CRITICAL CVSS 9.0 ⚠ CISA KEV
Microsoft Update Notification Manager Privilege Escalation Vulnerability — Microsoft Update Notification Manager contains an unspecified vulnerability that allows for privilege escalation.
CVE-2020-0646
11:01 KSA
CRITICAL CVSS 9.0 ⚠ CISA KEV
Microsoft .NET Framework Remote Code Execution Vulnerability — Microsoft .NET Framework contains an improper input validation vulnerability that allows for remote code execution.
CVE-2020-0674
11:01 KSA
CRITICAL CVSS 9.0 ⚠ CISA KEV
Microsoft Internet Explorer Scripting Engine Memory Corruption Vulnerability — Microsoft Internet Explorer contains a memory corruption vulnerability due to the way the Scripting Engine handles objects in memory. Successful exploitation could allow remote code execution in the co…
CVE-2020-0683
11:01 KSA
CRITICAL CVSS 9.0 ⚠ CISA KEV
Microsoft Windows Installer Privilege Escalation Vulnerability — Microsoft Windows Installer contains a privilege escalation vulnerability when MSI packages process symbolic links, which allows attackers to bypass access restrictions to add or remove files.
CVE-2020-0688
11:01 KSA
CRITICAL CVSS 9.0 ⚠ CISA KEV
Microsoft Exchange Server Validation Key Remote Code Execution Vulnerability — Microsoft Exchange Server Validation Key fails to properly create unique keys at install time, allowing for remote code execution.
CVE-2020-0787
11:01 KSA
CRITICAL CVSS 9.0 ⚠ CISA KEV
Microsoft Windows Background Intelligent Transfer Service (BITS) Improper Privilege Management Vulnerability — Microsoft Windows BITS is vulnerable to a privilege elevation vulnerability if it improperly handles symbolic links. An actor can exploit this vulnerability to execut…
CVE-2020-0796
11:01 KSA
CRITICAL CVSS 9.0 ⚠ CISA KEV
Microsoft SMBv3 Remote Code Execution Vulnerability — A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability t…
CVE-2020-0938
11:01 KSA
CRITICAL CVSS 9.0 ⚠ CISA KEV
Microsoft Windows Adobe Font Manager Library Remote Code Execution Vulnerability — Microsoft Windows Adobe Font Manager Library contains an unspecified vulnerability when handling specially crafted multi-master fonts (Adobe Type 1 PostScript format) that allows for remote code ex…
CVE-2020-0968
11:01 KSA
CRITICAL CVSS 9.0 ⚠ CISA KEV
Microsoft Internet Explorer Scripting Engine Memory Corruption Vulnerability — Microsoft Internet Explorer contains a memory corruption vulnerability due to how the Scripting Engine handles objects in memory, leading to remote code execution.
CVE-2020-0986
11:01 KSA
CRITICAL CVSS 9.0 ⚠ CISA KEV
Microsoft Windows Kernel Privilege Escalation Vulnerability — Microsoft Windows kernel contains an unspecified vulnerability when handling objects in memory that allows attackers to escalate privileges and execute code in kernel mode.
CVE-2020-10148
11:01 KSA
CRITICAL CVSS 9.0 ⚠ CISA KEV
SolarWinds Orion Authentication Bypass Vulnerability — SolarWinds Orion API contains an authentication bypass vulnerability that could allow a remote attacker to execute API commands.
CVE-2020-10181
11:01 KSA
CRITICAL CVSS 9.0 ⚠ CISA KEV
Sumavision EMR Cross-Site Request Forgery (CSRF) Vulnerability — Sumavision Enhanced Multimedia Router (EMR) contains a cross-site request forgery (CSRF) vulnerability allowing the creation of users with elevated privileges as administrator on a device.
CVE-2020-10189
11:01 KSA
CRITICAL CVSS 9.0 ⚠ CISA KEV
Zoho ManageEngine Desktop Central File Upload Vulnerability — Zoho ManageEngine Desktop Central contains a file upload vulnerability that allows for unauthenticated remote code execution.
CVE-2020-10199
11:01 KSA
CRITICAL CVSS 9.0 ⚠ CISA KEV
Sonatype Nexus Repository Remote Code Execution Vulnerability — Sonatype Nexus Repository contains an unspecified vulnerability that allows for remote code execution.
CVE-2020-1020
11:01 KSA
CRITICAL CVSS 9.0 ⚠ CISA KEV
Microsoft Windows Adobe Font Manager Library Remote Code Execution Vulnerability — Microsoft Windows Adobe Font Manager Library contains an unspecified vulnerability when handling specially crafted multi-master fonts (Adobe Type 1 PostScript format) that allows for remote code ex…
CVE-2023-36033
11:01 KSA
CRITICAL CVSS 9.0 ⚠ CISA KEV
Microsoft Windows Desktop Window Manager (DWM) Core Library Privilege Escalation Vulnerability — Microsoft Windows Desktop Window Manager (DWM) Core Library contains an unspecified vulnerability that allows for privilege escalation.
CVE-2023-36036
11:01 KSA
CRITICAL CVSS 9.0 ⚠ CISA KEV
Microsoft Windows Cloud Files Mini Filter Driver Privilege Escalation Vulnerability — Microsoft Windows Cloud Files Mini Filter Driver contains a privilege escalation vulnerability that could allow an attacker to gain SYSTEM privileges.
CVE-2023-36802
11:01 KSA
CRITICAL CVSS 9.0 ⚠ CISA KEV
Microsoft Streaming Service Proxy Privilege Escalation Vulnerability — Microsoft Streaming Service Proxy contains an unspecified vulnerability that allows for privilege escalation.
CVE-2023-36844
11:01 KSA
CRITICAL CVSS 9.0 ⚠ CISA KEV
Juniper Junos OS EX Series PHP External Variable Modification Vulnerability — Juniper Junos OS on EX Series contains a PHP external variable modification vulnerability that allows an unauthenticated, network-based attacker to control certain, important environment variables. Usin…
CVE-2023-36845
11:01 KSA
CRITICAL CVSS 9.0 ⚠ CISA KEV
Juniper Junos OS EX Series and SRX Series PHP External Variable Modification Vulnerability — Juniper Junos OS on EX Series and SRX Series contains a PHP external variable modification vulnerability that allows an unauthenticated, network-based attacker to control an important env…
CVE-2023-36846
11:01 KSA
CRITICAL CVSS 9.0 ⚠ CISA KEV
Juniper Junos OS SRX Series Missing Authentication for Critical Function Vulnerability — Juniper Junos OS on SRX Series contains a missing authentication for critical function vulnerability that allows an unauthenticated, network-based attacker to cause limited impact to the file…
CVE-2023-36847
11:01 KSA
CRITICAL CVSS 9.0 ⚠ CISA KEV
Juniper Junos OS EX Series Missing Authentication for Critical Function Vulnerability — Juniper Junos OS on EX Series contains a missing authentication for critical function vulnerability that allows an unauthenticated, network-based attacker to cause limited impact to the file s…
CVE-2023-36851
11:01 KSA
CRITICAL CVSS 9.0 ⚠ CISA KEV
Juniper Junos OS SRX Series Missing Authentication for Critical Function Vulnerability — Juniper Junos OS on SRX Series contains a missing authentication for critical function vulnerability that allows an unauthenticated, network-based attacker to cause limited impact to the file…
CVE-2023-36874
11:01 KSA
CRITICAL CVSS 9.0 ⚠ CISA KEV
Microsoft Windows Error Reporting Service Privilege Escalation Vulnerability — Microsoft Windows Error Reporting Service contains an unspecified vulnerability that allows for privilege escalation.
CVE-2023-36884
11:01 KSA
CRITICAL CVSS 9.0 ⚠ CISA KEV
Microsoft Windows Search Remote Code Execution Vulnerability — Microsoft Windows Search contains an unspecified vulnerability that could allow an attacker to evade Mark of the Web (MOTW) defenses via a specially crafted malicious file, leading to remote code execution.
CVE-2023-37450
11:01 KSA
CRITICAL CVSS 9.0 ⚠ CISA KEV
Apple Multiple Products WebKit Code Execution Vulnerability — Apple iOS, iPadOS, macOS, and Safari WebKit contain an unspecified vulnerability that leads to code execution when processing maliciously crafted web content. This vulnerability could impact HTML parsers that use WebKi…
CVE-2023-37580
11:01 KSA
CRITICAL CVSS 9.0 ⚠ CISA KEV
Synacor Zimbra Collaboration Suite (ZCS) Cross-Site Scripting (XSS) Vulnerability — Synacor Zimbra Collaboration Suite (ZCS) contains a cross-site scripting vulnerability impacting the confidentiality and integrity of data.
CVE-2023-38035
11:01 KSA
CRITICAL CVSS 9.0 ⚠ CISA KEV
Ivanti Sentry Authentication Bypass Vulnerability — Ivanti Sentry, formerly known as MobileIron Sentry, contains an authentication bypass vulnerability that may allow an attacker to bypass authentication controls on the administrative interface due to an insufficiently restrictiv…
CVE-2023-38180
11:01 KSA
CRITICAL CVSS 9.0 ⚠ CISA KEV
Microsoft .NET Core and Visual Studio Denial-of-Service Vulnerability — Microsoft .NET Core and Visual Studio contain an unspecified vulnerability that allows for denial-of-service (DoS).
CVE-2023-38203
11:01 KSA
CRITICAL CVSS 9.0 ⚠ CISA KEV
Adobe ColdFusion Deserialization of Untrusted Data Vulnerability — Adobe ColdFusion contains a deserialization of untrusted data vulnerability that allows for code execution.
CVE-2023-38205
11:01 KSA
CRITICAL CVSS 9.0 ⚠ CISA KEV
Adobe ColdFusion Improper Access Control Vulnerability — Adobe ColdFusion contains an improper access control vulnerability that allows for a security feature bypass.
CVE-2023-38606
11:01 KSA
CRITICAL CVSS 9.0 ⚠ CISA KEV
Apple Multiple Products Kernel Unspecified Vulnerability — Apple iOS, iPadOS, macOS, tvOS, and watchOS contain an unspecified vulnerability allowing an app to modify a sensitive kernel state.
CVE-2025-21043
Samsung Mobile Out-of-Bounds Write in libimagecodec.quram.so
11:01 KSA
CRITICAL CVSS 9.0 ⚠ CISA KEV
Samsung Mobile Devices Out-of-Bounds Write Vulnerability — Samsung mobile devices contain an out-of-bounds write vulnerability in libimagecodec.quram.so which allows remote attackers to execute arbitrary code.
CVE-2025-21333
Windows Hyper-V NT Kernel Integration VSP Heap Buffer Overflow Privilege Escalation
11:01 KSA
CRITICAL CVSS 9.0 ⚠ CISA KEV
Microsoft Windows Hyper-V NT Kernel Integration VSP Heap-based Buffer Overflow Vulnerability — Microsoft Windows Hyper-V NT Kernel Integration VSP contains a heap-based buffer overflow vulnerability that allows a local attacker to gain SYSTEM privileges.
CVE-2025-21334
Windows Hyper-V NT Kernel Integration VSP Use-After-Free Privilege Escalation
11:01 KSA
CRITICAL CVSS 9.0 ⚠ CISA KEV
Microsoft Windows Hyper-V NT Kernel Integration VSP Use-After-Free Vulnerability — Microsoft Windows Hyper-V NT Kernel Integration VSP contains a use-after-free vulnerability that allows a local attacker to gain SYSTEM privileges.
CVE-2025-21335
Windows Hyper-V NT Kernel Integration VSP Use-After-Free Privilege Escalation
11:01 KSA
CRITICAL CVSS 9.0 ⚠ CISA KEV
Microsoft Windows Hyper-V NT Kernel Integration VSP Use-After-Free Vulnerability — Microsoft Windows Hyper-V NT Kernel Integration VSP contains a use-after-free vulnerability that allows a local attacker to gain SYSTEM privileges.
CVE-2025-21391
Microsoft Windows Storage Link Following Privilege Escalation Vulnerability
11:01 KSA
CRITICAL CVSS 9.0 ⚠ CISA KEV
Microsoft Windows Storage Link Following Vulnerability — Microsoft Windows Storage contains a link following vulnerability that could allow for privilege escalation. This vulnerability could allow an attacker to delete data including data that results in the service being unavail…
CVE-2025-21418
Windows WinSock Ancillary Function Driver Heap Buffer Overflow Privilege Escalation
11:01 KSA
CRITICAL CVSS 9.0 ⚠ CISA KEV
Microsoft Windows Ancillary Function Driver for WinSock Heap-Based Buffer Overflow Vulnerability — Microsoft Windows Ancillary Function Driver for WinSock contains a heap-based buffer overflow vulnerability that allows for privilege escalation, enabling a local attacker to gain S…
CVE-2025-22457
Ivanti Connect Secure Stack-Based Buffer Overflow RCE
11:01 KSA
CRITICAL CVSS 9.0 ⚠ CISA KEV
Ivanti Connect Secure, Policy Secure, and ZTA Gateways Stack-Based Buffer Overflow Vulnerability — Ivanti Connect Secure, Policy Secure, and ZTA Gateways contain a stack-based buffer overflow vulnerability that allows a remote unauthenticated attacker to achieve remote code exec…
CVE-2025-23006
SonicWall SMA1000 Deserialization RCE Vulnerability
11:01 KSA
CRITICAL CVSS 9.0 ⚠ CISA KEV
SonicWall SMA1000 Appliances Deserialization Vulnerability — SonicWall SMA1000 Appliance Management Console (AMC) and Central Management Console (CMC) contain a deserialization of untrusted data vulnerability, which can enable a remote, unauthenticated attacker to execute arbitra…
CVE-2025-23209
Craft CMS Database Backup Path Code Injection RCE Vulnerability
11:01 KSA
CRITICAL CVSS 9.0 ⚠ CISA KEV
Craft CMS Code Injection Vulnerability — Craft CMS contains a code injection vulnerability caused by improper validation of the database backup path, ultimately enabling remote code execution.
CVE-2025-3928
Commvault Web Server Remote Webshell Execution Vulnerability
11:01 KSA
CRITICAL CVSS 9.0 ⚠ CISA KEV
Commvault Web Server Unspecified Vulnerability — Commvault Web Server contains an unspecified vulnerability that allows a remote, authenticated attacker to create and execute webshells.
CVE-2025-40536
SolarWinds Web Help Desk Authentication Bypass Vulnerability
11:01 KSA
CRITICAL CVSS 9.0 ⚠ CISA KEV
SolarWinds Web Help Desk Security Control Bypass Vulnerability — SolarWinds Web Help Desk contains a security control bypass vulnerability that could allow an unauthenticated attacker to gain access to certain restricted functionality.
CVE-2025-4632
Samsung MagicINFO 9 Server Path Traversal - Arbitrary File Write
11:01 KSA
CRITICAL CVSS 9.0 ⚠ CISA KEV
Samsung MagicINFO 9 Server Path Traversal Vulnerability — Samsung MagicINFO 9 Server contains a path traversal vulnerability that allows an attacker to write arbitrary files as system authority.
CVE-2025-47812
Wing FTP Server Null Byte Injection - Arbitrary Lua Code Execution
11:01 KSA
CRITICAL CVSS 9.0 ⚠ CISA KEV
Wing FTP Server Improper Neutralization of Null Byte or NUL Character Vulnerability — Wing FTP Server contains an improper neutralization of null byte or NUL character vulnerability that can allow injection of arbitrary Lua code into user session files. This can be used to execut…
CVE-2025-47827
IGEL OS Secure Boot Bypass via Expired Cryptographic Key Verification
11:01 KSA
CRITICAL CVSS 9.0 ⚠ CISA KEV
IGEL OS Use of a Key Past its Expiration Date Vulnerability — IGEL OS contains a use of a key past its expiration date vulnerability that allows for Secure Boot bypass. The igel-flash-driver module improperly verifies a cryptographic signature. Ultimately, a crafted root filesyst…
CVE-2025-48384
Git Link Following Vulnerability in Configuration File Handling
11:01 KSA
CRITICAL CVSS 9.0 ⚠ CISA KEV
Git Link Following Vulnerability — Git contains a link following vulnerability that stems from Git’s inconsistent handling of carriage return characters in configuration files.
CVE-2025-48927
TeleMessage TM SGNL Exposed Heap Dump Endpoint - Insecure Default
11:01 KSA
CRITICAL CVSS 9.0 ⚠ CISA KEV
TeleMessage TM SGNL Initialization of a Resource with an Insecure Default Vulnerability — TeleMessage TM SGNL contains an initialization of a resource with an insecure default vulnerability. This vulnerability relies on how the Spring Boot Actuator is configured with an exposed h…
CVE-2025-49113
RoundCube Webmail Authenticated RCE via Deserialization in Settings Upload
11:01 KSA
CRITICAL CVSS 9.0 ⚠ CISA KEV
RoundCube Webmail Deserialization of Untrusted Data Vulnerability — RoundCube Webmail contains a deserialization of untrusted data vulnerability that allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/setti…
CVE-2025-49704
Microsoft SharePoint Code Injection Vulnerability (CVE-2025-49704)
11:01 KSA
CRITICAL CVSS 9.0 ⚠ CISA KEV
Microsoft SharePoint Code Injection Vulnerability — Microsoft SharePoint contains a code injection vulnerability that could allow an authorized attacker to execute code over a network. This vulnerability could be chained with CVE-2025-49706. CVE-2025-53770 is a patch bypass for C…
CVE-2025-5086
DELMIA Apriso Deserialization RCE Vulnerability
11:01 KSA
CRITICAL CVSS 9.0 ⚠ CISA KEV
Dassault Systèmes DELMIA Apriso Deserialization of Untrusted Data Vulnerability — Dassault Systèmes DELMIA Apriso contains a deserialization of untrusted data vulnerability that could lead to a remote code execution.
CVE-2025-5419
Chromium V8 Out-of-Bounds Read/Write Heap Corruption Vulnerability
11:01 KSA
CRITICAL CVSS 9.0 ⚠ CISA KEV
Google Chromium V8 Out-of-Bounds Read and Write Vulnerability — Google Chromium V8 contains an out-of-bounds read and write vulnerability that could allow a remote attacker to potentially exploit heap corruption via a crafted HTML page. This vulnerability could affect multiple we…
CVE-2025-54236
Adobe Commerce REST API Account Takeover via Input Validation Bypass
11:01 KSA
CRITICAL CVSS 9.0 ⚠ CISA KEV
Adobe Commerce and Magento Improper Input Validation Vulnerability — Adobe Commerce and Magento Open Source contain an improper input validation vulnerability that could allow an attacker to take over customer accounts through the Commerce REST API.
CVE-2025-54253
Adobe Experience Manager Forms JEE Arbitrary Code Execution
11:01 KSA
CRITICAL CVSS 9.0 ⚠ CISA KEV
Adobe Experience Manager Forms Code Execution Vulnerability — Adobe Experience Manager Forms in JEE contains an unspecified vulnerability that allows for arbitrary code execution.
CVE-2025-54313
Prettier eslint-config-prettier Malicious Code Execution via Install Script
11:01 KSA
CRITICAL CVSS 9.0 ⚠ CISA KEV
Prettier eslint-config-prettier Embedded Malicious Code Vulnerability — Prettier eslint-config-prettier contains an embedded malicious code vulnerability. Installing an affected package executes an install.js file that launches the node-gyp.dll malware on Windows.
CVE-2025-59230
Windows Remote Access Connection Manager Privilege Escalation Vulnerability
11:01 KSA
CRITICAL CVSS 9.0 ⚠ CISA KEV
Microsoft Windows Improper Access Control Vulnerability — Microsoft Windows contains an improper access control vulnerability in Windows Remote Access Connection Manager which could allow an authorized attacker to elevate privileges locally.
CVE-2025-61882
Oracle E-Business Suite BI Publisher Integration Critical Remote Compromise
11:01 KSA
CRITICAL CVSS 9.0 ⚠ CISA KEV
Oracle E-Business Suite Unspecified Vulnerability — Oracle E-Business Suite contains an unspecified vulnerability in the BI Publisher Integration component. The vulnerability allows an unauthenticated attacker with network access via HTTP to compromise Oracle Concurrent Processing. …
CVE-2025-61884
Oracle E-Business Suite SSRF Vulnerability in Configurator Runtime
11:01 KSA
CRITICAL CVSS 9.0 ⚠ CISA KEV
Oracle E-Business Suite Server-Side Request Forgery (SSRF) Vulnerability — Oracle E-Business Suite contains a server-side request forgery (SSRF) vulnerability in the Runtime component of Oracle Configurator. This vulnerability is remotely exploitable without authentication.
CVE-2025-61932
Motex LANSCOPE Endpoint Manager Arbitrary Code Execution via Unverified Communication
11:01 KSA
CRITICAL CVSS 9.0 ⚠ CISA KEV
Motex LANSCOPE Endpoint Manager Improper Verification of Source of a Communication Channel Vulnerability — Motex LANSCOPE Endpoint Manager contains an improper verification of source of a communication channel vulnerability allowing an attacker to execute arbitrary code by sendin…
CVE-2025-64446
Fortinet FortiWeb Unauthenticated Path Traversal RCE Vulnerability
11:01 KSA
CRITICAL CVSS 9.0 ⚠ CISA KEV
Fortinet FortiWeb Path Traversal Vulnerability — Fortinet FortiWeb contains a relative path traversal vulnerability that may allow an unauthenticated attacker to execute administrative commands on the system via crafted HTTP or HTTPS requests.
CVE-2025-68461
RoundCube Webmail SVG Animate Tag Cross-Site Scripting Vulnerability
11:01 KSA
CRITICAL CVSS 9.0 ⚠ CISA KEV
RoundCube Webmail Cross-site Scripting Vulnerability — RoundCube Webmail contains a cross-site scripting vulnerability via the animate tag in an SVG document.
CVE-2025-68645
Zimbra Collaboration Suite PHP Remote File Inclusion RCE
11:01 KSA
CRITICAL CVSS 9.0 ⚠ CISA KEV
Synacor Zimbra Collaboration Suite (ZCS) PHP Remote File Inclusion Vulnerability — Synacor Zimbra Collaboration Suite (ZCS) contains a PHP remote file inclusion vulnerability that could allow for remote attackers to craft requests to the /h/rest endpoint to influence internal req…
CVE-2025-8110
Gogs PutContents API Path Traversal and Code Execution Vulnerability
11:01 KSA
CRITICAL CVSS 9.0 ⚠ CISA KEV
Gogs Path Traversal Vulnerability — Gogs contains a path traversal vulnerability affecting improper Symbolic link handling in the PutContents API that could allow for code execution.
CVE-2025-8876
N-able N-Central Command Injection via Unsanitized User Input
11:01 KSA
CRITICAL CVSS 9.0 ⚠ CISA KEV
N-able N-Central Command Injection Vulnerability — N-able N-Central contains a command injection vulnerability via improper sanitization of user input.
CVE-2025-9242
WatchGuard Firebox iked Out-of-Bounds Write Remote Code Execution
11:01 KSA
CRITICAL CVSS 9.0 ⚠ CISA KEV
WatchGuard Firebox Out-of-Bounds Write Vulnerability — WatchGuard Firebox contains an out-of-bounds write vulnerability in the OS iked process that may allow a remote unauthenticated attacker to execute arbitrary code.
CVE-2025-9377
TP-Link Router OS Command Injection in Parental Control (CVE-2025-9377)
11:01 KSA
CRITICAL CVSS 9.0 ⚠ CISA KEV
TP-Link Archer C7(EU) and TL-WR841N/ND(MS) OS Command Injection Vulnerability — TP-Link Archer C7(EU) and TL-WR841N/ND(MS) contain an OS command injection vulnerability that exists in the Parental Control page. The impacted products could be end-of-life (EoL) and/or end-of-servic…
CVE-2026-25654
09:48 KSA
HIGH CVSS 8.8 CWE-639
A vulnerability has been identified in SINEC NMS (All versions < V4.0 SP3). Affected products do not properly validate user authorization when processing password reset requests. This could allow an authenticated remote attacker to bypass authorization checks, leading to the abil…
CVE-2026-27668
09:48 KSA
HIGH CVSS 8.8 CWE-266
A vulnerability has been identified in RUGGEDCOM CROSSBOW Secure Access Manager Primary (SAM-P) (All versions < V5.8). User Administrators are allowed to administer groups they belong to. This could allow an authenticated User Administrator to escalate their own privileges and gr…
CVE-2026-3464
18:48 KSA
HIGH CVSS 8.8 CWE-22
The WP Customer Area plugin for WordPress is vulnerable to arbitrary file read and deletion due to insufficient file path validation in the 'ajax_attach_file' function in all versions up to, and including, 8.3.4. This makes it possible for authenticated attackers with a role that…
CVE-2026-40040
03:25 KSA
HIGH CVSS 8.8 CWE-434
Pachno 1.0.6 contains an unrestricted file upload vulnerability that allows authenticated users to upload arbitrary file types by bypassing ineffective extension filtering to the /uploadfile endpoint. Attackers can upload executable files such as .php5 scripts to web-accessible directori…
CVE-2026-40459
12:32 KSA
HIGH CVSS 8.8 CWE-90
PAC4J is vulnerable to LDAP Injection in multiple methods. A low-privileged remote attacker can inject crafted LDAP syntax into ID-based search parameters, potentially resulting in unauthorized LDAP queries and arbitrary directory operations. This issue was fixed in PAC4J versio…
CVE-2026-6157
03:25 KSA
HIGH CVSS 8.8 CWE-119
A vulnerability was detected in Totolink A800R 4.1.2cu.5137_B20200730. This impacts the function setAppEasyWizardConfig in the library /lib/cste_modules/app.so. The manipulation of the argument apcliSsid results in buffer overflow. The attack can be executed remotely. The exploit…
CVE-2026-6168
03:25 KSA
HIGH CVSS 8.8 CWE-119
A flaw has been found in TOTOLINK A7000R up to 9.1.0u.6115. The affected element is the function setWiFiEasyGuestCfg of the file /cgi-bin/cstecgi.cgi. This manipulation of the argument ssid5g causes stack-based buffer overflow. Remote exploitation of the attack is possible. The e…
CVE-2026-6186
03:25 KSA
HIGH CVSS 8.8 CWE-119
A security vulnerability has been detected in UTT HiPER 1200GW up to 2.5.3-170306. This vulnerability affects the function strcpy of the file /goform/formNatStaticMap. The manipulation of the argument NatBind leads to buffer overflow. The attack is possible to be carried out remo…
CVE-2026-6194
03:25 KSA
HIGH CVSS 8.8 CWE-119
A weakness has been identified in Totolink A3002MU B20211125.1046. Affected by this vulnerability is the function sub_410188 of the file /boafrm/formWlanSetup of the component HTTP Request Handler. This manipulation of the argument wan-url causes stack-based buffer overflow. Remo…
CVE-2026-6196
03:25 KSA
HIGH CVSS 8.8 CWE-119
A vulnerability was detected in Tenda F456 1.0.0.5. This affects the function fromexeCommand of the file /goform/exeCommand. Performing a manipulation of the argument cmdinput results in stack-based buffer overflow. The attack is possible to be carried out remotely. The exploit i…
CVE-2026-6198
03:25 KSA
HIGH CVSS 8.8 CWE-119
A vulnerability has been found in Tenda F456 1.0.0.5. This issue affects the function fromNatStaticSetting of the file /goform/NatStaticSetting. The manipulation of the argument page leads to stack-based buffer overflow. It is possible to initiate the attack remotely. The exploit…
CVE-2026-6199
03:25 KSA
HIGH CVSS 8.8 CWE-119
A vulnerability was found in Tenda F456 1.0.0.5. Impacted is the function fromqossetting of the file /goform/qossetting. The manipulation of the argument page results in stack-based buffer overflow. It is possible to launch the attack remotely. The exploit has been made public an…
CVE-2026-6200
03:25 KSA
HIGH CVSS 8.8 CWE-119
A vulnerability was determined in Tenda F456 1.0.0.5. The affected element is the function formwebtypelibrary of the file /goform/webtypelibrary. This manipulation of the argument menufacturer/Go causes stack-based buffer overflow. The attack can be initiated remotely. The exploi…
CVE-2026-27928
21:54 KSA
HIGH CVSS 8.7 CWE-20
Improper input validation in Windows Hello allows an unauthorized attacker to bypass a security feature over a network.
CVE-2026-40516
18:48 KSA
HIGH CVSS 8.3 CWE-918
OpenHarness before commit bd4df81 contains a server-side request forgery vulnerability in the web_fetch and web_search tools that allows attackers to access private and localhost HTTP services by manipulating tool parameters without proper validation of target addresses. Attacker…
CVE-2026-5718
20:43 KSA
HIGH CVSS 8.1 CWE-434
The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file upload in versions up to, and including, 1.3.9.6. This is due to insufficient file type validation that occurs when custom blacklist types are configured, which replaces…
CVE-2026-27912
21:54 KSA
HIGH CVSS 8.0 CWE-285
Improper authorization in Windows Kerberos allows an authorized attacker to elevate privileges over an adjacent network.
CVE-2025-36568
12:32 KSA
HIGH CVSS 7.8 CWE-522
Dell PowerProtect Data Domain BoostFS for client of Feature Release versions 7.7.1.0 through 8.5, LTS2025 release version 8.3.1.0 through 8.3.1.20, LTS2024 release versions 7.13.1.0 through 7.13.1.50, contain an insufficiently protected credentials vulnerability. A low privileged…
CVE-2026-23657
21:54 KSA
HIGH CVSS 7.8 CWE-416
Use after free in Microsoft Office Word allows an unauthorized attacker to execute code locally.
CVE-2026-26143
21:54 KSA
HIGH CVSS 7.8 CWE-20
Improper input validation in Microsoft PowerShell allows an unauthorized attacker to bypass a security feature locally.
CVE-2026-26183
21:54 KSA
HIGH CVSS 7.8 CWE-284
Improper access control in Windows RPC API allows an authorized attacker to elevate privileges locally.
CVE-2026-27238
15:49 KSA
HIGH CVSS 7.8 CWE-122
InDesign Desktop versions 20.5.2, 21.2 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malici…
CVE-2026-27283
15:49 KSA
HIGH CVSS 7.8 CWE-416
InDesign Desktop versions 20.5.2, 21.2 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
CVE-2026-27284
21:54 KSA
HIGH CVSS 7.8 CWE-125
InDesign Desktop versions 20.5.2, 21.2 and earlier are affected by an out-of-bounds read vulnerability when parsing a crafted file, which could result in a read past the end of an allocated memory structure. An attacker could leverage this vulnerability to execute code in the con…
CVE-2026-27291
21:54 KSA
HIGH CVSS 7.8 CWE-787
InDesign Desktop versions 20.5.2, 21.2 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious fi…
CVE-2026-27924
21:54 KSA
HIGH CVSS 7.8 CWE-416
Use after free in Desktop Window Manager allows an authorized attacker to elevate privileges locally.
CVE-2026-27913
21:54 KSA
HIGH CVSS 7.7 CWE-20
Improper input validation in Windows BitLocker allows an unauthorized attacker to bypass a security feature locally.
CVE-2026-34853
03:25 KSA
HIGH CVSS 7.7 CWE-270
Permission bypass vulnerability in the LBS module. Impact: Successful exploitation of this vulnerability may affect availability.
CVE-2026-26154
21:54 KSA
HIGH CVSS 7.5 CWE-20
Improper input validation in Windows Server Update Service allows an unauthorized attacker to perform tampering over a network.
CVE-2026-26171
21:54 KSA
HIGH CVSS 7.5 CWE-400
Uncontrolled resource consumption in .NET allows an unauthorized attacker to deny service over a network.
CVE-2026-40515
18:48 KSA
HIGH CVSS 7.5 CWE-863
OpenHarness before commit bd4df81 contains a permission bypass vulnerability that allows attackers to read sensitive files by exploiting incomplete path normalization in the permission checker. Attackers can invoke the built-in grep and glob tools with sensitive root directories …
CVE-2026-4352
09:48 KSA
HIGH CVSS 7.5 CWE-89
The JetEngine plugin for WordPress is vulnerable to SQL Injection via the Custom Content Type (CCT) REST API search endpoint in all versions up to, and including, 3.8.6.1. This is due to the `_cct_search` parameter being interpolated directly into a SQL query string via `sprintf(…
CVE-2026-4659
06:18 KSA
HIGH CVSS 7.5 CWE-22
The Unlimited Elements for Elementor plugin for WordPress is vulnerable to Arbitrary File Read via the Repeater JSON/CSV URL parameter in versions up to, and including, 2.0.6. This is due to insufficient path traversal sanitization in the URLtoRelative() and urlToPath() functions…
CVE-2026-5710
20:43 KSA
HIGH CVSS 7.5 CWE-22
The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to Path Traversal leading to Arbitrary File Read in versions up to and including 1.3.9.6. This is due to the plugin using client-supplied mfile[] POST values as the source of truth for em…
CVE-2026-24032
09:48 KSA
HIGH CVSS 7.3 CWE-347
A vulnerability has been identified in SINEC NMS (All versions < V4.0 SP3 with UMC). The affected application contains an authentication weakness due to insufficient validation of user identity in the UMC component. This could allow an unauthenticated remote attacker to bypass a…
CVE-2026-34856
03:25 KSA
HIGH CVSS 7.3 CWE-362
UAF vulnerability in the communication module. Impact: Successful exploitation of this vulnerability may affect availability.
CVE-2026-6153
03:25 KSA
HIGH CVSS 7.3 CWE-74
A vulnerability was identified in code-projects Vehicle Showroom Management System 1.0. Impacted is an unknown function of the file /util/StaffDetailsFunction.php. Such manipulation of the argument STAFF_ID leads to sql injection. The attack can be launched remotely. The exploit …
CVE-2026-6158
03:25 KSA
HIGH CVSS 7.3 CWE-77
A flaw has been found in Totolink N300RH 6.1c.1353_B20190305. Affected is the function setUpgradeUboot of the file upgrade.so. This manipulation of the argument FileName causes os command injection. The attack is possible to be carried out remotely. The exploit has been published…
CVE-2026-6161
03:25 KSA
HIGH CVSS 7.3 CWE-74
A vulnerability was determined in code-projects Simple ChatBox up to 1.0. This affects an unknown part of the file /chatbox/insert.php of the component Endpoint. Executing a manipulation of the argument msg can lead to sql injection. It is possible to launch the attack remotely. …
CVE-2026-6163
03:25 KSA
HIGH CVSS 7.3 CWE-74
A vulnerability was identified in code-projects Lost and Found Thing Management 1.0. Affected by this issue is some unknown functionality of the file /catageory.php. Such manipulation of the argument cat leads to sql injection. It is possible to launch the attack remotely. The ex…
CVE-2026-6164
03:25 KSA
HIGH CVSS 7.3 CWE-74
A security flaw has been discovered in code-projects Lost and Found Thing Management 1.0. This affects an unknown part of the file /addcat.php. Performing a manipulation of the argument cata results in sql injection. The attack can be initiated remotely. The exploit has been rele…
CVE-2026-6165
03:25 KSA
HIGH CVSS 7.3 CWE-74
A weakness has been identified in code-projects Vehicle Showroom Management System 1.0. This vulnerability affects unknown code of the file /util/Login_check.php. Executing a manipulation of the argument ID can lead to sql injection. The attack can be launched remotely. The explo…
CVE-2026-6166
03:25 KSA
HIGH CVSS 7.3 CWE-74
A security vulnerability has been detected in code-projects Vehicle Showroom Management System 1.0. This issue affects some unknown processing of the file /util/UpdateVehicleFunction.php. The manipulation of the argument VEHICLE_ID leads to sql injection. The attack may be initia…
CVE-2026-6167
03:25 KSA
HIGH CVSS 7.3 CWE-74
A vulnerability was detected in code-projects Faculty Management System 1.0. Impacted is an unknown function of the file /subject-print.php. The manipulation of the argument ID results in sql injection. The attack may be launched remotely. The exploit is now public and may be use…
CVE-2026-6182
03:25 KSA
HIGH CVSS 7.3 CWE-74
A vulnerability was identified in code-projects Simple Content Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /web/admin/login.php. Such manipulation of the argument User leads to sql injection. The attack may be launched remotely. T…
CVE-2026-6183
03:25 KSA
HIGH CVSS 7.3 CWE-74
A security flaw has been discovered in code-projects Simple Content Management System 1.0. Affected by this issue is some unknown functionality of the file /web/index.php. Performing a manipulation of the argument ID results in sql injection. Remote exploitation of the attack is …
CVE-2026-6187
03:25 KSA
HIGH CVSS 7.3 CWE-74
A vulnerability was detected in SourceCodester Pharmacy Sales and Inventory System 1.0. This issue affects some unknown processing of the file /ajax.php?action=chk_prod_availability. The manipulation of the argument ID results in sql injection. The attack may be performed from re…
CVE-2026-6188
03:25 KSA
HIGH CVSS 7.3 CWE-74
A flaw has been found in SourceCodester Pharmacy Sales and Inventory System 1.0. Impacted is an unknown function of the file /ajax.php?action=delete_sales. This manipulation of the argument ID causes sql injection. It is possible to initiate the attack remotely. The exploit has b…
CVE-2026-6189
03:25 KSA
HIGH CVSS 7.3 CWE-74
A vulnerability has been found in SourceCodester Pharmacy Sales and Inventory System 1.0. The affected element is an unknown function of the file /ajax.php?action=login. Such manipulation of the argument Username leads to sql injection. It is possible to launch the attack remotel…
CVE-2026-6193
03:25 KSA
HIGH CVSS 7.3 CWE-74
A security flaw has been discovered in PHPGurukul Daily Expense Tracking System 1.1. Affected is an unknown function of the file /register.php. The manipulation of the argument email results in sql injection. The attack may be launched remotely. The exploit has been released to t…
CVE-2026-6224
05:35 KSA
HIGH CVSS 7.3 CWE-264
A security flaw has been discovered in nocobase plugin-workflow-javascript up to 2.0.23. This issue affects the function createSafeConsole of the file packages/plugins/@nocobase/plugin-workflow-javascript/src/server/Vm.js. Performing a manipulation results in sandbox issue. The a…
CVE-2026-6490
12:32 KSA
HIGH CVSS 7.3 CWE-74
A weakness has been identified in QueryMine sms up to 7ab5a9ea196209611134525ffc18de25c57d9593. Impacted is an unknown function of the file admin/deletecourse.php of the component GET Request Parameter Handler. This manipulation of the argument ID causes sql injection. The attack…
CVE-2026-23776
12:32 KSA
HIGH CVSS 7.2 CWE-295
Dell PowerProtect Data Domain with Data Domain Operating System (DD OS) of Feature Release versions 7.7.1.0 through 8.5, LTS2025 release version 8.3.1.0 through 8.3.1.20, LTS2024 release versions 7.13.1.0 through 7.13.1.60, contain(s) an Improper Certificate Validation vulnerabil…
CVE-2026-3017
09:48 KSA
HIGH CVSS 7.2 CWE-502
The Smart Post Show – Post Grid, Post Carousel & Slider, and List Category Posts plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.0.12 via deserialization of untrusted input in the import_shortcodes() function. This makes it possi…
CVE-2026-40038
03:25 KSA
HIGH CVSS 7.2 CWE-79
Pachno 1.0.6 contains a stored cross-site scripting vulnerability that allows attackers to execute arbitrary HTML and script code by injecting malicious payloads into POST parameters. Attackers can inject scripts through the value, comment_body, article_content, description, and …
CVE-2026-4388
09:48 KSA
HIGH CVSS 7.2 CWE-79
The Form Maker by 10Web plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Matrix field (Text Box input type) in form submissions in all versions up to, and including, 1.15.40. This is due to insufficient input sanitization (`sanitize_text_field` strips tag…
CVE-2026-5231
06:18 KSA
HIGH CVSS 7.2 CWE-79
The WP Statistics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'utm_source' parameter in all versions up to, and including, 14.16.4. This is due to insufficient input sanitization and output escaping. The plugin's referral parser copies the raw utm_so…
CVE-2026-6227
09:48 KSA
HIGH CVSS 7.2 CWE-22
The BackWPup plugin for WordPress is vulnerable to Local File Inclusion via the `block_name` parameter of the `/wp-json/backwpup/v1/getblock` REST endpoint in all versions up to, and including, 5.6.6 due to a non-recursive `str_replace()` sanitization of path traversal sequences.…
CVE-2026-6483
12:32 KSA
HIGH CVSS 7.2 CWE-77
A vulnerability was found in Wavlink WL-WN530H4 20220721. This vulnerability affects the function strcat/snprintf of the file /cgi-bin/internet.cgi. The manipulation results in os command injection. It is possible to launch the attack remotely. The exploit has been made public an…
CVE-2026-33704
03:25 KSA
HIGH CVSS 7.1 CWE-434
Chamilo LMS is a learning management system. Prior to 1.11.38, any authenticated user (including students) can write arbitrary content to files on the server via the BigUpload endpoint. The key parameter controls the filename and the raw POST body becomes the file content. While …
CVE-2026-33892
11:48 KSA
HIGH CVSS 7.1 CWE-305
A vulnerability has been identified in Industrial Edge Management Pro V1 (All versions >= V1.7.6 < V1.15.17), Industrial Edge Management Pro V2 (All versions >= V2.0.0 < V2.1.1), Industrial Edge Management Virtual (All versions >= V2.2.0 < V2.8.0). Affected management systems do …
CVE-2026-34256
05:35 KSA
HIGH CVSS 7.1 CWE-862
Due to a missing authorization check in SAP ERP and SAP S/4HANA (Private Cloud and On-Premise), an authenticated attacker could execute a particular ABAP report to overwrite any existing eight-character executable ABAP report without authorization. If the overwritten report is su…
CVE-2026-40518
20:43 KSA
HIGH CVSS 7.1 CWE-22
ByteDance DeerFlow before commit 2176b2b contains a path traversal and arbitrary file write vulnerability in bootstrap-mode custom-agent creation where the agent name validation is bypassed. Attackers can supply traversal-style values or absolute paths as the agent name to influe…
CVE-2026-4344
15:49 KSA
HIGH CVSS 7.1 CWE-79
A maliciously crafted HTML payload in a component name, when displayed during the delete confirmation dialog and clicked by a user, can trigger a Stored Cross-site Scripting (XSS) vulnerability in the Autodesk Fusion desktop application. A malicious actor may leverage this vulner…
CVE-2026-4345
15:49 KSA
HIGH CVSS 7.1 CWE-79
A maliciously crafted HTML payload, stored in a design name and exported to CSV, can trigger a Stored Cross-site Scripting (XSS) vulnerability in the Autodesk Fusion desktop application. A malicious actor may leverage this vulnerability to read local files or execute arbitrary co…
CVE-2026-4369
15:49 KSA
HIGH CVSS 7.1 CWE-79
A maliciously crafted HTML payload in an assembly variant name, when displayed during the delete confirmation dialog and clicked by a user, can trigger a Stored Cross-site Scripting (XSS) vulnerability in the Autodesk Fusion desktop application. A malicious actor may leverage thi…
CVE-2026-6421
06:18 KSA
HIGH CVSS 7.0 CWE-426
A vulnerability has been found in Mobatek MobaXterm Home Edition up to 26.1. This affects an unknown part in the library msimg32.dll. The manipulation leads to uncontrolled search path. An attack has to be approached locally. The attack is considered to have high complexity. It i…
CVE-2026-3488
08:36 KSA
MEDIUM CVSS 6.5 CWE-862
The WP Statistics plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 14.16.4. This is due to missing capability checks on multiple AJAX handlers including `wp_statistics_get_filters`, `wp_statistics_getPrivacyStatus`, `wp_statistics_…
CVE-2026-4666
11:00 KSA
MEDIUM CVSS 6.5 CWE-862
The wpForo Forum plugin for WordPress is vulnerable to unauthorized modification of data due to the use of `extract($args, EXTR_OVERWRITE)` on user-controlled input in the `edit()` method of `classes/Posts.php` in all versions up to, and including, 2.4.16. The `post_edit` action …
CVE-2026-4817
08:36 KSA
MEDIUM CVSS 6.5 CWE-89
The MasterStudy LMS WordPress Plugin for Online Courses and Education plugin for WordPress is vulnerable to Time-based Blind SQL Injection via the 'order' and 'orderby' parameters in the /lms/stm-lms/order/items REST API endpoint in versions up to and including 3.7.25. This is du…
CVE-2026-6080
13:16 KSA
MEDIUM CVSS 6.5 CWE-89
The Tutor LMS plugin for WordPress is vulnerable to SQL Injection in versions up to and including 3.9.8. This is due to insufficient escaping on the 'date' parameter combined with direct interpolation into a SQL fragment before being passed to $wpdb->prepare(). This makes it poss…
CVE-2026-1572
04:09 KSA
MEDIUM CVSS 6.4 CWE-79
The Livemesh Addons for Elementor plugin for WordPress is vulnerable to unauthorized modification of data and Stored Cross-Site Scripting via plugin settings in all versions up to, and including, 9.0. This is due to missing authorization checks on the AJAX handler `lae_admin_ajax…
CVE-2026-2434
07:18 KSA
MEDIUM CVSS 6.4 CWE-79
The Pz-LinkCard plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'blogcard' shortcode attributes in all versions up to, and including, 2.5.8.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, …
CVE-2026-2840
04:09 KSA
MEDIUM CVSS 6.4 CWE-79
The Email Encoder – Protect Email Addresses and Phone Numbers plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'eeb_mailto' shortcode in all versions up to, and including, 2.4.4 due to insufficient input sanitization and output escaping. This makes it pos…
CVE-2026-3875
04:09 KSA
MEDIUM CVSS 6.4 CWE-79
The BetterDocs plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'betterdocs_feedback_form' shortcode in all versions up to, and including, 4.3.8. This is due to insufficient input sanitization and output escaping on user supplied shortcode attributes. Thi…
CVE-2026-5162
08:36 KSA
MEDIUM CVSS 6.4 CWE-79
The Royal Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Instagram Feed widget's 'instagram_follow_text' setting in all versions up to, and including, 1.7.1056 due to insufficient input sanitization and output escaping. This makes i…
CVE-2026-6488
22:16 KSA
MEDIUM CVSS 6.3 CWE-74
A vulnerability was identified in QueryMine sms up to 7ab5a9ea196209611134525ffc18de25c57d9593. This vulnerability affects unknown code of the file admin/editcourse.php of the component GET Request Parameter Handler. The manipulation of the argument ID leads to sql injection. The…
CVE-2026-6489
A security flaw has been discovered in QueryMine sms up to 7ab5a9ea196209611134525ffc18de25c57d9593. This issue affects
22:16 KSA
MEDIUM CVSS 6.3 CWE-284
A security flaw has been discovered in QueryMine sms up to 7ab5a9ea196209611134525ffc18de25c57d9593. This issue affects some unknown processing of the file admin/addteacher.php of the component Background Management Page. The manipulation of the argument image results in unrestri…
CVE-2026-6497
A vulnerability was determined in prasathmani TinyFileManager up to 2.6. Affected by this vulnerability is an unknown fu
00:48 KSA
MEDIUM CVSS 6.3 CWE-918
A vulnerability was determined in prasathmani TinyFileManager up to 2.6. Affected by this vulnerability is an unknown functionality of the file /filemanager.php?p= ajax=true&type=upload of the component File Upload Handler. This manipulation of the argument uploadurl causes serve…
CVE-2026-3355
The Customer Reviews for WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘crsea
04:09 KSA
MEDIUM CVSS 6.1 CWE-79
The Customer Reviews for WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘crsearch’ parameter in all versions up to, and including, 5.101.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthentica…
CVE-2026-3369
The Better Find and Replace – AI-Powered Suggestions plugin for WordPress is vulnerable to Stored Cross-Site Scripting v
04:09 KSA
MEDIUM CVSS 5.4 CWE-79
The Better Find and Replace – AI-Powered Suggestions plugin for WordPress is vulnerable to Stored Cross-Site Scripting via uploaded image title in versions up to, and including, 1.7.9 due to insufficient input sanitization and output escaping. This makes it possible for authentic…
CVE-2026-6496
A vulnerability was found in prasathmani TinyFileManager up to 2.6. Affected is an unknown function of the file /fileman
22:16 KSA
MEDIUM CVSS 5.4 CWE-22
A vulnerability was found in prasathmani TinyFileManager up to 2.6. Affected is an unknown function of the file /filemanager.php of the component POST Parameter Handler. The manipulation of the argument file[] results in path traversal. The attack may be performed from remote. Th…
CVE-2026-0718 · 04:09 KSA · MEDIUM CVSS 5.3 CWE-862
The Post Grid Gutenberg Blocks for News, Magazines, Blog Websites – PostX plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ultp_shareCount_callback() function in all versions up to, and including, 5.0.5. This makes i…
CVE-2026-4160 · 04:09 KSA · MEDIUM CVSS 5.3 CWE-639
The Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder plugin for WordPress is vulnerable to Insecure Direct Object Reference via the 'submission_id' parameter in versions up to, and including, 6.1.21. This is due to missing authorization and o…
CVE-2026-5234 · 13:16 KSA · MEDIUM CVSS 5.3 CWE-639
The LatePoint plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.3.2. The vulnerability exists because the OsStripeConnectController::create_payment_intent_for_transaction action is registered as a public action (no auth…
CVE-2026-5427 · 13:16 KSA · MEDIUM CVSS 5.3 CWE-862
The Kubio plugin for WordPress is vulnerable to Arbitrary File Upload in versions up to and including 2.7.2. This is due to insufficient capability checks in the kubio_rest_pre_insert_import_assets() function, which is hooked to the rest_pre_insert_{post_type} filter for posts, p…
CVE-2026-5502 · 13:16 KSA · MEDIUM CVSS 5.3 CWE-862
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized course content manipulation in versions up to and including 3.9.8. This is due to a missing authorization check in the tutor_update_course_content_order() function. The functio…
CVE-2026-5797 · 13:16 KSA · MEDIUM CVSS 5.3 CWE-74
The Quiz And Survey Master plugin for WordPress is vulnerable to Arbitrary Shortcode Execution in versions up to and including 11.1.0. This is due to insufficient input sanitization and the execution of do_shortcode() on user-submitted quiz answer text. User-submitted answers pas…
CVE-2026-6491 · 22:16 KSA · MEDIUM CVSS 5.3 CWE-119
A security vulnerability has been detected in libvips up to 8.18.2. The affected element is the function im_minpos_vec of the file libvips/deprecated/vips7compat.c of the component nip2 Handler. Such manipulation of the argument n leads to heap-based buffer overflow. An attack ha…
CVE-2026-6492 · 22:16 KSA · MEDIUM CVSS 5.3 CWE-200
A vulnerability was detected in arnobt78 Hotel Booking Management System up to f8922d0e0f6ac1cc761974c7616f44c2bbc04bea. The impacted element is an unknown function of the file /api/health/detailed of the component Health Check Endpoint. Performing a manipulation results in infor…
CVE-2026-6494 · 22:16 KSA · MEDIUM CVSS 5.3 CWE-117
A flaw was found in the AAP MCP server. An unauthenticated remote attacker can exploit a log injection vulnerability by sending specially crafted input to the `toolsetroute` parameter. This parameter is not properly sanitized before being written to logs, allowing the attacker to…
⚠️ Threat Intelligence
32 threats
rss:Dark Reading · 03:19 KSA · CRITICAL phishing
Tycoon 2FA Phishers Scatter, Adopt Device Code Phishing
Attackers using the Tycoon phishing kit have shifted tactics to device code phishing, exploiting legitimate new-device login flows to deceive users into granting account access. This technique bypasses trad…
rss:Dark Reading · 03:19 KSA · HIGH vulnerability
How NIST's Cutback of CVE Handling Impacts Cyber Teams
NIST's reduction in CVE data enrichment services is creating a gap in vulnerability management that industry coalitions are working to fill. This cutback impacts organizations' ability to prioritize and…
rss:SecurityWeek · 02:16 KSA · MEDIUM general
White House Chief of Staff to Meet With Anthropic CEO Over Its New AI Technology
The White House is engaging with advanced AI laboratories to discuss their models and software security implications. This meeting between the Chief of Staff and Anthropic's CEO ref…
rss:BleepingComputer · 02:16 KSA · CRITICAL ransomware
Payouts King ransomware uses QEMU VMs to bypass endpoint security
Payouts King ransomware employs QEMU emulator technology to establish reverse SSH backdoors and execute hidden virtual machines on compromised systems, effectively evading endpoint security detect…
rss:Malwarebytes Lab · 21:20 KSA · HIGH phishing
This old-school scam is still working
A classic Nigerian advance-fee scam continues to victimize users with modern variations. These persistent scams remain effective because they exploit human psychology and trust. Organizations should educate employees about t…
rss:SecurityWeek · 21:20 KSA · MEDIUM general
CoChat Launches AI Collaboration Platform to Combat Shadow AI
CoChat has launched an AI collaboration platform designed to provide visibility and governance over unauthorized AI tool usage within enterprises. The platform aims to address the growing security ris…
rss:Dark Reading · 21:20 KSA · HIGH vulnerability
Every Old Vulnerability Is Now an AI Vulnerability
AI systems are amplifying the impact of previously known vulnerabilities rather than creating entirely new attack vectors. Legacy security flaws are becoming more dangerous as AI technologies exploit them at sca…
rss:BleepingComputer · 21:20 KSA · CRITICAL apt
Grinex exchange blames "Western intelligence" for $13.7M crypto hack
Kyrgyzstan-based cryptocurrency exchange Grinex suffered a $13.7 million hack and suspended operations, attributing the attack to Western intelligence agencies. The incident highlight…
rss:The Hacker News · 20:18 KSA · CRITICAL vulnerability
Three Microsoft Defender Zero-Days Actively Exploited; Two Still Unpatched
Threat actors are actively exploiting three zero-day vulnerabilities in Microsoft Defender (BlueHammer and RedSun) to gain elevated privileges on compromised systems. Two of the three fla…
rss:BleepingComputer · 20:18 KSA · HIGH data_breach
Inside an Underground Guide: How Threat Actors Vet Stolen Credit Card Shops
Cybercriminals use underground guides to evaluate stolen credit card shops based on data quality, reputation, and operational longevity. This reveals the sophisticated vetting processes …
rss:SecurityWeek · 19:16 KSA · HIGH vulnerability,apt,insider
In Other News: Satellite Cybersecurity Act, $90K Chrome Flaw, Teen Hacker Arrested
Multiple cybersecurity incidents reported including ShinyHunters targeting Rockstar Games, exploitation of ShowDoc vulnerability in active attacks, and increased EPA cybersecurity…
rss:Dark Reading · 19:16 KSA · HIGH vulnerability
NIST Revamps CVE Framework to Focus on High-Impact Vulnerabilities
NIST has revised its CVE (Common Vulnerabilities and Exposures) framework to prioritize high-impact vulnerabilities, changing how organizations approach vulnerability remediation and patch manage…
rss:Dark Reading · 19:16 KSA · HIGH general
Coast Guard's New Cybersecurity Rules Offers Lessons for CISOs
The Maritime Transportation Security Act (MTSA) establishes new cybersecurity requirements for protecting operational technology (OT) systems in maritime infrastructure. Organizations must imple…
rss:BleepingComputer · 19:16 KSA · HIGH phishing
Webinar: From phishing to fallout — Why MSPs must rethink both security and recovery
Cyberattacks, particularly phishing campaigns, are outpacing MSP and corporate security defenses. The webinar addresses the need for integrated security and recovery strategies …
rss:The Hacker News · 18:00 KSA · MEDIUM general
Google Blocks 8.3B Policy-Violating Ads in 2025, Launches Android 17 Privacy Overhaul
Google announced blocking 8.3 billion policy-violating ads globally and suspending 24.9 million accounts in 2025, while introducing new Play Store policy updates focused on str…
rss:SecurityWeek · 16:54 KSA · CRITICAL vulnerability
Recent Apache ActiveMQ Vulnerability Exploited in the Wild
CVE-2026-34197, a critical remote code execution vulnerability in Apache ActiveMQ, is being actively exploited in the wild since early April. Organizations using ActiveMQ are at immediate risk of comprom…
rss:SecurityWeek · 16:54 KSA · HIGH general
Lawmakers Gathered Quietly to Talk About AI. Angst and Fears of ‘Destruction’ Followed
U.S. lawmakers held private discussions about AI risks and potential destructive impacts as global AI development accelerates. The meeting reflects growing concerns about AI s…
rss:SecurityWeek · 16:54 KSA · HIGH data_breach
Another DraftKings Hacker Sentenced to Prison
A DraftKings hacker was sentenced to prison for selling stolen credentials through online marketplaces despite his guilty plea. The incident highlights ongoing credential theft and unauthorized access to sports betti…
rss:SecurityWeek · 15:48 KSA · CRITICAL insider
Two North Korean IT Worker Scheme Facilitators Jailed in the US
Two individuals, Kejia Wang and Zhenxing Wang, were imprisoned in the US for facilitating a North Korean IT worker scheme that involved identity fraud. The scheme compromised dozens of US citizens' …
rss:BleepingComputer · 15:48 KSA · CRITICAL vulnerability
CISA flags Apache ActiveMQ flaw as actively exploited in attacks
CISA has issued a warning about active exploitation of a high-severity vulnerability in Apache ActiveMQ that remained undetected for 13 years before being patched. Attackers are actively leveraging…
rss:Malwarebytes Lab · 14:36 KSA · HIGH phishing
“Your shipment has arrived” email hides remote access software
A phishing email impersonating DHL delivery notifications tricks recipients into installing remote access software that enables attackers to deploy additional malware and ransomware. This supply chai…
rss:SecurityWeek · 14:36 KSA · CRITICAL malware
ZionSiphon Malware Targets ICS in Water Facilities
ZionSiphon malware has been identified targeting Industrial Control Systems (ICS) in water treatment and desalination facilities. The malware is specifically configured to operate on systems associated with Isra…
rss:The Hacker News · 14:36 KSA · HIGH vulnerability
NIST Limits CVE Enrichment After 263% Surge in Vulnerability Submissions
NIST has implemented new restrictions on CVE enrichment in its National Vulnerability Database due to a 263% surge in vulnerability submissions. The institute will now only enrich CVEs that…
rss:BleepingComputer · 14:36 KSA · CRITICAL vulnerability
Microsoft: Some Windows servers enter reboot loops after April patches
Microsoft has identified a critical issue where Windows domain controllers experience continuous restart loops following the installation of April 2026 security patches. This vulnerability af…
rss:SecurityWeek · 13:32 KSA · HIGH ddos
53 DDoS Domains Taken Down by Law Enforcement
Law enforcement agencies from 21 countries coordinated a takedown operation against 53 domains operating DDoS-for-hire services. This international effort disrupts criminal infrastructure used to launch distributed d…
rss:SecurityWeek · 13:32 KSA · CRITICAL vulnerability
Cursor AI Vulnerability Exposed Developer Devices
A critical vulnerability in Cursor AI combines indirect prompt injection with sandbox bypass and remote tunnel features to achieve shell access on developer machines. This attack chain could allow attackers to co…
rss:The Hacker News · 13:32 KSA · HIGH ddos
Operation PowerOFF Seizes 53 DDoS Domains, Exposes 3 Million Criminal Accounts
International law enforcement operation Operation PowerOFF successfully dismantled 53 DDoS domains and arrested four individuals involved in commercial DDoS operations used by over 75…
rss:BleepingComputer · 13:32 KSA · HIGH data_breach
Man gets 30 months for selling thousands of hacked DraftKings accounts
A 23-year-old from Memphis was sentenced to 30 months in prison for selling unauthorized access to tens of thousands of compromised DraftKings accounts. This case highlights the criminal pros…
rss:BleepingComputer · 12:18 KSA · CRITICAL vulnerability
Recently leaked Windows zero-days now exploited in attacks
Threat actors are actively exploiting three recently disclosed Windows zero-day vulnerabilities to gain SYSTEM and elevated administrator privileges on target systems. These vulnerabilities pose a critic…
rss:The Hacker News · 10:00 KSA · HIGH vulnerability
Apache ActiveMQ CVE-2026-34197 Added to CISA KEV Amid Active Exploitation
A high-severity vulnerability in Apache ActiveMQ Classic (CVE-2026-34197) is being actively exploited in the wild and has been added to CISA's Known Exploited Vulnerabilities (KEV) catalog…
rss:BleepingComputer · 05:32 KSA · HIGH ddos
Operation PowerOFF identifies 75k DDoS users, takes down 53 domains
Operation PowerOFF successfully identified and disrupted a major DDoS botnet ecosystem, taking down 53 malicious domains and identifying 75,000 DDoS users across 21 countries. This coordinated l…
rss:BleepingComputer · 05:32 KSA · CRITICAL malware
ZionSiphon malware designed to sabotage water treatment systems
ZionSiphon is a newly discovered malware specifically engineered to target operational technology environments in water treatment and desalination facilities. This threat poses critical risks to ess…
📰 Cybersecurity News
0 articles
📰 No news aggregated today yet

This digest is updated automatically every day — Last updated: Friday, April 17, 2026