CVEs from 2026
- Total: 13,469
- Critical: 1,177
- High: 4,294
- Medium: 4,168
- Low: 445
- % Critical: 8.7%
- % with KEV: 0.4%
- % with exploit: 0.8%
Top products
- chrome 417
- firepower_threat_defense 298
- firepower_threat_defense_software 295
- gcp 229
- openclaw 166
- commerce 104
- commerce_b2b 89
- magento 74
Top packages
| CVE | Severity | CVSS | Risk | Published | Description | Flags | OS | Vendor |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-1299 | medium | — | 5.5 | 3mo ago | RHSA-2026:4473: python3.11 security update (Moderate) | |||
| CVE-2026-3588 | medium | 5.5 | 5.5 | 3mo ago | A server-side request forgery (SSRF) vulnerability in IKEA Dirigera v2.866.4 allows an attacker to exfiltrate private keys by sending a crafted request. | |||
| CVE-2026-23001 | medium | — | 5.5 | 3mo ago | RHSA-2026:3964: kernel-rt security update (Moderate) | |||
| CVE-2026-3665 | medium | 5.5 | 5.5 | 3mo ago | A vulnerability was identified in xlnt-community xlnt up to 1.6.1. The affected element is the function xlnt::detail::xlsx_consumer::read_office_document of the file source/detail/serialization/xlsx_… | |||
| CVE-2026-3664 | medium | 5.5 | 5.5 | 3mo ago | A vulnerability was determined in xlnt-community xlnt up to 1.6.1. Impacted is the function xlnt::detail::compound_document::read_directory of the file source/detail/cryptography/compound_document.cp… | |||
| CVE-2026-3606 | medium | 5.5 | 5.5 | 3mo ago | A vulnerability has been found in Ettercap 0.8.4-Garofalo. Affected by this vulnerability is the function add_data_segment of the file src/ettercap/utils/etterfilter/ef_output.c of the component ette… | |||
| CVE-2026-28685 | medium | — | 5.5 | 3mo ago | Kimai's API invoice endpoint missing customer-level access control (IDOR) | |||
| CVE-2026-1642 | medium | — | 5.5 | 3mo ago | RHSA-2026:5581: nginx:1.24 security update (Moderate) | |||
| CVE-2026-23097 | medium | — | 5.5 | 3mo ago | RHSA-2026:3464: kernel security update (Moderate) | |||
| CVE-2026-3392 | medium | 5.5 | 5.5 | 3mo ago | A weakness has been identified in FascinatedBox lily up to 2.3. The affected element is the function eval_tree of the file src/lily_emitter.c. This manipulation causes null pointer dereference. The a… | |||
| CVE-2026-3391 | medium | 5.5 | 5.5 | 3mo ago | A security flaw has been discovered in FascinatedBox lily up to 2.3. Impacted is the function clear_storages of the file src/lily_emitter.c. The manipulation results in out-of-bounds read. The attack… | |||
| CVE-2026-3390 | medium | 5.5 | 5.5 | 3mo ago | A vulnerability was identified in FascinatedBox lily up to 2.3. This issue affects the function patch_line_end of the file src/lily_build_error.c of the component Error Reporting. The manipulation le… | |||
| CVE-2026-3389 | medium | 5.5 | 5.5 | 3mo ago | A vulnerability was determined in Squirrel up to 3.2. This vulnerability affects the function sqstd_rex_newnode in the library sqstdlib/sqstdrex.cpp. Executing a manipulation can lead to null pointer… | |||
| CVE-2026-3388 | medium | 5.5 | 5.5 | 3mo ago | A vulnerability was found in Squirrel up to 3.2. This affects the function SQCompiler::Factor/SQCompiler::UnaryOP of the file squirrel/sqcompiler.cpp. Performing a manipulation results in uncontrolle… | |||
| CVE-2026-3387 | medium | 5.5 | 5.5 | 3mo ago | A vulnerability has been found in wren-lang wren up to 0.4.0. Affected by this issue is the function getByteCountForArguments of the file src/vm/wren_compiler.c. Such manipulation leads to null point… | |||
| CVE-2026-3385 | medium | 5.5 | 5.5 | 3mo ago | A vulnerability was detected in wren-lang wren up to 0.4.0. Affected is the function resolveLocal of the file src/vm/wren_compiler.c. The manipulation results in uncontrolled recursion. Attacking loc… | |||
| CVE-2026-3384 | medium | 5.5 | 5.5 | 3mo ago | A security vulnerability has been detected in ChaiScript up to 6.1.0. This impacts the function chaiscript::eval::AST_Node_Impl::eval/chaiscript::eval::Function_Push_Pop of the file include/chaiscrip… | |||
| CVE-2026-3383 | medium | 5.5 | 5.5 | 3mo ago | A weakness has been identified in ChaiScript up to 6.1.0. This affects the function chaiscript::Boxed_Number::go of the file include/chaiscript/dispatchkit/boxed_number.hpp. Executing a manipulation … | |||
| CVE-2026-3382 | medium | 5.5 | 5.5 | 3mo ago | A security flaw has been discovered in ChaiScript up to 6.1.0. The impacted element is the function chaiscript::Boxed_Number::get_as of the file include/chaiscript/dispatchkit/boxed_number.hpp. Perfo… | |||
| CVE-2026-3293 | medium | 5.5 | 5.5 | 3mo ago | Snowflake JDBC Driver is Vulnerable to Uncontrolled Resource Consumption through SdkProxyRoutePlanner | |||
| CVE-2026-3284 | medium | 5.5 | 5.5 | 3mo ago | A vulnerability was found in libvips 8.19.0. Impacted is the function vips_extract_area_build of the file libvips/conversion/extract.c. The manipulation of the argument extract_area results in intege… | |||
| CVE-2026-2887 | medium | 5.5 | 5.5 | 3mo ago | A security vulnerability has been detected in aardappel lobster up to 2025.4. This impacts the function lobster::TypeName in the library dev/src/lobster/idents.h. Such manipulation leads to uncontrol… | |||
| CVE-2026-2869 | medium | 5.5 | 5.5 | 3mo ago | A vulnerability was identified in janet-lang janet up to 1.40.1. Affected by this vulnerability is the function janetc_varset of the file src/core/specials.c of the component handleattr Handler. The … | |||
| CVE-2026-2703 | medium | 5.5 | 5.5 | 3mo ago | A weakness has been identified in xlnt-community xlnt up to 1.6.1. Impacted is the function xlnt::detail::decode_base64 of the file source/detail/cryptography/base64.cpp of the component Encrypted XL… | |||
| CVE-2026-2657 | medium | 5.5 | 5.5 | 3mo ago | A vulnerability has been found in wren-lang wren up to 0.4.0. This impacts the function printError of the file src/vm/wren_compiler.c of the component Error Message Handler. Such manipulation leads t… | |||
| CVE-2026-0861 | medium | — | 5.5 | 3mo ago | Moderate: glibc security update | |||
| CVE-2026-0915 | medium | — | 5.5 | 3mo ago | RHSA-2026:4772: glibc security update (Moderate) | |||
| CVE-2026-22998 | medium | — | 5.5 | 4mo ago | RHSA-2026:2378: kernel-rt security update (Moderate) | |||
| CVE-2026-23151 | medium | 5.5 | 5.5 | 4mo ago | In the Linux kernel, the following vulnerability has been resolved: Bluetooth: MGMT: Fix memory leak in set_ssp_complete Fix memory leak in set_ssp_complete() where mgmt_pending_cmd structures are … | |||
| CVE-2026-21340 | medium | 5.5 | 5.5 | 4mo ago | Substance3D - Designer versions 15.1.0 and earlier are affected by an out-of-bounds read vulnerability that could lead to memory exposure. An attacker could leverage this vulnerability to disclose se… | |||
| CVE-2026-2259 | medium | 5.5 | 5.5 | 4mo ago | A vulnerability has been found in aardappel lobster up to 2025.4. Affected by this issue is the function lobster::Parser::ParseStatements in the library dev/src/lobster/parser.h of the component Pars… | |||
| CVE-2026-2258 | medium | 5.5 | 5.5 | 4mo ago | A flaw has been found in aardappel lobster up to 2025.4. Affected by this vulnerability is the function WaveFunctionCollapse in the library dev/src/lobster/wfc.h. Executing a manipulation can lead to… | |||
| CVE-2026-1998 | medium | 5.5 | 5.5 | 4mo ago | A flaw has been found in micropython up to 1.27.0. This vulnerability affects the function mp_import_all of the file py/runtime.c. This manipulation causes memory corruption. The attack needs to be l… | |||
| CVE-2026-1991 | medium | 5.5 | 5.5 | 4mo ago | A vulnerability was detected in libuvc up to 0.0.7. Affected is the function uvc_scan_streaming of the file src/device.c of the component UVC Descriptor Handler. The manipulation results in null poin… | |||
| CVE-2026-1979 | medium | 5.5 | 5.5 | 4mo ago | A flaw has been found in mruby up to 3.4.0. This affects the function mrb_vm_exec of the file src/vm.c of the component JMPNOT-to-JMPIF Optimization. Executing a manipulation can lead to use after fr… | |||
| CVE-2026-1532 | medium | 5.5 | 5.5 | 4mo ago | A vulnerability was identified in D-Link DCS-700L 1.03.09. The affected element is the function uploadmusic of the file /setUploadMusic of the component Music File Upload Service. The manipulation of… | |||
| CVE-2026-22795 | medium | 5.5 | 5.5 | 4mo ago | Important: openssl security update | |||
| CVE-2026-22188 | medium | 5.5 | 5.5 | 5mo ago | The deploy-stub component in Panda3D versions up to and including 1.10.16 contains a denial of service vulnerability due to unbounded stack allocation. The deploy-stub executable allocates argv_copy … | |||
| CVE-2026-21968 | medium | — | 5.5 | 5mo ago | RHSA-2026:6435: mariadb:10.11 security update (Moderate) | |||
| CVE-2026-23205 | medium | — | 5.5 | 7mo ago | In the Linux kernel, the following vulnerability has been resolved: smb/client: fix memory leak in smb2_open_file() Reproducer: 1. server: directories are exported read-only 2. client: mount -… | |||
| CVE-2026-23146 | medium | — | 5.5 | 7mo ago | In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_uart: fix null-ptr-deref in hci_uart_write_work hci_uart_set_proto() sets HCI_UART_PROTO_INIT before calling hci_u… | |||
| CVE-2026-44611 | medium | 5.4 | 5.4 | 2d ago | Danelec MacGregor Voyage Data Recorder passwords are stored with a hashing method which limits password length and is susceptible to brute force attacks. | |||
| CVE-2026-42951 | medium | 5.4 | 5.4 | 2d ago | An authenticated user can download a backup of the Danelec MacGregor Voyage Data Recorder device which includes account data and password hashes. | |||
| CVE-2026-34507 | medium | 5.4 | 5.4 | 2d ago | OpenClaw before 2026.4.29 contains a policy bypass vulnerability in QQBot admin commands that allows authenticated senders to skip DM-only and allowFrom policy checks. Attackers can route admin comma… | |||
| CVE-2026-47694 | medium | 5.4 | 5.4 | 2d ago | WWBN AVideo is an open source video platform. In 29.0 and earlier, AVideo stores category descriptions from user input and later renders category_description as raw HTML in the Gallery view. A user w… | |||
| CVE-2026-9811 | medium | 5.4 | 5.4 | 2d ago | A stored Cross-Site Scripting (XSS) vulnerability exists in the project selector component of Mautic 7. When rendering selection menus for associating projects with system entities, the application f… | |||
| CVE-2026-9971 | medium | 5.4 | 5.4 | 3d ago | Inappropriate implementation in iOS in Google Chrome on iOS prior to 148.0.7778.216 allowed a remote attacker who convinced a user to engage in specific UI gestures to inject arbitrary scripts or HTM… | |||
| CVE-2026-45023 | medium | 5.4 | 5.4 | 3d ago | AutoGPT is a workflow automation platform for creating, deploying, and managing continuous artificial intelligence agents. Prior to 0.6.59, POST /api/blocks/{block_id}/execute endpoint executes block… | |||
| CVE-2026-42401 | medium | 5.4 | 5.4 | 3d ago | Improper Neutralization of Input During Web Page Generation (CWE-79) in Kibana can lead to stored HTML injection. A user with write access to an Elasticsearch index could persist crafted markup which… | |||
| CVE-2026-48523 | medium | 5.4 | 5.4 | 3d ago | PyJWT is a JSON Web Token implementation in Python. From 2.9.0 to 2.12.1, there is a verifier-side algorithm allow-list bypass when jwt.decode() or jwt.decode_complete() are called with a PyJWK key. … | |||
| CVE-2026-47761 | medium | 5.4 | 5.4 | 3d ago | TinyMCE is an open source rich text editor. Prior to 5.11.1, 7.9.3, and 8.5.1, there is a stored XSS vulnerability in the media plugin. Attackers can inject malicious scripts via crafted data-mce-* a… | |||
| CVE-2026-47760 | medium | 5.4 | 5.4 | 3d ago | TinyMCE is an open source rich text editor. From 6.8.0 to before 7.1.0, TinyMCE contains an XSS vulnerability caused by improper SVG namespace scope handling in the sanitizer. A crafted payload using… | |||
| CVE-2026-47759 | medium | 5.4 | 5.4 | 3d ago | TinyMCE is an open source rich text editor. Prior to 5.11.1, 7.9.3, and 8.5.1, there is a stored XSS vulnerability via unsanitized data-mce-* attributes (data-mce-href, data-mce-src, data-mce-style).… | |||
| CVE-2026-45718 | medium | 5.4 | 5.4 | 4d ago | Budibase is an open-source low-code platform. Prior to 3.38.1, the row action trigger endpoint (POST /api/tables/:sourceId/actions/:actionId/trigger) fails to validate that the user-supplied rowId is… | |||
| CVE-2026-4390 | medium | 5.4 | 5.4 | 4d ago | A weakness has been identified in TeamSpeak 3 Server up to 3.13.7. This affects the function process_resend_queue of the component Connection State Management. This manipulation causes use after free… | |||
| CVE-2026-42082 | medium | 5.4 | 5.4 | 4d ago | free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, the AMF in Free5GC does not enforce the concurrent security procedure rules defined in 3GPP TS 33.501 §6.9.5.1. The AM… | |||
| CVE-2026-45335 | medium | 5.4 | 5.4 | 4d ago | WeGIA is a web manager for charitable institutions. Prior to 3.7.3, an Open Redirect vulnerability was identified in the /WeGIA/controle/control.php endpoint of the WeGIA application, specifically th… | |||
| CVE-2026-45571 | medium | 5.4 | 5.4 | 4d ago | go-git is an extensible git implementation library written in pure Go. Prior to 5.19.1 and 6.0.0-alpha.4, a path validation issue in go-git could allow crafted repository data to affect files outside… | |||
| CVE-2026-6287 | medium | 5.4 | 5.4 | 5d ago | The ShopLentor - WooCommerce Builder for Elementor & Gutenberg plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'blockUniqId' block attribute in multiple Product Gride blocks… | |||
| CVE-2026-38931 | medium | 5.4 | 5.4 | 5d ago | A stored cross-site scripting (XSS) vulnerability in the /admin/config-module.php component of creatorsofcode simplephp GitHub commit 5184cff (Latest as of 2026-02-27) via injecting a crafted payload. | |||
| CVE-2026-32389 | medium | 5.4 | 5.4 | 6d ago | Missing Authorization vulnerability in Linethemes NanoCare allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects NanoCare: from n/a before 1.2.2. | |||
| CVE-2026-24586 | medium | 5.4 | 5.4 | 6d ago | Missing Authorization vulnerability in Themeansar Newses allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Newses: from n/a through 2.0.0.77. | |||
| CVE-2026-48589 | medium | 5.4 | 5.4 | 6d ago | Apache Shiro’s Jakarta EE module used the HTTP Referer header in certain cases to issue redirect after a user login. In affected versions, insufficient validation of this client-controlled value coul… | |||
| CVE-2026-44598 | medium | 5.4 | 5.4 | 6d ago | With valid login credentials, URL Redirection to Untrusted Site ('Open Redirect'), Server-Side Request Forgery (SSRF) vulnerability in Apache Shiro. This issue affects Apache Shiro from 2.0-alpha… | |||
| CVE-2026-9078 | medium | 5.4 | 5.4 | 6d ago | Firefox for iOS displayed specially crafted right-to-left (RTL) and internationalized domain names (IDNs) incorrectly in link preview UI surfaces. A crafted RTL hostname could visually reorder portio… | |||
| CVE-2026-9438 | medium | 5.4 | 5.4 | 7d ago | A vulnerability was found in yashpokharna2555 StudentManagementSystem cb2f558ddf8d19396de0f92abf2d224d46a0a203. This impacts an unknown function of the file courseDel.php. The manipulation of the arg… | |||
| CVE-2026-40864 | medium | 5.4 | 5.4 | 9d ago | JupyterHub has cross-origin form POSTs bypass XSRF (CWE-352) | |||
| CVE-2026-39964 | medium | 5.4 | 5.4 | 9d ago | Typebot.io has stored XSS via `javascript`: URI in text bubble links — bot author executes JS on visitors' browsers | |||
| CVE-2026-28735 | medium | 5.4 | 5.4 | 9d ago | Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to validate the OAuth token scope on the callback which allows an authenticated Mattermost user to g… | |||
| CVE-2026-9251 | medium | 5.4 | 5.4 | 9d ago | Missing authorization in the entry status management feature in Devolutions Server allows a non-administrator authenticated user to bypass the administrator-enforced Pending Approval flow and gain ac… | |||
| CVE-2026-8381 | medium | 5.4 | 5.4 | 10d ago | A broken access control vulnerability exists in the TeamViewer DEX Platform (On‑Premises) prior version 9.2. Certain backend API endpoints do not correctly enforce authorization checks, allowing an a… | |||
| CVE-2026-7798 | medium | 5.4 | 5.4 | 10d ago | The FluentCRM – Email Newsletter, Automation, Email Marketing, Email Campaigns, Optins, Leads, and CRM Solution plugin for WordPress is vulnerable to Blind Server-Side Request Forgery in all versions… | |||
| CVE-2026-8245 | medium | 5.4 | 5.4 | 10d ago | Concrete CMS 9.5.0 and below is vulnerable to Reflected XSS in Legacy Pagination via HTML attribute injection. Concrete\Core\Legacy\Pagination builds pagination links by raw-interpolating its $URL fi… | |||
| CVE-2026-8139 | medium | 5.4 | 5.4 | 10d ago | Concrete CMS 9.5.0 and below is vulnerable to Stored XSS via external-link page cvName because updateCollectionAliasExternal bypasses being sanitized. The Concrete CMS security team gave this vulnera… | |||
| CVE-2026-22678 | medium | 5.4 | 5.4 | 10d ago | Webmin before 2.641 contains a stored cross-site scripting vulnerability in the email template description field of the System and Server Status module that allows low-privileged authenticated attack… | |||
| CVE-2026-8203 | medium | 5.4 | 5.4 | 10d ago | Concrete CMS 9.5.0 and below has Stored XSS on the height parameter. The controller does not validate or sanitize $height. Any user with editor privileges can inject malicious JavaScript that execute… | |||
| CVE-2026-48230 | medium | 5.4 | 5.4 | 10d ago | Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in ticketsmdb_import.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsan… | |||
| CVE-2026-48229 | medium | 5.4 | 5.4 | 10d ago | Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in routes_i.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized va… | |||
| CVE-2026-48228 | medium | 5.4 | 5.4 | 10d ago | Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in patient_w.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized v… | |||
| CVE-2026-48227 | medium | 5.4 | 5.4 | 10d ago | Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in patient.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized val… | |||
| CVE-2026-48226 | medium | 5.4 | 5.4 | 10d ago | Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in os_watch.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized va… | |||
| CVE-2026-48225 | medium | 5.4 | 5.4 | 10d ago | Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in landb.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value… | |||
| CVE-2026-48224 | medium | 5.4 | 5.4 | 10d ago | Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in ics214.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized valu… | |||
| CVE-2026-48223 | medium | 5.4 | 5.4 | 10d ago | Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in ics213rr.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized va… | |||
| CVE-2026-48222 | medium | 5.4 | 5.4 | 10d ago | Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in ics213.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized valu… | |||
| CVE-2026-48221 | medium | 5.4 | 5.4 | 10d ago | Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in ics205a.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized val… | |||
| CVE-2026-48220 | medium | 5.4 | 5.4 | 10d ago | Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in ics205.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized valu… | |||
| CVE-2026-48219 | medium | 5.4 | 5.4 | 10d ago | Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in ics202.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized valu… | |||
| CVE-2026-48218 | medium | 5.4 | 5.4 | 10d ago | Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in icons/buttons/landb.php that allows authenticated attackers to inject arbitrary JavaScript by passing an uns… | |||
| CVE-2026-48217 | medium | 5.4 | 5.4 | 10d ago | Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in delete_module.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitiz… | |||
| CVE-2026-48216 | medium | 5.4 | 5.4 | 10d ago | Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in db_loader.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized v… | |||
| CVE-2026-48215 | medium | 5.4 | 5.4 | 10d ago | Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in circle.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized valu… | |||
| CVE-2026-48214 | medium | 5.4 | 5.4 | 10d ago | Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in add_nm.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized valu… | |||
| CVE-2026-48213 | medium | 5.4 | 5.4 | 10d ago | Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in add.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value t… | |||
| CVE-2026-44924 | medium | 5.4 | 5.4 | 11d ago | InfoScale VIOM 9.1.3 allows XSS. | |||
| CVE-2026-9056 | medium | 5.4 | 5.4 | 12d ago | A stored cross-site scripting vulnerability has been found in the Talend Administration Center. An attacker with permission to manage servers can store a XSS payload that can be triggered by a differ… | |||
| CVE-2026-6394 | medium | 5.4 | 5.4 | 12d ago | The Nexa Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE plugin for WordPress is vulnerable to Server-Side Request Forgery (SSRF) in versions up to and including 1.1.1. This is due… | |||
| CVE-2026-8493 | medium | 5.4 | 5.4 | 12d ago | This module enables you to open content already on the page within a colorbox. The module doesn't sufficiently sanitize the data-colorbox-inline attribute value before passing it to jQuery, leading … | |||
| CVE-2026-36827 | medium | 5.4 | 5.4 | 12d ago | A command injection vulnerability exists in Panabit PAP-XM320 up to and including V7.7. The web management interface invokes the backend helper /usr/sbin/pappiw and passes user-controlled parameters … | |||
| CVE-2026-8922 | medium | 5.4 | 5.4 | 13d ago | A flaw was found in Keycloak. When both realm-level and client-level `notBefore` revocation policies are configured, Keycloak's OpenID Connect (OIDC) Introspection feature fails to properly honor the… |