CVEs from 2026

- Total: 13,622
- Critical: 1,190
- High: 4,358
- Medium: 4,254
- Low: 466
- % Critical: 8.7%
- % with KEV: 0.4%
- % with exploit: 0.8%
Top products
- chrome 442
- firepower_threat_defense 298
- firepower_threat_defense_software 295
- gcp 229
- openclaw 166
- commerce 104
- commerce_b2b 89
- saml_sso_-_service_provider 77
Top packages
| CVE | Severity | CVSS | Risk | Published | Description | Flags | OS | Vendor |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-32345 | medium | 5.3 | 5.3 | 3mo ago | Missing Authorization vulnerability in raratheme Perfect Portfolio perfect-portfolio allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Perfect Portfolio: from… | |||
| CVE-2026-32332 | medium | 5.3 | 5.3 | 3mo ago | Missing Authorization vulnerability in Ays Pro Easy Form easy-form allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Easy Form: from n/a through <= 2.7.9. | |||
| CVE-2026-31916 | medium | 5.3 | 5.3 | 3mo ago | Missing Authorization vulnerability in Iulia Cazan Latest Post Shortcode latest-post-shortcode allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Latest Post S… | |||
| CVE-2026-31915 | medium | 5.3 | 5.3 | 3mo ago | Missing Authorization vulnerability in UX-themes Flatsome flatsome allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Flatsome: from n/a through <= 3.19.6. | |||
| CVE-2026-23943 | medium | 5.3 | 5.3 | 3mo ago | Improper Handling of Highly Compressed Data (Compression Bomb) vulnerability in Erlang OTP ssh (ssh_transport modules) allows Denial of Service via Resource Depletion. The SSH transport layer advert… | |||
| CVE-2026-4016 | medium | 5.3 | 5.3 | 3mo ago | A security vulnerability has been detected in GPAC 26.03-DEV. Affected by this vulnerability is the function svgin_process of the file src/filters/load_svg.c of the component SVG Parser. The manipula… | |||
| CVE-2026-4015 | medium | 5.3 | 5.3 | 3mo ago | A weakness has been identified in GPAC 26.03-DEV. Affected is the function txtin_process_texml of the file src/filters/load_text.c of the component TeXML File Parser. Executing a manipulation can lea… | |||
| CVE-2026-3994 | medium | 5.3 | 5.3 | 3mo ago | A vulnerability was detected in rui314 mold up to 2.40.4. This issue affects the function mold::ObjectFilemold::X86_64::initialize_sections of the file src/input-files.cc of the component Object File… | |||
| CVE-2026-3979 | medium | 5.3 | 5.3 | 3mo ago | A flaw has been found in quickjs-ng quickjs up to 0.12.1. This affects the function js_iterator_concat_return of the file quickjs.c. This manipulation causes use after free. The attack requires local… | |||
| CVE-2026-3964 | medium | 5.3 | 5.3 | 3mo ago | A weakness has been identified in OpenAkita up to 1.24.3. This impacts the function run of the file src/openakita/tools/shell.py of the component Chat API Endpoint. Executing a manipulation of the ar… | |||
| CVE-2026-3959 | medium | 5.3 | 5.3 | 3mo ago | A vulnerability was found in 0xKoda WireMCP up to 7f45f8b2b4adeb76be8c6227eefb38533fdd6b1e. Impacted is the function server.tool of the file index.js of the component Tshark CLI Command Handler. The … | |||
| CVE-2026-2742 | medium | 5.3 | 5.3 | 3mo ago | Vaadin Vulnerable to Authentication Bypass When Accessing the /VAADIN Endpoint Without a Trailing Slash | |||
| CVE-2026-3713 | medium | 5.3 | 5.3 | 3mo ago | A flaw has been found in pnggroup libpng up to 1.6.55. Affected by this vulnerability is the function do_pnm2png of the file contrib/pngminus/pnm2png.c of the component pnm2png. This manipulation of … | |||
| CVE-2026-3707 | medium | 5.3 | 5.3 | 3mo ago | A vulnerability was identified in MrNanko webp4j up to 1.3.x. The affected element is the function DecodeGifFromMemory of the file src/main/c/gif_decoder.c. Such manipulation of the argument canvas_h… | |||
| CVE-2026-3675 | medium | 5.3 | 5.3 | 3mo ago | A vulnerability was determined in Freedom Factory dGEN1 up to 20260221. Affected by this issue is the function FakeAppReceiver of the component org.ethosmobile.ethoslauncher. Executing a manipulation… | |||
| CVE-2026-3674 | medium | 5.3 | 5.3 | 3mo ago | A vulnerability was found in Freedom Factory dGEN1 up to 20260221. Affected by this vulnerability is the function FakeAppProvider of the component org.ethosmobile.ethoslauncher. Performing a manipula… | |||
| CVE-2026-3670 | medium | 5.3 | 5.3 | 3mo ago | A vulnerability was detected in Freedom Factory dGEN1 up to 20260221. Affected is an unknown function of the component com.dgen.alarm. Performing a manipulation results in improper authorization. The… | |||
| CVE-2026-3669 | medium | 5.3 | 5.3 | 3mo ago | A security vulnerability has been detected in Freedom Factory dGEN1 up to 20260221. This impacts the function AlarmService of the component com.dgen.alarm. Such manipulation leads to improper authori… | |||
| CVE-2026-3667 | medium | 5.3 | 5.3 | 3mo ago | A security flaw has been discovered in Freedom Factory dGEN1 up to 20260221. The impacted element is the function FakeAppService of the component org.ethosmobile.ethoslauncher. The manipulation resul… | |||
| CVE-2026-28132 | medium | 5.3 | 5.3 | 3mo ago | Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in villatheme WooCommerce Photo Reviews woocommerce-photo-reviews allows Code Injection. This issue affects … | |||
| CVE-2026-2896 | medium | 5.3 | 5.3 | 3mo ago | funadmin has Incorrect Privilege Assignment in its Configuration Handler | |||
| CVE-2026-2851 | medium | 5.3 | 5.3 | 3mo ago | A vulnerability was determined in yeqifu warehouse up to aaf29962ba407d22d991781de28796ee7b4670e4. This vulnerability affects the function addInport/updateInport/deleteInport of the file dataset\repo… | |||
| CVE-2026-27066 | medium | 5.3 | 5.3 | 3mo ago | Missing Authorization vulnerability in PI Web Solution Live sales notification for WooCommerce live-sales-notifications-for-woocommerce allows Exploiting Incorrectly Configured Access Control Securit… | |||
| CVE-2026-25370 | medium | 5.3 | 5.3 | 3mo ago | Missing Authorization vulnerability in AresIT WP Compress wp-compress-image-optimizer allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Compress: from n/a … | |||
| CVE-2026-25006 | medium | 5.3 | 5.3 | 3mo ago | Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in 8theme XStore xstore allows Code Injection. This issue affects XStore: from n/a through <= 9.6.4. | |||
| CVE-2026-23548 | medium | 5.3 | 5.3 | 3mo ago | Missing Authorization vulnerability in Designinvento DirectoryPress directorypress allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects DirectoryPress: from n/a … | |||
| CVE-2026-23543 | medium | 5.3 | 5.3 | 3mo ago | Missing Authorization vulnerability in WPDeveloper Essential Addons for Elementor essential-addons-for-elementor-lite allows Exploiting Incorrectly Configured Access Control Security Levels. This issu… | |||
| CVE-2026-2672 | medium | 5.3 | 5.3 | 3mo ago | A security flaw has been discovered in Tsinghua Unigroup Electronic Archives System 3.2.210802(62532). Affected by this vulnerability is the function Download of the file /Search/Subject/downLoad. Pe… | |||
| CVE-2026-22796 | medium | 5.3 | 5.3 | 4mo ago | Important: openssl security update | |||
| CVE-2026-24633 | medium | 5.3 | 5.3 | 4mo ago | Missing Authorization vulnerability in Passionate Brains Add Expires Headers & Optimized Minify add-expires-headers allows Exploiting Incorrectly Configured Access Control Security Levels. This issue … | |||
| CVE-2026-24619 | medium | 5.3 | 5.3 | 4mo ago | Missing Authorization vulnerability in PopCash PopCash.Net Code Integration Tool popcashnet-code-integration-tool allows Exploiting Incorrectly Configured Access Control Security Levels. This issue af… | |||
| CVE-2026-24615 | medium | 5.3 | 5.3 | 4mo ago | Missing Authorization vulnerability in themebeez Cream Magazine cream-magazine allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Cream Magazine: from n/a thro… | |||
| CVE-2026-24613 | medium | 5.3 | 5.3 | 4mo ago | Missing Authorization vulnerability in Ecwid by Lightspeed Ecommerce Shopping Cart Ecwid Shopping Cart ecwid-shopping-cart allows Exploiting Incorrectly Configured Access Control Security Levels. This… | |||
| CVE-2026-24612 | medium | 5.3 | 5.3 | 4mo ago | Missing Authorization vulnerability in themebeez Orchid Store orchid-store allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Orchid Store: from n/a through <=… | |||
| CVE-2026-24607 | medium | 5.3 | 5.3 | 4mo ago | Missing Authorization vulnerability in wptravelengine Travel Monster travel-monster allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Travel Monster: from n/a… | |||
| CVE-2026-24606 | medium | 5.3 | 5.3 | 4mo ago | Missing Authorization vulnerability in Web Impian Bayarcash WooCommerce bayarcash-wc allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Bayarcash WooCommerce: … | |||
| CVE-2026-24604 | medium | 5.3 | 5.3 | 4mo ago | Missing Authorization vulnerability in themebeez Simple GDPR Cookie Compliance simple-gdpr-cookie-compliance allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects… | |||
| CVE-2026-24603 | medium | 5.3 | 5.3 | 4mo ago | Missing Authorization vulnerability in themebeez Universal Google Adsense and Ads manager universal-google-adsense-and-ads-manager allows Exploiting Incorrectly Configured Access Control Security Lev… | |||
| CVE-2026-24583 | medium | 5.3 | 5.3 | 4mo ago | Missing Authorization vulnerability in sumup SumUp Payment Gateway For WooCommerce sumup-payment-gateway-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This i… | |||
| CVE-2026-24577 | medium | 5.3 | 5.3 | 4mo ago | Missing Authorization vulnerability in Genetech Products Pie Register pie-register allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Pie Register: from n/a th… | |||
| CVE-2026-24568 | medium | 5.3 | 5.3 | 4mo ago | Missing Authorization vulnerability in WP Travel WP Travel wp-travel allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Travel: from n/a through <= 11.1.0. | |||
| CVE-2026-24562 | medium | 5.3 | 5.3 | 4mo ago | Missing Authorization vulnerability in Ryviu Ryviu – Product Reviews for WooCommerce ryviu allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Ryviu – Product R… | |||
| CVE-2026-24559 | medium | 5.3 | 5.3 | 4mo ago | Insertion of Sensitive Information Into Sent Data vulnerability in CRM Perks Integration for Contact Form 7 HubSpot cf7-hubspot allows Retrieve Embedded Sensitive Data. This issue affects Integration … | |||
| CVE-2026-24556 | medium | 5.3 | 5.3 | 4mo ago | Missing Authorization vulnerability in wpdive ElementCamp element-camp allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects ElementCamp: from n/a through <= 2.3.… | |||
| CVE-2026-24539 | medium | 5.3 | 5.3 | 4mo ago | Missing Authorization vulnerability in ABCdatos Protección de datos – RGPD proteccion-datos-rgpd allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Protección … | |||
| CVE-2026-24536 | medium | 5.3 | 5.3 | 4mo ago | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in webpushr Webpushr webpushr-web-push-notifications allows Retrieve Embedded Sensitive Data. This issue affect… | |||
| CVE-2026-24530 | medium | 5.3 | 5.3 | 4mo ago | Missing Authorization vulnerability in sheepfish WebP Conversion webp-conversion allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WebP Conversion: from n/a t… | |||
| CVE-2026-24525 | medium | 5.3 | 5.3 | 4mo ago | Missing Authorization vulnerability in CloudPanel CLP Varnish Cache clp-varnish-cache allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects CLP Varnish Cache: fro… | |||
| CVE-2026-24523 | medium | 5.3 | 5.3 | 4mo ago | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Marcus (aka @msykes) WP FullCalendar wp-fullcalendar allows Retrieve Embedded Sensitive Data. This issue aff… | |||
| CVE-2026-24380 | medium | 5.3 | 5.3 | 4mo ago | Missing Authorization vulnerability in Metagauss EventPrime eventprime-event-calendar-management allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects EventPrime:… | |||
| CVE-2026-24368 | medium | 5.3 | 5.3 | 4mo ago | Missing Authorization vulnerability in Theme-one The Grid the-grid allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects The Grid: from n/a through < 2.8.0. | |||
| CVE-2026-24366 | medium | 5.3 | 5.3 | 4mo ago | Missing Authorization vulnerability in YITHEMES YITH WooCommerce Request A Quote yith-woocommerce-request-a-quote allows Exploiting Incorrectly Configured Access Control Security Levels. This issue af… | |||
| CVE-2026-23974 | medium | 5.3 | 5.3 | 4mo ago | Missing Authorization vulnerability in uxper Golo golo allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Golo: from n/a through < 1.7.5. | |||
| CVE-2026-22469 | medium | 5.3 | 5.3 | 4mo ago | Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in mwtemplates DeepDigital deepdigital allows Code Injection. This issue affects DeepDigital: from n/a throu… | |||
| CVE-2026-22447 | medium | 5.3 | 5.3 | 4mo ago | Missing Authorization vulnerability in Select-Themes Prowess prowess allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Prowess: from n/a through <= 1.8.1. | |||
| CVE-2026-22445 | medium | 5.3 | 5.3 | 4mo ago | Missing Authorization vulnerability in Proptech Plugin Apimo Connector apimo allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Apimo Connector: from n/a throu… | |||
| CVE-2026-22348 | medium | 5.3 | 5.3 | 4mo ago | Missing Authorization vulnerability in Tasos Fel Civic Cookie Control civic-cookie-control-8 allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Civic Cookie Co… | |||
| CVE-2026-1196 | medium | 5.3 | 5.3 | 4mo ago | MineAdmin May Expose Sensitive Information to an Unauthorized Actor | |||
| CVE-2026-22486 | medium | 5.3 | 5.3 | 5mo ago | Missing Authorization vulnerability in Re Gallery allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Re Gallery: from n/a through 1.18.9. | |||
| CVE-2026-40001 | medium | 5.2 | 5.2 | 26d ago | There is a local privilege escalation vulnerability in the ZTE PROCESS Guard service of the cloud computer client, which may allow local arbitrary code execution, privilege escalation and path traver… | |||
| CVE-2026-42077 | medium | 5.2 | 5.2 | 28d ago | Evolver has Prototype Pollution via `Object.assign()` in its mailbox store operations | |||
| CVE-2026-41662 | medium | 5.2 | 5.2 | 1mo ago | Admidio Missing Minimum Administrator Check in Role Membership Removal | |||
| CVE-2026-35244 | medium | 5.2 | 5.2 | 1mo ago | Vulnerability in the Oracle Hyperion Infrastructure Technology product of Oracle Hyperion (component: Lifecycle Management). The supported version that is affected is 11.2.24.0.000. Easily exploita… | |||
| CVE-2026-32591 | medium | 5.2 | 5.2 | 2mo ago | A flaw was found in Red Hat Quay's Proxy Cache configuration feature. When an organization administrator configures an upstream registry for proxy caching, Quay makes a network connection to the spec… | |||
| CVE-2026-3503 | medium | 5.2 | 5.2 | 2mo ago | Protection mechanism failure in wolfCrypt post-quantum implementations (ML-KEM and ML-DSA) in wolfSSL on ARM Cortex-M microcontrollers allows a physical attacker to compromise key material and/or cry… | |||
| CVE-2026-47271 | medium | 5.1 | 5.1 | 5d ago | pam_usb provides hardware authentication for Linux using ordinary removable media. Prior to 0.9.0, src/mem.c implemented out-of-memory guards for xmalloc(), xrealloc(), and xstrdup() using assert(dat… | |||
| CVE-2026-2607 | medium | 5.1 | 5.1 | 5d ago | IBM MQ Operator SC2: v3.2.0 through 3.2.23; CD: v3.3.0, v3.4.0, v3.4.1, v3.5.0, v3.5.1 - v3.5.3, v3.6.0 - v3.6.4, v3.7.0 - v3.7.2, v3.8.0, v3.8.1, v3.9.0, v3.9.1; LTS: v2.0.0 - 2.0.29 and IBM supplied M… | |||
| CVE-2026-8672 | medium | 5.1 | 5.1 | 10d ago | Use of default password vulnerability in syslink software AG Avantra on Linux, Windows allows Try Common or Default Usernames and Passwords. This issue affects Avantra: before 25.3.0. | |||
| CVE-2026-5091 | medium | 5.1 | 5.1 | 11d ago | Catalyst::Plugin::Authentication versions through 0.10024 for Perl is susceptible to timing attacks. These versions use Perl's built-in eq comparison. Discrepancies in timing could be used to guess… | |||
| CVE-2026-23868 | medium | 5.1 | 5.1 | 14d ago | Giflib contains a double-free vulnerability that is the result of a shallow copy in GifMakeSavedImage and incorrect error handling. The conditions needed to trigger this vulnerability are difficult b… | |||
| CVE-2026-42371 | medium | 5.1 | 5.1 | 1mo ago | uriparser before 1.0.1 has numeric truncation in text range comparison, if an application accepts URIs with a length in gigabytes. | |||
| CVE-2026-40337 | medium | 5.1 | 5.1 | 2mo ago | The Sentry kernel is a high security level micro-kernel implementation made for high security embedded systems. A given task with one of the DEV or IO capability is able to interact with another task… | |||
| CVE-2026-6654 | medium | 5.1 | 5.1 | 2mo ago | Double-Free / Use-After-Free (UAF) in the `IntoIter::drop` and `ThinVec::clear` functions in the thin_vec crate. A panic in `ptr::drop_in_place` skips setting the length to zero. | |||
| CVE-2026-10275 | medium | 5.0 | 5.0 | 26 min ago | A flaw has been found in OpenSC up to 0.26.1. This affects the function test_kpgen_certwrite of the file src/tools/pkcs11-tool.c of the component pkcs11-tool Key Generation Module. This manipulation … | |||
| CVE-2026-10533 | medium | 5.0 | 5.0 | 2h ago | A flaw was found in OpenShift Container Platform. Completed pods with restartPolicy: Never do not count toward ResourceQuota pod limits, and Kubernetes events are not quota-scoped. A non-privileged u… | |||
| CVE-2026-6892 | medium | 5.0 | 5.0 | 4d ago | Improper handling of symbolic links in the installer of CUPS Printer Driver for macOS(*) may allow a local attacker with login privileges to exploit a specially crafted symbolic link during installat… | |||
| CVE-2026-6891 | medium | 5.0 | 5.0 | 4d ago | Improper handling of symbolic links in the installer of My Image Garden for macOS Version 3.6.8 or earlier may allow a local attacker with login privileges to exploit a specially crafted symbolic lin… | |||
| CVE-2026-9980 | medium | 5.0 | 5.0 | 4d ago | Insufficient validation of untrusted input in Printing in Google Chrome prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a craft… | |||
| CVE-2026-9979 | medium | 5.0 | 5.0 | 4d ago | Insufficient validation of untrusted input in Input in Google Chrome prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted … | |||
| CVE-2026-9942 | medium | 5.0 | 5.0 | 4d ago | Uninitialized Use in ANGLE in Google Chrome prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. (Chromium secu… | |||
| CVE-2026-9903 | medium | 5.0 | 5.0 | 4d ago | Insufficient validation of untrusted input in Site Isolation in Google Chrome prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a… | |||
| CVE-2026-10010 | medium | 5.0 | 5.0 | 4d ago | Inappropriate implementation in Input in Google Chrome on Android prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTM… | |||
| CVE-2026-46526 | medium | 5.0 | 5.0 | 4d ago | Local Deep Research is an AI-powered research assistant for deep, iterative research. Prior to 1.6.10, the URL checking logic in local-deep-research has a logical flaw that could be bypassed by attac… | |||
| CVE-2026-44972 | medium | 5.0 | 5.0 | 5d ago | GuardDog is a CLI tool to identify malicious PyPI packages. From 2.6.0 to 2.9.0, GuardDog includes attacker-controlled filenames, file locations, messages, and code snippets in its default human-read… | |||
| CVE-2026-41704 | medium | 5.0 | 5.0 | 5d ago | AgentClient#handle_method (lines 264-303) processes every NATS reply. It calls inject_compile_log (line 273) on every response, which reads response['value']['result']['compile_log_id'] (line 332-338… | |||
| CVE-2026-9568 | medium | 5.0 | 5.0 | 6d ago | A weakness has been identified in ThingsBoard up to 4.3.1.1. Affected by this vulnerability is the function getGatewayDockerComposeFile of the file /api/v1/provision of the component YAML Handler. Th… | |||
| CVE-2026-9304 | medium | 5.0 | 5.0 | 9d ago | A security flaw has been discovered in calcom cal.diy up to 4.9.4. The affected element is the function validateUrlForSSRF of the file apps/web/app/api/logo/route.ts of the component Logo API. The ma… | |||
| CVE-2026-9245 | medium | 5.0 | 5.0 | 10d ago | Improper input validation in the external authentication provider flow in Devolutions Server allows an unauthenticated remote attacker to redirect victims to an attacker-controlled domain via a craft… | |||
| CVE-2026-46561 | medium | 5.0 | 5.0 | 11d ago | pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, the PREREQFUNCTION-based private IP check was not applied to HTTPRequest (used by the parse_urls API). An… | |||
| CVE-2026-44073 | medium | 5.0 | 5.0 | 11d ago | Authentication modules in Netatalk 1.5.0 through 4.4.2 fail to check the return value of seteuid(), which may allow a remote authenticated attacker to retain elevated privileges under error condition… | |||
| CVE-2026-45443 | medium | 5.0 | 5.0 | 12d ago | Missing Authorization vulnerability in ADD-ONS.ORG PDF for Elementor Forms + Drag And Drop Template Builder allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affect… | |||
| CVE-2026-33234 | medium | 5.0 | 5.0 | 14d ago | AutoGPT is a workflow automation platform for creating, deploying, and managing continuous artificial intelligence agents. In versions 0.1.0 through 0.6.51, SendEmailBlock in autogpt_platform/backen… | |||
| CVE-2026-6333 | medium | 5.0 | 5.0 | 14d ago | Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13 fail to validate the Host header when constructing response URLs for custom slash commands which allows an authenticated attacker to redirect… | |||
| CVE-2026-44550 | medium | 5.0 | 5.0 | 17d ago | Open WebUI's Mass Assignment via Pydantic extra='allow' Allows Creating Folders in Other Users' Accounts | |||
| CVE-2026-41051 | medium | 5.0 | 5.0 | 19d ago | csync2 uses insecure temporary directories when compiled with C99 or later, allowing for TOCTOU style attacks on the temporary directories. | |||
| CVE-2026-41195 | medium | 5.0 | 5.0 | 20d ago | mosparo is the modern solution to protect your online forms from spam. Prior to 1.4.13, the automatic rule package source URL feature allows a project member with the editor role to store an attacker… | |||
| CVE-2026-41610 | medium | 5.0 | 5.0 | 20d ago | Improper neutralization of input during web page generation ('cross-site scripting') in Visual Studio Code allows an unauthorized attacker to bypass a security feature locally. | |||
| CVE-2026-43979 | medium | 5.0 | 5.0 | 21d ago | Local Deep Research is an AI-powered research assistant for deep, iterative research. Prior to 1.6.0, PDFService._markdown_to_html() constructs an HTML document by interpolating user-controlled value… | |||
| CVE-2026-45003 | medium | 5.0 | 5.0 | 21d ago | OpenClaw: Workspace dotenv files cannot override connector endpoint hosts | |||
| CVE-2026-45000 | medium | 5.0 | 5.0 | 21d ago | OpenClaw before 2026.4.20 contains a server-side request forgery vulnerability in browser CDP profile creation that skips strict-mode SSRF policy checks. Attackers can create stored profiles pointing… |