CVEs from 2026
- Total: 13,634
- Critical: 1,192
- High: 4,364
- Medium: 4,266
- Low: 466
- % Critical: 8.7%
- % with KEV: 0.4%
- % with exploit: 0.8%
Top products
- chrome 503
- firepower_threat_defense 298
- firepower_threat_defense_software 295
- gcp 229
- openclaw 172
- commerce 104
- commerce_b2b 89
- saml_sso_-_service_provider 77
| CVE | Severity | CVSS | Risk | Published | Description | Flags | OS | Vendor |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-8943 | medium | 4.3 | 4.3 | 6d ago | The GoStats for WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4. This is due to missing or incorrect nonce validation on the gosta… | |||
| CVE-2026-8941 | medium | 4.3 | 4.3 | 6d ago | The CDN Linker lite plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.3.1. This is due to missing or incorrect nonce validation on the ossdl_off_opt… | |||
| CVE-2026-8938 | medium | 4.3 | 4.3 | 6d ago | The auto making JSON-LD plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.5.3. This is due to missing or incorrect nonce validation on the amJL_… | |||
| CVE-2026-8939 | medium | 4.3 | 4.3 | 6d ago | The Search Simple Fields plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 0.2. This is due to missing or incorrect nonce validation on the search_sim… | |||
| CVE-2026-9236 | medium | 4.3 | 4.3 | 6d ago | The CM Ad Changer – A simple tool to control and optimize your site's banners plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.7. This is due… | |||
| CVE-2026-2255 | medium | 4.3 | 4.3 | 6d ago | Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.6 and 11.0.0.0, including 9.3.x and 8.3.x, expose Hadoop cluster credentials in plain text through the Cluster Test API. Al… | |||
| CVE-2026-9604 | medium | 4.3 | 4.3 | 6d ago | A vulnerability was detected in JeecgBoot up to 3.9.1. This vulnerability affects unknown code of the component AiragModelController. The manipulation of the argument list/queryById results in improp… | |||
| CVE-2026-9583 | medium | 4.3 | 4.3 | 6d ago | A weakness has been identified in SourceCodester CET Automated Grading System with AI Predictive Analytics 1.0. This impacts an unknown function of the file /index.php of the component SQL Handler. E… | |||
| CVE-2026-9582 | medium | 4.3 | 4.3 | 6d ago | A security flaw has been discovered in SourceCodester CET Automated Grading System with AI Predictive Analytics 1.0. This affects an unknown function. Performing a manipulation results in cross-site … | |||
| CVE-2026-24520 | medium | 4.3 | 4.3 | 6d ago | Missing Authorization vulnerability in bPlugins Tiktok Feed allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Tiktok Feed: from n/a through 1.0.24. | |||
| CVE-2026-25444 | medium | 4.3 | 4.3 | 6d ago | Missing Authorization vulnerability in Magepeople inc. WpBookingly allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WpBookingly: from n/a through 1.2.9. | |||
| CVE-2026-44749 | medium | 4.3 | 4.3 | 6d ago | The SAP Gateway allows attackers to inject content into error messages, potentially leading to disclosure of request artefacts (e.g., regex patterns) and revealing underlying URI parsing logic. Leadi… | |||
| CVE-2026-47728 | medium | 4.3 | 4.3 | 6d ago | Bugsink is a self-hosted error tracking tool. Prior to 2.2.0, Bugsink resolved sourcemaps and debug files by debug ID without scoping that lookup to the project that owned the uploaded metadata. An a… | |||
| CVE-2026-46431 | medium | 4.3 | 4.3 | 6d ago | Algernon: Auto-refresh SSE event server sets Access-Control-Allow-Origin: * | |||
| CVE-2026-46430 | medium | 4.3 | 4.3 | 6d ago | Algernon: Auto-refresh SSE event server binds to all interfaces by default on Linux/macOS | |||
| CVE-2026-44314 | medium | 4.3 | 4.3 | 6d ago | Traccar is an open source GPS tracking system. Prior to 6.13.0, DeviceResource.uploadImage authorizes the target device only through Condition.Permission(User.class, getUserId(), Device.class) and th… | |||
| CVE-2026-9566 | medium | 4.3 | 4.3 | 6d ago | A vulnerability was identified in teableio teable up to 1.9.x. This impacts an unknown function of the file apps/nextjs-app/src/features/auth/pages/LoginPage.tsx of the component Sign-up. The manipul… | |||
| CVE-2026-35220 | medium | 4.3 | 4.3 | 6d ago | Lack of CSRF token validation lead to a CSRF attack vector in the admin activation endpoint of com_users. | |||
| CVE-2026-48900 | medium | 4.3 | 4.3 | 6d ago | An improper access check allowed low privileged users to edit the task types of existing scheduler tasks. | |||
| CVE-2026-43936 | medium | 4.3 | 4.3 | 6d ago | e107 is a content management system (CMS). Prior to 2.3.4, you can access the local environment by specifying the URL of the local environment from "Image/File URL:" of "From a remote location" in "M… | |||
| CVE-2026-38587 | medium | 4.3 | 4.3 | 6d ago | An Insecure Direct Object Reference (IDOR) vulnerability was discovered in ONLYOFFICE DocSpace before 3.2.1. The flaw exists in multiple REST API endpoints. This allows authenticated users with low-l… | |||
| CVE-2026-44502 | medium | 4.3 | 4.3 | 6d ago | Bugsink has an SSRF bypass in `validate_webhook_url` | |||
| CVE-2026-24638 | medium | 4.3 | 4.3 | 6d ago | Missing Authorization vulnerability in Webful Creations RepairBuddy allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects RepairBuddy: from n/a through 4.1121. | |||
| CVE-2026-9527 | medium | 4.3 | 4.3 | 7d ago | A vulnerability was determined in itsourcecode Electronic Judging System 1.0. This issue affects some unknown processing of the file /admin/judges.php. This manipulation of the argument fname causes … | |||
| CVE-2026-9520 | medium | 4.3 | 4.3 | 7d ago | A weakness has been identified in blitz-js blitz up to 3.0.2 on GitHub. This impacts an unknown function of the file packages/generator/templates/app/src/app/auth/components/LoginForm.tsx of the comp… | |||
| CVE-2026-9519 | medium | 4.3 | 4.3 | 7d ago | A security flaw has been discovered in stonith404 pingvin-share up to 1.13.0. This affects the function getServerSideProps of the file frontend/src/pages/auth/signIn.tsx of the component Sign-in Auto… | |||
| CVE-2026-9518 | medium | 4.3 | 4.3 | 7d ago | A vulnerability was identified in hemant6488 CodeIgniter-StudentManagementSystem. The impacted element is the function addStudent of the file view_students.php of the component Students Controller. T… | |||
| CVE-2026-36239 | medium | 4.3 | 4.3 | 7d ago | PbootCMS v.3.2.11 contains a code injection vulnerability in its site configuration functionality | |||
| CVE-2026-24582 | medium | 4.3 | 4.3 | 7d ago | Missing Authorization vulnerability in WPPOOL FlexTable allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects FlexTable: from n/a through 3.24.0. | |||
| CVE-2026-24554 | medium | 4.3 | 4.3 | 7d ago | Cross-Site Request Forgery (CSRF) vulnerability in Convers Lab WPSubscription allows Cross Site Request Forgery. This issue affects WPSubscription: from n/a through 1.9.1. | |||
| CVE-2026-24527 | medium | 4.3 | 4.3 | 7d ago | Missing Authorization vulnerability in Patterns in the cloud Autoship Cloud for WooCommerce Subscription Products allows Exploiting Incorrectly Configured Access Control Security Levels. This issue … | |||
| CVE-2026-24597 | medium | 4.3 | 4.3 | 7d ago | Cross-Site Request Forgery (CSRF) vulnerability in WpDevArt Organization chart allows Cross Site Request Forgery. This issue affects Organization chart: from n/a through 1.7.5. | |||
| CVE-2026-24545 | medium | 4.3 | 4.3 | 7d ago | Missing Authorization vulnerability in Nikki Blight QR Redirector allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects QR Redirector: from n/a through 2.0.3. | |||
| CVE-2026-9486 | medium | 4.3 | 4.3 | 7d ago | A security flaw has been discovered in SourceCodester Student Grades Management System 1.0. This affects an unknown part. The manipulation results in cross-site request forgery. The attack can be exe… | |||
| CVE-2026-9467 | medium | 4.3 | 4.3 | 7d ago | A vulnerability was identified in debugmcp mcp-debugger up to 0.20.0. Impacted is the function handleGetSourceContext of the file src/server.ts. The manipulation leads to path traversal. The attack i… | |||
| CVE-2026-9448 | medium | 4.3 | 4.3 | 7d ago | A vulnerability was determined in code-projects Employee Management System 1.0. This affects an unknown function of the file /applyleave.php. Executing a manipulation of the argument ID can lead to c… | |||
| CVE-2026-9419 | medium | 4.3 | 4.3 | 8d ago | A vulnerability has been found in code-projects Employee Management System 1.0. Affected by this issue is some unknown functionality of the file /empproject.php. The manipulation of the argument ID l… | |||
| CVE-2026-9418 | medium | 4.3 | 4.3 | 8d ago | A flaw has been found in code-projects Employee Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /changepassemp.php. Executing a manipulation of the argum… | |||
| CVE-2026-9417 | medium | 4.3 | 4.3 | 8d ago | A vulnerability was detected in code-projects Employee Management System 1.0. Affected is an unknown function of the file /myprofileup.php. Performing a manipulation of the argument ID results in cro… | |||
| CVE-2026-9416 | medium | 4.3 | 4.3 | 8d ago | A security vulnerability has been detected in code-projects Employee Management System 1.0. This impacts an unknown function of the file /myprofile.php. Such manipulation of the argument ID leads to … | |||
| CVE-2026-9415 | medium | 4.3 | 4.3 | 8d ago | A weakness has been identified in code-projects Employee Management System 1.0. This affects an unknown function of the file /eloginwel.php. This manipulation of the argument ID causes cross site scr… | |||
| CVE-2026-9413 | medium | 4.3 | 4.3 | 8d ago | A vulnerability was identified in SourceCodester Indian Invoicing System 1.0. The affected element is an unknown function of the file /Invoicing/category.php. The manipulation of the argument msg lea… | |||
| CVE-2026-9410 | medium | 4.3 | 4.3 | 8d ago | A vulnerability has been found in Sushmi-pal Invoice-System up to a0a3faa16dee2621b231ae227333f5761607283b. This vulnerability affects unknown code of the file /profile of the component Profile Workf… | |||
| CVE-2026-9409 | medium | 4.3 | 4.3 | 8d ago | A flaw has been found in Sushmi-pal Invoice-System up to a0a3faa16dee2621b231ae227333f5761607283b. This affects an unknown part of the file /user of the component User Management Handler. This manipu… | |||
| CVE-2026-9358 | medium | 4.3 | 4.3 | 9d ago | A vulnerability was determined in postcss up to 7.1.1. Affected is the function toString of the file src/selectors/container.js of the component AST Serialization. Executing a manipulation can lead t… | |||
| CVE-2026-9303 | medium | 4.3 | 4.3 | 9d ago | A vulnerability was identified in calcom cal.diy up to 4.9.4. Impacted is an unknown function. The manipulation leads to cross-site request forgery. It is possible to initiate the attack remotely. Th… | |||
| CVE-2026-40864 | medium | 4.3 | 4.3 | 10d ago | JupyterHub is software that allows users to create a multi-user server for Jupyter notebooks. In versions 4.1.0 through 5.4.4, XSRF protection (updated in 4.1.0) inappropriately treated requests with… | |||
| CVE-2026-9246 | medium | 4.3 | 4.3 | 10d ago | Improper access control in the entry documentation and attachment features in Devolutions Server allows an authenticated user with vault read access to retrieve the documentation and attachments of s… | |||
| CVE-2026-9224 | medium | 4.3 | 4.3 | 10d ago | Missing authorization in the user profile update feature in Devolutions Server allows an authenticated Active Directory user to modify their own profile attributes via a crafted API request. This is… | |||
| CVE-2026-9223 | medium | 4.3 | 4.3 | 10d ago | Missing authorization in the vault import feature in Devolutions Server 2026.1.16.0 and earlier allows a low-privileged authenticated user to create new vaults via a crafted import request. | |||
| CVE-2026-5171 | medium | 4.3 | 4.3 | 10d ago | Improper access control in the entry activity log feature in Devolutions Server allows an authenticated user with access to an entry but without the required permission to retrieve that entry's activ… | |||
| CVE-2026-8347 | medium | 4.3 | 4.3 | 10d ago | Concrete CMS 9.5.0 and below is vulnerable to IDOR + wrong-authorization-level in the Express association Reorder dialog. This can cause Cross-entity state tampering with view-only permission on one… | |||
| CVE-2026-8340 | medium | 4.3 | 4.3 | 10d ago | Concrete CMS 9.5.0 and below is vulnerable to CSRF via Backend\File::approveVersion. Victim with edit_file_contents permission is CSRF'd into publishing an attacker-chosen previously-uploaded version… | |||
| CVE-2026-4646 | medium | 4.3 | 4.3 | 10d ago | Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to validate user-supplied input in API request handlers which allows an authenticated attacker to cr… | |||
| CVE-2026-3636 | medium | 4.3 | 4.3 | 10d ago | Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to sanitize team member data when returned via API to users without elevated permissions which allow… | |||
| CVE-2026-8692 | medium | 4.3 | 4.3 | 10d ago | The Vedrixa Forms – User Registration Form, Signup Form & Drag & Drop Form Builder plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.1.1. This is due … | |||
| CVE-2026-7636 | medium | 4.3 | 4.3 | 10d ago | The Slider by Soliloquy – Responsive Image Slider for WordPress plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.8.1 via the map_meta_cap. … | |||
| CVE-2026-7615 | medium | 4.3 | 4.3 | 10d ago | The Widget Context plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.3. This is due to missing or incorrect nonce validation on the save_widge… | |||
| CVE-2026-7249 | medium | 4.3 | 4.3 | 11d ago | The Location Weather plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on the `splw_update_block_options()` and `lwp_clean_weather_transients()`… | |||
| CVE-2026-4070 | medium | 4.3 | 4.3 | 11d ago | The Alfie – Feed Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.1. This is due to missing nonce validation on the alfie_manage() fun… | |||
| CVE-2026-2518 | medium | 4.3 | 4.3 | 11d ago | The FastX theme for WordPress is vulnerable to unauthorized limited plugin installation and activation due to missing capability checks on the 'ultp_install_callback' and 'ultp_activate_callback' fun… | |||
| CVE-2026-8327 | medium | 4.3 | 4.3 | 11d ago | Concrete CMS 9.5.0 and below is vulnerable to password change without reauthorization and session-hardening bypass. The user-profile edit controller passes the entire raw POST array to UserInfo… | |||
| CVE-2026-8236 | medium | 4.3 | 4.3 | 11d ago | Concrete CMS 9.5.0 and below is vulnerable to IDOR combined with a missing authentication gate. The endpoint /ccm/system/dialogs/file/usage/{fID} accepts an integer file ID in the URL and returns int… | |||
| CVE-2026-7886 | medium | 4.3 | 4.3 | 11d ago | Concrete CMS 9.5.0 and below is vulnerable to IDOR in AddMessage/UpdateMessage via attachments[] parameter which can lead to file permission bypass. The `AddMessage` and `UpdateMessage` conversation … | |||
| CVE-2026-7882 | medium | 4.3 | 4.3 | 11d ago | Concrete CMS 9.5.0 and below is vulnerable to unauthorized file deletion due to an Inverted CSRF token check in the DeleteFile controller. The code throws an error when the token IS valid and procee… | |||
| CVE-2026-7881 | medium | 4.3 | 4.3 | 11d ago | Concrete CMS 9.5.0 and below is subject to Insecure Direct Object Reference (IDOR) in the Express Entry Detail block via the exEntryID parameter. This IDOR leads to unauthorized access to all Express… | |||
| CVE-2026-4843 | medium | 4.3 | 4.3 | 11d ago | The GSheet For Woo Importer plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the process_ajax_restore_action() function in all versions up to, and … | |||
| CVE-2026-27349 | medium | 4.3 | 4.3 | 11d ago | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in WPFunnels Team Mail Mint allows Retrieve Embedded Sensitive Data. This issue affects Mail Mint: from n/a t… | |||
| CVE-2026-4055 | medium | 4.3 | 4.3 | 11d ago | Mattermost versions 11.5.x <= 11.5.1 fail to validate team-level run_create permission against the target team when creating a playbook run which allows an authenticated team member to create runs in… | |||
| CVE-2026-1881 | medium | 4.3 | 4.3 | 12d ago | The Broadstreet plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.52.2 via the get_sponsored_meta AJAX action due to missing validation on… | |||
| CVE-2026-40094 | medium | 4.3 | 4.3 | 12d ago | nimiq-blockchain provides persistent block storage for Nimiq's Rust implementation. In versions 1.3.0 and prior, network-libp2p discovery accepts signed PeerContact updates from untrusted peers and s… | |||
| CVE-2026-9116 | medium | 4.3 | 4.3 | 12d ago | Insufficient policy enforcement in ServiceWorker in Google Chrome prior to 148.0.7778.179 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: … | |||
| CVE-2026-9115 | medium | 4.3 | 4.3 | 12d ago | Insufficient policy enforcement in Service Worker in Google Chrome prior to 148.0.7778.179 allowed a remote attacker to bypass same origin policy via a crafted HTML page. (Chromium security severi… | |||
| CVE-2026-9113 | medium | 4.3 | 4.3 | 12d ago | Out of bounds read in GPU in Google Chrome on Mac prior to 148.0.7778.179 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. (Chromium security severity: High) | |||
| CVE-2026-9101 | medium | 4.3 | 4.3 | 12d ago | Prototype pollution in csv parsing logic during import can lead to untrusted file paths (but not arguments) entering shell.openExternal after specific user behavior leading to "1-click" command execu… | |||
| CVE-2026-27424 | medium | 4.3 | 4.3 | 12d ago | Missing Authorization vulnerability in WP Chill Image Photo Gallery Final Tiles Grid allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Image Photo Gallery F… | |||
| CVE-2026-6405 | medium | 4.3 | 4.3 | 12d ago | The Anomify AI – Anomaly Detection and Alerting plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) leading to Stored Cross-Site Scripting (XSS) in versions up to and including 0.… | |||
| CVE-2026-6566 | medium | 4.3 | 4.3 | 13d ago | The Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to and including 4.2.0. This is due to insuffic… | |||
| CVE-2026-44392 | medium | 4.3 | 4.3 | 13d ago | Missing authorization vulnerability exists in Movable Type. Under certain conditions, when a user without administrator privileges signs in to the product, unintended update processing may be execute… | |||
| CVE-2026-5075 | medium | 4.3 | 4.3 | 13d ago | The All in One SEO plugin for WordPress is vulnerable to Sensitive Information Exposure via 'internalOptions' localized script data in versions up to, and including, 4.9.7 due to sensitive internal o… | |||
| CVE-2026-8610 | medium | 4.3 | 4.3 | 13d ago | The TypeSquare Webfonts for ConoHa plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.0.4. This is due to the plugin not properly verifying that a user… | |||
| CVE-2026-8424 | medium | 4.3 | 4.3 | 13d ago | The Remove Yellow BGBOX plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation on the 'rybb_a… | |||
| CVE-2026-8423 | medium | 4.3 | 4.3 | 13d ago | The JaviBola Custom Theme Test plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.5. This is due to missing or incorrect nonce validation on th… | |||
| CVE-2026-8419 | medium | 4.3 | 4.3 | 13d ago | The Amazon Scraper plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1. This is due to missing or incorrect nonce validation on a function. This… | |||
| CVE-2026-8418 | medium | 4.3 | 4.3 | 13d ago | The Games Catalog plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.2.0. This is due to missing or incorrect nonce validation on the gc_crud() funct… | |||
| CVE-2026-6452 | medium | 4.3 | 4.3 | 13d ago | The Bigfishgames Syndicate plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2. This is due to missing or incorrect nonce validation on the bigf… | |||
| CVE-2026-6401 | medium | 4.3 | 4.3 | 13d ago | The Bottom Bar plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 0.1.7. This is due to missing nonce verification on the plugin's settings update fo… | |||
| CVE-2026-6400 | medium | 4.3 | 4.3 | 13d ago | The Child Height Predictor by Ostheimer plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 1.3. This is due to missing nonce verification in the opti… | |||
| CVE-2026-45442 | medium | 4.3 | 4.3 | 13d ago | Missing Authorization vulnerability in Brainstorm Force Presto Player allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Presto Player: from n/a through 4.1.… | |||
| CVE-2026-37981 | medium | 4.3 | 4.3 | 13d ago | A flaw was found in Keycloak. A broken access control vulnerability in the Account Resources user lookup endpoint allows a remote authenticated user, who owns at least one User-Managed Access (UMA) r… | |||
| CVE-2026-8830 | medium | 4.3 | 4.3 | 14d ago | A flaw was found in Keycloak. An authenticated user can bypass configured WebAuthn policies during credential registration by manipulating client-side JavaScript. This occurs because the server-side … | |||
| CVE-2026-33514 | medium | 4.3 | 4.3 | 14d ago | Discourse is an open-source discussion platform. In versions prior to 2026.1.4, 2026.3.1, 2026.4.1 and 2026.5.0-latest.1, an authenticated user on a Discourse instance with the form templates feature… | |||
| CVE-2026-32312 | medium | 4.3 | 4.3 | 14d ago | GLPI is a free asset and IT management software package. In versions 11.0.0 through 11.0.6, an authenticated user with forms READ permission can export the structure of unauthorized forms. This issue… | |||
| CVE-2026-8802 | medium | 4.3 | 4.3 | 14d ago | A vulnerability was detected in opensourcepos Open Source Point of Sale up to 3.4.2. This issue affects the function getPicThumb of the file app/Controllers/Items.php. The manipulation of the argumen… | |||
| CVE-2026-6343 | medium | 4.3 | 4.3 | 14d ago | Mattermost doesn't check public/private permissions | |||
| CVE-2026-6339 | medium | 4.3 | 4.3 | 14d ago | Mattermost doesn't validate the X-Requested-With header on the burn-on-read reveal endpoint | |||
| CVE-2026-4286 | medium | 4.3 | 4.3 | 14d ago | Mattermost doesn't check if {{team_id}} was being changed when updating playbooks | |||
| CVE-2026-28732 | medium | 4.3 | 4.3 | 14d ago | Mattermost doesn't enforce slash command trigger-word uniqueness during command updates | |||
| CVE-2026-6342 | medium | 4.3 | 4.3 | 14d ago | Mattermost Plugins versions <=11.5 11.1.5 10.13.11 11.3.4.0 fail to appropriately check for valid namespaces which allows plugin users to create subscriptions to groups that were not whitelisted via … | |||
| CVE-2026-6341 | medium | 4.3 | 4.3 | 14d ago | Mattermost Plugins versions <=11.5 11.1.5 10.13.11 11.3.4.0 fail to have API-level checks on which groups the user can create issues or attach comments to which allows a user that is member of multip… |
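A large share of the rows above share one root cause in WordPress plugin code: an AJAX handler that skips nonce validation (the Cross-Site Request Forgery entries), skips a capability check (the "Missing Authorization" entries), or checks a global capability but not the specific object named in the request (the IDOR entries). The two checks answer different questions and neither substitutes for the other. The following is an added example, not code from any plugin listed in the table: a hypothetical settings handler and a hypothetical per-object delete handler, each shown the vulnerable way and then hardened. The plugin prefix `exb_`, the option name `exb_settings`, the AJAX actions and the nonce action strings are all invented for illustration; the WordPress functions called (`check_ajax_referer`, `current_user_can`, `wp_send_json_error`, `wp_kses_post`, `wp_create_nonce`, `wp_localize_script`) are the real core API.

```php
<?php
/**
 * Added example for a hypothetical plugin ("Example Banner", prefix exb_).
 * Names, option keys and action strings are invented; the WordPress
 * functions used are core API.
 */

// ---------------------------------------------------------------------------
// VULNERABLE: no nonce check (CSRF) and no capability check (missing
// authorization). wp_ajax_* hooks only require *some* logged-in session, so
// any subscriber can call this directly, and any logged-in user whose browser
// loads an attacker's page can be made to submit it.
// ---------------------------------------------------------------------------
function exb_save_settings_vulnerable() {
    $settings = array(
        'banner_html' => $_POST['banner_html'] ?? '',   // unsanitized, stored HTML
        'enabled'     => ! empty( $_POST['enabled'] ),
    );
    update_option( 'exb_settings', $settings );
    wp_send_json_success();
}
// Shown for contrast only; do not register both handlers on one action.
// add_action( 'wp_ajax_exb_save_settings', 'exb_save_settings_vulnerable' );

// ---------------------------------------------------------------------------
// HARDENED: authorization first, then CSRF, then sanitize what is stored.
// ---------------------------------------------------------------------------
function exb_save_settings_hardened() {
    // 1. Authorization: may this user change site settings at all?
    //    A nonce does not answer this; it only ties the request to a page
    //    WordPress rendered for this user's session.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // 2. CSRF: was the request minted from our own settings page?
    //    check_ajax_referer() wraps wp_verify_nonce(); with $stop = false it
    //    returns false instead of printing "-1" and dying, so we can reply
    //    with a proper JSON error.
    if ( ! check_ajax_referer( 'exb_save_settings', '_exb_nonce', false ) ) {
        wp_send_json_error( array( 'message' => 'invalid nonce' ), 403 );
    }

    // 3. Sanitize before storing. wp_kses_post() keeps only the HTML a post
    //    author may use, so the option cannot become stored XSS.
    $settings = array(
        'banner_html' => wp_kses_post( wp_unslash( $_POST['banner_html'] ?? '' ) ),
        'enabled'     => ! empty( $_POST['enabled'] ),
    );
    update_option( 'exb_settings', $settings );
    wp_send_json_success( $settings );
}
add_action( 'wp_ajax_exb_save_settings', 'exb_save_settings_hardened' );

// ---------------------------------------------------------------------------
// Per-object authorization (the IDOR rows): when the request names an object
// ID, check the capability *for that ID*, not just a site-wide capability.
// 'delete_post' is a meta capability that WordPress maps to the post's owner
// and role, so a user cannot delete another user's banner by guessing IDs.
// ---------------------------------------------------------------------------
function exb_delete_banner_hardened() {
    $id = isset( $_POST['banner_id'] ) ? absint( $_POST['banner_id'] ) : 0;
    if ( ! $id || ! current_user_can( 'delete_post', $id ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }
    // Binding the nonce to the object ID stops a nonce minted for one banner
    // from being replayed against another.
    if ( ! check_ajax_referer( 'exb_delete_banner_' . $id, '_exb_nonce', false ) ) {
        wp_send_json_error( array( 'message' => 'invalid nonce' ), 403 );
    }
    wp_delete_post( $id, true );
    wp_send_json_success( array( 'deleted' => $id ) );
}
add_action( 'wp_ajax_exb_delete_banner', 'exb_delete_banner_hardened' );

// ---------------------------------------------------------------------------
// The admin page must hand the nonce to the client so it can be sent back in
// the _exb_nonce field; the hook suffix below assumes a settings page with
// menu slug "exb".
// ---------------------------------------------------------------------------
function exb_enqueue_admin_assets( $hook_suffix ) {
    if ( 'settings_page_exb' !== $hook_suffix ) {
        return;
    }
    wp_enqueue_script( 'exb-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'exb-admin', 'exbAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'exb_save_settings' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'exb_enqueue_admin_assets' );
```

The order matters: the capability check runs before the nonce check so an unauthorized caller learns nothing about nonce validity, and the nonce is bound to a specific action (and, for object operations, to the object ID) rather than a single plugin-wide string. A nonce alone is not authorization: WordPress nonces are per-user and time-limited, and any logged-in user can obtain one for a page they can view, which is exactly why the "Missing Authorization" rows remain exploitable even in plugins that do validate nonces.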