CVEs from 2026
Total: 14,071
- critical 1,240
- high 4,658
- medium 4,449
- low 488
% Critical: 8.8%
% with KEV: 0.4%
% with exploit: 0.7%
Top products
- chrome 522
- firepower_threat_defense_software 300
- firepower_threat_defense 298
- gcp 239
- openclaw 172
- commerce 104
- commerce_b2b 89
- grafana 80
| CVE | Severity | CVSS | Risk | Published | Description | Flags | OS | Vendor |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-9985 | medium | 5.3 | 5.3 | 6d ago | Insufficient validation of untrusted input in Media in Google Chrome on ChromeOS prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to obtain potentially sensi… | |||
| CVE-2026-45410 | medium | 5.3 | 5.3 | 6d ago | TREK is a collaborative travel planner. Prior to 3.0.18, early return on missing user during login flow allowed an attacker to enumerate valid user accounts via response timing discrepancy. When an e… | |||
| CVE-2026-46843 | medium | 5.3 | 5.3 | 6d ago | Vulnerability in Oracle REST Data Services (component: Core). Supported versions that are affected are 24.2.0-26.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network ac… | |||
| CVE-2026-46842 | medium | 5.3 | 5.3 | 6d ago | Vulnerability in Oracle REST Data Services (component: Core). Supported versions that are affected are 24.2.0-26.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network ac… | |||
| CVE-2026-46841 | medium | 5.3 | 5.3 | 6d ago | Vulnerability in Oracle REST Data Services (component: General). Supported versions that are affected are 24.2.0-26.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network… | |||
| CVE-2026-46830 | medium | 5.3 | 5.3 | 6d ago | Vulnerability in Oracle REST Data Services (component: Mongoapi). Supported versions that are affected are 24.2.0-26.1.0. Easily exploitable vulnerability allows unauthenticated attacker with networ… | |||
| CVE-2026-49130 | medium | 5.3 | 5.3 | 6d ago | Music Player Daemon (MPD) before version 0.24.11 contains a CRLF injection vulnerability in the xspf_char_data function within the XSPF playlist plugin that allows attackers to embed literal CR/LF by… | |||
| CVE-2026-33463 | medium | 5.3 | 5.3 | 6d ago | Operation on a Resource after Expiration or Termination (CWE-672) in Kibana can lead to unauthorized information disclosure. A logic error in how expiration timestamps were validated allowed a time-b… | |||
| CVE-2026-9091 | medium | 5.3 | 5.3 | 6d ago | Casdoor versions 2.362.0 and earlier contain a logic flaw in the social‑login binding flow that allows users to bypass configured MFA requirements. The binding‑rule code path in controllers/auth.go c… | |||
| CVE-2026-47676 | medium | 5.3 | 5.3 | 6d ago | Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.21, app.mount() strips the mount prefix from the incoming request path using the raw URL pathname, … | |||
| CVE-2026-47675 | medium | 5.3 | 5.3 | 6d ago | Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.21, the serialize() function in hono/cookie validates domain and path options against characters th… | |||
| CVE-2026-47674 | medium | 5.3 | 5.3 | 6d ago | Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.21, the ip-restriction middleware (hono/ip-restriction) compares incoming IP addresses against conf… | |||
| CVE-2026-48525 | medium | 5.3 | 5.3 | 6d ago | PyJWT is a JSON Web Token implementation in Python. From 2.8.0 to 2.12.1, when verifying detached JWS tokens using the unencoded-payload option ("b64": false, RFC 7797), PyJWT performs Base64URL deco… | |||
| CVE-2026-6937 | medium | 5.3 | 5.3 | 6d ago | The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.6.11.8 due to the pl… | |||
| CVE-2026-7651 | medium | 5.3 | 5.3 | 6d ago | The User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder plugin for WordPress is vulnerable to Insecure… | |||
| CVE-2026-7552 | medium | 5.3 | 5.3 | 6d ago | The Geo Mashup plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.13.19. This is due to the plugin not properly verifying that a user is authorized to … | |||
| CVE-2026-9803 | medium | 5.3 | 5.3 | 6d ago | A flaw was found in Keycloak's ClientRegistrationAuth component. A remote unauthenticated attacker can exploit this vulnerability by sending a specially crafted POST request with a malformed 'Authori… | |||
| CVE-2026-9794 | medium | 5.3 | 5.3 | 6d ago | A flaw was found in Keycloak. A remote, unauthenticated attacker can exploit this vulnerability by sending specially crafted SOAP requests to the SAML ECP (Security Assertion Markup Language Enhanced… | |||
| CVE-2026-46544 | medium | 5.3 | 5.3 | 7d ago | Microsoft UFO open-source framework for intelligent automation across devices and platforms. In 3.0.1-4-ge2626659, Microsoft UFO accepts client-supplied session_id values in WebSocket task messages a… | |||
| CVE-2026-6713 | medium | 5.3 | 5.3 | 7d ago | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.2 before 18.10.7, 18.11 before 18.11.4, and 19.0 before 19.0.1 that under certain conditions could have allowed an unauth… | |||
| CVE-2026-4392 | medium | 5.3 | 5.3 | 7d ago | A vulnerability was detected in TeamSpeak 3 Server up to 3.13.7. This issue affects some unknown processing of the component clientek Handshake Handler. Performing a manipulation of the argument proo… | |||
| CVE-2026-4391 | medium | 5.3 | 5.3 | 7d ago | A security vulnerability has been detected in TeamSpeak 3 Server up to 3.13.7. This vulnerability affects unknown code of the component ECC Key Parser. Such manipulation leads to heap-based buffer ov… | |||
| CVE-2026-44318 | medium | 5.3 | 5.3 | 7d ago | free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's BSF PUT /nbsf-management/v1/subscriptions/{subId} handler has an unsynchronized write on the global Subscrip… | |||
| CVE-2026-49053 | medium | 5.3 | 5.3 | 7d ago | Missing Authorization vulnerability in Wpmet ElementsKit Elementor addons Lite allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects ElementsKit Elementor addon… | |||
| CVE-2026-7254 | medium | 5.3 | 5.3 | 7d ago | IBM OPENBMC FW1110.00 through FW1110.11 is vulnerable to denial of service attacks by unauthenticated network users. | |||
| CVE-2026-49001 | medium | 5.3 | 5.3 | 7d ago | Cross-site request forgery (CSRF) vulnerabilities allow attackers to exploit a user's authenticated session to forge cross-site requests, inducing the execution of unintended operations such as tampe… | |||
| CVE-2026-9014 | medium | 5.3 | 5.3 | 7d ago | The WP Promoter plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the reset_stats() function in versions up to, and including, 1.3. The func… | |||
| CVE-2026-7493 | medium | 5.3 | 5.3 | 8d ago | The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to denial of service in all versions up to, and including, 1.6.11.5. This is due to a… | |||
| CVE-2026-38808 | medium | 5.3 | 5.3 | 8d ago | SQL Injection vulnerability in uzy-ssm-mall v1.1.0 allows a remote attacker to obtain sensitive information via the ProductMapper.xml and /OrderUtil.java components | |||
| CVE-2026-8391 | medium | 5.3 | 5.3 | 8d ago | RHSA-2026:22643: thunderbird security update (Important) | |||
| CVE-2026-46740 | medium | 5.3 | 5.3 | 8d ago | Mojolicious::Plugin::Statsd versions through 0.04 for Perl allowed metric injections. The metric names and set values were not checked for newlines, colons or pipes. Metrics generated from untrusted… | |||
| CVE-2026-42015 | medium | 5.3 | 5.3 | 8d ago | RHSA-2026:20612: gnutls security update (Important) | |||
| CVE-2026-44214 | medium | 5.3 | 5.3 | 8d ago | eventsource-encoder encodes events as well-formed EventSource/Server Sent Event (SSE) messages. Prior to 1.0.2, eventsource-encoder does not sanitize the event or id fields of an EventSourceMessage b… | |||
| CVE-2026-25426 | medium | 5.3 | 5.3 | 8d ago | Missing Authorization vulnerability in Magepeople inc. Taxi Booking Manager for WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Taxi Booking M… | |||
| CVE-2026-9541 | medium | 5.3 | 5.3 | 8d ago | A security flaw has been discovered in Squirrel up to 3.2. Impacted is the function ReadObject of the file squirrel/sqobject.cpp of the component Cnut File Handler. Performing a manipulation results … | |||
| CVE-2026-9540 | medium | 5.3 | 5.3 | 8d ago | A vulnerability was identified in vllm-project vllm 0.19.0. This issue affects some unknown processing of the component OpenAI-compatible Serving Path. Such manipulation leads to denial of service. I… | |||
| CVE-2026-48135 | medium | 5.3 | 5.3 | 8d ago | A Check Point HTTP-based service can incorrectly handle malformed HTTP requests. The issue is related to HTTP request parsing and validation. | |||
| CVE-2026-39642 | medium | 5.3 | 5.3 | 8d ago | Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in SpabRice Nyla allows Code Injection. This issue affects Nyla: from n/a through 1.7. | |||
| CVE-2026-24590 | medium | 5.3 | 5.3 | 8d ago | Missing Authorization vulnerability in VideoWhisper.Com Paid Videochat Turnkey Site allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Paid Videochat Turnkey… | |||
| CVE-2026-39655 | medium | 5.3 | 5.3 | 8d ago | Missing Authorization vulnerability in TeconceTheme Mayosis Core allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Mayosis Core: from n/a through 5.4.7. | |||
| CVE-2026-27398 | medium | 5.3 | 5.3 | 9d ago | Missing Authorization vulnerability in WP Chill RSVP and Event Management allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects RSVP and Event Management: from … | |||
| CVE-2026-27357 | medium | 5.3 | 5.3 | 9d ago | Missing Authorization vulnerability in Cornel Raiu WP Search Analytics allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Search Analytics: from n/a befor… | |||
| CVE-2026-24592 | medium | 5.3 | 5.3 | 9d ago | Missing Authorization vulnerability in Lucian Apostol Auto Affiliate Links allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Auto Affiliate Links: from n/a … | |||
| CVE-2026-9502 | medium | 5.3 | 5.3 | 9d ago | A vulnerability was identified in GNU LibreDWG up to 0.14. This affects the function decompress_R2004_section of the file src/decode.c of the component Dwgread Utility. The manipulation leads to heap… | |||
| CVE-2026-9500 | medium | 5.3 | 5.3 | 9d ago | A vulnerability was found in GNU LibreDWG up to 0.14. The affected element is the function read_2004_compressed_section of the file src/decode.c of the component Dwgread Utility. Performing a manipul… | |||
| CVE-2026-24546 | medium | 5.3 | 5.3 | 9d ago | Missing Authorization vulnerability in Ruben Garcia GamiPress allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects GamiPress: from n/a through 7.6.3. | |||
| CVE-2026-9466 | medium | 5.3 | 5.3 | 9d ago | A vulnerability was determined in Tiandy Easy7 Integrated Management Platform 7.17.0. This issue affects some unknown processing of the file /rest/user/updateUserPassword of the component API Endpoin… | |||
| CVE-2026-47069 | medium | 5.3 | 5.3 | 9d ago | CRLF injection in cookie domain/path options in hackney | |||
| CVE-2026-46745 | medium | 5.3 | 5.3 | 9d ago | Apache Airflow FAB Auth Manager contains an LDAP filter injection vulnerability (CWE-90) that allows unauthenticated attackers to exfiltrate directory data or bypass authentication. Upgrade to apache… | |||
| CVE-2026-5223 | medium | 5.3 | 5.3 | 9d ago | Cargo incorrectly handled symlinks inside of crate tarballs downloaded from third-party registries, allowing a malicious crate to override the source code of another crate from the same registry. The… | |||
| CVE-2026-9369 | medium | 5.3 | 5.3 | 10d ago | A security flaw has been discovered in NousResearch hermes-agent 2026.4.23. Affected is the function _discover_dashboard_plugins of the file hermes_cli/web_server.py of the component CLI web-dashboar… | |||
| CVE-2026-9352 | medium | 5.3 | 5.3 | 10d ago | A weakness has been identified in NousResearch hermes-agent up to 2026.4.23. This issue affects the function _make_run_env of the file tools/environments/local.py of the component Messaging Gateway H… | |||
| CVE-2026-9349 | medium | 5.3 | 5.3 | 10d ago | A vulnerability was determined in calcom cal.diy up to 4.9.4. Affected by this issue is the function getServerSideProps of the file apps/web/modules/bookings/views/bookings-single-view.getServerSideP… | |||
| CVE-2026-44618 | medium | 5.3 | 5.3 | 12d ago | Insecure XML parser configuration in Apache CXF's WS-Transfer module may allow attackers to perform XXE attacks. Users are recommended to upgrade to versions 4.2.1, 4.1.6 or 3.6.11, which fix this is… | |||
| CVE-2026-4635 | medium | 5.3 | 5.3 | 12d ago | Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to archive the channel before removing persistent notifications which allows authenticated user to c… | |||
| CVE-2026-8684 | medium | 5.3 | 5.3 | 12d ago | The MotoPress Hotel Booking plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 6.0.1. This is due to the plugin not properly verifying that a user is aut… | |||
| CVE-2026-46598 | medium | 5.3 | 5.3 | 12d ago | For certain crafted inputs, a 'ed25519.PrivateKey' was created by casting malformed wire bytes, leading to a panic when used. | |||
| CVE-2026-39835 | medium | 5.3 | 5.3 | 12d ago | SSH servers which use CertChecker as a public key callback without setting IsUserAuthority or IsHostAuthority could be caused to panic by a client presenting a certificate. CertChecker now returns an… | |||
| CVE-2026-8337 | medium | 5.3 | 5.3 | 13d ago | Concrete CMS 9.5.0 and below is vulnerable to IDOR in surveys. To be vulnerable, a site would have to be configured in such a way that both public and private surveys are present on the site. An unau… | |||
| CVE-2026-8240 | medium | 5.3 | 5.3 | 13d ago | Concrete CMS 9.5.0 and below is vulnerable to unauthenticated page metadata disclosure across every page with a configured summary template, revealing the existence of private, draft, and restricted … | |||
| CVE-2026-8239 | medium | 5.3 | 5.3 | 13d ago | Concrete CMS 9.5.0 and below is vulnerable to IDOR. The '/ccm/frontend/conversations/get_rating' endpoint confirms existence and returns rating score for any message by ID. The Concrete CMS security … | |||
| CVE-2026-8238 | medium | 5.3 | 5.3 | 13d ago | Concrete CMS 9.5.0 and below is vulnerable to IDOR. The '/ccm/frontend/conversations/message_page' endpoint returns the full content of any conversation message. An unauthenticated attacker can enume… | |||
| CVE-2026-8237 | medium | 5.3 | 5.3 | 13d ago | Concrete CMS 9.5.0 and below is vulnerable to IDOR. The `/ccm/frontend/conversations/message_detail` endpoint returns the full content of any conversation message. An unauthenticated attacker can enu… | |||
| CVE-2026-7879 | medium | 5.3 | 5.3 | 13d ago | In Concrete CMS 9.5.0 and below, the submit_password() method in concrete/controllers/single_page/download_file.php allows unauthorized file access since downloading permission-restricted files bypa… | |||
| CVE-2026-8205 | medium | 5.3 | 5.3 | 13d ago | Concrete CMS 9.5.0 and below is vulnerable to authorization bypass in the Calendar Block since action_get_events does not check canView on the calendar which results in restricted event details being… | |||
| CVE-2026-8204 | medium | 5.3 | 5.3 | 13d ago | Concrete CMS 9.5.0 and below is vulnerable to authorization Bypass in the Calendar Event Frontend Dialog which can allow cross-calendar data disclosure. A public calendar block can be used as a pivot… | |||
| CVE-2026-6826 | medium | 5.3 | 5.3 | 13d ago | Concrete CMS 9.5.0 and below is vulnerable to unauthenticated file usage disclosure via missing permission check in the usage controller. Any unauthenticated visitor can request /ccm/system/dialogs… | |||
| CVE-2026-48245 | medium | 5.3 | 5.3 | 13d ago | Open ISES Tickets before 3.44.2 embeds a hardcoded Google Maps API key in tables.php that is committed to the public source repository. The key can be extracted by anyone with read access to the sour… | |||
| CVE-2026-48244 | medium | 5.3 | 5.3 | 13d ago | Open ISES Tickets before 3.44.2 embeds a hardcoded Google Maps API key in settings.inc.php that is committed to the public source repository. The key can be extracted by anyone with read access to th… | |||
| CVE-2026-48243 | medium | 5.3 | 5.3 | 13d ago | Open ISES Tickets before 3.44.2 embeds a hardcoded WhitePages reverse-phone API key in wp1.php that is committed to the public source repository. Any actor with read access to the source tree can ext… | |||
| CVE-2026-27393 | medium | 5.3 | 5.3 | 13d ago | Missing Authorization vulnerability in Tobias CF7 WOW Styler allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects CF7 WOW Styler: from n/a through 1.7.6. | |||
| CVE-2026-9124 | medium | 5.3 | 5.3 | 14d ago | Insufficient validation of untrusted input in Input in Google Chrome on prior to 148.0.7778.179 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a craf… | |||
| CVE-2026-2812 | medium | 5.3 | 5.3 | 14d ago | ArcGIS Server contains an improper authentication vulnerability in an undocumented administrative endpoint. An unauthenticated attacker could exploit this issue by sending a crafted request to the en… | |||
| CVE-2026-4293 | medium | 5.3 | 5.3 | 14d ago | The affected Kieback & Peter DDC building controllers are vulnerable to cross-site scripting, enabling JavaScript to be executed by the victim's browser, which allows the attacker to control the brow… | |||
| CVE-2026-5950 | medium | 5.3 | 5.3 | 14d ago | An unbounded resend loop vulnerability exists in the BIND 9 resolver state machine during bad-server handling, enabling a remote unauthenticated attacker to cause severe resource exhaustion by sendin… | |||
| CVE-2026-3592 | medium | 5.3 | 5.3 | 14d ago | BIND resolvers are vulnerable to an amplified resource consumption/exhaustion attack. If a victim resolver makes a query to a specially crafted zone, the resolver will consume disproportionate resou… | |||
| CVE-2026-6728 | medium | 5.3 | 5.3 | 14d ago | The Slider Revolution plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 7.0.9 via the 'get_stream_data()' function. This makes it possible for una… | |||
| CVE-2026-44390 | medium | 5.3 | 5.3 | 14d ago | NLnet Labs Unbound up to and including version 1.25.0 has a vulnerability when handling replies with very large RRsets that Unbound needs to perform name compression for. Malicious upstream responses… | |||
| CVE-2026-42923 | medium | 5.3 | 5.3 | 14d ago | NLnet Labs Unbound up to and including version 1.25.0 has a vulnerability in the DNSSEC validator where the code path to consult the negative cache for DS records does not take into account the limit… | |||
| CVE-2026-42534 | medium | 5.3 | 5.3 | 14d ago | NLnet Labs Unbound up to and including version 1.25.0 has a vulnerability in the jostle logic that could defeat its purpose and degrade resolution performance. Retransmits of the same query could ren… | |||
| CVE-2026-32792 | medium | 5.3 | 5.3 | 14d ago | NLnet Labs Unbound 1.6.2 up to and including version 1.25.0 has a denial of service vulnerability when compiled with DNSCrypt support ('--enable-dnscrypt'). A bad DNSCrypt query could underflow Unbou… | |||
| CVE-2026-42526 | medium | 5.3 | 5.3 | 15d ago | In the AWS Secrets Manager and SSM Parameter Store secrets backends of `apache-airflow-providers-amazon` prior to 9.28.0, the team-scoping logic could resolve a `conn_id` containing a `/` (e.g. `"my_… | |||
| CVE-2026-34154 | medium | 5.3 | 5.3 | 15d ago | Discourse is an open-source discussion platform. In versions prior to 2026.1.4, 2026.3.1, 2026.4.1 and 2026.5.0-latest.1, a vulnerability in the discourse-subscriptions plugin allows users to gain a… | |||
| CVE-2026-46337 | medium | 5.3 | 5.3 | 15d ago | AVideo: Unauthenticated Arbitrary Image Read via Path Traversal in `view/img/image404Raw.php` | |||
| CVE-2026-34883 | medium | 5.3 | 5.3 | 15d ago | An issue was discovered in the Portrait Dell Color Management application before 3.7.0 for Dell monitors. On Windows, a symbolic link vulnerability allows a local low-privileged user to escalate priv… | |||
| CVE-2026-31388 | medium | 5.3 | 5.3 | 15d ago | Improper Access Control vulnerability in Apache OFBiz in multi-tenant deployments. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixe… | |||
| CVE-2026-31387 | medium | 5.3 | 5.3 | 15d ago | Improper Authentication vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue. | |||
| CVE-2026-8814 | medium | 5.3 | 5.3 | 15d ago | ExifReader is vulnerable to denial of service via unbounded decompression of image metadata | |||
| CVE-2026-32994 | medium | 5.3 | 5.3 | 15d ago | The /api/v1/autotranslate.translateMessage endpoint in versions <8.5.0, <8.4.2, <8.3.4, <8.2.4, <8.1.5, <8.0.6, <7.13.8, and <7.10.12 allows any authenticated user to retrieve the full content of any… | |||
| CVE-2026-32244 | medium | 5.3 | 5.3 | 16d ago | Discourse is an open-source discussion platform. In versions prior to 2026.1.4, 2026.3.1, 2026.4.1 and 2026.5.0-latest.1, outdated cached AI summaries can leak removed content to anonymous and unpriv… | |||
| CVE-2026-4893 | medium | 5.3 | 5.3 | 16d ago | RHSA-2026:20589: dnsmasq security update (Important) | |||
| CVE-2026-4891 | medium | 5.3 | 5.3 | 16d ago | RHSA-2026:20589: dnsmasq security update (Important) | |||
| CVE-2026-45554 | medium | 5.3 | 5.3 | 16d ago | NiceGUI is a Python-based UI framework. Prior to version 3.12.0, two FastAPI routes that serve per-component static assets in NiceGUI accept a sub-path parameter that may resolve to a directory rathe… | |||
| CVE-2026-36438 | medium | 5.3 | 5.3 | 16d ago | An issue in Intelbras VIP-1230-D-G4 Version V2.800.00IB00C.0.T allows a remote attacker to obtain sensitive information via password reset functionality under /OutsideCmd | |||
| CVE-2026-45620 | medium | 5.3 | 5.3 | 16d ago | WWBN AVideo is an open source video platform. In 29.0 and earlier, objects/mention.json.php has no User::loginCheck() or admin gate. It only has an entry guard: preg_match('/^@/', $_REQUEST['term']) … | |||
| CVE-2026-8752 | medium | 5.3 | 5.3 | 17d ago | A weakness has been identified in h2oai h2o-3 up to 7402. This vulnerability affects the function exec of the file h2o-core/src/main/java/water/rapids/ast/prims/misc/AstSetProperty.java of the compon… | |||
| CVE-2026-8739 | medium | 5.3 | 5.3 | 17d ago | A vulnerability was detected in Sanluan PublicCMS 5.202506.d. The affected element is the function getSignKey of the file publiccms-core/src/main/java/com/publiccms/logic/component/config/SafeConfigC… | |||
| CVE-2026-8737 | medium | 5.3 | 5.3 | 17d ago | A weakness has been identified in Sanluan PublicCMS 5.202506.d. This issue affects the function execute of the file publiccms-trade/src/main/java/com/publiccms/views/directive/trade/TradeAddressListD… | |||
| CVE-2026-8723 | medium | 5.3 | 5.3 | 18d ago | `qs.stringify` throws `TypeError` when called with `arrayFormat: 'comma'` and `encodeValuesOnly: true` on an array containing `null` or `undefined`. The throw is synchronous and not ha… | |||
| CVE-2026-8681 | medium | 5.3 | 5.3 | 19d ago | The Essential Chat Support plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.0.1. This is due to the plugin not properly verifying that a user is auth… |