CVE Database
Searchable database of security vulnerabilities. Filter by vendor, severity, or time period.
CVE-2026-2468 - The Quentn WP plugin for WordPress is vulnerable to SQL Injection via the 'qntn_wp_access' cookie in
CVE-2026-2440 - The SurveyJS plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to
CVE-2026-2427 - The itsukaita plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'day_from
CVE-2026-2424 - The Reward Video Ad for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting
CVE-2026-2375 - The App Builder – Create Native Android & iOS Apps On The Flight plugin for WordPress is vulnerable
CVE-2026-2351 - The Task Manager plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, an
CVE-2026-2294 - The UiPress lite | Effortless custom dashboards, admin themes and pages plugin for WordPress is vuln
CVE-2026-2290 - The Post Affiliate Pro plugin for WordPress is vulnerable to Server-Side Request Forgery in all vers
CVE-2026-2279 - The myLinksDump plugin for WordPress is vulnerable to SQL Injection via the 'sort_by' and 'sort_orde
CVE-2026-2277 - The rexCrawler plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'url' an
CVE-2026-2121 - The Weaver Show Posts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'add
CVE-2026-1935 - The Company Posts for LinkedIn plugin for WordPress is vulnerable to Missing Authorization in all ve
CVE-2026-1914 - The FuseDesk plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's fuse
CVE-2026-1911 - The Twitter Feeds plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'tweet_t
CVE-2026-1908 - The Integration with Hubspot Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting
CVE-2026-1899 - The Any Post Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin
CVE-2026-1891 - The Simple Football Scoreboard plugin for WordPress is vulnerable to Stored Cross-Site Scripting via
CVE-2026-1889 - The Outgrow plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' attribute
CVE-2026-1886 - The Go Night Pro | WordPress Dark Mode Plugin for WordPress is vulnerable to Stored Cross-Site Scrip
CVE-2026-1854 - The Post Flagger plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's
CVE-2026-1851 - The iVysilani Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'w
CVE-2026-1822 - The WP NG Weather plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's
CVE-2026-1806 - The Tour & Activity Operator Plugin for TourCMS plugin for WordPress is vulnerable to Stored Cross-S
CVE-2026-1800 - The Fonts Manager | Custom Fonts plugin for WordPress is vulnerable to time-based SQL Injection via
CVE-2026-1648 - The Performance Monitor plugin for WordPress is vulnerable to Server-Side Request Forgery in all ver
CVE-2026-1647 - The Comment Genius plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_S
CVE-2026-1575 - The Schema Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugi
CVE-2026-1503 - The login_register plugin for WordPress is vulnerable to Cross-Site Request Forgery to Stored Cross-
CVE-2026-1397 - The PQ Addons – Creative Elementor Widgets plugin for WordPress is vulnerable to Stored Cross-Site S
CVE-2026-1393 - The Add Google Social Profiles to Knowledge Graph Box plugin for WordPress is vulnerable to Cross-Si
CVE-2026-1392 - The SR WP Minify HTML plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versio
CVE-2026-1390 - The Redirect countdown plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versi
CVE-2026-1378 - The WP Posts Re-order plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versio
CVE-2026-1313 - The MimeTypes Link Icons plugin for WordPress is vulnerable to Server-Side Request Forgery in all ve
CVE-2026-1278 - The Mandatory Field plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin sett
CVE-2026-1275 - The Multi Post Carousel by Category plugin for WordPress is vulnerable to Stored Cross-Site Scriptin
CVE-2026-1253 - The Group Chat & Video Chat by AtomChat plugin for WordPress is vulnerable to unauthorized modificat
CVE-2026-1247 - The Survey plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in a
CVE-2026-1093 - The WPFAQBlock– FAQ & Accordion Plugin For Gutenberg plugin for WordPress is vulnerable to Stored Cr
CVE-2026-0609 - The Logo Slider – Logo Carousel, Logo Showcase & Client Logo Slider Plugin plugin for WordPress is v
CVE-2025-14037 - The Invelity Product Feeds plugin for WordPress is vulnerable to arbitrary file deletion via path tr
CVE-2025-13910 - The WP-WebAuthn plugin for WordPress is vulnerable to Unauthenticated Stored Cross-Site Scripting vi
CVE-2024-13785 - The The Contact Form, Survey, Quiz & Popup Form Builder – ARForms plugin for WordPress is vulnerable
CVE-2026-4302 - The WowOptin: Next-Gen Popup Maker plugin for WordPress is vulnerable to Server-Side Request Forgery
CVE-2026-32899 - OpenClaw versions prior to 2026.2.25 fail to consistently apply sender-policy checks to reaction_* a
CVE-2026-32898 - OpenClaw versions prior to 2026.2.23 contain an authorization bypass vulnerability in the ACP client
CVE-2026-32897 - OpenClaw versions prior to 2026.2.22 reuse gateway.auth.token as a fallback hash secret for owner-ID
CVE-2026-32896 - OpenClaw versions prior to 2026.2.21 BlueBubbles webhook handler contains a passwordless fallback au
CVE-2026-32895 - OpenClaw versions prior to 2026.2.26 fail to enforce sender authorization in member and message subt
CVE-2026-32067 - OpenClaw versions prior to 2026.2.26 contains an authorization bypass vulnerability in the pairing-s
CVE-2026-32065 - OpenClaw versions prior to 2026.2.25 contain an approval-integrity bypass vulnerability in system.ru
CVE-2026-32064 - OpenClaw versions prior to 2026.2.21 sandbox browser entrypoint launches x11vnc without authenticati
CVE-2026-32058 - OpenClaw versions prior to 2026.2.26 contain an approval context-binding weakness in system.run exec
CVE-2026-32057 - OpenClaw versions prior to 2026.2.25 contain an authentication bypass vulnerability in the trusted-p
CVE-2026-32056 - OpenClaw versions prior to 2026.2.22 fail to sanitize shell startup environment variables HOME and Z
CVE-2026-32055 - OpenClaw versions prior to 2026.2.26 contain a path traversal vulnerability in workspace boundary va
CVE-2026-32054 - OpenClaw versions prior to 2026.2.25 contain a symlink traversal vulnerability in browser trace and
CVE-2026-32053 - OpenClaw versions prior to 2026.2.23 contain a vulnerability in Twilio webhook event deduplication w
CVE-2026-32052 - OpenClaw versions prior to 2026.2.24 contain a command injection vulnerability in the system.run she
CVE-2026-32051 - OpenClaw versions prior to 2026.3.1 contain an authorization mismatch vulnerability that allows auth
CVE-2026-32050 - OpenClaw versions prior to 2026.2.25 contain an access control vulnerability in signal reaction noti
CVE-2026-32049 - OpenClaw versions prior to 2026.2.22 fail to consistently enforce configured inbound media byte limi
CVE-2026-32048 - OpenClaw versions prior to 2026.3.1 fail to enforce sandbox inheritance during cross-agent sessions_
CVE-2026-32046 - OpenClaw versions prior to 2026.2.21 contain an improper sandbox configuration vulnerability that al
CVE-2026-32045 - OpenClaw versions prior to 2026.2.21 incorrectly apply tokenless Tailscale header authentication to
CVE-2026-32044 - OpenClaw versions prior to 2026.3.2 contain an archive extraction vulnerability in the tar.bz2 insta
CVE-2026-32043 - OpenClaw versions prior to 2026.2.25 contain a time-of-check-time-of-use vulnerability in approval-b
CVE-2026-32042 - OpenClaw versions 2026.2.22 prior to 2026.2.25 contain a privilege escalation vulnerability allowing
CVE-2026-4083 - The Scoreboard for HTML5 Games Lite plugin for WordPress is vulnerable to Stored Cross-Site Scriptin
CVE-2026-3577 - The Keep Backup Daily plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the back
CVE-2026-3572 - The iTracker360 plugin for WordPress is vulnerable to Cross-Site Request Forgery leading to Stored C
CVE-2026-3567 - The RepairBuddy – Repair Shop CRM & Booking Plugin for WordPress is vulnerable to unauthorized acces
CVE-2026-3516 - The Contact List plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the '_cl_map_
CVE-2026-3474 - The EmailKit – Email Customizer for WooCommerce & WP plugin for WordPress is vulnerable to arbitrary
CVE-2026-3368 - The Injection Guard plugin for WordPress is vulnerable to Stored Cross-Site Scripting via malicious
CVE-2026-3350 - The Image Alt Text Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the
CVE-2026-3339 - The Keep Backup Daily plugin for WordPress is vulnerable to Limited Path Traversal in all versions u
CVE-2026-33428 - Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and
CVE-2026-33427 - Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and
CVE-2026-33426 - Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and
CVE-2026-33425 - Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and
CVE-2026-33424 - Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and
CVE-2026-33238 - WWBN AVideo is an open source video platform. Prior to version 26.0, the `listFiles.json.php` endpoi
CVE-2026-33237 - WWBN AVideo is an open source video platform. Prior to version 26.0, the Scheduler plugin's `run()`
CVE-2026-32666 - WebCTRL systems that communicate over BACnet inherit the protocol's lack of network layer authentic
CVE-2026-2430 - The Autoptimize plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the lazy-loadi
CVE-2026-2352 - The Autoptimize plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'ao_post_p
CVE-2026-25086 - Under certain conditions, an attacker could bind to the same port used by WebCTRL. This could allow
CVE-2026-24060 - Service information is not encrypted when transmitted as BACnet packets over the wire, and can be s
CVE-2026-4508 - A vulnerability was identified in PbootCMS up to 3.2.12. The impacted element is the function checkU
CVE-2026-3864 - A vulnerability was discovered in the Kubernetes CSI Driver for NFS where the subDir parameter in vo
CVE-2026-33476 - SiYuan is a personal knowledge management system. Prior to version 3.6.2, the Siyuan kernel exposes
CVE-2026-33423 - Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and
CVE-2026-33422 - Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and
CVE-2026-33411 - Discourse is an open-source discussion platform. Versions prior to 2026.3.0-latest.1, 2026.2.1, and
CVE-2026-33291 - Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and
CVE-2026-33251 - Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and
CVE-2026-33243 - barebox is a bootloader. In barebox from version 2016.03.0 to before version 2026.03.1 (and the corr
CVE-2026-33236 - NLTK (Natural Language Toolkit) is a suite of open source Python modules, data sets, and tutorials s
CVE-2026-33231 - NLTK (Natural Language Toolkit) is a suite of open source Python modules, data sets, and tutorials s
CVE-2026-33230 - NLTK (Natural Language Toolkit) is a suite of open source Python modules, data sets, and tutorials s
CVE-2026-33228 - flatted is a circular JSON parser. Prior to version 3.4.2, the parse() function in flatted can use a
CVE-2026-33226 - Budibase is a low code platform for creating internal tools, workflows, and admin panels. In version
CVE-2026-33221 - Nhost is an open source Firebase alternative with GraphQL. Prior to version 0.12.0, the storage serv
CVE-2026-33210 - Ruby JSON is a JSON implementation for Ruby. From version 2.14.0 to before versions 2.15.2.1, 2.17.1
CVE-2026-33209 - Avo is a framework to create admin panels for Ruby on Rails apps. Prior to version 3.30.3, a reflect
CVE-2026-33204 - SimpleJWT is a simple JSON web token library written in PHP. Prior to version 1.1.1, an unauthentica
CVE-2026-33203 - SiYuan is a personal knowledge management system. Prior to version 3.6.2, the SiYuan kernel WebSocke
CVE-2026-33194 - SiYuan is a personal knowledge management system. Prior to version 3.6.2, the `IsSensitivePath()` fu
CVE-2026-33186 - gRPC-Go is the Go language implementation of gRPC. Versions prior to 1.79.3 have an authorization by
CVE-2026-33180 - HAPI FHIR is a complete implementation of the HL7 FHIR standard for healthcare interoperability in J
CVE-2026-32810 - Halloy is an IRC application written in Rust. In versions on \*nix and macOS prior to commit f180e41
CVE-2026-32733 - Halloy is an IRC application written in Rust. Prior to commit 0f77b2cfc5f822517a256ea5a4b94bad8bfe38
CVE-2026-32663 - The WebSocket backend uses charging station identifiers to uniquely associate sessions but allows mu
CVE-2026-31926 - Charging station authentication identifiers are publicly accessible via web-based mapping platforms.
CVE-2026-31904 - The WebSocket Application Programming Interface lacks restrictions on the number of authentication r
CVE-2026-31903 - The WebSocket Application Programming Interface lacks restrictions on the number of authentication r
CVE-2026-2598 - Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
CVE-2026-29796 - WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorize
CVE-2026-28204 - Charging station authentication identifiers are publicly accessible via web-based mapping platforms.
CVE-2026-27649 - The WebSocket backend uses charging station identifiers to uniquely associate sessions but allows mu
CVE-2026-25192 - WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorize
CVE-2026-22163 - Requires malware code to misuse the DDK kernel module IOCTL interface. Such code can use the interf
CVE-2026-21732 - A web page that contains unusual GPU shader code is loaded into the GPU compiler process and can tri
CVE-2026-4507 - A vulnerability was determined in Mindinventory MindSQL up to 0.2.1. The affected element is the fun
CVE-2026-4506 - A vulnerability was found in Mindinventory MindSQL up to 0.2.1. Impacted is the function ask_db of t
CVE-2026-3584 - The Kali Forms plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, an
CVE-2026-33177 - Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.14 and
CVE-2026-33172 - Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.14 and
CVE-2026-33171 - Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.14 and
CVE-2026-33166 - Allure 2 is the version 2.x branch of Allure Report, a multi-language test reporting tool. The Allur
CVE-2026-32887 - Effect is a TypeScript framework that consists of several packages that work together to help build
CVE-2026-2378 - ArcSearch for Android versions prior to 1.12.7 could display a different domain in the address bar t
CVE-2026-23536 - A security issue was discovered in the Feast Feature Server's `/read-document` endpoint that allows
CVE-2026-33179 - libfuse is the reference implementation of the Linux FUSE. From version 3.18.0 to before version 3.1
CVE-2026-33165 - libde265 is an open source implementation of the h.265 video codec. Prior to version 1.0.17, a craft
CVE-2026-33164 - libde265 is an open source implementation of the h.265 video codec. Prior to version 1.0.17, a malfo
CVE-2026-33156 - ScreenToGif is a screen recording tool. In versions from 2.42.1 and prior, ScreenToGif is vulnerable
CVE-2026-33155 - DeepDiff is a project focused on Deep Difference and search of any Python data. From version 5.0.0 t
CVE-2026-33154 - dynaconf is a configuration management tool for Python. Prior to version 3.2.13, Dynaconf is vulnera
CVE-2026-33151 - Socket.IO is an open source, real-time, bidirectional, event-based, communication framework. Prior t
CVE-2026-33150 - libfuse is the reference implementation of the Linux FUSE. From version 3.18.0 to before version 3.1
CVE-2026-33147 - GMT is an open source collection of command-line tools for manipulating geographic and Cartesian dat
CVE-2026-33144 - GPAC is an open-source multimedia framework. Prior to commit 86b0e36, a heap-based buffer overflow (
CVE-2026-33143 - OneUptime is a solution for monitoring and managing online services. Prior to version 10.0.34, the W
CVE-2026-33142 - OneUptime is a solution for monitoring and managing online services. Prior to version 10.0.34, the f
CVE-2025-63261 - AWStats 8.0 is vulnerable to Command Injection via the open function
CVE-2025-55988 - An issue in the component /Controllers/RestController.php of DreamFactory Core v1.0.3 allows attacke
CVE-2026-4505 - A vulnerability has been found in eosphoros-ai DB-GPT up to 0.7.5. This issue affects the function m
CVE-2026-4504 - A flaw has been found in eosphoros-ai db-gpt up to 0.7.5. This vulnerability affects unknown code of
CVE-2026-4500 - A vulnerability was identified in bagofwords1 bagofwords up to 0.0.297. This impacts the function ge
CVE-2026-4499 - A vulnerability was determined in D-Link DIR-820LW 2.03. Affected is the function ssdpcgi_main of th
CVE-2026-4438 - Calling gethostbyaddr or gethostbyaddr_r with a configured nsswitch.conf that specifies the library'
CVE-2026-4437 - Calling gethostbyaddr or gethostbyaddr_r with a configured nsswitch.conf that specifies the library'
CVE-2026-33140 - PySpector is a static analysis security testing (SAST) Framework engineered for modern Python develo
CVE-2026-33139 - PySpector is a static analysis security testing (SAST) Framework engineered for modern Python develo
CVE-2026-33126 - Frigate is a network video recorder (NVR) with realtime local object detection for IP cameras. Prior
CVE-2025-63260 - SyncFusion 30.1.37 is vulnerable to Cross Site Scripting (XSS) via the Document-Editor reply to comm
CVE-2026-4497 - A vulnerability was determined in Totolink WA300 5.2cu.7112_B20190227. Affected by this issue is the
CVE-2026-4496 - A vulnerability was found in sigmade Git-MCP-Server up to 785aa159f262a02d5791a5d8a8e13c507ac42880.
CVE-2026-33010 - mcp-memory-service is an open-source memory backend for multi-agent systems. Prior to version 10.25.
CVE-2026-32710 - MariaDB server is a community developed fork of MySQL server. An authenticated user can crash MariaD
CVE-2026-32318 - Cryptomator for iOS offers multi-platform transparent client-side encryption for files in the cloud.
CVE-2026-32317 - Cryptomator for Android offers multi-platform transparent client-side encryption for files in the cl
CVE-2026-32310 - Cryptomator encrypts data being stored on cloud infrastructure. From version 1.6.0 to before version
CVE-2026-32309 - Cryptomator encrypts data being stored on cloud infrastructure. Prior to version 1.19.1, the Hub-bas
CVE-2026-4495 - A security flaw has been discovered in atjiu pybbs 6.0.0. This impacts the function create of the fi
CVE-2026-4494 - A vulnerability was identified in atjiu pybbs 6.0.0. This affects the function create of the file sr
CVE-2026-4493 - A vulnerability was determined in Tenda A18 Pro 02.03.02.28. The impacted element is the function su
CVE-2026-4492 - A vulnerability was found in Tenda A18 Pro 02.03.02.28. The affected element is the function set_qos
CVE-2026-32844 - XinLiangCoder php_api_doc through commit 1ce5bbf contains a reflected cross-site scripting vulnerabi
CVE-2026-32303 - Cryptomator encrypts data being stored on cloud infrastructure. Prior to version 1.19.1, an integrit
CVE-2026-31836 - Checkmate is an open-source, self-hosted tool designed to track and monitor server hardware, uptime,
CVE-2026-30580 - File Thingie 2.5.7 is vulnerable to Directory Traversal. A malicious user can leverage the "create f
CVE-2026-30579 - File Thingie 2.5.7 is vulnerable to Cross Site Scripting (XSS). A malicious user can leverage the "u
CVE-2026-30578 - File Thingie 2.5.7 is vulnerable to Cross Site Scripting (XSS). A malicious user can leverage the "
CVE-2026-4491 - A vulnerability has been found in Tenda A18 Pro 02.03.02.28. Impacted is the function fromSetIpMacBi
CVE-2026-4490 - A flaw has been found in Tenda A18 Pro 02.03.02.28. This issue affects the function setSchedWifi of
CVE-2026-29828 - DooTask v1.6.27 has a Cross-Site Scripting (XSS) vulnerability in the /manage/project/<id> page via
CVE-2026-22902 - A command injection vulnerability has been reported to affect QuNetSwitch. If a local attacker gains
CVE-2026-22901 - A command injection vulnerability has been reported to affect QuNetSwitch. If a remote attacker gain
CVE-2026-22900 - A use of hard-coded credentials vulnerability has been reported to affect QuNetSwitch. The remote at
CVE-2026-22898 - A missing authentication for critical function vulnerability has been reported to affect QVR Pro. Th
CVE-2026-22897 - A command injection vulnerability has been reported to affect QuNetSwitch. The remote attackers can
CVE-2026-22895 - A cross-site scripting (XSS) vulnerability has been reported to affect QuFTP Service. If a remote at
CVE-2025-62846 - An SQL injection vulnerability has been reported to affect QHora. If a local attacker gains an admin
CVE-2025-62845 - An improper neutralization of escape, meta, or control sequences vulnerability has been reported to
CVE-2025-62844 - A weak authentication vulnerability has been reported to affect QHora. If an attacker gains local ne
CVE-2025-62843 - An improper restriction of communication channel to intended endpoints vulnerability has been report
CVE-2025-59383 - A buffer overflow vulnerability has been reported to affect Media Streaming Add-On. The remote attac
CVE-2025-15608 - This vulnerability in AX53 v1 results from insufficient input sanitization in the device’s probe han
CVE-2025-15607 - A command injection vulnerability on AX53 v1 occurs in mscd debug functionality due to insufficient
CVE-2026-4489 - A vulnerability was detected in Tenda A18 Pro 02.03.02.28. This vulnerability affects the function f
CVE-2026-4488 - A vulnerability was identified in UTT HiPER 1250GW up to 3.2.7-210907-180535. Affected is the functi
CVE-2026-32989 - Precurio Intranet Portal 4.4 contains a cross-site request forgery vulnerability that allows attacke
CVE-2026-32986 - Textpattern CMS version 4.9.0 contains a second-order cross-site scripting vulnerability that allows
CVE-2025-67260 - The Terrapack software, from ASTER TEC / ASTER S.p.A., with the indicated components and versions ha
CVE-2025-46597 - Bitcoin Core 0.13.0 through 29.x has an integer overflow.
CVE-2026-4519 - The webbrowser.open() API would accept leading dashes in the URL which could be handled as command
CVE-2026-4487 - A vulnerability was determined in UTT HiPER 1200GW up to 2.5.3-170306. This impacts the function str
CVE-2026-33312 - Vikunja is an open-source self-hosted task management platform. Starting in version 0.20.2 and prior
CVE-2026-29794 - Vikunja is an open-source self-hosted task management platform. Starting in version 0.8 and prior to
CVE-2026-22172 - OpenClaw versions prior to 2026.3.12 contain an authorization bypass vulnerability in the WebSocket
CVE-2025-46598 - Bitcoin Core through 29.0 allows a denial of service via a crafted transaction.
CVE-2026-4486 - A vulnerability was found in D-Link DIR-513 1.10. This affects the function formEasySetPassword of t
CVE-2026-4485 - A vulnerability has been found in itsourcecode College Management System 1.0. The impacted element i
CVE-2026-33372 - An issue was discovered in Zimbra Collaboration (ZCS) 10.0 and 10.1. A cross-site request forgery (C
CVE-2026-33371 - An issue was discovered in Zimbra Collaboration (ZCS) 10.0 and 10.1. An XML External Entity (XXE) vu
CVE-2026-33370 - An issue was discovered in Zimbra Collaboration (ZCS) 10.0 and 10.1. A stored cross-site scripting (
CVE-2026-33369 - Zimbra Collaboration (ZCS) 10.0 and 10.1 contains an LDAP injection vulnerability in the Mailbox SOA
CVE-2026-33368 - Zimbra Collaboration Suite (ZCS) 10.0 and 10.1 contains a reflected cross-site scripting (XSS) vulne
CVE-2026-31382 - The error_description parameter is vulnerable to Reflected XSS. An attacker can bypass the domain's
CVE-2026-31381 - An attacker can extract user email addresses (PII) exposed in base64 encoding via the state paramete
CVE-2024-44722 - SysAK v2.0 and before is vulnerable to command execution via aaa;cat /etc/passwd.
CVE-2026-4434 - Improper certificate validation in the PAM propagation WinRM connections allows a network attacker
CVE-2026-33136 - WeGIA is a web manager for charitable institutions. Versions 3.6.6 and below have a Reflected Cross-
CVE-2026-33135 - WeGIA is a web manager for charitable institutions. Versions 3.6.6 and below have a Reflected Cross-
CVE-2026-33134 - WeGIA is a web manager for charitable institutions. Versions 3.6.5 and below contain an authenticate
CVE-2026-33133 - WeGIA is a web manager for charitable institutions. In versions 3.6.5 and 3.6.6, the loadBackupDB()
CVE-2026-33132 - ZITADEL is an open source identity management platform. Versions prior to 3.4.9 and 4.0.0 through 4.
CVE-2026-33131 - H3 is a minimal H(TTP) framework. Versions 2.0.0-0 through 2.0.1-rc.14 contain a Host header spoofin
CVE-2026-32595 - Traefik is an HTTP reverse proxy and load balancer. Versions 2.11.40 and below, 3.0.0-beta1 through
CVE-2026-32305 - Traefik is an HTTP reverse proxy and load balancer. Versions 2.11.40 and below, 3.0.0-beta1 through
CVE-2026-25792 - Greenshot is an open source Windows screenshot utility. Versions 1.3.312 and below have untrusted ex
CVE-2026-33130 - Uptime Kuma is an open source, self-hosted monitoring tool. In versions 1.23.0 through 2.2.0, the fi
CVE-2026-33129 - H3 is a minimal H(TTP) framework. Versions 2.0.1-beta.0 through 2.0.0-rc.8 contain a Timing Side-Cha
CVE-2026-33128 - H3 is a minimal H(TTP) framework. In versions prior to 1.15.6 and between 2.0.0 through 2.0.1-rc.14,
CVE-2026-33125 - Frigate is a network video recorder (NVR) with realtime local object detection for IP cameras. In ve
CVE-2026-33124 - Frigate is a network video recorder (NVR) with realtime local object detection for IP cameras. Versi
CVE-2026-33123 - pypdf is a free and open-source pure-python PDF library. Versions prior to 6.9.1 allow an attacker t
CVE-2026-33081 - PinchTab is a standalone HTTP server that gives AI agents direct control over a Chrome browser. Vers
CVE-2026-22324 - Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusio
CVE-2026-0677 - Deserialization of Untrusted Data vulnerability in TotalSuite TotalContest Lite totalcontest-lite al
CVE-2024-32537 - Cross-Site request forgery (CSRF) vulnerability in joshuae1974 Flash Video Player allows Cross Site
CVE-2024-31119 - Improper neutralization of input during web page generation ('cross-site scripting') vulnerability i
CVE-2026-3550 - The RockPress plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and
CVE-2026-33192 - Free5GC is an open-source Linux Foundation project for 5th generation (5G) mobile core networks. In
CVE-2026-33080 - Filament is a collection of full-stack components for accelerated Laravel development. Versions 4.0.
CVE-2026-33075 - FastGPT is an AI Agent building platform. In versions 4.14.8.3 and below, the fastgpt-preview-image.
CVE-2026-33072 - FileRise is a self-hosted web file manager / WebDAV server. In versions prior to 3.9.0, a hardcoded
CVE-2026-33071 - FileRise is a self-hosted web file manager / WebDAV server. In versions prior to 3.8.0, the WebDAV u
CVE-2026-33070 - FileRise is a self-hosted web file manager / WebDAV server. In versions prior to 3.8.0, a missing-au
CVE-2026-33069 - PJSIP is a free and open source multimedia communication library written in C. Versions 2.16 and bel
CVE-2026-33068 - Claude Code is an agentic coding tool. Versions prior to 2.1.53 resolved the permission mode from se
CVE-2026-33067 - SiYuan is a personal knowledge management system. Versions 3.6.0 and below render package metadata f
CVE-2026-33066 - SiYuan is a personal knowledge management system. In versions 3.6.0 and below, the backend renderREA
CVE-2026-32701 - Qwik is a performance-focused JavaScript framework. Versions prior to 1.19.2 improperly inferred arr
CVE-2026-2432 - The CM Custom Reports – Flexible reporting to track what matters most plugin for WordPress is vulner
CVE-2026-2421 - The ilGhera Carta Docente for WooCommerce plugin for WordPress is vulnerable to Path Traversal in al
CVE-2026-27625 - Stirling-PDF is a locally hosted web application that performs various operations on PDF files. In v