CVE Database
Searchable database of security vulnerabilities. Filter by vendor, severity, or time period.
CVE-2026-29771 - Netmaker makes networks with WireGuard. Prior to version 1.2.0, the /api/server/shutdown endpoint al
CVE-2026-29194 - Netmaker makes networks with WireGuard. Prior to version 1.5.0, the Authorize middleware in Netmaker
CVE-2026-29190 - Karapace is an open-source implementation of Kafka REST and Schema Registry. Prior to version 6.0.0,
CVE-2026-29076 - cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to version 0
CVE-2026-28678 - DSA Study Hub is an interactive educational web application. Prior to commit d527fba, the user authe
CVE-2026-3664 - A vulnerability was determined in xlnt-community xlnt up to 1.6.1. Impacted is the function xlnt::de
CVE-2026-3663 - A vulnerability was found in xlnt-community xlnt up to 1.6.1. This issue affects the function xlnt::
CVE-2026-29193 - ZITADEL is an open source identity management platform. From version 4.0.0 to 4.12.0, a vulnerabilit
CVE-2026-29192 - ZITADEL is an open source identity management platform. From version 4.0.0 to 4.11.1, a vulnerabilit
CVE-2026-29191 - ZITADEL is an open source identity management platform. From version 4.0.0 to 4.11.1, a vulnerabilit
CVE-2026-29186 - Backstage is an open framework for building developer portals. Prior to version 1.14.3, this is a co
CVE-2026-29185 - Backstage is an open framework for building developer portals. Prior to version 1.20.1, a vulnerabil
CVE-2026-29184 - Backstage is an open framework for building developer portals. Prior to version 3.1.4, a malicious s
CVE-2026-29067 - ZITADEL is an open source identity management platform. From version 4.0.0-rc.1 to 4.7.0, a potentia
CVE-2026-3662 - A vulnerability has been found in Wavlink WL-NU516U1 240425. This vulnerability affects the function
CVE-2026-3661 - A flaw has been found in Wavlink WL-NU516U1 240425. This affects the function ota_new_upgrade of the
CVE-2026-2219 - It was discovered that dpkg-deb (a component of dpkg, the Debian package management system) does not
CVE-2026-24308 - Improper handling of configuration values in ZKConfig in Apache ZooKeeper 3.8.5 and 3.9.4 on all pla
CVE-2026-24281 - Hostname verification in Apache ZooKeeper ZKTrustManager falls back to reverse DNS (PTR) when IP SAN
CVE-2026-2433 - The RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging plugin for WordPress is
CVE-2026-2420 - The LotekMedia Popup Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the
CVE-2026-1825 - The Show YouTube video plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plu
CVE-2026-1824 - The Infomaniak Connect for OpenID plugin for WordPress is vulnerable to Stored Cross-Site Scripting
CVE-2026-1823 - The Consensus Embed plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin
CVE-2026-1820 - The Media Library Alt Text Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting
CVE-2026-1805 - The DA Media GigList plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugi
CVE-2026-1574 - The MyQtip – easy qTip2 plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the pl
CVE-2026-1569 - The Wueen plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `wueen-
CVE-2026-1087 - The Guardian News Feed plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versi
CVE-2026-1086 - The Font Pairing Preview For Landing Pages plugin for WordPress is vulnerable to Cross-Site Request
CVE-2026-1085 - The True Ranker plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up
CVE-2026-1074 - The WP App Bar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'app-bar-fe
CVE-2026-1073 - The Purchase Button For Affiliate Link plugin for WordPress is vulnerable to Cross-Site Request Forg
CVE-2026-1071 - The Carta Online plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin setting
CVE-2025-14675 - The Meta Box plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file
CVE-2026-30842 - Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, Wallo
CVE-2026-30841 - Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, passw
CVE-2026-30840 - Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, there
CVE-2026-30839 - Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, testw
CVE-2026-30830 - Defuddle cleans up HTML pages. Prior to version 0.9.0, the _findContentBySchemaText method in src/de
CVE-2026-30829 - Checkmate is an open-source, self-hosted tool designed to track and monitor server hardware, uptime,
CVE-2026-30828 - Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, the u
CVE-2026-30827 - express-rate-limit is a basic rate-limiting middleware for Express. In versions starting from 8.0.0
CVE-2026-30825 - hoppscotch is an open source API development ecosystem. Prior to version 2026.2.1, the DELETE /v1/ac
CVE-2026-30824 - Flowise is a drag & drop user interface to build a customized large language model flow. Prior to ve
CVE-2026-30823 - Flowise is a drag & drop user interface to build a customized large language model flow. Prior to ve
CVE-2026-27797 - Homarr is an open-source dashboard. Prior to version 1.54.0, an unauthenticated Server-Side Request
CVE-2026-27796 - Homarr is an open-source dashboard. Prior to version 1.54.0, the integration.all tRPC endpoint in Ho
CVE-2025-8899 - The Paid Videochat Turnkey Site – HTML5 PPV Live Webcams plugin for WordPress is vulnerable to Privi
CVE-2026-30822 - Flowise is a drag & drop user interface to build a customized large language model flow. Prior to ve
CVE-2026-30821 - Flowise is a drag & drop user interface to build a customized large language model flow. Prior to ve
CVE-2026-30820 - Flowise is a drag & drop user interface to build a customized large language model flow. Prior to ve
CVE-2026-30247 - WeKnora is an LLM-powered framework designed for deep document understanding and semantic retrieval.
CVE-2026-3352 - The Easy PHP Settings plugin for WordPress is vulnerable to PHP Code Injection in all versions up to
CVE-2026-2722 - The Stock Ticker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin setting
CVE-2026-2721 - The MailArchiver plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin setting
CVE-2026-2494 - The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to Cross-
CVE-2026-2488 - The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to unauth
CVE-2026-2431 - The CM Custom Reports plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the '
CVE-2026-2429 - The Community Events plugin for WordPress is vulnerable to SQL Injection via the 'ce_venue_name' CSV
CVE-2026-2020 - The JS Archive List plugin for WordPress is vulnerable to PHP Object Injection in all versions up to
CVE-2026-1902 - The Hammas Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'apix'
CVE-2026-1650 - The MDJM Event Management plugin for WordPress is vulnerable to unauthorized data modification due t
CVE-2025-14353 - The ZIP Code Based Content Protection plugin for WordPress is vulnerable to SQL Injection in all ver
CVE-2026-25073 - XikeStor SKS8310-8X Network Switch firmware versions 1.04.B07 and prior contain a stored cross-site
CVE-2026-25072 - XikeStor SKS8310-8X Network Switch firmware versions 1.04.B07 and prior contain a predictable sessio
CVE-2026-25071 - XikeStor SKS8310-8X Network Switch firmware versions 1.04.B07 and prior contain a missing authentica
CVE-2026-25070 - XikeStor SKS8310-8X Network Switch firmware versions 1.04.B07 and prior contain an OS command inject
CVE-2026-2371 - The Greenshift – animation and page builder blocks plugin for WordPress is vulnerable to Insecure Di
CVE-2026-1981 - The HUMN-1 AI Website Scanner & Human Certification by Winston AI plugin for WordPress is vulnerable
CVE-2026-1644 - The WP Frontend Profile plugin for WordPress is vulnerable to Cross-Site Request Forgery in all vers
CVE-2026-3233 - Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
CVE-2026-30244 - Plane is an open-source project management tool. Prior to version 1.2.2, unauthenticated attacker
CVE-2026-30242 - Plane is an open-source project management tool. Prior to version 1.2.3, the webhook URL validati
CVE-2026-30241 - Mercurius is a GraphQL adapter for Fastify. Prior to version 16.8.0, Mercurius fails to enforce the
CVE-2026-30238 - Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions
CVE-2026-30237 - Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions
CVE-2026-27142 - Actions which insert URLs into the content attribute of HTML meta tags are not escaped. This can all
CVE-2026-27139 - On Unix platforms, when listing the contents of a directory using File.ReadDir or File.Readdir the r
CVE-2026-27138 - Certificate verification can panic when a certificate in the chain has an empty DNS name and another
CVE-2026-27137 - When verifying a certificate chain which contains a certificate containing multiple email address co
CVE-2026-25679 - url.Parse insufficiently validated the host/authority component and accepted some invalid URLs.
CVE-2026-30835 - Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.
CVE-2026-30233 - OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.11.1,
CVE-2026-30231 - Flare is a Next.js-based, self-hostable file sharing platform that integrates with screenshot tools.
CVE-2026-30230 - Flare is a Next.js-based, self-hostable file sharing platform that integrates with screenshot tools.
CVE-2026-30229 - Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.
CVE-2026-30228 - Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.
CVE-2026-30227 - MimeKit is a C# library which may be used for the creation and parsing of messages using the Multipu
CVE-2026-30225 - OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.11.1,
CVE-2026-30224 - OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.11.1,
CVE-2026-30223 - OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.11.1,
CVE-2026-29795 - stellar-xdr is a library and CLI containing types and functionality for working with Stellar XDR. Pr
CVE-2026-29791 - Agentgateway is an open source data plane for agentic AI connectivity within or across any agent fra
CVE-2026-29790 - dbt-common is the shared common utilities for dbt-core and adapter implementations use. Prior to ver
CVE-2026-29789 - Vito is a self-hosted web application that helps manage servers and deploy PHP applications into pro
CVE-2026-29788 - TSPortal is the WikiTide Foundation’s in-house platform used by the Trust and Safety team to manage
CVE-2026-29182 - Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.
CVE-2026-30847 - Wekan is an open source kanban tool built with Meteor. In versions 8.31.0 through 8.33, the notifica
CVE-2026-30846 - Wekan is an open source kanban tool built with Meteor. In versions 8.31.0 through 8.33, the globalwe
CVE-2026-30845 - Wekan is an open source kanban tool built with Meteor. In versions 8.31.0 through 8.33, the board co
CVE-2026-30844 - Wekan is an open source kanban tool built with Meteor. Versions 8.32 and 8.33 are vulnerable to Serv
CVE-2026-30843 - Wekan is an open source kanban tool built with Meteor. Versions 8.32 and 8.33 have a critical Insecu
CVE-2025-69654 - A crafted JavaScript input executed with the QuickJS release 2025-09-13, fixed in commit fcd33c1afa7
CVE-2026-3653 - Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. Reason: This candidate was issued in
CVE-2026-29063 - Immutable.js provides many Persistent Immutable data structures. Prior to versions 3.8.3, 4.3.7, and
CVE-2025-69653 - A crafted JavaScript input can trigger an internal assertion failure in QuickJS release 2025-09-13,
CVE-2025-69652 - GNU Binutils thru 2.46 readelf contains a vulnerability that leads to an abort (SIGABRT) when proces
CVE-2025-69650 - GNU Binutils thru 2.46 readelf contains a double free vulnerability when processing a crafted ELF bi
CVE-2025-69649 - GNU Binutils thru 2.46 readelf contains a null pointer dereference vulnerability when processing a c
CVE-2026-3419 - Fastify incorrectly accepts malformed `Content-Type` headers containing trailing characters after th
CVE-2026-30833 - Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to versions
CVE-2026-30831 - Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to versions
CVE-2026-29178 - Lemmy, a link aggregator and forum for the fediverse, is vulnerable to server-side request forgery v
CVE-2026-29110 - Cryptomator encrypts data being stored on cloud infrastructure. Prior to version 1.19.0, in non-debu
CVE-2026-29091 - Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Prior
CVE-2026-29089 - TimescaleDB is a time-series database for high-performance real-time analytics packaged as a Postgre
CVE-2026-29087 - @hono/node-server allows running the Hono application on Node.js. Prior to version 1.19.10, when usi
CVE-2026-28514 - Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to versions
CVE-2025-69651 - GNU Binutils thru 2.46 readelf contains a vulnerability that leads to an invalid pointer free when p
CVE-2025-69646 - Binutils objdump contains a denial-of-service vulnerability when processing a crafted binary with ma
CVE-2025-69645 - Binutils objdump contains a denial-of-service vulnerability when processing a crafted binary with ma
CVE-2025-69644 - An issue was discovered in Binutils before 2.46. The objdump contains a denial-of-service vulnerabil
CVE-2026-29783 - The shell tool within GitHub Copilot CLI versions prior to and including 0.0.422 can allow arbitrary
CVE-2026-29082 - Kestra is an event-driven orchestration platform. In versions from 1.1.10 and prior, Kestra’s execut
CVE-2026-29075 - Mesa is an open-source Python library for agent-based modeling, simulating complex systems and explo
CVE-2026-29064 - Zarf is an Airgap Native Packager Manager for Kubernetes. From version 0.54.0 to before version 0.73
CVE-2025-70363 - Incorrect access control in the REST API of Ibexa & Ciril GROUP eZ Platform / Ciril Platform 2.x all
CVE-2025-15602 - Snipe-IT versions prior to 8.3.7 contain sensitive user attributes related to account privileges tha
CVE-2026-27777 - Charging station authentication identifiers are publicly accessible via web-based mapping platforms.
CVE-2026-27764 - The WebSocket backend uses charging station identifiers to uniquely associate sessions but allows mu
CVE-2026-27123 - Rejected reason: Reason: This candidate was issued in error.
CVE-2026-27027 - Charging station authentication identifiers are publicly accessible via web-based mapping platforms.
CVE-2026-26288 - WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorize
CVE-2026-26018 - CoreDNS is a DNS server that chains plugins. Prior to version 1.14.2, a denial of service vulnerabil
CVE-2026-26017 - CoreDNS is a DNS server that chains plugins. Prior to version 1.14.2, a logical vulnerability in Cor
CVE-2026-24696 - The WebSocket Application Programming Interface lacks restrictions on the number of authentication r
CVE-2026-20882 - The WebSocket Application Programming Interface lacks restrictions on the number of authentication r
CVE-2026-20748 - The WebSocket backend uses charging station identifiers to uniquely associate sessions but allows mu
CVE-2026-2754 - Navtor NavBox exposes sensitive configuration and operational data due to missing authentication on
CVE-2026-2753 - An Absolute Path Traversal vulnerability exists in Navtor NavBox. The application exposes an HTTP se
CVE-2026-2752 - Navtor NavBox allows information disclosure via the /api/ais-data endpoint. A remote, unauthenticate
CVE-2026-26051 - WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorize
CVE-2026-1799 - Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. Reason: This candidate has been dete
CVE-2022-4947 - Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2024-32111. Reason:
CVE-2018-25200 - OOP CMS BLOG 1.0 contains a cross-site request forgery vulnerability that allows unauthenticated att
CVE-2018-25199 - OOP CMS BLOG 1.0 contains SQL injection vulnerabilities that allow unauthenticated attackers to exec
CVE-2018-25198 - eToolz 3.4.8.0 contains a denial of service vulnerability that allows local attackers to crash the a
CVE-2018-25197 - PlayJoom 0.10.1 contains an SQL injection vulnerability that allows unauthenticated attackers to exe
CVE-2018-25196 - ServerZilla 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to man
CVE-2018-25194 - Nominas 0.27 contains an SQL injection vulnerability that allows unauthenticated attackers to execut
CVE-2018-25193 - Mongoose Web Server 6.9 contains a denial of service vulnerability that allows remote attackers to c
CVE-2018-25192 - GPS Tracking System 2.12 contains an SQL injection vulnerability that allows unauthenticated attacke
CVE-2018-25191 - Facturation System 1.0 contains an SQL injection vulnerability that allows authenticated attackers t
CVE-2018-25190 - Easyndexer 1.0 contains a cross-site request forgery vulnerability that allows unauthenticated attac
CVE-2018-25189 - Data Center Audit 2.6.2 contains an SQL injection vulnerability in the username parameter of dca_log
CVE-2018-25188 - Webiness Inventory 2.3 contains an SQL injection vulnerability that allows unauthenticated attackers
CVE-2018-25187 - Tina4 Stack 1.0.3 contains multiple vulnerabilities allowing unauthenticated attackers to access sen
CVE-2018-25186 - Tina4 Stack 1.0.3 contains a cross-site request forgery vulnerability that allows attackers to modif
CVE-2018-25184 - Surreal ToDo 0.6.1.2 contains a local file inclusion vulnerability that allows unauthenticated attac
CVE-2018-25182 - Silurus Classifieds Script 2.0 contains an SQL injection vulnerability that allows unauthenticated a
CVE-2018-25181 - Musicco 2.0.0 contains a path traversal vulnerability that allows unauthenticated attackers to downl
CVE-2018-25180 - Maitra 1.7.2 contains an SQL injection vulnerability that allows authenticated attackers to execute
CVE-2018-25179 - Gumbo CMS 0.99 contains an SQL injection vulnerability that allows unauthenticated attackers to exec
CVE-2018-25178 - Easyndexer 1.0 contains an arbitrary file download vulnerability that allows unauthenticated attacke
CVE-2018-25177 - Data Center Audit 2.6.2 contains a cross-site request forgery vulnerability that allows attackers to
CVE-2018-25176 - Alive Parish 2.0.4 contains an SQL injection vulnerability that allows unauthenticated attackers to
CVE-2018-25175 - Alienor Web Libre 2.0 contains an SQL injection vulnerability that allows unauthenticated attackers
CVE-2018-25174 - ABC ERP 0.6.4 contains a cross-site request forgery vulnerability that allows attackers to modify ad
CVE-2018-25173 - Rmedia SMS 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to extr
CVE-2018-25172 - Pedidos 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute
CVE-2018-25171 - EdTv 2 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbi
CVE-2018-25170 - DoceboLMS 1.2 contains an SQL injection vulnerability that allows unauthenticated attackers to manip
CVE-2018-25169 - AMPPS 2.7 contains a denial of service vulnerability that allows remote attackers to crash the servi
CVE-2018-25168 - Precurio Intranet Portal 2.0 contains a cross-site request forgery vulnerability that allows unauthe
CVE-2018-25167 - Net-Billetterie 2.9 contains an SQL injection vulnerability in the login parameter of login.inc.php
CVE-2018-25166 - Meneame English Pligg 5.8 contains an SQL injection vulnerability that allows unauthenticated attack
CVE-2018-25165 - Galaxy Forces MMORPG 0.5.8 contains an SQL injection vulnerability that allows authenticated attacke
CVE-2018-25164 - EverSync 0.5 contains an arbitrary file download vulnerability that allows unauthenticated attackers
CVE-2018-25163 - BitZoom 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute
CVE-2018-25162 - 2-Plan Team 1.0.4 contains an arbitrary file upload vulnerability that allows authenticated attacker
CVE-2018-25161 - Warranty Tracking System 11.06.3 contains an SQL injection vulnerability that allows attackers to ex
CVE-2026-28106 - URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Kings Plugins B2BKing Premium a
CVE-2026-28080 - Missing Authorization vulnerability in Rank Math Rank Math SEO PRO allows Exploiting Incorrectly Con
CVE-2024-35644 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerab
CVE-2026-1468 - QuickCMS is vulnerable to Cross-Site Request Forgery across multiple endpoints. An attacker can craf
CVE-2026-3589 - The WooCommerce WordPress plugin from versions 5.4.0 to 10.5.2 does not properly handle batch reques
CVE-2026-23925 - An authenticated Zabbix user (User role) with template/host write permissions is able to create obje
CVE-2026-2830 - The WP All Import – Drag & Drop Import for CSV, XML, Excel & Google Sheets plugin for WordPress is v
CVE-2026-2331 - An attacker may perform unauthenticated read and write operations on sensitive filesystem areas via
CVE-2026-2330 - An attacker may access restricted filesystem areas on the device via the CROWN REST interface due to
CVE-2026-29183 - SiYuan is a personal knowledge management system. Prior to version 3.5.9, an unauthenticated reflect
CVE-2026-29074 - SVGO, short for SVG Optimizer, is a Node.js library and command-line application for optimizing SVG
CVE-2026-29073 - SiYuan is a personal knowledge management system. Prior to version 3.6.0, the /api/query/sql lets a
CVE-2026-29062 - jackson-core contains core low-level incremental ("streaming") parser and generator abstractions use
CVE-2026-29059 - Windmill is an open-source developer platform for internal code: APIs, background jobs, workflows an
CVE-2026-29068 - PJSIP is a free and open source multimedia communication library written in C. Prior to version 2.17
CVE-2026-29065 - changedetection.io is a free open source web page change detection tool. Prior to version 0.54.4, a
CVE-2026-29058 - AVideo is a video-sharing Platform software. Prior to version 7.0, an unauthenticated attacker can e
CVE-2026-29049 - melange allows users to build apk packages using declarative pipelines. In version 0.40.5 and prior,
CVE-2026-29048 - HumHub is an Open Source Enterprise Social Network. In version 1.18.0, a cross-site scripting vulner
CVE-2026-29042 - Nuclio is a "Serverless" framework for Real-Time Events and Data Processing. Prior to version 1.15.2
CVE-2026-29039 - changedetection.io is a free open source web page change detection tool. Prior to version 0.54.4, th
CVE-2026-29038 - changedetection.io is a free open source web page change detection tool. Prior to version 0.54.4, th
CVE-2026-28804 - pypdf is a free and open-source pure-python PDF library. Prior to version 6.7.5, an attacker who use
CVE-2026-28802 - Authlib is a Python library which builds OAuth and OpenID Connect servers. From version 1.6.5 to bef
CVE-2026-28801 - Natro Macro is an open-source Bee Swarm Simulator macro written in AutoHotkey. Prior to version 1.1.
CVE-2026-28800 - Natro Macro is an open-source Bee Swarm Simulator macro written in AutoHotkey. Prior to version 1.1.
CVE-2026-28799 - PJSIP is a free and open source multimedia communication library written in C. Prior to version 2.17
CVE-2026-28795 - OpenChatBI is an intelligent chat-based BI tool powered by large language models, designed to help u
CVE-2026-28438 - CocoIndex is a data transformation framework for AI. Prior to version 0.3.34, the Doris target conne
CVE-2026-2446 - The PowerPack for LearnDash WordPress plugin before 1.3.0 does not have authorization and CSRF check
CVE-2026-1128 - The WP eCommerce WordPress plugin through 3.15.1 does not have CSRF check in place when deleting cou
CVE-2026-29084 - Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior
CVE-2026-29061 - Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior
CVE-2026-29060 - Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior
CVE-2026-28794 - oRPC is a tool that helps build APIs that are end-to-end type-safe and adhere to OpenAPI standards.
CVE-2026-28787 - OneUptime is a solution for monitoring and managing online services. In version 10.0.11 and prior, t
CVE-2026-28785 - Ghostfolio is an open source wealth management software. Prior to version 2.244.0, by bypassing symb
CVE-2026-28685 - Kimai is a web-based multi-user time-tracking application. Prior to version 2.51.0, "GET /api/invoic
CVE-2026-28683 - Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior
CVE-2026-28682 - Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior
CVE-2026-28681 - Internet Routing Registry daemon version 4 is an IRR database server, processing IRR objects in the
CVE-2026-28680 - Ghostfolio is an open source wealth management software. Prior to version 2.245.0, an attacker can e
CVE-2026-28679 - Home-Gallery.org is a self-hosted open-source web gallery to browse personal photos and videos. Prio
CVE-2026-28677 - OpenSift is an AI study tool that sifts through large datasets using semantic search and generative
CVE-2026-28676 - OpenSift is an AI study tool that sifts through large datasets using semantic search and generative
CVE-2026-28675 - OpenSift is an AI study tool that sifts through large datasets using semantic search and generative
CVE-2026-28509 - LangBot is a global IM bot platform designed for LLMs. Prior to version 4.8.7, LangBot’s web UI rend
CVE-2026-28508 - Idno is a social publishing platform. Prior to version 1.6.4, a logic error in the API authenticatio
CVE-2026-28507 - Idno is a social publishing platform. Prior to version 1.6.4, there is a remote code execution vulne
CVE-2026-28429 - Talishar is a fan-made Flesh and Blood project. Prior to commit 6be3871, a Path Traversal vulnerabil
CVE-2026-28428 - Talishar is a fan-made Flesh and Blood project. Prior to commit a9c218e, an authentication bypass vu
CVE-2026-27605 - Chartbrew is an open-source web application that can connect directly to databases and APIs and use
CVE-2026-27603 - Chartbrew is an open-source web application that can connect directly to databases and APIs and use
CVE-2026-27005 - Chartbrew is an open-source web application that can connect directly to databases and APIs and use
CVE-2026-25888 - Chartbrew is an open-source web application that can connect directly to databases and APIs and use
CVE-2026-25887 - Chartbrew is an open-source web application that can connect directly to databases and APIs and use
CVE-2026-25877 - Chartbrew is an open-source web application that can connect directly to databases and APIs and use
CVE-2026-29093 - WWBN AVideo is an open source video platform. Prior to version 24.0, the official docker-compose.yml
CVE-2026-29046 - TinyWeb is a web server (HTTP, HTTPS) written in Delphi for Win32. Prior to version 2.04, TinyWeb ac
CVE-2026-29041 - Chamilo is a learning management system. Prior to version 1.11.34, Chamilo LMS is affected by an aut
CVE-2026-28502 - WWBN AVideo is an open source video platform. Prior to version 24.0, an authenticated Remote Code Ex
CVE-2026-28501 - WWBN AVideo is an open source video platform. Prior to version 24.0, an unauthenticated SQL Injectio
CVE-2026-28497 - TinyWeb is a web server (HTTP, HTTPS) written in Delphi for Win32. Prior to version 2.03, an integer
CVE-2026-27807 - MarkUs is a web application for the submission and grading of student assignments. Prior to version
CVE-2026-25962 - MarkUs is a web application for the submission and grading of student assignments. Prior to version
CVE-2025-59544 - Chamilo is a learning management system. Prior to version 1.11.34, the functionality for the user to
CVE-2025-59543 - Chamilo is a learning management system. Prior to version 1.11.34, there is a stored cross-site scri
CVE-2025-59542 - Chamilo is a learning management system. Prior to version 1.11.34, there is a stored cross-site scri