VYPR

CVEs

100,472 total · page 116 of 2,010

  • CVE-2026-5785HigApr 16, 2026
    risk 0.53cvss 8.1epss 0.01

    Zohocorp ManageEngine PAM360 versions before 8531 and ManageEngine Password Manager Pro versions from 8600 to 13230 are vulnerable to Authenticated SQL injection in the query report module.

  • CVE-2026-31987HigApr 16, 2026
    risk 0.42cvss 7.5epss 0.01

    JWT Tokens used by tasks were exposed in logs. This could allow UI users to act as Dag Authors. Users are advised to upgrade to Airflow version that contains fix. Users are recommended to upgrade to version 3.2.0, which fixes this issue.

  • CVE-2026-3489HigApr 16, 2026
    risk 0.42cvss 7.5epss 0.00

    The DirectoryPress – Business Directory And Classified Ad Listing plugin for WordPress is vulnerable to SQL Injection via the 'packages' parameter in versions up to, and including, 3.6.26 due to insufficient escaping on the user supplied parameter and lack of sufficient…

  • CVE-2026-23772HigApr 16, 2026
    risk 0.47cvss 7.3epss 0.00

    Dell Storage Manager - Replay Manager for Microsoft Servers, version(s) 8.0, contain(s) an Improper Privilege Management vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Elevation of privileges.

  • CVE-2024-2374HigApr 16, 2026
    risk 0.49cvss 7.5epss 0.00

    The XML parsers within multiple WSO2 products accept user-supplied XML data without properly configuring to prevent the resolution of external entities. This omission allows malicious actors to craft XML payloads that exploit the parser's behavior, leading to the inclusion of…

  • CVE-2025-14868HigApr 16, 2026
    risk 0.50cvss 8.8epss 0.00

    The Career Section plugin for WordPress is vulnerable to Cross-Site Request Forgery leading to Path Traversal and Arbitrary File Deletion in all versions up to, and including, 1.6. This is due to missing nonce validation and insufficient file path validation on the delete action…

  • CVE-2026-41035HigApr 16, 2026
    risk 0.41cvss 7.4epss 0.00

    In rsync 3.0.1 through 3.4.1, receive_xattr relies on an untrusted length value during a qsort call, leading to a receiver use-after-free. The victim must run rsync with -X (aka --xattrs). On Linux, many (but not all) common configurations are vulnerable. Non-Linux platforms are…

  • CVE-2026-3876HigApr 16, 2026
    risk 0.47cvss 7.2epss 0.00

    The Prismatic plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'prismatic_encoded' pseudo-shortcode in all versions up to, and including, 3.7.3. This is due to insufficient input sanitization and output escaping on user-supplied attributes within the…

  • CVE-2026-1620HigApr 16, 2026
    risk 0.57cvss 8.8epss 0.01

    The Livemesh Addons for Elementor plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 9.0. This is due to insufficient sanitization of the template name parameter in the `lae_get_template_part()` function, which uses an inadequate…

  • CVE-2026-5050HigApr 16, 2026
    risk 0.42cvss 7.5epss 0.00

    The Payment Gateway for Redsys & WooCommerce Lite plugin for WordPress is vulnerable to Improper Verification of Cryptographic Signature in versions up to, and including, 7.0.0 due to successful_request() handlers calculating a local signature but not validating Ds_Signature…

  • CVE-2026-3614HigApr 16, 2026
    risk 0.57cvss 8.8epss 0.00

    The AcyMailing plugin for WordPress is vulnerable to privilege escalation in all versions From 9.11.0 up to, and including, 10.8.1 due to a missing capability check on the `wp_ajax_acymailing_router` AJAX handler. This makes it possible for authenticated attackers, with…

  • CVE-2026-3599HigApr 16, 2026
    risk 0.49cvss 7.5epss 0.00

    The Riaxe Product Customizer plugin for WordPress is vulnerable to SQL Injection via the 'options' parameter keys within 'product_data' of the /wp-json/InkXEProductDesignerLite/add-item-to-cart REST API endpoint in all versions up to, and including, 2.1.2. This is due to…

  • CVE-2026-22619HigApr 16, 2026
    risk 0.51cvss 7.8epss 0.00

    Eaton Intelligent Power Protector (IPP) is affected by insecure library loading in its executable, which could lead to arbitrary code execution by an attacker with access to the software package. This security issue has been fixed in the latest version of Eaton IPP software…

  • CVE-2023-3634HigApr 16, 2026
    risk 0.57cvss 8.8epss 0.01

    In products of the MSE6 product-family by Festo a remote authenticated, low privileged attacker could use functions of undocumented test mode which could lead to a complete loss of confidentiality, integrity and availability.

  • CVE-2026-6351HigApr 16, 2026
    risk 0.49cvss 7.5epss 0.01

    MailGates/MailAudit developed by Openfind has a CRLF Injection vulnerability, allowing unauthenticated remote attackers to exploit this vulnerability to read system files.

  • CVE-2026-6348HigApr 16, 2026
    risk 0.57cvss 8.8epss 0.00

    WinMatrix agent developed by Simopro Technology has a Missing Authentication vulnerability, allowing authenticated local attackers to execute arbitrary code with SYSTEM privileges on the local machine as well as on all hosts within the environment where the agent is installed.

  • CVE-2026-41015HigApr 16, 2026
    risk 0.41cvss 7.4epss 0.01

    radare2 before 9236f44, when configured on UNIX without SSL, allows command injection via a PDB name to rabin2 -PP. NOTE: although users are supposed to use the latest version from git (not a release), the date range for the vulnerable code was less than a week, occurring after…

  • CVE-2026-40960HigApr 16, 2026
    risk 0.46cvss 8.1epss 0.00

    Luanti 5 before 5.15.2 sometimes allows unintended access to an insecure environment. If at least one mod is listed as secure.trusted_mods or secure.http_mods, then a crafted mod can intercept the request for the insecure environment or HTTP API, and also receive access to it.

  • CVE-2026-40502HigApr 16, 2026
    risk 0.50cvss 8.8epss 0.02

    OpenHarness prior to commit dd1d235 contains a command injection vulnerability that allows remote gateway users with chat access to invoke sensitive administrative commands by exploiting insufficient distinction between local-only and remote-safe commands in the gateway handler.…

  • CVE-2026-5363HigApr 16, 2026
    risk 0.57cvss 8.8epss 0.00

    Inadequate Encryption Strength vulnerability in TP-Link Archer C7 v5 and v5.8 (uhttpd modules) allows Password Recovery Exploitation. The web interface encrypts the admin password client-side using RSA-1024 before sending it to the router during login.  An adjacent attacker…

  • CVE-2026-40245HigApr 16, 2026
    risk 0.42cvss 7.5epss 0.01

    Free5GC is an open-source Linux Foundation project for 5th generation (5G) mobile core networks. Versions 4.2.1 and below contain an information disclosure vulnerability in the UDR (Unified Data Repository) service. The handler for GET /nudr-dr/v2/application-data/influenceData/s…

  • CVE-2026-40193HigApr 16, 2026
    risk 0.46cvss 8.2epss 0.00

    maddy is a composable, all-in-one mail server. Versions prior to 0.9.3 contain an LDAP injection vulnerability in the auth.ldap module where user-supplied usernames are interpolated into LDAP search filters and DN strings via strings.ReplaceAll() without any LDAP filter…

  • CVE-2026-40316HigApr 15, 2026
    risk 0.50cvss 8.8epss 0.00

    OWASP BLT is a QA testing and vulnerability disclosure platform that encompasses websites, apps, git repositories, and more. Versions prior to 2.1.1 contain an RCE vulnerability in the .github/workflows/regenerate-migrations.yml workflow. The workflow uses the…

  • CVE-2026-40192HigApr 15, 2026
    risk 0.42cvss 7.5epss 0.01

    Pillow is a Python imaging library. Versions 10.3.0 through 12.1.1 did not limit the amount of GZIP-compressed data read when decoding a FITS image, making them vulnerable to decompression bomb attacks. A specially crafted FITS file could cause unbounded memory consumption,…

  • CVE-2026-40261HigApr 15, 2026
    risk 0.50cvss 8.8epss 0.02

    Composer is a dependency manager for PHP. Versions 1.0 through 2.2.26 and 2.3 through 2.9.5 contain a command injection vulnerability in the Perforce::syncCodeBase() method, which appends the $sourceReference parameter to a shell command without proper escaping, and additionally…

  • CVE-2026-40176HigApr 15, 2026
    risk 0.44cvss 7.8epss 0.01

    Composer is a dependency manager for PHP. Versions 1.0 through 2.2.26 and 2.3 through 2.9.5 contain a command injection vulnerability in the Perforce::generateP4Command() method, which constructs shell commands by interpolating user-supplied Perforce connection parameters (port,…

  • CVE-2026-22676HigApr 15, 2026
    risk 0.51cvss 7.8epss 0.00

    Barracuda RMM versions prior to 2025.2.2 contain a privilege escalation vulnerability that allows local attackers to gain SYSTEM-level privileges by exploiting overly permissive filesystem ACLs on the C:\Windows\Automation directory. Attackers can modify existing automation…

  • CVE-2026-6384HigApr 15, 2026
    risk 0.47cvss 7.3epss 0.00

    A flaw was found in gimp. This buffer overflow vulnerability in the GIF image loading component's `ReadJeffsImage` function allows an attacker to write beyond an allocated buffer by processing a specially crafted GIF file. This can lead to a denial of service or potentially…

  • CVE-2026-6363HigApr 15, 2026
    risk 0.57cvss 8.8epss 0.00

    Type Confusion in V8 in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page. (Chromium security severity: Medium)

  • CVE-2026-6361HigApr 15, 2026
    risk 0.54cvss 8.3epss 0.00

    Heap buffer overflow in PDFium in Google Chrome on Windows prior to 147.0.7727.101 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code inside a sandbox via a crafted PDF file. (Chromium security severity: High)

  • CVE-2026-6360HigApr 15, 2026
    risk 0.57cvss 8.8epss 0.00

    Use after free in FileSystem in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to potentially exploit object corruption via a crafted HTML page. (Chromium security severity: High)

  • CVE-2026-6359HigApr 15, 2026
    risk 0.57cvss 8.8epss 0.00

    Use after free in Video in Google Chrome on Windows prior to 147.0.7727.101 allowed a remote attacker who had compromised the renderer process to perform out of bounds memory access via a crafted HTML page. (Chromium security severity: High)

  • CVE-2026-6358HigApr 15, 2026
    risk 0.57cvss 8.8epss 0.00

    Use after free in XR in Google Chrome on Android prior to 147.0.7727.101 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. (Chromium security severity: Critical)

  • CVE-2026-6319HigApr 15, 2026
    risk 0.49cvss 7.5epss 0.00

    Use after free in Payments in Google Chrome on Android prior to 147.0.7727.101 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code via a crafted HTML page. (Chromium security severity: Medium)

  • CVE-2026-6318HigApr 15, 2026
    risk 0.57cvss 8.8epss 0.00

    Use after free in Codecs in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium)

  • CVE-2026-6317HigApr 15, 2026
    risk 0.57cvss 8.8epss 0.00

    Use after free in Cast in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)

  • CVE-2026-6316HigApr 15, 2026
    risk 0.57cvss 8.8epss 0.00

    Use after free in Forms in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

  • CVE-2026-6315HigApr 15, 2026
    risk 0.57cvss 8.8epss 0.00

    Use after free in Permissions in Google Chrome on Android prior to 147.0.7727.101 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)

  • CVE-2026-6314HigApr 15, 2026
    risk 0.54cvss 8.3epss 0.00

    Out of bounds write in GPU in Google Chrome prior to 147.0.7727.101 allowed a remote attacker who had compromised the GPU process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

  • CVE-2026-6311HigApr 15, 2026
    risk 0.54cvss 8.3epss 0.00

    Uninitialized Use in Accessibility in Google Chrome on Windows prior to 147.0.7727.101 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

  • CVE-2026-6310HigApr 15, 2026
    risk 0.54cvss 8.3epss 0.00

    Use after free in Dawn in Google Chrome prior to 147.0.7727.101 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

  • CVE-2026-6309HigApr 15, 2026
    risk 0.54cvss 8.3epss 0.00

    Use after free in Viz in Google Chrome prior to 147.0.7727.101 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

  • CVE-2026-6308HigApr 15, 2026
    risk 0.49cvss 7.5epss 0.00

    Out of bounds read in Media in Google Chrome prior to 147.0.7727.101 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)

  • CVE-2026-6307HigApr 15, 2026
    risk 0.57cvss 8.8epss 0.00

    Type Confusion in Turbofan in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

  • CVE-2026-6306HigApr 15, 2026
    risk 0.57cvss 8.8epss 0.00

    Heap buffer overflow in PDFium in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted PDF file. (Chromium security severity: High)

  • CVE-2026-6305HigApr 15, 2026
    risk 0.57cvss 8.8epss 0.00

    Heap buffer overflow in PDFium in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted PDF file. (Chromium security severity: High)

  • CVE-2026-6304HigApr 15, 2026
    risk 0.54cvss 8.3epss 0.00

    Use after free in Graphite in Google Chrome prior to 147.0.7727.101 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

  • CVE-2026-6303HigApr 15, 2026
    risk 0.57cvss 8.8epss 0.00

    Use after free in Codecs in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

  • CVE-2026-6302HigApr 15, 2026
    risk 0.57cvss 8.8epss 0.00

    Use after free in Video in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

  • CVE-2026-6301HigApr 15, 2026
    risk 0.57cvss 8.8epss 0.00

    Type Confusion in Turbofan in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)