VYPR

CVEs

100,472 total · page 117 of 2,010

  • CVE-2026-6300HigApr 15, 2026
    risk 0.57cvss 8.8epss 0.00

    Use after free in CSS in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

  • CVE-2026-6299HigApr 15, 2026
    risk 0.57cvss 8.8epss 0.00

    Use after free in Prerender in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: Critical)

  • CVE-2026-6297HigApr 15, 2026
    risk 0.54cvss 8.3epss 0.00

    Use after free in Proxy in Google Chrome prior to 147.0.7727.101 allowed an attacker in a privileged network position to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)

  • CVE-2026-35569HigApr 15, 2026
    risk 0.50cvss 8.7epss 0.00

    ApostropheCMS is an open-source Node.js content management system. Versions 4.28.0 and prior contain a stored cross-site scripting vulnerability in SEO-related fields (SEO Title and Meta Description), where user-controlled input is rendered without proper output encoding into…

  • CVE-2026-4857HigApr 15, 2026
    risk 0.55cvss 8.4epss 0.00

    IdentityIQ 8.5, all IdentityIQ 8.5 patch levels prior to 8.5p2, IdentityIQ 8.4, and all IdentityIQ 8.4 patch levels prior to 8.4p4 allow authenticated users assigned the Debug Pages Read Only capability or any custom capability with the ViewAccessDebugPage SPRight to incorrectly…

  • CVE-2026-34632HigApr 15, 2026
    risk 0.53cvss 8.2epss 0.00

    Adobe Photoshop Installer was affected by an Uncontrolled Search Path Element vulnerability that could have resulted in arbitrary code execution in the context of the current user. A low-privileged local attacker could have exploited this vulnerability by manipulating the search…

  • CVE-2026-34393HigApr 15, 2026
    risk 0.50cvss 8.8epss 0.00

    Weblate is a web based localization tool. In versions prior to 5.17, the user patching API endpoint didn't properly limit the scope of edits. This issue has been fixed in version 5.17.

  • CVE-2026-34242HigApr 15, 2026
    risk 0.43cvss 7.7epss 0.00

    Weblate is a web based localization tool. In versions prior to 5.17, the ZIP download feature didn't verify downloaded files, potentially following symlinks outside the repository. This issue has been fixed in version 5.17.

  • CVE-2026-33667HigApr 15, 2026
    risk 0.48cvss 7.4epss 0.00

    OpenProject is an open-source project management application. In versions prior to 17.3.0, 2FA OTP verification in the confirm_otp action of the two_factor_authentication module has no rate limiting, lockout mechanism, or failed-attempt tracking. The existing…

  • CVE-2026-33435HigApr 15, 2026
    risk 0.45cvss 8.0epss 0.01

    Weblate is a web based localization tool. In versions prior to 5.17, the project backup didn't filter Git and Mercurial configuration files which could lead to remote code execution under certain circumstances. This issue has been fixed in version 5.17. If developers are unable…

  • CVE-2026-6290HigApr 15, 2026
    risk 0.52cvss 8.0epss 0.00

    Velociraptor versions prior to 0.76.3 contain a vulnerability in the query() plugin which allows access to all orgs with the user's current ACL token. This allows an authenticated GUI user with access in one org, to use the query() plugin, in a notebook cell, to run VQL queries…

  • CVE-2026-32631HigApr 15, 2026
    risk 0.48cvss 7.4epss 0.00

    Git for Windows is the Windows port of Git. Versions prior to 2.53.0.windows.3 do not have protections that prevent attackers from obtaining a user's NTLM hash. The NTLM hash can be obtained by tricking users into cloning a malicious repository, or checking out a malicious…

  • CVE-2026-6372HigApr 15, 2026
    risk 0.49cvss 7.5epss 0.00

    Missing Authorization vulnerability in Plisio Accept Cryptocurrencies with Plisio allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Accept Cryptocurrencies with Plisio: from n/a through 2.0.5.

  • CVE-2026-30996HigApr 15, 2026
    risk 0.49cvss 7.5epss 0.01

    An issue in the file handling logic of the component download.php of SAC-NFe v2.0.02 allows attackers to execute a directory traversal and read arbitrary files from the system via a crafted GET request.

  • CVE-2026-30995HigApr 15, 2026
    risk 0.56cvss 8.6epss 0.00

    Slah CMS v1.5.0 and below was discovered to contain a SQL injection vulnerability via the id parameter in the vereador_ver.php endpoint.

  • CVE-2026-30994HigApr 15, 2026
    risk 0.49cvss 7.5epss 0.00

    Incorrect access control in the config.php component of Slah v1.5.0 and below allows unauthenticated attackers to access sensitive information, including active session credentials.

  • CVE-2025-63029HigApr 15, 2026
    risk 0.49cvss 7.6epss 0.00

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WC Lovers WCFM Marketplace wc-multivendor-marketplace allows SQL Injection.This issue affects WCFM Marketplace: from n/a through <= 3.7.1.

  • CVE-2026-30624HigApr 15, 2026
    risk 0.56cvss 8.6epss 0.00

    Agent Zero 0.9.8 contains a remote code execution vulnerability in its External MCP Servers configuration feature. The application allows users to define MCP servers using a JSON configuration containing arbitrary command and args values. These values are executed by the…

  • CVE-2026-30617HigApr 15, 2026
    risk 0.56cvss 8.6epss 0.00

    LangChain-ChatChat 0.3.1 contains a remote code execution vulnerability in its MCP STDIO server configuration and execution handling. A remote attacker can access the publicly exposed MCP management interface and configure an MCP STDIO server with attacker-controlled commands…

  • CVE-2026-30616HigApr 15, 2026
    risk 0.47cvss 7.3epss 0.00

    Jaaz 1.0.30 contains a remote code execution vulnerability in its MCP STDIO command execution handling. A remote attacker can send crafted network requests to the network-accessible Jaaz application, causing attacker-controlled commands to be executed on the server. Successful…

  • CVE-2026-30615HigApr 15, 2026
    risk 0.52cvss 8.0epss 0.00

    A prompt injection vulnerability in Windsurf 1.9544.26 allows remote attackers to execute arbitrary commands on a victim system. When Windsurf processes attacker-controlled HTML content, malicious instructions can cause unauthorized modification of the local MCP configuration…

  • CVE-2026-30461HigApr 15, 2026
    risk 0.54cvss 8.3epss 0.01

    Daylight Studio FuelCMS v1.5.2 was discovered to contain an authenticated remote code execution (RCE) vulnerability via the /controllers/Installer.php and the function add_git_submodule.

  • CVE-2026-20205HigApr 15, 2026
    risk 0.47cvss 7.2epss 0.00

    In Splunk MCP Server app versions below 1.0.3 , a user who holds a role with access to the Splunk `_internal` index or possesses the high-privilege capability `mcp_tool_admin` could view users session and authorization tokens in clear text.The vulnerability would require…

  • CVE-2026-20204HigApr 15, 2026
    risk 0.46cvss 7.1epss 0.03

    In Splunk Enterprise versions below 10.2.1, 10.0.5, 9.4.10, and 9.3.11, and Splunk Cloud Platform versions below 10.4.2603.0, 10.3.2512.5, 10.2.2510.9, 10.1.2507.19, 10.0.2503.13, and 9.3.2411.127, a low-privileged user that does not hold the `admin` or `power` Splunk roles…

  • CVE-2025-67841HigApr 15, 2026
    risk 0.49cvss 7.5epss 0.00

    Nordic Semiconductor IronSide SE for nRF54H20 before 23.0.2+17 has an Algorithmic complexity issue.

  • CVE-2026-4682HigApr 15, 2026
    risk 0.57cvss epss 0.00

    Certain HP DeskJet All in One devices may be vulnerable to remote code execution caused by a buffer overflow when specially crafted Web Services for Devices (WSD) scan requests are improperly validated and handled by the MFP. WSD Scan is a Microsoft Windows–based network…

  • CVE-2026-4667HigApr 15, 2026
    risk 0.47cvss epss 0.00

    HP System Optimizer might potentially be vulnerable to escalation of privilege. HP is releasing an update to mitigate this potential vulnerability.

  • CVE-2026-30364HigApr 15, 2026
    risk 0.49cvss 7.5epss 0.00

    CentSDR commit e40795 was discovered to contain a stack overflow in the "Thread1" function.

  • CVE-2024-53412HigApr 15, 2026
    risk 0.55cvss 8.4epss 0.01

    Command injection in the connect function in NietThijmen ShoppingCart 0.0.2 allows an attacker to execute arbitrary shell commands and achieve remote code execution via injection of malicious payloads into the Port field

  • CVE-2026-4145HigApr 15, 2026
    risk 0.51cvss 7.8epss 0.00

    During an internal security assessment, a potential vulnerability was discovered in Lenovo Software Fix that could allow a local authenticated user to perform arbitrary code execution with elevated privileges.

  • CVE-2026-4134HigApr 15, 2026
    risk 0.47cvss 7.3epss 0.00

    During an internal security assessment, a potential vulnerability was discovered in Lenovo Software Fix, that during installation could allow a local authenticated user to execute code with elevated privileges.

  • CVE-2026-0827HigApr 15, 2026
    risk 0.46cvss 7.1epss 0.00

    During an internal security assessment, a potential vulnerability was discovered in Lenovo Diagnostics and the HardwareScanAddin used in Lenovo Vantage that, during installation or when using hardware scan, could allow a local authenticated user to perform an arbitrary file…

  • CVE-2026-40784HigApr 15, 2026
    risk 0.53cvss 8.1epss 0.00

    Authorization Bypass Through User-Controlled Key vulnerability in Mahmudul Hasan Arif FluentBoards fluent-boards allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects FluentBoards: from n/a through <= 1.91.2.

  • CVE-2026-40764HigApr 15, 2026
    risk 0.53cvss 8.1epss 0.00

    Cross-Site Request Forgery (CSRF) vulnerability in Syed Balkhi Contact Form by WPForms wpforms-lite allows Cross Site Request Forgery.This issue affects Contact Form by WPForms: from n/a through <= 1.10.0.2.

  • CVE-2026-40745HigApr 15, 2026
    risk 0.49cvss 7.6epss 0.00

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in bdthemes Element Pack Elementor Addons bdthemes-element-pack-lite allows Blind SQL Injection.This issue affects Element Pack Elementor Addons: from n/a through <= 8.4.2.

  • CVE-2026-40744HigApr 15, 2026
    risk 0.55cvss 8.5epss 0.00

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Beaver Builder Beaver Builder beaver-builder-lite-version allows Blind SQL Injection.This issue affects Beaver Builder: from n/a through <= 2.10.1.2.

  • CVE-2026-33805HigApr 15, 2026
    risk 0.49cvss 8.6epss 0.00

    @fastify/reply-from v12.6.1 and earlier and @fastify/http-proxy v11.4.3 and earlier process the client's Connection header after the proxy has added its own headers via rewriteRequestHeaders. This allows attackers to retroactively strip proxy-added headers from upstream requests…

  • CVE-2026-30778HigApr 15, 2026
    risk 0.42cvss 7.5epss 0.01

    The SkyWalking OAP /debugging/config/dump endpoint may leak sensitive configuration information of MySQL/PostgreSQL. This issue affects Apache SkyWalking: from 9.7.0 through 10.3.0. Users are recommended to upgrade to version 10.4.0, which fixes the issue.

  • CVE-2026-5598HigApr 15, 2026
    risk 0.51cvss epss 0.01

    Covert timing channel vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA core on all (core modules). This vulnerability is associated with program files FrodoEngine.Java. This issue affects BC-JAVA: from 1.71 before 1.80.2, from 1.81 before 1.81.1, from 1.82 before…

  • CVE-2026-3505HigApr 15, 2026
    risk 0.50cvss epss 0.01

    Allocation of resources without limits or throttling, Uncontrolled Resource Consumption vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcpg on all (pg modules). This vulnerability is associated with program files AEADEncDataPacket.Java, BcAEADUtil.Java,…

  • CVE-2024-33618HigApr 15, 2026
    risk 0.49cvss 7.5epss 0.00

    Uncontrolled Resource Consumption in Bosch VMS Central Server in Bosch VMS 12.0.1 allows attackers to consume excessive amounts of disk space via network interface.

  • CVE-2026-5694HigApr 15, 2026
    risk 0.47cvss 7.2epss 0.00

    The Quick Interest Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'loan-amount' and 'loan-period' parameters in all versions up to, and including, 3.1.5 due to insufficient input sanitization and output escaping. This makes it possible for…

  • CVE-2026-5617HigApr 15, 2026
    risk 0.57cvss 8.8epss 0.00

    The Login as User plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.0.3. This is due to the handle_return_to_admin() function trusting a client-controlled cookie (oclaup_original_admin) to determine which user to authenticate as,…

  • CVE-2026-3643HigApr 15, 2026
    risk 0.47cvss 7.2epss 0.00

    The Accessibly plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the REST API in all versions up to, and including, 3.0.3. The plugin registers REST API endpoints at `/otm-ac/v1/update-widget-options` and `/otm-ac/v1/update-app-config` with the…

  • CVE-2025-40899HigApr 15, 2026
    risk 0.58cvss 8.9epss 0.00

    A Stored Cross-Site Scripting vulnerability was discovered in the Assets and Nodes functionality due to improper validation of an input parameter. An authenticated user with custom fields privileges can define a malicious custom field containing a JavaScript payload. When the…

  • CVE-2025-40897HigApr 15, 2026
    risk 0.53cvss 8.1epss 0.00

    An access control vulnerability was discovered in the Threat Intelligence functionality due to a specific access restriction not being properly enforced for users with view-only privileges. An authenticated user with view-only privileges for the Threat Intelligence functionality…

  • CVE-2026-5088HigApr 15, 2026
    risk 0.49cvss 7.5epss 0.01

    Apache::API::Password versions through 0.5.2 for Perl can generate insecure random values for salts. The _make_salt and _make_salt_bcrypt methods will attept to load Crypt::URandom and then Bytes::Random::Secure to generate random bytes for the salt. If those modules are…

  • CVE-2026-40719HigApr 15, 2026
    risk 0.49cvss 7.5epss 0.00

    Deadwood in MaraDNS 3.5.0036 allows attackers to exhaust connection slots via a zone whose authoritative nameserver address cannot be resolved.

  • CVE-2026-5397HigApr 15, 2026
    risk 0.51cvss 7.8epss 0.00

    It has been identified that a vulnerability (CWE-427) exists in the UPS (Uninterruptible Power Supply) management application, whereby improper permissions on the installation directory allow a malicious actor to place a DLL that is then executed with administrator privileges. …

  • CVE-2026-6328HigApr 15, 2026
    risk 0.47cvss epss 0.00

    Improper input validation, Improper verification of cryptographic signature vulnerability in XQUIC Project XQUIC xquic on Linux (QUIC protocol implementation, packet processing module, STREAM frame handler modules) allows Protocol Manipulation.This issue affects XQUIC: through…