VYPR

CVEs

100,472 total · page 122 of 2,010

  • CVE-2026-24032HigApr 14, 2026
    risk 0.47cvss 7.3epss 0.00

    A vulnerability has been identified in SINEC NMS (All versions < V4.0 SP3 with UMC). The affected application contains an authentication weakness due to insufficient validation of user identity in the UMC component. This could allow an unauthenticated remote attacker to bypass…

  • CVE-2026-3017HigApr 14, 2026
    risk 0.40cvss 7.2epss 0.01

    The Smart Post Show – Post Grid, Post Carousel & Slider, and List Category Posts plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.0.12 via deserialization of untrusted input in the import_shortcodes() function. This makes it…

  • CVE-2026-40287HigApr 14, 2026
    risk 0.48cvss 8.4epss 0.00

    PraisonAI is a multi-agent teams system. Versions 4.5.138 and below are vulnerable to arbitrary code execution through automatic, unsanitized import of a tools.py file from the current working directory. Components including call.py (import_tools_from_file()), tool_resolver.py…

  • CVE-2026-6227HigApr 14, 2026
    risk 0.47cvss 7.2epss 0.01

    The BackWPup plugin for WordPress is vulnerable to Local File Inclusion via the `block_name` parameter of the `/wp-json/backwpup/v1/getblock` REST endpoint in all versions up to, and including, 5.6.6 due to a non-recursive `str_replace()` sanitization of path traversal…

  • CVE-2026-4388HigApr 14, 2026
    risk 0.47cvss 7.2epss 0.00

    The Form Maker by 10Web plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Matrix field (Text Box input type) in form submissions in all versions up to, and including, 1.15.40. This is due to insufficient input sanitization (`sanitize_text_field` strips…

  • CVE-2026-4352HigApr 14, 2026
    risk 0.49cvss 7.5epss 0.00

    The JetEngine plugin for WordPress is vulnerable to SQL Injection via the Custom Content Type (CCT) REST API search endpoint in all versions up to, and including, 3.8.6.1. This is due to the `_cct_search` parameter being interpolated directly into a SQL query string via…

  • CVE-2026-34256HigApr 14, 2026
    risk 0.46cvss 7.1epss 0.00

    Due to a missing authorization check in SAP ERP and SAP S/4HANA (Private Cloud and On-Premise), an authenticated attacker could execute a particular ABAP report to overwrite any existing eight?character executable ABAP report without authorization. If the overwritten report is…

  • CVE-2026-40164HigApr 14, 2026
    risk 0.42cvss 7.5epss 0.00

    jq is a command-line JSON processor. Before commit 0c7d133c3c7e37c00b6d46b658a02244fdd3c784, jq used MurmurHash3 with a hardcoded, publicly visible seed (0x432A9843) for all JSON object hash table operations, which allowed an attacker to precompute key collisions offline. By…

  • CVE-2026-5086HigApr 13, 2026
    risk 0.49cvss 7.5epss 0.00

    Crypt::SecretBuffer versions before 0.019 for Perl is suseceptible to timing attacks. For example, if Crypt::SecretBuffer was used to store and compare plaintext passwords, then discrepencies in timing could be used to guess the secret password.

  • CVE-2026-6224HigApr 13, 2026
    risk 0.40cvss 7.3epss 0.00

    A security flaw has been discovered in nocobase plugin-workflow-javascript up to 2.0.23. This issue affects the function createSafeConsole of the file packages/plugins/@nocobase/plugin-workflow-javascript/src/server/Vm.js. Performing a manipulation results in sandbox issue. The…

  • CVE-2026-4786HigApr 13, 2026
    risk 0.39cvss epss 0.00

    Mitgation of CVE-2026-4519 was incomplete. If the URL contained "%action" the mitigation could be bypassed for certain browser types the "webbrowser.open()" API could have commands injected into the underlying shell. See CVE-2026-4519 for details.

  • CVE-2026-33908HigApr 13, 2026
    risk 0.42cvss 7.5epss 0.01

    ImageMagick is free and open-source software used for editing and manipulating digital images. In versions below both 7.1.2-19 and 6.9.13-44, Magick frees the memory of the XML tree via the `DestroyXMLTree()` function; however, this process is executed recursively with no depth…

  • CVE-2026-22566HigApr 13, 2026
    risk 0.49cvss 7.5epss 0.00

    An Improper Access Control vulnerability could allow a malicious actor with access to the UniFi Play network to obtain UniFi Play WiFi credentials.
 Affected Products: UniFi Play PowerAmp (Version 1.0.35 and earlier)
 UniFi Play Audio Port  (Version 1.0.24 and earlier)
…

  • CVE-2026-22565HigApr 13, 2026
    risk 0.49cvss 7.5epss 0.00

    An Improper Input Validation vulnerability could allow a malicious actor with access to the UniFi Play network to cause the device to stop responding.
 Affected Products: UniFi Play PowerAmp (Version 1.0.35 and earlier)
 UniFi Play Audio Port  (Version 1.0.24 and…

  • CVE-2026-33901HigApr 13, 2026
    risk 0.42cvss 7.5epss 0.01

    ImageMagick is free and open-source software used for editing and manipulating digital images. In versions below both 7.1.2-19 and 6.9.13-44, a heap buffer overflow occurs in the MVG decoder that could result in an out of bounds write when processing a crafted image. This issue…

  • CVE-2026-32272HigApr 13, 2026
    risk 0.50cvss epss 0.00

    Craft Commerce is an ecommerce platform for Craft CMS. In versions 5.0.0 through 5.5.4, an SQL injection vulnerability exists where the ProductQuery::hasVariant and VariantQuery::hasProduct properties bypass the input sanitization blocklist added to ElementIndexesController in a…

  • CVE-2026-32271HigApr 13, 2026
    risk 0.43cvss epss 0.00

    Craft Commerce is an ecommerce platform for Craft CMS. In versions 4.0.0 through 4.10.2 and 5.0.0 through 5.5.4, there is an SQL injection vulnerability in the Commerce TotalRevenue widget which allows any authenticated control panel user to achieve remote code execution through…

  • CVE-2025-51414HigApr 13, 2026
    risk 0.57cvss 8.8epss 0.00

    In Phpgurukul Online Course Registration v3.1, an arbitrary file upload vulnerability was discovered within the profile picture upload functionality on the /my-profile.php page.

  • CVE-2026-32605HigApr 13, 2026
    risk 0.42cvss 7.5epss 0.00

    nimiq/core-rs-albatross is a Rust implementation of the Nimiq Proof-of-Stake protocol based on the Albatross consensus algorithm. Prior to version 1.3.0, an untrusted peer could crash a validator by publishing a signed tendermint proposal message where signer ==…

  • CVE-2026-6200HigApr 13, 2026
    risk 0.57cvss 8.8epss 0.00

    A vulnerability was determined in Tenda F456 1.0.0.5. The affected element is the function formwebtypelibrary of the file /goform/webtypelibrary. This manipulation of the argument menufacturer/Go causes stack-based buffer overflow. The attack can be initiated remotely. The…

  • CVE-2026-6199HigApr 13, 2026
    risk 0.57cvss 8.8epss 0.00

    A vulnerability was found in Tenda F456 1.0.0.5. Impacted is the function fromqossetting of the file /goform/qossetting. The manipulation of the argument page results in stack-based buffer overflow. It is possible to launch the attack remotely. The exploit has been made public…

  • CVE-2026-6198HigApr 13, 2026
    risk 0.57cvss 8.8epss 0.00

    A vulnerability has been found in Tenda F456 1.0.0.5. This issue affects the function fromNatStaticSetting of the file /goform/NatStaticSetting. The manipulation of the argument page leads to stack-based buffer overflow. It is possible to initiate the attack remotely. The…

  • CVE-2026-6197HigApr 13, 2026
    risk 0.57cvss 8.8epss 0.00

    A flaw has been found in Tenda F456 1.0.0.5. This vulnerability affects the function formWrlsafeset of the file /goform/AdvSetWrlsafeset. Executing a manipulation of the argument mit_ssid can lead to stack-based buffer overflow. The attack may be performed from remote. The…

  • CVE-2026-40040HigApr 13, 2026
    risk 0.57cvss 8.8epss 0.00

    Pachno 1.0.6 contains an unrestricted file upload vulnerability that allows authenticated users to upload arbitrary file types by bypassing ineffective extension filtering to the /uploadfile endpoint. Attackers can upload executable files .php5 scripts to web-accessible…

  • CVE-2026-40038HigApr 13, 2026
    risk 0.47cvss 7.2epss 0.00

    Pachno 1.0.6 contains a stored cross-site scripting vulnerability that allows attackers to execute arbitrary HTML and script code by injecting malicious payloads into POST parameters. Attackers can inject scripts through the value, comment_body, article_content, description, and…

  • CVE-2026-29955HigApr 13, 2026
    risk 0.57cvss 8.8epss 0.02

    The `/registercrd` endpoint in KubePlus 4.14 in the kubeconfiggenerator component is vulnerable to command injection. The component uses `subprocess.Popen()` with `shell=True` parameter to execute shell commands, and the user-supplied `chartName` parameter is directly…

  • CVE-2026-6196HigApr 13, 2026
    risk 0.57cvss 8.8epss 0.01

    A vulnerability was detected in Tenda F456 1.0.0.5. This affects the function fromexeCommand of the file /goform/exeCommand. Performing a manipulation of the argument cmdinput results in stack-based buffer overflow. The attack is possible to be carried out remotely. The exploit…

  • CVE-2026-6194HigApr 13, 2026
    risk 0.57cvss 8.8epss 0.00

    A weakness has been identified in Totolink A3002MU B20211125.1046. Affected by this vulnerability is the function sub_410188 of the file /boafrm/formWlanSetup of the component HTTP Request Handler. This manipulation of the argument wan-url causes stack-based buffer overflow.…

  • CVE-2026-32316HigApr 13, 2026
    risk 0.46cvss 8.2epss 0.00

    jq is a command-line JSON processor. An integer overflow vulnerability exists through version 1.8.1 within the jvp_string_append() and jvp_string_copy_replace_bad functions, where concatenating strings with a combined length exceeding 2^31 bytes causes a 32-bit unsigned integer…

  • CVE-2026-28291HigApr 13, 2026
    risk 0.46cvss 8.1epss 0.01

    simple-git enables running native Git commands from JavaScript. Versions up to and including 3.31.1 allow execution of arbitrary commands through Git option manipulation, bypassing safety checks meant to block dangerous options like -u and --upload-pack. The flaw stems from an…

  • CVE-2026-6193HigApr 13, 2026
    risk 0.47cvss 7.3epss 0.00

    A security flaw has been discovered in PHPGurukul Daily Expense Tracking System 1.1. Affected is an unknown function of the file /register.php. The manipulation of the argument email results in sql injection. The attack may be launched remotely. The exploit has been released to…

  • CVE-2026-6189HigApr 13, 2026
    risk 0.47cvss 7.3epss 0.00

    A vulnerability has been found in SourceCodester Pharmacy Sales and Inventory System 1.0. The affected element is an unknown function of the file /ajax.php?action=login. Such manipulation of the argument Username leads to sql injection. It is possible to launch the attack…

  • CVE-2026-36948HigApr 13, 2026
    risk 0.47cvss 7.3epss 0.00

    Sourcecodester Online Thesis Archiving System v1.0 is vulnerale to SQL injection in the file /otas/view_archive.php.

  • CVE-2026-23891HigApr 13, 2026
    risk 0.50cvss 8.7epss 0.00

    Decidim is a participatory democracy framework. In versions below 0.30.5 and 0.31.0.rc1 through 0.31.0, a stored code execution vulnerability in the user name field allows a low-privileged attacker to execute arbitrary code in the context of any user who passively visits a…

  • CVE-2026-6188HigApr 13, 2026
    risk 0.47cvss 7.3epss 0.00

    A flaw has been found in SourceCodester Pharmacy Sales and Inventory System 1.0. Impacted is an unknown function of the file /ajax.php?action=delete_sales. This manipulation of the argument ID causes sql injection. It is possible to initiate the attack remotely. The exploit has…

  • CVE-2026-6187HigApr 13, 2026
    risk 0.47cvss 7.3epss 0.00

    A vulnerability was detected in SourceCodester Pharmacy Sales and Inventory System 1.0. This issue affects some unknown processing of the file /ajax.php?action=chk_prod_availability. The manipulation of the argument ID results in sql injection. The attack may be performed from…

  • CVE-2026-6186HigApr 13, 2026
    risk 0.57cvss 8.8epss 0.01

    A security vulnerability has been detected in UTT HiPER 1200GW up to 2.5.3-170306. This vulnerability affects the function strcpy of the file /goform/formNatStaticMap. The manipulation of the argument NatBind leads to buffer overflow. The attack is possible to be carried out…

  • CVE-2026-34188HigApr 13, 2026
    risk 0.47cvss 7.2epss 0.01

    Improper Neutralization of Special Elements used in an OS Command vulnerability allows OS Command Injection via Event Response execution. This issue affects Pandora FMS: from 777 through 800

  • CVE-2026-34186HigApr 13, 2026
    risk 0.57cvss 8.8epss 0.00

    Improper Neutralization of Special Elements used in an SQL Command vulnerability allows SQL Injection via custom fields. This issue affects Pandora FMS: from 777 through 800

  • CVE-2026-30813HigApr 13, 2026
    risk 0.57cvss 8.8epss 0.00

    Improper Neutralization of Special Elements used in an SQL Command vulnerability allows SQL Injection via module search. This issue affects Pandora FMS: from 777 through 800

  • CVE-2026-30809HigApr 13, 2026
    risk 0.57cvss 8.8epss 0.01

    Improper Neutralization of Special Elements used in an OS Command vulnerability allows OS Command Injection via WebServerModuleDebug. This issue affects Pandora FMS: from 777 through 800

  • CVE-2026-30806HigApr 13, 2026
    risk 0.57cvss 8.8epss 0.01

    Improper Neutralization of Special Elements used in an OS Command vulnerability allows OS Command Injection via Network Report. This issue affects Pandora FMS: from 777 through 800

  • CVE-2026-30804HigApr 13, 2026
    risk 0.47cvss 7.2epss 0.00

    Unrestricted Upload of File with Dangerous Type vulnerability allows Remote Code Execution via file upload. This issue affects Pandora FMS: from 777 through 800

  • CVE-2025-69627HigApr 13, 2026
    risk 0.55cvss 8.4epss 0.00

    Nitro PDF Pro for Windows 14.41.1.4 contains a heap use-after-free vulnerability in the implementation of the JavaScript method this.mailDoc(). During execution, an internal XID object is allocated and then freed prematurely, after which the freed pointer is still passed into UI…

  • CVE-2025-69624HigApr 13, 2026
    risk 0.49cvss 7.5epss 0.00

    Nitro PDF Pro for Windows 14.41.1.4 contains a NULL pointer dereference vulnerability in the JavaScript implementation of app.alert(). When app.alert() is called with more than one argument and the first argument evaluates to null (for example, app.alert(app.activeDocs, true)…

  • CVE-2025-66769HigApr 13, 2026
    risk 0.49cvss 7.5epss 0.00

    A NULL pointer dereference in Nitro PDF Pro for Windows v14.41.1.4 allows attackers to cause a Denial of Service (DoS) via a crafted XFA packet.

  • CVE-2026-6183HigApr 13, 2026
    risk 0.47cvss 7.3epss 0.00

    A security flaw has been discovered in code-projects Simple Content Management System 1.0. Affected by this issue is some unknown functionality of the file /web/index.php. Performing a manipulation of the argument ID results in sql injection. Remote exploitation of the attack is…

  • CVE-2026-6182HigApr 13, 2026
    risk 0.47cvss 7.3epss 0.00

    A vulnerability was identified in code-projects Simple Content Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /web/admin/login.php. Such manipulation of the argument User leads to sql injection. The attack may be launched remotely.…

  • CVE-2026-33858HigApr 13, 2026
    risk 0.50cvss 8.8epss 0.01

    Dag Authors, who normally should not be able to execute code in the webserver context could craft XCom payload causing the webserver to execute arbitrary code. Since Dag Authors are already highly trusted, severity of this issue is Low. Users are recommended to upgrade to…

  • CVE-2026-31281HigApr 13, 2026
    risk 0.52cvss 8.0epss 0.00

    Totara LMS v19.1.5 and before is vulnerable to HTML Injection. An attacker can inject malicious HTML code in a message and send it to all the users in the application, resulting in executing the code and may lead to session hijacking and executing commands on the victim's…