Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
8.2 HIGH
CVE-2026-40193 — Maddy Mail Server: LDAP Filter Injection via Unsanitized Username

maddy is a composable, all-in-one mail server. Versions prior to 0.9.3 contain an LDAP injection vulnerability in the auth.ldap module where user-supplied usernames are interpolated into LDAP search …

maddy | Remote | Injection
Apr 16, 2026 Apr 16, 2026
Apr 16, 2026
Apr 16, 2026
4.3 MEDIUM
CVE-2026-4949 — ProfilePress <= 4.16.12 - Missing Authorization to Authenticated (Subscriber+) Inactive M…

The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress plugin for WordPress is vulnerable to Missing Authorization in all versions u…

Remote | Authorization
Apr 15, 2026 Apr 15, 2026
Apr 15, 2026
Apr 15, 2026
8.8 HIGH
CVE-2026-40316 — OWASP BLT has RCE in Github Actions via untrusted Django model execution in workflow

OWASP BLT is a QA testing and vulnerability disclosure platform that encompasses websites, apps, git repositories, and more. Versions prior to 2.1.1 contain an RCE vulnerability in the .github/workfl…

Remote | Supply Chain
Apr 15, 2026 Apr 15, 2026
Apr 15, 2026
Apr 15, 2026
8.7 HIGH
CVE-2026-40192 — Pillow is vulnerable to a FITS GZIP decompression bomb

Pillow is a Python imaging library. Versions 10.3.0 through 12.1.1 did not limit the amount of GZIP-compressed data read when decoding a FITS image, making them vulnerable to decompression bomb attac…

Remote | Denial of Service
Apr 15, 2026 Apr 15, 2026
Apr 15, 2026
Apr 15, 2026
5.3 MEDIUM
CVE-2026-40179 — Prometheus: Stored XSS via metric names and label values in web UI tooltips and metrics e…

Prometheus is an open-source monitoring system and time series database. Versions 3.0 through 3.5.1 and 3.6.0 through 3.11.1 have stored cross-site scripting vulnerabilities in multiple components of…

prometheus | Remote | Cross-Site Scripting
Apr 15, 2026 Apr 15, 2026
Apr 15, 2026
Apr 15, 2026
5.4 MEDIUM
CVE-2026-39350 — Istio AuthorizationPolicy Incorrect Regex Matching of Dots in serviceAccounts Fields Allo…

Istio is an open platform to connect, manage, and secure microservices. In versions 1.25.0 through 1.27.8, 1.28.0 through 1.28.5, 1.29.0, and 1.29.1, the serviceAccounts and notServiceAccounts fields…

Remote | Authorization
Apr 15, 2026 Apr 15, 2026
Apr 15, 2026
Apr 15, 2026
9.1 CRITICAL
CVE-2026-6388 — Argocd-image-updater: argocd image updater: cross-namespace privilege escalation via insu…

A flaw was found in ArgoCD Image Updater. This vulnerability allows an attacker, with permissions to create or modify an ImageUpdater resource in a multi-tenant environment, to bypass namespace bound…

Remote | Authorization
Apr 15, 2026 Apr 15, 2026
Apr 15, 2026
Apr 15, 2026
6.8 MEDIUM
CVE-2026-40500 — ProcessWire CMS SSRF via Add Module From URL

ProcessWire CMS version 3.0.255 and prior contain a server-side request forgery vulnerability in the admin panel's 'Add Module From URL' feature that allows authenticated administrators to supply arb…

Remote | Server-Side Request Forgery
Apr 15, 2026 Apr 15, 2026
Apr 15, 2026
Apr 15, 2026
4.8 MEDIUM
CVE-2026-1711 — Pega Platform versions 8.1.0 through 25.1.1 are affected by a Stored Cross-Site Scripting…

Pega Platform versions 8.1.0 through 25.1.1 are affected by a Stored Cross-Site Scripting vulnerability in a user interface component. Requires a high privileged user with a developer role.

Remote | Cross-Site Scripting
Apr 15, 2026 Apr 15, 2026
Apr 15, 2026
Apr 15, 2026
5.1 MEDIUM
CVE-2026-1564 — Pega Platform versions 8.1.0 through 25.1.1 are affected by an HTML Injection vulnerabili…

Pega Platform versions 8.1.0 through 25.1.1 are affected by an HTML Injection vulnerability in a user interface component. Requires a high privileged user with a developer role.

Remote | Injection
Apr 15, 2026 Apr 15, 2026
Apr 15, 2026
Apr 15, 2026
8.8 HIGH
CVE-2026-40261 — Composer has Command Injection via Malicious Perforce Reference

Composer is a dependency manager for PHP. Versions 1.0 through 2.2.26 and 2.3 through 2.9.5 contain a command injection vulnerability in the Perforce::syncCodeBase() method, which appends the $source…

composer | Remote | Injection
Apr 15, 2026 Apr 15, 2026
Apr 15, 2026
Apr 15, 2026
6.1 MEDIUM
CVE-2026-40186 — ApostropheCMS: sanitize-html allowedTags Bypass via Entity-Decoded Text in nonTextTags El…

ApostropheCMS is an open-source Node.js content management system. A regression introduced in commit 49d0bb7, included in versions 2.17.1 of the ApostropheCMS-maintained sanitize-html package bypasse…

Remote | Cross-Site Scripting
Apr 15, 2026 Apr 15, 2026
Apr 15, 2026
Apr 15, 2026
7.8 HIGH
CVE-2026-40176 — Composer is vulnerable to Command Injection via Malicious Perforce Repository

Composer is a dependency manager for PHP. Versions 1.0 through 2.2.26 and 2.3 through 2.9.5 contain a command injection vulnerability in the Perforce::generateP4Command() method, which constructs she…

composer | Injection
Apr 15, 2026 Apr 15, 2026
Apr 15, 2026
Apr 15, 2026
9.4 CRITICAL
CVE-2026-40173 — Dgraph: Unauthenticated pprof endpoint leaks admin auth token

Dgraph is an open source distributed GraphQL database. Versions 25.3.1 and prior contain an unauthenticated credential disclosure vulnerability where the /debug/pprof/cmdline endpoint is registered o…

Remote | Authentication
Apr 15, 2026 Apr 15, 2026
Apr 15, 2026
Apr 15, 2026
8.5 HIGH
CVE-2026-22676 — Barracuda RMM < 2025.2.2 Privilege Escalation via Insecure Directory Permissions

Barracuda RMM versions prior to 2025.2.2 contain a privilege escalation vulnerability that allows local attackers to gain SYSTEM-level privileges by exploiting overly permissive filesystem ACLs on th…

| Authorization
Apr 15, 2026 Apr 15, 2026
Apr 15, 2026
Apr 15, 2026
6.5 MEDIUM
CVE-2026-6385 — Ffmpeg: ffmpeg: denial of service and potential arbitrary code execution via signed integ…

A flaw was found in FFmpeg. A remote attacker could exploit this vulnerability by providing a specially crafted MPEG-PS/VOB media file containing a malicious DVD subtitle stream. This vulnerability i…

Remote | Memory Corruption
Apr 15, 2026 Apr 15, 2026
Apr 15, 2026
Apr 15, 2026
7.3 HIGH
CVE-2026-6384 — Gimp: gimp: arbitrary code execution or denial of service via buffer overflow in gif imag…

A flaw was found in gimp. This buffer overflow vulnerability in the GIF image loading component's `ReadJeffsImage` function allows an attacker to write beyond an allocated buffer by processing a spec…

| Memory Corruption
Apr 15, 2026 Apr 15, 2026
Apr 15, 2026
Apr 15, 2026
0.0 NA
CVE-2026-6364 — Google Chrome Skia Out-of-Bounds Read

Out of bounds read in Skia in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted file. (Chromium security se…

| Memory Corruption
Apr 15, 2026 Apr 15, 2026
Apr 15, 2026
Apr 15, 2026
8.8 HIGH
CVE-2026-6363 — Google Chrome V8 Type Confusion Memory Access

Type Confusion in V8 in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page. (Chromium security severity: Medium)

Remote | Memory Corruption
Apr 15, 2026 Apr 15, 2026
Apr 15, 2026
Apr 15, 2026
0.0 NA
CVE-2026-6362 — Google Chrome Use After Free in Codecs Vulnerability

Use after free in Codecs in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to potentially perform out of bounds memory access via a crafted video file. (Chromium security severity: H…

| Memory Corruption
Apr 15, 2026 Apr 15, 2026
Apr 15, 2026
Apr 15, 2026
Showing 20 of 6528 Results