Latest Security Vulnerabilities

Thursday April 23, 2026

 

Unclassified

CVE-2026-41988 UUID Buffer Write Vulnerability (v3/5/6) before 14.0.0 uuidjs
CVE-2026-41179 Rclone RC ops/fsinfo Unauth CmdExec via WebDAV 1.48.0-1.73.5
CVE-2026-3361 WP Store Locator 2.2.261 Stored XSS via 'wpsl_address' Meta
CVE-2026-3007 Koollab LMS XSS in Courselet (v5.3.2) Enables Arbitrary JS
CVE-2026-1923 Stored XSS via id param in Social Rocket <=1.3.4.2 (WP)
CVE-2026-6878 Sandbox Escalation in ByteDance verl 0.7.0
CVE-2026-40529 SQLi in CMS ALAYA 7.4.1.4 or earlier via admin interface
CVE-2026-41211 Vite+ 0.1.17 Path Traversal via downloadPackageManager
CVE-2026-41679 CVE-2026-41679 Paperclip RCE via API chain pre-2026.416.0
And others...

Gnupg Libgcrypt

CVE-2026-41990 Libgcrypt <=1.12.2 Dilithium signing static array bounds issue
CVE-2026-41989 Heap overflow in libgcrypt <1.12.2 via crafted ECDH ciphertext (gcry_pk_decrypt)

Cloudways

CVE-2026-3844 Breeze Cache WP Plugin 2.4.4 Arbitrary File Upload via fetch_gravatar_from_remote

Langchain Ai

CVE-2026-41182 LangSmith SDK Output Redaction Bypass in Streaming Tokens (0.5.18/0.7.30)

Froxlor

CVE-2026-41228 Froxlor <2.3.6 API def_language Path Traversal Exec
CVE-2026-41231 Froxlor <2.3.6: ExportCron chown RCE via Path Traversal
CVE-2026-41230 Froxlor DNS Injection via DomainZones::add() (pre-2.3.6)
CVE-2026-41229 Froxlor 2.3.6+ PHP code exec via unescaped privileged_user
CVE-2026-41232 Froxlor email alias validation flaw (before 2.3.6) allows domain spoofing
CVE-2026-41233 Froxlor <=2.3.5 Domain Attribution Bypass via adminid Validation

Gutentor

CVE-2026-2951 WordPress Gutentor <3.5.5 Stored XSS via Contributor Access

Wednesday April 22, 2026

Linux Kernel

CVE-2026-31462 Linux Kernel amdgpu PASID Reuse Interrupt PrivEsc
CVE-2026-31463 Linux Kernel: iomap folio access flaw from i_blkbits granularity mis-match
CVE-2026-31468 Linux Kernel vfio/pci Double-Free via DMA-BUF on Error Path
CVE-2026-31469 Linux Kernel: virtio_net UAF on dst_ops when IFF_XMIT_DST_RELEASE cleared
CVE-2026-31470 Linux Kernel TDX Guest Quote Buffer Length Validation Mitigates OOB Read
CVE-2026-31471 Linux Kernel IPTFS mode_data dangling ptr in clone_state allocation failure
CVE-2026-31478 Linux Kernel ksmbd SMB2 offset bug in response buffer
CVE-2026-31479 Linux Kernel: DRM/xe VM Rebind Unwind Tracking Vulnerability
CVE-2026-31483 Linux Kernel s390 Spectre: Unbounded Syscall Dispatch Table Access
And others...

Apple iOS

CVE-2026-28950 Apple iOS/iPadOS Log Redaction & Notification Retention Bug (18.7.8)

GitLab

CVE-2026-3254 GitLab CE/EE 18.11: Auth User Load Unauth Content via Mermaid Sandbox
CVE-2026-5262 GitLab <=18.11.1 Storybook token disclosure to unauthenticated user
CVE-2025-0186 GitLab CE/EE DoS via crafted endpoint (v10.6-18.9.5/18.10-18.10.3/18.11-18.11.0)
CVE-2025-3922 GitLab CE/EE DoS via GraphQL API before 18.9.6, 18.10.4, 18.11.1
CVE-2026-1660 GitLab CE/EE DoS from Issue Import Input Validation up to 18.11.1
CVE-2026-5816 GitLab CE/EE XSS via Path Validation (18.10<18.10.4, 18.11<18.11.1)
CVE-2026-5377 GitLab <=18.11.1 Improper ACL in Issue Render
CVE-2026-6515 GitLab Virtual Registry Credential Escalation 18.218.11.1
CVE-2026-4922 GitLab unauth GraphQL CSRF (v < 18.9.6 / 18.10.4 / 18.11.1)
And others...

Python

CVE-2026-6019 Python CPython <3.15.0 Morsel.js_output XSS via
Built by Foundeo Inc., with data from the National Vulnerability Database (NVD). Privacy Policy. Use of this site is governed by the Legal Terms
Disclaimer
CONTENT ON THIS WEBSITE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. Always check with your vendor for the most up to date, and accurate information.