Latest Security Vulnerabilities

Thursday April 9, 2026

Webilia

CVE-2026-4326 Missing Auth in Vertex Addons for Elementor <1.6.4 Allows Plugin Install as Subscriber
 

Unclassified

CVE-2026-5357 WordPress Download Manager <=3.3.52 XSS via sid param in wpdm_members
CVE-2026-4429 OSM OSMP WordPress Plug <=6.1.15: Stored XSS via marker_name & file_color_list
CVE-2026-3574 XSS: Experto Dashboard WP Plugin 1.0.4 Settings Stored XSS
CVE-2026-5742 Stored XSS in UsersWP WP Plugin URL Fields (1.2.60)
CVE-2026-4124 Ziggeo WP Plugin <=3.1.1: Missing Auth via wp_ajax_ziggeo_ajax
CVE-2026-5831 OS Command Injection in Agions taskflow-ai 2.1.8 terminal_execute
CVE-2026-5842 decolua 9router 0.3.47 Auth Bypass via /api Admin API
CVE-2026-5833 Cmd Inject in awwaiid mcp-server-taskwarrior 1.0.1 server.setRequestHandler (local)
CVE-2026-5848 JimuReport <=2.3.0 Data Source Handler Code Injection via DriverManager
And others...

Totolink A7100ru Firmware

CVE-2026-5854 Totolink A7100RU 7.4cu.2313 OS Command Injection via cstecgi.cgi
CVE-2026-5853 Totolink A7100RU 7.4cu: CGI cmd injection setIpv6LanCfg (addrPrefixLen)
CVE-2026-5852 Totolink A7100RU OS Command Injection in CGI Handler igmpVer - 7.4cu.2313
CVE-2026-5851 Remote OS Command Injection via CGI in Totolink A7100RU (7.4cu.2313_b20191024)
CVE-2026-5850 Totolink A7100RU 7.4cu OS Command Injection via setVpnPassCfg (pptpPassThru)

Tenda Ac15 Firmware

CVE-2026-5830 Stack Buffer Overflow in Tenda AC15 15.03.05.18 websGetVar

Tenda I12 Firmware

CVE-2026-5849 Tenda i12 1.0.0.11 HTTP Handler Path Traversal Remote

Davidfcarr

CVE-2026-1830 WordPress Quick Playground 1.3.1 RCE via REST API
 

D-Link Dlink

CVE-2026-5844 D-Link DIR-882 1.01B02 HNAP1 OS Command Injection via sprintf

Code Projects Online Shoe Store

CVE-2026-5835 code-projects Online Shoe Store v1.0 XSS via product_name in admin_football.php
CVE-2026-5836 Code-Projects Online Shoe Store 1.0 XSS via product_name in admin_product.php
CVE-2026-5834 CVE-2026-5834: XSS in OnlineShoeStore 1.0 admin_running.php via product_name

Inspireui Mstore Api

CVE-2026-3568 CVE-2026-3568: IDOR in MStore API Plugin WordPress <=4.18.3

Code Projects Simple Laundry System

CVE-2026-5825 Simple Laundry System 1.0 XSS in /delmemberinfo.php (userid)

Code Projects

CVE-2026-5826 XSS in Simple IT Discussion Forum 1.0 /edit-category.php
CVE-2026-5827 SQLi in Simple IT Discussion Forum 1.0 (/question-function.php)
CVE-2026-5828 Simple IT Discussion Forum 1.0 AddComment.php SQLi via postid (remote)
CVE-2026-5829 SQLi via post_id in content.php Simple IT Discussion Forum 1.0
CVE-2026-5847 Movie Ticketing System 1.0 Info Disclosure via SQL DB Backup File Handler

Tenda I3 Firmware

CVE-2026-5841 Tenda i3 1.0.0.6 HTTP Handler Path Traversal via R7WebsSecurityHandler Remote
 

PHPGurukul News Portal Project

CVE-2026-5840 SQLi in PHPGurukul News Portal 4.1 via /admin/check_availability.php
CVE-2026-5839 SQL Injection in PHPGurukul News Portal 4.1 /admin/add-subcategory.php
CVE-2026-5838 SQL Injection in PHPGurukul News Portal 4.1 via /admin/add-subadmins.php
CVE-2026-5837 PHPGurukul News Portal 4.1 SQLi via /news-details.php Comment Arg

Rustaurius

CVE-2026-4336 Ultimate FAQ Accordion 2.4.7 Stored XSS via FAQ content

Wednesday April 8, 2026

Google Chrome

CVE-2026-5918 Chrome Nav CVE-2026-5918: Cross-Origin Leak via Renderer <147.0.7727.55
CVE-2026-5915 Google Chrome WebML OOB on <147.0.7727.55
CVE-2026-5914 Chrome <147.0.7727.55: CSS T. Confusion -> Heap Corrupt via Malicious Ext
CVE-2026-5903 Policy Bypass via IFrameSandbox in Chrome <147.0.7727.55
CVE-2026-5901 Chrome (pre-147.0.7727.55) DevTools policy bypass via malicious extension
CVE-2026-5897 Chrome<147.0.7727.55 UI Spoofing via Download Page
CVE-2026-5895 Google Chrome iOS 147.0.7727.55: Omnibox Spoofing via Incorrect Security UI
CVE-2026-5893 Heap Corruption via Race in V8 (Chrome <147.0.7727.55)
CVE-2026-5889 PDFium Crypto Brute-Force in Chrome <147.0.7727.55
And others...

Linux Kernel

CVE-2026-31411 Linux Kernel ATM: unvalidated vcc pointer crash via sendmsg

GoLang Go

CVE-2026-27140 SWIG cgo filename execution in Go cmd/go <1.26.2
CVE-2026-32280 Go crypto/x509 Intermediates DoS (<=1.26.2)
CVE-2026-32281 CVE-2026-32281: DoS via Policy Map Ineff in Go crypto/x509 <1.25.9, <1.26.2
CVE-2026-27144 Memory Corruption in Go Compiler (cmd/compile) <1.25.9, 1.26.0-1.26.2
CVE-2026-27143 Go cmd/compile 1.25.9/1.26.2 Induction Variable Underflow Vulnerability

Paul Bearne Author Avatars

CVE-2026-39690 Missing Auth in Author Avatars List/Block (WP) <=2.1.25

Axios

CVE-2026-39865 Axios Http2Sessions State Corrupt Before 1.13.2 Crash

Wp Delicious Delicious Recipes

CVE-2026-39528 WP Delicious Recipe Plugin Authorization Flaw (1.9.5)
 

Unclassified

CVE-2026-5357 WordPress Download Manager <=3.3.52 XSS via sid param in wpdm_members
CVE-2026-4429 OSM OSMP WordPress Plug <=6.1.15: Stored XSS via marker_name & file_color_list
CVE-2026-3574 XSS: Experto Dashboard WP Plugin 1.0.4 Settings Stored XSS
CVE-2026-5742 Stored XSS in UsersWP WP Plugin URL Fields (1.2.60)
CVE-2026-4124 Ziggeo WP Plugin <=3.1.1: Missing Auth via wp_ajax_ziggeo_ajax
CVE-2026-5831 OS Command Injection in Agions taskflow-ai 2.1.8 terminal_execute
CVE-2026-5842 decolua 9router 0.3.47 Auth Bypass via /api Admin API
CVE-2026-5833 Cmd Inject in awwaiid mcp-server-taskwarrior 1.0.1 server.setRequestHandler (local)
CVE-2026-5848 JimuReport <=2.3.0 Data Source Handler Code Injection via DriverManager
And others...

GitLab

CVE-2026-4916 GitLab CE/EE Privilege Escalation 18.2-18.8.8, 18.9-18.9.4, 18.10-18.10.2
CVE-2026-1101 GitLab EE Authenticated GraphQL DoS (18.218.10)
CVE-2026-2104 GitLab CE/EE Auth Bypass for CSV Export of Confidential Issues (v18.2-18.10)
CVE-2026-1752 GitLab EE Auth Bypass v11.318.8.9, v18.918.9.5, v18.1018.10.3
CVE-2025-12664 GitLab 13.0-18.10.3 GraphQL DoS via repeated queries
CVE-2026-4332 GitLab EE 18.2-18.10 XSS in Analytics Dashboards (before 18.8.9/18.9.5/18.10.3)
CVE-2025-9484 GitLab EE Authenticated GraphQL Email Disclosure CVE-2025-9484 (v16.6-18.9.4)
CVE-2026-1516 GitLab EE <=18.10.3 Authenticated IP Leak via Code Quality Reports
CVE-2026-2619 GitLab EE Priv Escal: Auditor edits vuln data (v18.6-18.8.9,18.9-18.9.5,18.10-18.10.3)
And others...

Tp Link

CVE-2026-30814 TP-Link Archer AX53 tmpServer Stack Buffer Overflow (v1.0)
CVE-2026-30815 OpenVPN OS Command Injection in TP-Link Archer AX53 v1.0 (before 1.7.1)
CVE-2026-30817 Fileread CVE-2026-30817 in TPLink AX53 OpenVPN module before v1.7.1
CVE-2026-30818 OS Command Injection in TP-Link Archer AX53 dnsmasq v1.0 (before 1.7.1)

Sonatype Nexus Repository Manager

CVE-2026-3438 Reflected XSS in Sonatype Nexus Repo 3.0.0-3.90.2 via Craft URL
CVE-2026-3199 Sonatype Nexus 3.22.1-3.90.2 Task Exec perm bypassing nexus.scripts.allowCreation

Red Hat Multicluster Engine

CVE-2025-57851 Privilege Escalation via GroupWritable /etc/passwd in MCE for K8s

Red Hat Openshift Update Service

CVE-2025-57854 Root Escalation via GroupWritable /etc/passwd in OSUS

Mitsubishielectric Genesis64

CVE-2025-14815 Cleartext Storage of SQL Credentials in Mitsubishi Electric GENESIS64 <10.97.3

Elastic Kibana

CVE-2026-33460 Kibana Auth Bypass via Unscoped Client Leaks Cross-Space Data
CVE-2026-4498 CVE-2026-4498: Kibana Fleet Plugin Debug Route Privilege Abuse (CWE-250)
CVE-2026-33459 Kibana Authenticated DoS via Excessive Allocation in Automatic Import
CVE-2026-33461 Kibana Internal API Auth Bypass Exposing Sensitive Config Data

Dell Powerscale Onefs

CVE-2026-27102 Dell PowerScale OneFS 9.5-9.13 Privilege Escalation via Incorrect Role Assignment
CVE-2026-24511 Dell PowerScale OneFS 9.5-9.13 Sensitive Error Leak

IBM Verify Identity Access Container

CVE-2026-1346 IBM Verify Access Privilege Escalation (Local) 10.0-10.0.9.1/11.0-11.0.2
CVE-2026-1343 IBM Verify Identity Access/10.0-10.0.9.1 Reverse Proxy Bypass

Blubrry

CVE-2026-2988 Blubrry PowerPress WP Plugin 11.15.15: Stored XSS via Powerpress & Podcast Shortcodes

Thimpress Learnpress

CVE-2026-4333 LearnPress 4.3.3 Stored XSS via skin attribute

Minio

CVE-2026-39414 MinIO S3 Select CSV memory exhaustion OOM via long lines

Themegoods Grandblog

CVE-2026-39632 ThemeGoods Grand Blog <=3.1 CSRF (grandblog)

Manoj Kumar Google Distance Calculator

CVE-2026-39674 MK Google Directions <=3.1.1 DOM-Based XSS CVE-2026-39674

G5theme G5plus April

CVE-2026-39714 Missing Authorization in G5Plus April <=6.8 (g5plus-april)

Dell Elastic Cloud Storage

CVE-2026-28261 Dell ECS/ObjScale: Sensitive Log Data (Pre-3.8.1.7/4.1.0.3) CVE-2026-28261

Dell

CVE-2026-28264 Dell PowerProtect Agent Service <20.1 Invalid Permission Assignment

Elastic Logstash

CVE-2026-33466 Logstash Archive Path Traversal Enables RCE

Red Hat Jboss Enterprise Bpms Platform

CVE-2025-58713 Container Priv Escal on /etc/passwd in Red Hat Process Automation Manager

Juniper Networks Junos

CVE-2025-30650 Juniper Junos OS (<22.4R3-S8) Missing Auth in Cmd Processing LPE

Ameliabooking

CVE-2026-39487 Amelia Booking <=2.1.1 Blind SQL Injection (CVE-2026-39487)

Automattic Wp Job Manager

CVE-2026-39660 Automattic WP Job Manager Missing Auth (<=2.4.1)

Wealcoder Animation Addons For Elementor

CVE-2026-39702 DOM-Based XSS in Wealcoder Animation Addons for Elementor <= v2.6.1

Red Hat Ansible Automation Platform

CVE-2025-57847 Ansible Automation Platform Container PrivEsc via Group-writable /etc/passwd

Latepoint

CVE-2026-4785 LatePoint Calendar Plugin XSS via button_caption (5.3.0)

IBM Tivoli Netcool Impact

CVE-2026-4788 IBM Tivoli Netcool Impact 7.1.0.x Log File Info Disclosure to Local User

Rapid7 Insight Agent

CVE-2026-4837 Rapid7 Insight Agent eval() injection in Linux beaconing logic

Awesomesupport

CVE-2026-4654 IDOR in Awesome Support WP plugin <=6.3.7 (wpas_get_ticket_replies_ajax)

Masteriyo

CVE-2026-5167 Masteriyo LMS 2.1.7 Auth Bypass via Unsigned Stripe Webhook

Red Hat Mirror Registry

CVE-2025-14243 OpenShift Mirror Registry Unauth Auth Failure Exposes Username/Email
CVE-2026-2377 Authenticated SSRF via Log Export in mirror-registry
CVE-2026-32589 Red Hat Quay Auth User Interferes with in-progress Image Upload
CVE-2026-32590 Code Execution via Malformed Resumable Uploads in Red Hat Quay
CVE-2026-32591 Red Hat Quay Proxy Cache Allows SSRF via Unverified Hostname

Eclipse Jetty

CVE-2026-5795 Jetty JASPIAuthenticator ThreadLocal Leak Causes Privilege Escalation

Red Hat Webterminal

CVE-2025-57853 Red Hat Web Terminal Container Priv Esc via Group-Writable /etc/passwd

Seedprod Coming Soon

CVE-2026-39464 SSRF in SeedProd Coming Soon Plugin <=6.19.8

Wpmu Dev Your All One Wordpress Platform Broken Link Checker

CVE-2026-39466 Broken Link Checker <=2.4.7 Blind SQL Injection

Syed Balkhi Userfeedback Lite

CVE-2026-39475 WordPress User Feedback Lite <=1.10.1 SQL Injection Vulnerability
CVE-2026-39476 Missing Authorization in User Feedback plugin (<=1.10.1)

Brainstorm Force Cartflows

CVE-2026-39477 CartFlows 2.2.3 Auth Bypass via ACL Misconfig

Brainstorm Force Suretriggers

CVE-2026-39479 Brainstorm Force OttoKit 1.1.20 and earlier Blind SQLi via suretriggers

John Darrel Hide My Wp

CVE-2026-39484 Hide My WP Ghost <7.0.00 Open Redirect (CVE-2026-39484)

Embedplus Youtube Embed Plus

CVE-2026-39485 Missing Auth in YouTube Embed Plus <=14.2.4: Exposed Configurable Access Control

Wp Chill Download Monitor

CVE-2026-39486 WP-Chill Download Monitor <=5.1.8 SQL Injection (Blind)