NVD Vulnerability Information Top

Show Search Menu

Vendor Name
プロダクト・サービス名
Title
CVE
CRITICAL
HIGH
MEDIUM
LOW
CWE
In descending order of publication date
In descending order of update date
Number of items displayed

NVD Vulnerability Information Top

You can search the list of vulnerabilities managed by the NVD (National Vulnerability Database).
Since vulnerability information is often updated before JVN (Japan Vulnerability Note), vulnerabilities that are not listed in JVN may be updated.

If there is a vulnerability related to JVN (Japan Vulnerability Note), the information will be displayed on the detail page.

To search by CWE, please refer to the CWE Overview and check the CWE number.

CRITICAL
HIGH
MEDIUM
LOW

Update Date:May 5, 2026, 4:51 a.m.

No	CVSS	Level Attach Vector	Vendor Name	Project Name	Title	CWE	CVE	Update Date	Publication Date	Show Affected	Exploit PoC Search
3851	-	-	-	-	A client holding only a read JWT scope can still register itself as a signal provider through the production kuksa.val.v2 OpenProviderStream API by sending ProvideSignalRequest. 1. Obtain any valid …	CWE-306 Missing Authentication for Critical Function	CVE-2026-6272	2026-04-24 23:39	2026-04-24	Show	GitHub Exploit DB Packet Storm

3852	5.3	MEDIUM Network	-	-	The MaxiBlocks Builder plugin for WordPress is vulnerable to arbitrary media file deletion due to insufficient file ownership validation on the 'maxi_remove_custom_image_size' AJAX action in all vers…	CWE-639 Authorization Bypass Through User-Controlled Key	CVE-2026-2028	2026-04-24 23:38	2026-04-24	Show	GitHub Exploit DB Packet Storm

3853	4.3	MEDIUM Network	-	-	The BetterDocs plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 4.3.11. This is due to a missing capability check in the generate_openai_content_callback() …	CWE-862 Missing Authorization	CVE-2026-6393	2026-04-24 23:38	2026-04-24	Show	GitHub Exploit DB Packet Storm

3854	5.3	MEDIUM Network	-	-	The ExactMetrics – Google Analytics Dashboard for WordPress plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 9.1.2. This is due to missing capability checks…	CWE-862 Missing Authorization	CVE-2026-5488	2026-04-24 23:38	2026-04-24	Show	GitHub Exploit DB Packet Storm

3855	5.3	MEDIUM Network	-	-	The HM Books Gallery plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 4.8.0. This is due to the absence of capability checks and nonce verification in the a…	CWE-862 Missing Authorization	CVE-2026-5347	2026-04-24 23:38	2026-04-24	Show	GitHub Exploit DB Packet Storm

3856	8.1	HIGH Network	-	-	The Drag and Drop File Upload for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file upload in versions up to, and including, 1.1.3. This is due to the plugin extracting the file ext…	CWE-434 Unrestricted Upload of File with Dangerous Type	CVE-2026-5364	2026-04-24 23:38	2026-04-24	Show	GitHub Exploit DB Packet Storm

3857	6.4	MEDIUM Network	-	-	The Royal Elementor Addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via image captions in the Image Grid/Slider/Carousel widget in versions up to and including 1.7.1056. This…	CWE-79 Cross-site Scripting	CVE-2026-5428	2026-04-24 23:38	2026-04-24	Show	GitHub Exploit DB Packet Storm

3858	5.3	MEDIUM Network	-	-	The Booking Calendar Contact Form plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.2.63 via the dex_bccf_admin_int_calendar_list.inc.php …	CWE-639 Authorization Bypass Through User-Controlled Key	CVE-2026-6810	2026-04-24 23:38	2026-04-24	Show	GitHub Exploit DB Packet Storm

3859	4.3	MEDIUM Network	-	-	The HubSpot All-In-One Marketing - Forms, Popups, Live Chat plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 11.3.32 via the leadin/public/ad…	CWE-862 Missing Authorization	CVE-2025-11762	2026-04-24 23:38	2026-04-24	Show	GitHub Exploit DB Packet Storm

3860	4.3	MEDIUM Network	-	-	The Taqnix plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.3. This is due to a missing nonce verification in the taqnix_delete_my_account() …	CWE-352 Origin Validation Error	CVE-2026-3565	2026-04-24 23:38	2026-04-24	Show	GitHub Exploit DB Packet Storm

3861	5.3	MEDIUM Network	-	-	The Liaison Site Prober plugin for WordPress is vulnerable to Information Exposure in all versions up to and including 1.2.1 via the /wp-json/site-prober/v1/logs REST API endpoint. The permissions_re…	CWE-862 Missing Authorization	CVE-2026-3569	2026-04-24 23:38	2026-04-24	Show	GitHub Exploit DB Packet Storm

3862	6.4	MEDIUM Network	-	-	The ITERAS plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple shortcodes (iteras-ordering, iteras-signup, iteras-paywall-login, iteras-selfservice) in all versions up to a…	CWE-79 Cross-site Scripting	CVE-2026-4078	2026-04-24 23:38	2026-04-24	Show	GitHub Exploit DB Packet Storm

3863	6.5	MEDIUM Network	dnnsoftware	dotnetnuke	DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. All new installations of DNN 10.x.x - 10.2.1 have the same Host GUID. This does not affec…	CWE-330 Use of Insufficiently Random Values	CVE-2026-40306	2026-04-24 23:29	2026-04-18	Show	GitHub Exploit DB Packet Storm

3864	4.7	MEDIUM Network	oracle	applications_framework	Vulnerability in the Oracle Applications Framework product of Oracle E-Business Suite (component: Personalization). Supported versions that are affected are 12.2.9-12.2.15. Easily exploitable vulner…	CWE-284 Improper Access Control	CVE-2026-34298	2026-04-24 23:29	2026-04-22	Show	GitHub Exploit DB Packet Storm

3865	6.5	MEDIUM Network	oracle	peoplesoft_enterprise_fin_maintenance_management	Vulnerability in the PeopleSoft Enterprise FIN Maintenance Management product of Oracle PeopleSoft (component: Work Order Management). The supported version that is affected is 9.2. Easily exploita…	CWE-284 Improper Access Control	CVE-2026-34299	2026-04-24 23:28	2026-04-22	Show	GitHub Exploit DB Packet Storm

3866	6.5	MEDIUM Network	oracle	peoplesoft_enterprise_fin_maintenance_management	Vulnerability in the PeopleSoft Enterprise FIN Maintenance Management product of Oracle PeopleSoft (component: Work Order Management). The supported version that is affected is 9.2. Easily exploita…	CWE-284 Improper Access Control	CVE-2026-34301	2026-04-24 23:28	2026-04-22	Show	GitHub Exploit DB Packet Storm

3867	5.5	MEDIUM Network	oracle	workflow	Vulnerability in the Oracle Workflow product of Oracle E-Business Suite (component: Workflow Loader). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows…	CWE-284 Improper Access Control	CVE-2026-34302	2026-04-24 23:27	2026-04-22	Show	GitHub Exploit DB Packet Storm

3868	7.5	HIGH Network	oracle	weblogic_server	Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Web Services). Supported versions that are affected are 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0 and 15.1.1.0.0…	CWE-200 Information Exposure	CVE-2026-34305	2026-04-24 23:27	2026-04-22	Show	GitHub Exploit DB Packet Storm

3869	6.5	MEDIUM Network	oracle	peoplesoft_enterprise_fin_project_costing	Vulnerability in the PeopleSoft Enterprise FIN Project Costing product of Oracle PeopleSoft (component: Projects). The supported version that is affected is 9.2. Easily exploitable vulnerability al…	CWE-284 Improper Access Control	CVE-2026-34306	2026-04-24 23:26	2026-04-22	Show	GitHub Exploit DB Packet Storm

3870	5.4	MEDIUM Network	oracle	peoplesoft_enterprise_peopletools	Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Workflow). Supported versions that are affected are 8.61-8.62. Easily exploitable vulnerability allows…	CWE-284 Improper Access Control	CVE-2026-34307	2026-04-24 23:26	2026-04-22	Show	GitHub Exploit DB Packet Storm

3871	8.1	HIGH Network	oracle	peoplesoft_enterprise_peopletools	Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Security). Supported versions that are affected are 8.61-8.62. Easily exploitable vulnerability allows…	CWE-284 Improper Access Control	CVE-2026-34309	2026-04-24 23:25	2026-04-22	Show	GitHub Exploit DB Packet Storm

3872	7.5	HIGH Network	oracle	financial_services_analytical_applications_infrastructure	Vulnerability in the Oracle Financial Services Analytical Applications Infrastructure product of Oracle Financial Services Applications (component: Platform). Supported versions that are affected ar…	CWE-284 Improper Access Control	CVE-2026-34310	2026-04-24 23:25	2026-04-22	Show	GitHub Exploit DB Packet Storm

3873	6.5	MEDIUM Network	oracle	weblogic_server	Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Web Services). Supported versions that are affected are 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0 and 15.1.1.0.0…	CWE-285 CWE-601 Improper Authorization Open Redirect	CVE-2026-34315	2026-04-24 23:24	2026-04-22	Show	GitHub Exploit DB Packet Storm

3874	8.1	HIGH Network	sysadminsmedia	homebox	HomeBox is a home inventory and organization system. Versions prior to 0.25.0 contain a vulnerability where the defaultGroup ID remained permanently assigned to a user after being invited to a group,…	CWE-708 Incorrect Ownership Assignment	CVE-2026-40196	2026-04-24 23:23	2026-04-18	Show	GitHub Exploit DB Packet Storm

3875	7.2	HIGH Network	dolibarr	dolibarr_erp\/crm	Dolibarr ERP/CRM versions prior to 23.0.2 contain an authenticated remote code execution vulnerability in the dol_eval_standard() function that fails to apply forbidden string checks in whitelist mod…	CWE-95 CWE-94 Eval Injection Code Injection	CVE-2026-22666	2026-04-24 23:20	2026-04-7	Show	GitHub Exploit DB Packet Storm

3876	3.7	LOW Network	vmware	spring_security	Vulnerability in Spring Spring Security. If an application is using the UserDetails#isEnabled, #isAccountNonExpired, or #isAccountNonLocked user attributes, to enable, expire, or lock users, then Dao…	CWE-208 Information Exposure Through Timing Discrepancy	CVE-2026-22746	2026-04-24 23:20	2026-04-22	Show	GitHub Exploit DB Packet Storm

3877	8.1	HIGH Network	vmware	spring_security	Vulnerability in Spring Spring Security. SubjectX500PrincipalExtractor does not correctly handle certain malformed X.509 certificate CN values, which can lead to reading the wrong value for the usern…	CWE-297 Improper Validation of Certificate with Host Mismatch	CVE-2026-22747	2026-04-24 23:18	2026-04-22	Show	GitHub Exploit DB Packet Storm

3878	6.5	MEDIUM Network	vmware	spring_security	Vulnerability in Spring Spring Security. When an application configures JWT decoding with NimbusJwtDecoder or NimbusReactiveJwtDecoder, it must configure an OAuth2TokenValidator<Jwt> separately, for…	CWE-20 Improper Input Validation	CVE-2026-22748	2026-04-24 23:18	2026-04-22	Show	GitHub Exploit DB Packet Storm

3879	7.5	HIGH Network	vmware	spring_security	Vulnerability in Spring Spring Security. If an application is using securityMatchers(String) and a PathPatternRequestMatcher.Builder bean to prepend a servlet path, matching requests to that filter c…	CWE-693 Protection Mechanism Failure	CVE-2026-22753	2026-04-24 23:17	2026-04-22	Show	GitHub Exploit DB Packet Storm

3880	7.5	HIGH Network	vmware	spring_security	Vulnerability in Spring Spring Security. If an application uses <sec:intercept-url servlet-path="/servlet-path" pattern="/endpoint/**"/> to define the servlet path for computing a path matcher, then …	CWE-284 Improper Access Control	CVE-2026-22754	2026-04-24 23:16	2026-04-22	Show	GitHub Exploit DB Packet Storm

3881	5.5	MEDIUM Local	libsixel saitoha	libsixel	stb_image.h (aka the stb image loader) 2.19, as used in libsixel and other products, has a reachable assertion in stbi__create_png_image_raw.	CWE-617 Reachable Assertion	CVE-2022-27938	2026-04-24 23:12	2022-03-26	Show	GitHub Exploit DB Packet Storm

3882	5.5	MEDIUM Local	libsixel saitoha	libsixel	stb_image.h (también se conoce como el cargador de imágenes de stb) versión 2.19, como es usado en libsixel y otros productos, presenta una aserción alcanzable en la función stbi__create_png_image_raw	CWE-617 Reachable Assertion	CVE-2022-27938	2026-04-24 23:12	2022-03-26	Show	GitHub Exploit DB Packet Storm

3883	7.2	HIGH Network	mintplexlabs	anythingllm	A path traversal vulnerability exists in mintplex-labs/anything-llm versions up to and including 1.9.1, within the `AgentFlows` component. The vulnerability arises from improper handling of user inpu…	CWE-29 Path Traversal: '\..\filename'	CVE-2026-5627	2026-04-24 22:57	2026-04-7	Show	GitHub Exploit DB Packet Storm

3884	7.5	HIGH Network	nestjs	nest	Nest is a framework for building scalable Node.js server-side applications. Prior to 11.1.19, when an attacker sends many small, valid JSON messages in one TCP frame, handleData() recurses once per m…	CWE-674 Uncontrolled Recursion	CVE-2026-40879	2026-04-24 22:46	2026-04-22	Show	GitHub Exploit DB Packet Storm

3885	5.0	MEDIUM Network	openfga	helm_charts openfga	OpenFGA is an authorization/permission engine built for developers. Prior to version 1.14.1, in specific scenarios, models using conditions with caching enabled can result in two different check requ…	CWE-706 CWE-863 Use of Incorrectly-Resolved Name or Reference Incorrect Authorization	CVE-2026-41131	2026-04-24 22:44	2026-04-22	Show	GitHub Exploit DB Packet Storm

3886	7.8	HIGH Local	saitoha	libsixel	A vulnerability was found in saitoha libsixel up to 1.10.3. Affected by this issue is the function sixel_debug_print_palette of the file src/encoder.c of the component img2sixel. The manipulation res…	CWE-119 CWE-121 CWE-787 Incorrect Access of Indexable Resource ('Range Error') Stack-based Buffer Overflow Out-of-bounds Write	CVE-2025-9300	2026-04-24 22:44	2025-08-21	Show	GitHub Exploit DB Packet Storm

3887	7.8	HIGH Local	saitoha	libsixel	Se encontró una vulnerabilidad en saitoha libsixel hasta la versión 1.10.3. Este problema afecta a la función sixel_debug_print_palette del archivo src/encoder.c del componente img2sixel. La manipula…	CWE-119 CWE-121 CWE-787 Incorrect Access of Indexable Resource ('Range Error') Stack-based Buffer Overflow Out-of-bounds Write	CVE-2025-9300	2026-04-24 22:44	2025-08-21	Show	GitHub Exploit DB Packet Storm

3888	8.8	HIGH Local	packagekit_project	packagekit	PackageKit is a a D-Bus abstraction layer that allows the user to manage packages in a secure way using a cross-distro, cross-architecture API. PackageKit between and including versions 1.0.2 and 1.3…	CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition	CVE-2026-41651	2026-04-24 22:43	2026-04-22	Show	GitHub Exploit DB Packet Storm

3889	7.5	HIGH Network	coturn_project	coturn	Coturn is a free open source implementation of TURN and STUN Server. Prior to 4.10.0, the STUN/TURN attribute parsing functions in coturn perform unsafe pointer casts from uint8_t * to uint16_t * wit…	CWE-704 Incorrect Type Conversion or Cast	CVE-2026-40613	2026-04-24 22:41	2026-04-22	Show	GitHub Exploit DB Packet Storm

3890	7.5	HIGH Network	protocol	libp2p	libp2p-rust is the official rust language Implementation of the libp2p networking stack. Prior to 0.17.1, libp2p-rendezvous server has no limit on how many namespaces a single peer can register. A m…	CWE-770 Allocation of Resources Without Limits or Throttling	CVE-2026-35405	2026-04-24 22:37	2026-04-8	Show	GitHub Exploit DB Packet Storm

3891	6.5	MEDIUM Network	libsixel	libsixel	In Libsixel prior to and including v1.10.3, a NULL pointer dereference in the stb_image.h component of libsixel allows attackers to cause a denial of service (DOS) via a crafted PICT file.	CWE-476 NULL Pointer Dereference	CVE-2021-45340	2026-04-24 22:35	2022-01-25	Show	GitHub Exploit DB Packet Storm

3892	6.5	MEDIUM Network	libsixel	libsixel	En Libsixel versiones anteriores a v1.10.3 incluyéndola, una desreferencia de puntero NULL en el componente stb_image.h de libsixel permite a atacantes causar una denegación de servicio (DOS) por med…	CWE-476 NULL Pointer Dereference	CVE-2021-45340	2026-04-24 22:35	2022-01-25	Show	GitHub Exploit DB Packet Storm

3893	8.8	HIGH Network	libsixel	libsixel	libsixel before 1.10 is vulnerable to Buffer Overflow in libsixel/src/quant.c:867.	CWE-787 Out-of-bounds Write	CVE-2021-40656	2026-04-24 22:34	2022-04-9	Show	GitHub Exploit DB Packet Storm

3894	8.8	HIGH Network	libsixel	libsixel	libsixel versiones anteriores a 1.10, es vulnerable a un desbordamiento del búfer en libsixel/src/quant.c:867	CWE-787 Out-of-bounds Write	CVE-2021-40656	2026-04-24 22:34	2022-04-9	Show	GitHub Exploit DB Packet Storm

3895	6.5	MEDIUM Network	saitoha	libsixel	An invalid read in the stb_image.h component of libsixel prior to v1.8.5 allows attackers to cause a denial of service (DOS) via a crafted PSD file.	CWE-125 Out-of-bounds Read	CVE-2020-21049	2026-04-24 22:34	2021-09-15	Show	GitHub Exploit DB Packet Storm

3896	6.5	MEDIUM Network	saitoha	libsixel	Una lectura no válida en el componente stb_image.h de libsixel versiones anteriores a v1.8.5, permite a atacantes causar una denegación de servicio (DOS) por medio de un archivo PSD diseñado	CWE-125 Out-of-bounds Read	CVE-2020-21049	2026-04-24 22:34	2021-09-15	Show	GitHub Exploit DB Packet Storm

3897	4.8	MEDIUM Network	mitmproxy	mitmproxy	mitmproxy is a interactive TLS-capable intercepting HTTP proxy for penetration testers and software developers and mitmweb is a web-based interface for mitmproxy. In mitmproxy 12.2.1 and below, the b…	CWE-90 LDAP Injection	CVE-2026-40606	2026-04-24 22:33	2026-04-22	Show	GitHub Exploit DB Packet Storm

3898	8.2	HIGH Network	protocol	libp2p	libp2p-rust is the official rust language Implementation of the libp2p networking stack. Prior to 0.17.1, the rendezvous server stores pagination cookies without bounds. An unauthenticated peer can r…	CWE-770 Allocation of Resources Without Limits or Throttling	CVE-2026-35457	2026-04-24 22:32	2026-04-8	Show	GitHub Exploit DB Packet Storm

3899	2.7	LOW Network	openbao	openbao	OpenBao is an open source identity-based secrets management system. OpenBao's namespaces provide multi-tenant separation. Prior to version 2.5.3, a tenant who leaks token accessors can have their tok…	CWE-1259 Improper Restriction of Security Token Assignment	CVE-2026-40264	2026-04-24 22:29	2026-04-21	Show	GitHub Exploit DB Packet Storm

3900	4.9	MEDIUM Network	openbao	openbao	OpenBao is an open source identity-based secrets management system. Prior to version 2.5.3, when OpenBao revoked privileges on a role in the PostgreSQL database secrets engine, OpenBao failed to use …	CWE-89 SQL Injection	CVE-2026-39946	2026-04-24 22:28	2026-04-21	Show	GitHub Exploit DB Packet Storm