|
1111
|
- |
|
-
|
-
|
Oxia is a metadata store and coordination system. Prior to 0.16.2, the OIDC authentication provider unconditionally sets SkipClientIDCheck: true in the go-oidc verifier configuration, disabling the s…
New
|
CWE-287
Improper Authentication
|
CVE-2026-40946
|
2026-04-23 05:28 |
2026-04-22 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1112
|
4.3 |
MEDIUM
Network
|
-
|
-
|
BigBlueButton is an open-source virtual classroom. Versions prior to 3.0.24 have an Open Redirect through bigbluebutton/api/join via get-parameter "logoutURL." Version 3.0.24 has adjusted the handlin…
New
|
CWE-601
Open Redirect
|
CVE-2026-41126
|
2026-04-23 05:26 |
2026-04-22 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1113
|
6.5 |
MEDIUM
Network
|
-
|
-
|
BigBlueButton is an open-source virtual classroom. Versions prior to 3.0.24 have a missing authorization that allows viewers to inject/overwrite captions Version 3.0.24 tightened the permissions on w…
New
|
CWE-639
Authorization Bypass Through User-Controlled Key
|
CVE-2026-41127
|
2026-04-23 05:26 |
2026-04-22 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1114
|
- |
|
-
|
-
|
Craft CMS is a content management system (CMS). In versions 5.6.0 through 5.9.14, the `actionSavePermissions()` endpoint allows a user with only `viewUsers` permission to remove arbitrary users from …
New
|
CWE-862
Missing Authorization
|
CVE-2026-41128
|
2026-04-23 05:26 |
2026-04-22 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1115
|
- |
|
-
|
-
|
Craft CMS is a content management system (CMS). Versions on the 4.x branch through 4.17.8 and the 5.x branch through 5.9.14 are vulnerable to Server-Side Request Forgery. The exploitation requires a …
New
|
CWE-918
Server-Side Request Forgery (SSRF)
|
CVE-2026-41129
|
2026-04-23 05:26 |
2026-04-22 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1116
|
- |
|
-
|
-
|
Craft CMS is a content management system (CMS). In versions on the 4.x branch through 4.17.8 and the 5.x branch through 5.9.14, the `resource-js` endpoint in Craft CMS allows unauthenticated requests…
New
|
CWE-918
Server-Side Request Forgery (SSRF)
|
CVE-2026-41130
|
2026-04-23 05:26 |
2026-04-22 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1117
|
6.4 |
MEDIUM
Network
|
-
|
-
|
The Royal Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Instagram Feed widget's 'instagram_follow_text' setting in all versions up to, and including, …
Update
|
CWE-79
Cross-site Scripting
|
CVE-2026-5162
|
2026-04-23 05:22 |
2026-04-17 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1118
|
6.5 |
MEDIUM
Network
|
-
|
-
|
The Tutor LMS plugin for WordPress is vulnerable to SQL Injection in versions up to and including 3.9.8. This is due to insufficient escaping on the 'date' parameter combined with direct interpolatio…
Update
|
CWE-89
SQL Injection
|
CVE-2026-6080
|
2026-04-23 05:22 |
2026-04-17 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1119
|
6.5 |
MEDIUM
Network
|
-
|
-
|
The WP Statistics plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 14.16.4. This is due to missing capability checks on multiple AJAX handlers includi…
Update
|
CWE-862
Missing Authorization
|
CVE-2026-3488
|
2026-04-23 05:22 |
2026-04-17 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1120
|
9.8 |
CRITICAL
Network
|
-
|
-
|
All plugins by Essentialplugin for WordPress are vulnerable to an injected backdoor in various versions. This is due to the plugin being sold to a malicious threat actor that embedded a backdoor in a…
Update
|
CWE-506
Embedded Malicious Code
|
CVE-2026-6443
|
2026-04-23 05:22 |
2026-04-17 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
