|
1311
|
8.8 |
HIGH
Network
|
apache
|
storm
|
Deserialization of Untrusted Data vulnerability in Apache Storm.
Versions Affected:
before 2.8.6.
Description:
When processing topology credentials submitted via the Nimbus Thrift API, Storm deser…
|
CWE-502
Deserialization of Untrusted Data
|
CVE-2026-35337
|
2026-04-16 00:54 |
2026-04-13 |
|
1312
|
5.4 |
MEDIUM
Network
|
apache
|
storm
|
Stored Cross-Site Scripting (XSS) via Unsanitized Topology Metadata in Apache Storm UI
Versions Affected: before 2.8.6
Description: The Storm UI visualization component interpolates topology meta…
|
CWE-79
Cross-site Scripting
|
CVE-2026-35565
|
2026-04-16 00:53 |
2026-04-13 |
|
1313
|
4.3 |
MEDIUM
Network
|
apache
|
openmeetings
|
Improper Handling of Insufficient Privileges vulnerability in Apache OpenMeetings.
Any registered user can query the web service with their credentials and get files/sub-folders of any folder by ID (met…
|
CWE-274
Improper Handling of Insufficient Privileges
|
CVE-2026-33005
|
2026-04-16 00:27 |
2026-04-10 |
|
1314
|
7.5 |
HIGH
Network
|
apache
|
openmeetings
|
Use of Hard-coded Cryptographic Key vulnerability in Apache OpenMeetings.
The remember-me cookie encryption key is set to a default value in openmeetings.properties and is not auto-rotated. In case…
|
CWE-321
Use of Hard-coded Cryptographic Key
|
CVE-2026-33266
|
2026-04-16 00:21 |
2026-04-10 |
|
1315
|
7.5 |
HIGH
Network
|
apache
|
openmeetings
|
Use of GET Request Method With Sensitive Query Strings vulnerability in Apache OpenMeetings.
The REST login endpoint uses HTTP GET method with username and password passed as query parameters. Pleas…
|
CWE-598
Information Exposure Through Query Strings in GET Request
|
CVE-2026-34020
|
2026-04-16 00:21 |
2026-04-10 |
|
1316
|
6.5 |
MEDIUM
Network
|
-
|
-
|
The YML for Yandex Market WordPress plugin before 5.0.26 is vulnerable to Remote Code Execution via the feed generation process.
|
-
|
CVE-2025-14545
|
2026-04-16 00:05 |
2026-04-10 |
|
1317
|
6.5 |
MEDIUM
Network
|
-
|
-
|
The YITH WooCommerce Wishlist WordPress plugin before 4.13.0 does not properly validate wishlist ownership in the save_title() AJAX handler before allowing wishlist renaming operations. The function …
|
-
|
CVE-2026-4432
|
2026-04-16 00:05 |
2026-04-10 |
|
1318
|
6.8 |
MEDIUM
Network
|
-
|
-
|
The Form Maker by 10Web WordPress plugin before 1.15.38 does not properly prepare SQL queries when the "MySQL Mapping" feature is in use, which could make SQL Injection attacks possible in certain c…
|
CWE-89
SQL Injection
|
CVE-2025-15441
|
2026-04-16 00:05 |
2026-04-13 |
|
1319
|
8.6 |
HIGH
Network
|
-
|
-
|
The Product Filter for WooCommerce by WBW WordPress plugin before 3.1.3 does not sanitize and escape a parameter before using it in a SQL statement, allowing unauthenticated users to perform SQL inje…
|
CWE-89
SQL Injection
|
CVE-2026-3830
|
2026-04-16 00:05 |
2026-04-13 |
|
1320
|
9.1 |
CRITICAL
Network
|
-
|
-
|
V2Board 1.6.1 through 1.7.4 and Xboard through 0.1.9 expose authentication tokens in HTTP response bodies of the loginWithMailLink endpoint when the login_with_mail_link_enable feature is active. Una…
|
CWE-201
Insertion of Sensitive Information Into Sent Data
|
CVE-2026-39912
|
2026-04-16 00:00 |
2026-04-10 |