7.5

CVSS3.1

CVE-2026-4525 - Vault Token Leaked to Backends via Authorization: Bearer Passthrough Header

If a Vault auth mount is configured to pass through the "Authorization" header, and the "Authorization" header is used to authenticate to Vault, Vault forwarded the Vault token to the auth plugin backend. Fixed in 2.0.0, 1.21.5, 1.20.10, and 1.19.16.

📅 Published: April 17, 2026, 3 a.m. 🔄 Last Modified: April 17, 2026, 3 a.m.

5.3

CVSS3.1

CVE-2026-5052 - Vault Vulnerable to Server-Side Request Forgery in ACME Challenge Validation via Attacker-Controlle…

Vault’s PKI engine’s ACME validation did not reject local targets when issuing http-01 and tls-alpn-01 challenges. This may lead to these requests being sent to local network targets, potentially leading to information disclosure. Fixed in Vault Community Edition 2.0.0 and Vault Enterprise 2.0.0, 1…

📅 Published: April 17, 2026, 2:55 a.m. 🔄 Last Modified: April 17, 2026, 2:55 a.m.

8.1

CVSS3.1

CVE-2026-3605 - Vault KVv2 Metadata and Secret Deletion Policy Bypass Denial-of-Service

An authenticated user with access to a kvv2 path through a policy containing a glob may be able to delete secrets they were not authorized to read or write, resulting in denial-of-service. This vulnerability did not allow a malicious user to delete secrets across namespaces, nor read any secret dat…

📅 Published: April 17, 2026, 2:44 a.m. 🔄 Last Modified: April 17, 2026, 2:44 a.m.

6.5

CVSS3.1

CVE-2026-4666 - wpForo Forum <= 2.4.16 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Forum Post …

The wpForo Forum plugin for WordPress is vulnerable to unauthorized modification of data due to the use of `extract($args, EXTR_OVERWRITE)` on user-controlled input in the `edit()` method of `classes/Posts.php` in all versions up to, and including, 2.4.16. The `post_edit` action handler in `Actions…

📅 Published: April 17, 2026, 2:25 a.m. 🔄 Last Modified: April 17, 2026, 2:25 a.m.

6.5

CVSS3.1

CVE-2026-3488 - WP Statistics <= 14.16.4 - Missing Authorization to Authenticated (Subscriber+) Sensitive Informati…

The WP Statistics plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 14.16.4. This is due to missing capability checks on multiple AJAX handlers including `wp_statistics_get_filters`, `wp_statistics_getPrivacyStatus`, `wp_statistics_updatePrivacyStatus…

📅 Published: April 17, 2026, 1:24 a.m. 🔄 Last Modified: April 17, 2026, 1:24 a.m.
Load More Vulnerability
avatar

Mehmet Ince

@mdisec

CVE stats coming here

avatar

Nuri Çilengir

@ncilengir

CVE stats coming here

avatar

@aydinnyunus

CVE stats coming here

avatar

Onurcan Genç

@onurcangnc

CVE stats coming here

avatar

Seyit Sigirci

@h3xecute

CVE stats coming here

avatar

Ali İltizar

@iltosec

CVE stats coming here

avatar

@b3rsec

CVE stats coming here

avatar

@furkank

CVE stats coming here

avatar

kutaysec

@kutaysec

CVE stats coming here