CVSS 3.1 score: 5.3

CVE-2026-5347 - WP Books Gallery <= 4.8.0 - Missing Authorization to Unauthenticated Settings Update via 'permalink…

The HM Books Gallery plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 4.8.0. This is due to the absence of capability checks and nonce verification in the admin_init hook that handles the permalink settings update at lines 205-209 of wp-books-gallery.php. T…

📅 Published: April 24, 2026, 5:29 a.m. 🔄 Last Modified: April 24, 2026, 5:29 a.m.

CVSS 3.1 score: 8.1

CVE-2026-5364 - Drag and Drop File Upload for Contact Form 7 <= 1.1.3 - Unauthenticated Arbitrary File Upload via s…

The Drag and Drop File Upload for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file upload in versions up to, and including, 1.1.3. This is due to the plugin extracting the file extension before sanitization occurs and allowing the file type parameter to be controlled by the attac…

📅 Published: April 24, 2026, 5:29 a.m. 🔄 Last Modified: April 24, 2026, 5:29 a.m.

CVSS 4.0 score: 8.7

CVE-2026-6947 - D-Link|DWM-222W USB Wi-Fi Adapter - Brute-Force Protection Bypass

The DWM-222W USB Wi-Fi Adapter developed by D-Link has a Brute-Force Protection Bypass vulnerability, allowing unauthenticated attackers on an adjacent network to bypass login-attempt limits and brute-force credentials in order to gain control of the device.

📅 Published: April 24, 2026, 3:46 a.m. 🔄 Last Modified: April 24, 2026, 3:46 a.m.

CVSS 3.1 score: 7.5

CVE-2026-41324 - basic-ftp vulnerable to denial of service via unbounded memory consumption in Client.list()

basic-ftp is an FTP client for Node.js. Versions prior to 5.3.0 are vulnerable to denial of service through unbounded memory growth while processing directory listings from a remote FTP server. A malicious or compromised server can send an extremely large or never-ending listing response to `Client…

📅 Published: April 24, 2026, 3:28 a.m. 🔄 Last Modified: April 24, 2026, 3:28 a.m.

CVSS 3.1 score: 7.7

CVE-2026-41485 - Kyverno Controller Denial of Service via forEach Mutation Panic

Kyverno is a policy engine designed for cloud native platform engineering teams. Prior to versions 1.17.2 and 1.16.4, an unchecked type assertion in the `forEach` mutation handler allows any user with permission to create a `Policy` or `ClusterPolicy` to crash the cluster-wide background controller…

📅 Published: April 24, 2026, 3:27 a.m. 🔄 Last Modified: April 24, 2026, 3:27 a.m.

CVSS 3.1 score: 5.3

CVE-2026-2028 - Maxi Blocks <= 2.1.8 - Missing Authorization to Authenticated (Author+) Media File Deletion via 'ol…

The MaxiBlocks Builder plugin for WordPress is vulnerable to arbitrary media file deletion due to insufficient file ownership validation on the 'maxi_remove_custom_image_size' AJAX action in all versions up to, and including, 2.1.8. This makes it possible for authenticated attackers, with Author-le…

📅 Published: April 24, 2026, 3:27 a.m. 🔄 Last Modified: April 24, 2026, 3:27 a.m.

CVSS 3.1 score: 5.3

CVE-2026-5488 - ExactMetrics <= 9.1.2 - Authenticated (Subscriber+) Missing Authorization to Google Ads Access Toke…

The ExactMetrics – Google Analytics Dashboard for WordPress plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 9.1.2. This is due to missing capability checks in the get_ads_access_token() and reset_experience() AJAX handlers. While the mi-admin-nonce is loc…

📅 Published: April 24, 2026, 3:27 a.m. 🔄 Last Modified: April 24, 2026, 3:27 a.m.

CVSS 3.1 score: 4.3

CVE-2026-6393 - BetterDocs <= 4.3.11 - Missing Authorization to Authenticated (Subscriber+) Unauthorized AI API Usa…

The BetterDocs plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 4.3.11. This is due to a missing capability check in the generate_openai_content_callback() function, which relies solely on a nonce rather than verifying user permissions. This makes it possi…

📅 Published: April 24, 2026, 3:27 a.m. 🔄 Last Modified: April 24, 2026, 3:27 a.m.

CVSS 3.1 score: 8.1

CVE-2026-41323 - Kyverno: ServiceAccount token leaked to external servers via apiCall service URL

Kyverno is a policy engine designed for cloud native platform engineering teams. Prior to versions 1.18.0-rc1, 1.17.2-rc1, and 1.16.4, Kyverno's apiCall feature in ClusterPolicy automatically attaches the admission controller's ServiceAccount token to outgoing HTTP requests. The service URL has no …

📅 Published: April 24, 2026, 3:21 a.m. 🔄 Last Modified: April 24, 2026, 3:21 a.m.

CVSS 3.1 score: 7.7

CVE-2026-41068 - Kyverno: Cross-Namespace Read Bypasses RBAC Isolation (CVE-2026-22039 Incomplete Fix)

Kyverno is a policy engine designed for cloud native platform engineering teams. The patch for CVE-2026-22039 fixed cross-namespace privilege escalation in Kyverno's `apiCall` context by validating the `URLPath` field. However, the ConfigMap context loader has the identical vulnerability — the `con…

📅 Published: April 24, 2026, 3:14 a.m. 🔄 Last Modified: April 24, 2026, 3:14 a.m.
Total results: 346283