🛡️ CVE Tracker
Latest 50 CVEs from the NIST National Vulnerability Database — updated every 6 hours.
Last fetched: Sat, 16 May 2026 11:41:03 GMT CRITICAL: 9 HIGH: 19 MEDIUM: 12 LOW: 2
| CVE ID | Published | Score | Severity | Description |
|---|---|---|---|---|
| CVE-2026-33122 | 2026-04-16 | 9.8 | CRITICAL | DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below contain a SQL injection vulnerability in the API datasource update process. When a new table definition… |
| CVE-2025-54502 | 2026-04-16 | — | N/A | Incorrect use of boot service in the AMD Platform Configuration Blob (APCB) SMM driver could allow a privileged attacker with local access (Ring 0) to achieve privilege escalation potentially resultin… |
| CVE-2026-6442 | 2026-04-16 | 8.3 | HIGH | Improper validation of bash commands in Snowflake Cortex Code CLI versions prior to 1.0.25 allowed subsequent commands to execute outside the sandbox. An attacker could exploit this by embedding speci… |
| CVE-2026-33121 | 2026-04-16 | 8.8 | HIGH | DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below contain a SQL injection vulnerability in the API datasource saving process. The deTableName field from … |
| CVE-2026-33084 | 2026-04-16 | 8.8 | HIGH | DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below contain a SQL injection vulnerability in the sort parameter of the /de2api/datasetData/enumValueObj end… |
| CVE-2025-54510 | 2026-04-16 | — | N/A | A missing lock verification in AMD Secure Processor (ASP) firmware may permit a locally authenticated attacker with administrative privileges to alter MMIO routing on some Zen 5-based products, potent… |
| CVE-2025-43937 | 2026-04-16 | 6.6 | MEDIUM | Dell PowerScale OneFS, versions prior to 9.12.0.0, contains an insertion of sensitive information into log file vulnerability. A low privileged attacker with local access could potentially exploit thi… |
| CVE-2025-43935 | 2026-04-16 | 4.4 | MEDIUM | Dell PowerScale OneFS, versions prior to 9.12.0.0, contains an improper resource shutdown or release vulnerability. A high privileged attacker with local access could potentially exploit this vulnerab… |
| CVE-2023-20585 | 2026-04-16 | — | N/A | Insufficient checks of the RMP on host buffer access in IOMMU may allow an attacker with privileges and a compromised hypervisor to trigger an out of bounds condition without RMP checks, resulting in … |
| CVE-2026-41082 | 2026-04-16 | 7.3 | HIGH | In OCaml opam before 2.5.1, a .install field containing a destination filepath can use ../ to reach a parent directory. |
| CVE-2026-33083 | 2026-04-16 | 8.8 | HIGH | DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below contain a SQL injection vulnerability in the orderDirection parameter used in dataset-related endpoints… |
| CVE-2026-33082 | 2026-04-16 | 9.8 | CRITICAL | DataEase is an open source data visualization analysis tool. Versions 2.10.20 and below contain a SQL injection vulnerability in the dataset export functionality. The expressionTree parameter in POST … |
| CVE-2026-2336 | 2026-04-16 | — | N/A | A privilege escalation vulnerability in Microchip IStaX allows an authenticated low-privileged user to recover a shared per-device cookie secret from their own webstax_auth session cookie and forge a … |
| CVE-2026-27820 | 2026-04-16 | — | N/A | zlib is a Ruby interface for the zlib compression/decompression library. Versions 3.0.0 and below, 3.1.0, 3.1.1, 3.2.0 and 3.2.1 contain a buffer overflow vulnerability in the Zlib::GzipReader. The zs… |
| CVE-2026-24749 | 2026-04-16 | 5.3 | MEDIUM | The Silverstripe Assets Module is a required component of Silverstripe Framework. In versions prior to 2.4.5 and 3.0.0-rc1 through 3.1.2, images rendered in templates or otherwise accessed via DBFile:… |
| CVE-2025-43883 | 2026-04-16 | 4.1 | MEDIUM | Dell PowerScale OneFS, versions prior to 9.12.0.0, contains an improper check for unusual or exceptional conditions vulnerability. A high privileged attacker with local access could potentially exploi… |
| CVE-2026-41080 | 2026-04-16 | 2.9 | LOW | libexpat before 2.8.0 uses insufficient entropy, and thus hash flooding can occur via a crafted XML document. |
| CVE-2025-36579 | 2026-04-16 | 5.1 | MEDIUM | Dell Client Platform BIOS contains a Weak Password Recovery Mechanism vulnerability. An unauthenticated attacker with physical access to the system could potentially exploit this vulnerability, leadin… |
| CVE-2026-5426 | 2026-04-16 | 7.5 | HIGH | Hard-coded ASP.NET/IIS machineKey value in Digital Knowledge KnowledgeDeliver deployments prior to February 24, 2026 allows adversaries to circumvent ViewState validation mechanisms and achieve remote… |
| CVE-2026-37100 | 2026-04-16 | 6.5 | MEDIUM | An issue in the Bluetooth Low Energy (BLE) control interface of the Yamaha SR-B30A sound bar firmware 2.40 (Mobile App: Sound Bar Remote / version: 2.40) allows remote attackers within BLE radio range… |
| CVE-2026-6409 | 2026-04-16 | — | N/A | A Denial of Service (DoS) vulnerability exists in the Protobuf PHP library during the parsing of untrusted input. Maliciously structured messages—specifically those containing negative varints or deep… |
| CVE-2026-3324 | 2026-04-16 | 8.2 | HIGH | Zohocorp ManageEngine Log360 versions 13000 through 13013 are vulnerable to authentication bypass on certain actions due to improper filter configuration. |
| CVE-2026-37347 | 2026-04-16 | 9.1 | CRITICAL | SourceCodester Payroll Management and Information System v1.0 is vulnerable to SQL Injection in the file /payroll/view_employee.php. |
| CVE-2026-37346 | 2026-04-16 | 4.7 | MEDIUM | SourceCodester Payroll Management and Information System v1.0 is vulnerable to SQL Injection in the file /payroll/view_account.php?emp_id=. |
| CVE-2026-37345 | 2026-04-16 | 9.8 | CRITICAL | SourceCodester Vehicle Parking Area Management System v1.0 is vulnerable to SQL Injection in the file /parking/manage_park.php. |
| CVE-2026-37344 | 2026-04-16 | 7.2 | HIGH | SourceCodester Vehicle Parking Area Management System v1.0 is vulnerable to SQL Injection in the file /parking/manage_location.php. |
| CVE-2026-37343 | 2026-04-16 | 7.2 | HIGH | SourceCodester Vehicle Parking Area Management System v1.0 is vulnerable to SQL Injection in the file /parking/manage_user.php. |
| CVE-2026-37342 | 2026-04-16 | 7.2 | HIGH | SourceCodester Vehicle Parking Area Management System v1.0 is vulnerable to SQL Injection in the file /parking/view_parked_details.php. |
| CVE-2026-37341 | 2026-04-16 | 7.2 | HIGH | SourceCodester Vehicle Parking Area Management System v1.0 is vulnerable to SQL Injection in the file /parking/manage_category.php. |
| CVE-2026-37340 | 2026-04-16 | 9.8 | CRITICAL | SourceCodester Simple Music Cloud Community System v1.0 is vulnerable to SQL Injection in the file /music/edit_music.php. |
| CVE-2026-37339 | 2026-04-16 | 9.8 | CRITICAL | SourceCodester Simple Music Cloud Community System v1.0 is vulnerable to SQL Injection in the file /music/view_genre.php. |
| CVE-2026-37338 | 2026-04-16 | 9.4 | CRITICAL | SourceCodester Simple Music Cloud Community System v1.0 is vulnerable to SQL Injection in the file /music/view_user.php. |
| CVE-2026-37337 | 2026-04-16 | 7.3 | HIGH | SourceCodester Simple Music Cloud Community System v1.0 is vulnerable to SQL Injection in the file /music/view_playlist.php. |
| CVE-2026-37336 | 2026-04-16 | 7.3 | HIGH | SourceCodester Simple Music Cloud Community System v1.0 is vulnerable to SQL Injection in the file /music/view_music.php. |
| CVE-2026-33804 | 2026-04-16 | 7.4 | HIGH | @fastify/middie versions 9.3.1 and earlier are vulnerable to middleware bypass when the deprecated Fastify ignoreDuplicateSlashes option is enabled. The middleware path matching logic does not account… |
| CVE-2026-30656 | 2026-04-16 | 7.5 | HIGH | A NULL pointer dereference vulnerability exists in fio (Flexible I/O Tester) v3.41 when parsing job files containing the fdp_pli option. The callback function str_fdp_pli_cb() does not validate the in… |
| CVE-2026-30459 | 2026-04-16 | 7.1 | HIGH | An issue in the Forgot Password feature of Daylight Studio FuelCMS v1.5.2 allows unauthenticated attackers to obtain the password reset token of a victim user via a crafted link placed in a valid e-ma… |
| CVE-2026-2840 | 2026-04-16 | 6.4 | MEDIUM | The Email Encoder – Protect Email Addresses and Phone Numbers plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'eeb_mailto' shortcode in all versions up to, and including, 2.4… |
| CVE-2026-6410 | 2026-04-16 | 5.3 | MEDIUM | @fastify/static versions 8.0.0 through 9.1.0 allow path traversal when directory listing is enabled via the list option. The dirList.path() function resolves directories outside the configured static … |
| CVE-2026-6270 | 2026-04-16 | 9.1 | CRITICAL | @fastify/middie versions 9.3.1 and earlier do not register inherited middleware directly on child plugin engine instances. When a Fastify application registers authentication middleware in a parent sc… |
| CVE-2026-5785 | 2026-04-16 | 8.1 | HIGH | Zohocorp ManageEngine PAM360 versions before 8531 and ManageEngine Password Manager Pro versions from 8600 to 13230 are vulnerable to Authenticated SQL injection in the query report module. |
| CVE-2026-4160 | 2026-04-16 | 5.3 | MEDIUM | The Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder plugin for WordPress is vulnerable to Insecure Direct Object Reference via the 'submission_id' parameter in v… |
| CVE-2026-31987 | 2026-04-16 | 7.5 | HIGH | JWT Tokens used by tasks were exposed in logs. This could allow UI users to act as Dag Authors. Users are advised to upgrade to Airflow version that contains fix. Users are recommended to upgrade to… |
| CVE-2026-6414 | 2026-04-16 | 5.9 | MEDIUM | @fastify/static versions 8.0.0 through 9.1.0 decode percent-encoded path separators (%2F) before filesystem resolution, while Fastify's router treats them as literal characters. This mismatch allows a… |
| CVE-2026-5968 | 2026-04-16 | — | N/A | Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. Reason: This candidate was issued in error. Notes: All references and descriptions in this candidate have been removed to prevent accide… |
| CVE-2026-31843 | 2026-04-16 | 9.8 | CRITICAL | The goodoneuz/pay-uz Laravel package (<= 2.2.24) contains a critical vulnerability in the /payment/api/editable/update endpoint that allows unauthenticated attackers to overwrite existing PHP payment … |
| CVE-2025-15621 | 2026-04-16 | — | N/A | Insufficiently Protected Credentials in Sparx Systems Pty Ltd. Sparx Enterprise Architect. Client does not verify the receiver of OAuth2 credentials during OpenID authentication |
| CVE-2026-3489 | 2026-04-16 | 7.5 | HIGH | The DirectoryPress – Business Directory And Classified Ad Listing plugin for WordPress is vulnerable to SQL Injection via the 'packages' parameter in versions up to, and including, 3.6.26 due to insuf… |
| CVE-2026-3369 | 2026-04-16 | 5.4 | MEDIUM | The Better Find and Replace – AI-Powered Suggestions plugin for WordPress is vulnerable to Stored Cross-Site Scripting via uploaded image title in versions up to, and including, 1.7.9 due to insuffici… |
| CVE-2026-3155 | 2026-04-16 | 3.1 | LOW | The OneSignal – Web Push Notifications plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 3.8.0. This is due to the plugin not properly verifying that a user … |