
CVE Vulnerabilities - 8 April 2026


689 vulnerabilities published on 8 April 2026

Severity:
iGMS Direct Booking Security Settings Can Be Overridden
CVE-2026-39652
A security setting in iGMS Direct Booking can be incorrectly configured, allowing unauthorized access to certain features. This means that users who shouldn't have access might still be able to make c...
5.3
UnitechPay: Unsecured Access Could Lead to Unauthorized Transactions
CVE-2026-39650
A security weakness in UnitechPay, a mobile payment system, could allow unauthorized users to access and make transactions under certain configuration conditions. This issue affects versions 1.0.2 and...
5.3
Cream Blog: Incorrect Access Control Allows Unauthorized Access
CVE-2026-39648
A security issue in Cream Blog, a theme used in WordPress, allows unauthorized access to sensitive areas. This puts sensitive information at risk if an attacker gains access. Update to version 2.1.8 o...
5.3
Wp Ultimate Review: Incorrect Security Settings Allow Unauthorized Access
CVE-2026-39644
A security flaw in Wp Ultimate Review allows unauthorized users to access parts of the plugin they shouldn't. If not fixed, this could lead to sensitive data being viewed or modified. Update to versio...
5.3
Mogi: Unauthorized Access to Sensitive Data through Misconfigured Access Control
CVE-2026-39637
A security flaw in Mogi allows unauthorized access to sensitive data when access control levels are not properly configured. This means that attackers may be able to access sensitive information they ...
5.3
Awesome Support Plugin for WordPress Leaks Ticket Info
CVE-2026-4654
Versions of the Awesome Support WordPress plugin up to 6.3.7 have a security flaw that allows attackers to access sensitive information from any support ticket. This could happen even if the attacker ...
5.3
Masteriyo LMS WordPress Plugin Allows Unpaid Access to Paid Courses
CVE-2026-5167
The Masteriyo LMS plugin for WordPress is vulnerable to a security issue that could allow anyone to access paid courses without paying. This is because the plugin doesn't properly check who is sending...
5.3
Riaxe Product Customizer plugin exposes sensitive customer data on WordPress sites
CVE-2026-3594
The Riaxe Product Customizer plugin on WordPress sites allows anyone to access sensitive customer information, such as names and order details, without needing a password. This is a concern for sites ...
5.3
PZ Frontend Manager plugin for WordPress allows attackers to delete any user account
CVE-2026-3477
Attackers with Subscriber-level access can delete any WordPress user account, including administrators, by making a special request to the plugin's AJAX endpoint. This is a significant issue because i...
5.3
MainWP Child Reports plugin leaks sensitive data to malicious users
CVE-2026-4299
An attacker with Subscriber-level access or higher can obtain sensitive information about your WordPress site's activity logs by sending a specific request. This includes user information, IP addresse...
5.3
LTL Freight Quotes plugin allows unauthorized changes to subscription plans
CVE-2026-3646
The LTL Freight Quotes plugin for WordPress lacks proper security checks, allowing anyone to modify subscription settings, potentially downgrading paid plans or disabling premium features, without nee...
5.3
Hono Cookie Name Validation Error in Cookie Generation
GHSA-26pp-8wgv-hjvm
Untrusted input can cause errors when generating cookie headers. If you use Hono to generate cookies from user-controlled input, make sure to validate the cookie name to prevent errors. Update to the ...
5.3
Unvalidated Cookie Names in Hono Set-Cookie Headers
GHSA-26pp-8wgv-hjvm
Hono applications may encounter runtime errors if using untrusted input for cookie names in setCookie() or similar functions. This is due to invalid characters in cookie names, which can cause issues ...
5.3
Hono: Access to protected files by manipulating request path with repeated slashes
GHSA-wmmm-f939-6g9c CVE-2026-39407
Hono, a middleware, has a bug that allows attackers to access protected files by using multiple slashes in the request path, which can lead to unauthorized access to sensitive files. This affects appl...
5.3
Repeated slashes in URL can bypass security restrictions in Node.js server
GHSA-92pp-h63x-v22m CVE-2026-39406
A security risk exists in Node.js servers using the serveStatic middleware. If an attacker uses repeated slashes in a URL, they may be able to access files that are intended to be protected by securit...
5.3
JWCrypto: Memory Exhaustion from Maliciously Compressed JWE Tokens
CVE-2026-39373 GHSA-fjrm-76x2-c4q4
An attacker can send a specially crafted JWE token to a JWCrypto server, causing it to use up all its memory. This can happen even if the token itself is small, because it's been compressed to a much ...
5.3
Hustle Plugin for WordPress Allows Unapproved Data Changes
CVE-2026-2263
The Hustle plugin for WordPress, used for email marketing and lead generation, is missing a security check that could let hackers manipulate marketing data. This means they could fake conversion track...
5.3
RustFS: Unprivileged User Can Exfiltrate Objects
CVE-2026-39360 GHSA-mx42-j6wv-px98
A low-privileged user in a shared RustFS storage system can copy and steal objects from other users' accounts without permission. This can happen in multi-user environments. Update to the latest versi...
5.3
Parse Server Leaks Protected Session Data
CVE-2026-39381 GHSA-g4v2-qx3q-4p64
Prior to version 9.8.0-alpha.7 and 8.6.75, the Parse Server returns sensitive session data that's meant to be hidden. This can happen when an authenticated user requests their own session details. To ...
5.3
Emissary Configuration API Allows Access to Sensitive Files
CVE-2026-35583 GHSA-hxf2-gm22-7vcm
Prior to version 8.39.0, the Emissary configuration API had a weakness that could allow attackers to access sensitive files. This was fixed in version 8.39.0. To protect your system, make sure you're ...
5.3
pyLoad Download Manager: Path Traversal Vulnerability in Tar Archive Extraction
CVE-2026-35592 GHSA-mvwx-582f-56r7
A security issue in pyLoad's tar archive extraction feature allows a malicious file to be saved outside the intended directory. This could lead to unauthorized files being written to your system. Upgr...
5.3
Sonatype Nexus Repository allows JavaScript execution in browser
CVE-2026-3438
Unauthenticated attackers can run malicious code in your browser if you visit a specially crafted URL. This can happen if you use Sonatype Nexus Repository versions 3.0.0 through 3.90.2. Update to a f...
5.1
CourseVault Preview Utility Allows Unauthorized File Access
CVE-2026-35613 GHSA-9h9m-rr67-9jpg
Early versions of the CourseVault Preview utility can allow an attacker to access files outside the intended directory. This is a security risk because it could potentially allow unauthorized access t...
5.1
Remnawave Backend: Excessive Device Registration
CVE-2026-39880
Authenticated users can register more devices than allowed, potentially allowing them to resell subscriptions and consume excessive traffic. This can lead to financial losses for the business. Update ...
5.0
OpenEXR Image Decoder Can Read Outside Memory Bounds
CVE-2026-34589 GHSA-p8xc-w3q4-h64x
OpenEXR image file decoder can access memory outside its allocated space, potentially leading to a security issue. This affects versions 3.2.0 to 3.2.7, 3.3.9, and 3.4.9. Update to the latest version ...
8.4