CVE Vulnerabilities - 8 April 2026

685 vulnerabilities published on 8 April 2026

LobeHub: Unauthenticated authentication bypass on `webapi` routes via forgeable `X-lobe-chat-auth` header
GHSA-5mwj-v5jw-5c97 CVE-2026-39411
# Summary The `webapi` authentication layer trusts a client-controlled `X-lobe-chat-auth` header that is only XOR-obfuscated, not signed or otherwise authenticated. Because the XOR key is hardcoded i...
5.0
Nodemailer: Email Spoofing via Malicious SMTP Server Interaction
GHSA-vvjj-xcjg-gr5g
Nodemailer versions 8.0.4 and earlier are vulnerable to email spoofing and phishing attacks. An attacker can manipulate the email sender's name to trick recipients. Update to a fixed version of Nodema...
4.9
Nodemailer Allows Malicious Email Sending via Email Server Settings
GHSA-vvjj-xcjg-gr5g
Nodemailer, a popular email library, allows hackers to send emails pretending to be from your company by manipulating the email server settings. This could lead to phishing attacks and other security ...
4.9
CI4MS has stored XSS via Unescaped Blacklist Note in Admin User List
GHSA-7cm9-v848-cfh2 CVE-2026-39391
## Summary The blacklist (ban) note parameter in `UserController::ajax_blackList_post()` is stored in the database without sanitization and rendered into an HTML `data-note` attribute without escapin...
4.8
Hono: Malicious Cookies Can Override Secure Cookies
GHSA-r5rp-j6wh-rvv4 CVE-2026-39410
A security issue in Hono's cookie handling code allows attackers to set malicious cookies that can override secure cookies, potentially leading to session hijacking or other security risks. Affected a...
4.8
MATCHA INVOICE: Unrestricted File Upload Allows Malicious Code Execution
CVE-2026-33273
An administrator can upload a malicious file to your MATCHA INVOICE server, potentially allowing hackers to execute code on the server. This poses a risk to your data and system security. Update to th...
5.1
Gravity Forms plugin for WordPress vulnerable to malicious scripts via form links
CVE-2026-4406
A weakness in the Gravity Forms plugin for WordPress allows hackers to inject malicious scripts into web pages by tricking users into clicking on links. This can cause problems for unauthenticated vis...
4.7
Sleuth Kit ISO9660 Parser Reads Beyond Disk Data
CVE-2026-40026
A maliciously crafted ISO image can cause the Sleuth Kit to read data it shouldn't, potentially exposing sensitive information. This affects users who work with disk images, especially those who rely ...
4.8
Sleuth Kit - Malicious APFS Image Can Reveal Sensitive Data
CVE-2026-40025
An attacker can create a malicious APFS disk image that, when processed by certain Sleuth Kit tools, may reveal sensitive information or crash the system. This vulnerability affects all versions of Th...
4.8
Kamailio SIP Server Crashes with Malformed User Authentication Requests
CVE-2026-39864
The Kamailio SIP server may crash if it receives a specially crafted authentication request. This could potentially disrupt service to users. Update to version 6.0.5 or 5.8.7 to fix this issue.
4.4
Dell PowerScale OneFS reveals sensitive server information
CVE-2026-24511
Dell PowerScale OneFS versions 9.5 to 9.13 contain a flaw that could allow an attacker with high-level access to access sensitive server information. This could potentially compromise the security of ...
4.4
WordPress Inquiry Form Plugin Allows Malicious Scripts to Run on Administrator's Dashboard
CVE-2026-5169
An attacker with administrator access to a WordPress site using the Inquiry Form to Posts or Pages plugin can inject malicious scripts that will run on the plugin settings page or on pages with the [i...
4.4
Whole Enquiry Cart for WooCommerce plugin vulnerable to injected scripts on multisite installations
CVE-2026-2838
An attacker with admin access on a multisite WordPress installation can inject malicious scripts that will run when users visit specific pages. This can lead to unauthorized actions being performed on...
4.4
GitLab EE: Unauthorized Changes to Private Project Vulnerability Flags
CVE-2026-2619
A bug in GitLab EE allowed an authenticated user with limited access to modify vulnerability flags in private projects. This could have led to incorrect vulnerability data being displayed. Update to t...
4.3
GitLab: Authenticated Users Can Access Confidential Issues via CSV Export
CVE-2026-2104
Authenticated users in GitLab Community Edition and Enterprise Edition can potentially access confidential issues assigned to other users if they have permission to export issues in CSV format. This i...
4.3
GitLab EE: Authenticated users can change protected environment settings
CVE-2026-1752
An attacker with a developer account and special permissions could modify sensitive settings for projects and environments. This could lead to unintended changes to your project's security and workflo...
4.3
GitLab: Attacker can see other users' email addresses
CVE-2025-9484
An authenticated user could see other users' email addresses under certain circumstances. This issue has been fixed in all affected versions. To stay secure, update to the latest version of GitLab.
4.3
Old Google Chrome Allows Attackers to Steal Data Across Websites
CVE-2026-5918
A security flaw in old versions of Google Chrome allows a hacker who has taken control of a user's browsing session to steal sensitive information from other websites. This is a concern because it cou...
4.3
Google Chrome allows data leak via crafted HTML in compromised renderer process
DEBIAN-CVE-2026-5918
A security issue in older versions of Google Chrome could allow an attacker who has already compromised the browser's inner workings to steal data from other websites. This is a low-risk issue, but it...
4.3
Google Chrome Policy Bypass via Malicious HTML Pages
CVE-2026-5911
Google Chrome's content security policy can be bypassed by a malicious HTML page, allowing an attacker to potentially inject and execute unauthorized scripts. This affects older versions of Google Chr...
4.3
Google Chrome: Policy Bypass in ServiceWorker Allows Remote Attack
DEBIAN-CVE-2026-5911
A vulnerability in Google Chrome allows an attacker to bypass security policies on a website by tricking a user into visiting a malicious webpage. This could potentially allow an attacker to inject ma...
4.3
Google Chrome on Android can show fake URLs in the address bar
DEBIAN-CVE-2026-5906
A security weakness in older versions of Google Chrome on Android can be exploited by a malicious website to display a fake address in the address bar. This could potentially trick users into visiting...
4.3
Google Chrome on Android: Malicious Page Can Spoof URL Bar
CVE-2026-5906
A security issue in Google Chrome on Android devices allows a hacker to create a fake webpage that can trick users into thinking they are on a different website. This could potentially lead to users e...
4.3
openstatusHQ openstatus: Remote Code Execution via Malicious Links
CVE-2026-5808
A vulnerability in openstatusHQ openstatus allows an attacker to execute malicious code by manipulating links. This is a security risk because it could allow an attacker to take control of your system...
5.3
Wimi Teamwork On-Premises leaks private conversations
CVE-2026-35023
Versions prior to 8.2.0 allow attackers to access private conversations and sensitive information by guessing conversation IDs. This could happen if you're using an outdated version of Wimi Teamwork O...
5.3