
CVE Vulnerabilities - 8 April 2026


104 vulnerabilities published on 8 April 2026

AVideo's EPG Feature Fails to Prevent JavaScript Injection
CVE-2026-39367 GHSA-rqp3-gf5h-mrqx
AVideo's Electronic Program Guide feature in versions 26.0 and earlier allows attackers to inject malicious JavaScript code into the guide, which can steal user sessions and take control of accounts w...
5.4
MainWP Child Reports plugin leaks sensitive data to malicious users
CVE-2026-4299
An attacker with Subscriber-level access or higher can obtain sensitive information about your WordPress site's activity logs by sending a specific request. This includes user information, IP addresse...
5.3
LTL Freight Quotes plugin allows unauthorized changes to subscription plans
CVE-2026-3646
The LTL Freight Quotes plugin for WordPress lacks proper security checks, allowing anyone to modify subscription settings, potentially downgrading paid plans or disabling premium features, without nee...
5.3
Unvalidated Cookie Names in Hono Set-Cookie Headers
GHSA-26pp-8wgv-hjvm
Hono applications may encounter runtime errors if using untrusted input for cookie names in setCookie() or similar functions. This is due to invalid characters in cookie names, which can cause issues ...
5.3
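The Hono entry above concerns untrusted input reaching a cookie name. The check that prevents it is the RFC 6265 cookie-name grammar (an RFC 2616 "token": no controls, no separators). The following is an added example, not Hono's code, written in Python rather than JavaScript; the header layout and fail-closed policy are assumptions for the demonstration.

```python
import re

# RFC 6265: cookie-name = token (RFC 2616). A token is one or more US-ASCII
# characters that are neither controls nor separators.
# Separators: ( ) < > @ , ; : \ " / [ ] ? = { } SP HT
_COOKIE_NAME = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def is_valid_cookie_name(name: str) -> bool:
    """True iff `name` is a syntactically valid cookie-name token."""
    return bool(_COOKIE_NAME.match(name))


def set_cookie_header_unchecked(name: str, value: str) -> str:
    """No validation: the name is pasted straight into the header, so a name
    containing ';' or '=' changes the header's structure. Assumed attribute set."""
    return f"{name}={value}; Path=/; HttpOnly; Secure"


def set_cookie_header(name: str, value: str) -> str:
    """Fail closed: refuse the name before it reaches the header (assumed policy)."""
    if not is_valid_cookie_name(name):
        raise ValueError(f"invalid cookie name: {name!r}")
    return set_cookie_header_unchecked(name, value)


if __name__ == "__main__":
    for candidate in ["session", "_ga.1", "pref; Domain=attacker.example", "a=b", "user name", ""]:
        print(f"{candidate!r:34} valid={is_valid_cookie_name(candidate)}")
    print(set_cookie_header_unchecked("pref; Domain=attacker.example", "1"))
```

The unchecked variant shows why the grammar matters: with the name `pref; Domain=attacker.example` the emitted header reads as a cookie `pref` plus a `Domain` attribute the application never intended to set.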
Hono: Access to protected files by manipulating request path with repeated slashes
GHSA-wmmm-f939-6g9c CVE-2026-39407
Hono, a web framework, has a bug that allows attackers to access protected files by using multiple slashes in the request path, which can lead to unauthorized access to sensitive files. This affects appl...
5.3
Repeated slashes in URL can bypass security restrictions in Node.js server
GHSA-92pp-h63x-v22m CVE-2026-39406
A security risk exists in Node.js servers using the serveStatic middleware. If an attacker uses repeated slashes in a URL, they may be able to access files that are intended to be protected by securit...
5.3
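The two entries above (Hono and the serveStatic middleware) are the same class of bug: an access check that compares the raw request path while the file handler later normalises it, so `//protected/x` passes the guard and is still served as `/protected/x`. The following is an added example, not code from Hono or from the Node.js server package, written in Python; the `/protected/` prefix and the toy pipeline are constructed for the demonstration.

```python
import posixpath
from urllib.parse import unquote

# Constructed for this example: the route prefix an access-control layer guards.
PROTECTED_PREFIX = "/protected/"


def naive_is_protected(request_path: str) -> bool:
    """The common mistake: a prefix test against the raw request path.
    '//protected/x' does not start with '/protected/', so it slips through."""
    return request_path.startswith(PROTECTED_PREFIX)


def normalize_path(request_path: str) -> str:
    """Canonicalise the path the way a file server ends up interpreting it:
    percent-decode, collapse runs of '/', resolve '.' and '..'."""
    path = unquote(request_path)
    path = "/" + path.lstrip("/")      # posixpath.normpath keeps a leading '//', so strip it first
    return posixpath.normpath(path)    # '/a//b/../c' -> '/a/c'; an absolute path cannot climb above '/'


def hardened_is_protected(request_path: str) -> bool:
    """Decide on the canonical form, so the guard and the file server agree."""
    norm = normalize_path(request_path)
    return norm == PROTECTED_PREFIX.rstrip("/") or norm.startswith(PROTECTED_PREFIX)


def serve(request_path: str, is_protected) -> str:
    """Toy request pipeline: guard first, then a static handler that normalises
    the path before opening it. Returns '403' or the path the handler would open."""
    if is_protected(request_path):
        return "403"
    return normalize_path(request_path)


if __name__ == "__main__":
    for p in ["/protected/secret.txt", "//protected/secret.txt", "/protected//secret.txt",
              "/public/../protected/secret.txt", "/%2Fprotected/secret.txt", "/public/index.html"]:
        print(f"{p:34} naive={serve(p, naive_is_protected):24} hardened={serve(p, hardened_is_protected)}")
```

The fix is not "reject double slashes" but "make the security decision on the same canonical path the file handler uses"; percent-encoded and dot-segment variants fall out of the same normalisation.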
JWCrypto: Memory Exhaustion from Maliciously Compressed JWE Tokens
CVE-2026-39373 GHSA-fjrm-76x2-c4q4
An attacker can send a specially crafted JWE token to a server that processes it with JWCrypto, causing it to use up all its memory. This can happen even if the token itself is small, because it's been compressed to a much ...
5.3
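The JWCrypto entry above is a decompression bomb: JWE supports `"zip": "DEF"` (raw DEFLATE, RFC 1951), and a few kilobytes of compressed zeros inflate to many megabytes unless the decompressor is given an output ceiling. The following is an added example, not JWCrypto's code; the 64 KiB plaintext limit is an assumed policy for the demonstration.

```python
import zlib

# Assumed policy for this example: no legitimate JWE plaintext (a JWT claims set)
# needs more than 64 KiB once inflated.
MAX_PLAINTEXT = 64 * 1024


def build_deflate_bomb(size: int) -> bytes:
    """Constructed attacker payload: `size` zero bytes as raw DEFLATE, the
    encoding a JWE with "zip": "DEF" carries."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)   # wbits=-15: raw DEFLATE, no zlib header
    return comp.compress(b"\0" * size) + comp.flush()


def inflate_unbounded(data: bytes) -> int:
    """The risky pattern: inflate whatever the token carries, then look at it.
    Returns the plaintext length so the caller can see what it just allocated."""
    return len(zlib.decompress(data, -15))


def inflate_bounded(data: bytes, limit: int = MAX_PLAINTEXT) -> bytes:
    """Inflate with an output ceiling. decompress(max_length) stops producing
    output at the ceiling and parks the rest of the input in unconsumed_tail,
    so a bomb costs at most `limit + 1` bytes before it is rejected."""
    d = zlib.decompressobj(-15)
    out = d.decompress(data, limit + 1)
    if len(out) > limit or d.unconsumed_tail:
        raise ValueError(f"inflated JWE plaintext exceeds {limit} bytes")
    return out


if __name__ == "__main__":
    bomb = build_deflate_bomb(16 * 1024 * 1024)
    print(f"payload on the wire: {len(bomb)} bytes")
    print(f"unbounded inflate allocates: {inflate_unbounded(bomb)} bytes")
    try:
        inflate_bounded(bomb)
    except ValueError as e:
        print("bounded inflate:", e)
    print("legitimate 512-byte plaintext round-trips:", inflate_bounded(build_deflate_bomb(512)) == b"\0" * 512)
```

The ceiling has to be enforced on the output side of the decompressor; checking the size of the token before inflating it is exactly what this class of attack defeats.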
Hustle Plugin for WordPress Allows Unapproved Data Changes
CVE-2026-2263
The Hustle plugin for WordPress, used for email marketing and lead generation, is missing a security check that could let attackers manipulate marketing data. This means they could fake conversion track...
5.3
RustFS: Unprivileged User Can Exfiltrate Objects
CVE-2026-39360 GHSA-mx42-j6wv-px98
A low-privileged user in a shared RustFS storage system can copy and steal objects from other users' accounts without permission. This can happen in multi-user environments. Update to the latest versi...
5.3
Parse Server Leaks Protected Session Data
CVE-2026-39381 GHSA-g4v2-qx3q-4p64
Prior to versions 9.8.0-alpha.7 and 8.6.75, Parse Server returns sensitive session data that's meant to be hidden. This can happen when an authenticated user requests their own session details. To ...
5.3
Emissary Configuration API Allows Access to Sensitive Files
CVE-2026-35583 GHSA-hxf2-gm22-7vcm
Prior to version 8.39.0, the Emissary configuration API had a weakness that could allow attackers to access sensitive files. This was fixed in version 8.39.0. To protect your system, make sure you're ...
5.3
File Browser Allows Unauthorized Download of Text Files
CVE-2026-35606 GHSA-67cg-cpj7-qgc9
A security issue in File Browser's file management interface allowed users without permission to download text files. This has been fixed in version 2.63.1. Update to the latest version to ensure secu...
5.3
pyLoad Download Manager: Path Traversal Vulnerability in Tar Archive Extraction
CVE-2026-35592 GHSA-mvwx-582f-56r7
A security issue in pyLoad's tar archive extraction feature allows a malicious file to be saved outside the intended directory. This could lead to unauthorized files being written to your system. Upgr...
5.3
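The pyLoad entry above is tar path traversal: a member named `../../evil.sh` is written relative to the extraction directory and lands outside it. The following is an added example, not pyLoad's code, showing how to vet members before extraction; the archive contents and the `/srv/downloads/unpacked` destination are constructed and the directory need not exist.

```python
import io
import os
import tarfile

# Constructed for this example; the directory does not need to exist.
DEST = "/srv/downloads/unpacked"


def build_hostile_tar() -> bytes:
    """Constructed archive: one benign file, two traversal attempts and a symlink."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in [("docs/readme.txt", b"fine"),
                           ("../../evil.sh", b"#!/bin/sh\nid\n"),
                           ("docs/../../../etc/cron.d/job", b"* * * * * root id\n")]:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
        link = tarfile.TarInfo("docs/link")
        link.type = tarfile.SYMTYPE
        link.linkname = "/etc/passwd"
        tar.addfile(link)
    return buf.getvalue()


def resolves_inside(dest: str, member_name: str) -> bool:
    """True iff dest/member_name, after '..' resolution, is still under dest."""
    dest = os.path.abspath(dest)
    target = os.path.abspath(os.path.join(dest, member_name))
    return os.path.commonpath([dest, target]) == dest


def vet_members(tar_bytes: bytes, dest: str) -> tuple[list[str], list[str]]:
    """Split members into ones safe to extract under dest and ones to refuse."""
    accepted, rejected = [], []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        for m in tar.getmembers():
            if not resolves_inside(dest, m.name):
                rejected.append(m.name)      # escapes the destination directory
            elif m.issym() or m.islnk():
                rejected.append(m.name)      # links: the target could point anywhere
            elif not (m.isfile() or m.isdir()):
                rejected.append(m.name)      # devices, fifos: never from untrusted archives
            else:
                accepted.append(m.name)
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = vet_members(build_hostile_tar(), DEST)
    print("extract:", ok)
    print("refuse: ", bad)
```

On Python releases that ship extraction filters, `TarFile.extractall(path, filter="data")` performs equivalent checks and raises on offending members; the explicit vetting above shows what those checks are and works where the filter is unavailable.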
CourseVault Preview Utility Allows Unauthorized File Access
CVE-2026-35613 GHSA-9h9m-rr67-9jpg
Early versions of the CourseVault Preview utility can allow an attacker to access files outside the intended directory. This is a security risk because it could potentially allow unauthorized access t...
5.1
Hono: Malicious Cookies Can Override Secure Cookies
GHSA-r5rp-j6wh-rvv4 CVE-2026-39410
A security issue in Hono's cookie handling code allows attackers to set malicious cookies that can override secure cookies, potentially leading to session hijacking or other security risks. Affected a...
4.8
MATCHA INVOICE: Unrestricted File Upload Allows Malicious Code Execution
CVE-2026-33273
A user with administrator privileges can upload a malicious file to a MATCHA INVOICE server, potentially allowing code execution on the server. This poses a risk to your data and system security. Update to th...
5.1
Gravity Forms plugin for WordPress vulnerable to malicious scripts via form links
CVE-2026-4406
A weakness in the Gravity Forms plugin for WordPress allows attackers to inject malicious scripts into web pages by tricking users into clicking crafted links. This can cause problems for unauthenticated vis...
4.7
Cosign may falsely verify malicious code in containers and binaries
CVE-2026-39395 GHSA-w6c6-c85g-mmv6
Cosign, a code signing tool, had a flaw that allowed it to incorrectly verify malicious code as legitimate. This flaw was fixed in versions 3.0.6 and 2.6.3. Users should update to the latest version t...
4.3
LightRAG JWT Algorithm Forgery Allows Unauthorized Access
GHSA-8ffj-4hx4-9pgf CVE-2026-39413
The LightRAG API allows attackers to create fake login tokens, allowing them to access protected resources without a valid account. This is because the API doesn't properly check the type of token bei...
4.2
parisneo/lollms: Persistent Access After Password Reset
CVE-2026-1163
A vulnerability in parisneo/lollms allows an attacker to keep using an old session after a password reset, potentially giving them continued access to a compromised account. This happens because the a...
4.1
Kube-router Logs BGP Passwords at High Log Levels
GHSA-fcmh-qfxc-w685
If you use Kube-router with per-node BGP passwords and enable detailed logging, anyone with access to the logs can see the passwords. This is a concern because logging is often shared with support tea...
4.1
JustHTML: Custom Settings Allow Malicious Code Injection
GHSA-r758-8hxw-4845
A security issue exists in JustHTML when using custom settings to allow certain HTML elements. If you've set up JustHTML to allow specific elements like SVG or MathML, an attacker could inject malicio...
2.1
Ado::Sessions Perl Module Generates Predictable Session IDs
CVE-2026-5083
Ado::Sessions versions up to 0.935 generate session IDs that attackers can guess, allowing them to hijack user sessions. This is due to the use of a weak random number generator and predictable inpu...
Amon2::Plugin::Web::CSRFDefender: Weak Session IDs in Versions 7.00-7.03
CVE-2026-5082
Versions 7.00 through 7.03 of Amon2::Plugin::Web::CSRFDefender for Perl generate weak session IDs that can be guessed or predicted, potentially allowing unauthorized access to user sessions. This issu...
CGA-rfvj-mw43-h8w8
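Three entries on this page are session-management failures of two kinds: parisneo/lollms (sessions that survive a password reset) and the two Perl modules, Ado::Sessions and Amon2::Plugin::Web::CSRFDefender (session IDs from a weak generator with predictable inputs). The following is an added example serving both, written in Python rather than Perl and not taken from any of those projects. The clock-seeded generator is a constructed stand-in for "weak RNG, predictable inputs", and the store's API is an assumption for the demonstration.

```python
import hashlib
import random
import secrets
from typing import Optional


def weak_session_id(clock_seed: int) -> str:
    """Constructed weak generator: a general-purpose PRNG seeded from the clock,
    hashed to look random. Whoever knows roughly when the session was created
    can replay the seed; hashing hides nothing."""
    rng = random.Random(clock_seed)
    return hashlib.sha1(str(rng.random()).encode()).hexdigest()


def recover_weak_seed(observed_id: str, approx_time: int, window: int = 900) -> Optional[int]:
    """Attacker side: brute-force the seed over +/- window seconds around the login time."""
    for seed in range(approx_time - window, approx_time + window + 1):
        if weak_session_id(seed) == observed_id:
            return seed
    return None


def strong_session_id() -> str:
    """256 bits from the OS CSPRNG; infeasible to guess regardless of timing."""
    return secrets.token_urlsafe(32)


class SessionStore:
    """Server-side sessions keyed by an unguessable ID, revoked on password reset."""

    def __init__(self) -> None:
        self._owner: dict[str, str] = {}    # session id -> user

    def login(self, user: str) -> str:
        sid = strong_session_id()
        self._owner[sid] = user
        return sid

    def user_for(self, sid: str) -> Optional[str]:
        return self._owner.get(sid)

    def reset_password(self, user: str, keep_sid: Optional[str] = None) -> int:
        """After a credential change every other session of the user must die,
        otherwise an attacker who already holds one keeps it. Returns the count revoked."""
        stale = [sid for sid, owner in self._owner.items() if owner == user and sid != keep_sid]
        for sid in stale:
            del self._owner[sid]
        return len(stale)


if __name__ == "__main__":
    login_time = 1_775_000_000                      # constructed
    leaked = weak_session_id(login_time + 123)
    print("weak id recovered from seed:", recover_weak_seed(leaked, login_time) == login_time + 123)
    store = SessionStore()
    attacker_sid = store.login("alice")             # session stolen before the reset
    alice_sid = store.login("alice")                # session alice resets from
    store.reset_password("alice", keep_sid=alice_sid)
    print("attacker still logged in:", store.user_for(attacker_sid) is not None)
```

The brute-force loop is the whole point of the first half: with a time-based seed the search space is the login window in seconds, not the 160 bits the hex digest appears to offer.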