CVE Vulnerabilities - 8 April 2026

133 vulnerabilities published on 8 April 2026

Severity:
Parse Server Leaks Protected Session Data
CVE-2026-39381 GHSA-g4v2-qx3q-4p64
Prior to version 9.8.0-alpha.7 and 8.6.75, the Parse Server returns sensitive session data that's meant to be hidden. This can happen when an authenticated user requests their own session details. To ...
5.3
Emissary Configuration API Allows Access to Sensitive Files
CVE-2026-35583 GHSA-hxf2-gm22-7vcm
Prior to version 8.39.0, the Emissary configuration API had a weakness that could allow attackers to access sensitive files. This was fixed in version 8.39.0. To protect your system, make sure you're ...
5.3
File Browser Allows Unauthorized Download of Text Files
CVE-2026-35606 GHSA-67cg-cpj7-qgc9
A security issue in File Browser's file management interface allowed users without permission to download text files. This has been fixed in version 2.63.1. Update to the latest version to ensure secu...
5.3
pyLoad Download Manager: Path Traversal Vulnerability in Tar Archive Extraction
CVE-2026-35592 GHSA-mvwx-582f-56r7
A security issue in pyLoad's tar archive extraction feature allows a malicious file to be saved outside the intended directory. This could lead to unauthorized files being written to your system. Upgr...
5.3
CourseVault Preview Utility Allows Unauthorized File Access
CVE-2026-35613 GHSA-9h9m-rr67-9jpg
Early versions of the CourseVault Preview utility can allow an attacker to access files outside the intended directory. This is a security risk because it could potentially allow unauthorized access t...
5.1
Hono: Malicious Cookies Can Override Secure Cookies
GHSA-r5rp-j6wh-rvv4 CVE-2026-39410
A security issue in Hono's cookie handling code allows attackers to set malicious cookies that can override secure cookies, potentially leading to session hijacking or other security risks. Affected a...
4.8
MATCHA INVOICE: Unrestricted File Upload Allows Malicious Code Execution
CVE-2026-33273
An administrator can upload a malicious file to your MATCHA INVOICE server, potentially allowing hackers to execute code on the server. This poses a risk to your data and system security. Update to th...
5.1
Gravity Forms plugin for WordPress vulnerable to malicious scripts via form links
CVE-2026-4406
A weakness in the Gravity Forms plugin for WordPress allows hackers to inject malicious scripts into web pages by tricking users into clicking on links. This can cause problems for unauthenticated vis...
4.7
WordPress Inquiry Form Plugin Allows Malicious Scripts to Run on Administrator's Dashboard
CVE-2026-5169
An attacker with administrator access to a WordPress site using the Inquiry Form to Posts or Pages plugin can inject malicious scripts that will run on the plugin settings page or on pages with the [i...
4.4
Whole Enquiry Cart for WooCommerce plugin vulnerable to injected scripts on multisite installations
CVE-2026-2838
An attacker with admin access on a multisite WordPress installation can inject malicious scripts that will run when users visit specific pages. This can lead to unauthorized actions being performed on...
4.4
Blog2Social Plugin for WordPress Allows Attackers to Modify Other Users' Posts
CVE-2026-4330
The Blog2Social plugin for WordPress has a security flaw that lets attackers with a certain level of account access modify or delete scheduled social media posts that belong to other users. This means...
4.3
Quran Translations Plugin for WordPress: Unauthenticated Settings Changes
CVE-2026-4141
An attacker can trick an administrator into clicking a link, allowing them to change plugin settings without permission. This can happen in all versions of the Quran Translations plugin for WordPress ...
4.3
Cosign may falsely verify malicious code in containers and binaries
CVE-2026-39395 GHSA-w6c6-c85g-mmv6
Cosign, a code signing tool, had a flaw that allowed it to incorrectly verify malicious code as legitimate. This flaw was fixed in versions 3.0.6 and 2.6.3. Users should update to the latest version t...
4.3
LightRAG JWT Algorithm Forgery Allows Unauthorized Access
GHSA-8ffj-4hx4-9pgf CVE-2026-39413
The LightRAG API allows attackers to create fake login tokens, allowing them to access protected resources without a valid account. This is because the API doesn't properly check the type of token bei...
4.2
parisneo/lollms: Persistent Access After Password Reset
CVE-2026-1163
A vulnerability in parisneo/lollms allows an attacker to keep using an old session after a password reset, potentially giving them continued access to a compromised account. This happens because the a...
4.1
Kube-router Logs BGP Passwords at High Log Levels
GHSA-fcmh-qfxc-w685
If you use Kube-router with per-node BGP passwords and enable detailed logging, anyone with access to the logs can see the passwords. This is a concern because logging is often shared with support tea...
4.1
JustHTML: Custom Settings Allow Malicious Code Injection
GHSA-r758-8hxw-4845
A security issue exists in JustHTML when using custom settings to allow certain HTML elements. If you've set up JustHTML to allow specific elements like SVG or MathML, an attacker could inject malicio...
2.1
WordPress ActivityPub Plugin Allows Access to Private Posts
CVE-2026-4338
The WordPress ActivityPub plugin has a security issue that allows anyone, even without a login, to view posts that are not yet published. This means sensitive or draft content might be exposed. Update...
Ado::Sessions Perl Module Generates Predictable Session IDs
CVE-2026-5083
Ado::Sessions versions up to 0.935 generate session IDs that can be guessed by attackers, allowing them to access systems. This is due to the use of a weak random number generator and predictable inpu...
Amon2::Plugin::Web::CSRFDefender: Weak Session IDs in Versions 7.00-7.03
CVE-2026-5082
Versions 7.00 through 7.03 of Amon2::Plugin::Web::CSRFDefender for Perl generate weak session IDs that can be guessed or predicted, potentially allowing unauthorized access to user sessions. This issu...
CGA-rfvj-mw43-h8w8
Apache Log4j in Java Applications Allows Remote Code Execution
ECHO-56a7-5917-6302
Apache's Log4j library, used in many Java applications, has a critical flaw that can allow hackers to run malicious code on a server. This could lead to data theft, system compromise, and other securi...
rootio-linux: Unauthenticated Code Execution through HTTP Request
ROOT-OS-DEBIAN-13-CVE-2026-31406
The rootio-linux package in Root:Debian:13 has a security issue that allows attackers to execute malicious code without being authenticated. This could let someone access sensitive information or take...
rootio-linux: Unpatched Software Allows Unauthorized Code Execution
ROOT-OS-DEBIAN-13-CVE-2026-31408
The rootio-linux package in Root is affected by a security issue that could allow an attacker to execute malicious code with elevated privileges. This issue was patched by Root, and we recommend updat...