CVE Vulnerabilities - 8 April 2026

689 vulnerabilities published on 8 April 2026

rfc3161-client Fails to Properly Verify Digital Signatures
GHSA-3xxc-pwj6-jgrj CVE-2026-33753
An attacker can impersonate a trusted TimeStamping Authority by manipulating digital certificates, allowing them to bypass authorization checks. This can lead to unauthorized access or actions. Update...
Severity: 6.2

WordPress Gravity Forms plugin exposes sensitive data to attackers
CVE-2026-4394
The Gravity Forms plugin for WordPress has a security flaw that allows attackers to inject malicious code into form entries. This can lead to unauthorized access to sensitive information when an admin...
Severity: 6.1

Brecht Visual Link Preview allows hackers to access internal servers
CVE-2026-39670
A bug in Brecht Visual Link Preview's preview feature lets attackers access internal servers and data. This affects versions of the software up to 2.3.0. Update to the latest version to fix the issue.
Severity: 6.0

Axios HTTP/2 Session Crash via Malicious Server
CVE-2026-39865 GHSA-qj83-cq47-w5f8
Using Axios with HTTP/2 before version 1.13.2 can cause a client crash if a malicious server closes multiple sessions at the same time. To fix this, update Axios to version 1.13.2 or later. If you can...
Severity: 5.9

NiceGUI: Malicious Files Can Be Written to Wrong Folders on Windows
GHSA-w8wv-vfpc-hw2w CVE-2026-39844
Some NiceGUI applications on Windows may allow attackers to write files to unintended locations, potentially leading to data loss, data corruption, or even code execution. This happens when malicious ...
Severity: 5.9

CoolerControl: Unauthenticated Data Exposure and Modification
CVE-2026-5300
The CoolerControl software allows anyone to access and change sensitive information without needing a password. This means unauthorized users can view and alter data that might be meant for authorized...
Severity: 5.9

AWS SDK for Go v2 Crashes from Malformed EventStream Response
GHSA-xmrv-pmrh-hhx2
A malicious response from AWS can cause the Go SDK to crash, potentially disrupting services. This issue affects older versions of the AWS SDK for Go v2. To fix it, update to the latest version of the...
Severity: 5.9

AWS SDK for Go v2 Can Crash from Malformed Response
GHSA-xmrv-pmrh-hhx2
The AWS SDK for Go v2 can crash if it receives a malformed response from a server. This can happen if a malicious actor sends a specially crafted response. To fix this, update to the latest version of...
Severity: 5.9

Hono: Malicious Files Can Be Written Outside the Output Directory
GHSA-xf4j-xp2r-rqqx CVE-2026-39408
A security issue affects the Hono framework, allowing attackers to write files outside the intended output directory during static site generation. This could lead to unintended files being overwritte...
Severity: 5.9

GitLab EE: Authenticated User Can Leak Viewer IP Addresses
CVE-2026-1516
A security issue was found in older versions of GitLab EE that could have allowed an authenticated user to see the IP addresses of others who viewed certain reports. If you're using one of these affec...
Severity: 5.7

monetr: Protected Transactions Can Be Deleted via PUT Request
GHSA-hqxq-hwqf-wg83 CVE-2026-39901
An attacker can delete protected transactions by updating them via a PUT request, bypassing the intended protection. This allows them to hide transactions from normal views. To fix this, organizations...
Severity: 5.7

InvenTree Inventory Management System: Malicious Template Injection
CVE-2026-35477
An attacker with staff permissions can craft a malicious template that executes arbitrary code when rendered. Affected are InvenTree versions 1.2.3 to 1.2.6. Update to 1.2.7 or 1.3.0 to fix this issue...
Severity: 5.5

CodeIgniter CMS Skeleton: Unsanitized User Input in Page Content
CVE-2026-39392 GHSA-fjpj-6qcq-6pw2
An attacker with admin privileges can inject malicious JavaScript into page content, which will be executed on all visitors' browsers. This can lead to unauthorized access to sensitive information or ...
Severity: 5.5

CodeIgniter CMS Skeleton Exposes Admins to Frontend JavaScript Injection
CVE-2026-39390 GHSA-x3hr-cp7x-44r2
An attacker with admin access can inject malicious JavaScript code into a Google Maps iframe, which executes when non-admin users visit the site. This allows the attacker to steal user data or take co...
Severity: 5.5

Pretix 2025 API endpoint returns sensitive data
CVE-2026-5600 GHSA-wr8q-c73g-m7gp
A new API endpoint in Pretix 2025 exposes sensitive data about all events managed by the same organizer, allowing unauthorized users to access information they shouldn't have. This includes check-in e...
Severity: 5.5

SourceCodester Pharmacy Management System: Uncontrolled Sales Quantity
CVE-2026-5812
The SourceCodester Pharmacy Product Management System 1.0 has a security issue that can be exploited remotely. An attacker can manipulate sales quantities, potentially causing unintended business logi...
Severity: 5.3

SourceCodester Online Food Ordering System allows malicious price changes
CVE-2026-5811
A security issue in the SourceCodester Online Food Ordering System's save_product function could allow an attacker to manipulate product prices, potentially causing business logic errors. This vulnera...
Severity: 5.3

GitLab EE: Unauthenticated users can execute malicious code in dashboards
CVE-2026-4332
GitLab has fixed a security issue in its Enterprise Edition that could have allowed users to inject malicious code into other users' browsers. This was possible in customizable analytics dashboards, a...
Severity: 5.4

Hayabusa versions before 3.8.0 allow attackers to inject code into reports
CVE-2026-40028
If you use Hayabusa, an attacker could potentially inject malicious code into reports generated from exported logs, allowing them to steal sensitive information or take control of the examiner's sessi...
Severity: 5.1

RT-Theme 18 Extension CSRF Attack Risk
CVE-2026-39710
A security weakness in the RT-Theme 18 Extensions allows hackers to trick users into performing unintended actions on your website. This could lead to unauthorized changes or data theft. To protect yo...
Severity: 5.4

Grand Magazine allows attackers to make unauthorized changes
CVE-2026-39635
A security issue in Grand Magazine allows an attacker to trick users into performing actions on a website without their knowledge or consent. This means that an attacker could make changes to a user's...
Severity: 5.4

WordPress Attendance Manager plugin leaks sensitive data due to a SQL attack
CVE-2026-3781
The Attendance Manager plugin for WordPress, used in all versions up to 0.6.2, allows an attacker with a Subscriber account or higher to access sensitive information from the database. This is a serio...
Severity: 5.4

AM LottiePlayer WordPress Plugin Allows Attackers to Inject Malicious Scripts in Uploaded SVG Files
CVE-2025-1794
The AM LottiePlayer plugin for WordPress is not properly checking some user-uploaded files, which means attackers with certain levels of access can inject malicious code into certain pages on your sit...
Severity: 5.4

MATCHA SNS versions 1.3.9 and earlier allow malicious scripts to run in users' browsers
CVE-2026-27787
MATCHA SNS users may be at risk of having malicious scripts executed on their web browsers if they visit a compromised website. This could potentially lead to unauthorized actions or data theft. Users...
Severity: 5.1

pyLoad WebUI Allows Unauthorized Access to Actions
GHSA-rfgh-63mg-8pwm
An authenticated user with 'ADD' or 'DELETE' permission can execute actions meant for 'MODIFY' permission. This can lead to unintended changes to the system. To fix this, update the WebUI JSON endpoin...
Severity: 5.4