CVE Vulnerabilities - 14 April 2026

761 vulnerabilities published on 14 April 2026

Each entry lists the title, the advisory identifier(s), a summary, and the severity score.
Smart Post Show Plugin for WordPress Exposes Data and Files to Attackers
CVE-2026-3017
The Smart Post Show plugin for WordPress versions 3.0.12 and below has a security flaw that could allow an attacker with administrator privileges to access sensitive data or delete files if they have anothe...
7.2
PraisonAI: Uncontrolled Input in SQLite Table Names
GHSA-x783-xp3g-mqhp
An attacker can inject SQL code into table names and access unauthorized data or alter query results. This is due to a misconfigured `table_prefix` value. To fix, review and secure your configuration ...
7.2
PraisonAI SQLite Data Tampering Risk
CVE-2026-40315
A security weakness in PraisonAI's database system before version 4.5.133 allows an attacker to access and alter internal data if they can influence the system's configuration settings. This makes it ...
7.2
PraisonAI: SQLite Table Access Risk from Unvalidated Configuration
GHSA-x783-xp3g-mqhp
PraisonAI's SQLite database may be accessed without permission if an attacker controls the 'table_prefix' configuration value. This could allow them to view internal database tables or alter query res...
7.2
BackWPup plugin for WordPress allows attackers to access sensitive files
CVE-2026-6227
The BackWPup plugin for WordPress has a security flaw that lets attackers with administrator access view sensitive files or take control of the server. This issue affects all versions of the plugin up...
7.2
Old Form Maker plugin for WordPress lets attackers inject code
CVE-2026-4388
The Old Form Maker plugin for WordPress can allow attackers to inject malicious code into forms submitted to your website. This could allow them to take control of your site if an administrator views ...
7.2
WWBN AVideo has a CORS Origin Reflection Bypass via plugin/API/router.php and allowOrigin(true) Exposes Authenticated API Responses
GHSA-ff5q-cc22-fgp4
## Summary The CORS origin validation fix in commit `986e64aad` is incomplete. Two separate code paths still reflect arbitrary `Origin` headers with credentials allowed for all `/api/*` endpoints: (1...
7.1
Adobe Video Server exposes user data to unauthorized access
GHSA-ff5q-cc22-fgp4
Adobe Video Server has a security issue that allows attackers to see sensitive user data. This is because the server incorrectly allows anyone to access certain API endpoints, potentially revealing us...
7.1
AVideo Admin Panel CSRF Risks: Unauthorized Actions
GHSA-ffw8-fwxp-h64w
AVideo's admin panel has security weaknesses in certain endpoints, allowing an attacker to trick an administrator into performing unauthorized actions such as creating or deleting categories, or running ma...
7.1
AVideo Admin Panel Allows Malicious Category Creation and Plugin Execution
GHSA-ffw8-fwxp-h64w
Three admin-only features in AVideo's admin panel can be exploited by a malicious page, allowing an attacker to create or delete categories and execute plugin scripts. This is due to a missing securit...
7.1
Zarf has a Path Traversal via Malicious Package Metadata.Name — Arbitrary File Write
GHSA-pj97-4p9w-gx3q CVE-2026-40090
### Impact This vulnerability impacts users of `zarf package inspect sbom` or `zarf package inspect documentation` on untrusted packages. ### Patches #4793, now fixed in version v0.74.2 ### Workarou...
7.1
Chamilo LMS: Unauthorized Access to Courses and User Enrollment
CVE-2026-34602
An attacker can enroll any user into any course without permission. This can give users access to course materials and bypass enrollment controls. Update to version 2.0.0-RC.3 to fix this issue.
7.1
libsixel versions 1.8.7 and earlier can crash or run malicious code
CVE-2026-33020
Older versions of libsixel have a bug that can cause the program to crash or run unauthorized code. This can happen if the program is shown a specially crafted image. To fix this, update to version 1....
7.1
Libsixel versions 1.8.7 and prior allow crashes and data exposure
CVE-2026-33019
Libsixel, a library for encoding and decoding images, has a bug in its handling of image cropping that can cause a crash or expose sensitive data. This affects versions 1.8.7 and prior. Update to vers...
7.1
Chamilo LMS: Admins can access sensitive data through SQL injection
CVE-2026-33714
An attacker with admin access to a Chamilo learning management system can potentially steal sensitive data from the database by exploiting a flaw in the statistics feature. This can be prevented by up...
7.1
Microsoft Excel Allows Unauthorized Access to Local Data
CVE-2026-32188
A vulnerability in Microsoft Excel could allow an attacker to access and read sensitive data stored on a local computer. This could happen if a user opens a malicious file or visits a compromised webs...
7.1
Windows Remote Desktop Fails to Warn of Spoofed Connections
CVE-2026-26151
An attacker can trick users into connecting to a fake server, potentially intercepting sensitive information. This affects Windows Remote Desktop users who connect to remote servers, and it's essentia...
7.1
Krayin CRM v2.2.x allows malicious SQL code execution
CVE-2026-38528
An attacker can inject malicious SQL code into Krayin CRM, potentially gaining unauthorized access to sensitive data. This vulnerability affects Krayin CRM version 2.2.x and could be exploited by an a...
7.1
Fusion Desktop App Allows Malicious Code Execution via Input
CVE-2026-4369
A maliciously crafted file name can trick the Autodesk Fusion desktop app into running malicious code. This can allow an attacker to access sensitive local files or take control of the computer. To protect yourse...
7.1
Autodesk Fusion Desktop App Can Read Local Files or Run Malicious Code
CVE-2026-4345
A maliciously crafted design name in Autodesk Fusion can be exported to a CSV file, potentially allowing an attacker to access sensitive local files or execute unauthorized code. This vulnerability af...
7.1
Autodesk Fusion desktop app allows malicious code to run on user's machine
CVE-2026-4344
A flaw in the Autodesk Fusion desktop application could allow a malicious actor to execute code on a user's computer if the user clicks on a specially crafted link or file name while viewing a delete confir...
7.1
Industrial Edge Management Pro: Unauthenticated Remote Access to Devices
CVE-2026-33892
A security issue in Industrial Edge Management Pro allows an attacker to access devices without proper authentication. This could happen if the attacker knows the remote connection details. To protect...
5.1
External Secrets Operator: DNS-based Secret Leaks through Templates
GHSA-r2pg-r6h7-crf3 CVE-2026-34984
The External Secrets Operator's template engine can leak secrets to the internet if an attacker creates or updates a templated ExternalSecret resource. This can happen if the controller can perform DN...
7.1
SAP ERP and S/4HANA: Attacker can overwrite critical system reports
CVE-2026-34256
An attacker with access to the system can modify critical reports without permission, potentially causing system unavailability and disrupting operations. This affects SAP ERP and S/4HANA systems, bot...
7.1
SiYuan has incomplete fix for CVE-2026-33066: XSS
GHSA-8q5w-mmxf-48jg
### Summary The incomplete fix for SiYuan's bazaar README rendering enables the Lute HTML sanitizer but fails to block `<iframe>` tags, allowing stored XSS via `srcdoc` attributes containing embedded...
7.0