CVE Vulnerabilities - 14 April 2026

744 vulnerabilities published on 14 April 2026

Fortinet FortiSandbox: Malicious Web Requests Can Execute Code
CVE-2025-61886
An attacker can inject malicious code into FortiSandbox's web interface by sending a specially crafted HTTP request, potentially allowing them to take control of the system or steal sensitive informat...
5.4
FortiNDR and FortiVoice: Sensitive Info Leaked via Malformed HTTP Requests
CVE-2024-23104
Fortinet's FortiNDR and FortiVoice software has a security flaw that could allow an authorized but unauthorized actor to access sensitive backup information by sending specially crafted HTTP requests....
5.4
Ivanti N-ITSM Stored XSS lets attackers steal session data
CVE-2026-4914
Ivanti N-ITSM versions before 2025.4 contain a security weakness that lets an attacker who has already logged in to the system steal information from other users' sessions. This requires the attacker ...
5.4
Kiuwan SAST: Disabled users can still access the application
CVE-2026-24069
A security issue in Kiuwan SAST affects how it handles user accounts. Disabled users can still access the application through single sign-on (SSO) logins. Affected versions of Kiuwan Cloud and on-prem...
5.4
Craft CMS: Removing Users from Groups Without Proper Permission
GHSA-jq2f-59pj-p3m3
Craft CMS 5.6.0 through 5.9.14 allows users with limited permissions to remove users from groups. This means that someone with only viewing permissions could accidentally or intentionally remove other...
5.3
AVideo's LiveLinks proxy still exposes internal IP addresses
GHSA-793q-xgj6-7frp
AVideo's LiveLinks proxy in AVideo has a security issue that allows hackers to view internal IP addresses. This is a concern because it could allow unauthorized access to sensitive areas of your netwo...
5.3
AVideo LiveLinks proxy has DNS rebinding vulnerabilities
GHSA-793q-xgj6-7frp
The AVideo LiveLinks proxy in AVideo has not fully fixed a security weakness that could allow attackers to access internal systems. This affects users of AVideo who rely on the LiveLinks proxy. To sta...
5.3
AVideo CAPTCHA Easily Bypassed via Length Parameter and Missing Token Invalidation
GHSA-hg7g-56h5-5pqr
An attacker can easily bypass the CAPTCHA protection on AVideo by manipulating the CAPTCHA length parameter, allowing them to bypass CAPTCHAs in as few as 33 attempts. This vulnerability affects CAPTC...
5.3
AVideo CAPTCHA Can Be Bypassed with a Single Request
GHSA-hg7g-56h5-5pqr
AVideo's CAPTCHA can be easily bypassed by an attacker, allowing them to force the server to generate a single-character CAPTCHA word. This makes it possible for an attacker to brute-force CAPTCHA val...
5.3
SiYuan has incomplete fix for CVE-2026-33066: XSS
GHSA-8q5w-mmxf-48jg
The incomplete fix for SiYuan's bazaar README rendering enables the Lute HTML sanitizer but fails to block `<iframe>` tags, allowing stored XSS via `srcdoc` attributes containing embedded...
5.3
AVideo Exposes Developer Emails and Commit Hashes to Unauthenticated Users
GHSA-52hf-63q4-r926
An unauthenticated user can access a PHP script that reveals developer email addresses and the exact version of AVideo's code deployed, which can be used to identify potential security vulnerabilities...
5.3
AVideo Exposes Deployed Version, Developer Info, and Internal References
GHSA-52hf-63q4-r926
AVideo's git.json.php script allows anyone to access sensitive information, including deployed version, developer emails, and internal system references. This can be used to identify potential vulnera...
5.3
October CMS Platform: Malicious SVG Uploads Can Hijack User Sessions
CVE-2026-25133 GHSA-gcqv-f29m-67gr
October CMS versions 3.7.13 and earlier, and 4.1.9 and earlier, contain a security flaw that allows hackers to upload malicious SVG files through the Media Manager. If a site administrator views or em...
5.3
Nexi XPay plugin on WordPress allows unauthorized order changes
CVE-2025-15565
The Nexi XPay plugin for WordPress is not properly securing redirects, allowing unauthorized users to mark WooCommerce orders as paid or completed. This could lead to incorrect order status and potent...
5.3
October CMS: Untrusted Editor Settings Can Execute Malicious Code
CVE-2026-24906 GHSA-6qmh-j78v-ffp7
Old versions of October CMS have a security flaw that could allow an attacker to take over the system by tricking an administrator into opening a specially crafted document. To fix this, update to ver...
5.3
Excessive Zip File Creation Can Crash System
CVE-2026-2405
A user with administrative access can crash the system by flooding it with requests, causing the system to create too many zip files and run out of resources. This can happen when an administrator rep...
5.3
Web Admin Log Settings Truncation Risk in [Software Name]
CVE-2026-2403
A vulnerability in the Web Admin interface can cause log entries to be cut off prematurely, potentially hiding important information about what's happening on your system. This can make it harder to t...
5.3
Resetting credentials possible via malicious Web Admin user input
CVE-2026-2400
A vulnerability in the application's POST request handling could allow a malicious Web Admin user to reset user credentials. This could happen if a user with elevated privileges alters a specific requ...
5.3
Python 3.14+ Remote Debugging Feature Allows Malicious Access
CVE-2026-5713 PSF-2026-19
A security risk exists in Python versions 3.14 and later, specifically in the remote debugging feature. This allows a malicious process to potentially access and control a target process if it is conn...
5.3
MCPHub: Unauthenticated Users Can Act as Others
CVE-2025-13822 GHSA-9vq7-9h42-j88h
Versions of MCPHub below 0.11.0 have a security issue where anyone can access and act as other users without being authorized. This can lead to unauthorized access and actions on the system. Update to...
5.3
Apache APISIX exposes sensitive data in plaintext
CVE-2026-31924
Apache APISIX versions 2.99.0 to 3.15.0 send sensitive information over an unsecured connection. This means that anyone with access to the network could intercept and read that information. To fix thi...
5.3
MaxKB Chat Export Feature Allows Malicious Excel Files
CVE-2026-39424
The chat export feature in MaxKB versions 2.7.1 and below can create Excel files that can harm your computer if you open them with Microsoft Excel. This is a security risk, so update to version 2.8.0 ...
5.3
Chamilo LMS: Malicious Files Can Hijack User Sessions
CVE-2026-34161
A security issue in older Chamilo LMS versions allows an attacker to upload a malicious file, which can take over a user's session and perform actions on their behalf. This affects users who have not ...
5.1
October CMS: Malicious Emails Can Run Code on Your Website
CVE-2026-24907 GHSA-j4j5-9x6g-rgxc
Older versions of the October CMS platform are vulnerable to a security risk that allows malicious emails to run code on your website. This could allow hackers to steal sensitive information or take c...
5.1
MaxKB AI Assistant: Stored XSS in Versions 2.7.1 and Below
CVE-2026-39426
Older versions of MaxKB contain a security flaw that allows attackers to inject malicious code into the system, potentially allowing them to access sensitive information and take unauthorized actions....
5.1