
CVE Vulnerabilities - 16 April 2026


962 vulnerabilities published on 16 April 2026

Mathjs expression parser allows arbitrary JavaScript execution
GHSA-29qv-4j9f-fjw5 CVE-2026-40897
If users can input math expressions in your app, a bad actor could inject malicious code. This affects mathjs versions before 15.2.0. To stay safe, update to version 15.2.0 or later.
8.8
My Calendar Plugin Exposes Private Events on WordPress Sites
GHSA-2mvx-f5qm-v2ch CVE-2026-40308
An attacker can view private or hidden calendar events on any WordPress site, or crash the site on single-site installations. This can happen because the My Calendar plugin doesn't properly check who ...
8.8
ACME Lego: Arbitrary File Write via Path Traversal in Webroot HTTP-01 Provider
GHSA-qqx8-2xmm-jrv8 CVE-2026-40611
Summary: The webroot HTTP-01 challenge provider in lego is vulnerable to arbitrary file write and deletion via path traversal. A malicious ACME server can supply a crafted challenge token containi...
8.8
Weblate User Patching API Allows Unauthorized Edits
CVE-2026-34393 GHSA-3382-gw9x-477v
Weblate's user patching API in older versions allowed anyone to make changes to translations without proper authorization. This could lead to unauthorized edits being made to translations. Update to W...
8.8
WordPress Career Section Plugin Deletes Files on Unauthentic Clicks
CVE-2025-14868
The Career Section plugin for WordPress has a security flaw that lets attackers delete files on your website if an administrator clicks on a malicious link. This can happen if an attacker tricks an ad...
8.8
Livemesh Addons for Elementor allows attackers to access server files
CVE-2026-1620
If you use the Livemesh Addons for Elementor plugin with WordPress, an attacker could trick an administrator into installing a malicious file. This would allow the attacker to access and potentially e...
8.8
AcyMailing for WordPress: Privilege Escalation Risk for Attackers
CVE-2026-3614
The AcyMailing plugin for WordPress is vulnerable to a security risk that allows attackers to gain unauthorized access to administrative features and potentially take control of the site. This risk af...
8.8
Festo MSE6 products: Unauthorized access to test mode data
CVE-2023-3634
Some Festo MSE6 products have a hidden test mode that can be accessed by an authorized user who shouldn't have it. This could potentially allow an attacker to see sensitive information and disrupt sys...
8.8
WinMatrix Agent: Local Attackers Can Run System-Level Code
CVE-2026-6348
The WinMatrix agent from Simopro Technology has a security weakness that allows someone with a valid login on the same computer to run any code with administrator-level access, not just on that comput...
9.3
OpenHarness Allowing Sensitive Commands Through Remote Chat Sessions
CVE-2026-40502
Remote users can access and change settings in OpenHarness through chat sessions. This is a security risk because it allows unauthorized changes to the system. Update to the latest version of OpenHarn...
8.7
Apache ActiveMQ allows malicious code execution through web console
CVE-2026-34197 GHSA-rxpj-7qvf-xv32
Apache ActiveMQ Classic's web console has a security flaw that lets an attacker inject malicious code and take control of the system. This can happen if an attacker logs in to the console and uses a s...
8.8 KEV
Paperclip: Unauthorized access to Gmail account via connected ChatGPT/OpenAI app
GHSA-gqqj-85qm-8qhf
A security issue in Paperclip allowed it to access your connected Gmail account and send emails without permission. This happened because of a misconfigured setting that allowed the program to bypass ...
8.7
Angular SSR: Attacker Can Hijack Internal APIs with Malicious URLs
GHSA-45q2-gjvg-7973
A vulnerability in Angular's Server-Side Rendering (SSR) feature allows an attacker to trick the application into thinking a malicious website is the local origin, potentially exposing internal APIs o...
8.7
free5GC is an open-source implementation of the 5G core network. In versions 4.2.1 and below of the UDR service, the handler for creating or updating Traffic Influence Subscriptions checks whether ...
GHSA-jgq2-qv8v-5cmj CVE-2026-40248
free5GC is an open-source implementation of the 5G core network. In versions 4.2.1 and below of the UDR service, the handler for creating or updating Traffic Influence Subscriptions checks whether the...
8.7
Free5GC UDR lets attackers access sensitive data without login
GHSA-x5r2-r74c-3w28 CVE-2026-40247
The Free5GC UDR system has a security weakness that allows unauthorized users to access sensitive data by sending a special request. This means attackers can potentially get access to confidential inf...
8.7
Free5GC UDR allows unauthorized deletion of traffic influence subscriptions
GHSA-g9cw-qwhf-24jp CVE-2026-40246
The free5GC UDR service has a security weakness that lets anyone delete traffic influence subscriptions without logging in. This is because the system doesn't properly check the path of incoming reque...
8.7
Flowise: Data Exfiltration via Neo4j Database Tampering
GHSA-28g4-38q8-3cwc
The Flowise GraphCypherQAChain node in Flowise allows malicious users to inject arbitrary commands into the Neo4j database, potentially leading to unauthorized data access, modification, or deletion. ...
8.7
CloneSite Plugin Allows Remote Code Execution in WWBN AVideo
GHSA-xr6f-h4x7-r6qp
The CloneSite plugin in WWBN AVideo contains a vulnerability that allows an attacker to inject malicious commands, potentially leading to remote code execution on the server. This could allow an attac...
8.7
DataEase versions 2.10.20 and below: Unauthorized database access
CVE-2026-40900
DataEase versions 2.10.20 and below contain a security risk that allows an attacker with valid login credentials to access and modify your database. This is a serious issue that allows unauthorized ch...
8.7
MCP-Framework: Large HTTP request crashes server
GHSA-353c-v8x9-v7c3 CVE-2026-39313
A large HTTP request can cause the server to run out of memory and crash. This can happen if an attacker sends a very large POST request to the server. To fix this, MCP-Framework should set a limit on...
8.7
ApostropheCMS: Malicious code can be injected in SEO fields
CVE-2026-35569 GHSA-855c-r2vq-c292
ApostropheCMS versions 4.28.0 and earlier contain a security flaw that allows an attacker to inject malicious code into SEO fields, potentially allowing them to access sensitive user data and perform ...
8.7
Google Chrome: Malicious SPDY Frames Can Crash Service
GHSA-pc3f-x583-g7j2 CVE-2026-35469
A security flaw in the SPDY protocol used by Google Chrome can allow a malicious actor to send a special type of packet that crashes the service. This affects any program using the spdystream library,...
8.7
DataEase versions 2.10.20 and below: SQL injection risk in data sorting
CVE-2026-33084
DataEase users may be at risk of unauthorized data access due to a flaw in the data sorting feature. An attacker with an account on the platform can potentially inject malicious code to access sensiti...
8.7
DataEase SQL Injection in Sorting Direction Field
CVE-2026-33083
DataEase versions 2.10.20 and below are vulnerable to a security issue that allows an attacker to access and manipulate data in the database. This could lead to unauthorized data extraction or the web...
8.7
DataEase SQL Injection in Dataset Export Functionality
CVE-2026-33082
Using DataEase versions 2.10.20 and below, an attacker can inject malicious SQL code into the dataset export feature, potentially stealing sensitive data or disrupting the application. This issue has ...
8.7