CVE Vulnerabilities - 16 April 2026

965 vulnerabilities published on 16 April 2026

Meridian: Public APIs Can Expose Sensitive Data
GHSA-f5v8-v6q3-q4h6
The Meridian software has a security issue that allows unauthorized access to sensitive data. This issue affects users who rely on Meridian for data mapping and processing. To fix this, update to the ...
7.5
ngtcp2: Large QUIC Parameter Can Crash the Server
CVE-2026-40170
A bug in ngtcp2's QUIC implementation can cause a server to crash if it receives a large QUIC parameter from a remote peer. This is fixed in version 1.22.1. If you can't update right away, you can dis...
7.5
Flowise: Password Reset Link Sent Over Unsecured Connection
GHSA-x5w6-38gp-mrqh
Flowise's password reset feature sends a reset link over an unsecured connection, making it possible for an attacker on the same network to intercept the link and gain unauthorized access to your acco...
7.5
Flowise: Sensitive Data Exposed in Public Chatbot Config
GHSA-4jpm-cgx2-8h37
Flowise exposes sensitive data, including API keys and passwords, in public chatbot configurations without authentication. This means an attacker can access and steal sensitive information by knowing ...
7.5
Basic-FTP: Unbounded Memory Consumption via Large FTP Listings
GHSA-rp42-5vxx-qpwr
An attacker can consume a Basic-FTP server's memory by sending an extremely large or never-ending directory listing. This can cause the server to become unstable or crash. To avoid this, consider usin...
7.5
basic-ftp: Denial of Service via Unbounded Memory Consumption
GHSA-rp42-5vxx-qpwr
The basic-ftp software is at risk of crashing or becoming unstable if it receives an extremely large or never-ending directory listing from a remote FTP server. This could happen if an attacker sends ...
7.5
DataEase Data Visualization Platform: Remote Code Execution Risk
CVE-2026-40901
DataEase versions 2.10.20 and below are at risk of a security breach that could allow an attacker to gain full control of the system. If an attacker with permission to schedule jobs can exploit this v...
7.5
PsiTransfer: Upload PATCH path traversal can create `config.<NODE_ENV>.js` and lead to code execution on restart
GHSA-533q-w4g6-5586
Summary: The upload PATCH flow under `/files/:uploadId` validates the mounted request path using the still-encoded `req.path`, but the downstream tus handler later writes using the decoded `req.pa...
7.5
Unauthenticated Denial of Service via Oversized Cookie Parsing
GHSA-cpf9-ph2j-ccr9 CVE-2026-40303
An attacker can cause the proxy server to run out of memory by sending a specially crafted cookie, taking down the server for all users. This requires no authentication and can be done with a single m...
7.5
BIND DNS Server Can Crash with Malicious DNS Data
RLSA-2026:8312
A security update is available for BIND, a key component of many organizations' DNS infrastructure. This update fixes a critical issue where a maliciously crafted DNS message could cause the DNS serve...
7.5
Apache SkyWalking Leaks Sensitive DB Config via Debugging Endpoint
CVE-2026-30778 GHSA-27h3-crw2-q36w
Apache SkyWalking versions 9.7.0 through 10.3.0 may expose sensitive database settings. This could allow unauthorized access to your database credentials. To fix, update to version 10.4.0 or later.
7.5
Fio Crashes When Parsing Malformed Job Files with fdp_pli Option
CVE-2026-30656
A flaw in fio 3.41 causes it to crash when processing certain job files. This means fio might stop working unexpectedly, making it difficult to run I/O tests. Update to a fixed version of fio to preve...
7.5
DirectoryPress plugin for WordPress allows attackers to access sensitive data
CVE-2026-3489
The DirectoryPress plugin for WordPress has a security flaw that allows hackers to access sensitive information from the database without needing a password. This affects versions up to 3.6.26. Update...
7.5
WSO2 Products Fail to Safely Process User-Submitted XML Data
CVE-2024-2374
WSO2's XML parsers don't safely handle user-submitted data, allowing hackers to access sensitive files or crash servers. This can lead to unauthorized data exposure or service disruptions. Update your...
7.5
LangChain Core: Unsecured File Access through User Config
GHSA-qh6h-p6c9-ff54 CVE-2026-34070
LangChain Core's legacy loading functions can read arbitrary files on the host filesystem when user-influenced config is passed to them. This can happen if an attacker can control prompt configuration...
7.5
Payment Gateway for Redsys & WooCommerce Lite plugin on WordPress allows fake payments
CVE-2026-5050
Versions of this WordPress plugin may allow attackers to fake payments and mark orders as paid without a real payment being made. This can lead to incorrect order fulfillment and financial loss. Updat...
7.5
Riaxe Product Customizer Plugin for WordPress Allows Attackers to Access Sensitive Data
CVE-2026-3599
The Riaxe Product Customizer plugin for WordPress allows attackers to extract sensitive database information without needing a login. This is because the plugin doesn't properly protect user input, al...
7.5
MailGates/MailAudit allows unauthorized access to system files
CVE-2026-6351
A flaw in MailGates/MailAudit allows attackers to view sensitive system files without a password. This could lead to the exposure of confidential information. Update MailGates/MailAudit to the latest ...
8.7
Froxlor Allows Malicious Users to Take Control of Arbitrary Directories
GHSA-75h4-c557-j89r
A security issue in Froxlor allows a malicious user to take ownership of any directory on the system, which can lead to unauthorized access and control of sensitive files. This is due to a missing sec...
7.5
Froxlor DataDump Feature Allows Unauthorized Directory Ownership
GHSA-75h4-c557-j89r
A security issue in Froxlor's DataDump feature allows an attacker to take control of arbitrary directories on the system if the ExportCron runs as root. This is due to a missed patch in the DataDump.a...
7.5
Fastify Middie versions 9.3.1 and earlier can be bypassed by attackers
CVE-2026-33804 GHSA-v9ww-2j6r-98q6
A security issue in outdated versions of @fastify/middie allows attackers to bypass security checks. This happens when a specific option is enabled, an option whose use is not recommended. To fix it, update ...
7.4
Adobe Photoshop and Other Apps Can Run Malicious Code from Images
RLSA-2026:7682
A security update is available for Adobe Photoshop and other apps that use OpenEXR, a type of image file format. If you use these apps, be aware that hackers could potentially run malicious code if th...
7.4
Rsync with xattr enabled can crash on Linux systems
CVE-2026-41035
A bug in rsync's xattr feature can cause it to crash on Linux systems, but only if you're using a specific option. To fix, update to a newer version of rsync or disable the xattr feature if you don't ...
7.4
Old versions of radare2 on some Unix systems may allow hackers to execute commands
CVE-2026-41015
Old versions of radare2, a debugging tool, are vulnerable to a security risk on some Unix systems. If you are not using the latest version, hackers could potentially inject malicious commands. Update to the l...
7.4