CVE Vulnerabilities - 16 April 2026

950 vulnerabilities published on 16 April 2026

Mako: Untrusted Files Can Be Accessed
GHSA-v92g-xgxw-vvmm
Mako's TemplateLookup can access any file readable by the process if given a specially crafted URL. This can happen if an application passes untrusted input to TemplateLookup.get_template(). To fix, u...
6.3
Arcserve UDP Console Exposes Sensitive Data to Wrong Server
CVE-2026-40118
The Arcserve UDP Console may reveal sensitive information to an unintended server if the activation server hostname is set to an invalid URL. This could potentially put sensitive data at risk. Users s...
5.1
Renovate: Bazel Manager Allows Remote Code Execution with Malicious Dependency
GHSA-5vjq-5jmg-39xq
Renovate's Bazel manager allowed a malicious dependency to execute code on your system if you used a specific feature. This has been fixed, but you should review your settings to ensure you're not vul...
6.3
Renovate Remote Code Execution Possible with Bazel Managers
GHSA-5vjq-5jmg-39xq
Renovate's Bazel module and Bazelisk managers had a vulnerability that could allow malicious code to be executed on your system if you used the lockFileMaintenance feature. This was fixed by default, ...
6.3
OnlyOffice Desktop Editors: File Access with Elevated Privileges
CVE-2026-41030
The update service in OnlyOffice Desktop Editors has a security weakness that could allow an attacker to access and modify files with elevated privileges. This could potentially lead to unauthorized c...
6.2
AdonisJS Redirects to Untrusted Sites with Malicious Links
GHSA-6qvv-pj99-48qm CVE-2026-40255
AdonisJS applications using an outdated version of the HTTP server are vulnerable to redirects to malicious sites. An attacker can trick users into visiting a fake site by manipulating the URL link. T...
6.1
GitHub OAuth Callback on zrok Allows Arbitrary Script Execution
GHSA-4fxq-2x3x-6xqx CVE-2026-40302
An attacker can trick a user into clicking a malicious link, leading to arbitrary JavaScript execution on the OAuth server. This can allow the attacker to initiate new OAuth flows or submit forms on b...
6.1
ApostropheCMS allows XSS through form and textarea elements
CVE-2026-40186 GHSA-9mrh-v2v3-xpfm
A bug in ApostropheCMS's form and textarea handling can let hackers inject malicious code into forms and text areas. This is a risk for sites using ApostropheCMS's form builders or CMS platforms. Upgr...
6.1
User Input is Not Properly Encoded in Authentication Page
CVE-2025-6024
An attacker can inject malicious scripts into the authentication page, potentially redirecting users to fake sites, manipulating the page, or stealing information. This does not allow hackers to steal...
6.1
Apache HTTP Server: Malicious Scripts Injected in Authentication
CVE-2024-10242
Apache HTTP Server's authentication endpoint doesn't properly check user input, allowing hackers to inject malicious code that can redirect users to fake sites, alter web page content, or steal inform...
6.1
Customer Reviews for WooCommerce plugin allows malicious scripts to be injected
CVE-2026-3355
The Customer Reviews for WooCommerce plugin for WordPress has a security flaw that lets attackers put malicious code on a website if a user clicks on a link. This could allow the attacker to steal sen...
6.1
CodeColorer plugin for WordPress allows attackers to inject malicious code
CVE-2026-4032
The CodeColorer WordPress plugin is at risk because attackers can inject malicious code into web pages. This could happen when a user views a page with a malicious comment. To stay safe, update the pl...
6.1
Flowise Execute Flow Node Allows Remote Access to Internal Network
GHSA-9hrv-gvrv-6gf2
The Flowise Execute Flow node in some versions of Flowise allows an attacker to trick the system into making unauthorized requests to internal network addresses, potentially exposing sensitive informa...
6.0
WSO2 Identity Server: Locked Users Can Keep Access to Protected Resources
CVE-2025-12624
A locked user account in WSO2 Identity Server can still access protected resources using previously issued access tokens. This means that a locked account can continue to access sensitive data or perf...
6.0
Eaton Intelligent Power Protector allows malicious code execution
CVE-2026-22615
The Eaton Intelligent Power Protector software has a security flaw that allows an attacker with admin access to the system to run unauthorized code. This could lead to unauthorized changes or data the...
6.0
Fastify Static Path Decoding Allows File Access Bypass
CVE-2026-6414 GHSA-x428-ghpx-8j92
The Fastify Static package incorrectly decodes path separators in URLs, allowing attackers to bypass security protections. This affects users of Fastify Static versions 8.0.0 through 9.1.0. To fix thi...
5.9
junrar: Attackers can write files to any directory
GHSA-hf5p-q87m-crj7
The junrar software has a bug that lets attackers write files to any directory on your computer if they send a special kind of RAR file. This could be used to spread malware or steal sensitive data. U...
5.9
WinRAR: Malicious Files Can Be Written to Wrong Folders
GHSA-hf5p-q87m-crj7
WinRAR has a flaw that lets attackers write files to other folders on your computer by crafting a special type of archive. This can happen if you extract a malicious RAR file in a certain way. To stay...
5.9
OAuth Server: Weak Code Verifier Allows Brute-Force Token Theft
GHSA-jhm7-29pj-4xvf
A security weakness in the OAuth server allows an attacker who intercepts an authorization code to try different code verifier values until they guess the correct one, allowing them to obtain an acces...
5.9
OAuth Server: Weak Code Verifier Allows Brute-Force Token Theft
GHSA-jhm7-29pj-4xvf
A security flaw in the OAuth server allows an attacker to steal tokens by guessing a weak code verifier. This can happen if an attacker intercepts an authorization code and tries different weak code v...
5.9
Ruby Zlib Interface Fails to Ensure Safe Data Storage
CVE-2026-27820 GHSA-g857-hhfv-j68w
A flaw in the Ruby Zlib interface can cause data to be stored in an incorrect location, potentially leading to memory corruption. This issue affects users of the affected versions who decompress data ...
5.9
AMD EPYC 9005 CPUs: Guest Data Exposure by Authorized Users
CVE-2025-54510
A security issue in AMD EPYC 9005 Series CPUs could allow a user with certain privileges to access sensitive data in a virtual environment. This could potentially happen when a user with authorized ac...
5.9
Eaton Intelligent Power Protector HTTP Header Exposes Users to Attacks
CVE-2026-22618
A security flaw in Eaton's Intelligent Power Protector software could allow hackers to launch web-based attacks. This issue has been fixed in the latest version, which is available for download. Updat...
5.9
Sparx Enterprise Architect fails to verify OAuth credentials
CVE-2025-15621
The Sparx Systems Enterprise Architect software does not properly check the identity of the recipient when sharing sensitive login credentials. This could allow an attacker to intercept and misuse the...
5.7
Eaton Intelligent Power Protector Unsecured Login Cookie Exposes User Accounts
CVE-2026-22617
The Eaton Intelligent Power Protector software uses a weak login cookie that can be intercepted by an attacker on the same network. This could allow an unauthorized person to access your account and c...
5.7