{"pagination":{"currentPage":1,"totalPages":45,"totalEntries":1119,"resultsPerPage":25},"vulnerabilities":[{"cveID":"CVE-2026-5721","namespaces":{"nvd_nist_gov":{"cve":{"id":"CVE-2026-5721","sourceIdentifier":"security@wordfence.com","published":"2026-04-20T23:16:24.403","lastModified":"2026-04-20T23:16:24.403","vulnStatus":"Received","cveTags":[],"descriptions":[{"lang":"en","value":"The wpDataTables – WordPress Data Table, Dynamic Tables & Table Charts Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 6.5.0.4. This is due to insufficient input sanitization and output escaping in the prepareCellOutput() method of the LinkWDTColumn, ImageWDTColumn, and EmailWDTColumn classes. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page, given that they can trick an Administrator into importing data from an attacker-controlled source and the affected column types (Link, Image, or Email) are configured."}],"metrics":{"cvssMetricV31":[{"source":"security@wordfence.com","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N","baseScore":4.7,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":1.6,"impactScore":2.7}]},"weaknesses":[{"source":"security@wordfence.com","type":"Primary","description":[{"lang":"en","value":"CWE-79"}]}],"references":[{"url":"https://plugins.trac.wordpress.org/changeset/3510613/","source":"security@wordfence.com"},{"url":"https://www.wordfence.com/threat-intel/vulnerabilities/id/8db736fb-cd6c-4a52-9dd3-eefd0a8d9267?source=cve","source":"security@wordfence.com"}]}}},"_id":"CVE-2026-5721"},{"cveID":"CVE-2026-34082","namespaces":{"nvd_nist_gov":{"cve":{"id":"CVE-2026-34082","sourceIdentifier":"security-advisories@github.com","published":"2026-04-20T23:16:24.250","lastModified":"2026-04-20T23:16:24.250","vulnStatus":"Received","cveTags":[],"descriptions":[{"lang":"en","value":"Dify is an open-source LLM app development platform. Prior to 1.13.1, the method `DELETE /console/api/installed-apps/<appId>/conversations/<conversationId>` has poor authorization checking and allows any Dify-authenticated user to delete someone else's chat history. Version 1.13.1 patches the issue."}],"metrics":{"cvssMetricV40":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":5.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"LOW","userInteraction":"NONE","vulnConfidentialityImpact":"NONE","vulnIntegrityImpact":"LOW","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-284"},{"lang":"en","value":"CWE-863"}]}],"references":[{"url":"https://github.com/langgenius/dify/releases/tag/1.13.1","source":"security-advisories@github.com"},{"url":"https://github.com/langgenius/dify/security/advisories/GHSA-fxq3-hh7x-c63p","source":"security-advisories@github.com"}]}}},"_id":"CVE-2026-34082"},{"cveID":"CVE-2026-6729","namespaces":{"nvd_nist_gov":{"cve":{"id":"CVE-2026-6729","sourceIdentifier":"disclosure@vulncheck.com","published":"2026-04-20T22:16:23.800","lastModified":"2026-04-20T22:16:23.800","vulnStatus":"Received","cveTags":[],"descriptions":[{"lang":"en","value":"HKUDS OpenHarness prior to PR #159 remediation contains a session key derivation vulnerability that allows authenticated participants in shared chats or threads to hijack other users' sessions by exploiting a shared ohmo session key that lacks sender identity verification. Attackers can reuse another user's conversation state and replace or interrupt their active tasks by colliding into the same session boundary through the shared chat or thread scope."}],"metrics":{"cvssMetricV40":[{"source":"disclosure@vulncheck.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":5.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"LOW","userInteraction":"NONE","vulnConfidentialityImpact":"LOW","vulnIntegrityImpact":"LOW","vulnAvailabilityImpact":"LOW","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"disclosure@vulncheck.com","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L","baseScore":6.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"LOW"},"exploitabilityScore":2.8,"impactScore":3.4}]},"weaknesses":[{"source":"disclosure@vulncheck.com","type":"Primary","description":[{"lang":"en","value":"CWE-287"}]}],"references":[{"url":"https://github.com/HKUDS/OpenHarness/commit/3186851c479ee714a9bb9aa6cd77017db7e589e2","source":"disclosure@vulncheck.com"},{"url":"https://github.com/HKUDS/OpenHarness/pull/159","source":"disclosure@vulncheck.com"},{"url":"https://www.vulncheck.com/advisories/hkuds-openharness-session-key-collision-privilege-escalation","source":"disclosure@vulncheck.com"}]}}},"_id":"CVE-2026-6729"},{"cveID":"CVE-2026-29643","namespaces":{"nvd_nist_gov":{"cve":{"id":"CVE-2026-29643","sourceIdentifier":"cve@mitre.org","published":"2026-04-20T22:16:23.507","lastModified":"2026-04-20T22:16:23.507","vulnStatus":"Received","cveTags":[],"descriptions":[{"lang":"en","value":"XiangShan (Open-source high-performance RISC-V processor) commit edb1dfaf7d290ae99724594507dc46c2c2125384 (2024-11-28) contains an improper exceptional-condition handling flaw in its CSR subsystem (NewCSR). On affected versions, certain sequences of CSR operations targeting non-existent/custom CSR addresses may trigger an illegal-instruction exception but fail to reliably transfer control to the configured trap handler (mtvec), causing control-flow disruption and potentially leaving the core in a hung or unrecoverable state. This can be exploited by a local attacker able to execute code on the processor to cause a denial of service and potentially inconsistent architectural state."}],"metrics":{},"references":[{"url":"https://docs.riscv.org/reference/isa/priv/machine.html","source":"cve@mitre.org"},{"url":"https://docs.riscv.org/reference/isa/priv/priv-csrs.html","source":"cve@mitre.org"},{"url":"https://github.com/OpenXiangShan/XiangShan/issues/3959","source":"cve@mitre.org"},{"url":"https://github.com/OpenXiangShan/XiangShan/pull/3966","source":"cve@mitre.org"}]}}},"_id":"CVE-2026-29643"},{"cveID":"CVE-2026-22051","namespaces":{"nvd_nist_gov":{"cve":{"id":"CVE-2026-22051","sourceIdentifier":"security-alert@netapp.com","published":"2026-04-20T22:16:23.367","lastModified":"2026-04-20T22:16:23.367","vulnStatus":"Received","cveTags":[],"descriptions":[{"lang":"en","value":"StorageGRID (formerly StorageGRID Webscale) versions prior to 11.9.0.13 and 12.0.0.6 are susceptible to a Information Disclosure vulnerability. Successful exploit could allow an authenticated attacker with low privileges to run arbitrary metrics queries, revealing metric results that they do not have access to."}],"metrics":{"cvssMetricV40":[{"source":"security-alert@netapp.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":2.3,"baseSeverity":"LOW","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"PRESENT","privilegesRequired":"LOW","userInteraction":"NONE","vulnConfidentialityImpact":"LOW","vulnIntegrityImpact":"NONE","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}]},"references":[{"url":"https://security.netapp.com/advisory/ntap-20260420-0001","source":"security-alert@netapp.com"}]}}},"_id":"CVE-2026-22051"},{"cveID":"CVE-2026-0930","namespaces":{"nvd_nist_gov":{"cve":{"id":"CVE-2026-0930","sourceIdentifier":"facts@wolfssl.com","published":"2026-04-20T22:16:23.210","lastModified":"2026-04-20T22:16:23.210","vulnStatus":"Received","cveTags":[],"descriptions":[{"lang":"en","value":"Potential read out of bounds case with wolfSSHd on Windows while handling a terminal resize request. An authenticated user could trigger the out of bounds read after establishing a connection which would leak the adjacent stack memory to the pseudo-console output."}],"metrics":{"cvssMetricV40":[{"source":"facts@wolfssl.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":2.3,"baseSeverity":"LOW","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"PRESENT","privilegesRequired":"LOW","userInteraction":"NONE","vulnConfidentialityImpact":"LOW","vulnIntegrityImpact":"NONE","vulnAvailabilityImpact":"LOW","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}]},"weaknesses":[{"source":"facts@wolfssl.com","type":"Secondary","description":[{"lang":"en","value":"CWE-126"}]}],"references":[{"url":"https://github.com/wolfssl/wolfssh/pull/846","source":"facts@wolfssl.com"}]}}},"_id":"CVE-2026-0930"},{"cveID":"CVE-2026-5928","namespaces":{"nvd_nist_gov":{"cve":{"id":"CVE-2026-5928","sourceIdentifier":"3ff69d7a-14f2-4f67-a097-88dee7810d18","published":"2026-04-20T21:16:36.963","lastModified":"2026-04-20T21:16:36.963","vulnStatus":"Received","cveTags":[],"descriptions":[{"lang":"en","value":"Calling the ungetwc function on a FILE stream with wide characters encoded in a character set that has overlaps between its single byte and multi-byte character encodings, in the GNU C Library version 2.43 or earlier, may result in an attempt to read bytes before an allocated buffer, potentially resulting in unintentional disclosure of neighboring data in the heap, or a program crash.\n\nA bug in the wide character pushback implementation (_IO_wdefault_pbackfail in libio/wgenops.c) causes ungetwc() to operate on the regular character buffer (fp->_IO_read_ptr) instead of the actual wide-stream read pointer (fp->_wide_data->_IO_read_ptr). The program crash may happen in cases where fp->_IO_read_ptr is not initialized and hence points to NULL. The buffer under-read requires a special situation where the input character encoding is such that there are overlaps between single byte representations and multibyte representations in that encoding, resulting in spurious matches. The spurious match case is not possible in the standard Unicode character sets."}],"metrics":{},"weaknesses":[{"source":"3ff69d7a-14f2-4f67-a097-88dee7810d18","type":"Secondary","description":[{"lang":"en","value":"CWE-127"}]}],"references":[{"url":"https://sourceware.org/bugzilla/show_bug.cgi?id=33998","source":"3ff69d7a-14f2-4f67-a097-88dee7810d18"}]}}},"_id":"CVE-2026-5928"},{"cveID":"CVE-2026-5450","namespaces":{"nvd_nist_gov":{"cve":{"id":"CVE-2026-5450","sourceIdentifier":"3ff69d7a-14f2-4f67-a097-88dee7810d18","published":"2026-04-20T21:16:36.850","lastModified":"2026-04-20T21:16:36.850","vulnStatus":"Received","cveTags":[],"descriptions":[{"lang":"en","value":"Calling the scanf family of functions with a %mc (malloc'd character match) in the GNU C Library version 2.7 to version 2.43 with a format width specifier with an explicit width greater than 1024 could result in a one byte heap buffer overflow."}],"metrics":{},"weaknesses":[{"source":"3ff69d7a-14f2-4f67-a097-88dee7810d18","type":"Secondary","description":[{"lang":"en","value":"CWE-122"}]}],"references":[{"url":"https://inbox.sourceware.org/libc-announce/b11f0003-6ec1-4bd6-b9de-9e38a4efeca3@redhat.com/T/#u","source":"3ff69d7a-14f2-4f67-a097-88dee7810d18"},{"url":"https://sourceware.org/bugzilla/show_bug.cgi?id=CVE-2026-5450","source":"3ff69d7a-14f2-4f67-a097-88dee7810d18"}]}}},"_id":"CVE-2026-5450"},{"cveID":"CVE-2026-5358","namespaces":{"nvd_nist_gov":{"cve":{"id":"CVE-2026-5358","sourceIdentifier":"3ff69d7a-14f2-4f67-a097-88dee7810d18","published":"2026-04-20T21:16:36.713","lastModified":"2026-04-20T21:16:36.713","vulnStatus":"Received","cveTags":[],"descriptions":[{"lang":"en","value":"The obsolete nis_local_principal function in the GNU C Library version 2.43 and older may overflow a buffer in the data section, which could allow an attacker to spoof a crafted response to a UDP request generated by this function and overwrite neighboring static data in the requesting application.\n\nNIS support is obsolete and has been deprecated in the GNU C Library since version 2.26 and is only maintained for legacy usage. Applications should port away from NIS to more modern identity and access management services."}],"metrics":{},"weaknesses":[{"source":"3ff69d7a-14f2-4f67-a097-88dee7810d18","type":"Secondary","description":[{"lang":"en","value":"CWE-120"}]}],"references":[{"url":"https://sourceware.org/bugzilla/show_bug.cgi?id=34067","source":"3ff69d7a-14f2-4f67-a097-88dee7810d18"}]}}},"_id":"CVE-2026-5358"},{"cveID":"CVE-2026-4852","namespaces":{"nvd_nist_gov":{"cve":{"id":"CVE-2026-4852","sourceIdentifier":"security@wordfence.com","published":"2026-04-20T21:16:36.560","lastModified":"2026-04-20T21:16:36.560","vulnStatus":"Received","cveTags":[],"descriptions":[{"lang":"en","value":"The Image Source Control Lite – Show Image Credits and Captions plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Image Source' attachment field in all versions up to, and including, 3.9.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}],"metrics":{"cvssMetricV31":[{"source":"security@wordfence.com","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N","baseScore":6.4,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":3.1,"impactScore":2.7}]},"weaknesses":[{"source":"security@wordfence.com","type":"Primary","description":[{"lang":"en","value":"CWE-79"}]}],"references":[{"url":"https://plugins.trac.wordpress.org/browser/image-source-control-isc/tags/3.8.0/public/views/global-list.php#L37","source":"security@wordfence.com"},{"url":"https://www.wordfence.com/threat-intel/vulnerabilities/id/db0222e2-5a50-43f4-8620-12b97c712dec?source=cve","source":"security@wordfence.com"}]}}},"_id":"CVE-2026-4852"},{"cveID":"CVE-2026-34403","namespaces":{"nvd_nist_gov":{"cve":{"id":"CVE-2026-34403","sourceIdentifier":"security-advisories@github.com","published":"2026-04-20T21:16:36.267","lastModified":"2026-04-20T21:16:36.267","vulnStatus":"Received","cveTags":[],"descriptions":[{"lang":"en","value":"Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.5, all WebSocket endpoints in nginx-ui use a gorilla/websocket Upgrader with CheckOrigin unconditionally returning true, allowing Cross-Site WebSocket Hijacking (CSWSH). Combined with the fact that authentication tokens are stored in browser cookies (set via JavaScript without HttpOnly or explicit SameSite attributes), a malicious webpage can establish authenticated WebSocket connections to the nginx-ui instance when a logged-in administrator visits the attacker-controlled page. Version 2.3.5 patches the issue."}],"metrics":{"cvssMetricV40":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"ACTIVE","vulnConfidentialityImpact":"NONE","vulnIntegrityImpact":"HIGH","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"PROOF_OF_CONCEPT","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-1385"}]}],"references":[{"url":"https://github.com/0xJacky/nginx-ui/releases/tag/v2.3.5","source":"security-advisories@github.com"},{"url":"https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-78mf-482w-62qj","source":"security-advisories@github.com"}]}}},"_id":"CVE-2026-34403"},{"cveID":"CVE-2026-33626","namespaces":{"nvd_nist_gov":{"cve":{"id":"CVE-2026-33626","sourceIdentifier":"security-advisories@github.com","published":"2026-04-20T21:16:35.097","lastModified":"2026-04-20T21:16:35.097","vulnStatus":"Received","cveTags":[],"descriptions":[{"lang":"en","value":"LMDeploy is a toolkit for compressing, deploying, and serving large language models. Versions prior to 0.12.3 have a Server-Side Request Forgery (SSRF) vulnerability in LMDeploy's vision-language module. The `load_image()` function in `lmdeploy/vl/utils.py` fetches arbitrary URLs without validating internal/private IP addresses, allowing attackers to access cloud metadata services, internal networks, and sensitive resources. Version 0.12.3 patches the issue."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":3.6}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-918"}]}],"references":[{"url":"https://github.com/InternLM/lmdeploy/commit/71d64a339edb901e9005358e0633fbbab367d626","source":"security-advisories@github.com"},{"url":"https://github.com/InternLM/lmdeploy/pull/4447","source":"security-advisories@github.com"},{"url":"https://github.com/InternLM/lmdeploy/releases/tag/v0.12.3","source":"security-advisories@github.com"},{"url":"https://github.com/InternLM/lmdeploy/security/advisories/GHSA-6w67-hwm5-92mq","source":"security-advisories@github.com"}]}}},"_id":"CVE-2026-33626"},{"cveID":"CVE-2026-33432","namespaces":{"nvd_nist_gov":{"cve":{"id":"CVE-2026-33432","sourceIdentifier":"security-advisories@github.com","published":"2026-04-20T21:16:34.970","lastModified":"2026-04-20T21:16:34.970","vulnStatus":"Received","cveTags":[],"descriptions":[{"lang":"en","value":"Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions up to and including 8.2.8.2, when LDAP authentication is enabled, Roxy-WI constructs an LDAP search filter by directly concatenating the user-supplied login username into the filter string without escaping LDAP special characters. An unauthenticated attacker can inject LDAP filter metacharacters into the username field to manipulate the search query, cause the directory to return an unintended user entry, and bypass authentication entirely — gaining access to the application without knowing any valid password. As of time of publication, no known patches are available."}],"metrics":{"cvssMetricV40":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":7.7,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"NONE","vulnIntegrityImpact":"HIGH","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"PROOF_OF_CONCEPT","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-287"}]}],"references":[{"url":"https://github.com/roxy-wi/roxy-wi/blob/v8.2.8.2/app/modules/roxywi/auth.py","source":"security-advisories@github.com"},{"url":"https://github.com/roxy-wi/roxy-wi/security/advisories/GHSA-hv3x-4w38-r92m","source":"security-advisories@github.com"}]}}},"_id":"CVE-2026-33432"},{"cveID":"CVE-2026-33431","namespaces":{"nvd_nist_gov":{"cve":{"id":"CVE-2026-33431","sourceIdentifier":"security-advisories@github.com","published":"2026-04-20T21:16:34.823","lastModified":"2026-04-20T21:16:34.823","vulnStatus":"Received","cveTags":[],"descriptions":[{"lang":"en","value":"Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Prior to version 8.2.6.4, the POST /config/<service>/show API endpoint accepts a configver parameter that is directly appended to a base directory path to construct a local file path, which is subsequently opened and its contents returned to the caller. The existing path traversal guard only inspects the base directory variable (which is never user-controlled) and entirely ignores the user-supplied configver value. An authenticated attacker can supply a configver value containing `../` sequences to escape the intended directory and read arbitrary files accessible to the web application process. Version 8.2.6.4 contains a patch for the issue."}],"metrics":{"cvssMetricV40":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":5.7,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"LOW","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"NONE","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"PROOF_OF_CONCEPT","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-24"}]}],"references":[{"url":"https://github.com/roxy-wi/roxy-wi/commit/d4d100067dd0ee04317f05d3b51be8fcfdc3f802","source":"security-advisories@github.com"},{"url":"https://github.com/roxy-wi/roxy-wi/security/advisories/GHSA-w3c9-36jf-qrw4","source":"security-advisories@github.com"}]}}},"_id":"CVE-2026-33431"},{"cveID":"CVE-2026-33031","namespaces":{"nvd_nist_gov":{"cve":{"id":"CVE-2026-33031","sourceIdentifier":"security-advisories@github.com","published":"2026-04-20T21:16:32.783","lastModified":"2026-04-20T21:16:32.783","vulnStatus":"Received","cveTags":[],"descriptions":[{"lang":"en","value":"Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.4, a user who was disabled by an administrator can use previously issued API tokens for up to the token lifetime. In practice, disabling a compromised account does not actually terminate that user’s access, so an attacker who already stole a JWT can continue reading and modifying protected resources after the account is marked disabled. Since tokens can be used to create new accounts, it is possible the disabled user to maintain the privilege. Version 2.3.4 patches the issue."}],"metrics":{"cvssMetricV40":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":8.6,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"LOW","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-284"},{"lang":"en","value":"CWE-863"}]}],"references":[{"url":"https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-x234-x5vq-cc2v","source":"security-advisories@github.com"}]}}},"_id":"CVE-2026-33031"},{"cveID":"CVE-2026-32613","namespaces":{"nvd_nist_gov":{"cve":{"id":"CVE-2026-32613","sourceIdentifier":"security-advisories@github.com","published":"2026-04-20T21:16:32.623","lastModified":"2026-04-20T21:16:32.623","vulnStatus":"Received","cveTags":[],"descriptions":[{"lang":"en","value":"Spinnaker is an open source, multi-cloud continuous delivery platform. Echo like some other services, uses SPeL (Spring Expression Language) to process information - specifically around expected artifacts. In versions prior to 2026.1.0, 2026.0.1, 2025.4.2, and 2025.3.2, unlike orca, it was NOT restricting that context to a set of trusted classes, but allowing FULL JVM access. This enabled a user to use arbitrary java classes which allow deep access to the system. This enabled the ability to invoke commands, access files, etc. Versions 2026.1.0, 2026.0.1, 2025.4.2, and 2025.3.2 contain a patch. As a workaround, disable echo entirely."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H","baseScore":9.9,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":3.1,"impactScore":6.0}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-94"}]}],"references":[{"url":"https://github.com/spinnaker/spinnaker/releases/tag/spinnaker-release-2025.3.2","source":"security-advisories@github.com"},{"url":"https://github.com/spinnaker/spinnaker/releases/tag/spinnaker-release-2025.4.2","source":"security-advisories@github.com"},{"url":"https://github.com/spinnaker/spinnaker/releases/tag/spinnaker-release-2026.0.1","source":"security-advisories@github.com"},{"url":"https://github.com/spinnaker/spinnaker/security/advisories/GHSA-69rw-45wj-g4v6","source":"security-advisories@github.com"}]}}},"_id":"CVE-2026-32613"},{"cveID":"CVE-2026-32604","namespaces":{"nvd_nist_gov":{"cve":{"id":"CVE-2026-32604","sourceIdentifier":"security-advisories@github.com","published":"2026-04-20T21:16:32.457","lastModified":"2026-04-20T21:16:32.457","vulnStatus":"Received","cveTags":[],"descriptions":[{"lang":"en","value":"Spinnaker is an open source, multi-cloud continuous delivery platform. In versions prior to 2026.1.0, 2026.0.1, 2025.4.2, and 2025.3.2, a bad actor can execute arbitrary commands very simply on the clouddriver pods. This can expose credentials, remove files, or inject resources easily. Versions 2026.1.0, 2026.0.1, 2025.4.2, and 2025.3.2 contain a patch. As a workaround, disable the gitrepo artifact types."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H","baseScore":9.9,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":3.1,"impactScore":6.0}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-20"}]}],"references":[{"url":"https://github.com/spinnaker/spinnaker/releases/tag/spinnaker-release-2025.3.2","source":"security-advisories@github.com"},{"url":"https://github.com/spinnaker/spinnaker/releases/tag/spinnaker-release-2025.4.2","source":"security-advisories@github.com"},{"url":"https://github.com/spinnaker/spinnaker/releases/tag/spinnaker-release-2026.0.1","source":"security-advisories@github.com"},{"url":"https://github.com/spinnaker/spinnaker/security/advisories/GHSA-x3j7-7pgj-h87r","source":"security-advisories@github.com"}]}}},"_id":"CVE-2026-32604"},{"cveID":"CVE-2026-29648","namespaces":{"nvd_nist_gov":{"cve":{"id":"CVE-2026-29648","sourceIdentifier":"cve@mitre.org","published":"2026-04-20T21:16:19.733","lastModified":"2026-04-20T21:16:19.733","vulnStatus":"Received","cveTags":[],"descriptions":[{"lang":"en","value":"In OpenXiangShan NEMU, when Smstateen is enabled, clearing mstateen0.ENVCFG does not correctly restrict access to henvcfg and senvcfg. As a result, less-privileged code may read or write these CSRs without the required exception, potentially bypassing intended state-enable based isolation controls in virtualized or multi-privilege environments."}],"metrics":{},"references":[{"url":"https://docs.riscv.org/reference/isa/priv/smstateen.html","source":"cve@mitre.org"},{"url":"https://github.com/OpenXiangShan/NEMU/issues/690","source":"cve@mitre.org"},{"url":"https://github.com/OpenXiangShan/XiangShan/pull/3978","source":"cve@mitre.org"}]}}},"_id":"CVE-2026-29648"},{"cveID":"CVE-2026-29647","namespaces":{"nvd_nist_gov":{"cve":{"id":"CVE-2026-29647","sourceIdentifier":"cve@mitre.org","published":"2026-04-20T21:16:19.637","lastModified":"2026-04-20T21:16:19.637","vulnStatus":"Received","cveTags":[],"descriptions":[{"lang":"en","value":"In OpenXiangShan NEMU, insufficient Smstateen permission enforcement allows lower-privileged code to access IMSIC state via stopei/vstopei CSRs even when mstateen0.IMSIC is cleared, potentially enabling cross-context information leakage or disruption of interrupt handling."}],"metrics":{},"references":[{"url":"https://docs.riscv.org/reference/isa/priv/smstateen.html#state-enable-0-registers","source":"cve@mitre.org"},{"url":"https://github.com/OpenXiangShan/NEMU/issues/691","source":"cve@mitre.org"},{"url":"https://github.com/OpenXiangShan/XiangShan/pull/3978","source":"cve@mitre.org"}]}}},"_id":"CVE-2026-29647"},{"cveID":"CVE-2026-29646","namespaces":{"nvd_nist_gov":{"cve":{"id":"CVE-2026-29646","sourceIdentifier":"cve@mitre.org","published":"2026-04-20T21:16:19.503","lastModified":"2026-04-20T21:16:19.503","vulnStatus":"Received","cveTags":[],"descriptions":[{"lang":"en","value":"In OpenXiangShan NEMU prior to 55295c4, when running with RVH (Hypervisor extension) enabled, a VS-mode guest write to the supervisor interrupt-enable CSR (sie) may be handled incorrectly and can influence machine-level interrupt enable state (mie). This breaks privilege/virtualization isolation and can lead to denial of service or privilege-boundary violation in environments relying on NEMU for correct interrupt virtualization."}],"metrics":{},"references":[{"url":"https://docs.riscv.org/reference/isa/priv/hypervisor.html","source":"cve@mitre.org"},{"url":"https://docs.riscv.org/reference/isa/priv/machine.html","source":"cve@mitre.org"},{"url":"https://docs.riscv.org/reference/isa/priv/supervisor.html","source":"cve@mitre.org"},{"url":"https://docs.riscv.org/reference/isa/unpriv/zicsr.html","source":"cve@mitre.org"},{"url":"https://github.com/OpenXiangShan/NEMU/issues/951","source":"cve@mitre.org"},{"url":"https://github.com/OpenXiangShan/NEMU/pull/938","source":"cve@mitre.org"},{"url":"https://github.com/OpenXiangShan/NEMU/pull/938/commits/55295c46580456d8d5a9d5736e1fda924b8825ab","source":"cve@mitre.org"}]}}},"_id":"CVE-2026-29646"},{"cveID":"CVE-2026-29642","namespaces":{"nvd_nist_gov":{"cve":{"id":"CVE-2026-29642","sourceIdentifier":"cve@mitre.org","published":"2026-04-20T21:16:19.393","lastModified":"2026-04-20T21:16:19.393","vulnStatus":"Received","cveTags":[],"descriptions":[{"lang":"en","value":"A local attacker who can execute privileged CSR operations (or can induce firmware to do so) performs carefully crafted reads/writes to menvcfg (e.g., csrrs in M-mode). On affected XiangShan versions (commit aecf601e803bfd2371667a3fb60bfcd83c333027, 2024-11-19), these menvcfg accesses can unexpectedly set WPRI (reserved) bits in the status view (xstatus) to 1. RISC-V defines WPRI fields as \"writes preserve values, reads ignore values,\" i.e., they must not be modified by software manipulating other fields, and menvcfg itself contains multiple WPRI fields."}],"metrics":{},"references":[{"url":"https://docs.riscv.org/reference/isa/priv/machine.html","source":"cve@mitre.org"},{"url":"https://docs.riscv.org/reference/isa/priv/priv-csrs.html","source":"cve@mitre.org"},{"url":"https://github.com/OpenXiangShan/XiangShan/commit/5e3dd63","source":"cve@mitre.org"},{"url":"https://github.com/OpenXiangShan/XiangShan/issues/3934","source":"cve@mitre.org"}]}}},"_id":"CVE-2026-29642"},{"cveID":"CVE-2026-6550","namespaces":{"nvd_nist_gov":{"cve":{"id":"CVE-2026-6550","sourceIdentifier":"ff89ba41-3aa1-4d27-914a-91399e9639e5","published":"2026-04-20T20:16:49.283","lastModified":"2026-04-20T20:16:49.283","vulnStatus":"Received","cveTags":[],"descriptions":[{"lang":"en","value":"Cryptographic algorithm downgrade in the caching layer of Amazon AWS Encryption SDK for Python before version 3.3.1 and before version  4.0.5 might allow an authenticated local threat actor to bypass key commitment policy enforcement via a shared key cache, resulting in ciphertext that can be decrypted to multiple different plaintexts.\n\nTo remediate this issue, users should upgrade to version 3.3.1, 4.0.5 or above."}],"metrics":{"cvssMetricV40":[{"source":"ff89ba41-3aa1-4d27-914a-91399e9639e5","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":5.7,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"HIGH","attackRequirements":"PRESENT","privilegesRequired":"LOW","userInteraction":"NONE","vulnConfidentialityImpact":"NONE","vulnIntegrityImpact":"HIGH","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"ff89ba41-3aa1-4d27-914a-91399e9639e5","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N","baseScore":4.7,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"HIGH","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"HIGH","availabilityImpact":"NONE"},"exploitabilityScore":1.0,"impactScore":3.6}]},"weaknesses":[{"source":"ff89ba41-3aa1-4d27-914a-91399e9639e5","type":"Secondary","description":[{"lang":"en","value":"CWE-757"}]}],"references":[{"url":"https://aws.amazon.com/security/security-bulletins/2026-017-aws/","source":"ff89ba41-3aa1-4d27-914a-91399e9639e5"},{"url":"https://github.com/aws/aws-encryption-sdk-python/releases/tag/v3.3.1","source":"ff89ba41-3aa1-4d27-914a-91399e9639e5"},{"url":"https://github.com/aws/aws-encryption-sdk-python/releases/tag/v4.0.5","source":"ff89ba41-3aa1-4d27-914a-91399e9639e5"},{"url":"https://github.com/aws/aws-encryption-sdk-python/security/advisories/GHSA-v638-38fc-rhfv","source":"ff89ba41-3aa1-4d27-914a-91399e9639e5"}]}}},"_id":"CVE-2026-6550"},{"cveID":"CVE-2026-6257","namespaces":{"nvd_nist_gov":{"cve":{"id":"CVE-2026-6257","sourceIdentifier":"disclosure@vulncheck.com","published":"2026-04-20T20:16:49.107","lastModified":"2026-04-20T20:16:49.107","vulnStatus":"Received","cveTags":[],"descriptions":[{"lang":"en","value":"Vvveb CMS v1.0.8 contains a remote code execution vulnerability in its media management functionality where a missing return statement in the file rename handler allows authenticated attackers to rename files to blocked extensions .php or .htaccess. Attackers can exploit this logic flaw by first uploading a text file and renaming it to .htaccess to inject Apache directives that register PHP-executable MIME types, then uploading another file and renaming it to .php to execute arbitrary operating system commands as the www-data user."}],"metrics":{"cvssMetricV40":[{"source":"disclosure@vulncheck.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":9.2,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"HIGH","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnAvailabilityImpact":"HIGH","subConfidentialityImpact":"NONE","subIntegrityImpact":"HIGH","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"disclosure@vulncheck.com","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H","baseScore":9.1,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"HIGH","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.3,"impactScore":6.0}]},"weaknesses":[{"source":"disclosure@vulncheck.com","type":"Primary","description":[{"lang":"en","value":"CWE-434"}]}],"references":[{"url":"https://github.com/givanz/Vvveb/commit/6fb8eaa998265e33e8802cbc220d8859dbc144f2","source":"disclosure@vulncheck.com"},{"url":"https://www.vulncheck.com/advisories/vvveb-cms-remote-code-execution-via-media-management","source":"disclosure@vulncheck.com"}]}}},"_id":"CVE-2026-6257"},{"cveID":"CVE-2026-6249","namespaces":{"nvd_nist_gov":{"cve":{"id":"CVE-2026-6249","sourceIdentifier":"disclosure@vulncheck.com","published":"2026-04-20T20:16:48.943","lastModified":"2026-04-20T20:16:48.943","vulnStatus":"Received","cveTags":[],"descriptions":[{"lang":"en","value":"Vvveb CMS 1.0.8 contains a remote code execution vulnerability in its media upload handler that allows authenticated attackers to execute arbitrary operating system commands by uploading a PHP webshell with a .phtml extension. Attackers can bypass the extension deny-list and upload malicious files to the publicly accessible media directory, then request the file over HTTP to achieve full server compromise."}],"metrics":{"cvssMetricV40":[{"source":"disclosure@vulncheck.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":8.7,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"LOW","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnAvailabilityImpact":"HIGH","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"disclosure@vulncheck.com","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.8,"impactScore":5.9}]},"weaknesses":[{"source":"disclosure@vulncheck.com","type":"Primary","description":[{"lang":"en","value":"CWE-434"}]}],"references":[{"url":"https://github.com/givanz/Vvveb/commit/23ac0e8c758d80f3c4d9224763c8b2359648270e","source":"disclosure@vulncheck.com"},{"url":"https://www.vulncheck.com/advisories/vvveb-cms-remote-code-execution-via-media-upload","source":"disclosure@vulncheck.com"}]}}},"_id":"CVE-2026-6249"},{"cveID":"CVE-2026-5478","namespaces":{"nvd_nist_gov":{"cve":{"id":"CVE-2026-5478","sourceIdentifier":"security@wordfence.com","published":"2026-04-20T20:16:48.800","lastModified":"2026-04-20T20:16:48.800","vulnStatus":"Received","cveTags":[],"descriptions":[{"lang":"en","value":"The Everest Forms plugin for WordPress is vulnerable to Arbitrary File Read and Deletion in all versions up to, and including, 3.4.4. This is due to the plugin trusting attacker-controlled old_files data from public form submissions as legitimate server-side upload state, and converting attacker-supplied URLs into local filesystem paths using regex-based string replacement without canonicalization or directory boundary enforcement. This makes it possible for unauthenticated attackers to read arbitrary local files (e.g., wp-config.php) by injecting path-traversal payloads into the old_files upload field parameter, which are then attached to notification emails. The same path resolution is also used in the post-email cleanup routine, which calls unlink() on the resolved path, resulting in the targeted file being deleted after being attached. This can lead to full site compromise through disclosure of database credentials and authentication salts from wp-config.php, and denial of service through deletion of critical files. Prerequisite: The form must contain a file-upload or image-upload field, and disable storing entry information."}],"metrics":{"cvssMetricV31":[{"source":"security@wordfence.com","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":8.1,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.2,"impactScore":5.9}]},"weaknesses":[{"source":"security@wordfence.com","type":"Primary","description":[{"lang":"en","value":"CWE-22"}]}],"references":[{"url":"https://plugins.trac.wordpress.org/browser/everest-forms/tags/3.4.4/includes/abstracts/class-evf-form-fields-upload.php#L1306","source":"security@wordfence.com"},{"url":"https://plugins.trac.wordpress.org/browser/everest-forms/tags/3.4.4/includes/abstracts/class-evf-form-fields-upload.php#L1581","source":"security@wordfence.com"},{"url":"https://plugins.trac.wordpress.org/browser/everest-forms/tags/3.4.4/includes/abstracts/class-evf-form-fields-upload.php#L1665","source":"security@wordfence.com"},{"url":"https://plugins.trac.wordpress.org/changeset/3507814/everest-forms","source":"security@wordfence.com"},{"url":"https://www.wordfence.com/threat-intel/vulnerabilities/id/8641eb53-6a9a-4549-b8ef-e37acbcc7f03?source=cve","source":"security@wordfence.com"}]}}},"_id":"CVE-2026-5478"}]}