
Latest CVE identifiers for critical vulnerabilities:
- CVE-2026-23853 | Published: April 17, 2026, 8:16 a.m. | Severity: 8.4 (HIGH) | Description: Dell PowerProtect Data Domain with Data Domain Operating System (DD OS) of Feature Release versions 7.7.1.0 through 8.5, LTS2025 release version 8.3.1.0 through 8.3.1.20, LTS2024 release versions 7.13.1.0 through 7.13.1.50, contain a use of weak credentials vulnerability. An unauthenticated attacker with local access could potentially exploit this vulnerability, leading to unauthorized access to the system.
- CVE-2026-6443 | Published: April 17, 2026, 7:16 a.m. | Severity: 9.8 (CRITICAL) | Description: The Accordion and Accordion Slider plugin for WordPress is vulnerable to an injected backdoor in version 1.4.6. This is due to the plugin being sold to a malicious threat actor that embedded a backdoor in all of the plugins they acquired. This makes it possible for the threat actor to maintain a persistent backdoor and inject spam into the affected sites.
- CVE-2026-6482 | Published: April 17, 2026, 6:16 a.m. | Description: The Rapid7 Insight Agent (versions > 4.1.0.2) is vulnerable to a local privilege escalation attack that allows users to gain SYSTEM level control of a Windows host. Upon startup the agent service attempts to load an OpenSSL configuration file from a non-existent directory that is writable by standard users. By planting a crafted openssl.cnf file an attacker can trick the high-privilege service into executing arbitrary commands. This effectively permits an unprivileged user to bypass security controls and achieve a full host compromise under the agent’s SYSTEM […]
- CVE-2026-3605 | Published: April 17, 2026, 4:16 a.m. | Severity: 8.1 (HIGH) | Description: An authenticated user with access to a kvv2 path through a policy containing a glob may be able to delete secrets they were not authorized to read or write, resulting in denial-of-service. This vulnerability did not allow a malicious user to delete secrets across namespaces, nor read any secret data. Fixed in Vault Community Edition 2.0.0 and Vault Enterprise 2.0.0, 1.21.5, 1.20.10, and 1.19.16.
- CVE-2026-40262 | Published: April 17, 2026, 1:17 a.m. | Description: Note Mark is an open-source note-taking application. In versions 0.19.1 and prior, the asset delivery handler serves uploaded files inline and relies on magic-byte detection for content type, which does not identify text-based formats such as HTML, SVG, or XHTML. These files are served with an empty Content-Type, no X-Content-Type-Options: nosniff header, and inline disposition, allowing browsers to sniff and render active content. An authenticated user can upload an HTML or SVG file containing JavaScript as a note asset, and when a victim navigates to […]
- CVE-2026-22734 | Published: April 17, 2026, 1:17 a.m. | Severity: 8.6 (HIGH) | Description: Cloud Foundry UAA is vulnerable to a bypass that allows an attacker to obtain a token for any user and gain access to UAA-protected systems. This vulnerability exists when SAML 2.0 bearer assertions are enabled for a client, as the UAA accepts SAML 2.0 bearer assertions that are neither signed nor encrypted. This issue affects UAA from v77.30.0 to v78.7.0 (inclusive) and it affects CF Deployment from v48.7.0 to v54.14.0 (inclusive).
- CVE-2026-40259 | Published: April 16, 2026, 11:16 p.m. | Description: SiYuan is an open-source personal knowledge management system. In versions 3.6.3 and below, the /api/av/removeUnusedAttributeView endpoint is protected only by generic authentication that accepts publish-service RoleReader tokens. The handler passes a caller-controlled id directly to a model function that unconditionally deletes the corresponding attribute view file from the workspace without verifying that the caller has write privileges or that the target attribute view is actually unused. An authenticated publish-service reader can permanently delete arbitrary attribute view definitions by extracting publicly exposed data-av-id values from published […]
- CVE-2026-40318 | Published: April 16, 2026, 11:16 p.m. | Severity: 8.5 (HIGH) | Description: SiYuan is an open-source personal knowledge management system. In versions 3.6.3 and prior, the /api/av/removeUnusedAttributeView endpoint constructs a filesystem path using the user-controlled id parameter without validation or path boundary enforcement. An attacker can inject path traversal sequences such as ../ into the id value to escape the intended directory and delete arbitrary .json files on the server, including global configuration files and workspace metadata. This issue has been fixed in version 3.6.4.
- CVE-2026-40322 | Published: April 16, 2026, 11:16 p.m. | Description: SiYuan is an open-source personal knowledge management system. In versions 3.6.3 and below, Mermaid diagrams are rendered with securityLevel set to "loose", and the resulting SVG is injected into the DOM via innerHTML. This allows attacker-controlled javascript: URLs in Mermaid code blocks to survive into the rendered output. On desktop builds using Electron, windows are created with nodeIntegration enabled and contextIsolation disabled, escalating the stored XSS to arbitrary code execution when a victim opens a note containing a malicious Mermaid block and clicks the rendered […]
- CVE-2026-41113 | Published: April 16, 2026, 10:16 p.m. | Severity: 8.1 (HIGH) | Description: sagredo qmail before 2026.04.07 allows tls_quit remote code execution because of popen in notlshosts_auto in qmail-remote.c.
