CVEs from 2026

Total: 14,769
- critical: 1,335
- high: 5,011
- medium: 4,834
- low: 504

% Critical: 9.0%
% with KEV: 0.4%
% with exploit: 0.7%
Top vendors
Top products
- chrome 723
- firepower_threat_defense_software 310
- gcp 299
- firepower_threat_defense 298
- openclaw 172
- commerce 104
- netweaver_application_server_abap 102
- commerce_b2b 89
Top packages
| CVE | Severity | CVSS | Risk | Flags | OS | Vendor | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-45718 | medium | 5.4 | 5.4 | | | | 11d ago | Budibase is an open-source low-code platform. Prior to 3.38.1, the row action trigger endpoint (POST /api/tables/:sourceId/actions/:actionId/trigger) fails to validate that the user-supplied rowId is… |
| CVE-2026-4390 | medium | 5.4 | 5.4 | | | | 11d ago | A weakness has been identified in TeamSpeak 3 Server up to 3.13.7. This affects the function process_resend_queue of the component Connection State Management. This manipulation causes use after free… |
| CVE-2026-42082 | medium | 5.4 | 5.4 | | | | 11d ago | free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, the AMF in Free5GC does not enforce the concurrent security procedure rules defined in 3GPP TS 33.501 §6.9.5.1. The AM… |
| CVE-2026-45335 | medium | 5.4 | 5.4 | | | | 11d ago | WeGIA is a web manager for charitable institutions. Prior to 3.7.3, an Open Redirect vulnerability was identified in the /WeGIA/controle/control.php endpoint of the WeGIA application, specifically th… |
| CVE-2026-45571 | medium | 5.4 | 5.4 | | | | 11d ago | go-git is an extensible git implementation library written in pure Go. Prior to 5.19.1 and 6.0.0-alpha.4, a path validation issue in go-git could allow crafted repository data to affect files outside… |
| CVE-2026-6287 | medium | 5.4 | 5.4 | | | | 12d ago | The ShopLentor - WooCommerce Builder for Elementor & Gutenberg plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'blockUniqId' block attribute in multiple Product Gride blocks… |
| CVE-2026-38931 | medium | 5.4 | 5.4 | | | | 12d ago | A stored cross-site scripting (XSS) vulnerability in the /admin/config-module.php component of creatorsofcode simplephp GitHub commit 5184cff (Latest as of 2026-02-27) via injecting a crafted payload. |
| CVE-2026-32389 | medium | 5.4 | 5.4 | | | | 13d ago | Missing Authorization vulnerability in Linethemes NanoCare allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects NanoCare: from n/a before 1.2.2. |
| CVE-2026-24586 | medium | 5.4 | 5.4 | | | | 13d ago | Missing Authorization vulnerability in Themeansar Newses allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Newses: from n/a through 2.0.0.77. |
| CVE-2026-48589 | medium | 5.4 | 5.4 | | | | 13d ago | Apache Shiro’s Jakarta EE module used the HTTP Referer header in certain cases to issue redirect after a user login. In affected versions, insufficient validation of this client-controlled value coul… |
| CVE-2026-44598 | medium | 5.4 | 5.4 | | | | 13d ago | With valid login credentials, URL Redirection to Untrusted Site ('Open Redirect'), Server-Side Request Forgery (SSRF) vulnerability in Apache Shiro. This issue affects Apache Shiro from 2.0-alpha… |
| CVE-2026-9078 | medium | 5.4 | 5.4 | | | | 13d ago | Firefox for iOS displayed specially crafted right-to-left (RTL) and internationalized domain names (IDNs) incorrectly in link preview UI surfaces. A crafted RTL hostname could visually reorder portio… |
| CVE-2026-9438 | medium | 5.4 | 5.4 | | | | 14d ago | A vulnerability was found in yashpokharna2555 StudentManagementSystem cb2f558ddf8d19396de0f92abf2d224d46a0a203. This impacts an unknown function of the file courseDel.php. The manipulation of the arg… |
| CVE-2026-39964 | medium | 5.4 | 5.4 | | | | 16d ago | Typebot.io has stored XSS via `javascript`: URI in text bubble links — bot author executes JS on visitors' browsers |
| CVE-2026-28735 | medium | 5.4 | 5.4 | | | | 16d ago | Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to validate the OAuth token scope on the callback which allows an authenticated Mattermost user to g… |
| CVE-2026-9251 | medium | 5.4 | 5.4 | | | | 16d ago | Missing authorization in the entry status management feature in Devolutions Server allows a non-administrator authenticated user to bypass the administrator-enforced Pending Approval flow and gain ac… |
| CVE-2026-8381 | medium | 5.4 | 5.4 | | | | 16d ago | A broken access control vulnerability exists in the TeamViewer DEX Platform (On‑Premises) prior version 9.2. Certain backend API endpoints do not correctly enforce authorization checks, allowing an a… |
| CVE-2026-7798 | medium | 5.4 | 5.4 | | | | 16d ago | The FluentCRM – Email Newsletter, Automation, Email Marketing, Email Campaigns, Optins, Leads, and CRM Solution plugin for WordPress is vulnerable to Blind Server-Side Request Forgery in all versions… |
| CVE-2026-8245 | medium | 5.4 | 5.4 | | | | 17d ago | Concrete CMS 9.5.0 and below is vulnerable to Reflected XSS in Legacy Pagination via HTML attribute injection. Concrete\Core\Legacy\Pagination builds pagination links by raw-interpolating its $URL fi… |
| CVE-2026-8139 | medium | 5.4 | 5.4 | | | | 17d ago | Concrete CMS 9.5.0 and below is vulnerable to Stored XSS via external-link page cvName because updateCollectionAliasExternal bypasses being sanitized. The Concrete CMS security team gave this vulnera… |
| CVE-2026-4929 | medium | 5.4 | 5.4 | | | | 17d ago | Simple Hierarchical Select (SHS) for Drupal 7 contains cross-site scripting risk due to improper output escaping of term-derived text. Confirmed affected paths include field formatter output (shs_fie… |
| CVE-2026-4093 | medium | 5.4 | 5.4 | | | | 17d ago | In the Drupal 7 Term Reference Tree module, two stored XSS vectors exist in the widget/formatter rendering pipeline. Vector A (token display templates): When the Token module is enabled and token di… |
| CVE-2026-22678 | medium | 5.4 | 5.4 | | | | 17d ago | Webmin before 2.641 contains a stored cross-site scripting vulnerability in the email template description field of the System and Server Status module that allows low-privileged authenticated attack… |
| CVE-2026-8203 | medium | 5.4 | 5.4 | | | | 17d ago | Concrete CMS 9.5.0 and below has Stored XSS on the height parameter. The controller does not validate or sanitize $height. Any user with editor privileges can inject malicious JavaScript that execute… |
| CVE-2026-48230 | medium | 5.4 | 5.4 | | | | 17d ago | Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in ticketsmdb_import.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsan… |
| CVE-2026-48229 | medium | 5.4 | 5.4 | | | | 17d ago | Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in routes_i.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized va… |
| CVE-2026-48228 | medium | 5.4 | 5.4 | | | | 17d ago | Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in patient_w.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized v… |
| CVE-2026-48227 | medium | 5.4 | 5.4 | | | | 17d ago | Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in patient.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized val… |
| CVE-2026-48226 | medium | 5.4 | 5.4 | | | | 17d ago | Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in os_watch.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized va… |
| CVE-2026-48225 | medium | 5.4 | 5.4 | | | | 17d ago | Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in landb.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value… |
| CVE-2026-48224 | medium | 5.4 | 5.4 | | | | 17d ago | Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in ics214.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized valu… |
| CVE-2026-48223 | medium | 5.4 | 5.4 | | | | 17d ago | Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in ics213rr.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized va… |
| CVE-2026-48222 | medium | 5.4 | 5.4 | | | | 17d ago | Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in ics213.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized valu… |
| CVE-2026-48221 | medium | 5.4 | 5.4 | | | | 17d ago | Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in ics205a.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized val… |
| CVE-2026-48220 | medium | 5.4 | 5.4 | | | | 17d ago | Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in ics205.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized valu… |
| CVE-2026-48219 | medium | 5.4 | 5.4 | | | | 17d ago | Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in ics202.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized valu… |
| CVE-2026-48218 | medium | 5.4 | 5.4 | | | | 17d ago | Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in icons/buttons/landb.php that allows authenticated attackers to inject arbitrary JavaScript by passing an uns… |
| CVE-2026-48217 | medium | 5.4 | 5.4 | | | | 17d ago | Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in delete_module.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitiz… |
| CVE-2026-48216 | medium | 5.4 | 5.4 | | | | 17d ago | Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in db_loader.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized v… |
| CVE-2026-48215 | medium | 5.4 | 5.4 | | | | 17d ago | Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in circle.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized valu… |
| CVE-2026-48214 | medium | 5.4 | 5.4 | | | | 17d ago | Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in add_nm.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized valu… |
| CVE-2026-48213 | medium | 5.4 | 5.4 | | | | 17d ago | Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in add.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value t… |
| CVE-2026-44924 | medium | 5.4 | 5.4 | | | | 18d ago | InfoScale VIOM 9.1.3 allows XSS. |
| CVE-2026-9056 | medium | 5.4 | 5.4 | | | | 19d ago | A stored cross-site scripting vulnerability has been found in the Talend Administration Center. An attacker with permission to manage servers can store a XSS payload that can be triggered by a differ… |
| CVE-2026-6394 | medium | 5.4 | 5.4 | | | | 19d ago | The Nexa Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE plugin for WordPress is vulnerable to Server-Side Request Forgery (SSRF) in versions up to and including 1.1.1. This is due… |
| CVE-2026-8493 | medium | 5.4 | 5.4 | | | | 19d ago | This module enables you to open content already on the page within a colorbox. The module doesn't sufficiently sanitize the data-colorbox-inline attribute value before passing it to jQuery, leading … |
| CVE-2026-36827 | medium | 5.4 | 5.4 | | | | 19d ago | A command injection vulnerability exists in Panabit PAP-XM320 up to and including V7.7. The web management interface invokes the backend helper /usr/sbin/pappiw and passes user-controlled parameters … |
| CVE-2026-8922 | medium | 5.4 | 5.4 | | | | 20d ago | Keycloak: Revoked Tokens Can Remain Active When Both Realm-Level and Client-Level `notBefore` Revocation Policies are Configured |
| CVE-2026-45244 | medium | 5.4 | 5.4 | | | | 20d ago | Summarize contains a missing authorization vulnerability |
| CVE-2026-45494 | medium | 5.4 | 5.4 | | | | 20d ago | Microsoft Edge (Chromium-based) Spoofing Vulnerability |
| CVE-2026-45492 | medium | 5.4 | 5.4 | | | | 20d ago | Improper input validation in Microsoft Edge (Chromium-based) allows an unauthorized attacker to bypass a security feature over a network. |
| CVE-2026-45660 | medium | 5.4 | 5.4 | | | | 20d ago | Statamic is a Laravel and Git powered content management system (CMS). Prior to 5.73.22 and 6.18.1, the Glide image proxy's URL validation could be bypassed using an IP representation that wasn't nor… |
| CVE-2026-1631 | medium | 5.4 | 5.4 | | | | 21d ago | The Feeds for YouTube (YouTube video, channel, and gallery plugin) WordPress plugin before 2.6.4 is vulnerable to unauthorized modification of the Feeds for YouTube (YouTube video, channel, and galle… |
| CVE-2026-45365 | medium | 5.4 | 5.4 | | | | 23d ago | Open WebUI: Authenticated users can bypass model access control via exposed query parameter [AI-ASSISTED] |
| CVE-2026-45347 | medium | 5.4 | 5.4 | | | | 23d ago | Open WebUI vulnerable to blind server side request forgery (SSRF) via the PDF generate function |
| CVE-2026-45346 | medium | 5.4 | 5.4 | | | | 23d ago | Open WebUI Has Stored Cross-Site Scripting in SVG Renderer |
| CVE-2026-45318 | medium | 5.4 | 5.4 | | | | 23d ago | Open WebUI has stored XSS via unsanitized Office/Excel/DOCX file preview rendering ({@html} without DOMPurify) |
| CVE-2026-46363 | medium | 5.4 | 5.4 | | | | 23d ago | phpMyFAQ before 4.1.2 contains a stored cross-site scripting vulnerability in FAQ creation and update endpoints that bypass sanitization through encode-decode cycles. The vulnerability allows authent… |
| CVE-2026-46360 | medium | 5.4 | 5.4 | | | | 23d ago | phpMyFAQ before 4.1.2 contains a stored cross-site scripting vulnerability in SvgSanitizer::decodeAllEntities() that limits recursive entity decoding to 5 iterations, allowing attackers to bypass san… |
| CVE-2026-46365 | medium | 5.4 | 5.4 | | | | 23d ago | phpMyFAQ before 4.1.2 contains a missing authorization vulnerability in the DELETE /admin/api/content/tags/{tagId} endpoint that allows any authenticated user to delete tags. Any logged-in user, incl… |
| CVE-2026-45396 | medium | 5.4 | 5.4 | | | | 23d ago | Open WebUI: Mass Assignment via FeedbackForm extra=allow Allows Feedback User ID Spoofing and Evaluation Data Manipulation |
| CVE-2026-44564 | medium | 5.4 | 5.4 | | | | 23d ago | Read-Only Open WebUI Users Can Modify Collaborative Documents via Socket.IO |
| CVE-2026-44563 | medium | 5.4 | 5.4 | | | | 23d ago | Open WebUI's Ollama Model Access Control Bypass via /api/generate, /api/embed, /api/embeddings, and /api/show |
| CVE-2026-44561 | medium | 5.4 | 5.4 | | | | 23d ago | Open WebUI: Deactivated Channel Members Retain Full Access to Group/DM Channels |
| CVE-2026-44558 | medium | 5.4 | 5.4 | | | | 23d ago | Open WebUI's Channel Access Grants Bypass filter_allowed_access_grants |
| CVE-2026-45580 | medium | 5.4 | 5.4 | | | | 23d ago | WWBN AVideo is an open source video platform. In 29.0 and earlier, there is a stored cross-site scripting vulnerability. The Live plugin's "YouTube-style" view renders the live transmission's stream … |
| CVE-2026-23695 | medium | 5.4 | 5.4 | | | | 23d ago | Cockpit CMS: Stored cross-site scripting vulnerability in the Set field type's Display template option |
| CVE-2026-44310 | medium | 5.4 | 5.4 | | | | 23d ago | Gitsign is a keyless Sigstore to signing tool for Git commits with your a GitHub / OIDC identity. From 0.4.0 to before 0.15.0, CertVerifier.Verify() in pkg/git/verifier.go unconditionally dereference… |
| CVE-2026-24662 | medium | 5.4 | 5.4 | | | | 24d ago | Cross-site scripting vulnerability exists in Musetheque V4 Information Disclosure for IPKNOWLEDGE V4L1 rev2203.0 and earlier. If a file containing malicious contents is uploaded, an arbitrary script … |
| CVE-2026-44429 | medium | 5.4 | 5.4 | | | | 24d ago | MCP Registry vulnerable to stored XSS in catalogue UI via attribute-quote breakout in publisher-controlled `websiteUrl` |
| CVE-2026-8561 | medium | 5.4 | 5.4 | | | | 24d ago | Incorrect security UI in Fullscreen in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium) |
| CVE-2026-8539 | medium | 5.4 | 5.4 | | | | 24d ago | Script injection in SanitizerAPI in Google Chrome on Android prior to 148.0.7778.168 allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. (Chromium security s… |
| CVE-2026-45299 | medium | 5.4 | 5.4 | | | | 24d ago | Open WebUI has Stored Cross-Site Scripting In Profile Picture |
| CVE-2026-22707 | medium | 5.4 | 5.4 | | | | 24d ago | Strapi Upload Plugin MIME Validation Bypass via Content API |
| CVE-2026-20210 | medium | 5.4 | 5.4 | | | | 24d ago | A vulnerability in the web UI of Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow an authenticated, remote attacker with read-only permissions to modify configurations and perform … |
| CVE-2026-20209 | medium | 5.4 | 5.4 | | | | 24d ago | A vulnerability in the web UI of Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow an authenticated, remote attacker with read-only permissions to elevate their privileges from low … |
| CVE-2026-42159 | medium | 5.4 | 5.4 | | | | 24d ago | Flowsint is an open-source OSINT graph exploration tool designed for cybersecurity investigation, transparency, and verification. Prior to 1.2.3, Flowsint allows a user to create investigations, whic… |
| CVE-2026-6472 | medium | 5.4 | 5.4 | | | | 24d ago | PostgreSQL vulnerabilities |
| CVE-2026-7481 | medium | 5.4 | 5.4 | | | | 25d ago | GitLab has remediated an issue in GitLab EE affecting all versions from 16.4 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an authenticated user with developer… |
| CVE-2026-7377 | medium | 5.4 | 5.4 | | | | 25d ago | GitLab has remediated an issue in GitLab EE affecting all versions from 18.7 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that, in customizable analytics dashboards, could have allow… |
| CVE-2026-6335 | medium | 5.4 | 5.4 | | | | 25d ago | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.11 before 18.11.3 that under certain conditions could have allowed an authenticated user to execute arbitrary code in ano… |
| CVE-2026-6073 | medium | 5.4 | 5.4 | | | | 25d ago | GitLab has remediated an issue in GitLab EE affecting all versions from 18.7 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an authenticated user to execute arb… |
| CVE-2026-3829 | medium | 5.4 | 5.4 | | | | 25d ago | The WP Encryption – One Click Free SSL Certificate & SSL / HTTPS Redirect, Security & SSL Scan plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks… |
| CVE-2026-44425 | medium | 5.4 | 5.4 | | | | 25d ago | ShellHub has crash-DoS via field injection in filter and sort-by parameters |
| CVE-2026-45228 | medium | 5.4 | 5.4 | | | | 25d ago | Quark Drive before 0.8.5 contains a stored cross-site scripting vulnerability in the System Configuration page where the template renders push_config key names using Vue.js's v-html directive without… |
| CVE-2026-44576 | medium | 5.4 | 5.4 | | | | 25d ago | Next.js vulnerable to cache poisoning in React Server Component responses |
| CVE-2026-40703 | medium | 5.4 | 5.4 | | | | 25d ago | A cross-site request forgery (CSRF) vulnerability exists in the dashboard of the BIG-IP Configuration utility. Note: Software versions which have reached End of Technical Support (EoTS) are not eval… |
| CVE-2026-44794 | medium | 5.4 | 5.4 | | | | 25d ago | Nautobot is a Network Source of Truth and Network Automation Platform. Prior to 2.4.33 and 3.1.2, in the case of inter-object references via GenericForeignKey (a pattern allowing an object to referen… |
| CVE-2026-7051 | medium | 5.4 | 5.4 | | | | 26d ago | The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 8.9.0. This is due to a missing ownership verific… |
| CVE-2026-44873 | medium | 5.4 | 5.4 | | | | 26d ago | A session management vulnerability in AOS-8 allows previously authenticated users to retain network access after their accounts are administratively disabled. Existing sessions are not invalidated wh… |
| CVE-2026-42838 | medium | 5.4 | 5.4 | | | | 26d ago | Improper neutralization of special elements in output used by a downstream component ('injection') in Microsoft Edge (Chromium-based) allows an unauthorized attacker to elevate privileges over a netw… |
| CVE-2026-35423 | medium | 5.4 | 5.4 | | | | 26d ago | Out-of-bounds read in Telnet Client allows an unauthorized attacker to disclose information over a network. |
| CVE-2026-45210 | medium | 5.4 | 5.4 | | | | 26d ago | Missing Authorization vulnerability in Broadstreet Broadstreet Ads broadstreet allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Broadstreet Ads: from n/a thr… |
| CVE-2026-40132 | medium | 5.4 | 5.4 | | | | 27d ago | Due to missing authorization check in SAP Strategic Enterprise Management (Scorecard Wizard in Business Server Pages), an authenticated attacker could access information that they are otherwise unaut… |
| CVE-2026-0502 | medium | 5.4 | 5.4 | | | | 27d ago | Due to insufficient CSRF protection in SAP BusinessObjects Business Intelligence Platform, an authenticated user could be tricked by an attacker to send unintended requests to the web server. This ha… |
| CVE-2026-39960 | medium | 5.4 | 5.4 | | | | 27d ago | MantisBT is Vulnerable to Stored XSS in Custom Field Textarea Values |
| CVE-2026-44998 | medium | 5.4 | 5.4 | | | | 27d ago | OpenClaw before 2026.4.20 contains a tool policy bypass vulnerability allowing bundled MCP and LSP tools to circumvent configured tool restrictions. Attackers with local agent access can append restr… |
| CVE-2026-44993 | medium | 5.4 | 5.4 | | | | 27d ago | OpenClaw before 2026.4.20 contains a message classification vulnerability in Feishu card-action callbacks that misclassifies direct messages as group conversations. Attackers can bypass dmPolicy enfo… |
| CVE-2026-43638 | medium | 5.4 | 5.4 | | | | 27d ago | Bitwarden Server prior to v2026.4.1 contains a missing authorization vulnerability that allows any authenticated user to write ciphers into an arbitrary organization via `POST /ciphers/import-organiz… |
| CVE-2026-42857 | medium | 5.4 | 5.4 | | | | 27d ago | Open edX Platform enables the authoring and delivery of online learning at any scale. The HTML sanitizer clean_thread_html_body() used for discussion notification emails fails to remove <style> tags … |