Common Vulnerabilities and Exposures (CVE)

CVE-2026-20930

Apr 17, 2026 16:11:46 UTC

Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Management Services allows an authorized attacker to elevate privileges locally.

CVE-2026-40515

Apr 17, 2026 16:00:07 UTC

OpenHarness before commit bd4df81 contains a permission bypass vulnerability that allows attackers to read sensitive files by exploiting incomplete path normalization in the permission checker. Attackers can invoke the built-in grep and glo...

CVE-2026-21672

Apr 17, 2026 15:32:11 UTC

A vulnerability allowing local privilege escalation on Windows-based Veeam Backup & Replication servers.

CVE-2026-21708

Apr 17, 2026 15:32:10 UTC

A vulnerability allowing a Backup Viewer to perform remote code execution (RCE) as the postgres user.

CVE-2026-37749

Apr 17, 2026 15:23:39 UTC

A SQL injection vulnerability in CodeAstro Simple Attendance Management System v1.0 allows remote unauthenticated attackers to bypass authentication via the username parameter in index.php.

CVE-2026-6284

Apr 17, 2026 15:14:06 UTC

An attacker with network access to the PLC is able to discover passwords by brute force to gain unauthorized access to systems and services. The limited password complexity and lack of password input limiters make brute force password enumeration ...

CVE-2025-70795

Apr 17, 2026 14:58:56 UTC

STProcessMonitor 11.11.4.0, part of the Safetica Application suite, allows an admin-privileged user to send crafted IOCTL requests to terminate processes that are protected through a third-party implementation. This is caused by insufficien...

CVE-2026-6492

Apr 17, 2026 14:32:34 UTC

A vulnerability was detected in arnobt78 Hotel Booking Management System up to f8922d0e0f6ac1cc761974c7616f44c2bbc04bea. The impacted element is an unknown function of the file /api/health/detailed of the component Health Check Endpoint. Pe...

CVE-2026-5231

Apr 17, 2026 14:30:43 UTC

The WP Statistics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'utm_source' parameter in all versions up to, and including, 14.16.4. This is due to insufficient input sanitization and output escaping. The plugin...

CVE-2026-41153

Apr 17, 2026 14:29:04 UTC

In JetBrains Junie before 252.549.29, command execution was possible via a malicious project file.

CVE-2026-5502

Apr 17, 2026 14:28:01 UTC

The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized course content manipulation in versions up to and including 3.9.8. This is due to a missing authorization check in the tutor_update_cour...

CVE-2026-6451

Apr 17, 2026 14:21:59 UTC

The cms-fuer-motorrad-werkstaetten plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to and including 1.0.0. This is due to missing nonce validation on all eight AJAX deletion handlers: vehicles_cfmw_d_vehicle,...

CVE-2026-6493

Apr 17, 2026 14:15:15 UTC

A flaw has been found in lukevella rallly up to 4.7.4. This affects an unknown function of the file apps/web/src/app/[locale]/(auth)/reset-password/components/reset-password-form.tsx of the component Reset Password Handler. Executing a mani...

CVE-2026-6490

Apr 17, 2026 14:04:14 UTC

A weakness has been identified in QueryMine sms up to 7ab5a9ea196209611134525ffc18de25c57d9593. Impacted is an unknown function of the file admin/deletecourse.php of the component GET Request Parameter Handler. This manipulation of the argu...

CVE-2026-40458

Apr 17, 2026 14:00:04 UTC

PAC4J is vulnerable to Cross-Site Request Forgery (CSRF). A malicious attacker can craft a specially designed website which, when visited by a user, will automatically submit a forged cross-site request with a token whose hash collides with...