Recent Advisories

Severity ID Title Vendor Product Date Type
HIGH 7.1 CVE-2026-50284

Craft CMS: Missing peer-permission check in `AssetsController::actionDeleteFolder` allows deletion of other users’ assets

Craft CMS is a content management system (CMS). In versions 5.0.0-RC1 through 5.9.21 and 4.0.0-RC1 through 4.17.14, the AssetsController::actionDele...

craftcms cms >= 5.0.0-RC1, < 5.9.22 CVE
HIGH 7.6 CVE-2026-14440

Cloudflare Universal SSL automatically managed CAA RRset supersedes customer-configured CAA records

Description: To issue and renew TLS certificates on behalf of customers, Cloudflare's Universal SSL feature automatically manages the CAA RRset...

Cloudflare Universal SSL CVE
HIGH 7.4 CVE-2026-55790

Craft CMS: DOM XSS via GitHub issue title in CraftSupport widget

Craft CMS is a content management system (CMS). In versions 5.0.0-RC1 through 5.9.22 and 4.0.0-RC1 through 4.17.15, an attacker with only a GitHub ...

craftcms cms >= 5.0.0-RC1, < 5.9.23 CVE
HIGH 8.7 CVE-2026-55794

Craft CMS: Potential authenticated Remote Code Execution via referrer redirect

Craft CMS is a content management system (CMS). In versions 5.9.0 and above prior to 5.10.0, control panel users with the ability to edit entries c...

craftcms cms >= 5.9.0, < 5.10.0 CVE
HIGH 7.6 CVE-2026-50279

Craft CMS: Authorship spoofing in `entries/save-entry` via pre-check/post-mutation authorization gap

Craft CMS is a content management system (CMS). In versions 5.0.0-RC1 and above prior to 5.9.21, the EntriesController::actionSaveEntry() performs e...

craftcms cms >= 5.0.0-RC1, < 5.9.21 CVE
HIGH 8.8 CVE-2026-14087

CVE-2026-14087

Heap buffer overflow in WebNN in Google Chrome on Windows prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process...

Google Chrome 150.0.7871.47 CVE
HIGH 7.4 CVE-2026-57736

WordPress HubSpot plugin <= 11.3.51 - Sensitive Data Exposure vulnerability

Insertion of Sensitive Information Into Sent Data vulnerability in HubSpot allows Retrieve Embedded Sensitive Data. This issue affects HubSpot: fr...

HubSpot HubSpot n/a CVE
HIGH 7.4 CVE-2026-57723

WordPress VikBooking Hotel Booking Engine & PMS plugin <= 1.8.12 - CSRF to Arbitrary File Deletion vulnerability

Cross-Site Request Forgery (CSRF) vulnerability in e4jvikwp VikBooking Hotel Booking Engine & PMS allows Path Traversal. This issue affects VikBoo...

e4jvikwp VikBooking Hotel Booking Engine & PMS n/a CVE
HIGH 7.5 CVE-2026-54428

Apache HttpComponents Core: HPackDecoder Unlimited Header List Size Before SETTINGS ACK

Allocation of resources without limits or throttling in the HTTP/2 HPACK decoder in Apache HttpComponents Core (5.4.2 and earlier, 5.5-beta1 and ea...

Apache Software Foundation Apache HttpComponents Core 5.5-alpha CVE
HIGH 8 CVE-2026-49091

Improper Output Neutralization for Logs in Kibana Leading to Log Injection

Improper Output Neutralization for Logs (CWE-117) in Kibana can lead to log injection via Log Injection-Tampering-Forging (CAPEC-93). An attacker c...

Elastic Kibana 8.0.0 CVE