// LIVE THREAT FEED
Vulnerability Tracker
Real-time CVE tracking across Android, iOS, and mobile infrastructure. Updated continuously from NVD, Exploit-DB, and GitHub Advisory.
74 TOTAL TRACKED
10 CRITICAL
34 HIGH
30 MEDIUM
2 EXPLOITED ITW
| CVE ID | Severity | CVSS | Title | Platform | Category | Published | Exploited ITW |
|---|---|---|---|---|---|---|---|
| CVE-2026-5234 | MEDIUM | 5.3 | The LatePoint plugin for WordPress is vulnerable to Insecure Direct Object Refer | Cross-platform | Vulnerability | 2026-04-17 | — |
| CVE-2026-5231 | HIGH | 7.2 | The WP Statistics plugin for WordPress is vulnerable to Stored Cross-Site Script | Cross-platform | Remote Code Execution | 2026-04-17 | — |
| CVE-2026-3488 | MEDIUM | 6.5 | The WP Statistics plugin for WordPress is vulnerable to Missing Authorization in | Cross-platform | Remote Code Execution | 2026-04-17 | — |
| CVE-2026-40265 | MEDIUM | 5.9 | Note Mark is an open-source note-taking application. In versions 0.19.1 and prio | Cross-platform | Remote Code Execution | 2026-04-17 | — |
| CVE-2026-40262 | HIGH | 8.7 | Note Mark is an open-source note-taking application. In versions 0.19.1 and prio | Cross-platform | Remote Code Execution | 2026-04-17 | — |
| CVE-2026-40253 | MEDIUM | 6.8 | openCryptoki is a PKCS#11 library and provides tooling for Linux and AIX. In ver | Linux | Memory Corruption | 2026-04-16 | — |
| CVE-2026-41113 | HIGH | 8.1 | sagredo qmail before 2026.04.07 allows tls_quit remote code execution because of | Cross-platform | Remote Code Execution | 2026-04-16 | — |
| CVE-2026-40170 | HIGH | 7.5 | ngtcp2 is a C implementation of the IETF QUIC protocol. In versions prior to 1.2 | Cross-platform | Buffer Overflow | 2026-04-16 | — |
| CVE-2026-6442 | HIGH | 8.3 | Improper validation of bash commands in Snowflake Cortex Code CLI versions prior | Cross-platform | Remote Code Execution | 2026-04-16 | — |
| CVE-2025-43937 | MEDIUM | 6.6 | Dell PowerScale OneFS, versions prior to 9.12.0.0, contains an insertion of sens | Cross-platform | Vulnerability | 2026-04-16 | — |
| CVE-2026-37337 | HIGH | 7.3 | SourceCodester Simple Music Cloud Community System v1.0 is vulnerable to SQL Inj | Cloud | Remote Code Execution | 2026-04-16 | — |
| CVE-2026-37336 | HIGH | 7.3 | SourceCodester Simple Music Cloud Community System v1.0 is vulnerable to SQL Inj | Cloud | Remote Code Execution | 2026-04-16 | — |
| CVE-2026-4160 | MEDIUM | 5.3 | The Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Fo | Cross-platform | Vulnerability | 2026-04-16 | — |
| CVE-2026-6414 | MEDIUM | 5.9 | @fastify/static versions 8.0.0 through 9.1.0 decode percent-encoded path separat | Network | Remote Code Execution | 2026-04-16 | — |
| CVE-2026-31843 | CRITICAL | 9.8 | The goodoneuz/pay-uz Laravel package (<= 2.2.24) contains a critical vulnerabili | Cross-platform | Remote Code Execution | 2026-04-16 | — |
| CVE-2024-10242 | MEDIUM | 6.1 | The authentication endpoint fails to adequately validate user-supplied input bef | Cross-platform | Vulnerability | 2026-04-16 | — |
| CVE-2026-23772 | HIGH | 7.3 | Dell Storage Manager - Replay Manager for Microsoft Servers, version(s) 8.0, con | Windows | Vulnerability | 2026-04-16 | — |
| CVE-2024-2374 | HIGH | 7.5 | The XML parsers within multiple WSO2 products accept user-supplied XML data with | Cross-platform | Remote Code Execution | 2026-04-16 | — |
| CVE-2026-3861 | MEDIUM | 6.5 | LINE client for iOS versions prior to 26.3.0 contains a vulnerability in the in- | iOS | Vulnerability | 2026-04-16 | — |
| CVE-2026-3355 | MEDIUM | 6.1 | The Customer Reviews for WooCommerce plugin for WordPress is vulnerable to Refle | Cross-platform | Remote Code Execution | 2026-04-16 | — |
| CVE-2026-34621 | HIGH | 8.6 | CVE-2026-34621: Prototype Pollution RCE in Adobe Acrobat Reader | Cross-platform | Remote Code Execution | 2026-04-11 | YES |
| CVE-2026-33032 | CRITICAL | 9.8 | CVE-2026-33032: Nginx UI MCP Endpoint Auth Bypass Enables Full Service Takeover | Cloud | Vulnerability | 2026-03-30 | — |
| CVE-2025-20658 | MEDIUM | 6.0 | CVE-2025-20658: MediaTek DA2 USB Handler Heap Overflow → ACE | Cross-platform | Vulnerability | 2025-04-07 | — |
| CVE-2026-6351 | HIGH | 7.5 | MailGates/MailAudit developed by Openfind has a CRLF Injection vulnerability, al | Cross-platform | Vulnerability | 2026-04-16 | — |
| CVE-2026-6350 | CRITICAL | 9.8 | MailGates/MailAudit developed by Openfind has a Stack-based Buffer Overflow vuln | Cross-platform | Remote Code Execution | 2026-04-16 | — |
| CVE-2026-40504 | CRITICAL | 9.8 | Creolabs Gravity before 0.9.6 contains a heap buffer overflow vulnerability in t | Cross-platform | Remote Code Execution | 2026-04-16 | — |
| CVE-2026-40960 | HIGH | 8.1 | Luanti 5 before 5.15.2 sometimes allows unintended access to an insecure environ | Cross-platform | Remote Code Execution | 2026-04-16 | — |
| CVE-2026-40502 | HIGH | 8.8 | OpenHarness prior to commit dd1d235 contains a command injection vulnerability t | Cross-platform | Vulnerability | 2026-04-16 | — |
| CVE-2026-39857 | MEDIUM | 5.3 | ApostropheCMS is an open-source Node.js content management system. Versions 4.28 | Cross-platform | Remote Code Execution | 2026-04-15 | — |
| CVE-2026-35569 | HIGH | 8.7 | ApostropheCMS is an open-source Node.js content management system. Versions 4.28 | Cross-platform | Remote Code Execution | 2026-04-15 | — |
| CVE-2026-33889 | MEDIUM | 5.4 | ApostropheCMS is an open-source Node.js content management system. Versions 4.28 | Cross-platform | Remote Code Execution | 2026-04-15 | — |
| CVE-2026-33888 | MEDIUM | 5.3 | ApostropheCMS is an open-source Node.js content management system. Versions 4.28 | Cross-platform | Remote Code Execution | 2026-04-15 | — |
| CVE-2025-41118 | CRITICAL | 9.1 | Pyroscope is an open-source continuous profiling database. The database supports | Cloud | Remote Code Execution | 2026-04-15 | — |
| CVE-2026-30615 | HIGH | 8.0 | A prompt injection vulnerability in Windsurf 1.9544.26 allows remote attackers t | Cross-platform | Vulnerability | 2026-04-15 | — |
| CVE-2026-20204 | HIGH | 7.1 | In Splunk Enterprise versions below 10.2.1, 10.0.5, 9.4.10, and 9.3.11, and Splu | Cloud | Remote Code Execution | 2026-04-15 | — |
| CVE-2026-20202 | MEDIUM | 6.6 | In Splunk Enterprise versions below 10.2.2, 10.0.5, 9.4.10, and 9.3.11, and Splu | Cloud | Remote Code Execution | 2026-04-15 | — |
| CVE-2024-53412 | HIGH | 8.4 | Command injection in the connect function in NietThijmen ShoppingCart 0.0.2 allo | Cross-platform | Remote Code Execution | 2026-04-15 | — |
| CVE-2026-3590 | MEDIUM | 6.5 | Mattermost versions 10.11.x <= 10.11.12, 11.5.x <= 11.5.0, 11.4.x <= 11.4.2, 11 | Cross-platform | Remote Code Execution | 2026-04-15 | — |
| CVE-2025-64893 | HIGH | 7.1 | DNG SDK versions 1.7.0 and earlier are affected by an Out-of-bounds Read vulnera | Cross-platform | Memory Corruption | 2025-12-09 | — |
| CVE-2025-58411 | HIGH | 8.8 | Software installed and run as a non-privileged user may conduct improper GPU sys | Cross-platform | Remote Code Execution | 2026-01-13 | — |
| CVE-2025-52908 | CRITICAL | 9.8 | An issue was discovered in the Wi-Fi driver in Samsung Mobile Processor and Wear | Android | Buffer Overflow | 2026-04-07 | — |
| CVE-2025-13476 | CRITICAL | 9.8 | Rakuten Viber Cloak mode in Android v25.7.2.0g and Windows v25.6.0.0–v25.8.1.0 u | Android | Vulnerability | 2026-03-05 | — |
| CVE-2025-48587 | MEDIUM | 6.2 | In multiple functions of ProfilingService.java, there is a possible persistent d | Cross-platform | Vulnerability | 2026-03-02 | — |
| CVE-2025-38616 | HIGH | 7.1 | CVE-2025-38616: Linux TLS ULP Dangling Anchor After Queue Drain | Linux | Memory Corruption | 2025-08-22 | — |
| CVE-2025-64720 | HIGH | 7.1 | CVE-2025-64720: libpng OOB Read via Palette Alpha Invariant Violation | Network | Memory Corruption | 2025-11-25 | — |
| CVE-2026-5445 | CRITICAL | 9.1 | CVE-2026-5445: DICOM Palette OOB Read Leaks Heap via Android Image Decoder | Android | Memory Corruption | 2026-04-09 | — |
| CVE-2026-0006 | CRITICAL | 9.8 | In multiple locations, there is a possible out of bounds read and write due to a | Cross-platform | Remote Code Execution | 2026-03-02 | — |
| CVE-2024-43766 | MEDIUM | 6.5 | In multiple functions of btm_ble_sec.cc, there is a possible unencrypted communi | Cross-platform | Information Disclosure | 2026-03-02 | — |
| CVE-2026-27289 | HIGH | 7.8 | Photoshop Desktop versions 27.4 and earlier are affected by an out-of-bounds rea | Cross-platform | Memory Corruption | 2026-04-14 | — |
| CVE-2026-27222 | MEDIUM | 5.5 | Bridge versions 16.0.2, 15.1.4 and earlier are affected by a Divide By Zero vuln | Cross-platform | Vulnerability | 2026-04-14 | — |
| CVE-2026-34625 | MEDIUM | 5.4 | Adobe Experience Manager versions 6.5.24, FP11.7 and earlier are affected by a D | Cross-platform | Vulnerability | 2026-04-14 | — |
| CVE-2026-34624 | MEDIUM | 5.4 | Adobe Experience Manager versions 6.5.24, FP11.7 and earlier are affected by a D | Cross-platform | Vulnerability | 2026-04-14 | — |
| CVE-2026-34623 | MEDIUM | 5.4 | Adobe Experience Manager versions 6.5.24, FP11.7 and earlier are affected by a D | Cross-platform | Vulnerability | 2026-04-14 | — |
| CVE-2026-27285 | MEDIUM | 5.5 | InDesign Desktop versions 20.5.2, 21.2 and earlier are affected by a Heap-based | Cross-platform | Buffer Overflow | 2026-04-14 | — |
| CVE-2026-27284 | HIGH | 7.8 | InDesign Desktop versions 20.5.2, 21.2 and earlier are affected by an out-of-bou | Cross-platform | Memory Corruption | 2026-04-14 | — |
| CVE-2026-27283 | HIGH | 7.8 | InDesign Desktop versions 20.5.2, 21.2 and earlier are affected by a Use After F | Cross-platform | Remote Code Execution | 2026-04-14 | — |
| CVE-2026-27238 | HIGH | 7.8 | InDesign Desktop versions 20.5.2, 21.2 and earlier are affected by a Heap-based | Cross-platform | Remote Code Execution | 2026-04-14 | — |
| CVE-2026-38527 | HIGH | 8.5 | A Server-Side Request Forgery (SSRF) in the /settings/webhooks/create component | Cross-platform | Remote Code Execution | 2026-04-14 | — |
| CVE-2026-23708 | HIGH | 7.5 | An improper authentication vulnerability in Fortinet FortiSOAR PaaS 7.6.0 through | Cross-platform | Remote Code Execution | 2026-04-14 | — |
| CVE-2026-22828 | HIGH | 8.1 | A heap-based buffer overflow vulnerability in Fortinet FortiAnalyzer Cloud 7.6.2 | Cloud | Remote Code Execution | 2026-04-14 | — |
| CVE-2025-61624 | MEDIUM | 6.0 | An Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal' | iOS | Vulnerability | 2026-04-14 | — |
| CVE-2025-53847 | MEDIUM | 6.5 | A missing authentication for critical function vulnerability in Fortinet FortiOS | iOS | Vulnerability | 2026-04-14 | — |
| CVE-2026-37980 | MEDIUM | 6.9 | A flaw was found in Keycloak, specifically in the organization selection login p | Cross-platform | Vulnerability | 2026-04-14 | — |
| CVE-2026-33892 | HIGH | 7.1 | Critical Authentication Bypass in Siemens Industrial Edge Management Exposes OT Networks | Cross-platform | Remote Code Execution | 2026-04-14 | — |
| CVE-2026-21385 | HIGH | 7.8 | Critical Memory Corruption in Qualcomm Firmware Exploited in Wild: CVE-2026-21385 Analysis | Cross-platform | Vulnerability | 2026-03-02 | YES |
| CVE-2026-6264 | CRITICAL | 9.8 | CVE-2026-6264: Critical Unauthenticated RCE in Talend JobServer via JMX Monitoring Port | Cross-platform | Remote Code Execution | 2026-04-14 | — |
| CVE-2026-2582 | MEDIUM | 6.5 | The Germanized for WooCommerce plugin for WordPress is vulnerable to arbitra | Cross-platform | Remote Code Execution | 2026-04-14 | — |
| CVE-2026-6227 | HIGH | 7.2 | The BackWPup plugin for WordPress is vulnerable to Local File Inclusion via the | Cross-platform | Remote Code Execution | 2026-04-14 | — |
| CVE-2026-4352 | HIGH | 7.5 | The JetEngine plugin for WordPress is vulnerable to SQL Injection via the Custom | Cross-platform | Vulnerability | 2026-04-14 | — |
| CVE-2026-39421 | MEDIUM | 6.3 | MaxKB is an open-source AI assistant for enterprise. Versions 2.7.1 and below co | Linux | Remote Code Execution | 2026-04-14 | — |
| CVE-2026-39420 | MEDIUM | 6.3 | MaxKB is an open-source AI assistant for enterprise. In versions 2.7.1 and below | Network | Remote Code Execution | 2026-04-14 | — |
| CVE-2026-39418 | MEDIUM | 5.0 | MaxKB is an open-source AI assistant for enterprise. In versions 2.7.1 and below | Linux | Remote Code Execution | 2026-04-14 | — |
| CVE-2026-34256 | HIGH | 7.1 | Due to a missing authorization check in SAP ERP and SAP S/4HANA (Private Cloud a | Cloud | Vulnerability | 2026-04-14 | — |
| CVE-2026-40164 | HIGH | 7.5 | jq is a command-line JSON processor. Before commit 0c7d133c3c7e37c00b6d46b658a02 | Cross-platform | Vulnerability | 2026-04-14 | — |