Severity hub

High-severity CVEs from the last 30 days

Review recently published high-severity CVEs, compare scores, and move straight into the underlying CVE records when you need remediation detail.

RSSWindow snapshot: Mar 29, 2026 - Apr 27, 2026.

Matched CVEs

983

Published in the current 30-day window.

Pages

At 20 records per page.

Average CVSS

7.3

Across the currently loaded page.

KEV on page

Entries already flagged in the CISA KEV catalog.

Search results

Filtered vulnerability results

Showing 1-20 of 983 vulnerabilities.

Severity: HIGHRange: Mar 29, 2026 - Apr 27, 2026

Sort current page

CVE-2026-7119HighCVSS7.4Published Apr 27, 2026

A vulnerability was detected in Tenda HG3 2.0. The impacted element is an unknown function of the file /boaform/formCountrystr. The manipulation of the argument countrystr results in os command injection. The attack may be performed from remote. The exploit is now public and may be used.

Affected vendor

Structured metadata unavailable

Affected product

Product metadata unavailable

Coverage

No structured product entries

CVSS

7.4

HIGH

Published

Apr 27, 2026

CVE-2026-7101HighCVSS7.4Published Apr 27, 2026

A vulnerability has been found in Tenda F456 1.0.0.5. This affects the function fromWrlclientSet of the file /goform/WrlclientSet of the component httpd. The manipulation leads to buffer overflow. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used.

Affected vendor

Structured metadata unavailable

Affected product

Product metadata unavailable

Coverage

No structured product entries

CVSS

7.4

HIGH

Published

Apr 27, 2026

CVE-2026-7100HighCVSS7.4Published Apr 27, 2026

A flaw has been found in Tenda F456 1.0.0.5. The impacted element is the function fromNatlimitof of the file /goform/Natlimit of the component httpd. Executing a manipulation can lead to buffer overflow. The attack may be launched remotely. The exploit has been published and may be used.

Affected vendor

Structured metadata unavailable

Affected product

Product metadata unavailable

Coverage

No structured product entries

CVSS

7.4

HIGH

Published

Apr 27, 2026

CVE-2026-7099HighCVSS7.4Published Apr 27, 2026

A vulnerability was detected in Tenda F456 1.0.0.5. The affected element is the function formQuickIndex of the file /goform/QuickIndex of the component httpd. Performing a manipulation of the argument mit_linktype results in buffer overflow. The attack may be initiated remotely. The exploit is now public and may be used.

Affected vendor

Structured metadata unavailable

Affected product

Product metadata unavailable

Coverage

No structured product entries

CVSS

7.4

HIGH

Published

Apr 27, 2026

CVE-2026-7098HighCVSS7.4Published Apr 27, 2026

A security vulnerability has been detected in Tenda F456 1.0.0.5. Impacted is the function fromDhcpListClient of the file /goform/DhcpListClient of the component httpd. Such manipulation of the argument page leads to buffer overflow. The attack can be launched remotely. The exploit has been disclosed publicly and may be used.

Affected vendor

Structured metadata unavailable

Affected product

Product metadata unavailable

Coverage

No structured product entries

CVSS

7.4

HIGH

Published

Apr 27, 2026

CVE-2026-7097HighCVSS7.4Published Apr 27, 2026

A weakness has been identified in Tenda F456 1.0.0.5. This issue affects the function fromwebExcptypemanFilter of the file /goform/webExcptypemanFilter of the component httpd. This manipulation of the argument page causes buffer overflow. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks.

Affected vendor

Structured metadata unavailable

Affected product

Product metadata unavailable

Coverage

No structured product entries

CVSS

7.4

HIGH

Published

Apr 27, 2026

CVE-2026-7096HighCVSS7.4Published Apr 27, 2026

A security flaw has been discovered in Tenda HG3 2.0 300003070. This vulnerability affects the function formgponConf of the file /boaform/admin/formgponConf. The manipulation of the argument fmgpon_loid results in os command injection. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks.

Affected vendor

Structured metadata unavailable

Affected product

Product metadata unavailable

Coverage

No structured product entries

CVSS

7.4

HIGH

Published

Apr 27, 2026

CVE-2026-7094MediumCVSS6.9Published Apr 27, 2026

A vulnerability was determined in ShadowCloneLabs GlutamateMCPServers up to e2de73280b01e5d943593dd1aa2c01c5b9112f78. Affected by this issue is some unknown functionality of the file src/puppeteer/index.ts of the component puppeteer_navigate. Executing a manipulation of the argument url can lead to server-side request forgery. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized. This product utilizes a rolling release system for continuous delivery, and as such, version information for affected or updated releases is not disclosed. The project was informed of the problem early through an issue report but has not responded yet.

Affected vendor

Structured metadata unavailable

Affected product

Product metadata unavailable

Coverage

No structured product entries

CVSS

6.9

MEDIUM

Published

Apr 27, 2026

CVE-2026-7088MediumCVSS6.9Published Apr 27, 2026

A weakness has been identified in SourceCodester Pharmacy Sales and Inventory System 1.0. The affected element is an unknown function of the file /ajax.php?action=save_receiving. Executing a manipulation of the argument ID can lead to sql injection. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks.

Affected vendor

Structured metadata unavailable

Affected product

Product metadata unavailable

Coverage

No structured product entries

CVSS

6.9

MEDIUM

Published

Apr 27, 2026

CVE-2026-7087MediumCVSS6.9Published Apr 27, 2026

A security flaw has been discovered in SourceCodester Pharmacy Sales and Inventory System 1.0. Impacted is an unknown function of the file /ajax.php?action=save_sales. Performing a manipulation of the argument ID results in sql injection. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks.

Affected vendor

Structured metadata unavailable

Affected product

Product metadata unavailable

Coverage

No structured product entries

CVSS

6.9

MEDIUM

Published

Apr 27, 2026

CVE-2026-7082HighCVSS7.4Published Apr 27, 2026

A flaw has been found in Tenda F456 1.0.0.5. Affected by this vulnerability is the function formWrlExtraSet of the file /goform/WrlExtraSet of the component httpd. Executing a manipulation of the argument Go can lead to buffer overflow. The attack can be executed remotely. The exploit has been published and may be used.

Affected vendor

Structured metadata unavailable

Affected product

Product metadata unavailable

Coverage

No structured product entries

CVSS

7.4

HIGH

Published

Apr 27, 2026

CVE-2026-7081HighCVSS7.4Published Apr 27, 2026

A vulnerability was detected in Tenda F456 1.0.0.5. Affected is the function fromGstDhcpSetSer of the file /goform/GstDhcpSetSer of the component httpd. Performing a manipulation of the argument dips results in buffer overflow. Remote exploitation of the attack is possible. The exploit is now public and may be used.

Affected vendor

Structured metadata unavailable

Affected product

Product metadata unavailable

Coverage

No structured product entries

CVSS

7.4

HIGH

Published

Apr 27, 2026

CVE-2026-7106HighCVSS8.8Published Apr 27, 2026

The Highland Software Custom Role Manager plugin for WordPress is vulnerable to Privilege Escalation in versions up to and including 1.0.0. This is due to insufficient authorization checks in the hscrm_save_user_roles() function, which is hooked to the personal_options_update action accessible by any authenticated user. This makes it possible for authenticated attackers, with Subscriber-level access or higher, to potentially modify user roles via the profile update form.

Affected vendor

Structured metadata unavailable

Affected product

Product metadata unavailable

Coverage

No structured product entries

CVSS

8.8

HIGH

Published

Apr 27, 2026

CVE-2026-7080HighCVSS7.4Published Apr 27, 2026

A security vulnerability has been detected in Tenda F456 1.0.0.5. This impacts the function fromPPTPUserSetting of the file /goform/PPTPUserSetting of the component httpd. Such manipulation of the argument delno leads to buffer overflow. The attack may be launched remotely. The exploit has been disclosed publicly and may be used.

Affected vendor

Structured metadata unavailable

Affected product

Product metadata unavailable

Coverage

No structured product entries

CVSS

7.4

HIGH

Published

Apr 27, 2026

CVE-2026-7079HighCVSS7.4Published Apr 27, 2026

A weakness has been identified in Tenda F456 1.0.0.5. This affects the function fromAdvSetWan of the file /goform/AdvSetWan of the component httpd. This manipulation of the argument wanmode causes buffer overflow. The attack may be initiated remotely. The exploit has been made available to the public and could be used for attacks.

Affected vendor

Structured metadata unavailable

Affected product

Product metadata unavailable

Coverage

No structured product entries

CVSS

7.4

HIGH

Published

Apr 27, 2026

CVE-2026-7078HighCVSS7.4Published Apr 27, 2026

A security flaw has been discovered in Tenda F456 1.0.0.5. The impacted element is the function fromSetIpBind of the file /goform/SetIpBind of the component httpd. The manipulation of the argument page results in buffer overflow. The attack can be launched remotely. The exploit has been released to the public and may be used for attacks.

Affected vendor

Structured metadata unavailable

Affected product

Product metadata unavailable

Coverage

No structured product entries

CVSS

7.4

HIGH

Published

Apr 27, 2026

CVE-2026-7077MediumCVSS6.9Published Apr 27, 2026

A vulnerability was identified in itsourcecode Courier Management System 1.0. The affected element is an unknown function of the file /edit_parcel.php. The manipulation of the argument ID leads to sql injection. The attack can be initiated remotely. The exploit is publicly available and might be used.

Affected vendor

Structured metadata unavailable

Affected product

Product metadata unavailable

Coverage

No structured product entries

CVSS

6.9

MEDIUM

Published

Apr 27, 2026

CVE-2026-7076MediumCVSS6.9Published Apr 27, 2026

A vulnerability was determined in itsourcecode Courier Management System 1.0. Impacted is an unknown function of the file /edit_branch.php. Executing a manipulation of the argument ID can lead to sql injection. It is possible to launch the attack remotely. The exploit has been publicly disclosed and may be utilized.

Affected vendor

Structured metadata unavailable

Affected product

Product metadata unavailable

Coverage

No structured product entries

CVSS

6.9

MEDIUM

Published

Apr 27, 2026

CVE-2026-7075MediumCVSS6.9Published Apr 27, 2026

A vulnerability was found in itsourcecode Construction Management System 1.0. This issue affects some unknown processing of the file /locations.php. Performing a manipulation of the argument address results in sql injection. It is possible to initiate the attack remotely. The exploit has been made public and could be used.

Affected vendor

Structured metadata unavailable

Affected product

Product metadata unavailable

Coverage

No structured product entries

CVSS

6.9

MEDIUM

Published

Apr 27, 2026

CVE-2026-7074MediumCVSS6.9Published Apr 27, 2026

A vulnerability has been found in itsourcecode Construction Management System 1.0. This vulnerability affects unknown code of the file /execute1.php. Such manipulation of the argument code leads to sql injection. The attack may be performed from remote. The exploit has been disclosed to the public and may be used.

Affected vendor

Structured metadata unavailable

Affected product

Product metadata unavailable

Coverage

No structured product entries

CVSS

6.9

MEDIUM

Published

Apr 27, 2026