Published threat advisories for April 21, 2026

An internal attacker can bypass Oxia security by reusing tokens from other services to gain unauthorized access. This puts critical business data at risk of exposure or modification and could cause major operational disruptions.

NVD published: April 21, 2026

Flowise contains a flaw that allows an internal attacker with existing access to run unauthorized commands on the host server. This could enable them to take full control of the application environment, putting sensitive data and underlying infrastructure at risk.

NVD published: April 21, 2026

A critical flaw in WWBN AVideo lets anyone steal accounts and sessions by broadcasting malicious code to all users. This impacts internet-facing video platforms, making it easy for attackers to take over user accounts and run commands.

NVD published: April 21, 2026

A vulnerability in the frp reverse proxy allows attackers to bypass authentication in specific HTTP vhost routing configurations. This could lead to unauthorized access to protected backend services, posing a risk to organizations using this feature.

NVD published: April 21, 2026

An external attacker can exploit a flaw in the Oracle Identity Manager Connector to bypass security and access or manipulate critical identity records. This allows them to create, delete, or modify sensitive business data, potentially compromising the integrity of identity management systems.

NVD published: April 21, 2026

An external attacker can exploit a flaw in the Oracle Identity Manager Connector to access, modify, or delete sensitive identity records without needing to log in. This could lead to unauthorized administrative control over enterprise systems, placing critical business data and security at risk.

NVD published: April 21, 2026

An external attacker can exploit a flaw in the Oracle Identity Manager Connector to access, modify, or delete sensitive identity data without logging in. This could allow unauthorized access to connected organizational resources and lead to the compromise of critical enterprise credentials.

NVD published: April 21, 2026

An internal attacker with existing administrative credentials could take over the Oracle Enterprise Manager Base Platform. This would allow them to seize control of managed infrastructure and compromise the wider IT environment.

NVD published: April 21, 2026

A serious vulnerability in Oracle Advanced Inbound Telephony lets anyone take over the system without a password over the internet, impacting critical communication services. This needs immediate attention.

NVD published: April 21, 2026

An internal attacker with valid developer credentials can exploit a flaw in Esri Portal for ArcGIS to bypass permission checks, enabling unauthorized access to private geospatial datasets and sensitive map configurations. This poses a risk of administrative compromise and the exposure of confidential organizational da…

NVD published: April 21, 2026

An internal attacker with existing high-level access to Esri Portal for ArcGIS could exploit a credential creation flaw to grant themselves unauthorized administrative privileges. This allows them to access sensitive information and gain control over the platform, jeopardizing business operations.

NVD published: April 21, 2026

An external attacker can exploit the goshs file server to retrieve sensitive GitHub access tokens embedded in build artifacts. This grants unauthorized access to our code repositories and deployment pipelines, potentially leading to data theft or software supply chain tampering.

NVD published: April 21, 2026

An unauthenticated flaw in the Vendure Shop API lets attackers run malicious commands against your database, potentially exposing customer data or disrupting services. This is critical as it affects public-facing commerce operations and all major databases.

NVD published: April 21, 2026

The goshs SFTP service has a critical flaw allowing anyone on the network to access files without a password. Update your goshs server immediately to prevent unauthorized data access.

NVD published: April 21, 2026

A vulnerability in mailcow: dockerized allows unauthenticated attackers to run code by tricking administrators into viewing specially crafted logs, potentially taking over your email service.

NVD published: April 21, 2026

A critical security flaw in Microsoft's ASP.NET Core allows unauthenticated attackers to gain unauthorized control over web applications from anywhere on the internet. This serious vulnerability needs immediate attention.

NVD published: April 21, 2026

FreeScout, a self-hosted help desk system, has a critical flaw allowing authenticated admins to write files anywhere on your server, potentially leading to a full system takeover.

NVD published: April 21, 2026

Crafty Controller contains a flaw that allows an internal attacker with valid credentials to modify settings for other users. This unauthorized access can lead to a complete takeover of administrative accounts, giving the attacker control over the server management interface.

NVD published: April 21, 2026

Excel-mcp-server has a critical flaw allowing remote attackers to read or overwrite any file on your server due to improper file path handling. This is a serious risk because it requires no authentication and is easily exploitable over the network by default.

NVD published: April 21, 2026

FreeScout admins can silently steal or redirect all outgoing emails by exploiting a flaw in mailbox settings. This affects self-hosted help desks and could lead to sensitive data leaks or phishing.

NVD published: April 21, 2026

An external attacker can take advantage of a security issue in CrowdStrike LogScale to remotely access sensitive server files, such as configuration data and stored credentials. This unauthorized access could allow them to gain administrative control over the server or view integrated business data.

NVD published: April 21, 2026

A critical vulnerability in Tenda W30E firmware allows attackers to remotely execute commands and gain control of your network device, potentially impacting internet-facing operations.

NVD published: April 21, 2026

An internal attacker with valid credentials can take full control of Bamboo Data Center to manipulate build plans and steal sensitive data. This flaw puts the integrity of critical development pipelines at risk and could expose interconnected business systems.

NVD published: April 21, 2026

Seeyon OA A8 has a critical flaw allowing unauthenticated attackers to write malicious files to servers, potentially gaining full control. This issue is actively exploited and affects internet-facing systems.

NVD published: April 21, 2026

An external attacker can exploit a flaw in Zeon Academy Pro to view, modify, or delete sensitive information in the company database. This access allows the attacker to steal user records or take over accounts, resulting in a loss of critical business data and operational control.

NVD published: April 21, 2026

A critical flaw in Net::Dropbear, a module for Perl, could let unauthorized individuals take over systems and access sensitive data. This is urgent because it affects how secure connections are managed.

NVD published: April 21, 2026

An external attacker can submit malicious inputs to applications using the Perl Storable module to trigger memory errors. This allows them to run unauthorized code or crash the system, potentially resulting in full control over the host application or service interruptions.

NVD published: April 21, 2026

An external attacker can exploit Firefox and Thunderbird by luring users to malicious websites or email content. By bypassing security protections, they could execute unauthorized code and steal sensitive user data or credentials, risking unauthorized access to business systems.

NVD published: April 21, 2026

An external attacker can trick users of Firefox and Thunderbird into visiting malicious websites to bypass session protections. This could allow them to compromise active web sessions, potentially leading to unauthorized account access and exposure of sensitive data.

NVD published: April 21, 2026

An external attacker can exploit a flaw in Firefox and Thunderbird by luring users to malicious websites to bypass security controls and steal sensitive cookie data. This could allow the attacker to hijack active sessions and gain unauthorized access to user accounts.

NVD published: April 21, 2026

Firefox and Thunderbird contain a flaw that allows an external attacker to steal sensitive personal information or hijack active user sessions. This risk arises when an employee views malicious web content, potentially exposing stored credentials and private data to unauthorized access.

NVD published: April 21, 2026

An internal attacker can exploit a flaw in NewSoftOA to run unauthorized commands on the server. This could grant them full control of the system, leading to unauthorized access to sensitive files and critical business data.

NVD published: April 21, 2026

An internal attacker could exploit a flaw in OpenClaw to bypass its security boundaries and escalate their access privileges. This could result in unauthorized administrative control over the host system and compromise protected business resources.

NVD published: April 21, 2026