Published threat advisories for April 22, 2026

An internal attacker can exploit a flaw in Jellystat to steal administrative credentials and run unauthorized commands on the server. This could lead to a full system compromise and the exposure of sensitive database contents.

NVD published: April 22, 2026

EspoCRM lets administrators overwrite server files by manipulating file paths, potentially impacting sensitive data or systems. Update to version 9.3.4 immediately.

NVD published: April 22, 2026

A critical flaw in Nimiq allows a malicious validator to bypass security checks and potentially control the blockchain by forging signatures. This could compromise the integrity of the entire network.

NVD published: April 22, 2026

Xerte Online Toolkits has a critical flaw letting anyone take full control of your server by uploading malicious code. This could lead to a complete system compromise.

NVD published: April 22, 2026

An external attacker could gain full administrative control over Dell PowerProtect Data Domain systems by sending specific network requests. This exposes critical backup data to potential theft, tampering, or disruption, threatening the integrity of enterprise data protection.

NVD published: April 22, 2026

DDEV is vulnerable to an internal attacker who could use malicious archives to overwrite critical files on a developer's computer. This could allow unauthorized control over the machine, risking the integrity of proprietary code and local development environments.

NVD published: April 22, 2026

An external attacker can take advantage of default credentials in the ELBA5 database to gain administrative access. This allows them to run unauthorized commands, steal sensitive business data, and take complete control of the host server.

NVD published: April 22, 2026

ThinkPHP's critical flaw lets unauthenticated attackers run any code on your servers by sending malicious web requests, potentially impacting widely deployed internet-facing applications.

NVD published: April 22, 2026

A flaw in the web application allows an internal attacker with a standard account to gain full administrative access. This could enable unauthorized changes to critical system configurations and expose sensitive organizational or user data.

NVD published: April 22, 2026

A critical flaw in PowerDNS Authoritative lets attackers disable your DNS service by sending a bad request, causing it to stop working until manually fixed. This affects internet-facing systems.

NVD published: April 22, 2026

A critical flaw in PowerDNS dnsdist could let an attacker crash your service or access sensitive data using specially crafted DNS responses, especially if you use custom scripting.

NVD published: April 22, 2026

An external attacker can send specific network traffic to exploit a vulnerability in the Linux kernel’s TI ICSSG PRU Ethernet driver. This flaw could cause a system crash, resulting in service outages or potentially allowing unauthorized access to the affected system.

NVD published: April 22, 2026

An external attacker can exploit a flaw in the Linux file-sharing service by sending malicious network requests to crash the system or gain unauthorized access to sensitive files. This vulnerability threatens the stability of business operations and the security of corporate data.

NVD published: April 22, 2026

A Linux kernel bug allows attackers with existing system access to potentially disrupt services or gain unauthorized control by exploiting how file reads are handled. Updates are available.

NVD published: April 22, 2026

An internal attacker with existing system access can exploit a flaw in the Linux kernel ext4 filesystem to cause a system-wide freeze. This disruption forces the machine to become unresponsive, resulting in a complete denial of service.

NVD published: April 22, 2026

An internal attacker with access to the Linux file sharing service could exploit a flaw to force a server crash. This could result in the loss of critical file access and disrupt daily business operations.

NVD published: April 22, 2026

A logic error in the Linux kernel could allow an internal attacker to trigger system crashes or memory corruption. This flaw threatens business continuity by enabling individuals with local system access to disrupt service availability or destabilize host operations.

NVD published: April 22, 2026

The Sendmachine for WordPress plugin allows attackers to intercept sensitive emails like password resets by changing your site's email settings, even without an account.

NVD published: April 22, 2026

The Create DB Tables plugin for WordPress allows any logged-in user to delete or create database tables, which could destroy your entire website.

NVD published: April 22, 2026

Progress Telerik UI for AJAX has a critical flaw allowing attackers to run malicious code on your servers by tricking a web component into processing bad data. This could impact internet-facing applications.

NVD published: April 22, 2026

An external attacker can exploit F' (F Prime) to overwrite critical files on embedded hardware, potentially granting them full control over the device. This capability allows unauthorized system access, creating a serious security risk for critical infrastructure.

NVD published: April 22, 2026

A critical flaw in WWBN AVideo versions up to 29.0 allows unauthorized access to sensitive files and potential server takeover, as the application improperly handles certain web addresses.

NVD published: April 22, 2026

OAuth2 Proxy can be tricked into letting attackers bypass authentication and access protected routes, which is a serious risk for any system relying on it for security.

NVD published: April 22, 2026