High Vulnerabilities
| Primary Vendor — Product |
Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| Grafana–Pyroscope | Pyroscope is an open-source continuous profiling database. The database supports various storage backends, including Tencent Cloud Object Storage (COS). If the database is configured to use Tencent COS as the storage backend, an attacker could extract the secret_key configuration value from the Pyroscope API. To exploit this vulnerability, an attacker needs direct access to the Pyroscope API. We highly recommend limiting the public internet exposure of all our databases, such that they are only accessible by trusted users or internal systems. This vulnerability is fixed in versions: 1.15.x: 1.15.2 and above. 1.16.x: 1.16.1 and above. 1.17.x: 1.17.0 and above (i.e. all versions). Thanks to Théo Cusnir for reporting this vulnerability to us via our bug bounty program. | 2026-04-15 | 9.1 | CVE-2025-41118 | https://grafana.com/security/security-advisories/cve-2025-41118 |
| n/a–Grocery Store Management System v1.0 | Improper input handling in /Grocery/search_products_itname.php, in anirudhkannan Grocery Store Management System 1.0, allows SQL injection via the sitem_name POST parameter. | 2026-04-14 | 9.8 | CVE-2025-63939 | https://github.com/TREXNEGRO/Security-Advisories/tree/main/CVE-2025-63939 |
| n/a–manikandan580 School-management-system v1.0 | In manikandan580 School-management-system 1.0, a time-based blind SQL injection vulnerability exists in /studentms/admin/between-date-reprtsdetails.php through the fromdate POST parameter. | 2026-04-14 | 9.8 | CVE-2025-65135 | https://github.com/TREXNEGRO/Security-Advisories/tree/main/CVE-2025-65135 |
| Owen–WebStack | The WebStack theme for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the io_img_upload() function in all versions up to, and including, 1.2024. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site’s server which may make remote code execution possible. | 2026-04-15 | 9.8 | CVE-2026-1555 | https://www.wordfence.com/threat-intel/vulnerabilities/id/b97805de-1b47-4c9f-baae-2e37c1b78570?source=cve https://github.com/owen0o0/WebStack/blob/master/inc/ajax.php#L5 https://github.com/owen0o0/WebStack/tree/master |
| Cisco–Cisco Identity Services Engine Software | A vulnerability in Cisco ISE and Cisco ISE-PIC could allow an authenticated, remote attacker to execute arbitrary commands on the underlying operating system of an affected device. To exploit this vulnerability, the attacker must have valid administrative credentials. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to obtain user-level access to the underlying operating system and then elevate privileges to root. In single-node ISE deployments, successful exploitation of this vulnerability could cause the affected ISE node to become unavailable, resulting in a denial of service (DoS) condition. In […] Content was cut in order to protect the source.Please visit the source for the rest of the article. This article has been indexed from Bulletins
Read the original article: Post navigation |