Total CVEs

143,081

Critical Severity

4,044

High Severity

14,530

Last 7 Days

1,245
Quick preset (or use dates below)
Clear Filters
📅 Showing Year: 2026 (January 1 - December 31, 2026) View All Years →
Showing 1 - 20 of 39,486 CVEs
CVE-2026-5955 CRITICAL - 9.8

Improper neutralization of special elements used in an SQL command ('SQL injection') vulnerability in Inrove Software and Internet Services BiEticaret allows SQL Injection. This issue affects BiEticaret: before v3.3.57.

Published: Jul 09, 2026
Source: NVD
CVE-2026-5793 MEDIUM - 6.1

Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Inrove Software and Internet Services BiEticaret allows Reflected XSS. This issue affects BiEticaret: before v3.3.57.

Published: Jul 09, 2026
Source: NVD
CVE-2026-56460 MEDIUM - 6.5

HCL DevOps Deploy / HCL Launch could disclose sensitive configurations and secrets to authenticated users in API responses that could be used in further attacks against the system.

Vendor: HCLSoftware
Product: HCL DevOps Deploy / HCL Launch
Published: Jul 09, 2026
Source: NVD
CVE-2026-56459 MEDIUM - 6.2

HCL DevOps Deploy / HCL Launch is susceptible to sensitive information disclosure.  The application stores potentially sensitive information in log files that could be read by a local user.

Vendor: HCLSoftware
Product: HCL DevOps Deploy / HCL Launch
Published: Jul 09, 2026
Source: NVD
CVE-2026-56458 MEDIUM - 5.4

HCL DevOps Deploy uses Cross-Origin Resource Sharing (CORS) which could allow an attacker to carry out privileged actions and retrieve sensitive information as the domain name is not being limited to only trusted domains.

Vendor: HCLSoftware
Product: HCL DevOps Deploy
Published: Jul 09, 2026
Source: NVD
CVE-2026-2342 CRITICAL - 9.3

Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in OceanicSoft Informatics Systems Ltd. ValeApp allows Stored XSS. This issue affects ValeApp: through 09072026. NOTE: The vendor was contacted early about this disclosure but did not respon...

Published: Jul 09, 2026
Source: NVD
CVE-2026-1989 HIGH - 7.5

Authorization bypass through User-Controlled key vulnerability in PAVO Financial Technology Solutions Inc. PAVO Pay allows Exploitation of Trusted Identifiers. This issue affects PAVO Pay: through 09072026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

Published: Jul 09, 2026
Source: NVD
CVE-2026-1365 MEDIUM - 6.5

Insertion of sensitive information into sent data vulnerability in Sayax Energy Technologies Inc. OSOS allows Authentication Bypass. This issue affects OSOS: through 09072026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

Published: Jul 09, 2026
Source: NVD
CVE-2026-15158 CRITICAL - 9.8

The Blocksy Companion plugin for WordPress is vulnerable to Arbitrary File Upload in all versions up to, and including, 2.1.46 via the save_attachments function. This is due to the Custom Fonts extension registering a wp_check_filetype_and_ext filter that approves any filename containing .woff2 or ....

Vendor: creativethemeshq
Product: Blocksy Companion
Published: Jul 09, 2026
Source: NVD
CVE-2026-12433 MEDIUM - 4.3

The Hydra Booking – Appointment Scheduling & Booking Calendar plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 1.2.1 via the /wp-json/hydra-booking/v1/booking/details/{id} REST endpoint. This is due to the getBookingDetails() callback only ...

Vendor: themefic
Product: Hydra Booking — Appointment Scheduling & Booking Calendar
Published: Jul 09, 2026
Source: NVD
CVE-2026-8996 MEDIUM - 6.5

The Backup and Staging by WP Time Capsule plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.22.26 via the download_recent_decrypted_file_wptc. This makes it possible for authenticated attackers, with subscriber-level access and above, to ext...

Published: Jul 09, 2026
Source: NVD
CVE-2026-8848 HIGH - 7.2

The Popup Maker – Boost Sales, Conversions, Optins, Subscribers with the Ultimate WP Popup Builder plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.22.0. This is due to the plugin not properly verifying that a user is authorized to perform an action....

Published: Jul 09, 2026
Source: NVD
CVE-2026-7558 MEDIUM - 5.3

The Age Verification & Identity Verification by Token of Trust plugin for WordPress is vulnerable to unauthorized access in all versions up to and including 4.0.2. This is due to the handle_export_table() function being registered on the WordPress 'init' hook, which fires for all reque...

Published: Jul 09, 2026
Source: NVD
CVE-2026-6910 MEDIUM - 6.4

The Bookero.pl – system rezerwacji online plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `bookero_products` shortcode's `hide_products` (and `filter_products`) attributes in versions up to and including 2.2. This is due to insufficient input sanitization and output es...

Published: Jul 09, 2026
Source: NVD

A user authenticating to Kubernetes clusters via the Pinniped Supervisor could potentially gain elevated permissions in the clusters, only if all the following conditions were true: the Pinniped Supervisor server is running with an ActiveDirectoryIdentityProvider resource configured; the ActiveDirec...

Vendor: VMware
Product: Pinniped
Published: Jul 09, 2026
Source: NVD

Permissive Cross-Origin Resource Sharing (CORS) in the REST API (helix-rest, org.apache.helix.rest.server.filters.CORSFilter) in Apache Helix through 2.0.0 on all platforms allows a remote attacker controlling a web page visited by an authorized user to read responses from and issue cross-origin req...

Vendor: Apache Software Foundation
Product: Apache Helix REST
Published: Jul 09, 2026
Source: NVD
CVE-2026-4653 MEDIUM - 6.4

The Block, Suspend, Report for BuddyPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'link' parameter in versions up to and including 3.6.4. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers...

Published: Jul 09, 2026
Source: NVD
CVE-2026-33390 HIGH - 8.1

An Incorrect Privilege Assignment vulnerability was discovered in the synchronization functionality due to Arc sensors receiving CLI permissions. An authenticated user with limited privileges can push administrative CLI commands through the sync, altering the device configuration, and/or affecting i...

Vendor: Nozomi Networks
Product: Guardian, CMC
Published: Jul 09, 2026
Source: NVD
CVE-2026-31985 HIGH - 8.1

When the upstream Guardian or CMC was configured in the Remote Collector via n2os-tui, the generated configuration disabled TLS certificate verification, and no option was provided to enable it. A malicious actor could perform a man-in-the-middle attack and intercept the communication between the Re...

Vendor: Nozomi Networks
Product: Remote Collector
Published: Jul 09, 2026
Source: NVD
CVE-2026-31984 HIGH - 7.5

A denial-of-service vulnerability caused by unbounded resource allocation was discovered in the audit logging functionality, due to a missing size limit on input recorded into audit entries. An unauthenticated attacker can submit requests containing excessively large input that is recorded into audi...

Vendor: Nozomi Networks
Product: Guardian, CMC
Published: Jul 09, 2026
Source: NVD