Total CVEs

143,768

Critical Severity

4,091

High Severity

14,768

Last 7 Days

1,527
Quick preset (or use dates below)
Clear Filters
📅 Showing Year: 2026 (January 1 - December 31, 2026) View All Years →
Showing 2,061 - 2,080 of 40,173 CVEs
CVE-2026-11946 HIGH - 7.5

An unauthenticated remote attacker can exhaust server memory via the GetEndpoints Discovery Service in open62541. The endpointUrl field of GetEndpointsRequest is not validated for length. An attacker can declare an arbitrarily large string (up to ~4.09 GB via the UInt32 length field) delivered acros...

Vendor: open62541 project / o6 Automation GmbH
Product: open62541
Published: Jul 02, 2026
Source: NVD
CVE-2025-69156 HIGH - 7.1

Unauthenticated Cross Site Scripting (XSS) in Kids Zone - Children WordPress Theme <= 5.4 versions.

Vendor: Design themes
Product: Kids Zone - Children WordPress Theme
Published: Jul 02, 2026
Source: NVD
CVE-2025-69155 HIGH - 7.1

Unauthenticated Cross Site Scripting (XSS) in Fitness Zone WordPress Theme <= 5.7 versions.

Vendor: Designthemes
Product: Fitness Zone WordPress Theme
Published: Jul 02, 2026
Source: NVD
CVE-2025-69154 HIGH - 7.1

Unauthenticated Cross Site Scripting (XSS) in SpaLab | Beauty Salon WordPress Theme <= 6.7 versions.

Vendor: designthemes
Product: SpaLab | Beauty Salon WordPress Theme
Published: Jul 02, 2026
Source: NVD
CVE-2025-69153 HIGH - 7.1

Unauthenticated Cross Site Scripting (XSS) in Trendy Travel <= 6.7 versions.

Vendor: designthemes
Product: Trendy Travel
Published: Jul 02, 2026
Source: NVD
CVE-2025-69152 HIGH - 7.1

Unauthenticated Cross Site Scripting (XSS) in Artale | Wedding Photography WordPress <= 2.2.2 versions.

Vendor: ThemeGoods
Product: Artale | Wedding Photography WordPress
Published: Jul 02, 2026
Source: NVD
CVE-2025-69134 HIGH - 7.5

Unauthenticated Arbitrary Content Deletion in OpenAI Chatbot for WordPress – Helper <= 1.1.4 versions.

Vendor: Merkulove
Product: OpenAI Chatbot for WordPress – Helper
Published: Jul 02, 2026
Source: NVD
CVE-2025-69133 HIGH - 7.5

Subscriber Local File Inclusion in Tourmaster <= 5.4.5 versions.

Vendor: GoodLayers
Product: Tourmaster
Published: Jul 02, 2026
Source: NVD
CVE-2025-69132 MEDIUM - 6.5

Subscriber Sensitive Data Exposure in Corpkit <= 1.0.5 versions.

Vendor: Zozothemes
Product: Corpkit
Published: Jul 02, 2026
Source: NVD
CVE-2025-69094 HIGH - 8.5

Subscriber SQL Injection in Unicamp <= 2.2.2 versions.

Vendor: ThemeMove
Product: Unicamp
Published: Jul 02, 2026
Source: NVD
CVE-2025-66076 MEDIUM - 5.3

Unauthenticated Broken Access Control in Woostify Sites Library <= 1.6.2 versions.

Vendor: dylan ngo
Product: Woostify Sites Library
Published: Jul 02, 2026
Source: NVD
CVE-2025-58902 HIGH - 8.1

Unauthenticated Local File Inclusion in Lighthouse <= 1.2.12 versions.

Vendor: AncoraThemes
Product: Lighthouse
Published: Jul 02, 2026
Source: NVD

In liboauth2 the Demonstrating Proof-of-Possession (DPoP) verifier accepts a proof whose JSON Web Key (jwk) header contains private key material. RFC 9449 section 4.3 step 7 requires the verifier to reject such a proof but oauth2_token_verify() function returns success for a malformed DPoP proof tha...

Vendor: OpenIDC
Product: liboauth2
Published: Jul 02, 2026
Source: NVD

liboauth2 is vulnerable to Server-Side Request Forgery in oauth2_jose_jwks_aws_alb_resolve() function. The AWS ALB verifier reads both signer and kid from the unverified JWT header. If signer matches the configured ARN, kid is appended to alb_base_url without URL encoding or path sanitization, and t...

Vendor: OpenIDC
Product: liboauth2
Published: Jul 02, 2026
Source: NVD
CVE-2026-9834 HIGH - 7.2

The WP Database Backup – Unlimited Database & Files Backup by Backup for WP plugin for WordPress is vulnerable to OS Command Injection in all versions up to and including 7.11 via the `wp_db_exclude_table` parameter. This is due to the direct concatenation of user-supplied `$_POST['wp_db_ex...

Published: Jul 02, 2026
Source: NVD
CVE-2026-9188 MEDIUM - 5.3

The Appointment Bookings for Zoom GoogleMeet and more – Wappointment plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to and including 2.7.6 via the `appointmentkey` parameter due to the appointment `edit_key` — the sole authorization token consumed by `tryCa...

Published: Jul 02, 2026
Source: NVD
CVE-2026-9145 MEDIUM - 6.5

The Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress is vulnerable to Arbitrary File Copy via the create_entry_el() function in versions up to, and including, 1.5.1. The function reads raw_value from Elementor Pro's Form_Record object for upload-type fields and passes ...

Published: Jul 02, 2026
Source: NVD
CVE-2026-8482 MEDIUM - 4.3

A vulnerability was discovered on StormShield Network Security 4.3.0 to 4.3.41 (included), 4.8.0 to 4.8.15 (included) , 5.0.0 to 5.0.5 (included) There is a possible leak of secret information if administration commands have been passed with the CLI command line tool. Someone with SSH access to th...

Published: Jul 02, 2026
Source: NVD
CVE-2026-8441 HIGH - 7.5

The WP Review Slider Pro plugin for WordPress is vulnerable to SQL Injection via the 'notinstring' parameter of the wprp_load_more_revs AJAX action in versions up to, and including, 12.7.2. The parameter is read via $_POST['notinstring'] and passed through sanitize_text_field() —...

Published: Jul 02, 2026
Source: NVD
CVE-2026-14336 HIGH - 8.2

PIA's OIDC issuer allowlist for Jenkins tokens uses a bare string-prefix check (issuer.startswith(' https://ci.eclipse.org ') in is_issuer_known, pia/models.py:139) instead of validating the issuer as a properly host-bounded URL. An attacker can craft an issuer such as https://ci.ecl...

Vendor: Eclipse Foundation
Product: Eclipse CSI - PIA
Published: Jul 02, 2026
Source: NVD