Total CVEs

144,278

Critical Severity

4,164

High Severity

14,985

Last 7 Days

1,612
Quick preset (or use dates below)
Clear Filters
📅 Showing Year: 2026 (January 1 - December 31, 2026) View All Years →
Showing 21,001 - 21,020 of 40,683 CVEs
CVE-2026-41030 MEDIUM - 6.2

In ONLYOFFICE DesktopEditors before 9.3.0, the update service allows attackers to perform actions on files with SYSTEM privileges.

Vendor: Ascensio
Product: ONLYOFFICE DesktopEditors
Published: Apr 16, 2026
Source: NVD
CVE-2026-3995 MEDIUM - 4.4

The OPEN-BRAIN plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'API Key' settings field in all versions up to, and including, 0.5.0. This is due to insufficient input sanitization and output escaping. The plugin uses sanitize_text_field() which strips HTML tags bu...

Published: Apr 16, 2026
Source: NVD
CVE-2026-3876 HIGH - 7.2

The Prismatic plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'prismatic_encoded' pseudo-shortcode in all versions up to, and including, 3.7.3. This is due to insufficient input sanitization and output escaping on user-supplied attributes within the 'prismati...

Published: Apr 16, 2026
Source: NVD
CVE-2026-3875 MEDIUM - 6.4

The BetterDocs plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'betterdocs_feedback_form' shortcode in all versions up to, and including, 4.3.8. This is due to insufficient input sanitization and output escaping on user supplied shortcode attributes. This makes it...

Published: Apr 16, 2026
Source: NVD
CVE-2026-3861 MEDIUM - 6.5

LINE client for iOS versions prior to 26.3.0 contains a vulnerability in the in-app browser where opening a crafted web page can repeatedly trigger OS-level dialogs, potentially causing the iOS device to become temporarily inoperable.

Published: Apr 16, 2026
Source: NVD
CVE-2026-3355 MEDIUM - 6.1

The Customer Reviews for WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘crsearch’ parameter in all versions up to, and including, 5.101.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inj...

Published: Apr 16, 2026
Source: NVD
CVE-2026-1620 HIGH - 8.8

The Livemesh Addons for Elementor plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 9.0. This is due to insufficient sanitization of the template name parameter in the `lae_get_template_part()` function, which uses an inadequate `str_replace()` approach...

Published: Apr 16, 2026
Source: NVD
CVE-2026-1572 MEDIUM - 6.4

The Livemesh Addons for Elementor plugin for WordPress is vulnerable to unauthorized modification of data and Stored Cross-Site Scripting via plugin settings in all versions up to, and including, 9.0. This is due to missing authorization checks on the AJAX handler `lae_admin_ajax()` and insufficient...

Published: Apr 16, 2026
Source: NVD
CVE-2025-13364 MEDIUM - 6.4

The WP Maps – Store Locator,Google Maps,OpenStreetMap,Mapbox,Listing,Directory & Filters plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'put_wpgm' shortcode in all versions up to, and including, 4.8.7. This is due to insufficient input sanitization and output...

Vendor: flippercode
Product: WP Maps – Store Locator,Google Maps,OpenStreetMap,Mapbox,Listing,Directory & Filters
Published: Apr 16, 2026
Source: NVD
CVE-2026-5050 HIGH - 7.5

The Payment Gateway for Redsys & WooCommerce Lite plugin for WordPress is vulnerable to Improper Verification of Cryptographic Signature in versions up to, and including, 7.0.0 due to successful_request() handlers calculating a local signature but not validating Ds_Signature from the request bef...

Published: Apr 16, 2026
Source: NVD
CVE-2026-3773 MEDIUM - 6.5

The Accessibility Suite by Ability, Inc plugin for WordPress is vulnerable to SQL Injection via the 'scan_id' parameter in all versions up to, and including, 4.20. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL que...

Published: Apr 16, 2026
Source: NVD
CVE-2026-3614 HIGH - 8.8

The AcyMailing plugin for WordPress is vulnerable to privilege escalation in all versions From 9.11.0 up to, and including, 10.8.1 due to a missing capability check on the `wp_ajax_acymailing_router` AJAX handler. This makes it possible for authenticated attackers, with Subscriber-level access and a...

Published: Apr 16, 2026
Source: NVD
CVE-2026-3599 HIGH - 7.5

The Riaxe Product Customizer plugin for WordPress is vulnerable to SQL Injection via the 'options' parameter keys within 'product_data' of the /wp-json/InkXEProductDesignerLite/add-item-to-cart REST API endpoint in all versions up to, and including, 2.1.2. This is due to insuffic...

Published: Apr 16, 2026
Source: NVD
CVE-2026-3596 CRITICAL - 9.8

The Riaxe Product Customizer plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 2.1.2. The plugin registers an unauthenticated AJAX action ('wp_ajax_nopriv_install-imprint') that maps to the ink_pd_add_option() function. This function reads �...

Published: Apr 16, 2026
Source: NVD
CVE-2026-3595 MEDIUM - 5.3

The Riaxe Product Customizer plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.1.2. This is due to the plugin registering a REST API route at POST /wp-json/InkXEProductDesignerLite/customer/delete_customer without a permission_callback, causing WordPr...

Published: Apr 16, 2026
Source: NVD
CVE-2026-3581 MEDIUM - 5.3

The Basic Google Maps Placemarks plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 1.10.7. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to modify stored...

Published: Apr 16, 2026
Source: NVD
CVE-2026-3551 MEDIUM - 4.4

The Custom New User Notification plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's admin settings in all versions up to, and including, 1.2.0. This is due to insufficient input sanitization and output escaping on multiple settings fields including 'User Mai...

Published: Apr 16, 2026
Source: NVD
CVE-2026-22619 HIGH - 7.8

Eaton Intelligent Power Protector (IPP) is affected by insecure library loading in its executable, which could lead to arbitrary code execution by an attacker with access to the software package. This security issue has been fixed in the latest version of Eaton IPP software which is available on the...

Vendor: Eaton
Product: IPP software
Published: Apr 16, 2026
Source: NVD
CVE-2026-22618 MEDIUM - 5.9

A security misconfiguration was identified in Eaton Intelligent Power Protector (IPP), where an HTTP response header was set with an insecure attribute, potentially exposing users to web‑based attacks. This security issue has been fixed in the latest version of Eaton IPP software which is available ...

Vendor: Eaton
Product: IPP software
Published: Apr 16, 2026
Source: NVD
CVE-2026-22617 MEDIUM - 5.7

Eaton Intelligent Power Protector (IPP) uses an insecure cookie configuration, which could allow a network‑based attacker to intercept the cookie and exploit it through a man‑in‑the‑middle attack. This security issue has been fixed in the latest version of Eaton IPP software which is available on th...

Vendor: Eaton
Product: IPP Software
Published: Apr 16, 2026
Source: NVD