Total CVEs

143,835

Critical Severity

4,094

High Severity

14,788

Last 7 Days

1,470
Quick preset (or use dates below)
Clear Filters
Showing 2,121 - 2,140 of 143,835 CVEs
CVE-2026-27414 HIGH - 8.8

Contributor PHP Object Injection in Werkstatt <= 4.8.3 versions.

Vendor: Fuelthemes
Product: Werkstatt
Published: Jul 02, 2026
Source: NVD
CVE-2026-27412 HIGH - 8.1

Unauthenticated Local File Inclusion in Pearl - Corporate Business <= 3.4.10 versions.

Vendor: StylemixThemes
Product: Pearl - Corporate Business
Published: Jul 02, 2026
Source: NVD
CVE-2026-27408 HIGH - 7.1

Unauthenticated Cross Site Scripting (XSS) in NativeChurch <= 4.8.8.2 versions.

Vendor: imithemes
Product: NativeChurch
Published: Jul 02, 2026
Source: NVD
CVE-2026-27404 HIGH - 7.1

Unauthenticated Cross Site Scripting (XSS) in LMS <= 9.7 versions.

Vendor: Designthemes
Product: LMS
Published: Jul 02, 2026
Source: NVD
CVE-2026-27402 HIGH - 7.1

Unauthenticated Cross Site Scripting (XSS) in Kids Life | Children School WordPress <= 5.2 versions.

Vendor: Designthemes
Product: Kids Life | Children School WordPress
Published: Jul 02, 2026
Source: NVD
CVE-2026-27060 HIGH - 8.8

Contributor PHP Object Injection in ARMember Premium <= 7.0 versions.

Vendor: Reputeinfosystems
Product: ARMember Premium
Published: Jul 02, 2026
Source: NVD

u5CMS through v12.8.8 is vulnerable to reflected XSS via the ‘thanks’ parameter in multiple form components

Vendor: u5CMS
Product: u5CMS
Published: Jul 02, 2026
Source: NVD
CVE-2026-11946 HIGH - 7.5

An unauthenticated remote attacker can exhaust server memory via the GetEndpoints Discovery Service in open62541. The endpointUrl field of GetEndpointsRequest is not validated for length. An attacker can declare an arbitrarily large string (up to ~4.09 GB via the UInt32 length field) delivered acros...

Vendor: open62541 project / o6 Automation GmbH
Product: open62541
Published: Jul 02, 2026
Source: NVD
CVE-2025-69156 HIGH - 7.1

Unauthenticated Cross Site Scripting (XSS) in Kids Zone - Children WordPress Theme <= 5.4 versions.

Vendor: Design themes
Product: Kids Zone - Children WordPress Theme
Published: Jul 02, 2026
Source: NVD
CVE-2025-69155 HIGH - 7.1

Unauthenticated Cross Site Scripting (XSS) in Fitness Zone WordPress Theme <= 5.7 versions.

Vendor: Designthemes
Product: Fitness Zone WordPress Theme
Published: Jul 02, 2026
Source: NVD
CVE-2025-69154 HIGH - 7.1

Unauthenticated Cross Site Scripting (XSS) in SpaLab | Beauty Salon WordPress Theme <= 6.7 versions.

Vendor: designthemes
Product: SpaLab | Beauty Salon WordPress Theme
Published: Jul 02, 2026
Source: NVD
CVE-2025-69153 HIGH - 7.1

Unauthenticated Cross Site Scripting (XSS) in Trendy Travel <= 6.7 versions.

Vendor: designthemes
Product: Trendy Travel
Published: Jul 02, 2026
Source: NVD
CVE-2025-69152 HIGH - 7.1

Unauthenticated Cross Site Scripting (XSS) in Artale | Wedding Photography WordPress <= 2.2.2 versions.

Vendor: ThemeGoods
Product: Artale | Wedding Photography WordPress
Published: Jul 02, 2026
Source: NVD
CVE-2025-69134 HIGH - 7.5

Unauthenticated Arbitrary Content Deletion in OpenAI Chatbot for WordPress – Helper <= 1.1.4 versions.

Vendor: Merkulove
Product: OpenAI Chatbot for WordPress – Helper
Published: Jul 02, 2026
Source: NVD
CVE-2025-69133 HIGH - 7.5

Subscriber Local File Inclusion in Tourmaster <= 5.4.5 versions.

Vendor: GoodLayers
Product: Tourmaster
Published: Jul 02, 2026
Source: NVD
CVE-2025-69132 MEDIUM - 6.5

Subscriber Sensitive Data Exposure in Corpkit <= 1.0.5 versions.

Vendor: Zozothemes
Product: Corpkit
Published: Jul 02, 2026
Source: NVD
CVE-2025-69094 HIGH - 8.5

Subscriber SQL Injection in Unicamp <= 2.2.2 versions.

Vendor: ThemeMove
Product: Unicamp
Published: Jul 02, 2026
Source: NVD
CVE-2025-66076 MEDIUM - 5.3

Unauthenticated Broken Access Control in Woostify Sites Library <= 1.6.2 versions.

Vendor: dylan ngo
Product: Woostify Sites Library
Published: Jul 02, 2026
Source: NVD
CVE-2025-58902 HIGH - 8.1

Unauthenticated Local File Inclusion in Lighthouse <= 1.2.12 versions.

Vendor: AncoraThemes
Product: Lighthouse
Published: Jul 02, 2026
Source: NVD

In liboauth2 the Demonstrating Proof-of-Possession (DPoP) verifier accepts a proof whose JSON Web Key (jwk) header contains private key material. RFC 9449 section 4.3 step 7 requires the verifier to reject such a proof but oauth2_token_verify() function returns success for a malformed DPoP proof tha...

Vendor: OpenIDC
Product: liboauth2
Published: Jul 02, 2026
Source: NVD