Total CVEs

144,218

Critical Severity

4,148

High Severity

14,965

Last 7 Days

1,642
Quick preset (or use dates below)
Clear Filters
๐Ÿ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years โ†’
Showing 21,901 - 21,920 of 40,623 CVEs
CVE-2026-23900 MEDIUM - 6.5

Various stored XSS vulnerabilities in the maps- and icon rendering logic in Phoca Maps component 5.0.0-6.0.2 have been discovered.

Vendor: phoca.cz
Product: phoca.cz - Phoca Maps for Joomla
Published: Apr 11, 2026
Source: NVD
CVE-2026-5809 HIGH - 7.1

The wpForo Forum plugin for WordPress is vulnerable to Arbitrary File Deletion in versions up to and including 3.0.2. This is due to a two-step logic flaw: the topic_add() and topic_edit() action handlers accept arbitrary user-supplied data[*] arrays from $_REQUEST and store them as postmeta without...

Published: Apr 11, 2026
Source: NVD
CVE-2026-34621 CRITICAL - 9.6

Acrobat Reader versions 24.001.30356, 26.001.21367 and earlier are affected by an Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this i...

Vendor: Adobe
Product: Acrobat Reader
Published: Apr 11, 2026
Source: NVD
CVE-2026-5226 MEDIUM - 6.1

The Optimole โ€“ Optimize Images in Real Time plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via URL paths in versions up to, and including, 4.2.3 This is due to insufficient output escaping on user-supplied URL paths in the get_current_url() function, which are inserted into Jav...

Published: Apr 11, 2026
Source: NVD
CVE-2026-5217 HIGH - 7.2

The Optimole โ€“ Optimize Images | Convert WebP & AVIF | CDN & Lazy Load | Image Optimization plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 4.2.2. This is due to insufficient input sanitization and output escaping on the user-supplied &...

Published: Apr 11, 2026
Source: NVD
CVE-2026-5207 MEDIUM - 6.5

The LifterLMS plugin for WordPress is vulnerable to SQL Injection via the 'order' parameter in all versions up to, and including, 9.2.1. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible ...

Published: Apr 11, 2026
Source: NVD
CVE-2026-5144 HIGH - 8.8

The BuddyPress Groupblog plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.9.3. This is due to the group blog settings handler accepting the `groupblog-blogid`, `default-member`, and `groupblog-silent-add` parameters from user input without proper aut...

Published: Apr 11, 2026
Source: NVD
CVE-2026-4979 MEDIUM - 5.0

The UsersWP โ€“ Front-end login form, User Registration, User Profile & Members Directory plugin for WP plugin for WordPress is vulnerable to blind Server-Side Request Forgery in all versions up to, and including, 1.2.58. This is due to insufficient URL origin validation in the process_image_crop(...

Published: Apr 11, 2026
Source: NVD
CVE-2026-4895 MEDIUM - 6.4

The GreenShift - Animation and Page Builder Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 12.8.9 This is due to insufficient input sanitization and output escaping in the gspb_greenShift_block_script_assets() function. The function uses st...

Published: Apr 11, 2026
Source: NVD
CVE-2026-3498 MEDIUM - 6.4

The BlockArt Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'clientId' block attribute in all versions up to, and including, 2.2.15. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, wit...

Published: Apr 11, 2026
Source: NVD
CVE-2026-3371 MEDIUM - 4.3

The Tutor LMS โ€“ eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.9.7. This is due to missing authorization checks in the `save_course_content_order()` private method, which is called unconditionally by...

Published: Apr 11, 2026
Source: NVD
CVE-2026-3358 MEDIUM - 5.4

The Tutor LMS โ€“ eLearning and online course solution plugin for WordPress is vulnerable to unauthorized private course enrollment in all versions up to, and including, 3.9.7. This is due to missing post_status validation in the `enroll_now()` and `course_enrollment()` functions. Both enrollment endp...

Published: Apr 11, 2026
Source: NVD
CVE-2026-5496 HIGH - 7.8

Labcenter Electronics Proteus PDSPRJ File Parsing Type Confusion Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Labcenter Electronics Proteus. User interaction is required to exploit this vulnerability in that th...

Published: Apr 11, 2026
Source: NVD
CVE-2026-5495 HIGH - 7.8

Labcenter Electronics Proteus PDSPRJ File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Labcenter Electronics Proteus. User interaction is required to exploit this vulnerability in th...

Published: Apr 11, 2026
Source: NVD
CVE-2026-5494 HIGH - 7.8

Labcenter Electronics Proteus PDSPRJ File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Labcenter Electronics Proteus. User interaction is required to exploit this vulnerability in th...

Published: Apr 11, 2026
Source: NVD
CVE-2026-5493 HIGH - 7.8

Labcenter Electronics Proteus PDSPRJ File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Labcenter Electronics Proteus. User interaction is required to exploit this vulnerability in th...

Published: Apr 11, 2026
Source: NVD
CVE-2026-5059 CRITICAL - 9.8

aws-mcp-server AWS CLI Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of aws-mcp-server. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling ...

Published: Apr 11, 2026
Source: NVD
CVE-2026-5058 CRITICAL - 9.8

aws-mcp-server Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of aws-mcp-server. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of the a...

Published: Apr 11, 2026
Source: NVD
CVE-2026-5055 HIGH - 7.8

NoMachine Uncontrolled Search Path Element Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of NoMachine. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exp...

Vendor: nomachine
Product: nomachine
Published: Apr 11, 2026
Source: NVD
CVE-2026-5054 HIGH - 7.8

NoMachine External Control of File Path Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of NoMachine. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit...

Vendor: nomachine
Product: nomachine
Published: Apr 11, 2026
Source: NVD