Total CVEs

145,521

Critical Severity

4,252

High Severity

15,657

Last 7 Days

2,313
Quick preset (or use dates below)
Clear Filters
๐Ÿ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years โ†’
Showing 23,701 - 23,720 of 41,926 CVEs
CVE-2026-1830 CRITICAL - 9.8

The Quick Playground plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.3.1. This is due to insufficient authorization checks on REST API endpoints that expose a sync code and allow arbitrary file uploads. This makes it possible for unauthenticated at...

Published: Apr 09, 2026
Source: NVD
CVE-2026-5837 HIGH - 7.3

A vulnerability was found in PHPGurukul News Portal Project 4.1. This affects an unknown part of the file /news-details.php. The manipulation of the argument Comment results in sql injection. The attack can be launched remotely. The exploit has been made public and could be used.

Published: Apr 09, 2026
Source: NVD
CVE-2026-5836 LOW - 2.4

A vulnerability has been found in code-projects Online Shoe Store 1.0. Affected by this issue is some unknown functionality of the file /admin/admin_product.php. The manipulation of the argument product_name leads to cross site scripting. The attack can be initiated remotely. The exploit has been di...

Published: Apr 09, 2026
Source: NVD
CVE-2026-5835 LOW - 2.4

A flaw has been found in code-projects Online Shoe Store 1.0. Affected by this vulnerability is an unknown functionality of the file /admin/admin_football.php. Executing a manipulation of the argument product_name can lead to cross site scripting. It is possible to launch the attack remotely. The ex...

Published: Apr 09, 2026
Source: NVD
CVE-2026-5834 LOW - 2.4

A vulnerability was detected in code-projects Online Shoe Store 1.0. Affected is an unknown function of the file /admin/admin_running.php. Performing a manipulation of the argument product_name results in cross site scripting. It is possible to initiate the attack remotely. The exploit is now public...

Published: Apr 09, 2026
Source: NVD
CVE-2026-5833 MEDIUM - 5.3

A security vulnerability has been detected in awwaiid mcp-server-taskwarrior up to 1.0.1. This impacts the function server.setRequestHandler of the file index.ts. Such manipulation of the argument Identifier leads to command injection. The attack must be carried out locally. The exploit has been dis...

Published: Apr 09, 2026
Source: NVD
CVE-2026-5357 MEDIUM - 6.4

The Download Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'sid' parameter of the 'wpdm_members' shortcode in versions up to and including 3.3.52. This is due to insufficient input sanitization and output escaping on the user-supplied 'sid...

Published: Apr 09, 2026
Source: NVD
CVE-2026-4429 MEDIUM - 6.4

The OSM โ€“ OpenStreetMap plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'marker_name' and 'file_color_list' shortcode attribute of the [osm_map_v3] shortcode in all versions up to and including 6.1.15. This is due to insufficient input sanitization and o...

Published: Apr 09, 2026
Source: NVD
CVE-2026-4124 MEDIUM - 5.4

The Ziggeo plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.1.1. The wp_ajax_ziggeo_ajax handler only verifies a nonce (check_ajax_referer) but performs no capability checks via current_user_can(). Furthermore, the nonce ('ziggeo_ajax_nonce�...

Published: Apr 09, 2026
Source: NVD
CVE-2026-3574 MEDIUM - 4.4

The Experto Dashboard for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's settings fields (including 'Navigation Font Size', 'Navigation Font Weight', 'Heading Font Size', 'Heading Font Weight', 'Text Fo...

Published: Apr 09, 2026
Source: NVD
CVE-2026-3568 MEDIUM - 4.3

The MStore API plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.18.3. This is due to the update_user_profile() function in controllers/flutter-user.php processing the 'meta_data' JSON parameter without any allowlist, blocklist,...

Published: Apr 09, 2026
Source: NVD
CVE-2026-5832 HIGH - 7.3

A weakness has been identified in atototo api-lab-mcp up to 0.2.1. This affects the function analyze_api_spec/generate_test_scenarios/test_http_endpoint of the file src/mcp/http-server.ts of the component HTTP Interface. This manipulation of the argument source/url causes server-side request forgery...

Published: Apr 09, 2026
Source: NVD
CVE-2026-5831 MEDIUM - 6.3

A security flaw has been discovered in Agions taskflow-ai up to 2.1.8. This impacts an unknown function of the file src/mcp/server/handlers.ts of the component terminal_execute. Performing a manipulation results in os command injection. The attack is possible to be carried out remotely. Upgrading to...

Published: Apr 09, 2026
Source: NVD
CVE-2026-5830 HIGH - 8.8

A vulnerability was identified in Tenda AC15 15.03.05.18. This affects the function websGetVar of the file /goform/SysToolChangePwd. Such manipulation of the argument oldPwd/newPwd/cfmPwd leads to stack-based buffer overflow. The attack can be executed remotely. The exploit is publicly available and...

Published: Apr 09, 2026
Source: NVD
CVE-2026-5829 HIGH - 7.3

A vulnerability was determined in code-projects Simple IT Discussion Forum 1.0. The impacted element is an unknown function of the file /pages/content.php. This manipulation of the argument post_id causes sql injection. Remote exploitation of the attack is possible. The exploit has been publicly dis...

Published: Apr 09, 2026
Source: NVD
CVE-2026-5828 HIGH - 7.3

A vulnerability was found in code-projects Simple IT Discussion Forum 1.0. The affected element is an unknown function of the file /functions/addcomment.php. The manipulation of the argument postid results in sql injection. The attack may be launched remotely. The exploit has been made public and co...

Published: Apr 09, 2026
Source: NVD
CVE-2026-4326 HIGH - 8.8

The Vertex Addons for Elementor plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 1.6.4. This is due to improper authorization enforcement in the activate_required_plugins() function. Specifically, the current_user_can('install_plugins') capabi...

Published: Apr 09, 2026
Source: NVD
CVE-2026-5827 HIGH - 7.3

A vulnerability has been found in code-projects Simple IT Discussion Forum 1.0. Impacted is an unknown function of the file /question-function.php. The manipulation of the argument content leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and ...

Published: Apr 09, 2026
Source: NVD
CVE-2026-5826 MEDIUM - 4.3

A flaw has been found in code-projects Simple IT Discussion Forum 1.0. This issue affects some unknown processing of the file /edit-category.php. Executing a manipulation of the argument Category can lead to cross site scripting. The attack can be launched remotely. The exploit has been published an...

Published: Apr 09, 2026
Source: NVD
CVE-2026-5825 MEDIUM - 4.3

A vulnerability was detected in code-projects Simple Laundry System 1.0. This vulnerability affects unknown code of the file /delmemberinfo.php. Performing a manipulation of the argument userid results in cross site scripting. The attack can be initiated remotely. The exploit is now public and may b...

Published: Apr 09, 2026
Source: NVD