Total CVEs

145,923

Critical Severity

4,293

High Severity

15,785

Last 7 Days

2,200
Quick preset (or use dates below)
Clear Filters
๐Ÿ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years โ†’
Showing 23,841 - 23,860 of 42,328 CVEs
CVE-2026-5997 CRITICAL - 9.8

A vulnerability was detected in Totolink A7100RU 7.4cu.2313_b20191024. The impacted element is the function setLoginPasswordCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. The manipulation of the argument admpass results in os command injection. It is possible to launch the attack...

Published: Apr 10, 2026
Source: NVD
CVE-2026-5996 CRITICAL - 9.8

A security vulnerability has been detected in Totolink A7100RU 7.4cu.2313_b20191024. The affected element is the function setAdvancedInfoShow of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. The manipulation of the argument tty_server leads to os command injection. It is possible to in...

Published: Apr 10, 2026
Source: NVD
CVE-2026-4977 MEDIUM - 4.3

The UsersWP โ€“ Front-end login form, User Registration, User Profile & Members Directory plugin for WordPress is vulnerable to Improper Access Control in all versions up to, and including, 1.2.58 This is due to insufficient field-level permission validation in the upload_file_remove() AJAX handle...

Published: Apr 10, 2026
Source: NVD
CVE-2026-4664 MEDIUM - 5.3

The Customer Reviews for WooCommerce plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 5.103.0. This is due to the `create_review_permissions_check()` function comparing the user-supplied `key` parameter against the order's `ivole_secret_key` meta...

Published: Apr 10, 2026
Source: NVD
CVE-2026-4351 HIGH - 8.1

The Perfmatters plugin for WordPress is vulnerable to arbitrary file overwrite via path traversal in all versions up to, and including, 2.5.9. This is due to the `PMCS::action_handler()` method processing the bulk action `activate`/`deactivate` handlers without any authorization check or nonce verif...

Published: Apr 10, 2026
Source: NVD
CVE-2026-4305 MEDIUM - 6.1

The Royal WordPress Backup & Restore Plugin plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'wpr_pending_template' parameter in all versions up to, and including, 1.0.16 due to insufficient input validation. This makes it possible for unauthenticated attack...

Published: Apr 10, 2026
Source: NVD
CVE-2026-4057 MEDIUM - 4.3

The Download Manager plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `makeMediaPublic()` and `makeMediaPrivate()` functions in all versions up to, and including, 3.3.51. This is due to the functions only checking for `edit_posts` capab...

Published: Apr 10, 2026
Source: NVD
CVE-2026-3360 HIGH - 7.5

The Tutor LMS โ€“ eLearning and online course solution plugin for WordPress is vulnerable to an Insecure Direct Object Reference in all versions up to, and including, 3.9.7. This is due to missing authentication and authorization checks in the `pay_incomplete_order()` function. The function accepts an...

Published: Apr 10, 2026
Source: NVD
CVE-2026-2712 MEDIUM - 5.4

The WP-Optimize plugin for WordPress is vulnerable to unauthorized access of functionality due to missing capability checks in the `receive_heartbeat()` function in `includes/class-wp-optimize-heartbeat.php` in all versions up to, and including, 4.5.0. This is due to the Heartbeat handler directly i...

Published: Apr 10, 2026
Source: NVD
CVE-2026-25203 HIGH - 7.8

Samsung MagicINFO 9 Server Incorrect Default Permissions Local Privilege Escalation Vulnerability This issue affects MagicINFO 9 Server: less than 21.1091.1.

Vendor: Samsung Electronics
Product: MagicINFO 9 Server
Published: Apr 10, 2026
Source: NVD
CVE-2026-1924 MEDIUM - 4.3

The Aruba HiSpeed Cache plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.0.4. This is due to missing nonce verification on the `ahsc_ajax_reset_options()` function. This makes it possible for unauthenticated attackers to reset all plugin settin...

Published: Apr 10, 2026
Source: NVD
CVE-2026-1263 MEDIUM - 6.4

The Webling plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 3.9.0 due to insufficient input sanitization, insufficient output escaping, and missing capabilities checks in the 'webling_admin_save_form' and 'webling_admin_save_memb...

Published: Apr 10, 2026
Source: NVD
CVE-2026-5995 CRITICAL - 9.8

A weakness has been identified in Totolink A7100RU 7.4cu.2313_b20191024. Impacted is the function setMiniuiHomeInfoShow of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Executing a manipulation of the argument lan_info can lead to os command injection. The attack may be performed from ...

Published: Apr 10, 2026
Source: NVD
CVE-2026-5994 CRITICAL - 9.8

A security flaw has been discovered in Totolink A7100RU 7.4cu.2313_b20191024. This issue affects the function setTelnetCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Performing a manipulation of the argument telnet_enabled results in os command injection. The attack is possible t...

Published: Apr 10, 2026
Source: NVD
CVE-2026-5993 CRITICAL - 9.8

A vulnerability was identified in Totolink A7100RU 7.4cu.2313_b20191024. This vulnerability affects the function setWiFiGuestCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Such manipulation of the argument wifiOff leads to os command injection. The attack can be executed remotely...

Published: Apr 10, 2026
Source: NVD
CVE-2026-5992 HIGH - 8.8

A vulnerability was determined in Tenda F451 1.0.0.7. This affects the function fromP2pListFilter of the file /goform/P2pListFilter. This manipulation of the argument page causes stack-based buffer overflow. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and m...

Published: Apr 10, 2026
Source: NVD
CVE-2026-5991 HIGH - 8.8

A vulnerability was found in Tenda F451 1.0.0.7. Affected by this issue is the function formWrlExtraSet of the file /goform/WrlExtraSet. The manipulation of the argument GO results in stack-based buffer overflow. The attack may be launched remotely. The exploit has been made public and could be used...

Published: Apr 10, 2026
Source: NVD
CVE-2026-5990 HIGH - 8.8

A vulnerability has been found in Tenda F451 1.0.0.7. Affected by this vulnerability is the function fromSafeEmailFilter of the file /goform/SafeEmailFilter. The manipulation of the argument page leads to stack-based buffer overflow. The attack may be initiated remotely. The exploit has been disclos...

Published: Apr 10, 2026
Source: NVD
CVE-2026-5989 HIGH - 8.8

A flaw has been found in Tenda F451 1.0.0.7. Affected is the function fromRouteStatic of the file /goform/RouteStatic. Executing a manipulation of the argument page can lead to stack-based buffer overflow. The attack can be launched remotely. The exploit has been published and may be used.

Published: Apr 10, 2026
Source: NVD

A heap use-after-free exists in wolfSSL's TLS 1.3 post-quantum cryptography (PQC) hybrid KeyShare processing. In the error handling path of TLSX_KeyShare_ProcessPqcHybridClient() in src/tls.c, the inner function TLSX_KeyShare_ProcessPqcClient_ex() frees a KyberKey object upon encountering an er...

Published: Apr 10, 2026
Source: NVD