Total CVEs

144,202

Critical Severity

4,148

High Severity

14,963

Last 7 Days

1,665
Quick preset (or use dates below)
Clear Filters
📅 Showing Year: 2026 (January 1 - December 31, 2026) View All Years →
Showing 2,401 - 2,420 of 40,607 CVEs
CVE-2026-45045 MEDIUM - 5.3

Fiber is an Express inspired web framework written in Go. Prior to 3.3.0 and 2.52.14, the BalancerForward proxy helper in middleware/proxy/proxy.go uses Header.Add() instead of Header.Set() when injecting X-Real-IP, allowing an attacker-supplied first X-Real-IP value to be forwarded to upstream serv...

Vendor: go
Product: github.com/gofiber/fiber/v3
Published: Jul 02, 2026
Source: GitHub
CVE-2026-44332 MEDIUM - 5.3

Fiber is an Express inspired web framework written in Go. Prior to 3.3.0, the default Authorizer function in the BasicAuth middleware in middleware/basicauth/config.go uses short-circuit evaluation that skips password hash comparison for non-existent usernames, enabling reliable remote username enum...

Vendor: go
Product: github.com/gofiber/fiber/v3
Published: Jul 02, 2026
Source: GitHub
CVE-2026-5524 CRITICAL - 9.8

The Divi Form Builder plugin for WordPress is vulnerable to Arbitrary File Upload leading to Remote Code Execution in all versions up to and including 5.1.8. This is due to insufficient file extension validation in the do_image_upload() function where user-supplied input from the acceptFileTypes POS...

Published: Jul 02, 2026
Source: NVD
CVE-2026-58653 MEDIUM - 4.3

PraisonAI before 0.1.7 fails to validate that project_id in issue create and update request bodies belongs to the URL workspace. An attacker can create issues referencing projects from other workspaces, causing cross-tenant data pollution in project statistics aggregation without workspace constrain...

Vendor: PraisonAI
Product: PraisonAI
Published: Jul 02, 2026
Source: NVD
CVE-2026-58652 HIGH - 7.5

luci-app-travelmate (and the travelmate package) contain a privilege-escalation flaw: a LuCI/rpcd session holding the luci-app-travelmate write ACL is granted config-wide UCI write access to the travelmate configuration. While the LuCI UI restricts the auto-login script picker to /etc/travelmate/*.l...

Vendor: openwrt
Product: luci-app-travelmate, travelmate
Published: Jul 02, 2026
Source: NVD
CVE-2026-4772 MEDIUM - 5.4

Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in TR7 Cyber ​​Defense Inc. WAF-ASP allows Stored XSS. This issue affects WAF-ASP: from v1.0.324.900 before v1.4.0.117.

Published: Jul 02, 2026
Source: NVD
CVE-2026-4770 MEDIUM - 4.6

Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in TR7 Cyber ​​Defense Inc. Web Application Firewall allows DOM-Based XSS. This issue affects Web Application Firewall: from v1.0.42.239 before v1.4.0.117.

Published: Jul 02, 2026
Source: NVD
CVE-2026-57766 HIGH - 8.8

Unauthenticated Cross Site Request Forgery (CSRF) in WPIDE – File Manager & Code Editor <= 3.5.6 versions.

Vendor: XplodedThemes
Product: WPIDE – File Manager & Code Editor
Published: Jul 02, 2026
Source: NVD
CVE-2026-57765 HIGH - 8.5

Contributor SQL Injection in WP EasyCart <= 5.9.0 versions.

Vendor: Levelfourdevelopment
Product: WP EasyCart
Published: Jul 02, 2026
Source: NVD
CVE-2026-57764 MEDIUM - 6.5

Contributor Cross Site Scripting (XSS) in Surbma | Yoast SEO Breadcrumb Shortcode <= 1.2 versions.

Vendor: Surbma
Product: Surbma | Yoast SEO Breadcrumb Shortcode
Published: Jul 02, 2026
Source: NVD
CVE-2026-57763 MEDIUM - 6.5

Contributor Cross Site Scripting (XSS) in Structured Content <= 1.7.0 versions.

Vendor: Gordon Böhme
Product: Structured Content
Published: Jul 02, 2026
Source: NVD
CVE-2026-57762 MEDIUM - 5.9

Author Cross Site Scripting (XSS) in Simple URLs <= 151 versions.

Vendor: Andrew Fiebert
Product: Simple URLs
Published: Jul 02, 2026
Source: NVD
CVE-2026-57761 HIGH - 7.1

Unauthenticated Cross Site Request Forgery (CSRF) in SEOWP <= 3.12.2 versions.

Vendor: BlueAstralThemes
Product: SEOWP
Published: Jul 02, 2026
Source: NVD
CVE-2026-57760 MEDIUM - 5.3

Missing Authorization vulnerability in Sendcloud Sendcloud Shipping allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Sendcloud Shipping: from n/a through 1.0.29.

Vendor: Sendcloud
Product: Sendcloud Shipping
Published: Jul 02, 2026
Source: NVD
CVE-2026-57759 HIGH - 8.8

Unauthenticated Cross Site Request Forgery (CSRF) in ProfileGrid <= 5.9.9.7 versions.

Vendor: Metagauss
Product: ProfileGrid
Published: Jul 02, 2026
Source: NVD
CVE-2026-57758 HIGH - 7.1

Unauthenticated Cross Site Request Forgery (CSRF) in Permalink Manager for WooCommerce <= 1.0.8.2 versions.

Vendor: BeRocket
Product: Permalink Manager for WooCommerce
Published: Jul 02, 2026
Source: NVD
CVE-2026-57757 HIGH - 7.1

Unauthenticated Cross Site Request Forgery (CSRF) in pCloud WP Backup <= 2.0.2 versions.

Vendor: ploudapp
Product: pCloud WP Backup
Published: Jul 02, 2026
Source: NVD
CVE-2026-57756 HIGH - 8.5

Contributor SQL Injection in nicen-localize-image <= 1.4.9 versions.

Vendor: 友人a丶
Product: nicen-localize-image
Published: Jul 02, 2026
Source: NVD
CVE-2026-57755 MEDIUM - 6.5

Contributor Cross Site Scripting (XSS) in Mosaic Gallery &#8211; Advanced Gallery <= 1.2.0 versions.

Vendor: Misbah WP
Product: Mosaic Gallery &#8211; Advanced Gallery
Published: Jul 02, 2026
Source: NVD
CVE-2026-57754 MEDIUM - 6.5

Contributor Cross Site Scripting (XSS) in Livemesh Addons for WPBakery Page Builder <= 3.9.4 versions.

Vendor: Livemesh
Product: Livemesh Addons for WPBakery Page Builder
Published: Jul 02, 2026
Source: NVD