Total CVEs

145,743

Critical Severity

4,268

High Severity

15,733

Last 7 Days

2,316
Quick preset (or use dates below)
Clear Filters
📅 Showing Year: 2026 (January 1 - December 31, 2026) View All Years →
Showing 24,361 - 24,380 of 42,148 CVEs

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WP Chill Download Monitor download-monitor allows Blind SQL Injection.This issue affects Download Monitor: from n/a through <= 5.1.8.

Vendor: WP Chill
Product: Download Monitor
Published: Apr 08, 2026
Source: NVD
CVE-2026-39485 MEDIUM - 4.3

Missing Authorization vulnerability in embedplus Youtube Embed Plus youtube-embed-plus allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Youtube Embed Plus: from n/a through <= 14.2.4.

Vendor: embedplus
Product: Youtube Embed Plus
Published: Apr 08, 2026
Source: NVD
CVE-2026-39484 MEDIUM - 4.7

URL Redirection to Untrusted Site ('Open Redirect') vulnerability in John Darrel Hide My WP Ghost hide-my-wp allows Phishing.This issue affects Hide My WP Ghost: from n/a through < 7.0.00.

Vendor: John Darrel
Product: Hide My WP Ghost
Published: Apr 08, 2026
Source: NVD
CVE-2026-39483 MEDIUM - 6.5

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Hidekazu Ishikawa VK All in One Expansion Unit vk-all-in-one-expansion-unit allows Stored XSS.This issue affects VK All in One Expansion Unit: from n/a through <= 9.113.3.

Vendor: Hidekazu Ishikawa
Product: VK All in One Expansion Unit
Published: Apr 08, 2026
Source: NVD
CVE-2026-39482 MEDIUM - 6.5

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PublishPress Post Expirator post-expirator allows DOM-Based XSS.This issue affects Post Expirator: from n/a through <= 4.9.4.

Vendor: PublishPress
Product: Post Expirator
Published: Apr 08, 2026
Source: NVD
CVE-2026-39479 HIGH - 7.6

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Brainstorm Force OttoKit suretriggers allows Blind SQL Injection.This issue affects OttoKit: from n/a through <= 1.1.20.

Vendor: Brainstorm Force
Product: OttoKit
Published: Apr 08, 2026
Source: NVD
CVE-2026-39477 MEDIUM - 4.3

Missing Authorization vulnerability in Brainstorm Force CartFlows cartflows allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects CartFlows: from n/a through <= 2.2.3.

Vendor: Brainstorm Force
Product: CartFlows
Published: Apr 08, 2026
Source: NVD
CVE-2026-39476 MEDIUM - 4.3

Missing Authorization vulnerability in Syed Balkhi User Feedback userfeedback-lite allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects User Feedback: from n/a through <= 1.10.1.

Vendor: Syed Balkhi
Product: User Feedback
Published: Apr 08, 2026
Source: NVD
CVE-2026-39475 HIGH - 8.5

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Syed Balkhi User Feedback userfeedback-lite allows Blind SQL Injection.This issue affects User Feedback: from n/a through <= 1.10.1.

Vendor: Syed Balkhi
Product: User Feedback
Published: Apr 08, 2026
Source: NVD
CVE-2026-39473 MEDIUM - 5.3

Insertion of Sensitive Information Into Sent Data vulnerability in Pär Thernström Simple History simple-history allows Retrieve Embedded Sensitive Data.This issue affects Simple History: from n/a through <= 5.24.0.

Vendor: Pär Thernström
Product: Simple History
Published: Apr 08, 2026
Source: NVD
CVE-2026-39469 MEDIUM - 4.3

Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Softaculous PageLayer pagelayer allows Retrieve Embedded Sensitive Data.This issue affects PageLayer: from n/a through <= 2.0.8.

Vendor: Softaculous
Product: PageLayer
Published: Apr 08, 2026
Source: NVD
CVE-2026-39466 HIGH - 7.6

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WPMU DEV - Your All-in-One WordPress Platform Broken Link Checker broken-link-checker allows Blind SQL Injection.This issue affects Broken Link Checker: from n/a through <= 2.4.7.

Vendor: WPMU DEV - Your All-in-One WordPress Platform
Product: Broken Link Checker
Published: Apr 08, 2026
Source: NVD
CVE-2026-39464 MEDIUM - 5.5

Server-Side Request Forgery (SSRF) vulnerability in SeedProd Coming Soon Page, Under Construction & Maintenance Mode by SeedProd coming-soon allows Server Side Request Forgery.This issue affects Coming Soon Page, Under Construction & Maintenance Mode by SeedProd: from n/a through <= 6.19....

Vendor: SeedProd
Product: Coming Soon Page, Under Construction & Maintenance Mode by SeedProd
Published: Apr 08, 2026
Source: NVD
CVE-2026-33088 HIGH - 7.3

Movable Type provided by Six Apart Ltd. contains an SQL Injection vulnerability which may allow an attacker to execute an arbitrary SQL statement.

Vendor: Six Apart Ltd.
Product: Movable Type, Movable Type Advanced, Movable Type Premium, Movable Type Premium Advanced Edition, Movable Type Premium (MT8-based)
Published: Apr 08, 2026
Source: NVD
CVE-2026-25776 CRITICAL - 9.8

Movable Type provided by Six Apart Ltd. contains a code injection vulnerability which may allow an attacker to execute arbitrary Perl script.

Vendor: Six Apart Ltd.
Product: Movable Type, Movable Type Advanced, Movable Type Premium, Movable Type Premium Advanced Edition, Movable Type Premium (MT8-based)
Published: Apr 08, 2026
Source: NVD
CVE-2026-1396 MEDIUM - 6.4

The Magic Conversation For Gravity Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'magic-conversation' shortcode in all versions up to, and including, 3.0.97 due to insufficient input sanitization and output escaping on user supplied attributes. This makes ...

Published: Apr 08, 2026
Source: NVD
CVE-2026-4655 MEDIUM - 6.4

The Element Pack Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the SVG Image Widget in versions up to and including 8.4.2. This is due to insufficient input sanitization and output escaping on SVG content fetched from remote URLs in the render_svg() funct...

Published: Apr 08, 2026
Source: NVD
CVE-2026-4654 MEDIUM - 5.3

The Awesome Support – WordPress HelpDesk & Support Plugin plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 6.3.7. This is due to the wpas_get_ticket_replies_ajax() function failing to verify whether the authenticated user has permission to ...

Published: Apr 08, 2026
Source: NVD

An exposed IOCTL with an  insufficient access control vulnerability has been identified in the utility, MxGeneralIo, for Moxa’s industrial x86 computers. The affected utility, MxGeneralIo, exposes IOCTL methods that permit direct read and write access to MSR and system memory. A local attacker with ...

Published: Apr 08, 2026
Source: NVD
CVE-2026-4330 MEDIUM - 4.3

The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress is vulnerable to authorization bypass through user-controlled key in all versions up to, and including, 8.8.3. This is due to the plugin's AJAX handlers failing to validate that the user-supplied 'b2s_id' par...

Published: Apr 08, 2026
Source: NVD