Total CVEs

145,743

Critical Severity

4,268

High Severity

15,733

Last 7 Days

2,313
Quick preset (or use dates below)
Clear Filters
๐Ÿ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years โ†’
Showing 24,401 - 24,420 of 42,148 CVEs
CVE-2026-33273 MEDIUM - 4.7

Unrestricted upload of file with dangerous type issue exists in MATCHA INVOICE 2.6.6 and earlier. If this vulnerability is exploited, an arbitrary file may be created by an administrator of the product. As a result, arbitrary code may be executed on the server.

Vendor: ICZ Corporation
Product: MATCHA INVOICE
Published: Apr 08, 2026
Source: NVD
CVE-2026-27787 MEDIUM - 5.4

Cross-site scripting vulnerability exists in MATCHA SNS 1.3.9 and earlier. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who accessed the website using the product.

Vendor: ICZ Corporation
Product: MATCHA SNS
Published: Apr 08, 2026
Source: NVD
CVE-2026-24913 HIGH - 8.8

SQL Injection vulnerability exists in MATCHA INVOICE 2.6.6 and earlier. If this vulnerability is exploited, information stored in the database may be obtained or altered by a user who can log in to the product.

Vendor: ICZ Corporation
Product: MATCHA INVOICE
Published: Apr 08, 2026
Source: NVD
CVE-2026-4785 MEDIUM - 6.4

The LatePoint โ€“ Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'button_caption' parameter in the [latepoint_resources] shortcode in versions up to and including 5.3.0. This is due to insufficient output escaping...

Published: Apr 08, 2026
Source: NVD
CVE-2026-4341 MEDIUM - 6.4

The Prime Slider โ€“ Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'follow_us_text' setting of the Mount widget in all versions up to, and including, 4.1.10. This is due to insufficient input sanitization and output escaping. Specifically, the...

Published: Apr 08, 2026
Source: NVD
CVE-2026-4333 MEDIUM - 6.4

The LearnPress โ€“ WordPress LMS Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'skin' attribute of the learn_press_courses shortcode in all versions up to and including 4.3.3. This is due to insufficient input sanitization and output escaping on the 's...

Published: Apr 08, 2026
Source: NVD
CVE-2026-4299 MEDIUM - 5.3

The MainWP Child Reports plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 2.2.6. This is due to a missing capability check in the heartbeat_received() function in the Live_Update class. This makes it possible for authenticated attackers, with Subscriber...

Published: Apr 08, 2026
Source: NVD
CVE-2026-4003 CRITICAL - 9.8

The Users manager โ€“ PN plugin for WordPress is vulnerable to Privilege Escalation via Arbitrary User Meta Update in all versions up to and including 1.1.15. This is due to a flawed authorization logic check in the userspn_ajax_nopriv_server() function within the 'userspn_form_save' case. T...

Published: Apr 08, 2026
Source: NVD
CVE-2026-3646 MEDIUM - 5.3

The LTL Freight Quotes โ€“ R+L Carriers Edition plugin for WordPress is vulnerable to Missing Authorization via the plugin's webhook handler in all versions up to, and including, 3.3.13. This is due to missing authentication, authorization, and nonce verification on a standalone PHP file that dir...

Published: Apr 08, 2026
Source: NVD
CVE-2026-3600 MEDIUM - 6.4

The Investi plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'investi-announcements-accordion' shortcode's 'maximum-num-years' attribute in all versions up to, and including, 1.0.26. This is due to insufficient input sanitization and output escaping ...

Published: Apr 08, 2026
Source: NVD
CVE-2026-3513 MEDIUM - 6.4

The TableOn โ€“ WordPress Posts Table Filterable plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'tableon_button' shortcode in all versions up to and including 1.0.4.4. This is due to insufficient input sanitization and output escaping on user-supplied shortcode att...

Published: Apr 08, 2026
Source: NVD
CVE-2026-3239 MEDIUM - 6.4

The Strong Testimonials plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's testimonial_view shortcode in all versions up to, and including, 3.2.21 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for a...

Published: Apr 08, 2026
Source: NVD
CVE-2026-4379 MEDIUM - 6.4

The LightPress Lightbox plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `group` attribute in the `[gallery]` shortcode in all versions up to, and including, 2.3.4. This is due to the plugin modifying gallery shortcode output to include the `group` attribute value without pr...

Published: Apr 08, 2026
Source: NVD
CVE-2026-2988 MEDIUM - 6.4

The Blubrry PowerPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'powerpress' and 'podcast' shortcodes in versions up to, and including, 11.15.15 due to insufficient input sanitization and output escaping. This makes it possible for authenticated a...

Published: Apr 08, 2026
Source: NVD
CVE-2026-5726 HIGH - 7.8

ASDA-Soft Stack-based Buffer Overflow Vulnerability

Vendor: deltaww
Product: asda_soft
Published: Apr 08, 2026
Source: NVD
CVE-2026-1163 MEDIUM - 4.1

An insufficient session expiration vulnerability exists in the latest version of parisneo/lollms. The application fails to invalidate active sessions after a password reset, allowing an attacker to continue using an old session token. This issue arises due to the absence of logic to reject requests ...

Vendor: pip
Product: lollms
Published: Apr 08, 2026
Source: NVD
CVE-2026-3499 HIGH - 8.8

The Product Feed PRO for WooCommerce by AdTribes โ€“ Product Feeds for WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions 13.4.6 through 13.5.2.1. This is due to missing or incorrect nonce validation on the ajax_migrate_to_custom_post_type, ajax_adt_clear_custom_a...

Published: Apr 08, 2026
Source: NVD
CVE-2026-3296 CRITICAL - 9.8

The Everest Forms plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.4.3 via deserialization of untrusted input from form entry metadata. This is due to the html-admin-page-entries-view.php file calling PHP's native unserialize() on stored entry m...

Published: Apr 08, 2026
Source: NVD
CVE-2026-33810 HIGH - 7.5

When verifying a certificate chain containing excluded DNS constraints, these constraints are not correctly applied to wildcard DNS SANs which use a different case than the constraint. This only affects validation of otherwise trusted certificate chains, issued by a root CA in the VerifyOptions.Root...

Vendor: Go standard library
Product: crypto/x509
Published: Apr 08, 2026
Source: NVD
CVE-2026-32289 MEDIUM - 6.1

Context was not properly tracked across template branches for JS template literals, leading to possibly incorrect escaping of content when branches were used. Additionally template actions within JS template literals did not properly track the brace depth, leading to incorrect escaping being applied...

Vendor: Go standard library
Product: html/template
Published: Apr 08, 2026
Source: NVD