Total CVEs

143,793

Critical Severity

4,093

High Severity

14,778

Last 7 Days

1,507
Quick preset (or use dates below)
Clear Filters
๐Ÿ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years โ†’
Showing 2,461 - 2,480 of 40,198 CVEs
CVE-2026-53905 HIGH - 7.1

MCO does not properly enforce authorization checks in the /customer/servlet/mco/webapi/admin-view-hierarchy/get-acl-tree-structure endpoint. An authenticated, low-privileged user can retrieve administrator access control structures without proper authorization checks. This may expose sensitive permi...

Vendor: MyComplianceOffice
Product: MCO
Published: Jul 01, 2026
Source: NVD
CVE-2026-53904 HIGH - 7.1

MCO is vulnerable to Account Denial of Service due to improper implementation of password reset functionality. Each password reset request invalidates previously set password as well as previously issued temporary passwords, furthermore, password resets are not limited in any way. An attacker who pr...

Vendor: MyComplianceOffice
Product: MCO
Published: Jul 01, 2026
Source: NVD
CVE-2026-53903 HIGH - 8.1

MCO is vulnerable to an Insecure Direct Object Reference (IDOR) vulnerability in the /customer/servlet/mco/webapi/trading-document/fetchPdfStatement endpoint. The application does not properly validate whether an authenticated user is authorized to access a requested document, allowing direct retrie...

Vendor: MyComplianceOffice
Product: MCO
Published: Jul 01, 2026
Source: NVD
CVE-2026-53902 MEDIUM - 6.5

MCO does not properly enforce authorization checks in the /customer/servlet/mco/webapi/profile-sections/group-membership endpoint. An authenticated user can modify their group membership without proper authorization checks, allowing privilege escalation. An attacker can add themselves to arbitrary g...

Vendor: MyComplianceOffice
Product: MCO
Published: Jul 01, 2026
Source: NVD
CVE-2026-14198 CRITICAL - 9.1

@fastify/middie versions 9.1.0 through 9.3.2 decode the encoded slash %2F inside path parameter values before matching middleware paths, while Fastify's underlying router preserves the encoding during route lookup. The two layers disagree on the canonical request path, so the middleware fails t...

Vendor: fastify
Product: fastify\/middie
Published: Jul 01, 2026
Source: NVD
CVE-2026-14181 HIGH - 7.5

@fastify/middie versions 9.1.0 through 9.3.2 fail to guard the URL normalization step used by the standalone engine when incoming request paths contain malformed percent-encoded sequences. Inputs such as an incomplete percent escape or a truncated multibyte sequence cause the underlying decoder to t...

Vendor: fastify
Product: fastify\/middie
Published: Jul 01, 2026
Source: NVD
CVE-2026-13323 MEDIUM - 4.1

In Open VSX Registry before 1.0.2, the /vscode/unpkg/ endpoint serves user-supplied HTML files with Content-Type: text/html and without a Content-Security-Policy or Content-Disposition: attachment response header. An unauthenticated attacker can register a publisher account, upload a VSIX containing...

Vendor: Eclipse Foundation
Product: Eclipse Open VSX
Published: Jul 01, 2026
Source: NVD
CVE-2026-14258 MEDIUM - 6.5

A flaw was found in dhcpcd's IPv6 Neighbor Discovery Router Advertisement processing. A specially crafted IPv6 Router Advertisement containing a zero-length Neighbor Discovery option can bypass validation during packet storage and later be reparsed without adequate validation, causing the parse...

Vendor: Red Hat
Product: Red Hat Enterprise Linux 10
Published: Jul 01, 2026
Source: NVD
CVE-2026-13228 HIGH - 8.8

The LatePoint โ€“ Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Privilege Escalation to Administrator in versions up to, and including, 5.6.3 This is due to an Insecure Direct Object Reference (IDOR) in the create_or_update() function of OsOrdersController, ...

Vendor: latepoint
Product: LatePoint โ€“ Calendar Booking Plugin for Appointments and Events
Published: Jul 01, 2026
Source: NVD
CVE-2026-12142 HIGH - 7.2

The NEX-Forms โ€“ Ultimate Forms Plugin for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via '_name[]' Array Parameter in all versions up to, and including, 9.2.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthentic...

Vendor: webaways
Product: NEX-Forms โ€“ Ultimate Forms Plugin for WordPress
Published: Jul 01, 2026
Source: NVD
CVE-2026-10095 MEDIUM - 6.4

The WP Photo Album Plus plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'subtext' parameter in all versions up to, and including, 9.1.13.005 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contri...

Vendor: opajaap
Product: WP Photo Album Plus
Published: Jul 01, 2026
Source: NVD
CVE-2026-27435 MEDIUM - 5.3

Missing Authorization vulnerability in WofficeIO Woffice allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Woffice: from n/a before 5.4.33.

Vendor: WofficeIO
Product: Woffice
Published: Jul 01, 2026
Source: NVD
CVE-2026-13454 MEDIUM - 6.5

The MotoPress Appointment Booking plugin for WordPress is vulnerable to generic SQL Injection via the 's' parameter in all versions up to, and including, 2.4.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This mak...

Vendor: jetmonsters
Product: MotoPress Appointment Booking
Published: Jul 01, 2026
Source: NVD
CVE-2026-12754 MEDIUM - 6.1

The VikBooking Hotel Booking Engine & PMS plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'layoutstyle' parameter in all versions up to, and including, 1.8.12 due to insufficient input sanitization and output escaping. This makes it possible for unauthentic...

Vendor: e4jvikwp
Product: VikBooking Hotel Booking Engine & PMS
Published: Jul 01, 2026
Source: NVD
CVE-2026-56016 MEDIUM - 5.9

CGI::Session::ID::md5 versions before 4.49 for Perl generate predictable session ids from low-entropy sources. The generate_id method builds the session id from a MD5 digest of the process id, the epoch time, and the built-in rand() function. All three are predictable, low-entropy sources: the PID ...

Vendor: MARKSTOS
Product: CGI::Session::ID::md5
Published: Jul 01, 2026
Source: NVD
CVE-2026-50043 HIGH - 7.2

Improper neutralization of special elements used in an OS command ('OS Command Injection') issue exists in SkyBridge MB-A100/MB-A110. If this vulnerability is exploited, an arbitrary OS command may be executed by an attacker who can log in to the product with an administrative privilege.

Vendor: Seiko Solutions Inc.
Product: SkyBridge MB-A100/MB-A110
Published: Jul 01, 2026
Source: NVD
CVE-2026-13733 MEDIUM - 6.4

The Download Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'no_data_msg' Shortcode Attribute in all versions up to, and including, 3.3.60 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with con...

Vendor: codename065
Product: Download Manager
Published: Jul 01, 2026
Source: NVD
CVE-2026-12732 MEDIUM - 6.4

The LearnPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'class_wrapper_form' shortcode attribute in versions up to, and including, 4.4.0. This is due to insufficient input sanitization and output escaping in the FilterCourseTemplate::sections() method at li...

Vendor: thimpress
Product: LearnPress โ€“ WordPress LMS Plugin for Create and Sell Online Courses
Published: Jul 01, 2026
Source: NVD

DVP80ES3 with Improperly Implemented Security Check for Standard vulnerability.

Vendor: deltaww
Product: DVP80ES3
Published: Jul 01, 2026
Source: NVD
CVE-2026-12576 HIGH - 7.5

DVP80ES3 with Improper Enforcement of Message Integrity During Transmission in a Communication Channel vulnerability.

Vendor: deltaww
Product: DVP80ES3
Published: Jul 01, 2026
Source: NVD