Total CVEs

143,835

Critical Severity

4,094

High Severity

14,788

Last 7 Days

1,441
Quick preset (or use dates below)
Clear Filters
πŸ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years β†’
Showing 2,521 - 2,540 of 40,240 CVEs

DVP80ES3 with Improperly Implemented Security Check for Standard vulnerability.

Vendor: deltaww
Product: DVP80ES3
Published: Jul 01, 2026
Source: NVD
CVE-2026-12576 HIGH - 7.5

DVP80ES3 with Improper Enforcement of Message Integrity During Transmission in a Communication Channel vulnerability.

Vendor: deltaww
Product: DVP80ES3
Published: Jul 01, 2026
Source: NVD
CVE-2026-12575 HIGH - 7.5

DVP80ES3 withΒ  Improper Resource Shutdown or Release vulnerability.

Vendor: deltaww
Product: DVP80ES3
Published: Jul 01, 2026
Source: NVD
CVE-2026-12435 MEDIUM - 4.3

The Motors – Car Dealership & Classified Listings Plugin plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.4.111. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authentic...

Vendor: stylemix
Product: Motors – Car Dealership & Classified Listings Plugin
Published: Jul 01, 2026
Source: NVD
CVE-2026-12408 MEDIUM - 4.3

The Slim SEO – A Fast & Automated SEO Plugin For WordPress plugin for WordPress is vulnerable to Unauthorized Private Content Disclosure in all versions up to, and including, 4.9.8 via the `/wp-json/slim-seo/meta-tags/ai` REST API endpoint. This is due to the endpoint's `permission_callback...

Vendor: rilwis
Product: Slim SEO – A Fast & Automated SEO Plugin For WordPress
Published: Jul 01, 2026
Source: NVD
CVE-2026-12224 HIGH - 8.8

The Dokan Pro plugin for WordPress is vulnerable to privilege escalation via update_capabilities REST Endpoint in all versions up to, and including, 5.0.4. This is due to the `update_capabilities()` REST handler accepting arbitrary capability strings from the request body and passing them directly ...

Vendor: wedevs
Product: Dokan Pro
Published: Jul 01, 2026
Source: NVD
CVE-2026-12158 HIGH - 8.8

The RegistrationMagic – User Registration Forms Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.0.9.1. This is due to missing or incorrect nonce validation on the process_request function. This makes it possible for unauthenticated atta...

Vendor: metagauss
Product: RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login
Published: Jul 01, 2026
Source: NVD
CVE-2026-11387 CRITICAL - 9.8

The SMS Alert – SMS & OTP for WooCommerce, Order Notifications & Abandoned Cart Recovery plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.9.5. This is due to the plugin not properly validating a user's identity prior...

Vendor: cozyvision1
Product: SMS Alert – SMS & OTP for WooCommerce, Order Notifications & Abandoned Cart Recovery
Published: Jul 01, 2026
Source: NVD
CVE-2026-10540 MEDIUM - 5.6

The Control-M/Enterprise Manager uses weak protections for stored hashes of account passwords, potentially allowing offline password recovery attacks if credential data is obtained by an attacker. This vulnerability affects Control-M/Enterprise Manager unsupported versions 9.0.20.x and potentially e...

Vendor: BMC
Product: Control-M/Enterprise Manager
Published: Jul 01, 2026
Source: NVD
CVE-2026-10539 CRITICAL - 9.0

A Control-M/Server communication command does not sufficiently filter or sanitize user-supplied input. Under certain conditions, this issue may allow an unauthenticated attacker to execute unauthorized commands on the affected server, potentially leading to compromise of the server.Β  This vulnera...

Vendor: BMC
Product: Control-M/Server
Published: Jul 01, 2026
Source: NVD
CVE-2026-10538 HIGH - 8.0

Messaging consumer functionality allows deserialization of user-controlled data without sufficient restriction of allowed object types in the out of support Control-M/Server and Control-M/Enterprise Manager versions 9.0.20.x and potentially earlier. This issue may allow an authenticated attacker to ...

Vendor: BMC
Product: Control-M/Enterprise Manager, Control-M/Server
Published: Jul 01, 2026
Source: NVD
CVE-2026-10096 MEDIUM - 4.3

The Qi Blocks plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.4.9 via the 'page_id' parameter due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with author-level access and ...

Vendor: qodeinteractive
Product: Qi Blocks
Published: Jul 01, 2026
Source: NVD
CVE-2026-1239 HIGH - 7.5

The Ninja Forms – The Contact Form Builder That Grows With You plugin for WordPress is vulnerable to unauthorized access of data due to a missing authorization check on the 'ninja-forms-views/token/refresh' REST callback in all versions up to, and including, 3.14.1. This makes it possible ...

Published: Jul 01, 2026
Source: NVD
CVE-2026-14193 HIGH - 7.5

DVP80ES300T with Improper Validation of Array Index Vulnerability

Vendor: deltaww
Product: DVP80ES300T
Published: Jul 01, 2026
Source: NVD
CVE-2026-12579 HIGH - 7.4

AS228T with Authentication Bypass Vulnerability

Vendor: deltaww
Product: AS228T
Published: Jul 01, 2026
Source: NVD
CVE-2026-11887 MEDIUM - 4.3

The Salon Booking System WordPress plugin before 10.30.20 does not have proper authorisation checks on one of its AJAX actions, allowing any authenticated user, such as a subscriber, to modify a Salon Booking System WordPress plugin before 10.30.20 setting and bypass the manual approval of new boo...

Vendor: Unknown
Product: Salon Booking System
Published: Jul 01, 2026
Source: NVD
CVE-2026-11883 HIGH - 7.2

The WebAuthn Provider for Two Factor WordPress plugin before 2.5.6 does not correctly validate the second-factor authentication response, allowing an attacker who already knows a user's password to bypass the two-factor authentication requirement by submitting a malformed request.

Vendor: Unknown
Product: WebAuthn Provider for Two Factor
Published: Jul 01, 2026
Source: NVD

The Fluent Forms WordPress plugin before 6.2.1 does not properly verify ownership before processing a subscription cancellation request, allowing authenticated users with a low-privilege account to cancel subscriptions belonging to other users.

Vendor: Unknown
Product: Fluent Forms
Published: Jul 01, 2026
Source: NVD
CVE-2026-11823 HIGH - 7.5

The BookingPress Appointment Booking Pro plugin for WordPress is vulnerable to SQL Injection via the 'store_service_date' parameter of the bpa_assign_staffmember_to_slots() function in versions up to and including 5.7.1. This is due to the explicit use of stripslashes_deep() on user-suppli...

Vendor: Repute Infosystems
Product: BookingPress Appointment Booking Pro
Published: Jul 01, 2026
Source: NVD
CVE-2026-11794 HIGH - 8.1

The Advanced Form Integration β€” Connect Forms to 200+ Apps WordPress plugin before 2.1.1 does not restrict the WordPress role assigned when it creates a user from a public form submission, allowing unauthenticated visitors to create an administrator account when an active integration maps the user r...

Vendor: Unknown
Product: Advanced Form Integration β€” Connect Forms to 200+ Apps
Published: Jul 01, 2026
Source: NVD