Total CVEs

144,218

Critical Severity

4,148

High Severity

14,965

Last 7 Days

1,632
Quick preset (or use dates below)
Clear Filters
πŸ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years β†’
Showing 2,881 - 2,900 of 40,623 CVEs
CVE-2026-5120 HIGH - 8.1

A Race Condition vulnerability affecting BIOVIA Workbook from Release 2021 through Release 2026 could allow a user to access unauthorized data from another user.

Published: Jul 01, 2026
Source: NVD
CVE-2026-53909 MEDIUM - 6.5

MCO does not correctly validate types of uploaded files. File upload validation functionality relies only on client-side checks, which can be bypassed. An authorized, low-privileged attacker can upload files with arbitrary types to the server. Because vendor contact attempts were unsuccessful, the ...

Vendor: MyComplianceOffice
Product: MCO
Published: Jul 01, 2026
Source: NVD
CVE-2026-53908 MEDIUM - 4.3

MCO is vulnerable to User Enumeration through authentication-related functionalities. The application returns distinguishable responses for valid and invalid users during username reminder and password reset operations. An attacker can leverage these differences to enumerate valid usernames and emai...

Vendor: MyComplianceOffice
Product: MCO
Published: Jul 01, 2026
Source: NVD
CVE-2026-53907 MEDIUM - 5.4

MCO is vulnerable to Stored Cross‑Site Scripting (XSS) via the application logo upload functionality. An attacker with the ability to change the application logo can upload a crafted SVG file containing malicious JavaScript code that is executed when the logo is rendered or opened. Because vendor c...

Vendor: MyComplianceOffice
Product: MCO
Published: Jul 01, 2026
Source: NVD
CVE-2026-53906 HIGH - 8.2

MCO is vulnerable to Path Disclosure and Path Traversal in file handling functionality related to data export and upload. Improper validation of the filename parameter allows writing files to arbitrary locations as well as indirect disclosure of absolute server paths through error messages. Because...

Vendor: MyComplianceOffice
Product: MCO
Published: Jul 01, 2026
Source: NVD
CVE-2026-53905 HIGH - 7.1

MCO does not properly enforce authorization checks in the /customer/servlet/mco/webapi/admin-view-hierarchy/get-acl-tree-structure endpoint. An authenticated, low-privileged user can retrieve administrator access control structures without proper authorization checks. This may expose sensitive permi...

Vendor: MyComplianceOffice
Product: MCO
Published: Jul 01, 2026
Source: NVD
CVE-2026-53904 HIGH - 7.1

MCO is vulnerable to Account Denial of Service due to improper implementation of password reset functionality. Each password reset request invalidates previously set password as well as previously issued temporary passwords, furthermore, password resets are not limited in any way. An attacker who pr...

Vendor: MyComplianceOffice
Product: MCO
Published: Jul 01, 2026
Source: NVD
CVE-2026-53903 HIGH - 8.1

MCO is vulnerable to an Insecure Direct Object Reference (IDOR) vulnerability in the /customer/servlet/mco/webapi/trading-document/fetchPdfStatement endpoint. The application does not properly validate whether an authenticated user is authorized to access a requested document, allowing direct retrie...

Vendor: MyComplianceOffice
Product: MCO
Published: Jul 01, 2026
Source: NVD
CVE-2026-53902 MEDIUM - 6.5

MCO does not properly enforce authorization checks in the /customer/servlet/mco/webapi/profile-sections/group-membership endpoint. An authenticated user can modify their group membership without proper authorization checks, allowing privilege escalation. An attacker can add themselves to arbitrary g...

Vendor: MyComplianceOffice
Product: MCO
Published: Jul 01, 2026
Source: NVD
CVE-2026-14198 CRITICAL - 9.1

@fastify/middie versions 9.1.0 through 9.3.2 decode the encoded slash %2F inside path parameter values before matching middleware paths, while Fastify's underlying router preserves the encoding during route lookup. The two layers disagree on the canonical request path, so the middleware fails t...

Vendor: fastify
Product: fastify\/middie
Published: Jul 01, 2026
Source: NVD
CVE-2026-14181 HIGH - 7.5

@fastify/middie versions 9.1.0 through 9.3.2 fail to guard the URL normalization step used by the standalone engine when incoming request paths contain malformed percent-encoded sequences. Inputs such as an incomplete percent escape or a truncated multibyte sequence cause the underlying decoder to t...

Vendor: fastify
Product: fastify\/middie
Published: Jul 01, 2026
Source: NVD
CVE-2026-13323 MEDIUM - 4.1

In Open VSX Registry before 1.0.2, the /vscode/unpkg/ endpoint serves user-supplied HTML files with Content-Type: text/html and without a Content-Security-Policy or Content-Disposition: attachment response header. An unauthenticated attacker can register a publisher account, upload a VSIX containing...

Vendor: Eclipse Foundation
Product: Eclipse Open VSX
Published: Jul 01, 2026
Source: NVD
CVE-2026-14258 MEDIUM - 6.5

A flaw was found in dhcpcd's IPv6 Neighbor Discovery Router Advertisement processing. A specially crafted IPv6 Router Advertisement containing a zero-length Neighbor Discovery option can bypass validation during packet storage and later be reparsed without adequate validation, causing the parse...

Vendor: Red Hat
Product: Red Hat Enterprise Linux 10
Published: Jul 01, 2026
Source: NVD
CVE-2026-13228 HIGH - 8.8

The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Privilege Escalation to Administrator in versions up to, and including, 5.6.3 This is due to an Insecure Direct Object Reference (IDOR) in the create_or_update() function of OsOrdersController, ...

Vendor: latepoint
Product: LatePoint – Calendar Booking Plugin for Appointments and Events
Published: Jul 01, 2026
Source: NVD
CVE-2026-12142 HIGH - 7.2

The NEX-Forms – Ultimate Forms Plugin for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via '_name[]' Array Parameter in all versions up to, and including, 9.2.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthentic...

Vendor: webaways
Product: NEX-Forms – Ultimate Forms Plugin for WordPress
Published: Jul 01, 2026
Source: NVD
CVE-2026-10095 MEDIUM - 6.4

The WP Photo Album Plus plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'subtext' parameter in all versions up to, and including, 9.1.13.005 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contri...

Vendor: opajaap
Product: WP Photo Album Plus
Published: Jul 01, 2026
Source: NVD
CVE-2026-27435 MEDIUM - 5.3

Missing Authorization vulnerability in WofficeIO Woffice allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Woffice: from n/a before 5.4.33.

Vendor: WofficeIO
Product: Woffice
Published: Jul 01, 2026
Source: NVD
CVE-2026-13454 MEDIUM - 6.5

The MotoPress Appointment Booking plugin for WordPress is vulnerable to generic SQL Injection via the 's' parameter in all versions up to, and including, 2.4.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This mak...

Vendor: jetmonsters
Product: MotoPress Appointment Booking
Published: Jul 01, 2026
Source: NVD
CVE-2026-12754 MEDIUM - 6.1

The VikBooking Hotel Booking Engine & PMS plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'layoutstyle' parameter in all versions up to, and including, 1.8.12 due to insufficient input sanitization and output escaping. This makes it possible for unauthentic...

Vendor: e4jvikwp
Product: VikBooking Hotel Booking Engine & PMS
Published: Jul 01, 2026
Source: NVD
CVE-2026-56016 MEDIUM - 5.9

CGI::Session::ID::md5 versions before 4.49 for Perl generate predictable session ids from low-entropy sources. The generate_id method builds the session id from a MD5 digest of the process id, the epoch time, and the built-in rand() function. All three are predictable, low-entropy sources: the PID ...

Vendor: MARKSTOS
Product: CGI::Session::ID::md5
Published: Jul 01, 2026
Source: NVD