Total CVEs

144,269

Critical Severity

4,162

High Severity

14,979

Last 7 Days

1,647
Quick preset (or use dates below)
Clear Filters
๐Ÿ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years โ†’
Showing 2,961 - 2,980 of 40,674 CVEs
CVE-2026-12158 HIGH - 8.8

The RegistrationMagic โ€“ User Registration Forms Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.0.9.1. This is due to missing or incorrect nonce validation on the process_request function. This makes it possible for unauthenticated atta...

Vendor: metagauss
Product: RegistrationMagic โ€“ Custom Registration Forms, User Registration, Payment, and User Login
Published: Jul 01, 2026
Source: NVD
CVE-2026-11387 CRITICAL - 9.8

The SMS Alert โ€“ SMS & OTP for WooCommerce, Order Notifications & Abandoned Cart Recovery plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.9.5. This is due to the plugin not properly validating a user's identity prior...

Vendor: cozyvision1
Product: SMS Alert โ€“ SMS & OTP for WooCommerce, Order Notifications & Abandoned Cart Recovery
Published: Jul 01, 2026
Source: NVD
CVE-2026-10540 MEDIUM - 5.6

The Control-M/Enterprise Manager uses weak protections for stored hashes of account passwords, potentially allowing offline password recovery attacks if credential data is obtained by an attacker. This vulnerability affects Control-M/Enterprise Manager unsupported versions 9.0.20.x and potentially e...

Vendor: BMC
Product: Control-M/Enterprise Manager
Published: Jul 01, 2026
Source: NVD
CVE-2026-10539 CRITICAL - 9.0

A Control-M/Server communication command does not sufficiently filter or sanitize user-supplied input. Under certain conditions, this issue may allow an unauthenticated attacker to execute unauthorized commands on the affected server, potentially leading to compromise of the server.ย  This vulnera...

Vendor: BMC
Product: Control-M/Server
Published: Jul 01, 2026
Source: NVD
CVE-2026-10538 HIGH - 8.0

Messaging consumer functionality allows deserialization of user-controlled data without sufficient restriction of allowed object types in the out of support Control-M/Server and Control-M/Enterprise Manager versions 9.0.20.x and potentially earlier. This issue may allow an authenticated attacker to ...

Vendor: BMC
Product: Control-M/Enterprise Manager, Control-M/Server
Published: Jul 01, 2026
Source: NVD
CVE-2026-10096 MEDIUM - 4.3

The Qi Blocks plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.4.9 via the 'page_id' parameter due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with author-level access and ...

Vendor: qodeinteractive
Product: Qi Blocks
Published: Jul 01, 2026
Source: NVD
CVE-2026-1239 HIGH - 7.5

The Ninja Forms โ€“ The Contact Form Builder That Grows With You plugin for WordPress is vulnerable to unauthorized access of data due to a missing authorization check on the 'ninja-forms-views/token/refresh' REST callback in all versions up to, and including, 3.14.1. This makes it possible ...

Published: Jul 01, 2026
Source: NVD
CVE-2026-14193 HIGH - 7.5

DVP80ES300T with Improper Validation of Array Index Vulnerability

Vendor: deltaww
Product: DVP80ES300T
Published: Jul 01, 2026
Source: NVD
CVE-2026-12579 HIGH - 7.4

AS228T with Authentication Bypass Vulnerability

Vendor: deltaww
Product: AS228T
Published: Jul 01, 2026
Source: NVD
CVE-2026-11887 MEDIUM - 4.3

The Salon Booking System WordPress plugin before 10.30.20 does not have proper authorisation checks on one of its AJAX actions, allowing any authenticated user, such as a subscriber, to modify a Salon Booking System WordPress plugin before 10.30.20 setting and bypass the manual approval of new boo...

Vendor: Unknown
Product: Salon Booking System
Published: Jul 01, 2026
Source: NVD
CVE-2026-11883 HIGH - 7.2

The WebAuthn Provider for Two Factor WordPress plugin before 2.5.6 does not correctly validate the second-factor authentication response, allowing an attacker who already knows a user's password to bypass the two-factor authentication requirement by submitting a malformed request.

Vendor: Unknown
Product: WebAuthn Provider for Two Factor
Published: Jul 01, 2026
Source: NVD

The Fluent Forms WordPress plugin before 6.2.1 does not properly verify ownership before processing a subscription cancellation request, allowing authenticated users with a low-privilege account to cancel subscriptions belonging to other users.

Vendor: Unknown
Product: Fluent Forms
Published: Jul 01, 2026
Source: NVD
CVE-2026-11823 HIGH - 7.5

The BookingPress Appointment Booking Pro plugin for WordPress is vulnerable to SQL Injection via the 'store_service_date' parameter of the bpa_assign_staffmember_to_slots() function in versions up to and including 5.7.1. This is due to the explicit use of stripslashes_deep() on user-suppli...

Vendor: Repute Infosystems
Product: BookingPress Appointment Booking Pro
Published: Jul 01, 2026
Source: NVD
CVE-2026-11794 HIGH - 8.1

The Advanced Form Integration โ€” Connect Forms to 200+ Apps WordPress plugin before 2.1.1 does not restrict the WordPress role assigned when it creates a user from a public form submission, allowing unauthenticated visitors to create an administrator account when an active integration maps the user r...

Vendor: Unknown
Product: Advanced Form Integration โ€” Connect Forms to 200+ Apps
Published: Jul 01, 2026
Source: NVD
CVE-2026-11570 MEDIUM - 4.2

The User Submitted Posts WordPress plugin before 20260608 does not escape a submitted value before outputting it in an admin-configured display template, leading to a Stored Cross-Site Scripting that can be triggered by unauthenticated users when a non-default display option is enabled.

Vendor: Unknown
Product: User Submitted Posts
Published: Jul 01, 2026
Source: NVD
CVE-2026-11568 HIGH - 7.5

The Product Configurator for WooCommerce WordPress plugin before 1.7.3 does not perform any authorisation or post-status check before returning WooCommerce product data through a public AJAX action, allowing unauthenticated users to retrieve the data (title, price, weight, stock status, and configur...

Vendor: Unknown
Product: Product Configurator for WooCommerce
Published: Jul 01, 2026
Source: NVD
CVE-2026-11562 MEDIUM - 4.3

The WS Form LITE WordPress plugin before 1.11.8 does not have a capability check on one of its settings-update actions, allowing authenticated users with subscriber-level access and above to modify the WS Form LITE WordPress plugin before 1.11.8's settings.

Vendor: Unknown
Product: WS Form LITE
Published: Jul 01, 2026
Source: NVD
CVE-2026-10750 HIGH - 8.1

The Royal MCP WordPress plugin before 1.4.26 does not perform capability checks on the majority of its MCP tools after token authentication, allowing authenticated users with a low-privileged role such as Subscriber to read private content, enumerate all users and their roles, and create, modify, o...

Vendor: Unknown
Product: Royal MCP
Published: Jul 01, 2026
Source: NVD
CVE-2025-15666 MEDIUM - 5.3

A security vulnerability has been detected in Open Asset Import Library Assimp up to 5.4.3. Affected by this vulnerability is the function Assimp::SceneCombiner::Copy of the file code/Common/SceneCombiner.cpp of the component Model File Handler. Such manipulation of the argument width/height leads t...

Vendor: Open Asset Import Library
Product: Assimp
Published: Jul 01, 2026
Source: NVD
CVE-2026-9107 MEDIUM - 6.4

The Kali Forms โ€” Contact Form & Drag-and-Drop Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'meta[kaliforms_field_components]' parameter in all versions up to, and including, 2.4.13 due to insufficient input sanitization and output escaping. This mak...

Published: Jul 01, 2026
Source: NVD