Total CVEs

144,269

Critical Severity

4,162

High Severity

14,979

Last 7 Days

1,663
Quick preset (or use dates below)
Clear Filters
๐Ÿ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years โ†’
Showing 3,661 - 3,680 of 40,674 CVEs
CVE-2026-56137 HIGH - 7.8

RPG MAKER MV and MZ provided by Gotcha Gotcha Games Inc. contain an OS command injection vulnerability. If a user loads a specially crafted save-file, arbitrary OS command may be executed.

Vendor: Gotcha Gotcha Games Inc.
Product: RPG MAKER MV, RPG MAKER MZ
Published: Jun 30, 2026
Source: NVD
CVE-2026-14164 HIGH - 7.5

A double free issue has been identified in libarchive's RAR5 reader. During parsing of a specially crafted RAR5 archive, the filtered_buf pointer may remain stale after being freed during unpacking state reinitialization. Subsequent processing of another archive entry can trigger a second free ...

Vendor: Red Hat
Product: Red Hat Hardened Images, Red Hat Enterprise Linux 10, Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7, Red Hat Enterprise Linux 8, Red Hat Enterprise Linux 9, Red Hat OpenShift Container Platform 4
Published: Jun 30, 2026
Source: NVD

Delta Electronics DVP12SE PLC exposes a Modbus TCP service over a specified port without authentication or access control, permitting unauthenticated interaction with security-sensitive PLC functions.

Vendor: deltaww
Product: DVP-12SE
Published: Jun 30, 2026
Source: NVD

Delta Electronics DVP12SE PLCs are susceptible to a resource allocation vulnerability without limits or throttling (CWE-770) within their Modbus TCP service.

Vendor: deltaww
Product: DVP-12SE
Published: Jun 30, 2026
Source: NVD
CVE-2026-12240 HIGH - 8.0

The Export User Data plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the unserialize function in all versions up to, and including, 2.2.6. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete a...

Vendor: qlstudio
Product: Export User Data
Published: Jun 30, 2026
Source: NVD
CVE-2026-11590 HIGH - 8.6

The WP Support Plus Responsive Ticket System WordPress plugin through 9.1.2 does not sanitize user-supplied array keys before using them in a SQL statement, allowing unauthenticated users to perform SQL injection attacks.

Vendor: Unknown
Product: WP Support Plus Responsive Ticket System
Published: Jun 30, 2026
Source: NVD
CVE-2026-11589 HIGH - 8.8

The WP Support Plus Responsive Ticket System WordPress plugin through 9.1.2 does not properly validate uploaded files, allowing unauthenticated users to upload files containing malicious JavaScript (such as HTML or SVG) to a publicly accessible location, leading to Stored Cross-Site Scripting attack...

Vendor: Unknown
Product: WP Support Plus Responsive Ticket System
Published: Jun 30, 2026
Source: NVD
CVE-2026-11581 MEDIUM - 5.9

The Kali Forms โ€” Contact Form & Drag-and-Drop Builder WordPress plugin before 2.4.13 does not sanitise a form field's caption before outputting it as a column header on the administrator form-entries screen, allowing users with Contributor-level access or above to store JavaScript that exec...

Vendor: Unknown
Product: Kali Forms โ€” Contact Form & Drag-and-Drop Builder
Published: Jun 30, 2026
Source: NVD
CVE-2026-8944 MEDIUM - 4.3

The Plugin for Google Analytics by IO technologies plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1. This is due to missing or incorrect nonce validation on the Google Analytics settings page (ga.php). This makes it possible for unauthenticated a...

Published: Jun 30, 2026
Source: NVD
CVE-2026-12560 MEDIUM - 4.4

The Editorial Rating โ€“ Product Review & Rating System plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'Link URL' Field in all versions up to, and including, 4.0.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated ...

Vendor: wpqode
Product: Editorial Rating โ€“ Product Review & Rating System
Published: Jun 30, 2026
Source: NVD
CVE-2026-12349 MEDIUM - 5.3

The Premium Addons for KingComposer plugin for WordPress is vulnerable to unauthorized modification and loss of data in versions up to, and including, 1.1.1. This is due to missing authorization and capability checks on the add_custom_sidebar() and remove_custom_sidebar() AJAX handlers, both of whic...

Vendor: octagonwebstudio
Product: Premium Addons for KingComposer
Published: Jun 30, 2026
Source: NVD
CVE-2026-12073 CRITICAL - 9.8

The ProfileGrid โ€“ User Profiles, Groups and Communities plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 5.9.9.5. This is due to the plugin not validating a `user_login` on registration forms that don't contain this parameter,...

Vendor: metagauss
Product: ProfileGrid โ€“ User Profiles, Groups and Communities
Published: Jun 30, 2026
Source: NVD
CVE-2026-11367 MEDIUM - 6.5

The PixMagix โ€“ WordPress Image Editor plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 1.7.2 via the move_image_on_server function. This makes it possible for authenticated attackers, with author-level access and above, to write files with attacker-cont...

Vendor: andrasweb
Product: PixMagix โ€“ WordPress Image Editor
Published: Jun 30, 2026
Source: NVD
CVE-2026-14160 MEDIUM - 5.9

Time-of-check time-of-use (TOCTOU) race condition vulnerability in Samsung Open Source Escargot allows Leveraging Race Conditions. This issue affects Escargot: bab3a5797557014ce3c2e28419a6310cfba90d0d.

Vendor: Samsung Open Source
Product: Escargot
Published: Jun 30, 2026
Source: NVD
CVE-2026-12114 MEDIUM - 4.4

The Team Members โ€“ Multi Language Supported Team Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 8.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with ...

Vendor: wpmart
Product: Team Members โ€“ Multi Language Supported Team Plugin
Published: Jun 30, 2026
Source: NVD
CVE-2026-58302 HIGH - 8.4

rtapi_app in linuxcnc-uspace in LinuxCNC before 2.9.9 allows privilege escalation. It is installed SUID root and loads shared library modules via dlopen() by using a user-supplied module name. Insufficient validation of the module name allows path traversal, enabling an unprivileged local user to lo...

Vendor: LinuxCNC
Product: LinuxCNC
Published: Jun 30, 2026
Source: NVD
CVE-2026-12243 HIGH - 7.5

NLTK version 3.9.4 is vulnerable to a path traversal attack due to an incomplete fix for GitHub Issue #3504. The `_UNSAFE_NO_PROTOCOL_RE` regex in `nltk/data.py` checks for literal `../` sequences but fails to account for percent-encoded traversal sequences such as `..%2f`. The `url2pathname()` func...

Vendor: nltk
Product: nltk
Published: Jun 30, 2026
Source: NVD
CVE-2026-8023 HIGH - 7.5

Zephyr's HTTP server (subsys/net/lib/http) provides a static-filesystem resource type (HTTP_RESOURCE_TYPE_STATIC_FS, available when CONFIG_FILE_SYSTEM is enabled) that serves files from a configured root directory. Before this fix, both the HTTP/1 and HTTP/2 front-ends placed the raw, attacker-...

Published: Jun 29, 2026
Source: NVD
CVE-2026-7656 HIGH - 8.1

The IPv6 Neighbor Discovery handlers in subsys/net/ip/ipv6_nbr.c (handle_ra_input, handle_ns_input, handle_na_input) used an incorrect boolean expression that combined the RFC 4861 validity checks with the ICMPv6 code check using the wrong operator precedence: the form was '((length/hop/source/...

Published: Jun 29, 2026
Source: NVD
CVE-2026-51219 MEDIUM - 6.5

A heap buffer overflow in the HighPriorityASDUQueue_hasUnconfirmedIMessages function of lib60870 v2.3.3 to v2.3.6 allows attackers to cause a Denial of Service (DoS) via a crafted payload.

Published: Jun 29, 2026
Source: NVD