Total CVEs

138,210

Critical Severity

3,547

High Severity

12,695

Last 7 Days

1,888
Showing Year: 2026 (January 1 - December 31, 2026)
Showing 381 - 400 of 12,881 CVEs
CVE-2026-39527 MEDIUM - 5.4

Subscriber Arbitrary File Upload in WpStream < 4.11.2 versions.

Vendor: sc Internet Vivoo
Product: WpStream
Published: Jun 15, 2026
Source: NVD
CVE-2026-39525 MEDIUM - 6.5

Unauthenticated Broken Access Control in Booking Activities <= 1.16.48.1 versions.

Vendor: Booking Activities Team
Product: Booking Activities
Published: Jun 15, 2026
Source: NVD
CVE-2026-39515 MEDIUM - 6.5

Subscriber Broken Access Control in Motors < 1.4.107 versions.

Vendor: StylemixThemes
Product: Motors
Published: Jun 15, 2026
Source: NVD
CVE-2026-39491 MEDIUM - 6.5

Subscriber Cross Site Scripting (XSS) in JupiterX Core <= 4.14.1 versions.

Vendor: artbees
Product: JupiterX Core
Published: Jun 15, 2026
Source: NVD
CVE-2026-39489 MEDIUM - 4.4

Author Arbitrary File Download in Download Monitor <= 5.1.9 versions.

Vendor: WP Chill
Product: Download Monitor
Published: Jun 15, 2026
Source: NVD
CVE-2026-39468 MEDIUM - 6.8

Contributor Arbitrary File Deletion in Meta Box – WordPress Custom Fields Framework <= 5.11.1 versions.

Vendor: eLightUp
Product: Meta Box – WordPress Custom Fields Framework
Published: Jun 15, 2026
Source: NVD
CVE-2026-39451 MEDIUM - 6.3

Unauthenticated Cross Site Scripting (XSS) in WP Google Review Slider <= 18.0 versions.

Vendor: jgwhite33
Product: WP Google Review Slider
Published: Jun 15, 2026
Source: NVD
CVE-2026-34892 MEDIUM - 6.5

Subscriber Broken Access Control in Rank Math SEO <= 1.0.271 versions.

Vendor: Rank Math SEO
Product: Rank Math SEO
Published: Jun 15, 2026
Source: NVD
CVE-2026-25440 MEDIUM - 5.3

Unauthenticated Broken Access Control in Essential Addons for Elementor < 6.6.0 versions.

Vendor: WPDeveloper
Product: Essential Addons for Elementor
Published: Jun 15, 2026
Source: NVD
CVE-2025-69332 MEDIUM - 6.5

Subscriber Broken Access Control in Bookify <= 1.1.1 versions.

Vendor: myCred
Product: Bookify
Published: Jun 15, 2026
Source: NVD
CVE-2025-68049 MEDIUM - 6.3

Subscriber Broken Access Control in bunny.net <= 2.3.6 versions.

Vendor: bunny.net
Product: bunny.net
Published: Jun 15, 2026
Source: NVD
CVE-2025-60175 MEDIUM - 4.4

Administrator Server Side Request Forgery (SSRF) in PopAd <= 1.0.4 versions.

Vendor: vynnus
Product: PopAd
Published: Jun 15, 2026
Source: NVD
CVE-2026-48988 MEDIUM - 5.3

markdown-it is a Markdown parser. Versions 14.1.1 and below contain a denial-of-service vulnerability when typographer: true is enabled, due to quadratic (O(n^2)) processing in the smartquotes rule. The issue stems from repeatedly modifying strings with replaceAt(), which performs O(n) slicing and c...

Vendor: npm
Product: markdown-it
Published: Jun 15, 2026
Source: GitHub
CVE-2026-54285 MEDIUM - 5.3

OpenTelemetry Core: Unbounded memory allocation in W3C Baggage propagation

Vendor: npm
Product: @opentelemetry/core
Published: Jun 15, 2026
Source: GitHub
CVE-2026-52721 MEDIUM - 5.3

Multiple out-of-bounds read vulnerabilities were found in GStreamer's pcapparse element. Malformed PCAP records can trigger reads beyond buffer boundaries during IPv4/TCP header parsing. This element is primarily used in debugging pipelines, limiting real-world exposure. A local attacker could ...

Vendor: Red Hat
Product: Red Hat Enterprise Linux 10, Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7, Red Hat Enterprise Linux 8, Red Hat Enterprise Linux 9
Published: Jun 15, 2026
Source: NVD
CVE-2026-52718 MEDIUM - 6.5

A denial of service vulnerability was found in GStreamer's AV1 codec parser in gst-plugins-bad. The gst_av1_parser_parse_tile_list_obu() function passes a byte count to a bit-reader API that expects a bit count, causing parser desynchronization. A remote attacker could trick a user into opening...

Vendor: Red Hat
Product: Red Hat Enterprise Linux 10, Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7, Red Hat Enterprise Linux 8, Red Hat Enterprise Linux 9
Published: Jun 15, 2026
Source: NVD
CVE-2026-50892 MEDIUM - 6.5

Incorrect access control in the "Let's Encrypt" certificate download endpoint of Nginx Proxy Manager v2.14.0 allows authenticated attackers to obtain the TLS private key material via a crafted GET request.

Published: Jun 15, 2026
Source: NVD
CVE-2026-50876 MEDIUM - 5.4

A cross-site scripting (XSS) vulnerability in Deck9 Input v2.0.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.

Published: Jun 15, 2026
Source: NVD
CVE-2026-49953 MEDIUM - 6.5

Discuz! X5.0 releases 20260320 through 20260610 contains a CAPTCHA bypass vulnerability that allows unauthenticated remote attackers to defeat challenge controls by exploiting limited complexity and predictable character sets in generated CAPTCHA images. Attackers can train a custom optical characte...

Vendor: Discuz!
Product: Discuz! X5.0
Published: Jun 15, 2026
Source: NVD
CVE-2026-39197 MEDIUM - 6.5

An issue in the /util/http/prelude.rs endpoint of Datadog, Inc Vector v0.54.0 allows attackers to cause a Denial of Service (DoS) via a crafted request or payload.

Published: Jun 15, 2026
Source: NVD