Total CVEs

142,027

Critical Severity

3,943

High Severity

14,108

Last 7 Days

1,884
Quick preset (or use dates below)
Clear Filters
๐Ÿ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years โ†’
Showing 4,241 - 4,260 of 38,432 CVEs
CVE-2026-9570 HIGH - 7.1

The Taskbuilder WordPress plugin before 5.0.8 does not properly sanitise a URL parameter before echoing it into inline JavaScript on a frontend page containing one of its shortcodes, leading to a Reflected Cross-Site Scripting vulnerability that can be triggered against any logged-in user.

Published: Jun 17, 2026
Source: NVD
CVE-2026-8607 MEDIUM - 6.4

The Points Management System For Gamification, Ranks, Badges, and Loyalty Rewards Program โ€“ myCred plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'wrap' Shortcode Attribute in all versions up to, and including, 3.1 due to insufficient input sanitization and output es...

Published: Jun 17, 2026
Source: NVD
CVE-2026-8494 MEDIUM - 6.4

The Permalink Manager Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via post titles in the admin URI Editor interface in all versions up to, and including, 2.5.3.3 due to insufficient output escaping. This makes it possible for authenticated attackers, with Contributor-level...

Published: Jun 17, 2026
Source: NVD
CVE-2026-8383 MEDIUM - 5.3

The LearnPress WordPress plugin before 4.3.7 does not gate the `edit` context on one of its REST endpoint behind the `edit_users` capability, allowing unauthenticated visitors to retrieve each returned user's roles, full capabilities map, extra capabilities, locale, and registration date via a...

Published: Jun 17, 2026
Source: NVD

Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

Published: Jun 17, 2026
Source: NVD
CVE-2026-8089 HIGH - 7.1

The weMail: Email Marketing, Email Automation, Newsletters, Subscribers & Email Optins for WooCommerce WordPress plugin before 2.1.3 does not properly escape a user-supplied parameter before reflecting it into an HTML attribute on a non-nonce-protected AJAX response, allowing unauthenticated att...

Published: Jun 17, 2026
Source: NVD
CVE-2026-7850 MEDIUM - 5.9

The WP Magnific Popup WordPress plugin through 1.0 does not properly escape user-controlled link URLs before injecting them into the DOM when displaying image load error messages, allowing authenticated attackers with Author-level access or above to perform Stored Cross-Site Scripting attacks agains...

Published: Jun 17, 2026
Source: NVD

Use of Hard-coded Credentials vulnerability in Mitsubishi Electric Room Air Conditioners (for Japan and outside Japan); Wireless LAN Adapters for Room Air Conditioners (for Japan and outside Japan); Wireless LAN Adapters for Packaged Air Conditioners (for Japan and outside Japan); Refrigerators (for...

Published: Jun 17, 2026
Source: NVD
CVE-2026-55706 MEDIUM - 5.8

sppp_pap_input in sys/net/if_spppsubr.c in OpenBSD before 076e2b1 allows authentication bypass via certain zero values for lengths.

Vendor: OpenBSD
Product: OpenBSD
Published: Jun 17, 2026
Source: NVD
CVE-2026-54811 CRITICAL - 9.3

Unauthenticated SQL Injection in WP eMember < v10.9.4 versions.

Vendor: Tips and Tricks HQ
Product: WP eMember
Published: Jun 17, 2026
Source: NVD
CVE-2026-54807 CRITICAL - 9.8

Unauthenticated Privilege Escalation in Registration Form for WooCommerce <= 1.0.9 versions.

Vendor: ThemeGrill
Product: Registration Form for WooCommerce
Published: Jun 17, 2026
Source: NVD
CVE-2026-54806 CRITICAL - 9.8

Unauthenticated PHP Object Injection in WP Activity Log <= 5.6.3.1 versions.

Vendor: Melapress
Product: WP Activity Log
Published: Jun 17, 2026
Source: NVD
CVE-2026-54805 HIGH - 8.8

Subscriber Privilege Escalation in Falang multilanguage <= 1.4.2 versions.

Vendor: sbouey
Product: Falang multilanguage
Published: Jun 17, 2026
Source: NVD
CVE-2026-54804 HIGH - 7.6

Subscriber Broken Authentication in Melhor Envio <= 2.16.3 versions.

Vendor: melhorenvio
Product: Melhor Envio
Published: Jun 17, 2026
Source: NVD
CVE-2026-54803 CRITICAL - 9.8

Subscriber Privilege Escalation in SMS Alert Order Notifications <= 3.9.4 versions.

Vendor: Cozy Vision Technologies Pvt. Ltd.
Product: SMS Alert Order Notifications
Published: Jun 17, 2026
Source: NVD
CVE-2026-54802 HIGH - 7.5

Unauthenticated Broken Authentication in SMS Alert Order Notifications <= 3.9.3 versions.

Vendor: Cozy Vision Technologies Pvt. Ltd.
Product: SMS Alert Order Notifications
Published: Jun 17, 2026
Source: NVD
CVE-2026-54196 MEDIUM - 6.8

Subscriber Privilege Escalation in JetFormBuilder <= 3.6.1 versions.

Vendor: Jetmonsters
Product: JetFormBuilder
Published: Jun 17, 2026
Source: NVD
CVE-2026-54195 HIGH - 7.1

Unauthenticated Cross Site Scripting (XSS) in JetFormBuilder <= 3.6.0.1 versions.

Vendor: Jetmonsters
Product: JetFormBuilder
Published: Jun 17, 2026
Source: NVD
CVE-2026-54194 CRITICAL - 9.8

Contributor PHP Object Injection in Fusion Builder <= 3.15.4 versions.

Vendor: ThemeFusion
Product: Fusion Builder
Published: Jun 17, 2026
Source: NVD
CVE-2026-54192 HIGH - 7.1

Unauthenticated Cross Site Scripting (XSS) in Popup box <= 6.2.9 versions.

Vendor: Ays Pro
Product: Popup box
Published: Jun 17, 2026
Source: NVD