Total CVEs

143,208

Critical Severity

4,054

High Severity

14,598

Last 7 Days

1,275
Quick preset (or use dates below)
Clear Filters
πŸ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years β†’
Showing 441 - 460 of 39,613 CVEs
CVE-2026-6820 HIGH - 7.2

The VikBooking Hotel Booking Engine & PMS plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'email' parameter in all versions up to, and including, 1.8.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attac...

Published: Jul 08, 2026
Source: NVD
CVE-2026-6740 MEDIUM - 6.4

The Nexter Blocks – Gutenberg Blocks, Page Builder & AI Website Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'commentIcon' parameter in all versions up to, and including, 4.7.4 due to insufficient input sanitization and output escaping. This makes i...

Published: Jul 08, 2026
Source: NVD
CVE-2026-6459 MEDIUM - 6.4

The Essential Addons for Elementor – Popular Elementor Templates & Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Event Calendar widget in all versions up to, and including, 6.6.2 due to insufficient input sanitization and output escaping on event titles source...

Published: Jul 08, 2026
Source: NVD
CVE-2026-5459 MEDIUM - 5.3

The User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.3.1 via the payment_page() function due to missing validation on the 'user_i...

Published: Jul 08, 2026
Source: NVD
CVE-2026-5356 HIGH - 7.5

The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Improper Input Validation in all versions up to, and including, 5.4.0. This is due to the plugin's Stripe Connect payment processor accepting a client-supplied PaymentIntent ID. This makes ...

Published: Jul 08, 2026
Source: NVD
CVE-2026-14454 CRITICAL - 9.8

Imager versions before 1.033 for Perl treat unsigned EXIF IFD entry counts as signed. Imager mishandled large EXIF IFD entry count values, treating them as negative numbers. This could lead to an attempt to allocate a block nearly the size of the address space, which fails and kills the process. ...

Vendor: TONYC
Product: Imager
Published: Jul 08, 2026
Source: NVD
CVE-2026-12002 MEDIUM - 4.7

The Smash Balloon Social Photo Feed – Easy Social Feeds Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.11.1. This is due to missing or incorrect nonce validation on the maybe_connection_data function. This makes it possible for unauthe...

Vendor: smub
Product: Smash Balloon Social Photo Feed – Easy Social Feeds Plugin
Published: Jul 08, 2026
Source: NVD
CVE-2026-6854 HIGH - 7.5

The My Calendar – Accessible Event Manager plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'mc_auth' parameter in all versions up to, and including, 3.7.8 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the exis...

Published: Jul 08, 2026
Source: NVD
CVE-2026-6818 HIGH - 7.2

The VikBooking Hotel Booking Engine & PMS plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'special_requests' parameter in all versions up to, and including, 1.8.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenti...

Published: Jul 08, 2026
Source: NVD
CVE-2026-6742 MEDIUM - 6.4

The Advanced iFrame plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'additional' parameter in all versions up to, and including, 2026.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor...

Published: Jul 08, 2026
Source: NVD
CVE-2026-6371 MEDIUM - 4.8

Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Limatek System Inc. LimRAD NAC allows Stored XSS. This issue affects LimRAD NAC: through 08072026.Β NOTE: The vendor was contacted early about this disclosure but did not respond in any wa...

Published: Jul 08, 2026
Source: NVD
CVE-2026-6230 HIGH - 7.5

The Tainacan plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'geoquery' parameter in all versions up to and including 1.0.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it p...

Published: Jul 08, 2026
Source: NVD
CVE-2026-41042 CRITICAL - 9.1

Unauthenticated callers can supply a malicious H2 JDBC URL through the testConnection API, which executes arbitrary Java code on the server via H2's INIT parameter. Vulnerability in Apache Gravitino. This issue affects Apache Gravitino: before 1.2.1. Users are recommended to upgrade to versio...

Vendor: Apache Software Foundation
Product: Apache Gravitino
Published: Jul 08, 2026
Source: NVD
CVE-2026-3688 HIGH - 8.1

The WCFM Membership – WooCommerce Memberships for Multivendor Marketplace plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.11.10. This is due to the 'wcfmvm_membership_change' AJAX action not validating user permission to modify...

Published: Jul 08, 2026
Source: NVD
CVE-2026-14250 MEDIUM - 6.3

The Themehunk Login Registration plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 1.0.2. This is due to the handle_frontend_register() function in the unauthenticated /thlogin/v1/register REST endpoint accepting a user-controlled 'role' parameter...

Vendor: themehunk
Product: TH Login Registration
Published: Jul 08, 2026
Source: NVD
CVE-2026-12936 MEDIUM - 4.9

The Recurio – Ultimate Subscription for WooCommerce plugin for WordPress is vulnerable to generic SQL Injection via the 'data' parameter in all versions up to, and including, 1.1.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existin...

Vendor: devitemsllc
Product: Recurio – Ultimate Subscription for WooCommerce
Published: Jul 08, 2026
Source: NVD
CVE-2025-14785 MEDIUM - 6.4

The Website Builder by SeedProd - Theme Builder, Landing Page Builder, Coming Soon Page, Maintenance Mode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `seedprodnestedmenuwidget` shortcode in all versions up to, and including, 6.20.2 due to insufficient inpu...

Vendor: seedprod
Product: Website Builder by SeedProd β€” Theme Builder, Landing Page Builder, Coming Soon Page, Maintenance Mode
Published: Jul 08, 2026
Source: NVD

A flaw was found in 389 Directory Server. The PBKDF2-SHA256 password verification function uses standard memcmp() for comparing password hashes instead of a constant-time comparison function. A remote attacker could potentially use timing measurements of LDAP bind attempts to infer partial hash info...

Vendor: Red Hat
Product: Red Hat Directory Server 11, Red Hat Directory Server 12, Red Hat Directory Server 13, Red Hat Enterprise Linux 10, Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7, Red Hat Enterprise Linux 8, Red Hat Enterprise Linux 9
Published: Jul 08, 2026
Source: NVD
CVE-2026-56003 HIGH - 8.5

A heap buffer overflow due to missing size checking in the property buffer when parsing PCF files in libXfont2 ComputeScaledProperties() before libXfont2 before 2.0.8 could be used by attackers using authenticated X clients to execute code within the X server.

Vendor: X.Org
Product: libXfont2
Published: Jul 08, 2026
Source: NVD
CVE-2026-56002 HIGH - 8.5

A heap bufferflow in pcfReadFont() due to missing glyph bounds checkingΒ in libXfont2 before 2.0.8Β  allows attackers authenticated as X client to execute code within the X server.

Vendor: X.Org
Product: libXfont2
Published: Jul 08, 2026
Source: NVD