Total CVEs

143,232

Critical Severity

4,056

High Severity

14,610

Last 7 Days

1,242
Quick preset (or use dates below)
Clear Filters
Showing 461 - 480 of 143,232 CVEs
CVE-2026-15033 MEDIUM - 6.3

A flaw has been found in christopherthielen check-peer-dependencies up to 4.3.4. Affected by this vulnerability is the function shelljs.exec of the file dist/packageUtils.js of the component peerDependencies. This manipulation causes os command injection. The attack may be initiated remotely. The pr...

Vendor: christopherthielen
Product: check-peer-dependencies
Published: Jul 08, 2026
Source: NVD
CVE-2026-8315 MEDIUM - 5.4

Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Webbeyaz Web Design Mediküm Web allows Stored XSS. This issue affects Mediküm Web: through 08072026. NOTE: The vendor was contacted and it was learned that the product is not supported.

Published: Jul 08, 2026
Source: NVD
CVE-2026-8310 MEDIUM - 6.1

Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Webbeyaz Web Design Mediküm Web allows Reflected XSS. This issue affects Mediküm Web: through 08072026. NOTE: The vendor was contacted and it was learned that the product is not supported...

Published: Jul 08, 2026
Source: NVD
CVE-2026-8307 CRITICAL - 9.8

Improper neutralization of special elements used in an SQL command ('SQL injection') vulnerability in Webbeyaz Web Design Mediküm Web allows SQL Injection. This issue affects Mediküm Web: through 08072026. NOTE: The vendor was contacted and it was learned that the product is not supported...

Published: Jul 08, 2026
Source: NVD
CVE-2026-6820 HIGH - 7.2

The VikBooking Hotel Booking Engine & PMS plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'email' parameter in all versions up to, and including, 1.8.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attac...

Published: Jul 08, 2026
Source: NVD
CVE-2026-6740 MEDIUM - 6.4

The Nexter Blocks – Gutenberg Blocks, Page Builder & AI Website Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'commentIcon' parameter in all versions up to, and including, 4.7.4 due to insufficient input sanitization and output escaping. This makes i...

Published: Jul 08, 2026
Source: NVD
CVE-2026-6459 MEDIUM - 6.4

The Essential Addons for Elementor – Popular Elementor Templates & Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Event Calendar widget in all versions up to, and including, 6.6.2 due to insufficient input sanitization and output escaping on event titles source...

Published: Jul 08, 2026
Source: NVD
CVE-2026-5459 MEDIUM - 5.3

The User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.3.1 via the payment_page() function due to missing validation on the 'user_i...

Published: Jul 08, 2026
Source: NVD
CVE-2026-5356 HIGH - 7.5

The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Improper Input Validation in all versions up to, and including, 5.4.0. This is due to the plugin's Stripe Connect payment processor accepting a client-supplied PaymentIntent ID. This makes ...

Published: Jul 08, 2026
Source: NVD
CVE-2026-14454 CRITICAL - 9.8

Imager versions before 1.033 for Perl treat unsigned EXIF IFD entry counts as signed. Imager mishandled large EXIF IFD entry count values, treating them as negative numbers. This could lead to an attempt to allocate a block nearly the size of the address space, which fails and kills the process. ...

Vendor: TONYC
Product: Imager
Published: Jul 08, 2026
Source: NVD
CVE-2026-12002 MEDIUM - 4.7

The Smash Balloon Social Photo Feed – Easy Social Feeds Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.11.1. This is due to missing or incorrect nonce validation on the maybe_connection_data function. This makes it possible for unauthe...

Vendor: smub
Product: Smash Balloon Social Photo Feed – Easy Social Feeds Plugin
Published: Jul 08, 2026
Source: NVD
CVE-2026-6854 HIGH - 7.5

The My Calendar – Accessible Event Manager plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'mc_auth' parameter in all versions up to, and including, 3.7.8 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the exis...

Published: Jul 08, 2026
Source: NVD
CVE-2026-6818 HIGH - 7.2

The VikBooking Hotel Booking Engine & PMS plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'special_requests' parameter in all versions up to, and including, 1.8.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenti...

Published: Jul 08, 2026
Source: NVD
CVE-2026-6742 MEDIUM - 6.4

The Advanced iFrame plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'additional' parameter in all versions up to, and including, 2026.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor...

Published: Jul 08, 2026
Source: NVD
CVE-2026-6371 MEDIUM - 4.8

Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Limatek System Inc. LimRAD NAC allows Stored XSS. This issue affects LimRAD NAC: through 08072026. NOTE: The vendor was contacted early about this disclosure but did not respond in any wa...

Published: Jul 08, 2026
Source: NVD
CVE-2026-6230 HIGH - 7.5

The Tainacan plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'geoquery' parameter in all versions up to and including 1.0.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it p...

Published: Jul 08, 2026
Source: NVD
CVE-2026-41042 CRITICAL - 9.1

Unauthenticated callers can supply a malicious H2 JDBC URL through the testConnection API, which executes arbitrary Java code on the server via H2's INIT parameter. Vulnerability in Apache Gravitino. This issue affects Apache Gravitino: before 1.2.1. Users are recommended to upgrade to versio...

Vendor: Apache Software Foundation
Product: Apache Gravitino
Published: Jul 08, 2026
Source: NVD
CVE-2026-3688 HIGH - 8.1

The WCFM Membership – WooCommerce Memberships for Multivendor Marketplace plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.11.10. This is due to the 'wcfmvm_membership_change' AJAX action not validating user permission to modify...

Published: Jul 08, 2026
Source: NVD
CVE-2026-14250 MEDIUM - 6.3

The Themehunk Login Registration plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 1.0.2. This is due to the handle_frontend_register() function in the unauthenticated /thlogin/v1/register REST endpoint accepting a user-controlled 'role' parameter...

Vendor: themehunk
Product: TH Login Registration
Published: Jul 08, 2026
Source: NVD
CVE-2026-12936 MEDIUM - 4.9

The Recurio – Ultimate Subscription for WooCommerce plugin for WordPress is vulnerable to generic SQL Injection via the 'data' parameter in all versions up to, and including, 1.1.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existin...

Vendor: devitemsllc
Product: Recurio – Ultimate Subscription for WooCommerce
Published: Jul 08, 2026
Source: NVD