Total CVEs

143,226

Critical Severity

4,056

High Severity

14,605

Last 7 Days

1,268
Quick preset (or use dates below)
Clear Filters
📅 Showing Year: 2026 (January 1 - December 31, 2026) View All Years →
Showing 521 - 540 of 39,631 CVEs
CVE-2026-12097 MEDIUM - 5.3

The User Management plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.2. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to modify the plugin's ...

Vendor: saadiqbal
Product: User Management
Published: Jul 08, 2026
Source: NVD
CVE-2026-12041 MEDIUM - 4.4

The Chatra Live Chat + ChatBot + Cart Saver plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administr...

Vendor: chatra
Product: Chatra Live Chat + ChatBot + Cart Saver
Published: Jul 08, 2026
Source: NVD
CVE-2026-11798 MEDIUM - 6.1

The Social Share, Social Login and Social Comments Plugin – Super Socializer plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'heateor_mastodon_share' parameter in all versions up to, and including, 7.14.5 due to insufficient input sanitization and output escapi...

Vendor: the_champ
Product: Social Share, Social Login and Social Comments Plugin – Super Socializer
Published: Jul 08, 2026
Source: NVD
CVE-2026-10570 MEDIUM - 6.4

The Sympl Repeater for ACF and Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via ACF repeater field values in all versions up to, and including, 2.3. This is due to insufficient input sanitization and output escaping in the symp_arfe_replace_content() function, which us...

Vendor: idocoh
Product: Sympl Repeater for ACF and Elementor
Published: Jul 08, 2026
Source: NVD
CVE-2026-9842 HIGH - 7.5

The Backstage - Customizer Demo Access plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.4.2. This is due to the plugin assigning the `manage_options` capability to the `backstage_customizer_user` demo role, which is more permissive than necessary for...

Published: Jul 08, 2026
Source: NVD
CVE-2026-9701 CRITICAL - 9.8

The Eventer plugin for WordPress is vulnerable to an insecure password reset mechanism in all versions up to, and including, 4.4.2. The plugin stores a plaintext copy of the password reset key in the `eventer_verification_code` user meta field when a user requests a password reset. The plaintext key...

Published: Jul 08, 2026
Source: NVD
CVE-2026-14487 CRITICAL - 9.1

The Simple Coherent Form plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the removeUploadDir function in all versions up to, and including, 2.4.13. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, ...

Vendor: tombgtn
Product: Simple Coherent Form
Published: Jul 08, 2026
Source: NVD
CVE-2026-14482 HIGH - 8.8

The 多说社会化评论框 plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.2. The vulnerability exists due to a missing capability and nonce check on a directly web-accessible API endpoint, combined with a trivially forgeable HMAC-SHA1 signature keyed on an alway...

Vendor: shen2
Product: 多说社会化评论框
Published: Jul 08, 2026
Source: NVD
CVE-2026-14244 HIGH - 7.5

The Jssor Slider by jssor.com plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 3.1.24 via the 'url' parameter parameter. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can cont...

Vendor: jssor
Product: Jssor Slider by jssor.com
Published: Jul 08, 2026
Source: NVD
CVE-2026-14158 HIGH - 8.8

The Widget Logic Visual plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.52 via the widget_logic_visual_check_visibility function. This is due to missing capability check and nonce verification on the widget-logic-update-conditional-tags AJAX action...

Vendor: totalbounty
Product: Widget Logic Visual
Published: Jul 08, 2026
Source: NVD
CVE-2026-60002 HIGH - 7.7

ssh in OpenSSH before 10.4 can have a use-after-free when a server changes its host key during a key re-exchange. (This outcome occurs only on the client side.)

Vendor: OpenBSD
Product: OpenSSH
Published: Jul 08, 2026
Source: NVD
CVE-2026-60001 MEDIUM - 6.5

sshd in OpenSSH before 10.4 does not always honor the minimum authentication delay.

Vendor: OpenBSD
Product: OpenSSH
Published: Jul 08, 2026
Source: NVD

sshd in OpenSSH before 10.4 allows remote attackers to cause a denial of service (resource consumption from excessive authentication attempts) because MaxAuthTries was mishandled for GSSAPIAuthentication.

Vendor: OpenBSD
Product: OpenSSH
Published: Jul 08, 2026
Source: NVD
CVE-2026-59999 MEDIUM - 5.9

In sshd in OpenSSH before 10.4, DisableForwarding=yes was supposed to take precedence over PermitTunnel=yes, but did not.

Vendor: OpenBSD
Product: OpenSSH
Published: Jul 08, 2026
Source: NVD
CVE-2026-59998 MEDIUM - 4.8

sshd in OpenSSH before 10.4 has an undocumented security-relevant behavior: GSSAPIStrictAcceptorCheck has no value if the server is in Windows Active Directory.

Vendor: OpenBSD
Product: OpenSSH
Published: Jul 08, 2026
Source: NVD
CVE-2026-59997 MEDIUM - 4.2

internal-sftp in sshd in OpenSSH before 10.4 recognizes only the first 9 command-line arguments, which can be important if a later command-line argument would have helped to ensure the intended security properties of an SFTP connection.

Vendor: OpenBSD
Product: OpenSSH
Published: Jul 08, 2026
Source: NVD
CVE-2026-59996 MEDIUM - 4.2

scp in OpenSSH before 10.4 may place a file in the parent directory of an intended directory when the copy occurs between two remote destinations.

Vendor: OpenBSD
Product: OpenSSH
Published: Jul 08, 2026
Source: NVD
CVE-2026-59995 MEDIUM - 4.2

sftp in OpenSSH before 10.4 does not properly constrain the location of downloaded files when "sftp server:/path ." is used with an attacker-controlled server.

Vendor: OpenBSD
Product: OpenSSH
Published: Jul 08, 2026
Source: NVD
CVE-2026-56843 CRITICAL - 9.9

Incorrect authorization in the XML-RPC API of WebPros Plesk before 18.0.78.4 allows a low-privileged authenticated customer to look up domains they do not own, because ownership is enforced only for certain lookup filters and schema validation is bypassed for legacy protocol versions. This results i...

Vendor: Webpros
Product: Plesk
Published: Jul 08, 2026
Source: NVD

oasdiff does not enforce --allow-external-refs=false on the git-revision load path (SSRF / local file read)

Vendor: go
Product: github.com/oasdiff/oasdiff
Published: Jul 07, 2026
Source: GitHub