Total CVEs

143,232

Critical Severity

4,056

High Severity

14,610

Last 7 Days

1,242
Quick preset (or use dates below)
Clear Filters
📅 Showing Year: 2026 (January 1 - December 31, 2026) View All Years →
Showing 521 - 540 of 39,637 CVEs
CVE-2026-57895 HIGH - 7.8

Incorrect default permissions issue exists in Pupsman versions prior to 3.9.0. An attacker can place a malicious executable in the installation folder, which results in arbitrary code execution with SYSTEM privilege

Vendor: Fuji Electric Co.,Ltd.
Product: Pupsman
Published: Jul 08, 2026
Source: NVD
CVE-2026-56437 HIGH - 7.8

Uncontrolled search path element issue exists in Pupsman versions prior to 3.9.0. If a crafted DLL file is placed in the same folder as the affected installer and the installer is executed, arbitrary code may be executed with SYSTEM privilege.

Vendor: Fuji Electric Co.,Ltd.
Product: Pupsman
Published: Jul 08, 2026
Source: NVD
CVE-2026-14500 MEDIUM - 5.3

The Bulk Order Update for WooCommerce plugin for WordPress is vulnerable to Arbitrary File Read in versions up to, and including, 1.6. This is due to the bouw_fetch_csv_data() AJAX handler being registered on the wp_ajax_nopriv_ hook with no capability or nonce check, and passing the attacker-suppli...

Vendor: sayantandas20
Product: Bulk Order Update for WooCommerce
Published: Jul 08, 2026
Source: NVD
CVE-2026-14495 HIGH - 8.8

The DoLogin Security plugin for WordPress is vulnerable to Authentication Bypass via Insufficient Randomness in all versions up to, and including, 4.3. The vulnerability exists because `dologin\s::rrand()` seeds the Mersenne Twister with `mt_srand((double) microtime() * 1000000)` — discarding the in...

Vendor: wpdo5ea
Product: DoLogin Security
Published: Jul 08, 2026
Source: NVD
CVE-2026-14489 HIGH - 8.8

The WHMCS Bridge plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the connect() function in all versions up to, and including, 6.9. This makes it possible for authenticated attackers, with Custom-level access and above, to upload arbitrary files on ...

Vendor: globalprogramming
Product: WHMCS Bridge
Published: Jul 08, 2026
Source: NVD
CVE-2026-12153 CRITICAL - 9.8

The WP Learn Manager plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.1.8. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to install and activate a...

Vendor: rabilal
Product: WP Learn Manager
Published: Jul 08, 2026
Source: NVD
CVE-2026-12097 MEDIUM - 5.3

The User Management plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.2. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to modify the plugin's ...

Vendor: saadiqbal
Product: User Management
Published: Jul 08, 2026
Source: NVD
CVE-2026-12041 MEDIUM - 4.4

The Chatra Live Chat + ChatBot + Cart Saver plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administr...

Vendor: chatra
Product: Chatra Live Chat + ChatBot + Cart Saver
Published: Jul 08, 2026
Source: NVD
CVE-2026-11798 MEDIUM - 6.1

The Social Share, Social Login and Social Comments Plugin – Super Socializer plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'heateor_mastodon_share' parameter in all versions up to, and including, 7.14.5 due to insufficient input sanitization and output escapi...

Vendor: the_champ
Product: Social Share, Social Login and Social Comments Plugin – Super Socializer
Published: Jul 08, 2026
Source: NVD
CVE-2026-10570 MEDIUM - 6.4

The Sympl Repeater for ACF and Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via ACF repeater field values in all versions up to, and including, 2.3. This is due to insufficient input sanitization and output escaping in the symp_arfe_replace_content() function, which us...

Vendor: idocoh
Product: Sympl Repeater for ACF and Elementor
Published: Jul 08, 2026
Source: NVD
CVE-2026-9842 HIGH - 7.5

The Backstage - Customizer Demo Access plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.4.2. This is due to the plugin assigning the `manage_options` capability to the `backstage_customizer_user` demo role, which is more permissive than necessary for...

Published: Jul 08, 2026
Source: NVD
CVE-2026-9701 CRITICAL - 9.8

The Eventer plugin for WordPress is vulnerable to an insecure password reset mechanism in all versions up to, and including, 4.4.2. The plugin stores a plaintext copy of the password reset key in the `eventer_verification_code` user meta field when a user requests a password reset. The plaintext key...

Published: Jul 08, 2026
Source: NVD
CVE-2026-14487 CRITICAL - 9.1

The Simple Coherent Form plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the removeUploadDir function in all versions up to, and including, 2.4.13. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, ...

Vendor: tombgtn
Product: Simple Coherent Form
Published: Jul 08, 2026
Source: NVD
CVE-2026-14482 HIGH - 8.8

The 多说社会化评论框 plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.2. The vulnerability exists due to a missing capability and nonce check on a directly web-accessible API endpoint, combined with a trivially forgeable HMAC-SHA1 signature keyed on an alway...

Vendor: shen2
Product: 多说社会化评论框
Published: Jul 08, 2026
Source: NVD
CVE-2026-14244 HIGH - 7.5

The Jssor Slider by jssor.com plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 3.1.24 via the 'url' parameter parameter. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can cont...

Vendor: jssor
Product: Jssor Slider by jssor.com
Published: Jul 08, 2026
Source: NVD
CVE-2026-14158 HIGH - 8.8

The Widget Logic Visual plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.52 via the widget_logic_visual_check_visibility function. This is due to missing capability check and nonce verification on the widget-logic-update-conditional-tags AJAX action...

Vendor: totalbounty
Product: Widget Logic Visual
Published: Jul 08, 2026
Source: NVD
CVE-2026-60002 HIGH - 7.7

ssh in OpenSSH before 10.4 can have a use-after-free when a server changes its host key during a key re-exchange. (This outcome occurs only on the client side.)

Vendor: OpenBSD
Product: OpenSSH
Published: Jul 08, 2026
Source: NVD
CVE-2026-60001 MEDIUM - 6.5

sshd in OpenSSH before 10.4 does not always honor the minimum authentication delay.

Vendor: OpenBSD
Product: OpenSSH
Published: Jul 08, 2026
Source: NVD

sshd in OpenSSH before 10.4 allows remote attackers to cause a denial of service (resource consumption from excessive authentication attempts) because MaxAuthTries was mishandled for GSSAPIAuthentication.

Vendor: OpenBSD
Product: OpenSSH
Published: Jul 08, 2026
Source: NVD
CVE-2026-59999 MEDIUM - 5.9

In sshd in OpenSSH before 10.4, DisableForwarding=yes was supposed to take precedence over PermitTunnel=yes, but did not.

Vendor: OpenBSD
Product: OpenSSH
Published: Jul 08, 2026
Source: NVD