Total CVEs

145,712

Critical Severity

4,267

High Severity

15,730

Last 7 Days

2,309
Quick preset (or use dates below)
Clear Filters
๐Ÿ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years โ†’
Showing 5,741 - 5,760 of 42,117 CVEs
CVE-2025-68075 MEDIUM - 6.5

Contributor Cross Site Scripting (XSS) in BNE Testimonials <= 2.0.8 versions.

Vendor: Kerry
Product: BNE Testimonials
Published: Jun 26, 2026
Source: NVD
CVE-2025-68074 MEDIUM - 6.5

Contributor Cross Site Scripting (XSS) in Image Carousel <= 1.0.0.41 versions.

Vendor: GhozyLab
Product: Image Carousel
Published: Jun 26, 2026
Source: NVD
CVE-2025-68064 HIGH - 7.5

Contributor Local File Inclusion in Goya Core < 1.0.9.4 versions.

Vendor: Everthemess
Product: Goya Core
Published: Jun 26, 2026
Source: NVD
CVE-2025-68063 HIGH - 7.5

Contributor Local File Inclusion in Splash - Sport Club WordPress Theme for Basketball, Football, Hockey <= 4.4.3 versions.

Vendor: StylemixThemes
Product: Splash - Sport Club WordPress Theme for Basketball, Football, Hockey
Published: Jun 26, 2026
Source: NVD
CVE-2025-68052 HIGH - 8.8

Unauthenticated Cross Site Request Forgery (CSRF) in Eagle Booking <= 1.3.4.3 versions.

Vendor: Eagle-Themes
Product: Eagle Booking
Published: Jun 26, 2026
Source: NVD
CVE-2025-66123 MEDIUM - 5.3

Unauthenticated Insecure Direct Object References (IDOR) in BookPro <= 1.1.0 versions.

Vendor: About Envato
Product: BookPro
Published: Jun 26, 2026
Source: NVD
CVE-2025-64637 MEDIUM - 5.3

Unauthenticated Content Injection in Auros Core <= 5.3.1 versions.

Vendor: Opal_WP
Product: Auros Core
Published: Jun 26, 2026
Source: NVD
CVE-2025-64636 MEDIUM - 5.3

Unauthenticated Broken Access Control in Donation Thermometer <= 2.2.7 versions.

Vendor: rhewlif
Product: Donation Thermometer
Published: Jun 26, 2026
Source: NVD
CVE-2025-63079 MEDIUM - 4.3

Contributor Broken Access Control in Live Copy Paste for Elementor <= 1.5.3 versions.

Vendor: bdthemes
Product: Live Copy Paste for Elementor
Published: Jun 26, 2026
Source: NVD
CVE-2025-63078 MEDIUM - 4.3

Subscriber Broken Access Control in Restaurant Menu by MotoPress <= 2.4.11 versions.

Vendor: jetmonsters
Product: Restaurant Menu by MotoPress
Published: Jun 26, 2026
Source: NVD
CVE-2025-63041 MEDIUM - 5.4

Contributor Broken Access Control in Forget About Shortcode Buttons <= 2.1.3 versions.

Vendor: Code Amp
Product: Forget About Shortcode Buttons
Published: Jun 26, 2026
Source: NVD

HTMLy 3.1.1 contains a Server-Side Request Forgery (SSRF) vulnerability in the RSS feed import functionality. The function get_feed() in system/admin/admin.php passes user-supplied $feed_url directly to file_get_contents() without any validation. An authenticated attacker with administrative privile...

Vendor: danpros
Product: HTMLy
Published: Jun 26, 2026
Source: NVD

In JetBrains YouTrack before 2026.2.16593 the websandbox bridge was vulnerable to a prototype pollution attack

Vendor: JetBrains
Product: YouTrack
Published: Jun 26, 2026
Source: NVD
CVE-2026-57925 MEDIUM - 4.3

In JetBrains YouTrack before 2026.2.16593 improper access control allowed reading saved queries and tags

Vendor: JetBrains
Product: YouTrack
Published: Jun 26, 2026
Source: NVD
CVE-2026-57924 MEDIUM - 4.3

In JetBrains YouTrack before 2026.2.16593 default role configuration exposed excessive user profile details

Vendor: JetBrains
Product: YouTrack
Published: Jun 26, 2026
Source: NVD
CVE-2026-57923 MEDIUM - 5.3

In JetBrains YouTrack before 2026.2.16593 improper authorisation in the app configurations endpoint allowed modifying project settings

Vendor: JetBrains
Product: YouTrack
Published: Jun 26, 2026
Source: NVD

In JetBrains YouTrack before 2026.2.16593 project settings disclosure via the MCP was possible

Vendor: JetBrains
Product: YouTrack
Published: Jun 26, 2026
Source: NVD
CVE-2026-57921 MEDIUM - 4.3

In JetBrains YouTrack before 2026.2.16593 improper access control allowed reading users' private data via the comment templates endpoint

Vendor: JetBrains
Product: YouTrack
Published: Jun 26, 2026
Source: NVD
CVE-2026-53914 MEDIUM - 6.7

In JetBrains Kotlin before 2.4.20 code execution was possible via unsafe deserialization in the build cache metadata

Vendor: JetBrains
Product: Kotlin
Published: Jun 26, 2026
Source: NVD
CVE-2026-13426 MEDIUM - 5.4

The Mattermost Go module github.com/mattermost/mattermost/server/public versions < v0.1.22 fail to validate path parameters when constructing API route paths which allows an attacker to redirect API calls to unintended endpoints via crafted IDs containing path traversal components. Mattermost Adv...

Vendor: Mattermost
Product: github.com/mattermost/mattermost/server/public
Published: Jun 26, 2026
Source: NVD