Total CVEs: 140,426
Critical Severity: 3,747
High Severity: 13,550
Last 7 Days: 1,486
Showing 8,061 - 8,080 of 13,946 CVEs
CVE-2026-4848 MEDIUM - 4.3

A vulnerability was determined in dameng100 muucmf 1.9.5.20260309. This affects an unknown function of the file /admin/extend/list.html. Executing a manipulation of the argument Name can lead to cross site scripting. The attack can be launched remotely. The exploit has been publicly disclosed and ma...

Published: Mar 26, 2026
Source: NVD
CVE-2026-4847 MEDIUM - 4.3

A vulnerability was found in dameng100 muucmf 1.9.5.20260309. The impacted element is an unknown function of the file /admin/config/list.html. Performing a manipulation of the argument Name results in cross site scripting. The attack can be initiated remotely. The exploit has been made public and co...

Published: Mar 26, 2026
Source: NVD
CVE-2026-1890 MEDIUM - 5.3

The LeadConnector WordPress plugin before 3.0.22 does not have authorization in a REST route, allowing unauthenticated users to call it and overwrite existing data

Published: Mar 26, 2026
Source: NVD
CVE-2026-1430 MEDIUM - 4.8

The WP Lightbox 2 WordPress plugin before 3.0.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Published: Mar 26, 2026
Source: NVD
CVE-2025-15488 MEDIUM - 6.5

The Responsive Plus WordPress plugin before 3.4.3 is vulnerable to arbitrary shortcode execution due to the software allowing unauthenticated users to execute the update_responsive_woo_free_shipping_left_shortcode AJAX action that does not properly validate the content_rech_data parameter before pr...

Vendor: Unknown
Product: Responsive Plus
Published: Mar 26, 2026
Source: NVD
CVE-2025-15433 MEDIUM - 6.8

The Shared Files WordPress plugin before 1.7.58 allows users with a role as low as Contributor to download any file on the web server (such as wp-config.php) via a path traversal vector

Vendor: Unknown
Product: Shared Files
Published: Mar 26, 2026
Source: NVD
CVE-2026-4846 MEDIUM - 4.3

A vulnerability has been found in dameng100 muucmf 1.9.5.20260309. The affected element is an unknown function of the file channel/admin.Account/autoReply.html. Such manipulation of the argument keyword leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been...

Published: Mar 26, 2026
Source: NVD
CVE-2026-4845 MEDIUM - 4.3

A flaw has been found in dameng100 muucmf 1.9.5.20260309. Impacted is an unknown function of the file /admin/Member/index.html. This manipulation of the argument Search causes cross site scripting. It is possible to initiate the attack remotely. The exploit has been published and may be used. The ve...

Published: Mar 26, 2026
Source: NVD
CVE-2026-1206 MEDIUM - 4.3

The Elementor Website Builder plugin for WordPress is vulnerable to Incorrect Authorization to Sensitive Information Exposure in all versions up to, and including, 3.35.7. This is due to a logic error in the is_allowed_to_read_template() function permission check that treats non-published templates ...

Published: Mar 26, 2026
Source: NVD
CVE-2026-4389 MEDIUM - 6.4

The DSGVO snippet for Leaflet Map and its Extensions plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `leafext-cookie-time` and `leafext-delete-cookie` shortcodes in all versions up to, and including, 3.1. This is due to insufficient input sanitization and output escaping on...

Published: Mar 26, 2026
Source: NVD
CVE-2026-4331 MEDIUM - 4.3

The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress is vulnerable to unauthorized data loss in all versions up to, and including, 8.8.2. This is due to the resetSocialMetaTags() function only verifying that the user has the 'read' capability and a valid b2s_securit...

Published: Mar 26, 2026
Source: NVD
CVE-2026-4281 MEDIUM - 5.3

The FormLift for Infusionsoft Web Forms plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 7.5.21. This is due to missing capability checks on the connect() and listen_for_tokens() methods of the FormLift_Infusionsoft_Manager class, both of which are ho...

Published: Mar 26, 2026
Source: NVD
CVE-2026-4278 MEDIUM - 6.4

The Simple Download Counter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'sdc_menu' shortcode in all versions up to, and including, 2.3. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes, specifically the &...

Published: Mar 26, 2026
Source: NVD
CVE-2026-33201 MEDIUM - 6.8

Digital Photo Frame GH-WDF10A provided by GREEN HOUSE CO., LTD. contains an active debug code vulnerability. If this vulnerability is exploited, files or configurations on the affected device may be read or written, or arbitrary files may be executed with root privileges.

Vendor: GREEN HOUSE CO., LTD.
Product: Digital Photo Frame GH-WDF10A
Published: Mar 26, 2026
Source: NVD
CVE-2026-4335 MEDIUM - 5.4

The ShortPixel Image Optimizer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the attachment post_title in all versions up to, and including, 6.4.3. This is due to insufficient output escaping in the getEditorPopup() function and its corresponding media-popup.php template. Spe...

Published: Mar 26, 2026
Source: NVD
CVE-2026-4075 MEDIUM - 6.4

The BWL Advanced FAQ Manager Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'baf_sbox' shortcode in all versions up to and including 1.1.1. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes such as '...

Published: Mar 26, 2026
Source: NVD
CVE-2026-1986 MEDIUM - 6.1

The FloristPress for Woo – Customize your eCommerce store for your Florist plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'noresults' parameter in all versions up to, and including, 7.8.2 due to insufficient input sanitization and output escaping on the user s...

Published: Mar 26, 2026
Source: NVD
CVE-2026-4836 MEDIUM - 6.3

A vulnerability was detected in code-projects Accounting System 1.0. The affected element is an unknown function of the file /my_account/delete.php. Performing a manipulation of the argument cos_id results in sql injection. It is possible to initiate the attack remotely. The exploit is now public an...

Published: Mar 26, 2026
Source: NVD
CVE-2026-4830 MEDIUM - 5.6

A vulnerability was identified in kalcaddle kodbox 1.64. This issue affects the function Add of the file app/controller/explorer/userShare.class.php of the component Public Share Handler. Such manipulation leads to unrestricted upload. The attack can be executed remotely. This attack is characterize...

Published: Mar 26, 2026
Source: NVD
CVE-2026-33515 MEDIUM - 6.5

Squid is a caching proxy for the Web. Prior to version 7.5, due to improper input validation, Squid is vulnerable to out of bounds read when handling ICP traffic. This problem allows a remote attacker to receive small amounts of memory potentially containing sensitive information when responding wit...

Vendor: squid-cache
Product: squid
Published: Mar 26, 2026
Source: NVD