Total CVEs

141,292

Critical Severity

3,799

High Severity

13,738

Last 7 Days

1,830
Showing 8,781 - 8,800 of 13,738 CVEs
CVE-2019-25573 HIGH - 7.1

Green CMS 2.x contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the cat parameter. Attackers can send GET requests to index.php with m=admin, c=posts, a=index parameters and inject SQL code in the cat para...

Vendor: Greencms
Product: Green CMS
Published: Mar 21, 2026
Source: NVD
CVE-2019-25560 HIGH - 7.5

Lyric Video Creator 2.1 contains a denial of service vulnerability that allows attackers to crash the application by processing malformed MP3 files. Attackers can create a crafted MP3 file with an oversized buffer and trigger the crash by opening the file through the Browse song functionality.

Vendor: Lyricvideocreator
Product: Lyric Video Creator
Published: Mar 21, 2026
Source: NVD
CVE-2019-25552 HIGH - 7.5

CEWE PHOTO SHOW 6.4.3 contains a denial of service vulnerability that allows attackers to crash the application by submitting an excessively long buffer to the password field. Attackers can paste a large string of repeated characters into the password input during the upload process to trigger an ap...

Vendor: Cewe-Photoworld
Product: CEWE PHOTO SHOW
Published: Mar 21, 2026
Source: NVD
CVE-2026-4373 HIGH - 7.5

The JetFormBuilder plugin for WordPress is vulnerable to arbitrary file read via path traversal in all versions up to, and including, 3.5.6.2. This is due to the 'Uploaded_File::set_from_array' method accepting user-supplied file paths from the Media Field preset JSON payload without valid...

Published: Mar 21, 2026
Source: NVD
CVE-2026-4261 HIGH - 8.8

The Expire Users plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.2.2. This is due to the plugin allowing a user to update the 'on_expire_default_to_role' meta through the 'save_extra_user_profile_fields' function. This makes it p...

Published: Mar 21, 2026
Source: NVD
CVE-2026-3478 HIGH - 7.2

The Content Syndication Toolkit plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.3 via the redux_p AJAX action in the bundled ReduxFramework library. The plugin registers a proxy endpoint (wp_ajax_nopriv_redux_p) that is accessible to unauthen...

Published: Mar 21, 2026
Source: NVD
CVE-2026-3334 HIGH - 8.8

The CMS Commander plugin for WordPress is vulnerable to SQL Injection via the 'or_blogname', 'or_blogdescription', and 'or_admin_email' parameters in all versions up to, and including, 2.288. This is due to insufficient escaping on the user supplied parameters and lack ...

Published: Mar 21, 2026
Source: NVD
CVE-2026-3003 HIGH - 7.2

The Vagaro Booking Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘vagaro_code’ parameter in all versions up to, and including, 0.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary w...

Published: Mar 21, 2026
Source: NVD
CVE-2026-2941 HIGH - 8.8

The Linksy Search and Replace plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'linksy_search_and_replace_item_details' function in all versions up to, and including, 1.0.4. This makes it possible for authenticated attackers, ...

Published: Mar 21, 2026
Source: NVD
CVE-2026-2468 HIGH - 7.5

The Quentn WP plugin for WordPress is vulnerable to SQL Injection via the 'qntn_wp_access' cookie in all versions up to, and including, 1.2.12. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query in the `get_user_...

Published: Mar 21, 2026
Source: NVD
CVE-2026-2440 HIGH - 7.2

The SurveyJS plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.5.3 via survey result submissions. This is due to insufficient input sanitization and output escaping. The public survey page exposes the nonce required for submission, allowing una...

Published: Mar 21, 2026
Source: NVD
CVE-2026-2279 HIGH - 7.2

The myLinksDump plugin for WordPress is vulnerable to SQL Injection via the 'sort_by' and 'sort_order' parameters in all versions up to, and including, 1.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. Th...

Published: Mar 21, 2026
Source: NVD
CVE-2026-1800 HIGH - 7.5

The Fonts Manager | Custom Fonts plugin for WordPress is vulnerable to time-based SQL Injection via the ‘fmcfIdSelectedFnt’ parameter in all versions up to, and including, 1.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. T...

Published: Mar 21, 2026
Source: NVD
CVE-2026-1648 HIGH - 7.2

The Performance Monitor plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.0.6. This is due to insufficient validation of the 'url' parameter in the '/wp-json/performance-monitor/v1/curl_data' REST API endpoint. This makes it...

Published: Mar 21, 2026
Source: NVD
CVE-2026-1313 HIGH - 8.3

The MimeTypes Link Icons plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 3.2.20. This is due to the plugin making outbound HTTP requests to user-controlled URLs without proper validation when the "Show file size" option is enabled. Th...

Published: Mar 21, 2026
Source: NVD
CVE-2025-14037 HIGH - 8.1

The Invelity Product Feeds plugin for WordPress is vulnerable to arbitrary file deletion via path traversal in all versions up to, and including, 1.2.6. This is due to missing validation and sanitization in the 'createManageFeedPage' function. This makes it possible for authenticated admin...

Vendor: invelity
Product: Invelity Product Feeds
Published: Mar 21, 2026
Source: NVD
CVE-2026-4302 HIGH - 7.2

The WowOptin: Next-Gen Popup Maker plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.4.29. This is due to the plugin exposing a publicly accessible REST API endpoint (optn/v1/integration-action) with a permission_callback of __return_true that ...

Published: Mar 21, 2026
Source: NVD
CVE-2026-32064 HIGH - 7.7

OpenClaw versions prior to 2026.2.21 sandbox browser entrypoint launches x11vnc without authentication for noVNC observer sessions, allowing unauthenticated access to the VNC interface. Remote attackers on the host loopback interface can connect to the exposed noVNC port to observe or interact with ...

Vendor: OpenClaw
Product: OpenClaw
Published: Mar 21, 2026
Source: NVD
CVE-2026-32056 HIGH - 7.5

OpenClaw versions prior to 2026.2.22 fail to sanitize shell startup environment variables HOME and ZDOTDIR in the system.run function, allowing attackers to bypass command allowlist protections. Remote attackers can inject malicious startup files such as .bash_profile or .zshenv to achieve arbitrary...

Vendor: OpenClaw
Product: OpenClaw
Published: Mar 21, 2026
Source: NVD
CVE-2026-32055 HIGH - 7.6

OpenClaw versions prior to 2026.2.26 contain a path traversal vulnerability in workspace boundary validation that allows attackers to write files outside the workspace through in-workspace symlinks pointing to non-existent out-of-root targets. The vulnerability exists because the boundary check impr...

Vendor: OpenClaw
Product: OpenClaw
Published: Mar 21, 2026
Source: NVD