Total CVEs

141,537

Critical Severity

3,871

High Severity

13,923

Last 7 Days

1,585
Showing 10,181 - 10,200 of 14,444 CVEs
CVE-2026-3662 MEDIUM - 4.7

A vulnerability has been found in Wavlink WL-NU516U1 240425. This vulnerability affects the function usb_p910 of the file /cgi-bin/adm.cgi. Such manipulation of the argument Pr_mode leads to command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public...

Vendor: wavlink
Product: wl-nu516u1_firmware
Published: Mar 07, 2026
Source: NVD
CVE-2026-3661 MEDIUM - 4.7

A flaw has been found in Wavlink WL-NU516U1 240425. This affects the function ota_new_upgrade of the file /cgi-bin/adm.cgi. This manipulation of the argument model causes command injection. It is possible to initiate the attack remotely. The exploit has been published and may be used. The vendor was...

Vendor: wavlink
Product: wl-nu516u1_firmware
Published: Mar 07, 2026
Source: NVD
CVE-2026-2433 MEDIUM - 6.1

The RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging plugin for WordPress is vulnerable to DOM-Based Cross-Site Scripting via postMessage in all versions up to, and including, 5.0.11. This is due to the plugin's admin-shell.js registering a global message event listener w...

Published: Mar 07, 2026
Source: NVD
CVE-2026-2420 MEDIUM - 4.4

The LotekMedia Popup Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin settings in all versions up to, and including, 1.0.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Administrator-level acc...

Published: Mar 07, 2026
Source: NVD
CVE-2026-1825 MEDIUM - 6.4

The Show YouTube video plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'syv' shortcode in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authen...

Published: Mar 07, 2026
Source: NVD
CVE-2026-1824 MEDIUM - 6.4

The Infomaniak Connect for OpenID plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'endpoint_login' parameter of the infomaniak_connect_generic_auth_url shortcode in all versions up to, and including, 1.0.2 due to insufficient input sanitization and output escaping...

Published: Mar 07, 2026
Source: NVD
CVE-2026-1823 MEDIUM - 6.4

The Consensus Embed plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's consensus shortcode in all versions up to, and including, 1.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated a...

Published: Mar 07, 2026
Source: NVD
CVE-2026-1820 MEDIUM - 6.4

The Media Library Alt Text Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'bvmalt_sc_div_update_alt_text' shortcode in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping on user supplied attrib...

Published: Mar 07, 2026
Source: NVD
CVE-2026-1805 MEDIUM - 6.4

The DA Media GigList plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's damedia_giglist shortcode in all versions up to, and including, 1.9.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authen...

Published: Mar 07, 2026
Source: NVD
CVE-2026-1574 MEDIUM - 6.4

The MyQtip – easy qTip2 plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `myqtip` shortcode in all versions up to, and including, 2.0.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authentica...

Published: Mar 07, 2026
Source: NVD
CVE-2026-1569 MEDIUM - 6.4

The Wueen plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `wueen-blocket` shortcode in all versions up to, and including, 0.2.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated att...

Published: Mar 07, 2026
Source: NVD
CVE-2026-1087 MEDIUM - 4.3

The Guardian News Feed plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2. This is due to missing nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to modify the plugin's settings, ...

Published: Mar 07, 2026
Source: NVD
CVE-2026-1086 MEDIUM - 4.3

The Font Pairing Preview For Landing Pages plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3. This is due to missing nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to modify the plug...

Published: Mar 07, 2026
Source: NVD
CVE-2026-1085 MEDIUM - 4.3

The True Ranker plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.2.9. This is due to missing nonce validation on the seolocalrank-signout action. This makes it possible for unauthenticated attackers to disconnect the administrator's True R...

Published: Mar 07, 2026
Source: NVD
CVE-2026-1073 MEDIUM - 4.3

The Purchase Button For Affiliate Link plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.2. This is due to missing nonce validation on the settings page form handler in `inc/purchase-btn-options-page.php`. This makes it possible for unauthenti...

Published: Mar 07, 2026
Source: NVD
CVE-2026-1071 MEDIUM - 4.4

The Carta Online plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.13.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and ...

Published: Mar 07, 2026
Source: NVD
CVE-2026-30842 MEDIUM - 4.3

Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, Wallos allows an authenticated user to delete avatar files uploaded by other users. The avatar deletion endpoint does not verify that the requested avatar belongs to the current user. As a result, any auth...

Vendor: ellite
Product: Wallos
Published: Mar 07, 2026
Source: NVD
CVE-2026-30841 MEDIUM - 6.1

Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, passwordreset.php outputs $_GET["token"] and $_GET["email"] directly into HTML input value attributes using <?= $token ?> and <?= $email ?> without calling htmlspecialchars(...

Vendor: ellite
Product: Wallos
Published: Mar 07, 2026
Source: NVD
CVE-2026-30839 MEDIUM - 4.3

Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, testwebhooknotifications.php does not validate the target URL against private/reserved IP ranges, enabling full-read SSRF. The server response is returned to the caller. This issue has been patched in vers...

Vendor: ellite
Product: Wallos
Published: Mar 07, 2026
Source: NVD
CVE-2026-30829 MEDIUM - 5.3

Checkmate is an open-source, self-hosted tool designed to track and monitor server hardware, uptime, response times, and incidents in real-time with beautiful visualizations. Prior to version 3.4.0, an unauthenticated information disclosure vulnerability exists in the GET /api/v1/status-page/:url en...

Vendor: bluewave-labs
Product: Checkmate
Published: Mar 07, 2026
Source: NVD