Total CVEs

141,292

Critical Severity

3,799

High Severity

13,738

Last 7 Days

1,667
Quick preset (or use dates below)
Clear Filters
📅 Showing Year: 2026 (January 1 - December 31, 2026) View All Years →
Showing 10,481 - 10,500 of 37,697 CVEs
CVE-2026-3636 MEDIUM - 4.3

Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to sanitize team member data when returned via API to users without elevated permissions which allows a user without permissions to get data about team members roles via invoking various te...

Vendor: mattermost
Product: mattermost_server
Published: May 22, 2026
Source: NVD
CVE-2026-3473 HIGH - 7.1

Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to validate file ownership and access control, which allows an authenticated user to access and download files belonging to other users or teams via crafted Boards API requests using valid ...

Vendor: mattermost
Product: mattermost_server
Published: May 22, 2026
Source: NVD

STER uses unencrypted TCP traffic to transmit data over the network. It allows an attacker to conduct a Man-In-The-Middle attack and obtain sensitive data such as passwords, personal data, or authentication tokens. This issue was fixed in version 9.5.

Vendor: Centralny Instytut Ochrony Pracy - Państwowy Instytut Badawczy
Product: STER
Published: May 22, 2026
Source: NVD

Use of a weak password encoding algorithm in STER software allows the value of the password to be guessed after analyzing how passwords with known values are encoded. This issue was fixed in version 9.5.

Vendor: Centralny Instytut Ochrony Pracy - Państwowy Instytut Badawczy
Product: STER
Published: May 22, 2026
Source: NVD

A SQL injection vulnerability has been identified in STER. Improper neutralization of input provided by user into multiple Search Filters allows for SQL Injection attacks. It allows an authenticated attacker to view sensitive data such as data belonging to other users, or any other data that the app...

Vendor: Centralny Instytut Ochrony Pracy - Państwowy Instytut Badawczy
Product: STER
Published: May 22, 2026
Source: NVD
CVE-2026-9011 HIGH - 7.5

The Ditty – Responsive News Tickers, Sliders, and Lists plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.1.65. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated...

Published: May 22, 2026
Source: NVD
CVE-2026-8692 MEDIUM - 4.3

The Vedrixa Forms – User Registration Form, Signup Form & Drag & Drop Form Builder plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.1.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This mak...

Published: May 22, 2026
Source: NVD
CVE-2026-8684 MEDIUM - 5.3

The MotoPress Hotel Booking plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 6.0.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to overwrite or de...

Published: May 22, 2026
Source: NVD
CVE-2026-8679 HIGH - 7.5

The AudioIgniter plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 2.0.2. This is due to the handle_playlist_endpoint() function (hooked to template_redirect) accepting a user-controlled playlist ID via the audioigniter_playlist_id query var or ...

Published: May 22, 2026
Source: NVD
CVE-2026-8381 MEDIUM - 5.4

A broken access control vulnerability exists in the TeamViewer DEX Platform (On‑Premises) prior version 9.2. Certain backend API endpoints do not correctly enforce authorization checks, allowing an authenticated user with low privileges to perform actions and access resources intended only for highe...

Published: May 22, 2026
Source: NVD
CVE-2026-7798 MEDIUM - 5.4

The FluentCRM – Email Newsletter, Automation, Email Marketing, Email Campaigns, Optins, Leads, and CRM Solution plugin for WordPress is vulnerable to Blind Server-Side Request Forgery in all versions up to, and including, 2.9.87 via the 'SubscribeURL' parameter. This makes it possible for ...

Published: May 22, 2026
Source: NVD
CVE-2026-7636 MEDIUM - 4.3

The Slider by Soliloquy – Responsive Image Slider for WordPress plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.8.1 via the map_meta_cap. This makes it possible for authenticated attackers, with subscriber-level access and above, to extrac...

Published: May 22, 2026
Source: NVD
CVE-2026-7615 MEDIUM - 4.3

The Widget Context plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.3. This is due to missing or incorrect nonce validation on the save_widget_context_settings function. This makes it possible for unauthenticated attackers to modify widget vi...

Published: May 22, 2026
Source: NVD
CVE-2026-5072 MEDIUM - 6.5

A bitwise shift vulnerability in Zephyr's PTP subsystem allows a remote attacker to cause undefined behavior and potential system crashes. An attacker sends a crafted PTP_MSG_MANAGEMENT message to set an unvalidated negative log_announce_interval value in the port's data set. When a subseq...

Published: May 22, 2026
Source: NVD
CVE-2026-9104 MEDIUM - 6.4

The Draft List plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Draft Post Title in all versions up to, and including, 2.6.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inj...

Published: May 22, 2026
Source: NVD
CVE-2026-9018 HIGH - 8.8

The Easy Elements for Elementor – Addons & Website Templates plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.4.5 via the `easyel_handle_register()` function. This is due to the `wp_ajax_nopriv_eel_register` AJAX handler iterating the attacker-co...

Published: May 22, 2026
Source: NVD
CVE-2026-7509 MEDIUM - 6.4

The KIA Subtitle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `the-subtitle` shortcode `before` and `after` attributes in all versions up to, and including, 4.0.1. This is due to insufficient input sanitization and output escaping on user supplied attribute...

Published: May 22, 2026
Source: NVD
CVE-2026-7249 MEDIUM - 4.3

The Location Weather plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on the `splw_update_block_options()` and `lwp_clean_weather_transients()` functions in all versions up to, and including, 3.0.2. This makes it possible for authenticated atta...

Published: May 22, 2026
Source: NVD
CVE-2026-6864 MEDIUM - 6.1

The CBX 5 Star Rating & Review plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'page' parameter in all versions up to, and including, 1.0.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to i...

Published: May 22, 2026
Source: NVD
CVE-2026-4070 MEDIUM - 4.3

The Alfie – Feed Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.1. This is due to missing nonce validation on the alfie_manage() function which handles feed deletion via the 'delete' GET parameter. This makes it possible fo...

Published: May 22, 2026
Source: NVD