Total CVEs

142,027

Critical Severity

3,943

High Severity

14,108

Last 7 Days

1,724
Showing Year: 2026 (January 1 - December 31, 2026)
Showing 10,861 - 10,880 of 14,221 CVEs
CVE-2025-56605 MEDIUM - 5.4

A reflected Cross-Site Scripting (XSS) vulnerability exists in the register.php backend script of PuneethReddyHC Event Management System 1.0. The mobile POST parameter is improperly validated and echoed back in the HTTP response without sanitization, allowing an attacker to inject and execute arbitr...

Published: Feb 26, 2026
Source: NVD
CVE-2026-26077 MEDIUM - 6.5

Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, several webhook endpoints (SendGrid, Mailjet, Mandrill, Postmark, SparkPost) in the `WebhooksController` accepted requests without a valid authentication token when no token was configured. This all...

Vendor: discourse
Product: discourse
Published: Feb 26, 2026
Source: NVD
CVE-2026-2680 MEDIUM - 6.1

Reflected Cross-Site Scripting (XSS) on the A3factura web platform, in parameter 'customerVATNumber', in 'a3factura-app.wolterskluwer.es/#/incomes/salesDeliveryNotes' endpoint, which could allow an attacker to execute arbitrary code in the victim's browser.

Vendor: wolterskluwer
Product: a3factura
Published: Feb 26, 2026
Source: NVD
CVE-2026-2679 MEDIUM - 6.1

Reflected Cross-Site Scripting (XSS) on the A3factura web platform, in parameter 'customerName', in 'a3factura-app.wolterskluwer.es/#/incomes/salesInvoices' endpoint, which could allow an attacker to execute arbitrary code in the victim's browser.

Vendor: wolterskluwer
Product: a3factura
Published: Feb 26, 2026
Source: NVD
CVE-2026-2678 MEDIUM - 6.1

Reflected Cross-Site Scripting (XSS) on the A3factura web platform, in parameter 'name', in 'a3factura-app.wolterskluwer.es/#/incomes/customers' endpoint, which could allow an attacker to execute arbitrary code in the victim's browser.

Vendor: wolterskluwer
Product: a3factura
Published: Feb 26, 2026
Source: NVD
CVE-2026-2677 MEDIUM - 6.1

Reflected Cross-Site Scripting (XSS) on the A3factura web platform, in parameter 'name', in 'a3factura-app.wolterskluwer.es/#/incomes/representatives-management' endpoint, which could allow an attacker to execute arbitrary code in the victim's browser.

Vendor: wolterskluwer
Product: a3factura
Published: Feb 26, 2026
Source: NVD
CVE-2025-64999 MEDIUM - 5.4

Improper neutralization of input in Checkmk versions 2.4.0 before 2.4.0p22, and 2.3.0 before 2.3.0p43 allows an attacker that can manipulate a host's check output to inject malicious JavaScript into the Synthetic Monitoring HTML logs, which can then be accessed via a crafted phishing link.

Vendor: Checkmk GmbH
Product: Checkmk
Published: Feb 26, 2026
Source: NVD
CVE-2026-28132 MEDIUM - 5.3

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in villatheme WooCommerce Photo Reviews woocommerce-photo-reviews allows Code Injection. This issue affects WooCommerce Photo Reviews: from n/a through <= 1.4.4.

Vendor: villatheme
Product: WooCommerce Photo Reviews
Published: Feb 26, 2026
Source: NVD
CVE-2026-28131 MEDIUM - 6.5

Insertion of Sensitive Information Into Sent Data vulnerability in WPVibes Elementor Addon Elements addon-elements-for-elementor-page-builder allows Retrieve Embedded Sensitive Data. This issue affects Elementor Addon Elements: from n/a through <= 1.14.4.

Vendor: WPVibes
Product: Elementor Addon Elements
Published: Feb 26, 2026
Source: NVD
CVE-2026-28083 MEDIUM - 6.5

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in UX-themes Flatsome flatsome allows Stored XSS. This issue affects Flatsome: from n/a through <= 3.20.1.

Vendor: UX-themes
Product: Flatsome
Published: Feb 26, 2026
Source: NVD
CVE-2026-2356 MEDIUM - 5.3

The User Registration & Membership – Custom Registration Form, Login Form, and User Profile plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.2 via the 'register_member' function, due to missing validation on the 'memb...

Published: Feb 26, 2026
Source: NVD
CVE-2026-27974 MEDIUM - 4.8

Audiobookshelf is a self-hosted audiobook and podcast server. A cross-site scripting (XSS) vulnerability exists in versions prior to 0.12.0-beta of the Audiobookshelf mobile application that allows arbitrary JavaScript execution through malicious library metadata. Attackers with library modification...

Vendor: advplyr
Product: audiobookshelf-app
Published: Feb 26, 2026
Source: NVD
CVE-2026-27963 MEDIUM - 4.8

Audiobookshelf is a self-hosted audiobook and podcast server. A stored cross-site scripting (XSS) vulnerability exists in versions prior to 2.32.0 of the Audiobookshelf web application that allows arbitrary JavaScript execution through malicious library metadata. Attackers with library modification ...

Vendor: advplyr
Product: audiobookshelf
Published: Feb 26, 2026
Source: NVD
CVE-2026-25963 MEDIUM - 6.5

Fleet is open source device management software. In versions prior to 4.80.1, a broken authorization check in Fleet’s certificate template deletion API could allow a team administrator to delete certificate templates belonging to other teams within the same Fleet instance. Fleet supports certificate...

Vendor: fleetdm
Product: fleet
Published: Feb 26, 2026
Source: NVD
CVE-2026-24004 MEDIUM - 5.3

Fleet is open source device management software. In versions prior to 4.80.1, a vulnerability in Fleet’s Android MDM Pub/Sub handling could allow unauthenticated requests to trigger device unenrollment events. This may result in unauthorized removal of individual Android devices from Fleet managemen...

Vendor: fleetdm
Product: fleet
Published: Feb 26, 2026
Source: NVD
CVE-2026-23999 MEDIUM - 5.5

Fleet is open source device management software. In versions prior to 4.80.1, Fleet generated device lock and wipe PINs using a predictable algorithm based solely on the current Unix timestamp. Because no secret key or additional entropy was used, the resulting PIN could potentially be derived if th...

Vendor: fleetdm
Product: fleet
Published: Feb 26, 2026
Source: NVD
CVE-2026-2506 MEDIUM - 6.1

The EM Cost Calculator plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.3.1. This is due to the plugin storing attacker-controlled 'customer_name' data and rendering it in the admin customer list without output escaping. This makes it po...

Published: Feb 26, 2026
Source: NVD
CVE-2026-2499 MEDIUM - 4.4

The Custom Logo plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and abov...

Published: Feb 26, 2026
Source: NVD
CVE-2026-2498 MEDIUM - 4.4

The WP Social Meta plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and...

Published: Feb 26, 2026
Source: NVD
CVE-2026-2489 MEDIUM - 4.4

The TP2WP Importer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Watched domains' textarea on the attachment importer settings page in all versions up to, and including, 1.1. This is due to insufficient input sanitization and output escaping when domains are sa...

Published: Feb 26, 2026
Source: NVD