Total CVEs

142,027

Critical Severity

3,943

High Severity

14,108

Last 7 Days

1,712
Quick preset (or use dates below)
Clear Filters
Showing 11,481 - 11,500 of 14,604 CVEs
CVE-2025-12172 MEDIUM - 4.3

The Mailchimp List Subscribe Form plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.0. This is due to missing or incorrect nonce validation on the mailchimp_sf_change_list_if_necessary() function. This makes it possible for unauthenticated att...

Vendor: mailchimp
Product: Mailchimp List Subscribe Form
Published: Feb 19, 2026
Source: NVD
CVE-2025-12117 MEDIUM - 6.4

The Renden theme for WordPress is vulnerable to Stored Cross-Site Scripting via the post title in all versions up to, and including, 1.8.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to injec...

Vendor: thinkupthemes
Product: Renden
Published: Feb 19, 2026
Source: NVD
CVE-2025-12116 MEDIUM - 6.4

The Drift theme for WordPress is vulnerable to Stored Cross-Site Scripting via the post title in all versions up to, and including, 1.5.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject...

Vendor: thinkupthemes
Product: Drift
Published: Feb 19, 2026
Source: NVD
CVE-2025-12081 MEDIUM - 4.3

The ACF Photo Gallery Field plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the "acf_photo_gallery_edit_save" function in all versions up to, and including, 3.0. This makes it possible for authenticated attackers, with subscriber...

Vendor: navzme
Product: ACF Photo Gallery Field
Published: Feb 19, 2026
Source: NVD
CVE-2025-12027 MEDIUM - 4.3

The Mesmerize Companion plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on the "openPageInCustomizer" and "openPageInDefaultEditor" functions in all versions up to, and including, 1.6.158. This makes it possible...

Vendor: horearadu
Product: Mesmerize Companion
Published: Feb 19, 2026
Source: NVD
CVE-2025-11725 MEDIUM - 6.5

The Aruba HiSpeed Cache plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability checks on the multiple functions in all versions up to, and including, 3.0.2. This makes it possible for unauthenticated attackers to modify plugin's configuration setting...

Vendor: arubadev
Product: Aruba HiSpeed Cache
Published: Feb 19, 2026
Source: NVD
CVE-2025-11706 MEDIUM - 6.1

The Aruba HiSpeed Cache plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the dbstatus parameter in all versions up to, and including, 3.0.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web...

Vendor: arubadev
Product: Aruba HiSpeed Cache
Published: Feb 19, 2026
Source: NVD
CVE-2026-2683 MEDIUM - 4.3

A vulnerability was found in Tsinghua Unigroup Electronic Archives System 3.2.210802(62532). The affected element is an unknown function of the file /Using/Subject/downLoad.html. Performing a manipulation of the argument path results in path traversal. The attack may be initiated remotely. The explo...

Published: Feb 18, 2026
Source: NVD
CVE-2026-2682 MEDIUM - 6.3

A vulnerability has been found in Tsinghua Unigroup Electronic Archives System up to 3.2.210802(62532). Impacted is an unknown function of the file /mine/PublicReport/prinReport.html?token=java. Such manipulation of the argument comid leads to sql injection. The attack can be launched remotely. The ...

Published: Feb 18, 2026
Source: NVD
CVE-2026-2676 MEDIUM - 6.3

A weakness has been identified in GoogTech sms-ssm up to e8534c766fd13f5f94c01dab475d75f286918a8d. Affected by this issue is the function preHandle of the file LoginInterceptor.java of the component API Interface. Executing a manipulation can lead to improper authorization. The attack may be perform...

Published: Feb 18, 2026
Source: NVD
CVE-2026-26281 MEDIUM - 4.4

InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A stored cross-site scripting (XSS) vulnerability in the Sumex invoice view allows an authenticated user with client and invoice management privileges to execute arbitrary JavaScript in the browser of...

Vendor: InvoicePlane
Product: InvoicePlane
Published: Feb 18, 2026
Source: NVD
CVE-2026-26270 MEDIUM - 5.4

InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability exists in InvoicePlane (latest version) that allows an authenticated user with permissions to manage Invoice Groups to inject malicious JavaScript int...

Vendor: InvoicePlane
Product: InvoicePlane
Published: Feb 18, 2026
Source: NVD
CVE-2026-25596 MEDIUM - 4.8

InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability exists in InvoicePlane 1.7.0 via the Product Unit Name fields. An authenticated administrator can inject malicious JavaScript that executes when any a...

Vendor: InvoicePlane
Product: InvoicePlane
Published: Feb 18, 2026
Source: NVD
CVE-2026-25595 MEDIUM - 4.8

InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability exists in InvoicePlane 1.7.0 via the Invoice Number field. An authenticated administrator can inject malicious JavaScript that executes when any admin...

Vendor: InvoicePlane
Product: InvoicePlane
Published: Feb 18, 2026
Source: NVD
CVE-2026-25594 MEDIUM - 4.8

InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability exists in InvoicePlane 1.7.0 via the Family Name field. The `family_name` value is rendered without HTML encoding inside the family dropdown on the pr...

Vendor: InvoicePlane
Product: InvoicePlane
Published: Feb 18, 2026
Source: NVD
CVE-2026-24745 MEDIUM - 5.7

InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability occurs in the upload Login Logo functions of InvoicePlane version 1.7.0. In the Upload Login Logo, the application allows uploading svg files. Althoug...

Vendor: InvoicePlane
Product: InvoicePlane
Published: Feb 18, 2026
Source: NVD
CVE-2026-27009 MEDIUM - 5.8

OpenClaw is a personal AI assistant. Prior to version 2026.2.15, a atored XSS issue in the OpenClaw Control UI when rendering assistant identity (name/avatar) into an inline `<script>` tag without script-context-safe escaping. A crafted value containing `</script>` could break out of the...

Vendor: npm
Product: openclaw
Published: Feb 18, 2026
Source: GitHub
CVE-2026-27008 MEDIUM - 6.7

OpenClaw is a personal AI assistant. Prior to version 2026.2.15, a bug in `download` skill installation allowed `targetDir` values from skill frontmatter to resolve outside the per-skill tools directory if not strictly validated. In the admin-only `skills.install` flow, this could write files outsid...

Vendor: npm
Product: openclaw
Published: Feb 18, 2026
Source: GitHub
CVE-2026-27007 MEDIUM - 3.3

OpenClaw is a personal AI assistant. Prior to version 2026.2.15, `normalizeForHash` in `src/agents/sandbox/config-hash.ts` recursively sorted arrays that contained only primitive values. This made order-sensitive sandbox configuration arrays hash to the same value even when order changed. In OpenCla...

Vendor: npm
Product: openclaw
Published: Feb 18, 2026
Source: GitHub
CVE-2026-27004 MEDIUM - 5.5

OpenClaw is a personal AI assistant. Prior to version 2026.2.15, in some shared-agent deployments, OpenClaw session tools (`sessions_list`, `sessions_history`, `sessions_send`) allowed broader session targeting than some operators intended. This is primarily a configuration/visibility-scoping issue ...

Vendor: npm
Product: openclaw
Published: Feb 18, 2026
Source: GitHub