Total CVEs

142,250

Critical Severity

3,947

High Severity

14,209

Last 7 Days

1,911
Showing 11,661 - 11,680 of 14,209 CVEs
CVE-2026-2544 HIGH - 7.3

A security flaw has been discovered in yued-fe LuLu UI up to 3.0.0. This issue affects the function child_process.exec of the file run.js. The manipulation results in os command injection. The attack can be launched remotely. The vendor was contacted early about this disclosure but did not respond i...

Published: Feb 16, 2026
Source: NVD
CVE-2026-2542 HIGH - 7.0

A weakness has been identified in Total VPN 0.5.29.0 on Windows. Affected by this vulnerability is an unknown functionality of the file C:\Program Files\Total VPN\win-service.exe. Executing a manipulation can lead to unquoted search path. It is possible to launch the attack on the local host. This a...

Published: Feb 16, 2026
Source: NVD
CVE-2026-2538 HIGH - 7.0

A security flaw has been discovered in Flos Freeware Notepad2 4.2.22/4.2.23/4.2.24/4.2.25. Affected is an unknown function in the library Msimg32.dll. Performing a manipulation results in uncontrolled search path. Attacking locally is a requirement. The attack's complexity is rated as high. The...

Published: Feb 16, 2026
Source: NVD
CVE-2026-0929 HIGH - 7.5

The RegistrationMagic WordPress plugin before 6.0.7.2 does not have proper capability checks, allowing subscribers and above to create forms on the site.

Published: Feb 16, 2026
Source: NVD
CVE-2026-2533 HIGH - 7.3

A flaw has been found in Tosei Self-service Washing Machine 4.02. Impacted is an unknown function of the file /cgi-bin/tosei_datasend.php. Executing a manipulation of the argument adr_txt_1 can lead to command injection. It is possible to launch the attack remotely. The exploit has been published an...

Published: Feb 16, 2026
Source: NVD
CVE-2026-26368 HIGH - 8.8

eNet SMART HOME server 2.2.1 and 2.3.1 contains a missing authorization vulnerability in the resetUserPassword JSON-RPC method that allows any authenticated low-privileged user (UG_USER) to reset the password of arbitrary accounts, including those in the UG_ADMIN and UG_SUPER_ADMIN groups, without s...

Vendor: JUNG
Product: eNet SMART HOME server
Published: Feb 15, 2026
Source: NVD
CVE-2026-2516 HIGH - 7.0

A vulnerability was identified in Unidocs ezPDF DRM Reader and ezPDF Reader 2.0/3.0.0.4 on 32-bit. This affects an unknown part in the library SHFOLDER.dll. Such manipulation leads to uncontrolled search path. The attack needs to be performed locally. Attacks of this nature are highly complex. It is...

Published: Feb 15, 2026
Source: NVD
CVE-2025-32062 HIGH - 8.8

The specific flaw exists within the Bluetooth stack developed by Alps Alpine of the Infotainment ECU manufactured by Bosch. The issue results from the lack of proper boundary validation of user-supplied data, which can result in a stack-based buffer overflow when receiving a specific packet on the e...

Vendor: Bosch
Product: Infotainment system ECU
Published: Feb 15, 2026
Source: NVD
CVE-2025-32061 HIGH - 8.8

The specific flaw exists within the Bluetooth stack developed by Alps Alpine of the Infotainment ECU manufactured by Bosch. The issue results from the lack of proper boundary validation of user-supplied data, which can result in a stack-based buffer overflow when receiving a specific packet on the e...

Vendor: Bosch
Product: Infotainment system ECU
Published: Feb 15, 2026
Source: NVD
CVE-2025-32059 HIGH - 8.8

The specific flaw exists within the Bluetooth stack developed by Alps Alpine of the Infotainment ECU manufactured by Bosch. The issue results from the lack of proper boundary validation of user-supplied data, which can result in a stack-based buffer overflow when receiving a specific packet on the e...

Vendor: Bosch
Product: Infotainment system ECU
Published: Feb 15, 2026
Source: NVD
CVE-2026-1750 HIGH - 8.8

The Ecwid by Lightspeed Ecommerce Shopping Cart plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 7.0.7. This is due to a missing capability check in the 'save_custom_user_profile_fields' function. This makes it possible for authenticated atta...

Published: Feb 15, 2026
Source: NVD
CVE-2026-1843 HIGH - 7.2

The Super Page Cache plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Activity Log in all versions up to, and including, 5.2.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in ...

Published: Feb 14, 2026
Source: NVD
CVE-2026-2024 HIGH - 7.5

The PhotoStack Gallery plugin for WordPress is vulnerable to SQL Injection via the 'postid' parameter in all versions up to, and including, 0.4.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible...

Published: Feb 14, 2026
Source: NVD
CVE-2026-1988 HIGH - 7.5

The Flexi Product Slider and Grid for WooCommerce plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.0.5 via the `flexipsg_carousel` shortcode. This is due to the `theme` parameter being directly concatenated into a file path without proper sanitizatio...

Published: Feb 14, 2026
Source: NVD
CVE-2026-0753 HIGH - 7.2

The Super Simple Contact Form plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'sscf_name' parameter in all versions up to, and including, 1.6.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to i...

Published: Feb 14, 2026
Source: NVD
CVE-2026-0745 HIGH - 7.2

The User Language Switch plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.6.10 due to missing URL validation on the 'download_language()' function. This makes it possible for authenticated attackers, with Administrator-level access a...

Published: Feb 14, 2026
Source: NVD
CVE-2026-2469 HIGH - 7.6

Versions of the package directorytree/imapengine before 1.22.3 are vulnerable to Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') via the id() function in ImapConnection.php due to improperly escaping user input before including it in IMAP ...

Vendor: composer
Product: directorytree/imapengine
Published: Feb 14, 2026
Source: NVD
CVE-2026-2144 HIGH - 8.1

The Magic Login Mail or QR Code plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 2.05. This is due to the plugin storing the magic login QR code image with a predictable, static filename (QR_Code.png) in the publicly accessible WordPress uploads direct...

Published: Feb 14, 2026
Source: NVD
CVE-2026-0692 HIGH - 7.5

The BlueSnap Payment Gateway for WooCommerce plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.3.0. This is due to the plugin relying on WooCommerce's `WC_Geolocation::get_ip_address()` function to validate IPN requests, which trusts user-contro...

Published: Feb 14, 2026
Source: NVD
CVE-2026-24853 HIGH - 8.1

Caido is a web security auditing toolkit. Prior to 0.55.0, Caido blocks non-whitelisted domains from reaching out through port 8080, and shows "Host/IP is not allowed to connect to Caido" on all endpoints. But this is bypassable by injecting an X-Forwarded-Host: 127.0.0.1:8080 header. This vulnerability...

Vendor: caido
Product: caido
Published: Feb 13, 2026
Source: NVD