Total CVEs

142,027

Critical Severity

3,943

High Severity

14,108

Last 7 Days

1,704
Showing 11,721 - 11,740 of 14,604 CVEs
CVE-2019-25373 MEDIUM - 6.4

OPNsense 19.1 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by submitting crafted input to the category parameter. Attackers can send POST requests to firewall_rules_edit.php with script payloads in the category field to execute ...

Vendor: Opnsense
Product: OPNsense
Published: Feb 15, 2026
Source: NVD
CVE-2019-25372 MEDIUM - 6.1

OPNsense 19.1 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by exploiting insufficient input validation in the host parameter. Attackers can submit crafted payloads through POST requests to diag_traceroute.php to execute arb...

Vendor: Opnsense
Product: OPNsense
Published: Feb 15, 2026
Source: NVD
CVE-2019-25371 MEDIUM - 6.1

OPNsense 19.1 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by exploiting insufficient input validation in the host parameter. Attackers can submit crafted POST requests to the diag_ping.php endpoint with script payloads in ...

Vendor: Opnsense
Product: OPNsense
Published: Feb 15, 2026
Source: NVD
CVE-2019-25370 MEDIUM - 6.1

OPNsense 19.1 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by submitting crafted input through multiple parameters. Attackers can send POST requests to interfaces_vlan_edit.php with script payloads in the tag, descr, or vlanif parameters t...

Vendor: Opnsense
Product: OPNsense
Published: Feb 15, 2026
Source: NVD
CVE-2019-25369 MEDIUM - 6.4

OPNsense 19.1 contains a stored cross-site scripting vulnerability in the system_advanced_sysctl.php endpoint that allows attackers to inject persistent malicious scripts via the tunable parameter. Attackers can submit POST requests with script payloads that are stored and executed in the context of...

Vendor: Opnsense
Product: OPNsense
Published: Feb 15, 2026
Source: NVD
CVE-2019-25368 MEDIUM - 5.4

OPNsense 19.1 contains multiple cross-site scripting vulnerabilities in the diag_backup.php endpoint that allow attackers to inject malicious scripts through multiple parameters including GDrive_GDriveEmail, GDrive_GDriveFolderID, GDrive_GDriveBackupCount, Nextcloud_url, Nextcloud_user, Nextcloud_pa...

Vendor: Opnsense
Product: OPNsense
Published: Feb 15, 2026
Source: NVD
CVE-2019-25367 MEDIUM - 5.4

ArangoDB Community Edition 3.4.2-1 contains multiple cross-site scripting vulnerabilities in the Aardvark web admin interface (index.html) through search, user management, and API parameters. Attackers can inject scripts via parameters in /_db/_system/_admin/aardvark/index.html to execute JavaScript...

Vendor: Arangodb
Product: ArangoDB Community Edition
Published: Feb 15, 2026
Source: NVD
CVE-2026-2517 MEDIUM - 5.3

A security flaw has been discovered in Open5GS up to 2.7.6. This vulnerability affects the function ogs_gtp2_parse_tft in the library lib/gtp/v2/types.c of the component SMF. Performing a manipulation of the argument pf[0].content.length results in denial of service. The attack is possible to be car...

Vendor: open5gs
Product: open5gs
Published: Feb 15, 2026
Source: NVD
CVE-2025-32063 MEDIUM - 6.8

There is a misconfiguration vulnerability inside the Infotainment ECU manufactured by BOSCH. The vulnerability happens during the startup phase of a specific systemd service, and as a result, the following developer features will be activated: the disabled firewall and the launched SSH server. Fi...

Vendor: Bosch
Product: Infotainment system ECU
Published: Feb 15, 2026
Source: NVD
CVE-2025-32060 MEDIUM - 6.7

The system suffers from the absence of a kernel module signature verification. If an attacker can execute commands on behalf of root user (due to additional vulnerabilities), then he/she is also able to load custom kernel modules to the kernel space and execute code in the kernel context. Such a fla...

Vendor: Bosch
Product: Infotainment system ECU
Published: Feb 15, 2026
Source: NVD
CVE-2026-1793 MEDIUM - 6.5

The Element Pack Addons for Elementor plugin for WordPress is vulnerable to arbitrary file reads in all versions up to, and including, 8.3.17 via the SVG widget and a lack of sufficient file validation in the 'render_svg' function. This makes it possible for authenticated attackers, with c...

Published: Feb 15, 2026
Source: NVD
CVE-2026-2312 MEDIUM - 4.3

The Media Library Folders plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 8.3.6 via the delete_maxgalleria_media() and maxgalleria_rename_image() functions due to missing validation on a user controlled key. This makes it possible for auth...

Published: Feb 14, 2026
Source: NVD
CVE-2026-1512 MEDIUM - 6.4

The Essential Addons for Elementor – Popular Elementor Templates & Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Info Box widget in all versions up to, and including, 6.5.9 due to insufficient input sanitization and output escaping on user suppli...

Published: Feb 14, 2026
Source: NVD
CVE-2026-1258 MEDIUM - 4.9

The Mail Mint plugin for WordPress is vulnerable to blind SQL Injection via the 'forms', 'automation', 'email/templates', and 'contacts/import/tutorlms/map' API endpoints in all versions up to, and including, 1.19.2. This is due to insufficient escaping on th...

Published: Feb 14, 2026
Source: NVD
CVE-2026-1254 MEDIUM - 4.3

The Modula Image Gallery – Photo Grid & Video Gallery plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.13.6. This is due to the plugin not properly verifying that a user is authorized to modify specific posts before updating them via the REST API...

Published: Feb 14, 2026
Source: NVD
CVE-2026-1249 MEDIUM - 5.0

The MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar plugin for WordPress is vulnerable to Server-Side Request Forgery in versions 5.3 to 5.10 via the 'load_lyrics_ajax_callback' function. This makes it possible for authenticated attackers, with author level access and...

Published: Feb 14, 2026
Source: NVD
CVE-2026-0550 MEDIUM - 6.4

The myCred plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'mycred_load_coupon' shortcode in all versions up to, and including, 2.9.7.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

Published: Feb 14, 2026
Source: NVD
CVE-2026-2022 MEDIUM - 4.3

The Smart Forms plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'rednao_smart_forms_get_campaigns' AJAX action in all versions up to, and including, 2.6.99. This makes it possible for authenticated attackers, with Subscriber-level ...

Published: Feb 14, 2026
Source: NVD
CVE-2026-1987 MEDIUM - 5.4

The Scheduler Widget plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 0.1.6. This is due to the `scheduler_widget_ajax_save_event()` function lacking proper authorization checks and ownership verification when updating events. This makes it...

Published: Feb 14, 2026
Source: NVD
CVE-2026-1985 MEDIUM - 6.4

The Press3D plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 3D Model Gutenberg block in all versions up to, and including, 1.0.2. This is due to the plugin failing to sanitize and validate the URL scheme when storing link URLs for 3D model blocks, allowing `javascript:` URL...

Published: Feb 14, 2026
Source: NVD