Total CVEs

142,250

Critical Severity

3,947

High Severity

14,209

Last 7 Days

1,910
Showing Year: 2026 (January 1 - December 31, 2026)
Showing 11,841 - 11,860 of 14,291 CVEs
CVE-2026-1754 MEDIUM - 6.1

The personal-authors-category plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the URL path in all versions up to, and including, 0.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scrip...

Published: Feb 14, 2026
Source: NVD
CVE-2026-1164 MEDIUM - 6.1

The Easy Voice Mail plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'message' parameter in all versions up to, and including, 1.2.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Administrator-level acces...

Published: Feb 14, 2026
Source: NVD
CVE-2025-14608 MEDIUM - 5.3

The WP Last Modified Info plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.9.5. This is due to the plugin not validating a user's access to a post before modifying its metadata in the 'bulk_save' AJAX action. This makes it ...

Vendor: infosatech
Product: WP Last Modified Info
Published: Feb 14, 2026
Source: NVD
CVE-2025-14067 MEDIUM - 5.3

The Easy Form Builder plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on multiple AJAX actions in all versions up to, and including, 3.9.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve sens...

Vendor: hassantafreshi
Product: Easy Form Builder by WhiteStudio — Drag & Drop Form Builder
Published: Feb 14, 2026
Source: NVD
CVE-2025-13973 MEDIUM - 5.3

The StickEasy Protected Contact Form plugin for WordPress is vulnerable to Sensitive Information Disclosure in all versions up to, and including, 1.0.2. The plugin stores spam detection logs at a predictable publicly accessible location (wp-content/uploads/stickeasy-protected-contact-form/spcf-log.t...

Vendor: kasuga16
Product: StickEasy Protected Contact Form
Published: Feb 14, 2026
Source: NVD
CVE-2025-13681 MEDIUM - 4.9

The BFG Tools – Extension Zipper plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.0.7. This is due to insufficient input validation on the user-supplied `first_file` parameter in the `zip()` function. This makes it possible for authenticated attackers, wit...

Vendor: thebaldfatguy
Product: BFG Tools – Extension Zipper
Published: Feb 14, 2026
Source: NVD
CVE-2026-26269 MEDIUM - 5.4

Vim is an open source, command line text editor. Prior to 9.1.2148, a stack buffer overflow vulnerability exists in Vim's NetBeans integration when processing the specialKeys command, affecting Vim builds that enable and use the NetBeans feature. The stack buffer overflow exists in special_keys...

Vendor: vim
Product: vim
Published: Feb 13, 2026
Source: NVD
CVE-2026-25964 MEDIUM - 4.9

Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Prior to 2.5.1, a Path Traversal vulnerability in the RecipeImport workflow of Tandoor Recipes allows authenticated users with import permissions to read arbitrary files on the server. This vulnerabi...

Vendor: TandoorRecipes
Product: recipes
Published: Feb 13, 2026
Source: NVD
CVE-2026-21870 MEDIUM - 5.5

BACnet Protocol Stack library provides a BACnet application layer, network layer and media access (MAC) layer communications services. In 1.4.2, 1.5.0.rc2, and earlier, an off-by-one stack-based buffer overflow in the ubasic interpreter causes a crash (SIGABRT) when processing string literals longer...

Vendor: bacnet-stack
Product: bacnet-stack
Published: Feb 13, 2026
Source: NVD
CVE-2025-66676 MEDIUM - 6.2

An issue in IObit Unlocker v1.3.0.11 allows attackers to cause a Denial of Service (DoS) via a crafted request.

Published: Feb 13, 2026
Source: NVD
CVE-2026-2026 MEDIUM - 6.1

A vulnerability has been identified where weak file permissions in the Nessus Agent directory on Windows hosts could allow unauthorized access, potentially permitting Denial of Service (DoS) attacks.

Published: Feb 13, 2026
Source: NVD

beautiful-mermaid versions prior to 0.1.3 contain an SVG attribute injection issue that can lead to cross-site scripting (XSS) when rendering attacker-controlled Mermaid diagrams. User-controlled values from Mermaid style and classDef directives are interpolated into SVG attribute values without pro...

Vendor: lukilabs
Product: beautiful-mermaid
Published: Feb 13, 2026
Source: NVD
CVE-2025-70095 MEDIUM - 6.5

A cross-site scripting (XSS) vulnerability in the item management and sales invoice function of OpenSourcePOS v3.4.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload.

Vendor: opensourcepos
Product: open_source_point_of_sale
Published: Feb 13, 2026
Source: NVD
CVE-2025-70094 MEDIUM - 6.5

A cross-site scripting (XSS) vulnerability in the Generate Item Barcode function of OpenSourcePOS v3.4.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Item Category parameter.

Vendor: opensourcepos
Product: open_source_point_of_sale
Published: Feb 13, 2026
Source: NVD
CVE-2025-70091 MEDIUM - 6.5

A cross-site scripting (XSS) vulnerability in the Customers function of OpenSourcePOS v3.4.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Phone Number parameter.

Vendor: opensourcepos
Product: open_source_point_of_sale
Published: Feb 13, 2026
Source: NVD
CVE-2026-25531 MEDIUM - 4.3

Kanboard is project management software focused on Kanban methodology. Prior to 1.2.50, the fix for CVE-2023-33968 is incomplete. The TaskCreationController::duplicateProjects() endpoint does not validate user permissions for target projects, allowing authenticated users to duplicate tasks into proj...

Vendor: kanboard
Product: kanboard
Published: Feb 13, 2026
Source: NVD
CVE-2026-2443 MEDIUM - 5.3

A flaw was identified in libsoup, a widely used HTTP library in GNOME-based systems. When processing specially crafted HTTP Range headers, the library may improperly validate requested byte ranges. In certain build configurations, this could allow a remote attacker to access portions of server memor...

Published: Feb 13, 2026
Source: NVD
CVE-2026-22892 MEDIUM - 4.3

Mattermost versions 11.1.x <= 11.1.2, 10.11.x <= 10.11.9, 11.2.x <= 11.2.1 fail to validate user permissions when creating Jira issues from Mattermost posts, which allows an authenticated attacker with access to the Jira plugin to read post content and attachments from channels they do not ...

Vendor: Mattermost
Product: Mattermost
Published: Feb 13, 2026
Source: NVD
CVE-2025-15520 MEDIUM - 4.3

The RegistrationMagic WordPress plugin before 6.0.7.2 checks nonces but not capabilities, allowing for the disclosure of some sensitive data to subscribers and above.

Vendor: Unknown
Product: RegistrationMagic
Published: Feb 13, 2026
Source: NVD

Summary: A Reflected Cross-Site Scripting (XSS) vulnerability was discovered in the AI Playground's OAuth callback handler. The `error_description` query parameter was directly interpolated into an HTML script tag without proper escaping, allowing attackers to execute arbitrary JavaScript in th...

Vendor: npm
Product: agents
Published: Feb 13, 2026
Source: NVD