Total CVEs

142,398

Critical Severity

3,966

High Severity

14,271

Last 7 Days

1,816
Quick preset (or use dates below)
Clear Filters
πŸ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years β†’
Showing 12,881 - 12,900 of 14,330 CVEs
CVE-2026-1053 MEDIUM - 4.4

The Ivory Search – WordPress Search Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 5.5.13 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administra...

Published: Jan 28, 2026
Source: NVD
CVE-2026-1389 MEDIUM - 5.3

The Document Embedder – Embed PDFs, Word, Excel, and Other Files plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.0.4. This is due to the plugin not verifying that a user has permission to access the requested resource in the 'bplde_...

Published: Jan 28, 2026
Source: NVD
CVE-2026-1054 MEDIUM - 5.3

The RegistrationMagic plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 6.0.7.4. This is due to missing nonce verification and capability checks on the rm_set_otp AJAX action handler. This makes it possible for unauthenticated attackers to modify arbitrary...

Published: Jan 28, 2026
Source: NVD
CVE-2026-0818 MEDIUM - 4.3

When a user explicitly requested Thunderbird to decrypt an inline OpenPGP message that was embedded in a text section of an email that was formatted and styled with HTML and CSS, then the decrypted contents were rendered in a context in which the CSS styles from the outer messages were active. If th...

Vendor: mozilla
Product: thunderbird
Published: Jan 28, 2026
Source: NVD
CVE-2026-1466 MEDIUM - 6.1

Jirafeau normally prevents browser preview for text files due to the possibility that for example SVG and HTML documents could be exploited for cross site scripting. This was done by storing the MIME type of a file and allowing only browser preview for MIME types beginning with image (except for ima...

Published: Jan 28, 2026
Source: NVD
CVE-2026-1310 MEDIUM - 5.3

The Simple calendar for Elementor plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.6.6. This is due to missing capability checks on the `miga_ajax_editor_cal_delete` function that is hooked to the `miga_editor_cal_delete` AJAX action with both authe...

Published: Jan 28, 2026
Source: NVD
CVE-2026-1295 MEDIUM - 6.4

The Buy Now Plus – Buy Now buttons for Stripe plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'buynowplus' shortcode in all versions up to, and including, 1.0.2 due to insufficient input sanitization and output escaping on shortcode attributes. This makes it possi...

Published: Jan 28, 2026
Source: NVD
CVE-2026-1244 MEDIUM - 6.4

The Forms Bridge – Infinite integrations plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' shortcode attribute in the 'financoop_campaign' shortcode in all versions up to, and including, 4.2.5. This is due to insufficient input sanitization and output...

Published: Jan 28, 2026
Source: NVD
CVE-2026-0825 MEDIUM - 5.3

The Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress is vulnerable to authorization bypass due to missing capability checks on the CSV export functionality in all versions up to, and including, 1.4.5. This makes it possible for unauthenticated attackers to download sensitiv...

Published: Jan 28, 2026
Source: NVD
CVE-2025-9082 MEDIUM - 6.4

The WPBITS Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple widget parameters in versions up to, and including, 1.8 due to insufficient input sanitization and output escaping when dynamic content is enabled. This makes it possible for authenticated ...

Published: Jan 28, 2026
Source: NVD
CVE-2025-14039 MEDIUM - 6.4

The Simple Folio plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the '_simple_folio_item_client_name' and '_simple_folio_item_link' meta fields in all versions up to, and including, 1.1.1 due to insufficient input sanitization and output escaping. This makes...

Vendor: presstigers
Product: Simple Folio
Published: Jan 28, 2026
Source: NVD
CVE-2025-12709 MEDIUM - 6.4

The Interactions – Create Interactive Experiences in the Block Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via event selectors in all versions up to, and including, 1.3.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...

Vendor: bfintal
Product: Interactions – Create Interactive Experiences in the Block Editor
Published: Jan 28, 2026
Source: NVD
CVE-2026-1298 MEDIUM - 5.3

The Easy Replace Image plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.5.2. This is due to missing capability checks on the `image_replacement_from_url` function that is hooked to the `eri_from_url` AJAX action. This makes it possible for authentic...

Published: Jan 28, 2026
Source: NVD
CVE-2026-1083 MEDIUM - 4.4

The Appointment Hour Booking – Booking Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via form field configuration parameters in all versions up to, and including, 1.5.60 due to insufficient input sanitization and output escaping on the 'Min length/characters' a...

Published: Jan 28, 2026
Source: NVD
CVE-2025-8072 MEDIUM - 6.4

The Target Video Easy Publish plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the β€˜placeholder_img’ parameter in all versions up to, and including, 3.8.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contrib...

Published: Jan 28, 2026
Source: NVD
CVE-2025-13471 MEDIUM - 5.3

The User Activity Log WordPress plugin through 2.2 does not properly handle failed login attempts in some cases, allowing unauthenticated users to set arbitrary options to 1 (for example to enable User Registration when it has been turned off)

Vendor: Unknown
Product: User Activity Log
Published: Jan 28, 2026
Source: NVD
CVE-2026-1514 MEDIUM - 6.5

Official Document Management System developed by 2100 Technology has a Incorrect Authorization vulnerability, allowing authenticated remote attackers to modify front-end code to read all official documents.

Published: Jan 28, 2026
Source: NVD
CVE-2026-24852 MEDIUM - 6.1

iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.2, a heap buffer over-read when the strlen() function attempts to read a non-null-terminated buffer potentially leaking heap memory cont...

Vendor: InternationalColorConsortium
Product: iccDEV
Published: Jan 28, 2026
Source: NVD
CVE-2026-24850 MEDIUM - 5.3

The ML-DSA crate is a Rust implementation of the Module-Lattice-Based Digital Signature Standard (ML-DSA). Starting in version 0.0.4 and prior to version 0.1.0-rc.4, the ML-DSA signature verification implementation in the RustCrypto `ml-dsa` crate incorrectly accepts signatures with repeated (duplic...

Vendor: RustCrypto
Product: signatures
Published: Jan 28, 2026
Source: NVD
CVE-2026-24839 MEDIUM - 4.7

Dokploy is a free, self-hostable Platform as a Service (PaaS). In versions prior to 0.26.6, the Dokploy web interface is vulnerable to Clickjacking attacks due to missing frame-busting headers. This allows attackers to embed Dokploy pages in malicious iframes and trick authenticated users into perfo...

Vendor: Dokploy
Product: dokploy
Published: Jan 28, 2026
Source: NVD