Total CVEs

142,432

Critical Severity

3,972

High Severity

14,286

Last 7 Days

1,839
Quick preset (or use dates below)
Clear Filters
πŸ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years β†’
Showing 13,001 - 13,020 of 14,345 CVEs
CVE-2026-1419 MEDIUM - 4.7

A weakness has been identified in D-Link DCS700l 1.03.09. Affected is an unknown function of the file /setDayNightMode of the component Web Form Handler. Executing a manipulation of the argument LightSensorControl can lead to command injection. The attack may be launched remotely. The exploit has be...

Vendor: dlink
Product: dcs-700l_firmware
Published: Jan 26, 2026
Source: NVD
CVE-2026-1418 MEDIUM - 5.3

A security vulnerability has been detected in GPAC up to 2.4.0. This affects the function gf_text_import_srt_bifs of the file src/scene_manager/text_to_bifs.c of the component SRT Subtitle Import. Such manipulation leads to out-of-bounds write. The attack needs to be performed locally. The exploit h...

Vendor: gpac
Product: gpac
Published: Jan 26, 2026
Source: NVD
CVE-2026-1414 MEDIUM - 6.3

A vulnerability was determined in Sangfor Operation and Maintenance Security Management System up to 3.0.12. This impacts the function getInformation of the file /equipment/get_Information of the component HTTP POST Request Handler. Executing a manipulation of the argument fortEquipmentIp can lead t...

Vendor: sangfor
Product: operation_and_maintenance_security_management_system
Published: Jan 26, 2026
Source: NVD
CVE-2026-1413 MEDIUM - 6.3

A vulnerability was found in Sangfor Operation and Maintenance Security Management System up to 3.0.12. This affects the function portValidate of the file /fort/ip_and_port/port_validate of the component HTTP POST Request Handler. Performing a manipulation of the argument port results in command inj...

Vendor: sangfor
Product: operation_and_maintenance_security_management_system
Published: Jan 26, 2026
Source: NVD
CVE-2026-1411 MEDIUM - 6.1

A flaw has been found in Beetel 777VR1 up to 01.00.09/01.00.09_55. The affected element is an unknown function of the component UART Interface. This manipulation causes improper access controls. It is feasible to perform the attack on the physical device. The complexity of an attack is rather high. ...

Vendor: beetel
Product: 777vr1_firmware
Published: Jan 26, 2026
Source: NVD
CVE-2026-1410 MEDIUM - 6.4

A vulnerability was detected in Beetel 777VR1 up to 01.00.09/01.00.09_55. Impacted is an unknown function of the component UART Interface. The manipulation results in missing authentication. An attack on the physical device is feasible. This attack is characterized by high complexity. The exploitabi...

Vendor: beetel
Product: 777vr1_firmware
Published: Jan 26, 2026
Source: NVD
CVE-2020-36932 MEDIUM - 6.4

SeaCMS 11.1 contains a stored cross-site scripting vulnerability in the checkuser parameter of the admin settings page. Attackers can inject malicious JavaScript payloads that will execute in users' browsers when the page is loaded.

Vendor: Seacms
Product: Seacms
Published: Jan 25, 2026
Source: NVD
CVE-2020-36931 MEDIUM - 6.4

Click2Magic 1.1.5 contains a stored cross-site scripting vulnerability that allows attackers to inject malicious scripts in the chat name input. Attackers can craft a malicious payload in the chat name to capture administrator cookies when the admin processes user requests.

Vendor: Click2Magic
Product: Click2Magic
Published: Jan 25, 2026
Source: NVD
CVE-2025-6461 MEDIUM - 4.3

The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the search feature in class-cubewp-search-ajax-hooks.php due to insufficient restrictions on which posts can be included. This makes it possib...

Published: Jan 25, 2026
Source: NVD
CVE-2026-0593 MEDIUM - 5.3

The WP Go Maps (formerly WP Google Maps) plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the processBackgroundAction() function in all versions up to, and including, 10.0.04. This makes it possible for authenticated attackers, with Subscri...

Published: Jan 24, 2026
Source: NVD
CVE-2026-0862 MEDIUM - 6.1

The Save as PDF Plugin by PDFCrowd plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the β€˜options’ parameter in all versions up to, and including, 4.5.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject a...

Published: Jan 24, 2026
Source: NVD
CVE-2025-13920 MEDIUM - 5.3

The WP Directory Kit plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.4.9 via the wdk_public_action AJAX handler. This makes it possible for unauthenticated attackers to extract email addresses for users with Directory Kit-specific user rol...

Vendor: wpdirectorykit
Product: WP Directory Kit
Published: Jan 24, 2026
Source: NVD
CVE-2026-1302 MEDIUM - 4.4

The Meta-box GalleryMeta plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with editor-level permissions and ...

Published: Jan 24, 2026
Source: NVD
CVE-2026-1300 MEDIUM - 4.4

The Responsive Header plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple plugin settings parameters in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator...

Published: Jan 24, 2026
Source: NVD
CVE-2026-1266 MEDIUM - 4.4

The Postalicious plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and a...

Published: Jan 24, 2026
Source: NVD
CVE-2026-1208 MEDIUM - 4.3

The Friendly Functions for Welcart plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.5. This is due to missing or incorrect nonce validation on the settings page. This makes it possible for unauthenticated attackers to update plugin settings v...

Published: Jan 24, 2026
Source: NVD
CVE-2026-1191 MEDIUM - 4.4

The JavaScript Notifier plugin for WordPress is vulnerable to Stored Cross-Site Scripting via plugin settings in all versions up to, and including, 1.2.8. This is due to insufficient input sanitization and output escaping on user-supplied attributes in the `wp_footer` action. This makes it possible ...

Published: Jan 24, 2026
Source: NVD
CVE-2026-1189 MEDIUM - 6.4

The LeadBI Plugin for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'form_id' parameter of the 'leadbi_form' shortcode in all versions up to, and including, 1.7 due to insufficient input sanitization and output escaping on user supplied attri...

Published: Jan 24, 2026
Source: NVD
CVE-2026-1127 MEDIUM - 6.1

The Timeline Event History plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `id` parameter in all versions up to, and including, 3.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web sc...

Published: Jan 24, 2026
Source: NVD
CVE-2026-1098 MEDIUM - 6.4

The CM CSS Columns plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'tag' shortcode attribute in all versions up to, and including, 1.2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticate...

Published: Jan 24, 2026
Source: NVD