Total CVEs

142,518

Critical Severity

3,992

High Severity

14,327

Last 7 Days

1,847
Quick preset (or use dates below)
Clear Filters
๐Ÿ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years โ†’
Showing 13,481 - 13,500 of 14,373 CVEs
CVE-2026-1045 MEDIUM - 4.4

The Viet contact plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.3.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and a...

Published: Jan 20, 2026
Source: NVD
CVE-2026-1042 MEDIUM - 4.4

The WP Hello Bar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'digit_one' and 'digit_two' parameters in all versions up to, and including, 1.02 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attack...

Published: Jan 20, 2026
Source: NVD
CVE-2025-12573 MEDIUM - 6.5

The Bookingor WordPress plugin through 1.0.12 exposes authenticated AJAX actions without capability or nonce checks, allowing low-privileged users to delete Bookingor WordPress plugin through 1.0.12 data.

Vendor: Unknown
Product: Bookingor
Published: Jan 20, 2026
Source: NVD
CVE-2026-0904 MEDIUM - 5.4

Incorrect security UI in Digital Credentials in Google Chrome prior to 144.0.7559.59 allowed a remote attacker to perform domain spoofing via a crafted HTML page. (Chromium security severity: Medium)

Published: Jan 20, 2026
Source: NVD
CVE-2026-0903 MEDIUM - 5.4

Inappropriate implementation in Downloads in Google Chrome on Windows prior to 144.0.7559.59 allowed a remote attacker to bypass dangerous file type protections via a malicious file. (Chromium security severity: Medium)

Published: Jan 20, 2026
Source: NVD
CVE-2026-0901 MEDIUM - 5.4

Inappropriate implementation in Blink in Google Chrome on Android prior to 144.0.7559.59 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: High)

Published: Jan 20, 2026
Source: NVD
CVE-2025-14348 MEDIUM - 5.3

The weMail - Email Marketing, Lead Generation, Optin Forms, Email Newsletters, A/B Testing, and Automation plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.0.7. This is due to the plugin's REST API trusting the `x-wemail-user` HTTP header to ide...

Vendor: wedevs
Product: weMail โ€“ Email Marketing, Lead Generation, Optin Forms, Email Newsletters, A/B Testing, and Automation
Published: Jan 20, 2026
Source: NVD
CVE-2025-14798 MEDIUM - 5.3

The LearnPress โ€“ WordPress LMS Plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 4.3.2.4 via the get_item_permissions_check function. This makes it possible for unauthenticated attackers to extract sensitive data including user first names and las...

Vendor: thimpress
Product: LearnPress โ€“ WordPress LMS Plugin for Create and Sell Online Courses
Published: Jan 20, 2026
Source: NVD
CVE-2025-14351 MEDIUM - 5.3

The Custom Fonts โ€“ Host Your Fonts Locally plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'BCF_Google_Fonts_Compatibility' class constructor function in all versions up to, and including, 2.1.16. This makes it possible for unauthent...

Vendor: brainstormforce
Product: Custom Fonts โ€“ Host Your Fonts Locally
Published: Jan 20, 2026
Source: NVD
CVE-2026-1051 MEDIUM - 4.3

The Newsletter โ€“ Send awesome emails from WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 9.1.0. This is due to missing or incorrect nonce validation on the hook_newsletter_action() function. This makes it possible for unauthenticated ...

Published: Jan 20, 2026
Source: NVD
CVE-2025-14978 MEDIUM - 5.3

The PeachPay โ€” Payments & Express Checkout for WooCommerce (supports Stripe, PayPal, Square, Authorize.net) plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability checks on the ConvesioPay webhook REST endpoint in all versions up to, and including, 1....

Vendor: peachpay
Product: PeachPay โ€” Payments & Express Checkout for WooCommerce (supports Stripe, PayPal, Square, Authorize.net)
Published: Jan 20, 2026
Source: NVD
CVE-2026-1203 MEDIUM - 5.6

A weakness has been identified in CRMEB up to 5.6.3. The impacted element is the function remoteRegister of the file crmeb/app/services/user/LoginServices.php of the component JSON Token Handler. Executing a manipulation of the argument uid can lead to improper authentication. The attack may be perf...

Published: Jan 20, 2026
Source: NVD
CVE-2026-1195 MEDIUM - 5.0

A weakness has been identified in MineAdmin 1.x/2.x. This impacts the function refresh of the file /system/refresh of the component JWT Token Handler. This manipulation causes insufficient verification of data authenticity. It is possible to initiate the attack remotely. The attack is considered to ...

Published: Jan 20, 2026
Source: NVD
CVE-2026-1194 MEDIUM - 5.3

A security flaw has been discovered in MineAdmin 1.x/2.x. This affects an unknown function of the component Swagger. The manipulation results in information disclosure. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks. The vendor was co...

Published: Jan 20, 2026
Source: NVD
CVE-2025-15466 MEDIUM - 5.4

The Image Photo Gallery Final Tiles Grid plugin for WordPress is vulnerable to unauthorized access and modification of data due to missing capability checks on multiple AJAX actions in all versions up to, and including, 3.6.9. This makes it possible for authenticated attackers, with Contributor-leve...

Vendor: wpchill
Product: Image Photo Gallery Final Tiles Grid
Published: Jan 20, 2026
Source: NVD
CVE-2026-1193 MEDIUM - 6.3

A vulnerability was identified in MineAdmin 1.x/2.x. The impacted element is an unknown function of the file /system/cache/view of the component View Interface. The manipulation leads to improper authorization. The attack is possible to be carried out remotely. The exploit is publicly available and ...

Published: Jan 19, 2026
Source: NVD
CVE-2026-23848 MEDIUM - 6.5

MyTube is a self-hosted downloader and player for several video websites. Prior to version 1.7.71, a rate limiting bypass via `X-Forwarded-For` header spoofing allows unauthenticated attackers to bypass IP-based rate limiting on general API endpoints. Attackers can spoof client IPs by manipulating t...

Vendor: franklioxygen
Product: MyTube
Published: Jan 19, 2026
Source: NVD
CVE-2026-1175 MEDIUM - 5.3

A vulnerability was identified in birkir prime up to 0.4.0.beta.0. This impacts an unknown function of the file /graphql of the component GraphQL Directive Handler. Such manipulation leads to information exposure through error message. The attack may be performed from remote. The exploit is publicly...

Published: Jan 19, 2026
Source: NVD
CVE-2026-1174 MEDIUM - 5.3

A vulnerability was determined in birkir prime up to 0.4.0.beta.0. This affects an unknown function of the file /graphql of the component GraphQL Alias Handler. This manipulation causes resource consumption. The attack is possible to be carried out remotely. The exploit has been publicly disclosed a...

Published: Jan 19, 2026
Source: NVD
CVE-2026-1173 MEDIUM - 5.3

A vulnerability was found in birkir prime up to 0.4.0.beta.0. The impacted element is an unknown function of the file /graphql of the component GraphQL Array Based Query Batch Handler. The manipulation results in denial of service. The attack can be executed remotely. The exploit has been made publi...

Published: Jan 19, 2026
Source: NVD