Total CVEs

142,518

Critical Severity

3,992

High Severity

14,327

Last 7 Days

1,840
Quick preset (or use dates below)
Clear Filters
๐Ÿ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years โ†’
Showing 13,541 - 13,560 of 14,373 CVEs
CVE-2026-1063 MEDIUM - 4.7

A vulnerability has been found in bastillion-io Bastillion up to 4.0.1. This vulnerability affects unknown code of the file src/main/java/io/bastillion/manage/control/AuthKeysKtrl.java of the component Public Key Management System. Such manipulation leads to command injection. It is possible to laun...

Published: Jan 17, 2026
Source: NVD
CVE-2026-1062 MEDIUM - 6.3

A flaw has been found in xiweicheng TMS up to 2.28.0. This affects the function Summary of the file src/main/java/com/lhjz/portal/util/HtmlUtil.java. This manipulation of the argument url causes server-side request forgery. It is possible to initiate the attack remotely. The exploit has been publish...

Published: Jan 17, 2026
Source: NVD
CVE-2026-1061 MEDIUM - 6.3

A vulnerability was detected in xiweicheng TMS up to 2.28.0. Affected by this issue is the function Upload of the file src/main/java/com/lhjz/portal/controller/FileController.java. The manipulation of the argument filename results in unrestricted upload. The attack may be performed from remote. The ...

Published: Jan 17, 2026
Source: NVD
CVE-2025-15532 MEDIUM - 5.3

A security flaw has been discovered in Open5GS up to 2.7.5. This issue affects some unknown processing of the component Timer Handler. The manipulation results in resource consumption. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks. T...

Vendor: n/a
Product: Open5GS
Published: Jan 17, 2026
Source: NVD
CVE-2025-15531 MEDIUM - 5.3

A vulnerability was identified in Open5GS up to 2.7.5. This vulnerability affects the function sgwc_bearer_add of the file src/sgwc/context.c. The manipulation leads to reachable assertion. The attack is possible to be carried out remotely. The exploit is publicly available and might be used. The is...

Vendor: n/a
Product: Open5GS
Published: Jan 17, 2026
Source: NVD
CVE-2025-15530 MEDIUM - 5.3

A vulnerability was determined in Open5GS up to 2.7.6. This affects the function sgwc_s11_handle_create_indirect_data_forwarding_tunnel_request of the file /src/sgwc/s11-handler.c. Executing a manipulation can lead to reachable assertion. The attack can be executed remotely. The exploit has been pub...

Vendor: n/a
Product: Open5GS
Published: Jan 17, 2026
Source: NVD
CVE-2026-0725 MEDIUM - 4.4

The Integrate Dynamics 365 CRM plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.1.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, ...

Published: Jan 17, 2026
Source: NVD
CVE-2025-8615 MEDIUM - 6.4

The CubeWP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's cubewp_shortcode_taxonomy shortcode in all versions up to, and including, 1.1.26 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authe...

Published: Jan 17, 2026
Source: NVD
CVE-2025-14078 MEDIUM - 5.3

The PAYGENT for WooCommerce plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 2.4.6. This is due to missing authorization checks on the paygent_check_webhook function combined with the paygent_permission_callback function unconditionally returning true...

Vendor: shoheitanaka
Product: PAYGENT for WooCommerce
Published: Jan 17, 2026
Source: NVD
CVE-2025-12129 MEDIUM - 5.3

The CubeWP โ€“ All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be included. ...

Vendor: cubewp1211
Product: CubeWP Framework
Published: Jan 17, 2026
Source: NVD
CVE-2026-0833 MEDIUM - 6.4

The Team Section Block plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's block in all versions up to, and including, 2.0.0 due to insufficient input sanitization and output escaping on user-supplied social network link URLs. This makes it possible for authentica...

Published: Jan 17, 2026
Source: NVD
CVE-2026-0808 MEDIUM - 5.3

The Spin Wheel plugin for WordPress is vulnerable to client-side prize manipulation in all versions up to, and including, 2.1.0. This is due to the plugin trusting client-supplied prize selection data without server-side validation or randomization. This makes it possible for unauthenticated attacke...

Published: Jan 17, 2026
Source: NVD
CVE-2026-0691 MEDIUM - 4.4

The CM E-Mail Blacklist โ€“ Simple email filtering for safer registration plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'black_email' parameter in all versions up to, and including, 1.6.2. This is due to insufficient input sanitization and output escaping. This ma...

Published: Jan 17, 2026
Source: NVD
CVE-2025-12984 MEDIUM - 4.9

The Advanced Ads โ€“ย Ad Manager & AdSense plugin for WordPress is vulnerable to SQL Injection via the 'order' parameter in all versions up to, and including, 2.0.15 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. ...

Vendor: monetizemore
Product: Advanced Ads โ€“ย Ad Manager & AdSense
Published: Jan 17, 2026
Source: NVD
CVE-2025-14029 MEDIUM - 5.3

The Community Events plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_admin_event_approval() function in all versions up to, and including, 1.5.6. This makes it possible for unauthenticated attackers to approve arbitrary events via...

Vendor: jackdewey
Product: Community Events
Published: Jan 17, 2026
Source: NVD
CVE-2025-12825 MEDIUM - 5.3

The User Registration Using Contact Form 7 plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'get_cf7_form_data' function in all versions up to, and including, 2.5. This makes it possible for unauthenticated attackers to retrieve for...

Vendor: zealopensource
Product: User Registration Using Contact Form 7
Published: Jan 17, 2026
Source: NVD
CVE-2025-12168 MEDIUM - 4.3

The Phrase TMS Integration for WordPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wp_ajax_delete_log' AJAX endpoint in all versions up to, and including, 4.7.5. This makes it possible for authenticated attackers, with...

Vendor: memsource
Product: Phrase TMS Integration for WordPress
Published: Jan 17, 2026
Source: NVD
CVE-2026-0820 MEDIUM - 5.3

The RepairBuddy โ€“ Repair Shop CRM & Booking Plugin for WordPress plugin for WordPress is vulnerable to Insecure Direct Object Reference due to missing capability checks on the wc_upload_and_save_signature_handler function in all versions up to, and including, 4.1116. This makes it possible for a...

Published: Jan 17, 2026
Source: NVD
CVE-2025-14463 MEDIUM - 5.3

The Payment Button for PayPal plugin for WordPress is vulnerable to unauthorized order creation in all versions up to, and including, 1.2.3.41. This is due to the plugin exposing a public AJAX endpoint (`wppaypalcheckout_ajax_process_order`) that processes checkout results without any authentication...

Vendor: naa986
Product: Payment Button for PayPal
Published: Jan 17, 2026
Source: NVD
CVE-2025-13725 MEDIUM - 6.5

The Gutenberg Thim Blocks โ€“ Page Builder, Gutenberg Blocks for the Block Editor plugin for WordPress is vulnerable to arbitrary file reads in all versions up to, and including, 1.0.1. This is due to insufficient path validation in the server-side rendering of the thim-blocks/icon block. This makes i...

Vendor: thimpress
Product: Thim Blocks
Published: Jan 17, 2026
Source: NVD