Total CVEs

142,588

Critical Severity

4,002

High Severity

14,355

Last 7 Days

1,899
Quick preset (or use dates below)
Clear Filters
๐Ÿ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years โ†’
Showing 13,581 - 13,600 of 14,399 CVEs
CVE-2025-14029 MEDIUM - 5.3

The Community Events plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_admin_event_approval() function in all versions up to, and including, 1.5.6. This makes it possible for unauthenticated attackers to approve arbitrary events via...

Vendor: jackdewey
Product: Community Events
Published: Jan 17, 2026
Source: NVD
CVE-2025-12825 MEDIUM - 5.3

The User Registration Using Contact Form 7 plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'get_cf7_form_data' function in all versions up to, and including, 2.5. This makes it possible for unauthenticated attackers to retrieve for...

Vendor: zealopensource
Product: User Registration Using Contact Form 7
Published: Jan 17, 2026
Source: NVD
CVE-2025-12168 MEDIUM - 4.3

The Phrase TMS Integration for WordPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wp_ajax_delete_log' AJAX endpoint in all versions up to, and including, 4.7.5. This makes it possible for authenticated attackers, with...

Vendor: memsource
Product: Phrase TMS Integration for WordPress
Published: Jan 17, 2026
Source: NVD
CVE-2026-0820 MEDIUM - 5.3

The RepairBuddy โ€“ Repair Shop CRM & Booking Plugin for WordPress plugin for WordPress is vulnerable to Insecure Direct Object Reference due to missing capability checks on the wc_upload_and_save_signature_handler function in all versions up to, and including, 4.1116. This makes it possible for a...

Published: Jan 17, 2026
Source: NVD
CVE-2025-14463 MEDIUM - 5.3

The Payment Button for PayPal plugin for WordPress is vulnerable to unauthorized order creation in all versions up to, and including, 1.2.3.41. This is due to the plugin exposing a public AJAX endpoint (`wppaypalcheckout_ajax_process_order`) that processes checkout results without any authentication...

Vendor: naa986
Product: Payment Button for PayPal
Published: Jan 17, 2026
Source: NVD
CVE-2025-13725 MEDIUM - 6.5

The Gutenberg Thim Blocks โ€“ Page Builder, Gutenberg Blocks for the Block Editor plugin for WordPress is vulnerable to arbitrary file reads in all versions up to, and including, 1.0.1. This is due to insufficient path validation in the server-side rendering of the thim-blocks/icon block. This makes i...

Vendor: thimpress
Product: Thim Blocks
Published: Jan 17, 2026
Source: NVD
CVE-2025-14632 MEDIUM - 4.4

The Filr โ€“ Secure document library plugin for WordPress is vulnerable to Stored Cross-Site Scripting via unrestricted file upload in all versions up to, and including, 1.2.11 due to insufficient file type restrictions in the FILR_Uploader class. This makes it possible for authenticated attackers, wi...

Vendor: wpchill
Product: Filr โ€“ Secure document library
Published: Jan 17, 2026
Source: NVD
CVE-2025-14450 MEDIUM - 6.5

The Wallet System for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'change_wallet_fund_request_status_callback' function in all versions up to, and including, 2.7.2. This makes it possible for authenticated att...

Vendor: wpswings
Product: Wallet System for WooCommerce โ€“ Digital Wallet, Buy Now Pay Later (BNPL), Instant Cashback, Referral program, Partial & Subscription Payments
Published: Jan 17, 2026
Source: NVD
CVE-2025-14075 MEDIUM - 5.3

The WP Hotel Booking plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.2.7. This is due to the plugin exposing the 'hotel_booking_fetch_customer_info' AJAX action to unauthenticated users without proper capability checks, relying o...

Vendor: thimpress
Product: WP Hotel Booking
Published: Jan 17, 2026
Source: NVD
CVE-2025-12718 MEDIUM - 5.8

The Quick Contact Form plugin for WordPress is vulnerable to Open Mail Relay in all versions up to, and including, 8.2.6. This is due to the 'qcf_validate_form' AJAX endpoint allowing a user controlled parameter to set the 'from' email address. This makes it possible for unauthen...

Vendor: saadiqbal
Product: Quick Contact Form
Published: Jan 17, 2026
Source: NVD
CVE-2025-12002 MEDIUM - 5.9

The Feeds for YouTube Pro plugin for WordPress is vulnerable to arbitrary file read in all versions up to, and including, 2.6.0 via the 'sby_check_wp_submit' AJAX action. This is due to insufficient sanitization of user-supplied data and the use of that data in a file operation. This makes...

Vendor: Awesome Motive
Product: YouTube Feed Pro
Published: Jan 17, 2026
Source: NVD
CVE-2026-21223 MEDIUM - 5.1

Microsoft Edge Elevation Service exposes a privileged COM interface that inadequately validates the privileges of the calling process. A standard (nonโ€‘administrator) local user can invoke the IElevatorEdge interface method LaunchUpdateCmdElevatedAndWait, causing the service to execute privileged upd...

Published: Jan 16, 2026
Source: NVD
CVE-2025-56451 MEDIUM - 6.1

Cross site scripting vulnerability in seeyon Zhiyuan A8+ Collaborative Management Software 7.0 via the topValue parameter to the seeyon/main.do endpoint.

Vendor: n/a
Product: n/a
Published: Jan 16, 2026
Source: NVD
CVE-2025-15529 MEDIUM - 5.3

A vulnerability was found in Open5GS up to 2.7.6. Affected by this issue is the function sgwc_s5c_handle_create_session_response of the file src/sgwc/s5c-handler.c. Performing a manipulation results in denial of service. Remote exploitation of the attack is possible. The exploit has been made public...

Vendor: n/a
Product: Open5GS
Published: Jan 16, 2026
Source: NVD
CVE-2025-15528 MEDIUM - 5.3

A vulnerability has been found in Open5GS up to 2.7.6. Affected by this vulnerability is an unknown functionality of the component GTPv2 Bearer Response Handler. Such manipulation leads to denial of service. The attack may be launched remotely. The exploit has been disclosed to the public and may be...

Vendor: n/a
Product: Open5GS
Published: Jan 16, 2026
Source: NVD
CVE-2026-23643 MEDIUM - 5.4

CakePHP is a rapid development framework for PHP. The PaginatorHelper::limitControl() method has a cross-site-scripting vulnerability via query string parameter manipulation. This issue has been fixed in 5.2.12 and 5.3.1.

Vendor: cakephp
Product: cakephp
Published: Jan 16, 2026
Source: NVD
CVE-2026-23731 MEDIUM - 4.3

WeGIA is a web manager for charitable institutions. Prior to 3.6.2, The web application is vulnerable to clickjacking attacks. The WeGIA application does not send any defensive HTTP headers related to framing protection. In particular, X-Frame-Options is missing andContent-Security-Policy with frame...

Vendor: LabRedesCefetRJ
Product: WeGIA
Published: Jan 16, 2026
Source: NVD
CVE-2026-23724 MEDIUM - 4.3

WeGIA is a web manager for charitable institutions. Prior to 3.6.2, a Stored Cross-Site Scripting (XSS) vulnerability was identified in the html/atendido/cadastro_ocorrencia.php endpoint of the WeGIA application. The application does not sanitize user-controlled data before rendering it inside the โ€œ...

Vendor: LabRedesCefetRJ
Product: WeGIA
Published: Jan 16, 2026
Source: NVD
CVE-2025-69581 MEDIUM - 5.5

An issue was discovered in Chamillo LMS 1.11.2. The Social Network /personal_data endpoint exposes full sensitive user information even after logout because proper cache-control is missing. Using the browser back button restores all personal data, allowing unauthorized users on the same device to vi...

Vendor: n/a
Product: n/a
Published: Jan 16, 2026
Source: NVD
CVE-2021-47844 MEDIUM - 6.1

Xmind 2020 contains a cross-site scripting vulnerability that allows attackers to inject malicious payloads into mind mapping files or custom headers. Attackers can craft malicious files with embedded JavaScript that execute system commands when opened, enabling remote code execution through mouse i...

Vendor: Xmind
Product: Xmind
Published: Jan 16, 2026
Source: NVD