Total CVEs: 142,027

Critical Severity: 3,943

High Severity: 14,108

Last 7 Days: 1,868
Showing Year: 2026 (January 1 - December 31, 2026)
Showing 13,641 - 13,660 of 13,803 CVEs
CVE-2025-15472 HIGH - 7.2

A flaw has been found in TRENDnet TEW-811DRU 1.0.2.0. This affects the function setDeviceURL of the file uapply.cgi of the component httpd. This manipulation of the argument DeviceURL causes os command injection. The attack can be initiated remotely. The exploit has been published and may be used....

Vendor: trendnet
Product: tew-811dru_firmware
Published: Jan 07, 2026
Source: NVD
CVE-2025-15158 HIGH - 8.8

The WP Enable WebP plugin for WordPress is vulnerable to arbitrary file uploads due to improper file type validation in the 'wpse_file_and_ext_webp' function in all versions up to, and including, 1.0. This makes it possible for authenticated attackers, with Author-level access and above, t...

Published: Jan 07, 2026
Source: NVD
CVE-2025-14835 HIGH - 7.1

The WP Photo Album Plus plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘shortcode’ parameter in all versions up to, and including, 9.1.05.008 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbit...

Published: Jan 07, 2026
Source: NVD
CVE-2025-14804 HIGH - 7.7

The Frontend File Manager Plugin WordPress plugin before 23.5 did not validate a path parameter and ownership of the file, allowing any authenticated users, such as subscribers, to delete arbitrary files on the server.

Published: Jan 07, 2026
Source: NVD
CVE-2025-14070 HIGH - 7.5

The Reviewify plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'send_test_email' AJAX action in all versions up to, and including, 1.0.6. This makes it possible for authenticated attackers, with Contributor-level access and ab...

Published: Jan 07, 2026
Source: NVD
CVE-2025-13801 HIGH - 7.5

The Yoco Payments plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 3.8.8 via the file parameter. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information.

Published: Jan 07, 2026
Source: NVD
CVE-2025-13493 HIGH - 7.5

The Latest Registered Users plugin for WordPress is vulnerable to unauthorized user data export in all versions up to, and including, 1.4. This is due to missing authorization and nonce validation in the rnd_handle_form_submit function hooked to both admin_post_my_simple_form and admin_post_nopriv_m...

Published: Jan 07, 2026
Source: NVD
CVE-2025-13371 HIGH - 8.6

The MoneySpace plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.13.9. This is due to the plugin storing full payment card details (PAN, card holder name, expiry month/year, and CVV) in WordPress post_meta using base64_encode(), and then emb...

Published: Jan 07, 2026
Source: NVD
CVE-2025-11877 HIGH - 7.5

The User Activity Log plugin is vulnerable to a limited options update in versions up to, and including, 2.2. The failed-login handler 'ual_shook_wp_login_failed' lacks a capability check and writes failed usernames directly into update_option() calls. This makes it possible for unauthenti...

Published: Jan 07, 2026
Source: NVD
CVE-2025-31642 HIGH - 7.1

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Dasinfomedia WPCHURCH allows Reflected XSS. This issue affects WPCHURCH: from n/a through 2.7.0.

Published: Jan 07, 2026
Source: NVD
CVE-2025-30631 HIGH - 7.1

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in AA-Team Woocommerce Sales Funnel Builder, AA-Team Amazon Affiliates Addon for WPBakery Page Builder (formerly Visual Composer) allows Reflected XSS. This issue affects Woocommerce Sales Fun...

Published: Jan 06, 2026
Source: NVD
CVE-2025-29004 HIGH - 8.8

Incorrect Privilege Assignment vulnerability in AA-Team Premium Age Verification / Restriction for WordPress, AA-Team Responsive Coming Soon Landing Page / Holding Page for WordPress allows Privilege Escalation. This issue affects Premium Age Verification / Restriction for WordPress: from n/a through...

Published: Jan 06, 2026
Source: NVD
CVE-2026-21494 HIGH - 7.1

iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. A vulnerability present in versions prior to 2.3.1.2 affects users of the iccDEV library who process ICC color profiles. It re...

Vendor: color
Product: iccdev
Published: Jan 06, 2026
Source: NVD
CVE-2026-21491 HIGH - 7.1

iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. A vulnerability present in versions prior to 2.3.1.2 affects users of the iccDEV library who process ICC color profiles. It re...

Vendor: color
Product: iccdev
Published: Jan 06, 2026
Source: NVD
CVE-2026-21490 HIGH - 7.1

iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. A vulnerability present in versions prior to 2.3.1.2 affects users of the iccDEV library who process ICC color profiles. It re...

Vendor: color
Product: iccdev
Published: Jan 06, 2026
Source: NVD
CVE-2026-0641 HIGH - 8.8

A security vulnerability has been detected in TOTOLINK WA300 5.2cu.7112_B20190227. This vulnerability affects the function sub_401510 of the file cstecgi.cgi. The manipulation of the argument UPLOAD_FILENAME leads to command injection. The attack may be initiated remotely. The exploit has been discl...

Vendor: totolink
Product: wa300_firmware
Published: Jan 06, 2026
Source: NVD
CVE-2025-32304 HIGH - 8.1

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mojoomla WPCHURCH allows PHP Local File Inclusion. This issue affects WPCHURCH: from n/a through 2.7.0.

Published: Jan 06, 2026
Source: NVD
CVE-2025-15382 HIGH - 8.1

A heap buffer over-read vulnerability exists in the wolfSSH_CleanPath() function in wolfSSH. An authenticated remote attacker can trigger the issue via crafted SCP path input containing '/./' sequences, resulting in a heap over read by 1 byte.

Vendor: wolfssh
Product: wolfssh
Published: Jan 06, 2026
Source: NVD
CVE-2025-69356 HIGH - 7.5

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in CodexThemes TheGem Theme Elements (for Elementor) thegem-elements-elementor allows PHP Local File Inclusion. This issue affects TheGem Theme Elements (for Elementor): fro...

Published: Jan 06, 2026
Source: NVD
CVE-2025-69342 HIGH - 7.5

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in VanKarWai Calafate calafate allows PHP Local File Inclusion. This issue affects Calafate: from n/a through <= 1.7.7.

Published: Jan 06, 2026
Source: NVD