Total CVEs

143,744

Critical Severity

4,091

High Severity

14,757

Last 7 Days

1,573
Quick preset (or use dates below)
Clear Filters
πŸ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years β†’
Showing 14,461 - 14,480 of 14,876 CVEs
CVE-2025-13628 MEDIUM - 4.3

The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized modification and deletion of data due to a missing capability check on the 'bulk_action_handler' and 'coupon_permanent_delete' functions in all versions up to, and including, 3...

Published: Jan 09, 2026
Source: NVD
CVE-2026-20975 MEDIUM - 5.5

Improper handling of insufficient permission in Samsung Cloud prior to version 5.6.11 allows local attackers to access specific files in arbitrary path.

Vendor: samsung
Product: cloud
Published: Jan 09, 2026
Source: NVD
CVE-2026-20973 MEDIUM - 5.3

Out-of-bounds read in libimagecodec.quram.so prior to SMR Jan-2026 Release 1 allows remote attacker to access out-of-bounds memory.

Published: Jan 09, 2026
Source: NVD
CVE-2026-20969 MEDIUM - 5.5

Improper input validation in SecSettings prior to SMR Jan-2026 Release 1 allows local attacker to access file with system privilege. User interaction is required for triggering this vulnerability.

Vendor: samsung
Product: android
Published: Jan 09, 2026
Source: NVD
CVE-2026-20968 MEDIUM - 6.7

Use after free in DualDAR prior to SMR Jan-2026 Release 1 allows local privileged attackers to execute arbitrary code.

Vendor: samsung
Product: android
Published: Jan 09, 2026
Source: NVD
CVE-2026-0563 MEDIUM - 6.4

The WP Google Street View (with 360Β° virtual tour) & Google maps + Local SEO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wpgsv_map' shortcode in all versions up to, and including, 1.1.8 due to insufficient input sanitization and output escaping. This make...

Published: Jan 09, 2026
Source: NVD
CVE-2025-15019 MEDIUM - 6.4

The BIALTY - Bulk Image Alt Text (Alt tag, Alt Attribute) with Yoast SEO + WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'bialty_cs_alt' post meta in all versions up to, and including, 2.2.1 due to insufficient input sanitization and output escaping....

Published: Jan 09, 2026
Source: NVD
CVE-2025-14980 MEDIUM - 6.5

The BetterDocs plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.3.3 via the scripts() function. This makes it possible for authenticated attackers, with contributor-level access and above, to extract sensitive data including the OpenAI API ...

Published: Jan 09, 2026
Source: NVD
CVE-2025-14893 MEDIUM - 6.4

The IndieWeb plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Telephone' parameter in all versions up to, and including, 4.0.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author level access ...

Published: Jan 09, 2026
Source: NVD
CVE-2025-14782 MEDIUM - 5.3

The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.49.1 via the 'listen_for_csv_export' function. This is due to the plugin not properly verifying that a user is auth...

Published: Jan 09, 2026
Source: NVD
CVE-2025-14720 MEDIUM - 5.3

The Booking for Appointments and Events Calendar – Amelia plugin for WordPress is vulnerable to unauthorized access due to missing capability checks on multiple AJAX actions in all versions up to, and including, 1.2.38. This makes it possible for unauthenticated attackers to mark payments as refunde...

Published: Jan 09, 2026
Source: NVD
CVE-2025-14718 MEDIUM - 5.4

The Schedule Post Changes With PublishPress Future plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.9.3. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attacke...

Published: Jan 09, 2026
Source: NVD
CVE-2025-14574 MEDIUM - 5.3

The weDocs plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.1.15 via the `/wp-json/wp/v2/docs/settings` REST API endpoint. This makes it possible for unauthenticated attackers to extract sensitive data including third party services API key...

Published: Jan 09, 2026
Source: NVD
CVE-2025-14803 MEDIUM - 6.8

The NEX-Forms WordPress plugin before 9.1.8 does not sanitise and escape some of its settings. The NEX-Forms WordPress plugin before 9.1.8 can be configured in such a way that could allow subscribers to perform Stored Cross-Site Scripting.

Published: Jan 09, 2026
Source: NVD
CVE-2025-13749 MEDIUM - 4.3

The Clearfy Cache – WordPress optimization plugin, Minify HTML, CSS & JS, Defer plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.4.0. This is due to missing nonce validation on the "wbcr_upm_change_flag" function. This makes it po...

Published: Jan 09, 2026
Source: NVD
CVE-2025-14886 MEDIUM - 5.3

The Japanized for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `order` REST API endpoint in all versions up to, and including, 2.7.17. This makes it possible for unauthenticated attackers to mark any WooCommerce order as...

Published: Jan 09, 2026
Source: NVD
CVE-2025-66315 MEDIUM - 4.3

There is a configuration defect vulnerability in the version server of ZTE MF258K Pro products. Due to improper directory permission settings, an attacker can execute write permissions in a specific directory.

Published: Jan 09, 2026
Source: NVD
CVE-2026-0731 MEDIUM - 5.3

A vulnerability has been found in TOTOLINK WA1200 5.9c.2914. The impacted element is an unknown function of the file cstecgi.cgi of the component HTTP Request Handler. The manipulation leads to null pointer dereference. The attack is possible to be carried out remotely. The exploit has been disclose...

Published: Jan 08, 2026
Source: NVD
CVE-2026-0730 MEDIUM - 4.8

A flaw has been found in PHPGurukul Staff Leave Management System 1.0. The affected element is the function ADD_STAFF/UPDATE_STAFF of the file /staffleave/slms/slms/adminviews.py of the component SVG File Handler. Executing a manipulation of the argument profile_pic can lead to cross site scripting....

Vendor: phpgurukul
Product: staff_leave_management_system
Published: Jan 08, 2026
Source: NVD
CVE-2026-22588 MEDIUM - 6.5

Spree is an open source e-commerce solution built with Ruby on Rails. Prior to versions 4.10.2, 5.0.7, 5.1.9, and 5.2.5, an Authenticated Insecure Direct Object Reference (IDOR) vulnerability was identified that allows an authenticated user to retrieve other users’ address information by modifying a...

Published: Jan 08, 2026
Source: NVD