Total CVEs

143,746

Critical Severity

4,091

High Severity

14,758

Last 7 Days

1,546
Quick preset (or use dates below)
Clear Filters
πŸ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years β†’
Showing 14,741 - 14,760 of 14,877 CVEs
CVE-2025-14441 MEDIUM - 5.3

The Popupkit plugin for WordPress is vulnerable to arbitrary subscriber data deletion due to missing authorization on the DELETE `/subscribers` REST API endpoint in all versions up to, and including, 2.2.0. This is due to the `permission_callback` only validating wp_rest nonce without checking user ...

Published: Jan 06, 2026
Source: NVD
CVE-2025-14438 MEDIUM - 6.4

The Xagio SEO – AI Powered SEO plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 7.1.0.30 via the 'pixabayDownloadImage' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web r...

Published: Jan 06, 2026
Source: NVD
CVE-2025-14120 MEDIUM - 6.4

The URL Image Importer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.0.7 due to insufficient sanitization of SVG files. This makes it possible for authenticated attackers, with Author-level access and above, to inject a...

Published: Jan 06, 2026
Source: NVD
CVE-2026-0604 MEDIUM - 6.5

The FastDup – Fastest WordPress Migration & Duplicator plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 2.7 via the 'dir_path' parameter in the 'njt-fastdup/v1/template/directory-tree' REST API endpoint. This makes it possible for aut...

Published: Jan 06, 2026
Source: NVD
CVE-2025-14153 MEDIUM - 6.5

The Page Expire Popup/Redirection for WordPress plugin for WordPress is vulnerable to time-based SQL Injection via the 'id' shortcode attribute in all versions up to, and including, 1.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the ex...

Published: Jan 06, 2026
Source: NVD
CVE-2025-14034 MEDIUM - 5.3

The ilGhera Support System for WooCommerce plugin for WordPress is vulnerable to unauthorized modification and loss of data due to a missing capability check on the 'delete_single_ticket_callback' and 'change_ticket_status_callback' functions in all versions up to, and including,...

Published: Jan 06, 2026
Source: NVD
CVE-2025-13746 MEDIUM - 6.4

The ForumWP – Forum & Discussion Board plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the User's Display Name in all versions up to, and including, 2.1.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, wi...

Published: Jan 06, 2026
Source: NVD
CVE-2025-13652 MEDIUM - 6.5

The CBX Bookmark & Favorite plugin for WordPress is vulnerable to generic SQL Injection via the β€˜orderby’ parameter in all versions up to, and including, 2.0.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it...

Published: Jan 06, 2026
Source: NVD
CVE-2025-13409 MEDIUM - 4.9

The Form Vibes – Database Manager for Forms plugin for WordPress is vulnerable to SQL Injection via the 'params' parameter in all versions up to, and including, 1.4.13 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. ...

Published: Jan 06, 2026
Source: NVD
CVE-2025-11723 MEDIUM - 6.5

The Appointment Booking Calendar β€” Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.6.9.5 via the hash() function due to use of a hardcoded fall-back salt. This makes it possible for unauthenticat...

Published: Jan 06, 2026
Source: NVD
CVE-2025-11370 MEDIUM - 5.3

The Popup and Slider Builder by Depicter – Add Email collecting Popup, Popup Modal, Coupon Popup, Image Slider, Carousel Slider, Post Slider Carousel plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'store' function of the Rul...

Published: Jan 06, 2026
Source: NVD
CVE-2026-21674 MEDIUM - 5.5

iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1 and below contain a memory leak vulnerability in its XML MPE Parsing Path (iccFromXml). This issue is fixed in version 2.3.1.1.

Vendor: color
Product: iccdev
Published: Jan 06, 2026
Source: NVD
CVE-2025-20807 MEDIUM - 6.7

In dpe, there is a possible out of bounds write due to an integer overflow. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10114841; Issue ID: MSV-4451.

Vendor: google
Product: android
Published: Jan 06, 2026
Source: NVD
CVE-2025-20806 MEDIUM - 6.7

In dpe, there is a possible memory corruption due to use after free. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10114835; Issue ID: MSV-4479.

Vendor: google
Product: android
Published: Jan 06, 2026
Source: NVD
CVE-2025-20805 MEDIUM - 6.7

In dpe, there is a possible memory corruption due to use after free. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10114696; Issue ID: MSV-4480.

Vendor: google
Product: android
Published: Jan 06, 2026
Source: NVD
CVE-2025-20804 MEDIUM - 6.7

In dpe, there is a possible memory corruption due to use after free. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is needed for exploitation. Patch ID: ALPS10198951; Issue ID: MSV-4503.

Vendor: google
Product: android
Published: Jan 06, 2026
Source: NVD
CVE-2025-20803 MEDIUM - 6.7

In dpe, there is a possible memory corruption due to an integer overflow. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is needed for exploitation. Patch ID: ALPS10199779; Issue ID: MSV-4504.

Vendor: google
Product: android
Published: Jan 06, 2026
Source: NVD
CVE-2025-20802 MEDIUM - 6.7

In geniezone, there is a possible memory corruption due to use after free. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10238968; Issue ID: MSV-4914.

Vendor: google
Product: android
Published: Jan 06, 2026
Source: NVD
CVE-2025-20787 MEDIUM - 6.7

In display, there is a possible memory corruption due to use after free. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10149879; Issue ID: MSV-4658.

Vendor: google
Product: android
Published: Jan 06, 2026
Source: NVD
CVE-2025-20786 MEDIUM - 6.7

In display, there is a possible memory corruption due to use after free. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10149882; Issue ID: MSV-4673.

Vendor: google
Product: android
Published: Jan 06, 2026
Source: NVD