Total CVEs

142,027

Critical Severity

3,943

High Severity

14,108

Last 7 Days

1,722
Quick preset (or use dates below)
Clear Filters
๐Ÿ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years โ†’
Showing 15,881 - 15,900 of 38,432 CVEs
CVE-2026-6457 MEDIUM - 6.5

The Geo Mashup plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'geo_mashup_null_fields' parameter in all versions up to, and including, 1.13.19 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL qu...

Published: May 02, 2026
Source: NVD
CVE-2026-6449 MEDIUM - 5.3

The Booking for Appointments and Events Calendar โ€“ Amelia plugin for WordPress is vulnerable to Improper Authorization in all versions up to, and including, 2.1.2. This is due to a logical short-circuit flaw in authorization logic that causes token validation to be entirely skipped when a booking ha...

Published: May 02, 2026
Source: NVD
CVE-2026-6229 HIGH - 7.2

The Royal Elementor Addons plugin for WordPress is vulnerable to Server-Side Request Forgery in versions up to, and including, 1.7.1057. This is due to insufficient validation of user-supplied URLs in the render_csv_data() function, which can be bypassed by including 'docs.google.com/spreadshee...

Published: May 02, 2026
Source: NVD
CVE-2026-4650 MEDIUM - 5.3

The FundPress โ€“ WordPress Donation Plugin for WordPress is vulnerable to authorization bypass in versions up to and including 2.0.8. This is due to missing authorization and nonce verification in the donate_action_status() AJAX handler, which is registered to be accessible to unauthenticated users v...

Published: May 02, 2026
Source: NVD
CVE-2026-2052 HIGH - 8.8

The Widget Options โ€“ Advanced Conditional Visibility for Gutenberg Blocks & Classic Widgets plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.2.2 via the Display Logic feature. This is due to the plugin using eval() on user-supplied Display Logic...

Published: May 02, 2026
Source: NVD
CVE-2026-7605 MEDIUM - 6.3

A security flaw has been discovered in JeecgBoot up to 3.9.1. This vulnerability affects the function CommonController.uploadImgByHttp/HttpFileToMultipartFileUtil.httpFileToMultipartFile/HttpFileToMultipartFileUtil.downloadImageData of the file CommonController.java of the component uploadImgByHttpE...

Published: May 02, 2026
Source: NVD

In the Linux kernel, the following vulnerability has been resolved: media: vidtv: fix pass-by-value structs causing MSAN warnings vidtv_ts_null_write_into() and vidtv_ts_pcr_write_into() take their argument structs by value, causing MSAN to report uninit-value warnings. While only vidtv_ts_null_wr...

Vendor: Linux
Product: Linux
Published: May 02, 2026
Source: NVD
CVE-2026-7647 HIGH - 8.1

The Profile Builder Pro plugin for WordPress is vulnerable to PHP Object Injection in all versions up to and including 3.14.5. This is due to the use of PHP's maybe_unserialize() function on the attacker-controlled 'args' POST parameter within the wppb_request_users_pins_action_callba...

Published: May 02, 2026
Source: NVD
CVE-2026-7049 HIGH - 7.2

The PixelYourSite Pro โ€“ Your smart PIXEL (TAG) Manager plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 12.5.0.1 via the scan_video. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating fro...

Published: May 02, 2026
Source: NVD
CVE-2026-6916 MEDIUM - 6.4

The Jeg Kit for Elementor โ€“ Powerful Addons for Elementor, Widgets & Templates for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'sg_content_number_prefix' parameter in all versions up to, and including, 3.1.0 due to insufficient input sanitization...

Published: May 02, 2026
Source: NVD
CVE-2026-6812 MEDIUM - 4.4

The Ona theme for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.26 via the ona_activate_child_theme. This makes it possible for authenticated attackers, with administrator-level access and above, to make web requests to arbitrary locations originating...

Published: May 02, 2026
Source: NVD
CVE-2026-6447 MEDIUM - 4.4

The Call for Price for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 4.2.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level...

Published: May 02, 2026
Source: NVD
CVE-2026-5113 HIGH - 7.2

The Gravity Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Consent field hidden inputs in versions up to and including 2.10.0. This is due to a flawed state validation mechanism that fails open when input is sanitized by wp_kses(), combined with insufficient output escap...

Published: May 02, 2026
Source: NVD
CVE-2026-5112 HIGH - 7.2

The Gravity Forms plugin for WordPress is vulnerable to Unauthenticated Stored Cross-Site Scripting in versions up to and including 2.10.0. This is due to insufficient input validation and output escaping of Calculation Product field product names when rendered inside Repeater fields. The validate()...

Published: May 02, 2026
Source: NVD
CVE-2026-5111 HIGH - 7.2

The Gravity Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to and including 2.10.0. This is due to insufficient input validation and output escaping on Hidden Product field values when used inside Repeater fields, where repeater subfields bypass state validati...

Published: May 02, 2026
Source: NVD
CVE-2026-5110 HIGH - 7.2

The Gravity Forms plugin for WordPress is vulnerable to Unauthenticated Stored Cross-Site Scripting in versions up to and including 2.10.0. This is due to insufficient input validation and output escaping in the SingleProduct field when used inside a Repeater field. When SingleProduct fields are nes...

Published: May 02, 2026
Source: NVD
CVE-2026-5109 HIGH - 7.2

The Gravity Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to and including 2.10.0. This is due to insufficient validation and output escaping of Product Option field values. The vulnerability exists because the state validation function accepts submitted valu...

Published: May 02, 2026
Source: NVD
CVE-2026-7641 HIGH - 8.8

The Import and export users and customers plugin for WordPress is vulnerable to Privilege Escalation in all versions up to and including 2.0.8 via the `save_extra_user_profile_fields()` function. This is due to an incomplete blocklist that correctly restricts capability meta keys for the primary sit...

Published: May 02, 2026
Source: NVD
CVE-2026-7604 MEDIUM - 6.3

A vulnerability was identified in JeecgBoot up to 3.9.1. This affects the function OpenApiController.add/OpenApiController.call of the file OpenApiController.java of the component OpenApi Service. Such manipulation of the argument originUrl database leads to server-side request forgery. It is possib...

Published: May 02, 2026
Source: NVD
CVE-2026-7603 MEDIUM - 6.3

A vulnerability was determined in JeecgBoot up to 3.9.1. Affected by this issue is the function checkPathTraversalBatch of the file FileDownloadUtils.jav of the component LoadFile Endpoint. This manipulation of the argument files causes server-side request forgery. It is possible to initiate the att...

Published: May 02, 2026
Source: NVD