Total CVEs

142,432

Critical Severity

3,972

High Severity

14,286

Last 7 Days

1,838
Quick preset (or use dates below)
Clear Filters
๐Ÿ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years โ†’
Showing 15,921 - 15,940 of 38,837 CVEs
CVE-2023-54349 MEDIUM - 6.1

AmazCart CMS 3.4 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by submitting payloads through the search functionality. Attackers can enter script tags in the search box to execute arbitrary JavaScript that fires when search...

Vendor: Spondonit
Product: AmazCart CMS
Published: May 05, 2026
Source: NVD
CVE-2023-54348 HIGH - 8.8

ERPGo SaaS 3.9 contains a CSV injection vulnerability that allows authenticated attackers to execute arbitrary code by injecting formula payloads into vendor name fields. Attackers can add malicious formulas like =10+20+cmd|' /C calc'!A0 in the vendor creation form, which execute when the ...

Vendor: Rajodiya
Product: ERPGo SaaS
Published: May 05, 2026
Source: NVD
CVE-2023-54347 HIGH - 7.5

OpenEMR 7.0.1 contains an authentication brute force vulnerability that allows attackers to bypass rate limiting protections by sending repeated login attempts to the main login endpoint. Attackers can submit POST requests with authUser and clearPass parameters to systematically test username and pa...

Vendor: Open-Emr
Product: OpenEMR
Published: May 05, 2026
Source: NVD
CVE-2023-54346 HIGH - 7.5

WordPress Plugin Backup Migration 1.2.8 contains an information disclosure vulnerability that allows unauthenticated attackers to download complete database backups by accessing predictable file paths. Attackers can enumerate backup directories through configuration files and complete logs, then con...

Vendor: Backupbliss
Product: WordPress Plugin Backup Migration
Published: May 05, 2026
Source: NVD
CVE-2023-54345 HIGH - 8.8

Frappe Framework ERPNext 13.4.0 contains a sandbox escape vulnerability in RestrictedPython that allows authenticated users with System Manager role to execute arbitrary code by exploiting frame introspection. Attackers can create a server script via the /app/server-script endpoint and access the gi...

Vendor: Erpnext
Product: Frappe Framework (ERPNext)
Published: May 05, 2026
Source: NVD
CVE-2023-54344 CRITICAL - 9.8

Eclipse Equinox OSGi 3.7.2 and earlier contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary commands by sending payloads to the console interface. Attackers can connect to the OSGi console port and send base64-encoded bash commands wrapped in fork...

Vendor: equinox
Product: [OSGi
Published: May 05, 2026
Source: NVD
CVE-2023-54342 CRITICAL - 9.8

Eclipse Equinox OSGi versions 3.8 through 3.18 contain a remote code execution vulnerability in the console interface that allows unauthenticated attackers to execute arbitrary code by exploiting the fork command functionality. Attackers can establish a telnet connection to the OSGi console, perform...

Vendor: equinox
Product: [OSGi
Published: May 05, 2026
Source: NVD
CVE-2026-6322 HIGH - 7.5

fast-uri normalize() decoded percent-encoded authority delimiters inside the host component and then re-emitted them as raw delimiters during serialization. A host that combined an allowed domain, an encoded at-sign, and a different domain was re-emitted with the at-sign as a raw userinfo separator,...

Vendor: npm
Product: fast-uri
Published: May 05, 2026
Source: NVD
CVE-2025-42611 MEDIUM - 6.5

RouterOS provides various services that rely on correct verification of client and server certificates to secure confidentiality and integrity of communications. This includes OpenVPN, CAPsMAN, Dot1x (802.1X), among others. The vulnerability lies in shared certificate validation logic which uses ...

Vendor: Mikrotik
Product: RouterOS
Published: May 05, 2026
Source: NVD
CVE-2026-43870 HIGH - 7.3

Origin Validation Error, Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting'), Uncontrolled Resource Consumption vulnerability in Apache Thrift. This issue af...

Vendor: Apache Software Foundation
Product: Apache Thrift
Published: May 05, 2026
Source: NVD
CVE-2026-43868 MEDIUM - 5.3

Memory Allocation with Excessive Size Value vulnerability in Apache Thrift. This issue affects Apache Thrift: before 0.23.0. Users are recommended to upgrade to version 0.23.0, which fixes the issue.

Vendor: Apache Software Foundation
Product: Apache Thrift
Published: May 05, 2026
Source: NVD
CVE-2026-3601 MEDIUM - 4.3

The User Registration & Membership plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `embed_form_action()` function in all versions up to, and including, 5.1.4. This makes it possible for authenticated attackers, with Contributor-lev...

Published: May 05, 2026
Source: NVD
CVE-2026-3359 HIGH - 7.5

The Form Maker by 10Web โ€“ Mobile-Friendly Drag & Drop Contact Form Builder plugin for WordPress is vulnerable to SQL Injection via the 'inputs' parameter in versions up to, and including, 1.15.42 due to insufficient escaping on the user supplied parameter and lack of sufficient prepara...

Published: May 05, 2026
Source: NVD
CVE-2026-43869 HIGH - 7.3

Improper Validation of Certificate with Host Mismatch vulnerability in Apache Thrift. This issue affects Apache Thrift: before 0.23.0. Users are recommended to upgrade to version 0.23.0, which fixes the issue.

Vendor: Apache Software Foundation
Product: Apache Thrift
Published: May 05, 2026
Source: NVD

An issue was discovered in the PaperCut Hive Ricoh embedded application. When the "Deep Logging" (diagnostic) mode is enabled, the application inadvertently records administrative credentials in plain text within the log files. An attacker with administrative access to the PaperCut Hive...

Published: May 05, 2026
Source: NVD
CVE-2026-6418 MEDIUM - 4.9

An issue was discovered in the Shared Account Synchronization component of PaperCut MF (version 25.0.4). The application allows administrative users to configure a source path for account data synchronization. Due to a lack of proper path validation and sanitization, an authenticated user with ad...

Vendor: papercut
Product: papercut_mf
Published: May 05, 2026
Source: NVD
CVE-2026-6180 HIGH - 8.1

A race condition exists in PaperCut MF when processing badge-swipe data from certain HP multifunction devices. Under specific network conditions involving dropped packets and out-of-order sequence counters, the server may incorrectly process fragmented data chunks. If a sequence reset notification f...

Vendor: papercut
Product: papercut_mf
Published: May 05, 2026
Source: NVD
CVE-2026-5192 HIGH - 7.5

The Forminator Forms โ€“ Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to Path Traversal in versions up to, and including, 1.52.1 via the 'upload-1[file][file_path]' parameter. This makes it possible for unauthenticated attackers to read the contents...

Published: May 05, 2026
Source: NVD
CVE-2026-40797 CRITICAL - 9.3

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Saleswonder LLC WebinarIgnition allows Blind SQL Injection. This issue affects WebinarIgnition: from n/a through 4.08.253.

Vendor: Saleswonder LLC
Product: WebinarIgnition
Published: May 05, 2026
Source: NVD
CVE-2026-3454 MEDIUM - 6.5

The GenerateBlocks plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.2.0. This is due to missing object-level authorization checks in the /wp-json/generateblocks/v1/dynamic-tag-replacements REST endpoint. The endpoint only verifies that th...

Published: May 05, 2026
Source: NVD