Total CVEs

142,518

Critical Severity

3,992

High Severity

14,327

Last 7 Days

1,922
Quick preset (or use dates below)
Clear Filters
๐Ÿ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years โ†’
Showing 16,041 - 16,060 of 38,923 CVEs
CVE-2026-2948 MEDIUM - 6.4

The Gutenverse โ€“ Ultimate WordPress FSE Blocks Addons & Ecosystem plugin for WordPress is vulnerable to Server-Side Request Forgery in versions up to, and including, 3.5.3 via the import_images() function. This makes it possible for authenticated attackers, with contributor-level access and abov...

Published: May 05, 2026
Source: NVD
CVE-2026-6704 MEDIUM - 6.1

The Blog Settings plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'page' parameter in all versions up to, and including, 1.0. This is due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbi...

Published: May 05, 2026
Source: NVD
CVE-2026-6702 MEDIUM - 6.1

The Publish 2 Ping.fm plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1. This is due to missing or incorrect nonce validation on the '/wp-admin/options-general.php?page=admin.php' page. This makes it possible for unauthenticated atta...

Published: May 05, 2026
Source: NVD
CVE-2026-6701 MEDIUM - 4.3

The addfreespace plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.1.3. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts ...

Published: May 05, 2026
Source: NVD
CVE-2026-6700 MEDIUM - 4.3

The DX Sources plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.1. This is due to missing or incorrect nonce validation on the settings_page_build function. This makes it possible for unauthenticated attackers to trick a logged-in administrat...

Published: May 05, 2026
Source: NVD
CVE-2026-6696 MEDIUM - 6.1

The Zingaya Click-to-Call plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'email', 'first_name', 'last_name', and 'phone' parameters on the plugin's sign-up admin page in all versions up to, and including, 1.0. This is due to ...

Published: May 05, 2026
Source: NVD
CVE-2026-6255 MEDIUM - 6.4

The Simple Owl Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'num' attribute of the 'owls_wrapper' shortcode in all versions up to, and including, 2.1.1 due to insufficient input sanitization and output escaping on user supplied attributes. ...

Published: May 05, 2026
Source: NVD
CVE-2026-5505 MEDIUM - 6.4

The WP-Clippy plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `clippy` shortcode in all versions up to, and including, 1.0.0. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticat...

Published: May 05, 2026
Source: NVD
CVE-2026-5247 MEDIUM - 5.5

The Schedule Post Changes With PublishPress Future plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wrapper' attribute of the [futureaction] shortcode in all versions up to, and including, 4.10.0. This is due to insufficient input sanitization on the wrapper attri...

Published: May 05, 2026
Source: NVD
CVE-2026-5100 HIGH - 7.5

The AWP Classifieds plugin for WordPress is vulnerable to SQL Injection via the 'regions' parameter array keys in versions up to, and including, 4.4.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it pos...

Published: May 05, 2026
Source: NVD
CVE-2026-4730 MEDIUM - 6.4

The Charts Ninja: Create Beautiful Graphs & Charts and Easily Add Them to Your Website plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'chartid' shortcode attribute in all versions up to, and including, 2.1.0 due to insufficient input sanitization and output e...

Published: May 05, 2026
Source: NVD
CVE-2026-4409 MEDIUM - 6.5

The Subscribe To Comments Reloaded plugin for WordPress is vulnerable to unauthorized modification of data due to a leaked secret key and usage of a weak hash generation algorithm in all versions up to, and including, 240119. This makes it possible for unauthenticated attackers to extract the global...

Published: May 05, 2026
Source: NVD
CVE-2026-2868 MEDIUM - 6.4

The Gutenverse โ€“ Ultimate WordPress FSE Blocks Addons & Ecosystem plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'separatorIconSVG' parameter in versions up to, and including, 3.5.3 due to insufficient input sanitization and output escaping. This makes it pos...

Published: May 05, 2026
Source: NVD
CVE-2026-1921 MEDIUM - 4.9

The Loco Translate plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 2.8.2 via the `fsReference` AJAX route. This is due to the `findSourceFile()` method normalizing user-supplied `ref` paths containing `../` directory traversal sequences without validating t...

Published: May 05, 2026
Source: NVD
CVE-2025-13618 CRITICAL - 9.8

The Mentoring plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.2.8. This is due to the plugin not properly restricting the roles that users can register with in the mentoring_process_registration() function. This makes it possible for unauthenticated...

Vendor: dreamstechnologies
Product: Mentoring
Published: May 05, 2026
Source: NVD
CVE-2026-5722 CRITICAL - 9.8

The MoreConvert Pro plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.9.14. This is due to the guest waitlist verification flow not invalidating or regenerating verification tokens when the customer email address is changed. This makes it possible fo...

Published: May 05, 2026
Source: NVD
CVE-2026-44029 MEDIUM - 5.3

An issue was discovered in Nix before 2.34.7. Writing to arbitrary files can occur via "nix-prefetch-url --unpack" or "nix store prefetch-file --unpack" directory traversal. The fixed versions are 2.34.7, 2.33.6, 2.32.8, 2.31.5, 2.30.5, 2.29.4, and 2.28.7 (introduced in 2.24.7);

Vendor: NixOS
Product: Nix
Published: May 05, 2026
Source: NVD
CVE-2026-44028 HIGH - 7.5

An issue was discovered in Nix before 2.34.7 and Lix before 2.95.2. Unbounded recursion in the NAR (Nix Archive) parser could lead to a stack-to-heap overflow when the parser is run on a coroutine stack. The stack is allocated without a guard page, which means that a stack overflow could overwrite m...

Vendor: NixOS, Lix Project
Product: Nix, Lix
Published: May 05, 2026
Source: NVD
CVE-2026-42264 HIGH - 7.4

Axios is a promise based HTTP client for the browser and Node.js. From version 1.0.0 to before version 1.15.2, fFive config properties (auth, baseURL, socketPath, beforeRedirect, and insecureHTTPParser) in the HTTP adapter are read via direct property access without hasOwnProperty guards, making the...

Vendor: npm
Product: axios
Published: May 05, 2026
Source: GitHub
CVE-2026-7788 HIGH - 7.3

A security flaw has been discovered in Axle-Bucamp MCP-Docusaurus up to 404bc028e15ec304c9a045528560f4b5f27a17e0. The affected element is the function update_document/continue_document/delete_document/get_content of the file app/routes/document.py. Performing a manipulation of the argument DOCS_DIR/...

Published: May 05, 2026
Source: NVD