Total CVEs

142,265

Critical Severity

3,947

High Severity

14,217

Last 7 Days

1,925
Quick preset (or use dates below)
Clear Filters
๐Ÿ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years โ†’
Showing 16,121 - 16,140 of 38,670 CVEs
CVE-2026-6229 HIGH - 7.2

The Royal Elementor Addons plugin for WordPress is vulnerable to Server-Side Request Forgery in versions up to, and including, 1.7.1057. This is due to insufficient validation of user-supplied URLs in the render_csv_data() function, which can be bypassed by including 'docs.google.com/spreadshee...

Published: May 02, 2026
Source: NVD
CVE-2026-4650 MEDIUM - 5.3

The FundPress โ€“ WordPress Donation Plugin for WordPress is vulnerable to authorization bypass in versions up to and including 2.0.8. This is due to missing authorization and nonce verification in the donate_action_status() AJAX handler, which is registered to be accessible to unauthenticated users v...

Published: May 02, 2026
Source: NVD
CVE-2026-2052 HIGH - 8.8

The Widget Options โ€“ Advanced Conditional Visibility for Gutenberg Blocks & Classic Widgets plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.2.2 via the Display Logic feature. This is due to the plugin using eval() on user-supplied Display Logic...

Published: May 02, 2026
Source: NVD
CVE-2026-7605 MEDIUM - 6.3

A security flaw has been discovered in JeecgBoot up to 3.9.1. This vulnerability affects the function CommonController.uploadImgByHttp/HttpFileToMultipartFileUtil.httpFileToMultipartFile/HttpFileToMultipartFileUtil.downloadImageData of the file CommonController.java of the component uploadImgByHttpE...

Published: May 02, 2026
Source: NVD

In the Linux kernel, the following vulnerability has been resolved: media: vidtv: fix pass-by-value structs causing MSAN warnings vidtv_ts_null_write_into() and vidtv_ts_pcr_write_into() take their argument structs by value, causing MSAN to report uninit-value warnings. While only vidtv_ts_null_wr...

Vendor: Linux
Product: Linux
Published: May 02, 2026
Source: NVD
CVE-2026-7647 HIGH - 8.1

The Profile Builder Pro plugin for WordPress is vulnerable to PHP Object Injection in all versions up to and including 3.14.5. This is due to the use of PHP's maybe_unserialize() function on the attacker-controlled 'args' POST parameter within the wppb_request_users_pins_action_callba...

Published: May 02, 2026
Source: NVD
CVE-2026-7049 HIGH - 7.2

The PixelYourSite Pro โ€“ Your smart PIXEL (TAG) Manager plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 12.5.0.1 via the scan_video. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating fro...

Published: May 02, 2026
Source: NVD
CVE-2026-6916 MEDIUM - 6.4

The Jeg Kit for Elementor โ€“ Powerful Addons for Elementor, Widgets & Templates for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'sg_content_number_prefix' parameter in all versions up to, and including, 3.1.0 due to insufficient input sanitization...

Published: May 02, 2026
Source: NVD
CVE-2026-6812 MEDIUM - 4.4

The Ona theme for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.26 via the ona_activate_child_theme. This makes it possible for authenticated attackers, with administrator-level access and above, to make web requests to arbitrary locations originating...

Published: May 02, 2026
Source: NVD
CVE-2026-6447 MEDIUM - 4.4

The Call for Price for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 4.2.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level...

Published: May 02, 2026
Source: NVD
CVE-2026-5113 HIGH - 7.2

The Gravity Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Consent field hidden inputs in versions up to and including 2.10.0. This is due to a flawed state validation mechanism that fails open when input is sanitized by wp_kses(), combined with insufficient output escap...

Published: May 02, 2026
Source: NVD
CVE-2026-5112 HIGH - 7.2

The Gravity Forms plugin for WordPress is vulnerable to Unauthenticated Stored Cross-Site Scripting in versions up to and including 2.10.0. This is due to insufficient input validation and output escaping of Calculation Product field product names when rendered inside Repeater fields. The validate()...

Published: May 02, 2026
Source: NVD
CVE-2026-5111 HIGH - 7.2

The Gravity Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to and including 2.10.0. This is due to insufficient input validation and output escaping on Hidden Product field values when used inside Repeater fields, where repeater subfields bypass state validati...

Published: May 02, 2026
Source: NVD
CVE-2026-5110 HIGH - 7.2

The Gravity Forms plugin for WordPress is vulnerable to Unauthenticated Stored Cross-Site Scripting in versions up to and including 2.10.0. This is due to insufficient input validation and output escaping in the SingleProduct field when used inside a Repeater field. When SingleProduct fields are nes...

Published: May 02, 2026
Source: NVD
CVE-2026-5109 HIGH - 7.2

The Gravity Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to and including 2.10.0. This is due to insufficient validation and output escaping of Product Option field values. The vulnerability exists because the state validation function accepts submitted valu...

Published: May 02, 2026
Source: NVD
CVE-2026-7641 HIGH - 8.8

The Import and export users and customers plugin for WordPress is vulnerable to Privilege Escalation in all versions up to and including 2.0.8 via the `save_extra_user_profile_fields()` function. This is due to an incomplete blocklist that correctly restricts capability meta keys for the primary sit...

Published: May 02, 2026
Source: NVD
CVE-2026-7604 MEDIUM - 6.3

A vulnerability was identified in JeecgBoot up to 3.9.1. This affects the function OpenApiController.add/OpenApiController.call of the file OpenApiController.java of the component OpenApi Service. Such manipulation of the argument originUrl database leads to server-side request forgery. It is possib...

Published: May 02, 2026
Source: NVD
CVE-2026-7603 MEDIUM - 6.3

A vulnerability was determined in JeecgBoot up to 3.9.1. Affected by this issue is the function checkPathTraversalBatch of the file FileDownloadUtils.jav of the component LoadFile Endpoint. This manipulation of the argument files causes server-side request forgery. It is possible to initiate the att...

Published: May 02, 2026
Source: NVD
CVE-2026-7458 CRITICAL - 9.8

The User Verification by PickPlugins plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 2.0.46. This is due to the use of a loose PHP comparison operator to validate OTP codes in the "user_verification_form_wrap_process_otpLogin" function. Thi...

Published: May 02, 2026
Source: NVD
CVE-2026-6963 HIGH - 8.8

The WP Mail Gateway plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the wmg_save_provider_config AJAX action in all versions up to, and including, 1.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update...

Published: May 02, 2026
Source: NVD