Total CVEs

143,793

Critical Severity

4,093

High Severity

14,778

Last 7 Days

1,527
Quick preset (or use dates below)
Clear Filters
๐Ÿ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years โ†’
Showing 17,061 - 17,080 of 40,198 CVEs
CVE-2026-7457 MEDIUM - 6.4

The LatePoint plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to and including 5.5.0. This is due to insufficient input sanitization on the customer cabinet profile update endpoint โ€” where raw POST parameters (first_name, last_name, phone, notes) bypass sanitizat...

Published: May 06, 2026
Source: NVD
CVE-2026-7448 HIGH - 7.2

The LatePoint โ€“ Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'first_name' parameter in all versions up to, and including, 5.5.0 due to insufficient input sanitization and output escaping. This makes it possibl...

Published: May 06, 2026
Source: NVD
CVE-2026-7332 HIGH - 7.2

The LatePoint โ€“ Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'booking_form_page_url' parameter in all versions up to, and including, 5.5.0 due to insufficient input sanitization and output escaping. This makes...

Published: May 06, 2026
Source: NVD
CVE-2026-6672 MEDIUM - 6.4

The Affiliate Program Suite โ€” SliceWP Affiliates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcode attributes in all versions up to, and including, 1.2.7. This is due to insufficient input sanitization and output escaping on user-supplied attributes in the 'slicewp...

Published: May 06, 2026
Source: NVD
CVE-2026-6344 MEDIUM - 4.9

The Fluent Forms plugin for WordPress is vulnerable to Arbitrary File Read in versions up to and including 6.2.1. This is due to insufficient path validation in the getAttachments() method of EmailNotificationActions, which resolves attacker-supplied file-upload URLs into filesystem paths without ve...

Published: May 06, 2026
Source: NVD
CVE-2026-35254 MEDIUM - 6.1

Vulnerability in the Oracle OCI CLI product of Oracle Open Source Projects. The supported versions that is affected is 3.77. Easily exploitable vulnerability allows unauthenticated attacker with network access to compromise Oracle OCI CLI. Successful attacks of this vulnerability can result in Oracl...

Vendor: Oracle Corporation
Product: Oracle OCI CLI of Oracle Open Source Projects
Published: May 06, 2026
Source: NVD
CVE-2026-35253 MEDIUM - 4.7

Vulnerability in the Oracle Macoron Tool product of Oracle Open Source Projects. The supported versions that is affected is v0.22.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Macaron Tool. Successful attacks of this vulnerabili...

Vendor: Oracle Corporation
Product: Oracle Macaron Tool of Oracle Open Source Projects
Published: May 06, 2026
Source: NVD

The Item history widget (in Zabbix 7.0+) or the Plain text widget (in Zabbix 6.0) can execute injected JavaScript when HTML display is enabled. This can allow an attacker to perform unauthorized actions depending on which user opens a dashboard containing these widgets. The malicious JavaScript woul...

Vendor: Zabbix
Product: Zabbix
Published: May 06, 2026
Source: NVD

A user able to connect to Agent 2 can inject an Oracle TNS connection string via the 'service' parameter. This can lead to Agent 2 connecting to an attacker-controlled server and leaking Oracle database credentials if they are saved in a named session.

Vendor: Zabbix
Product: Zabbix
Published: May 06, 2026
Source: NVD

An authenticated (non-super) administrator can create a maintenance period with a JavaScript payload that is executed by any user that opens tooltip for that maintenance period in the Host navigator widget. This can allow the attacker to perform unauthorized actions depending on which user opens the...

Vendor: Zabbix
Product: Zabbix
Published: May 06, 2026
Source: NVD
CVE-2026-2306 MEDIUM - 4.3

The Ninja Tables โ€“ Easy Data Table Builder plugin for WordPress is vulnerable to unauthorized database table creation due to missing authorization checks on the `createFluentCartTable` function in all versions up to, and including, 5.2.6. This makes it possible for authenticated attackers, with Subs...

Published: May 06, 2026
Source: NVD
CVE-2026-5753 MEDIUM - 6.5

The All-in-One WP Migration Unlimited Extension plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 2.83. This is due to the 'Ai1wmve_Schedules_Controller::save' handler for 'admin_post_ai1wm_schedule_event_save' not verifying user capabi...

Published: May 06, 2026
Source: NVD
CVE-2026-3208 MEDIUM - 5.3

The Mercado Pago payments for WooCommerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'mp_pix_image' WooCommerce API endpoint in all versions up to, and including, 8.7.11. This makes it possible for unauthenticated attackers to...

Published: May 06, 2026
Source: NVD
CVE-2026-7573 MEDIUM - 5.0

An authorization bypass (CWE-639) in the GetUserRoles gRPC API endpoint in Velocidex Velociraptor below version 0.76.5 allows any authenticated low-privilege user to retrieve the complete ACL policy (roles and permissions) for any user across all organizations by supplying targeted Name and Org para...

Published: May 06, 2026
Source: NVD
CVE-2026-7572 MEDIUM - 4.4

An off-by-one error (CWE-193) in the ConsumeUnit16Array and ConsumeUnit64Array functions in Velocidex Velociraptor before version 0.76.5 on Windows and Linux allows a local attacker to cause a Denial of Service (DoS) via a process crash by providing a specially crafted .evtx file to the parse_evtx V...

Published: May 06, 2026
Source: NVD
CVE-2025-71256 HIGH - 7.5

In nr modem, there is a possible improper input validation. This could lead to remote denial of service with no additional execution privileges needed.

Vendor: Unisoc (Shanghai) Technologies Co., Ltd.
Product: T8100/T9100/T8200/T8300
Published: May 06, 2026
Source: NVD
CVE-2025-71255 HIGH - 7.5

In Modem IMS, there is a possible improper input validation. This could lead to remote denial of service with no additional execution privileges needed.

Vendor: Unisoc (Shanghai) Technologies Co., Ltd.
Product: SC7731E/SC9832E/SC9863A/T310/T610/T618/T7200/T7225/T7250/T7255/T7280/T7300/T8100/T9100/T8200/T8300
Published: May 06, 2026
Source: NVD
CVE-2025-71254 HIGH - 7.5

In Modem IMS, there is a possible improper input validation. This could lead to remote denial of service with no additional execution privileges needed.

Vendor: Unisoc (Shanghai) Technologies Co., Ltd.
Product: SC7731E/SC9832E/SC9863A/T310/T610/T618/T7200/T7225/T7250/T7255/T7280/T7300/T8100/T9100/T8200/T8300
Published: May 06, 2026
Source: NVD
CVE-2025-71253 HIGH - 7.5

In Modem IMS, there is a possible improper input validation. This could lead to remote denial of service with no additional execution privileges needed.

Vendor: Unisoc (Shanghai) Technologies Co., Ltd.
Product: SC7731E/SC9832E/SC9863A/T310/T610/T618/T7200/T7225/T7250/T7255/T7280/T7300/T8100/T9100/T8200/T8300
Published: May 06, 2026
Source: NVD
CVE-2025-71252 HIGH - 7.5

In Modem IMS, there is a possible improper input validation. This could lead to remote denial of service with no additional execution privileges needed.

Vendor: Unisoc (Shanghai) Technologies Co., Ltd.
Product: SC7731E/SC9832E/SC9863A/T310/T610/T618/T7200/T7225/T7250/T7255/T7280/T7300/T8100/T9100/T8200/T8300
Published: May 06, 2026
Source: NVD