Total CVEs

143,793

Critical Severity

4,093

High Severity

14,778

Last 7 Days

1,509
Quick preset (or use dates below)
Clear Filters
๐Ÿ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years โ†’
Showing 17,621 - 17,640 of 40,198 CVEs
CVE-2026-2554 HIGH - 8.1

The WCFM โ€“ Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.7.25 via the 'wcfm_delete_wcfm_customer' due to missing validation on the 'cu...

Published: May 02, 2026
Source: NVD
CVE-2026-0703 MEDIUM - 6.4

The NextMove Lite โ€“ Thank You Page for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'xlwcty_current_date' shortcode in all versions up to, and including, 2.23.0 due to insufficient input sanitization and output escaping on user supplie...

Published: May 02, 2026
Source: NVD
CVE-2026-7628 MEDIUM - 6.3

A vulnerability was detected in crazyrabbitLTC mcp-code-review-server up to 0.1.0. This issue affects the function executeRepomix of the file src/repomix.ts of the component RepoMix Command Handler. Performing a manipulation results in command injection. The attack may be initiated remotely. The exp...

Published: May 02, 2026
Source: NVD
CVE-2026-6817 MEDIUM - 5.8

The Quiz Maker by AYS plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'rate_reason' parameter in all versions up to, and including, 6.7.1.29 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject ...

Published: May 02, 2026
Source: NVD
CVE-2026-6525 MEDIUM - 5.5

IEEE 802.11 protocol dissector crash in Wireshark 4.6.0 to 4.6.4

Vendor: wireshark
Product: wireshark
Published: May 02, 2026
Source: NVD
CVE-2026-6320 HIGH - 7.5

The Salon Booking System โ€“ Free Version plugin for WordPress is vulnerable to Arbitrary File Read in versions up to, and including, 10.30.25. This is due to the public booking flow accepting attacker-controlled file-field values and later using those stored values as trusted paths for email attachme...

Published: May 02, 2026
Source: NVD
CVE-2026-4790 MEDIUM - 5.4

The Premium Addons for Elementor โ€“ Powerful Elementor Templates & Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'custom_svg' parameter in versions up to, and including, 4.11.70 due to insufficient input sanitization and output escaping. This makes it...

Published: May 02, 2026
Source: NVD
CVE-2026-4100 HIGH - 7.1

The Paid Memberships Pro plugin for WordPress is vulnerable to unauthorized modification and disruption of Stripe webhook configuration in all versions up to, and including, 3.6.5. This is due to missing capability checks on the `wp_ajax_pmpro_stripe_create_webhook`, `wp_ajax_pmpro_stripe_delete_web...

Published: May 02, 2026
Source: NVD
CVE-2026-4062 HIGH - 7.5

The Geo Mashup plugin for WordPress is vulnerable to Time-Based SQL Injection via the 'object_ids' and 'exclude_object_ids' parameters in all versions up to, and including, 1.13.18. This is due to insufficient escaping on the user supplied parameters and lack of sufficient prepar...

Published: May 02, 2026
Source: NVD
CVE-2026-4061 HIGH - 7.5

The Geo Mashup plugin for WordPress is vulnerable to Time-Based SQL Injection via the 'map_post_type' parameter in all versions up to, and including, 1.13.18. This is due to the `SearchResults` hook explicitly calling `stripslashes_deep($_POST)` which removes WordPress magic quotes protect...

Published: May 02, 2026
Source: NVD
CVE-2026-4060 HIGH - 7.5

The Geo Mashup plugin for WordPress is vulnerable to Time-Based SQL Injection via the 'sort' parameter in all versions up to, and including, 1.13.18. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. The `esc_s...

Published: May 02, 2026
Source: NVD
CVE-2026-7627 MEDIUM - 6.3

A security vulnerability has been detected in 8nite metatrader-4-mcp 1.0.0. This vulnerability affects the function CallToolRequestSchema of the file src/index.ts of the component sync_ea_from_file. Such manipulation of the argument ea_name leads to path traversal. The attack can be launched remotel...

Published: May 02, 2026
Source: NVD
CVE-2026-7612 MEDIUM - 4.7

A vulnerability was determined in itsourcecode Courier Management System 1.0. Affected is an unknown function of the file /edit_user.php. Executing a manipulation of the argument ID can lead to sql injection. The attack may be performed from remote. The exploit has been publicly disclosed and may be...

Published: May 02, 2026
Source: NVD
CVE-2026-7611 LOW - 3.7

A vulnerability was found in TRENDnet TEW-821DAP up to 1.12B01. This impacts the function platform_do_upgrade_cameo_dev of the file cameo_dev.sh of the component Firmware Update Handler. Performing a manipulation results in insufficient verification of data authenticity. The attack is possible to be...

Vendor: trendnet
Product: tew-821dap_firmware
Published: May 02, 2026
Source: NVD
CVE-2026-7610 LOW - 3.7

A vulnerability has been found in TRENDnet TEW-821DAP 1.12B01. This affects an unknown function of the file /www/cgi/ssi of the component Firmware Update. Such manipulation leads to cleartext transmission of sensitive information. The attack can be executed remotely. This attack is characterized by ...

Vendor: trendnet
Product: tew-821dap_firmware
Published: May 02, 2026
Source: NVD
CVE-2026-7609 MEDIUM - 6.3

A flaw has been found in TRENDnet TEW-821DAP up to 1.12B01. The impacted element is the function tools_diagnostic of the file /tmp/diagnostic of the component Firmware Udpate. This manipulation causes os command injection. Remote exploitation of the attack is possible. The exploit has been published...

Vendor: trendnet
Product: tew-821dap_firmware
Published: May 02, 2026
Source: NVD
CVE-2026-7491 HIGH - 8.1

School App developed by Zyosoft has an Insecure Direct Object Reference vulnerability, allowing authenticated remote attackers to modify a specific parameter to read and modify other users' data.

Published: May 02, 2026
Source: NVD
CVE-2026-7490 HIGH - 7.2

CTMS and CPAS developed by Sunnet has an Arbitrary File Upload vulnerability, allowing privileged remote attackers to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server.

Published: May 02, 2026
Source: NVD
CVE-2026-7489 HIGH - 8.8

CTMS developed by Sunnet has a SQL Injection vulnerability, allowing authenticated remote attackers to inject arbitrary SQL commands to read, modify, and delete database contents.

Published: May 02, 2026
Source: NVD
CVE-2026-5077 MEDIUM - 5.4

The Total theme for WordPress is vulnerable to Stored Cross-Site Scripting via post titles in versions up to, and including, 2.2.1 due to insufficient output escaping when rendering the_title() inside HTML attribute context in the home blog section template. This makes it possible for authenticated ...

Published: May 02, 2026
Source: NVD