Total CVEs

143,793

Critical Severity

4,093

High Severity

14,778

Last 7 Days

1,525
Quick preset (or use dates below)
Clear Filters
πŸ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years β†’
Showing 1,781 - 1,800 of 40,198 CVEs
CVE-2026-41123 MEDIUM - 4.3

Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.6, LTS2026 release version 8.6.1.0 through 8.6.1.10, LTS2025 release version 8.3.1.0 through 8.3.1.30, LTS2024 release versions 7.13.1.0 through 7.13.1.70 contain an improper access control vulnerability in the RBAC. A low privileged attacker...

Vendor: Dell
Product: PowerProtect Data Domain
Published: Jul 03, 2026
Source: NVD
CVE-2026-26355 MEDIUM - 6.5

Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.7, LTS2026 release version 8.6.1.0 through 8.6.1.10, LTS2025 release version 8.3.1.0 through 8.3.1.30, LTS2024 release versions 7.13.1.0 through 7.13.1.70 contain an improper neutralization of special Elements used in an OS command ('OS ...

Vendor: Dell
Product: PowerProtect Data Domain
Published: Jul 03, 2026
Source: NVD

Rejected reason: Red Hat Product Security has concluded that this CVE is not required. The reported issue has been classified as a regular bug and will be addressed through the standard bug-fixing process.

Published: Jul 03, 2026
Source: NVD
CVE-2026-13341 HIGH - 7.4

A vulnerability exists in the Kong Konnect Model Context Protocol (MCP) server prior to version 1.0.0, which could allow a remote attacker to perform an indirect prompt injection attack and execute unintended API requests.

Vendor: KongHQ
Product: mcp-konnect
Published: Jul 03, 2026
Source: NVD
CVE-2026-10055 HIGH - 8.5

In Eclipse Theia since version 1.26.0, the backend /services/request-service RPC accepts an attacker-controlled URL from any client connected to the standard /services messaging endpoint, performs the HTTP request server-side, and returns the full response body to the caller. Because the destina...

Vendor: Eclipse Foundation
Product: Eclipse Theia
Published: Jul 03, 2026
Source: NVD
CVE-2026-10054 HIGH - 8.8

In affected versions of Eclipse Theia (1.8.1 and later), the browser backend exposes privileged terminal RPC over WebSocket (/services/shell-terminal, /services/terminals/:id) without service-level authentication. WebSocket origin validation in @theia/core is fail-open: connections are accepted ...

Vendor: Eclipse Foundation
Product: Eclipse Theia
Published: Jul 03, 2026
Source: NVD
CVE-2026-5137 MEDIUM - 4.3

The RTMKit (rometheme-for-elementor) plugin for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 2.0.7 This is due to insufficient path validation on the 'template' parameter in the render_templates AJAX endpoint, which is used directly in a require/include...

Published: Jul 03, 2026
Source: NVD
CVE-2026-4322 MEDIUM - 6.1

Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Raera - Ankara Web Design and Digital Advertising Agency Destekz allows Reflected XSS. This issue affects Destekz: through 02062026.Β NOTE: The vendor was contacted and it was learned that...

Published: Jul 03, 2026
Source: NVD
CVE-2026-4321 CRITICAL - 9.8

Improper neutralization of special elements used in an SQL command ('SQL injection') vulnerability in Raera - Ankara Web Design and Digital Advertising Agency Destekz allows SQL Injection. This issue affects Destekz: through 02062026.Β NOTE: The vendor was contacted and it was learned that...

Published: Jul 03, 2026
Source: NVD
CVE-2026-9756 MEDIUM - 6.4

The GenerateBlocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Headline Block 'linkMetaFieldType' Dynamic Link Attribute in all versions up to, and including, 2.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticate...

Published: Jul 03, 2026
Source: NVD
CVE-2026-4804 MEDIUM - 6.4

The Zakra theme for WordPress is vulnerable to Stored Cross-Site Scripting via post meta values in all versions up to, and including, 4.2.0. This is due to the theme registering three post meta fields (zakra_menu_item_color, zakra_menu_item_hover_color, and zakra_menu_item_active_color) with 's...

Published: Jul 03, 2026
Source: NVD
CVE-2026-47896 HIGH - 7.5

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache Lucene.Net (Lucene.Net.Replicator library). This issue affects Apache Lucene.Net.Replicator: from 4.8.0-beta00005 through 4.8.0-beta00017. Users are recommended to upgrade to version 4....

Vendor: Apache Software Foundation
Product: Apache Lucene.Net
Published: Jul 03, 2026
Source: NVD
CVE-2026-35159 MEDIUM - 5.3

Dell Client Platform BIOS contains an Authentication Bypass by Primary Weakness vulnerability. An unauthenticated attacker with physical access could potentially exploit this vulnerability, leading to Information Disclosure.

Published: Jul 03, 2026
Source: NVD
CVE-2026-11900 MEDIUM - 4.3

The Ad Inserter – Ad Manager & AdSense Ads plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to and including 2.8.16 via the 'data' attribute of the [adinserter] shortcode. This is due to the replace_ai_tags() function processing a {reusable-block-N}...

Vendor: spacetime
Product: Ad Inserter – Ad Manager & AdSense Ads
Published: Jul 03, 2026
Source: NVD
CVE-2026-11778 MEDIUM - 5.4

The The CURCY – Multi Currency for WooCommerce – Smoothly on WooCommerce 9.x plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 2.2.14. This is due to the software allowing users to execute an action that does not properly validate a value befor...

Vendor: villatheme
Product: CURCY – Multi Currency for WooCommerce – Smoothly on WooCommerce 9.x
Published: Jul 03, 2026
Source: NVD
CVE-2026-11398 MEDIUM - 5.3

The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 5.6.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unau...

Vendor: latepoint
Product: LatePoint – Calendar Booking Plugin for Appointments and Events
Published: Jul 03, 2026
Source: NVD
CVE-2026-9230 MEDIUM - 4.3

The Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 11.1.4. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authentic...

Published: Jul 03, 2026
Source: NVD
CVE-2026-9148 HIGH - 7.2

The Comments – wpDiscuz plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the guest commenter 'Website' field in versions up to, and including, 7.6.56 This is due to insufficient output escaping in the getCommentAuthor() function, which interpolates the stored comment_a...

Published: Jul 03, 2026
Source: NVD

Puppet resource_api (shipped in Puppet Core 8.x and Puppet Enterprise 2023.8.x and 2025.x) does not preserve the sensitive flag on parameters defined via the resource-api, causing values such as passwords to be stored in cleartext in the agent's local transaction state cache. Affected versions ...

Published: Jul 03, 2026
Source: NVD
CVE-2026-8351 MEDIUM - 6.4

The RTMKit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Advanced Heading widget's 'Background Text' parameter in versions up to, and including, 2.0.7 This is due to insufficient output escaping on the 'background_text_heading' setting in the rend...

Published: Jul 03, 2026
Source: NVD