Total CVEs

142,750

Critical Severity

4,026

High Severity

14,425

Last 7 Days

1,411
Quick preset (or use dates below)
Clear Filters
๐Ÿ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years โ†’
Showing 18,601 - 18,620 of 39,155 CVEs
CVE-2026-4119 CRITICAL - 9.1

The Create DB Tables plugin for WordPress is vulnerable to authorization bypass in all versions up to and including 1.2.1. The plugin registers admin_post action hooks for creating tables (admin_post_add_table) and deleting tables (admin_post_delete_db_table) without implementing any capability chec...

Published: Apr 22, 2026
Source: NVD
CVE-2026-4118 MEDIUM - 4.3

The Call To Action Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.1.3. This is due to missing nonce validation in the cbox_options_page() function which handles saving, creating, and deleting plugin settings. The form rendered on the s...

Published: Apr 22, 2026
Source: NVD
CVE-2026-4117 MEDIUM - 5.3

The CalJ plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.5. This is due to a missing capability check in the CalJSettingsPage class constructor, which processes the 'save-obtained-key' operation directly from POST data without verifying t...

Published: Apr 22, 2026
Source: NVD
CVE-2026-4090 MEDIUM - 6.1

The Inquiry Cart plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.4.2. This is due to missing nonce verification in the rd_ic_settings_page function when processing settings form submissions. This makes it possible for unauthenticated attackers...

Published: Apr 22, 2026
Source: NVD
CVE-2026-4089 MEDIUM - 6.4

The Twittee Text Tweet plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' shortcode attribute in all versions up to and including 1.0.8. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes. The ttt_twittee_twe...

Published: Apr 22, 2026
Source: NVD
CVE-2026-4088 MEDIUM - 6.4

The Switch CTA Box plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wppw_cta_box' shortcode in all versions up to, and including, 1.1. This is due to insufficient input sanitization and output escaping on user-supplied post meta values including 'cta_box_butt...

Published: Apr 22, 2026
Source: NVD
CVE-2026-4085 MEDIUM - 6.4

The Easy Social Photos Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wrapper_class' shortcode attribute of the 'my-instagram-feed' shortcode in all versions up to, and including, 3.1.2. This is due to insufficient input sanitization and output...

Published: Apr 22, 2026
Source: NVD
CVE-2026-4082 MEDIUM - 6.4

The ER Swiffy Insert plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the [swiffy] shortcode in all versions up to and including 1.0.0. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes ('n', 'w', 'h...

Published: Apr 22, 2026
Source: NVD
CVE-2026-4076 MEDIUM - 6.4

The Slider Bootstrap Carousel plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'category' and 'template' shortcode attributes in all versions up to and including 1.0.7. This is due to insufficient input sanitization and output escaping on user-supplied sh...

Published: Apr 22, 2026
Source: NVD
CVE-2026-4074 MEDIUM - 6.4

The Quran Live Multilanguage plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'cheikh' and 'lang' shortcode attributes in all versions up to, and including, 1.0.3. This is due to insufficient input sanitization and output escaping on user-supplied shortco...

Published: Apr 22, 2026
Source: NVD
CVE-2026-3362 MEDIUM - 4.4

The Short Comment Filter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Minimum Count' settings field in all versions up to and including 2.2. This is due to insufficient input sanitization (no sanitize callback on register_setting) and missing output escaping (...

Published: Apr 22, 2026
Source: NVD
CVE-2026-31433 HIGH - 8.8

In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix potencial OOB in get_file_all_info() for compound requests When a compound request consists of QUERY_DIRECTORY + QUERY_INFO (FILE_ALL_INFORMATION) and the first command consumes nearly the entire max_trans_size, get_fil...

Vendor: Linux
Product: Linux
Published: Apr 22, 2026
Source: NVD
CVE-2026-31432 HIGH - 8.8

In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix OOB write in QUERY_INFO for compound requests When a compound request such as READ + QUERY_INFO(Security) is received, and the first command (READ) consumes most of the response buffer, ksmbd could write beyond the allo...

Vendor: Linux
Product: Linux
Published: Apr 22, 2026
Source: NVD
CVE-2026-31431 HIGH - 7.8

In the Linux kernel, the following vulnerability has been resolved: crypto: algif_aead - Revert to operating out-of-place This mostly reverts commit 72548b093ee3 except for the copying of the associated data. There is no benefit in operating in-place in algif_aead since the source and destination...

Vendor: Linux
Product: Linux
Published: Apr 22, 2026
Source: NVD
CVE-2026-2719 MEDIUM - 4.4

The Private WP suite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Exceptions' setting in all versions up to, and including, 0.4.1. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Admi...

Published: Apr 22, 2026
Source: NVD
CVE-2026-2717 MEDIUM - 5.5

The HTTP Headers plugin for WordPress is vulnerable to CRLF Injection in all versions up to, and including, 1.19.2. This is due to insufficient sanitization of custom header name and value fields before writing them to the Apache .htaccess file via `insert_with_markers()`. This makes it possible for...

Published: Apr 22, 2026
Source: NVD
CVE-2026-2714 MEDIUM - 4.4

The Institute Management plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Enquiry Form Title' setting in all versions up to, and including, 5.5. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers,...

Published: Apr 22, 2026
Source: NVD
CVE-2026-1845 MEDIUM - 5.5

The Real Estate Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions an...

Published: Apr 22, 2026
Source: NVD
CVE-2026-1379 MEDIUM - 4.4

The HTTP Headers plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.19.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and ...

Published: Apr 22, 2026
Source: NVD
CVE-2026-6842 LOW - 2.5

A flaw was found in nano. In environments with permissive umask settings, a local attacker can exploit incorrect directory permissions (0777 instead of 0700) for the `~/.local` directory. This allows the attacker to inject a malicious `.desktop` launcher, which could lead to unintended actions or in...

Published: Apr 22, 2026
Source: NVD