Total CVEs

143,126

Critical Severity

4,045

High Severity

14,563

Last 7 Days

1,276
Quick preset (or use dates below)
Clear Filters
📅 Showing Year: 2026 (January 1 - December 31, 2026) View All Years →
Showing 1 - 20 of 3,918 CVEs
CVE-2026-5955 CRITICAL - 9.8

Improper neutralization of special elements used in an SQL command ('SQL injection') vulnerability in Inrove Software and Internet Services BiEticaret allows SQL Injection. This issue affects BiEticaret: before v3.3.57.

Published: Jul 09, 2026
Source: NVD
CVE-2026-2342 CRITICAL - 9.3

Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in OceanicSoft Informatics Systems Ltd. ValeApp allows Stored XSS. This issue affects ValeApp: through 09072026. NOTE: The vendor was contacted early about this disclosure but did not respon...

Published: Jul 09, 2026
Source: NVD
CVE-2026-15158 CRITICAL - 9.8

The Blocksy Companion plugin for WordPress is vulnerable to Arbitrary File Upload in all versions up to, and including, 2.1.46 via the save_attachments function. This is due to the Custom Fonts extension registering a wp_check_filetype_and_ext filter that approves any filename containing .woff2 or ....

Vendor: creativethemeshq
Product: Blocksy Companion
Published: Jul 09, 2026
Source: NVD
CVE-2026-14245 CRITICAL - 9.8

The miniOrange OTP Login, Verification and SMS Notifications plugin for WordPress is vulnerable to Authentication Bypass leading to Administrator Account Takeover in all versions up to, and including, 5.5.1. This is due to the `um_reset_password_process_hook()` function performing no server-side ver...

Vendor: cyberlord92
Product: miniOrange OTP Login, Verification and SMS Notifications
Published: Jul 09, 2026
Source: NVD
CVE-2026-47646 CRITICAL - 9.3

Improper neutralization of input during web page generation ('cross-site scripting') in Dynamics 365 Customer Voice allows an unauthorized attacker to perform spoofing over a network.

Published: Jul 09, 2026
Source: NVD
CVE-2026-15113 CRITICAL - 9.6

Use after free in Autofill in Google Chrome on Android prior to 150.0.7871.115 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

Vendor: Google
Product: Chrome
Published: Jul 08, 2026
Source: NVD
CVE-2026-53649 CRITICAL - 9.6

Joro: Unauthenticated Cross-Origin Plugin Upload Leads to RCE

Vendor: go
Product: github.com/BishopFox/joro
Published: Jul 08, 2026
Source: GitHub
CVE-2026-52831 CRITICAL - 10.0

Nuclio: Unsanitized cron trigger event headers/body injected into CronJob shell command leads to persistent RCE

Vendor: go
Product: github.com/nuclio/nuclio
Published: Jul 08, 2026
Source: GitHub
CVE-2026-9074 CRITICAL - 9.1

IBM API Connect 10.0.8.0 through 10.0.8.9 and 12.1.0.0 through 12.1.0.3 contains an unauthenticated SQL injection vulnerability in the password reset functionality.

Published: Jul 08, 2026
Source: NVD
CVE-2026-59702 CRITICAL - 9.3

repomix contains a server-side request forgery vulnerability in the POST /api/pack endpoint that allows unauthenticated attackers to make arbitrary outbound requests. The endpoint fails to properly validate http://, https://, and file:// URLs before passing them to git clone, enabling attackers to a...

Vendor: repomix
Product: repomix
Published: Jul 08, 2026
Source: NVD
CVE-2026-15062 CRITICAL - 9.6

SQL injection vulnerabilities in the Snowflake Snowpark Python SDK (snowpark-python) versions prior to 1.53.0 could allow authenticated low-privilege users to execute SQL beyond their authorization scope. An attacker could exploit these vulnerabilities by embedding SQL payloads in source database co...

Vendor: Snowflake
Product: Snowpark Python SDK
Published: Jul 08, 2026
Source: NVD
CVE-2026-58480 CRITICAL - 9.8

Blocksy Companion Pro plugin for WordPress before 2.1.47 contains an unauthenticated arbitrary file upload vulnerability that allows attackers to upload executable files by bypassing extension validation in the save_attachments function exposed through the Advanced Reviews feature. Attackers can exp...

Vendor: Creative Themes
Product: Blocksy Companion
Published: Jul 08, 2026
Source: NVD
CVE-2026-54061 CRITICAL - 9.1

Dgraph is an open source distributed GraphQL database. Prior to version 25.3.5, Dgraph Alpha exposes the RPCs used for external snapshot import on the public gRPC port `:9080` without authentication or authorization. As a result, an unauthenticated network client can open `StreamExtSnapshot` and sen...

Vendor: dgraph-io
Product: dgraph
Published: Jul 08, 2026
Source: NVD
CVE-2026-8307 CRITICAL - 9.8

Improper neutralization of special elements used in an SQL command ('SQL injection') vulnerability in Webbeyaz Web Design Mediküm Web allows SQL Injection. This issue affects Mediküm Web: through 08072026. NOTE: The vendor was contacted and it was learned that the product is not supported...

Published: Jul 08, 2026
Source: NVD
CVE-2026-41042 CRITICAL - 9.1

Unauthenticated callers can supply a malicious H2 JDBC URL through the testConnection API, which executes arbitrary Java code on the server via H2's INIT parameter. Vulnerability in Apache Gravitino. This issue affects Apache Gravitino: before 1.2.1. Users are recommended to upgrade to versio...

Vendor: Apache Software Foundation
Product: Apache Gravitino
Published: Jul 08, 2026
Source: NVD
CVE-2026-9695 CRITICAL - 9.8

An Improper Authentication vulnerability affecting DELMIA Apriso from Release 2020 through Release 2026 could allow an attacker to gain privileged access to the server.

Published: Jul 08, 2026
Source: NVD
CVE-2026-12153 CRITICAL - 9.8

The WP Learn Manager plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.1.8. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to install and activate a...

Vendor: rabilal
Product: WP Learn Manager
Published: Jul 08, 2026
Source: NVD
CVE-2026-9701 CRITICAL - 9.8

The Eventer plugin for WordPress is vulnerable to an insecure password reset mechanism in all versions up to, and including, 4.4.2. The plugin stores a plaintext copy of the password reset key in the `eventer_verification_code` user meta field when a user requests a password reset. The plaintext key...

Published: Jul 08, 2026
Source: NVD
CVE-2026-14487 CRITICAL - 9.1

The Simple Coherent Form plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the removeUploadDir function in all versions up to, and including, 2.4.13. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, ...

Vendor: tombgtn
Product: Simple Coherent Form
Published: Jul 08, 2026
Source: NVD
CVE-2026-56843 CRITICAL - 9.9

Incorrect authorization in the XML-RPC API of WebPros Plesk before 18.0.78.4 allows a low-privileged authenticated customer to look up domains they do not own, because ownership is enforced only for certain lookup filters and schema validation is bypassed for legacy protocol versions. This results i...

Vendor: Webpros
Product: Plesk
Published: Jul 08, 2026
Source: NVD