1051 matches found
CVE-2026-58148
The CVE-2026-58148 entry concerns the Joomla ChronoForms extension, with an unauthenticated stored XSS vulnerability affecting ChronoForms prior to version 8.0.53. The issue is confirmed in the CVE listing, which identifies the vulnerable component as ChronoForms for Joomla and describes an unaut...
CVE-2026-13402 Royal Elementor Addons < 1.7.1063 - Unauthenticated Private Mega Menu Template Disclosure
The Royal Addons for Elementor WordPress plugin before 1.7.1063 does not check the post status of menu items or the templates they reference in one of its REST endpoints, allowing unauthenticated users to retrieve the rendered HTML content of private or draft Elementor templates linked from...
Formidable Forms < 2.05.02 - Cross-Site Scripting
Formidable Form Builder for WordPress versions before 2.05.03 contains a stored cross-site scripting caused by insufficient input sanitization and output escaping in form parameters like 'afterhtml', letting unauthenticated attackers inject and execute arbitrary scripts in victims' browsers id:...
CVE-2026-63088
In StoatChat, CVE-2026-63088 affects stoatchat before 0.14.0 with an SSRF flaw. The vulnerability stems from incomplete address validation in url_is_blacklisted, which only inspects the first resolved address while the HTTP client iterates all cached addresses, enabling unauthenticated, network-a...
CVE-2026-12395 WP Job Portal < 2.5.5 - Subscriber+ SQL Injection via Applied Resumes 'ta' Parameter
The WP Job Portal WordPress plugin before 2.5.5 does not properly sanitize and escape a parameter before using it in a SQL query, allowing authenticated users with a subscriber-level self-registerable account to perform SQL injection attacks...
CVE-2026-33684
WWBN AVideo is an open source video platform. Prior to version 29.0, Privilege Escalation is possible through unguarded permission parameters in signUp API, which allows any user who can solve a CAPTCHA to self-grant elevated permissions during account registration. The setapisignUp method in the...
CVE-2026-10830
Affected software: AllCoach WordPress plugin
Linux Distros Unpatched Vulnerability : CVE-2026-14076
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Insufficient policy enforcement in Network in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to bypass content security policy via a crafted HTM...
CVE-2026-13895
Inappropriate implementation in Autofill in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. Chromium security severity: Medium...
CVE-2026-13821
CVE-2026-13821 concerns a Use-After-Free in the Canvas component of Google Chrome before 150.0.7871.47, enabling a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. Affected: Google Chrome (Canvas). Root cause: use-after-free in Canvas handling as described in mu...
perl-archive-tar: perl-archive-tar: Path traversal via crafted symlinks allows arbitrary file access
A flaw was found in perl-Archive-Tar. Versions before 3.08 for Perl are vulnerable to a path traversal issue. An attacker can craft a malicious tar archive containing symlinks with targets outside the intended extraction directory. This vulnerability allows the attacker to read or write to...
CVE-2026-57473
A vulnerability exists in the netclient and factory services of Reolink Home Hub versions prior to v3.3.0.45626031911 due to the possibility of brute-force cracking the credentials. This issue could allow attackers on the same local network to intercept traffic between the Hub and associated...
CVE-2026-57876
An unauthenticated out-of-bounds write vulnerability exists in onvif.cgi in GeoVision GV-LPC2011 and GV-LPC2211 V1.12 and earlier. The vulnerability is caused by insufficient bounds checking when processing HTTP request body data. A remote attacker may exploit this vulnerability by sending a...
EUVD-2026-39584
Use after free in Payments in Google Chrome on Android prior to 149.0.7827.201 allowed a local attacker to potentially exploit heap corruption via physical access to the device. Chromium security severity: High...
CVE-2026-46734
Dell Display and Peripheral Manager DDPM Mac, versions prior to 2.3, contain an Improper Certificate Validation vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Protection mechanism bypass...
Google Chrome < 149.0.7827.200 Multiple Vulnerabilities
The version of Google Chrome installed on the remote macOS host is prior to 149.0.7827.200. It is, therefore, affected by multiple vulnerabilities as referenced in the 202606stable-channel-update-for-desktop01245939337 advisory. - Use after free in AdFilter in Google Chrome on Android prior to...
CVE-2026-56272
Flowise before 3.0.13 uses bcrypt with default salt rounds of 5, providing only 32 iterations instead of the OWASP-recommended minimum of 10 rounds. Attackers can crack password hashes approximately 30 times faster with modern GPU hardware, potentially compromising all user accounts in a database...
CVE-2026-9709
The CVE-2026-9709 entry describes a vulnerability in the Premium Cornerstone page builder bundled with the X Theme (WordPress plugin) prior to version 7.8.9. The root cause is missing capability checks on one REST API route, allowing any authenticated user to disclose metadata of other users, inc...
Astra Linux – Vulnerability in Chromium
Using “after free” in WebRTC in Google Chrome before version 146.0.7680.153 allowed a remote attacker to potentially exploit heap corruption through a crafted HTML page. Chromium security severity: High...
CVE-2026-55237 AutoGPT SignUp Page has DOM-Based XSS and Open Redirect
AutoGPT is a workflow automation platform for creating, deploying, and managing continuous artificial intelligence agents. Versions prior to 0.6.62 have a DOM-based Cross-Site Scripting XSS vulnerability in AutoGPT's signup page. The application improperly trusts a URL parameter next, which is...