363779 matches found
CVE-2025-69111
Unauthenticated PHP Object Injection in Reisen = 1.4.1 versions...
CVE-2025-69123
Unauthenticated Local File Inclusion in Snow Club = 1.1 versions...
CVE-2025-69120
Unauthenticated Local File Inclusion in Dazzle = 1.0.0 versions...
CVE-2025-60236
Deserialization of Untrusted Data vulnerability in EMV Creatify allows Object Injection. This issue affects Creatify: from n/a through 1.5...
CVE-2025-69106
Unauthenticated Local File Inclusion in Imba = 1.5.0 versions...
CVE-2025-60231
Deserialization of Untrusted Data vulnerability in EMV The Hospital nrghospital allows Object Injection. This issue affects The Hospital: from n/a through 1.8.1...
CVE-2025-66391
In Citrix Cloud through 2025-11-10, an account with read-only access can trigger the beginning of a workflow for write operations, e.g., the system will send a one-time password to an attacker-controlled email address when the attacker attempts to reset the password of a user account...
CVE-2025-68524
Unauthenticated Cross Site Scripting XSS in Avante 3.0.5 versions...
CVE-2025-60230
Deserialization of Untrusted Data vulnerability in Themeton The Barber Shop allows Object Injection. This issue affects The Barber Shop: from n/a through 1.9...
CVE-2025-60229
Deserialization of Untrusted Data vulnerability in Themeton Lagom allows Object Injection. This issue affects Lagom: from n/a through 2.0...
CVE-2025-59554
Unauthenticated SQL Injection in Advanced Ads – Tracking 3.0.7 versions...
CVE-2025-15657
Unauthenticated Insecure Direct Object References IDOR in School Management = 93.1.0 versions...
CVE-2026-9690
Unauthenticated Arbitrary File Download in WP Media folder Addon = 4.0.1 versions...
CVE-2026-8607
The Points Management System For Gamification, Ranks, Badges, and Loyalty Rewards Program – myCred plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'wrap' Shortcode Attribute in all versions up to, and including, 3.1 due to insufficient input sanitization and output escaping...
CVE-2026-9570
The Taskbuilder WordPress plugin before 5.0.8 does not properly sanitise a URL parameter before echoing it into inline JavaScript on a frontend page containing one of its shortcodes, leading to a Reflected Cross-Site Scripting vulnerability that can be triggered against any logged-in user...
CVE-2026-8317
Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority...
CVE-2026-8494
The Permalink Manager Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via post titles in the admin URI Editor interface in all versions up to, and including, 2.5.3.3 due to insufficient output escaping. This makes it possible for authenticated attackers, with...
CVE-2026-8383
The LearnPress WordPress plugin before 4.3.7 does not gate the edit context on one of its REST endpoint behind the editusers capability, allowing unauthenticated visitors to retrieve each returned user's roles, full capabilities map, extra capabilities, locale, and registration date via a crafted...
CVE-2026-8089
The weMail: Email Marketing, Email Automation, Newsletters, Subscribers & Email Optins for WooCommerce WordPress plugin before 2.1.3 does not properly escape a user-supplied parameter before reflecting it into an HTML attribute on a non-nonce-protected AJAX response, allowing unauthenticated...
CVE-2026-7850
The WP Magnific Popup WordPress plugin through 1.0 does not properly escape user-controlled link URLs before injecting them into the DOM when displaying image load error messages, allowing authenticated attackers with Author-level access or above to perform Stored Cross-Site Scripting attacks...
CVE-2026-55706
sppppapinput in sys/net/ifspppsubr.c in OpenBSD before 076e2b1 allows authentication bypass via certain zero values for lengths...
CVE-2026-5667
Use of Hard-coded Credentials vulnerability in Mitsubishi Electric Room Air Conditioners for Japan and outside Japan; Wireless LAN Adapters for Room Air Conditioners for Japan and outside Japan; Wireless LAN Adapters for Packaged Air Conditioners for Japan and outside Japan; Refrigerators for...
CVE-2026-54811
Unauthenticated SQL Injection in WP eMember v10.9.4 versions...
CVE-2026-54805
Subscriber Privilege Escalation in Falang multilanguage = 1.4.2 versions...
CVE-2026-54807
Unauthenticated Privilege Escalation in Registration Form for WooCommerce = 1.0.9 versions...
CVE-2026-54804
Subscriber Broken Authentication in Melhor Envio = 2.16.3 versions...
CVE-2026-54802
Unauthenticated Broken Authentication in SMS Alert Order Notifications = 3.9.3 versions...
CVE-2026-54803
Subscriber Privilege Escalation in SMS Alert Order Notifications = 3.9.4 versions...
CVE-2026-54806
Unauthenticated PHP Object Injection in WP Activity Log = 5.6.3.1 versions...
CVE-2026-54192
Unauthenticated Cross Site Scripting XSS in Popup box = 6.2.9 versions...
CVE-2026-54188
Unauthenticated Cross Site Scripting XSS in JetEngine = 3.8.10 versions...
CVE-2026-54195
Unauthenticated Cross Site Scripting XSS in JetFormBuilder = 3.6.0.1 versions...
CVE-2026-54194
Contributor PHP Object Injection in Fusion Builder = 3.15.4 versions...
CVE-2026-54196
Subscriber Privilege Escalation in JetFormBuilder = 3.6.1 versions...
CVE-2026-54189
Unauthenticated Cross Site Scripting XSS in JetEngine = 3.8.10 versions...
CVE-2026-54187
Unauthenticated SQL Injection in JetEngine = 3.8.10.1 versions...
CVE-2026-54186
Unauthenticated SQL Injection in JobSearch = 3.2.9 versions...
CVE-2026-54185
Subscriber SQL Injection in Cornerstone 7.8.8 versions...
CVE-2026-52705
Unauthenticated Arbitrary File Upload in SigmaForms Pro – AI Generated Forms = 1.4.5 versions...
CVE-2026-53876
RadiX AX6600 WiFi 6 Tri-Band Gaming Router contains an OS command injection vulnerability, which may lead to arbitrary command execution with the root privilege by a user who logs in to the web console as an administrator...
CVE-2026-54184
Unauthenticated Insecure Direct Object References IDOR in Clean Login = 1.15 versions...
CVE-2026-52706
Unauthenticated PHP Object Injection in JetEngine = 3.8.10 versions...
CVE-2026-52698
Subscriber Sensitive Data Exposure in PushEngage – Web Push Notifications, eCommerce Automation & Chat Widget = 4.2.3 versions...
CVE-2026-52696
Unauthenticated Sensitive Data Exposure in JetBlog = 2.4.8 versions...
CVE-2026-50203
A path traversal in the SFTP provider SFTPHook.retrievedirectory / SFTPOperatoroperation=get let a malicious or compromised remote SFTP server write files outside the configured local destination directory via crafted directory-entry names. No Airflow account is required — the attack surface is a...
CVE-2026-49107
Unauthenticated PHP Object Injection in Thrive Apprentice 10.8.10.2 versions...
CVE-2026-49084
Unauthenticated SQL Injection in JetEngine 3.8.9.1 versions...
CVE-2026-49081
Unauthenticated Broken Access Control in User Registration Stripe = 1.3.12 versions...
CVE-2026-49767
Unauthenticated Broken Authentication in wpForo Forum = 3.1.0 versions...
CVE-2026-49113
Subscriber Arbitrary Code Execution in Cornerstone 7.8.8 versions...