163619 matches found
CVE-2026-39492 WordPress WP Maps plugin <= 4.9.1 - SQL Injection vulnerability
Unauthenticated SQL Injection in WP Maps = 4.9.1 versions...
CVE-2026-39491 WordPress JupiterX Core plugin <= 4.14.1 - Cross Site Scripting (XSS) vulnerability
Subscriber Cross Site Scripting XSS in JupiterX Core = 4.14.1 versions...
CVE-2026-39489 WordPress Download Monitor plugin <= 5.1.9 - Non-Arbitrary File Download vulnerability
Author Arbitrary File Download in Download Monitor = 5.1.9 versions...
CVE-2026-39481 WordPress Modula Image Gallery plugin <= 2.14.18 - PHP Object Injection vulnerability
Author PHP Object Injection in Modula Image Gallery = 2.14.18 versions...
CVE-2026-39480 WordPress Backup Migration plugin <= 2.1.1 - Sensitive Data Exposure vulnerability
Unauthenticated Sensitive Data Exposure in Backup Migration = 2.1.1 versions...
CVE-2026-39474 WordPress Post Duplicator plugin <= 3.0.10 - PHP Object Injection vulnerability
Contributor PHP Object Injection in Post Duplicator = 3.0.10 versions...
CVE-2026-39478 WordPress Anti-Malware Security and Brute-Force Firewall plugin <= 4.23.87 - PHP Object Injection vulnerability
Contributor PHP Object Injection in Anti-Malware Security and Brute-Force Firewall = 4.23.87 versions...
CVE-2026-39472 WordPress WooCommerce PDF Invoices & Packing Slips plugin < 5.9.0 - PHP Object Injection vulnerability
Shop manager PHP Object Injection in WooCommerce PDF Invoices & Packing Slips 5.9.0 versions...
CVE-2026-39471 WordPress ShortPixel Image Optimizer plugin <= 6.4.3 - PHP Object Injection vulnerability
Author PHP Object Injection in ShortPixel Image Optimizer = 6.4.3 versions...
CVE-2026-39470 WordPress WooCommerce Cart Abandonment Recovery plugin < 2.1.0 - Privilege Escalation vulnerability
Shop manager Privilege Escalation in WooCommerce Cart Abandonment Recovery 2.1.0 versions...
CVE-2026-39468 WordPress Meta Box – WordPress Custom Fields Framework plugin <= 5.11.1 - Arbitrary File Deletion vulnerability
Contributor Arbitrary File Deletion in Meta Box – WordPress Custom Fields Framework = 5.11.1 versions...
CVE-2026-39465 WordPress Responsive Slider by MetaSlider plugin <= 3.106.0 - Remote Code Execution (RCE) vulnerability
Editor Remote Code Execution RCE in Responsive Slider by MetaSlider = 3.106.0 versions...
CVE-2026-39463 WordPress ManageWP Worker plugin <= 4.9.31 - Cross Site Scripting (XSS) vulnerability
Unauthenticated Cross Site Scripting XSS in ManageWP Worker = 4.9.31 versions...
CVE-2026-39451 WordPress WP Google Review Slider plugin <= 18.0 - Cross Site Scripting (XSS) vulnerability
Unauthenticated Cross Site Scripting XSS in WP Google Review Slider = 18.0 versions...
CVE-2026-39450 WordPress FunnelKit Automations plugin <= 3.7.3 - Broken Authentication vulnerability
Subscriber Broken Authentication in FunnelKit Automations = 3.7.3 versions...
CVE-2026-39449 WordPress Contact Form to Any API plugin <= 3.0.3 - Cross Site Scripting (XSS) vulnerability
Unauthenticated Cross Site Scripting XSS in Contact Form to Any API = 3.0.3 versions...
CVE-2026-39447 WordPress Simply Schedule Appointments plugin <= 1.6.10.6 - Cross Site Scripting (XSS) vulnerability
Unauthenticated Cross Site Scripting XSS in Simply Schedule Appointments = 1.6.10.6 versions...
CVE-2026-39435 WordPress CformsII plugin <= 15.1.3 - Cross Site Scripting (XSS) vulnerability
Unauthenticated Cross Site Scripting XSS in CformsII = 15.1.3 versions...
CVE-2026-39441 WordPress Feed KuantoKusta for WooCommerce – Free plugin <= 5.3 - SQL Injection vulnerability
Unauthenticated SQL Injection in Feed KuantoKusta for WooCommerce – Free = 5.3 versions...
CVE-2026-39434 WordPress CTX Feed plugin <= 6.6.26 - PHP Object Injection vulnerability
Shop manager PHP Object Injection in CTX Feed = 6.6.26 versions...
CVE-2026-34902 WordPress WooCommerce Product Table Lite plugin <= 4.6.3 - Cross Site Scripting (XSS) vulnerability
Unauthenticated Cross Site Scripting XSS in WooCommerce Product Table Lite = 4.6.3 versions...
CVE-2026-34901 WordPress iControlWP plugin <= 5.5.3 - Privilege Escalation vulnerability
Unauthenticated Privilege Escalation in iControlWP = 5.5.3 versions...
CVE-2026-34900 WordPress GiveWP plugin <= 4.14.2 - Reflected Cross Site Scripting (XSS) vulnerability
Unauthenticated Cross Site Scripting XSS in GiveWP = 4.14.2 versions...
CVE-2026-34898 WordPress Event Tickets Manager for WooCommerce plugin <= 1.5.3 - Broken Access Control vulnerability
Unauthenticated Broken Access Control in Event Tickets Manager for WooCommerce = 1.5.3 versions...
CVE-2026-34892 WordPress Rank Math SEO plugin <= 1.0.271 - Broken Access Control vulnerability
Subscriber Broken Access Control in Rank Math SEO = 1.0.271 versions...
CVE-2026-34891 WordPress IDPay Payment Gateway for Woocommerce plugin <= 2.2.5 - Sensitive Data Exposure vulnerability
Unauthenticated Sensitive Data Exposure in IDPay Payment Gateway for Woocommerce = 2.2.5 versions...
CVE-2026-34886 WordPress Simple Membership plugin <= 4.7.1 - Broken Access Control vulnerability
Unauthenticated Broken Access Control in Simple Membership = 4.7.1 versions...
CVE-2026-27407 WordPress AI Engine plugin <= 3.4.9 - Privilege Escalation vulnerability
Editor Privilege Escalation in AI Engine = 3.4.9 versions...
CVE-2026-27333 WordPress Paid Videochat Turnkey Site plugin <= 7.3.23 - Deserialization of untrusted data vulnerability
Unauthenticated Deserialization of untrusted data in Paid Videochat Turnkey Site = 7.3.23 versions...
CVE-2026-27089 WordPress WpTravelly plugin <= 2.1.7 - Bypass Vulnerability vulnerability
Unauthenticated Bypass Vulnerability in WpTravelly = 2.1.7 versions...
CVE-2026-27053 WordPress Broadcast Live Video plugin < 7.1.3 - PHP Object Injection vulnerability
Unauthenticated PHP Object Injection in Broadcast Live Video 7.1.3 versions...
CVE-2026-25440 WordPress Essential Addons for Elementor plugin < 6.6.0 - Broken Access Control vulnerability
Unauthenticated Broken Access Control in Essential Addons for Elementor 6.6.0 versions...
CVE-2026-25425 WordPress User Registration plugin <= 5.1.2 - Broken Access Control vulnerability
Unauthenticated Broken Access Control in User Registration = 5.1.2 versions...
CVE-2026-24637 WordPress PowerPress Podcasting plugin <= 11.15.10 - SQL Injection vulnerability
Contributor SQL Injection in PowerPress Podcasting = 11.15.10 versions...
CVE-2026-9691 WordPress Integration for ActiveCampaign and Contact Form 7, WPForms, Elementor, Ninja Forms plugin <= 1.1.1 - PHP Object Injection vulnerability
Unauthenticated PHP Object Injection in Integration for ActiveCampaign and Contact Form 7, WPForms, Elementor, Ninja Forms = 1.1.1 versions...
CVE-2026-23970 WordPress Redirection for Contact Form 7 plugin <= 3.2.8 - Cross Site Scripting (XSS) vulnerability
Unauthenticated Cross Site Scripting XSS in Redirection for Contact Form 7 = 3.2.8 versions...
CVE-2025-69332 WordPress Bookify plugin <= 1.1.1 - Broken Access Control vulnerability
Subscriber Broken Access Control in Bookify = 1.1.1 versions...
CVE-2025-68851 WordPress Okay Toolkit plugin <= 2.3 - Reflected Cross Site Scripting (XSS) vulnerability
Unauthenticated Cross Site Scripting XSS in Okay Toolkit = 2.3 versions...
CVE-2025-68872 WordPress Eli's WordCents adSense Widget with Analytics plugin <= 1.3.03.27 - Reflected Cross Site Scripting (XSS) vulnerability
Unauthenticated Cross Site Scripting XSS in Elis WordCents adSense Widget with Analytics = 1.3.03.27 versions...
CVE-2025-68840 WordPress iRobots.txt SEO plugin <= 1.1.2 - Reflected Cross Site Scripting (XSS) vulnerability
Unauthenticated Cross Site Scripting XSS in iRobots.txt SEO = 1.1.2 versions...
CVE-2025-68049 WordPress bunny.net plugin <= 2.3.6 - Broken Access Control vulnerability
Subscriber Broken Access Control in bunny.net = 2.3.6 versions...
CVE-2025-60175 WordPress PopAd Plugin <= 1.0.4 - Server Side Request Forgery (SSRF) Vulnerability
Administrator Server Side Request Forgery SSRF in PopAd = 1.0.4 versions...
CVE-2025-59133 WordPress Projectopia plugin <= 5.1.25.2 - Insecure Direct Object References (IDOR) vulnerability
Custom role Insecure Direct Object References IDOR in Projectopia = 5.1.25.2 versions...
CVE-2026-48709 OliveTin: ValidateArgumentType API Endpoint Missing Authentication Allows Action and Argument Enumeration
OliveTin gives access to predefined shell commands from a web interface. In versions 3000.0.0 and prior, The ValidateArgumentType RPC endpoint in service/internal/api/api.go does not perform any authentication or authorization checks. Unlike all other data-returning API endpoints, it does not cal...
CVE-2026-48708 OliveTin has a Concurrent Template Parsing Race Condition which Leads to Cross-Request Command Contamination
OliveTin gives access to predefined shell commands from a web interface. In versions 3000.0.0 and prior, the template engine uses a single shared text/template.Template instance tpl package-level variable in service/internal/tpl/templates.go across all goroutines. Every action execution calls...
CVE-2026-48124 Cursor Desktop sandbox escape via Claude hook configuration
Cursor is a code editor built for programming with AI. In versions prior to 3.0.0, the Cursor Desktop could execute workspace-defined Claude hook commands from .claude/settings.local.json without dedicated user approval. A malicious workspace or agent-created file could configure hooks that run...
CVE-2026-47261 Wasmtime: WASI path_open(TRUNCATE) bypasses `FilePerms::WRITE` host restriction
Wasmtime is a runtime for WebAssembly. In versions prior to 24.0.9, 36.0.10, and 44.0.2, when a filesystem preopen is given DirPerms::all and FilePerms::READ without FilePerms::WRITE, this access control mechanism can be bypassed via the wasip2 descriptor.open-at or wasip1 pathopen interfaces by...
CVE-2026-47825 Spring Cloud Gateway Server Forwards Headers from Untrusted Proxies in certain situations
Spring Cloud Gateway Server forwards the X-Forwarded-For and Forwarded headers from untrusted proxies in certain configuration scenarios. This affects both the WebMVC and WebFlux Gateway Servers. Affected versions: Spring Cloud Gateway 3.1.x fix 3.1.13. Spring Cloud Gateway 4.1.x fix 4.1.13. Spri...
CVE-2026-48518 MultiJuicer: Login CSRF allows attacker to force victims into their team
MultiJuicer is used to run separate Juice Shop instances on a central kubernetes cluster without the need for local instances. In versions 8.0.0 through 10.0.0, the team join endpoint POST /multi-juicer/api/teams/team/join accepted requests with any Content-Type, including text/plain. Because tha...
CVE-2026-52718 Gstreamer1-plugins-bad-free: gstreamer: denial of service via av1 tile_list_obu parser byte/bit confusion
A denial of service vulnerability was found in GStreamer's AV1 codec parser in gst-plugins-bad. The gstav1parserparsetilelistobu function passes a byte count to a bit-reader API that expects a bit count, causing parser desynchronization. A remote attacker could trick a user into opening a special...