Lucene search
K

368929 matches found

CVE
CVE
added 5 days ago21 views

CVE-2026-33592

The CVE-2026-33592 issue affects open62541 (versions 1.4.0–1.4.16, 1.5.0–1.5.4, and master). An unauthenticated remote attacker can exhaust server memory via the FindServers Discovery Service because the FindServersRequest serverUris field is not validated for length/array size. An adversary can ...

7.5CVSS5.8AI score0.00388EPSS
Exploits0References3
CVE
CVE
added 5 days ago13 views

CVE-2026-11781

The CVE-2026-11781 entry affects the Adminify WordPress plugin prior to version 4.2.10. The vulnerability arises because the plugin does not perform per-user read-capability checks on results returned by an administration search feature. As a result, users with a low-privilege role (Contributor) ...

2.7CVSS5.7AI score0.00189EPSS
Exploits0References1
CVE
CVE
added 5 days ago11 views

CVE-2026-11578

The CVE concerns the Fluent Forms WordPress plugin prior to 6.2.5, where deletion of form submission entries is not properly restricted to forms a restricted Manager is authorized to manage. This misconfiguration allows a Manager limited to specific forms to permanently delete submission entries ...

2.7CVSS5.8AI score0.00168EPSS
Exploits0References1
CVE
CVE
added 5 days ago16 views

CVE-2026-11965

The CVE-2026-11965 entry affects the WordPress plugin User Registration & Membership prior to version 5.2.0. The underlying issue is that the plugin does not enforce payment completion before activating a paid membership subscription, enabling unauthenticated users (after self-registering via the...

6.5CVSS5.8AI score0.00164EPSS
Exploits0References1
CVE
CVE
added 5 days ago15 views

CVE-2026-10077

The affected product is the YOOtheme WordPress theme (prior to 5.0.35). The issue arises in the bundled front-end framework that can treat certain HTML attributes, allowed by wp_kses_post(), as markup, enabling Stored XSS when a user with the Author role views a post. The root cause is improper h...

6.8CVSS5.8AI score0.00235EPSS
Exploits0References1
CVE
CVE
added 5 days ago16 views

CVE-2026-13704

Summary: CVE-2026-13704 affects the GiveWP – Donation Plugin and Fundraising Platform for WordPress. The vulnerability is a Stored Cross‑Site Scripting issue exploitable via the parameter sequoia[introduction][image] and exists in all versions up to and including 4.16.1 due to insufficient input ...

6.4CVSS5.9AI score0.00235EPSS
Exploits0References9
CVE
CVE
added 5 days ago15 views

CVE-2026-10089

CVE-2026-10089 concerns the WordPress plugin Insert Pages (versions up to 3.11.4). It describes a Stored XSS where the meta field key (not the value) is interpolated into rendered HTML without escaping when rendering a page via the [insert page] shortcode. The underlying cause is insufficient esc...

6.4CVSS5.9AI score0.00217EPSS
Exploits0References8
CVE
CVE
added 5 days ago14 views

CVE-2026-5348

The CVE concerns the WordPress plugin Academy LMS (WordPress LMS Plugin for Complete eLearning Solution) up to version 3.8.1. The root cause is the REST API endpoint /topics being registered with a permission callback of __return_true, which permits unauthenticated access to course curriculum dat...

5.3CVSS5.8AI score0.00262EPSS
Exploits0References8
CVE
CVE
added 5 days ago13 views

CVE-2026-11592

The CVE-2026-11592 entry concerns the WordPress plugin Email Subscribers & Newsletters (formerly “Email Marketing, Post Notifications & Newsletter”). It describes an authorization bypass vulnerability affecting all versions up to and including 5.9.27. The root cause is that the plugin fails to ve...

4.3CVSS5.9AI score0.00272EPSS
Exploits0References12
CVE
CVE
added 5 days ago14 views

CVE-2026-13357

The Houzez Property Feed WordPress plugin (up to version 2.5.46) is vulnerable to SQL Injection via the 'orderby' parameter. The issue stems from user-controlled $_GET['orderby'] and $_GET['order'] being filtered only with sanitize_text_field() and concatenated into the SQL format string before $...

4.9CVSS5.8AI score0.00288EPSS
Exploits0References6
CVE
CVE
added 5 days ago17 views

CVE-2026-5821

The CVE-2026-5821 entry details a vulnerability in the WordPress Image Optimizer plugin (versions up to 1.7.4). The root cause is insufficient path validation in Image_Backup::remove(), where backup file paths stored in the image_optimizer_metadata post meta are used directly for deletion without...

8.1CVSS5.9AI score0.00354EPSS
Exploits0References8
CVE
CVE
added 5 days ago17 views

CVE-2026-14249

The CVE refers to the WordPress plugin “Request a Quote” (versions up to and including 2.5.5). The vulnerability is a Code Injection via the emd_delete_file AJAX action. The handler derives a PHP function name from attacker-controlled $_POST['path'] and invokes it dynamically through a variable-f...

7.5CVSS6AI score0.00333EPSS
Exploits0References6
CVE
CVE
added 5 days ago12 views

CVE-2026-11600

The CVE-2026-11600 entry concerns Envo’s Templates & Widgets for Elementor and WooCommerce (WordPress). Affected: Tabs and Off Canvas widgets up to version 1.4.26. Root cause: the Tabs widget render() passes a user-controlled template/post ID to Elementor’s get_builder_content_for_display() witho...

4.3CVSS5.7AI score0.00223EPSS
Exploits0References8
CVE
CVE
added 5 days ago15 views

CVE-2026-57278

GeoWebPlayer (Web Plugin/WS Player) vulnerable to a stack-based buffer overflow in the connectInfo handler, specifically in the ip field (conn_info.ip_or_host) with unbounded JSON input. TALOS confirms multiple CVEs in the same connectInfo codepath, including potential arbitrary code execution in...

8.3CVSS5.9AI score0.0028EPSS
Exploits0References2
CVE
CVE
added 5 days ago13 views

CVE-2026-57277

CVE-2026-57277 affects GeoWebPlayer (Web Plugin/WS Player) GeoVision GeoWebPlayer Websocket Server connectInfo handler. The vulnerability is a stack-based buffer overflow in the key field (buffer key_blob[17]), caused by copying attacker-controlled JSON fields into fixed-size buffers without prop...

8.3CVSS5.9AI score0.0028EPSS
Exploits0References2
CVE
CVE
added 5 days ago14 views

CVE-2026-57276

GeoWebPlayer’s Websocket Server connectInfo handler contains stack-based buffer overflow vulnerabilities in several fields (e.g., username/password/password_enc with key present; ip, key_blob) leading to potential arbitrary code execution. Affected product: GeoWebPlayer (GeoVision GV-VMS/GV-Cloud...

8.3CVSS5.9AI score0.00286EPSS
Exploits0References2
CVE
CVE
added 5 days ago11 views

CVE-2026-57275

Geovision GeoWebPlayer Websocket Server connectInfo handler is vulnerable to stack-based buffer overflows in multiple fields when handling JSON input (username, password, username_enc, password_enc, key, ip). Affected product: GeoWebPlayer (GeoVision software family), with version context cited b...

8.3CVSS5.9AI score0.00286EPSS
Exploits0References2
CVE
CVE
added 5 days ago12 views

CVE-2026-57274

GeoWebPlayer’s CVE-2026-57274 is a buffer overflow in the connectInfo password handling of the Websocket Server (no key present) affecting GeoWebPlayer 1.1.1.0. A crafted websocket message can overflow the 64-byte password buffer, potentially enabling arbitrary code execution. Vendor patch releas...

8.3CVSS5.9AI score0.00286EPSS
Exploits0References2
CVE
CVE
added 5 days ago11 views

CVE-2026-57273

GeoWebPlayer Websocket Server connectInfo handler in GeoVision software contains multiple stack-based buffer overflows in user-supplied JSON fields. Specifically, overflows occur in: username and password when key is absent (64-byte buffers), and username_enc, password_enc, key_blob, ip fields wh...

8.3CVSS5.9AI score0.00286EPSS
Exploits0References2
CVE
CVE
added 5 days ago12 views

CVE-2026-57272

GeoWebPlayer/Websocket Server in GeoVision software (GV-VMS, GV-Cloud, etc.) uses an index parameter that is not validated, allowing out-of-bounds reads when handling localhost commands. This is the stated root cause and leads to the reported vulnerability (CVE-2026-57272). Impact is noted as hig...

8.3CVSS5.8AI score0.00247EPSS
Exploits0References2
Rows per page
Query Builder