| CVE-2025-13392 |
critical |
9.8 |
9.8 |
|
|
|
10d ago |
Improper check for unusual or exceptional conditions vulnerability in SSO in Synology DiskStation Manager (DSM) before 7.2.2-72806-5 and 7.3.1-86003-1 (7.2.1-69057 is not affected) allows remote atta… |
| CVE-2025-22741 |
high |
7.1 |
7.1 |
|
|
|
10d ago |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in RiceTheme Felan Framework allows Reflected XSS.
This issue affects Felan Framework: from n/a thr… |
| CVE-2025-13167 |
medium |
5.4 |
5.4 |
|
|
synology |
10d ago |
Improper neutralization of input during web page generation ('Cross-site Scripting') vulnerability in contact functionality in Synology Contacts before 1.0.10-20659 allows remote authenticated users … |
| CVE-2025-10466 |
medium |
5.9 |
5.9 |
|
|
synology |
10d ago |
Improper neutralization of input during web page generation ('Cross-site Scripting') vulnerability in Safe Access in Synology Safe Access before 1.3.1-0329 allows remote authenticated users with admi… |
| CVE-2024-47271 |
medium |
4.9 |
4.9 |
|
|
synology |
10d ago |
Insufficiently protected credentials vulnerability in IPSpeaker component in Synology Surveillance Station before 9.2.2-11575 and 9.2.2-9575 allows remote authenticated users with administrator privi… |
| CVE-2024-47269 |
medium |
4.9 |
4.9 |
|
|
synology |
10d ago |
Cleartext transmission of sensitive information vulnerability in Export Key functionality in Synology Surveillance Station before 9.2.2-11575 and 9.2.2-9575 allows remote authenticated users with adm… |
| CVE-2024-47268 |
medium |
4.9 |
4.9 |
|
|
synology |
10d ago |
Missing authorization vulnerability in AddOns functionality in Synology Surveillance Station before 9.2.2-11575 and 9.2.2-9575 allows remote authenticated users with administrator privileges to obtai… |
| CVE-2024-11399 |
medium |
6.8 |
6.8 |
|
|
synology |
10d ago |
Files or directories accessible to external parties vulnerability in redis-server component in Synology BeeDrive for desktop before 1.3.2-13814 allows local users to conduct denial-of-service attacks… |
| CVE-2023-52945 |
high |
7.8 |
7.8 |
|
|
synology |
10d ago |
Uncontrolled search path element vulnerability in OpenSSL DLL component in Synology BeeDrive for desktop before 1.3.2-13814 allows local users to execute arbitrary code via unspecified vectors. |
| CVE-2026-49002 |
critical |
9.1 |
9.1 |
|
|
|
10d ago |
Access control failure means that an application does not effectively check user access permissions, so that unauthorized users can access system data beyond their permissions, such as viewing and mo… |
| CVE-2026-40852 |
high |
7.2 |
7.2 |
|
|
|
10d ago |
A highly authenticated attacker can alter the config generator injecting a payload into future created configurations. The device is not correctly checking this configuration value before passing it … |
| CVE-2026-40851 |
high |
8.4 |
8.4 |
|
|
|
10d ago |
A local attacker can perform a confusion attack on the cfgparser via a specially crafted file on a USB stick leading to code execution. This can result in a total loss of confidentiality, integrity … |
| CVE-2026-40850 |
high |
7.5 |
7.5 |
|
|
|
10d ago |
An unauthenticated remote attacker can exploit an unauthenticated SQL Injection vulnerability in the getAccountData function due to improper neutralization of special elements in a SQL SELECT command… |
| CVE-2026-40849 |
medium |
6.5 |
6.5 |
|
|
|
10d ago |
A low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the user_alarmprofile view due to improper neutralization of special elements in a SQL SELECT command. … |
| CVE-2026-40848 |
medium |
6.5 |
6.5 |
|
|
|
10d ago |
A low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the tag view due to improper neutralization of special elements in a SQL SELECT command. This can resul… |
| CVE-2026-40847 |
medium |
6.5 |
6.5 |
|
|
|
10d ago |
A low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the system_tag view due to improper neutralization of special elements in a SQL SELECT command. This ca… |
| CVE-2026-40846 |
medium |
6.5 |
6.5 |
|
|
|
10d ago |
A low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the system view due to improper neutralization of special elements in a SQL SELECT command. This can re… |
| CVE-2026-40845 |
medium |
6.5 |
6.5 |
|
|
|
10d ago |
A low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the devices_configuration view due to improper neutralization of special elements in a SQL SELECT comma… |
| CVE-2026-40844 |
medium |
6.5 |
6.5 |
|
|
|
10d ago |
A low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the dashboard view due to improper neutralization of special elements in a SQL SELECT command. This can… |
| CVE-2026-40843 |
medium |
6.5 |
6.5 |
|
|
|
10d ago |
A low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the alarming view due to improper neutralization of special elements in a SQL SELECT command. This can … |
| CVE-2026-40842 |
medium |
6.5 |
6.5 |
|
|
|
10d ago |
A low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the getWidgetTags function due to improper neutralization of special elements in a SQL SELECT command. … |
| CVE-2026-40841 |
medium |
6.5 |
6.5 |
|
|
|
10d ago |
A low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the getProjectTags function due to improper neutralization of special elements in a SQL SELECT command.… |
| CVE-2026-40840 |
medium |
6.5 |
6.5 |
|
|
|
10d ago |
A low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the VerifyCreateLicences function due to improper neutralization of special elements in a SQL SELECT co… |
| CVE-2026-40839 |
medium |
6.5 |
6.5 |
|
|
|
10d ago |
A low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the getComponentScalings function due to improper neutralization of special elements in a SQL SELECT co… |
| CVE-2026-40838 |
medium |
6.5 |
6.5 |
|
|
|
10d ago |
A low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the getDeviceScalings function due to improper neutralization of special elements in a SQL SELECT comma… |
| CVE-2026-40837 |
medium |
6.5 |
6.5 |
|
|
|
10d ago |
A low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the getProjectScalings function due to improper neutralization of special elements in a SQL SELECT comm… |
| CVE-2026-40836 |
high |
7.1 |
7.1 |
|
|
|
10d ago |
A low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the inmessage model due to improper neutralization of special elements in a SQL DELETE command allowing… |
| CVE-2026-40835 |
medium |
6.5 |
6.5 |
|
|
|
10d ago |
A low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the saveObjectFromData function due to improper neutralization of special elements in a SQL SELECT comm… |
| CVE-2026-40834 |
high |
7.1 |
7.1 |
|
|
|
10d ago |
A low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the dash_layout.php file's saveDashboardLayout function due to improper neutralization of special elemen… |
| CVE-2026-40833 |
high |
7.1 |
7.1 |
|
|
|
10d ago |
A low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the dash.php file's saveDashboardLayout function due to improper neutralization of special elements in a… |
| CVE-2026-40832 |
medium |
6.5 |
6.5 |
|
|
|
10d ago |
A low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the getDevicegroups function due to improper neutralization of special elements in a SQL SELECT command… |
| CVE-2026-40831 |
medium |
6.5 |
6.5 |
|
|
|
10d ago |
A low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the Easy View due to improper neutralization of special elements in a SQL SELECT command. This can resu… |
| CVE-2026-40830 |
medium |
5.5 |
5.5 |
|
|
|
10d ago |
A high privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the admin.mbnetj.php file's UpdateParam function due to improper neutralization of special elements in a… |
| CVE-2026-40829 |
medium |
5.5 |
5.5 |
|
|
|
10d ago |
A high privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the view.html.php file's UpdateParam function due to improper neutralization of special elements in a SQ… |
| CVE-2026-40828 |
medium |
5.5 |
5.5 |
|
|
|
10d ago |
A high privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the DeleteSysLogEntry function due to improper neutralization of special elements in a SQL DELETE comma… |
| CVE-2026-40827 |
medium |
5.5 |
5.5 |
|
|
|
10d ago |
A high privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the _RemoveRequest function due to improper neutralization of special elements in a SQL DELETE command … |
| CVE-2026-40826 |
medium |
4.9 |
4.9 |
|
|
|
10d ago |
A high privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the dsgvo_contracts view due to improper neutralization of special elements in a SQL SELECT command. Th… |
| CVE-2026-40825 |
medium |
5.5 |
5.5 |
|
|
|
10d ago |
A high privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the accountstatus view devices parameter due to improper neutralization of special elements in a SQL UP… |
| CVE-2026-40824 |
medium |
5.5 |
5.5 |
|
|
|
10d ago |
A high privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the accountstatus view userid parameter due to improper neutralization of special elements in a SQL UPD… |
| CVE-2026-40823 |
medium |
5.5 |
5.5 |
|
|
|
10d ago |
A high privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the DevSerialReset function due to improper neutralization of special elements in a SQL UPDATE command … |
| CVE-2026-40822 |
medium |
4.9 |
4.9 |
|
|
|
10d ago |
A high privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the DevSerialReset function due to improper neutralization of special elements in a SQL SELECT command.… |
| CVE-2026-40821 |
medium |
4.9 |
4.9 |
|
|
|
10d ago |
A high privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the getAccountByID function due to improper neutralization of special elements in a SQL SELECT command.… |
| CVE-2026-40819 |
high |
7.5 |
7.5 |
|
|
|
10d ago |
An unauthenticated remote attacker can exploit an unauthenticated SQL Injection vulnerability in the sync_data24 task due to improper neutralization of special elements in a SQL SELECT command. This … |
| CVE-2026-40818 |
high |
7.5 |
7.5 |
|
|
|
10d ago |
An unauthenticated remote attacker can exploit an unauthenticated SQL Injection vulnerability in the _mb24confi_getDevice function due to improper neutralization of special elements in a SQL SELECT c… |
| CVE-2026-40817 |
high |
7.5 |
7.5 |
|
|
|
10d ago |
An unauthenticated remote attacker can exploit an unauthenticated SQL Injection vulnerability in the getAlarmProfiles function due to improper neutralization of special elements in a SQL SELECT comma… |
| CVE-2026-40816 |
high |
7.5 |
7.5 |
|
|
|
10d ago |
An unauthenticated remote attacker can exploit an unauthenticated SQL Injection vulnerability in the mb24alarm.php file's _mb24confi_getTagAlarm function due to improper neutralization of special elem… |
| CVE-2026-40815 |
high |
7.5 |
7.5 |
|
|
|
10d ago |
An unauthenticated remote attacker can exploit an unauthenticated SQL Injection vulnerability in the _mb24api_getUserAccount function due to improper neutralization of special elements in a SQL SELEC… |
| CVE-2026-40814 |
high |
7.5 |
7.5 |
|
|
|
10d ago |
An unauthenticated remote attacker can exploit an unauthenticated SQL Injection vulnerability in the dataapi.php file's _mb24confi_getTagAlarm function due to improper neutralization of special elemen… |
| CVE-2026-8042 |
medium |
6.4 |
6.4 |
|
|
|
10d ago |
The Github Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'repo' shortcode attribute in the 'github' shortcode in all versions up to, and including, 0.1 due to in… |
| CVE-2026-8942 |
medium |
4.3 |
4.3 |
|
|
|
10d ago |
The MetaMagic SEO Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.6. This is due to missing or incorrect nonce validation on the metama… |
| CVE-2026-8906 |
medium |
6.1 |
6.1 |
|
|
|
10d ago |
The WP Promoter plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3. This is due to missing or incorrect nonce validation on a function. This ma… |
| CVE-2026-3375 |
high |
7.2 |
7.2 |
|
|
|
10d ago |
The LiteSpeed Cache plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the /wp-json/litespeed/v1/notify_ccss and /wp-json/litespeed/v1/notify_ucss REST API endpoints in all version… |
| CVE-2026-3001 |
medium |
6.1 |
6.1 |
|
|
|
10d ago |
The Gutenverse plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 's' parameter in all versions up to, and including, 3.4.6 due to insufficient input sanitization and output… |
| CVE-2026-40813 |
high |
7.5 |
7.5 |
|
|
|
10d ago |
An unauthenticated remote attacker can exploit an unauthenticated SQL Injection vulnerability in the getLiveValues function's tagid parameter due to improper neutralization of special elements in a SQ… |
| CVE-2026-40812 |
high |
7.5 |
7.5 |
|
|
|
10d ago |
An unauthenticated remote attacker can exploit an unauthenticated SQL Injection vulnerability in the getLiveValues function's sn parameter due to improper neutralization of special elements in a SQL S… |
| CVE-2026-40811 |
high |
7.5 |
7.5 |
|
|
|
10d ago |
An unauthenticated remote attacker can exploit an unauthenticated SQL Injection vulnerability in the ssoabstractservice due to improper neutralization of special elements in a SQL SELECT command. Thi… |
| CVE-2026-40810 |
high |
7.5 |
7.5 |
|
|
|
10d ago |
An unauthenticated remote attacker can exploit an unauthenticated SQL Injection vulnerability in the userinfo endpoint due to improper neutralization of special elements in a SQL SELECT command. This… |
| CVE-2026-49001 |
medium |
5.3 |
5.3 |
|
|
|
10d ago |
Cross-site request forgery (CSRF) vulnerabilities allow attackers to exploit a user's authenticated session to forge cross-site requests, inducing the execution of unintended operations such as tampe… |
| CVE-2025-41669 |
high |
8.8 |
8.8 |
|
|
|
10d ago |
The Web-based Management allows a remote low privileged Engineer user to install additional APPs on the device downloaded from the PLCnext Store without implementing any data verification mechanism, … |
| CVE-2025-41670 |
high |
7.8 |
7.8 |
|
|
|
10d ago |
A local user with low privileges may be able to influence the behavior of a privileged system service by manipulating configuration or application-related files located in user-writable areas of the … |
| CVE-2026-41704 |
medium |
5.0 |
5.0 |
|
|
|
10d ago |
AgentClient#handle_method (lines 264-303) processes every NATS reply. It calls inject_compile_log (line 273) on every response, which reads response['value']['result']['compile_log_id'] (line 332-338… |
| CVE-2026-3895 |
medium |
6.4 |
6.4 |
|
|
|
10d ago |
The WPBakery Page Builder Addons by Livemesh plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `lvca_admin_ajax` AJAX action in all versions up to, and including, 3.9.4 due to… |
| CVE-2026-8143 |
high |
7.2 |
7.2 |
|
|
|
10d ago |
The HBook plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'hb_country_iso', 'hb_usa_state_iso', and 'hb_canada_province_iso' parameters in all versions up to, and including,… |
| CVE-2026-6169 |
high |
7.2 |
7.2 |
|
|
|
10d ago |
The affiliate-toolkit plugin for WordPress is vulnerable to remote code execution in all versions up to, and including, 3.8.5. This is due to the plugin using the BladeOne templating engine's runStri… |
| CVE-2026-2030 |
medium |
6.4 |
6.4 |
|
|
|
10d ago |
The WPBakery Page Builder Addons by Livemesh plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `[lvca_carousel]` and `[lvca_posts_carousel]` shortcode attributes in all versio… |
| CVE-2026-7618 |
medium |
4.9 |
4.9 |
|
|
|
10d ago |
The EnvíaloSimple: Email Marketing y Newsletters plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'orderby' parameter in all versions up to, and including, 2.4.5 due to in… |
| CVE-2026-3896 |
medium |
6.4 |
6.4 |
|
|
|
10d ago |
The Livemesh SiteOrigin Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `lsow_admin_ajax` AJAX action in all versions up to, and including, 3.9.2 due to missing auth… |
| CVE-2026-3897 |
medium |
6.4 |
6.4 |
|
|
|
10d ago |
The Livemesh Addons for Beaver Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `labb_admin_ajax` AJAX action in all versions up to, and including, 3.9.2 due to missi… |
| CVE-2026-8832 |
high |
8.8 |
8.8 |
|
|
|
10d ago |
The WPCode - Insert Headers and Footers + Custom Code Snippets - WordPress Code Manager plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 2.3.5. This is due… |
| CVE-2026-3279 |
medium |
6.5 |
6.5 |
|
|
|
10d ago |
The Enable jQuery Migrate Helper plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `downgrade_jquery_version()` function in all versions… |
| CVE-2026-41009 |
medium |
5.8 |
5.8 |
|
|
|
10d ago |
When the director sends a long-running request (e.g. compile_package), the agent's reply JSON is consumed by AgentClient. inject_compile_log (line 332-339) reads response['value']['result']['compile_… |
| CVE-2026-6268 |
high |
7.1 |
7.1 |
|
|
|
10d ago |
The EventPress WordPress theme before 22.2 does not sanitize or escape the 'id' parameter in the eventpress_customizer_notify_dismiss_action AJAX handler before outputting it back in the response, al… |
| CVE-2026-8884 |
medium |
6.4 |
6.4 |
|
|
|
10d ago |
The Instant-Quote.co Quotation Page plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Shortcode Attributes in all versions up to, and including, 1.3.4 due to insufficient input sa… |
| CVE-2026-8867 |
medium |
6.4 |
6.4 |
|
|
|
10d ago |
The Post Category Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'postcategorygallery' shortcode in versions up to, and including, 1.0.0. This is due to in… |
| CVE-2026-8994 |
high |
8.1 |
8.1 |
|
|
|
10d ago |
The Login with NEAR plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 0.3.3. The `ajaxLoginWithNear()` function — registered as a `wp_ajax_nopriv` acti… |
| CVE-2026-8899 |
medium |
6.4 |
6.4 |
|
|
|
10d ago |
The Auto Thumbnail plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'thumbnails' shortcode in all versions up to, and including, 1.0. This is due to insufficient input saniti… |
| CVE-2026-8040 |
medium |
6.4 |
6.4 |
|
|
|
10d ago |
The faq shortocde plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'color' shortcode attribute in the 'faq' shortcode in all versions up to, and including, 1.0 due to insuffi… |
| CVE-2026-8886 |
medium |
6.4 |
6.4 |
|
|
|
10d ago |
The hk_shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title-plane' shortcode in versions up to, and including, 1.0. This is due to insufficient input sanitizatio… |
| CVE-2026-8708 |
medium |
4.3 |
4.3 |
|
|
|
10d ago |
The Genzel breadcrumbs plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2. This is due to missing or incorrect nonce validation on the _options… |
| CVE-2026-8847 |
medium |
6.4 |
6.4 |
|
|
|
10d ago |
The Dideo plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'dideo' shortcode in version 1.0. This is due to insufficient input sanitization and output escaping on th… |
| CVE-2026-8844 |
medium |
6.4 |
6.4 |
|
|
|
10d ago |
The Responsive Check plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'rspcheck' shortcode in versions up to, and including, 0.0.3. This is due to insufficient input sanitiza… |
| CVE-2026-8707 |
medium |
6.1 |
6.1 |
|
|
|
10d ago |
The NS Product icon badge plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via PHP_SELF in all versions up to, and including, 1.2.4 due to insufficient input sanitization and outp… |
| CVE-2026-9014 |
medium |
5.3 |
5.3 |
|
|
|
10d ago |
The WP Promoter plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the reset_stats() function in versions up to, and including, 1.3. The func… |
| CVE-2026-7614 |
medium |
4.3 |
4.3 |
|
|
|
10d ago |
The Old Posts Highlighter plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.3. This is due to missing or incorrect nonce validation on the OPH… |
| CVE-2026-8760 |
critical |
9.8 |
9.8 |
|
|
|
10d ago |
The Login with OTP plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.6. This is due to an incomplete fix for CVE-2024-11178: the rate-limit/lockout c… |
| CVE-2026-8875 |
medium |
6.4 |
6.4 |
|
|
|
10d ago |
The Easy Prism Syntax Highlighter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'code' (and 'c') shortcode in versions up to, and including, 1.0.2. This is due to… |
| CVE-2026-8894 |
medium |
6.4 |
6.4 |
|
|
|
10d ago |
The iWR Tooltip plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `iwrtooltip` shortcode in versions up to, and including, 1.0. This is due to insufficient input sani… |
| CVE-2026-8845 |
medium |
6.4 |
6.4 |
|
|
|
10d ago |
The Islamic Database plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'islamicDB-roqya' shortcode in versions up to, and including, 1.0. This is due to insufficient input san… |
| CVE-2026-8873 |
medium |
6.4 |
6.4 |
|
|
|
10d ago |
The Content Slideshow plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Shortcode Attributes in all versions up to, and including, 2.4.1 due to insufficient input sanitization and… |
| CVE-2026-8787 |
high |
8.8 |
8.8 |
|
|
|
10d ago |
The Firebase Support & Chat Management plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 3.1.1. This is due to the `firebase_auth()` function authentica… |
| CVE-2026-8846 |
medium |
6.4 |
6.4 |
|
|
|
10d ago |
The Tuxquote plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'TUXQUOTE' shortcode in versions up to, and including, 1.3. This is due to insufficient input sanitization and o… |
| CVE-2026-8891 |
medium |
6.4 |
6.4 |
|
|
|
10d ago |
The BitForm plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'bitform' shortcode in versions up to, and including, 1.1.0. This is due to insufficient input sanitizat… |
| CVE-2026-8871 |
medium |
6.4 |
6.4 |
|
|
|
10d ago |
The Formidable Kinetic plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'kinetic_link' shortcode in versions up to, and including, 1.1.01. This is due to insufficient input s… |
| CVE-2026-8048 |
medium |
6.4 |
6.4 |
|
|
|
10d ago |
The My Email Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'subject' shortcode attribute in the 'my-email' shortcode in all versions up to, and including, 0.91 d… |
| CVE-2026-8872 |
medium |
6.4 |
6.4 |
|
|
|
10d ago |
The Animate Your Content plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'animation-set' shortcode in versions up to, and including, 1.0.0. This is due to insuffici… |
| CVE-2026-8903 |
medium |
4.3 |
4.3 |
|
|
|
10d ago |
The Two-factor authentication (formerly IP Vault) plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1. This is due to missing or incorrect nonce… |
| CVE-2026-8869 |
medium |
6.4 |
6.4 |
|
|
|
10d ago |
The Mutual Funds Data plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title' shortcode attribute in versions up to, and including, 1.2.1. This is due to insufficient input … |
| CVE-2026-8911 |
medium |
6.1 |
6.1 |
|
|
|
10d ago |
The WP AutoBuzz plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.1. This is due to missing or incorrect nonce validation on a function. This … |
| CVE-2026-8898 |
medium |
6.4 |
6.4 |
|
|
|
10d ago |
The Events In City plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'org-events' shortcode in versions up to, and including, 3.0. This is due to insufficient input sanitizati… |
| CVE-2026-8866 |
medium |
6.4 |
6.4 |
|
|
|
10d ago |
The jQuery googleslides plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'googleslides' shortcode in all versions up to, and including, 1.3. This is due to insufficient input… |