VIR Vulnerability Intelligence Relay

Search

Found 53,570 results in 2192ms · Match type: Filtered list

Severitycriticalhighmediumlowunknown
0
KEVHas exploit
Reset
CVE Severity CVSS Risk Flags OS Vendor Published Description
CVE-2026-8040 medium 6.4 6.4 8d ago The faq shortocde plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'color' shortcode attribute in the 'faq' shortcode in all versions up to, and including, 1.0 due to insuffi…
CVE-2026-8886 medium 6.4 6.4 8d ago The hk_shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title-plane' shortcode in versions up to, and including, 1.0. This is due to insufficient input sanitizatio…
CVE-2026-8708 medium 4.3 4.3 8d ago The Genzel breadcrumbs plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2. This is due to missing or incorrect nonce validation on the _options…
CVE-2026-8847 medium 6.4 6.4 8d ago The Dideo plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'dideo' shortcode in version 1.0. This is due to insufficient input sanitization and output escaping on th…
CVE-2026-8844 medium 6.4 6.4 8d ago The Responsive Check plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'rspcheck' shortcode in versions up to, and including, 0.0.3. This is due to insufficient input sanitiza…
CVE-2026-8707 medium 6.1 6.1 8d ago The NS Product icon badge plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via PHP_SELF in all versions up to, and including, 1.2.4 due to insufficient input sanitization and outp…
CVE-2026-9014 medium 5.3 5.3 8d ago The WP Promoter plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the reset_stats() function in versions up to, and including, 1.3. The func…
CVE-2026-7614 medium 4.3 4.3 8d ago The Old Posts Highlighter plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.3. This is due to missing or incorrect nonce validation on the OPH…
CVE-2026-8760 critical 9.8 9.8 8d ago The Login with OTP plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.6. This is due to an incomplete fix for CVE-2024-11178: the rate-limit/lockout c…
CVE-2026-8875 medium 6.4 6.4 8d ago The Easy Prism Syntax Highlighter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'code' (and 'c') shortcode in versions up to, and including, 1.0.2. This is due to…
CVE-2026-8894 medium 6.4 6.4 8d ago The iWR Tooltip plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `iwrtooltip` shortcode in versions up to, and including, 1.0. This is due to insufficient input sani…
CVE-2026-8845 medium 6.4 6.4 8d ago The Islamic Database plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'islamicDB-roqya' shortcode in versions up to, and including, 1.0. This is due to insufficient input san…
CVE-2026-8873 medium 6.4 6.4 8d ago The Content Slideshow plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Shortcode Attributes in all versions up to, and including, 2.4.1 due to insufficient input sanitization and…
CVE-2026-8846 medium 6.4 6.4 8d ago The Tuxquote plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'TUXQUOTE' shortcode in versions up to, and including, 1.3. This is due to insufficient input sanitization and o…
CVE-2026-8891 medium 6.4 6.4 8d ago The BitForm plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'bitform' shortcode in versions up to, and including, 1.1.0. This is due to insufficient input sanitizat…
CVE-2026-8871 medium 6.4 6.4 8d ago The Formidable Kinetic plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'kinetic_link' shortcode in versions up to, and including, 1.1.01. This is due to insufficient input s…
CVE-2026-8048 medium 6.4 6.4 8d ago The My Email Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'subject' shortcode attribute in the 'my-email' shortcode in all versions up to, and including, 0.91 d…
CVE-2026-8872 medium 6.4 6.4 8d ago The Animate Your Content plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'animation-set' shortcode in versions up to, and including, 1.0.0. This is due to insuffici…
CVE-2026-8903 medium 4.3 4.3 8d ago The Two-factor authentication (formerly IP Vault) plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1. This is due to missing or incorrect nonce…
CVE-2026-8869 medium 6.4 6.4 8d ago The Mutual Funds Data plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title' shortcode attribute in versions up to, and including, 1.2.1. This is due to insufficient input …
CVE-2026-8911 medium 6.1 6.1 8d ago The WP AutoBuzz plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.1. This is due to missing or incorrect nonce validation on a function. This …
CVE-2026-8898 medium 6.4 6.4 8d ago The Events In City plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'org-events' shortcode in versions up to, and including, 3.0. This is due to insufficient input sanitizati…
CVE-2026-8866 medium 6.4 6.4 8d ago The jQuery googleslides plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'googleslides' shortcode in all versions up to, and including, 1.3. This is due to insufficient input…
CVE-2026-8943 medium 4.3 4.3 8d ago The GoStats for WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4. This is due to missing or incorrect nonce validation on the gosta…
CVE-2026-8941 medium 4.3 4.3 8d ago The CDN Linker lite plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.3.1. This is due to missing or incorrect nonce validation on the ossdl_off_opt…
CVE-2026-8701 medium 6.4 6.4 8d ago The GNTT Post Title Ticker plugin for WordPress is vulnerable to Stored Cross-Site Scripting in version 1.0 via the `title-ticker-slide`, `title-ticker-fade`, and `title-ticker-typing` shortcodes. Th…
CVE-2026-8887 medium 6.4 6.4 8d ago The Listen Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'listen' shortcode in versions up to, and including, 1.0. This is due to insufficient input sanitization…
CVE-2026-8897 medium 6.4 6.4 8d ago The Shortcode Buddy plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Shortcode Attributes in all versions up to, and including, 0.1.9.5 due to insufficient input sanitization and…
CVE-2026-8870 medium 6.4 6.4 8d ago The Team Master – A Modern WordPress Team Showcase plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Shortcode Attributes in all versions up to, and including, 1.1.2 due to insuff…
CVE-2026-8702 medium 6.4 6.4 8d ago The GBI To Print plugin for WordPress is vulnerable to Stored Cross-Site Scripting in version 1.0 via the 'div' attribute of the 'gbitoprint' shortcode. This is due to insufficient output escaping in…
CVE-2026-8938 medium 4.3 4.3 8d ago The auto making JSON-LD plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.5.3. This is due to missing or incorrect nonce validation on the amJL_…
CVE-2026-8939 medium 4.3 4.3 8d ago The Search Simple Fields plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 0.2. This is due to missing or incorrect nonce validation on the search_sim…
CVE-2026-8842 medium 6.4 6.4 8d ago The Google+ Link Name plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'gplusnamelink' shortcode in versions up to, and including, 1.0. This is due to insufficient input sani…
CVE-2026-8703 medium 6.4 6.4 8d ago The Endless Scroll plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Shortcode Attributes in all versions up to, and including, 1.0.0 due to insufficient input sanitization and ou…
CVE-2026-8868 medium 6.4 6.4 8d ago The Single Mailchimp plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'single-mailchimp' shortcode in all versions up to, and including, 1.4. This is due to insufficient inpu…
CVE-2026-8698 medium 6.4 6.4 8d ago The Cryptocurrency Prijsvergelijking Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting in version 1.0. This is due to insufficient output escaping in the as_get_coin_shortcode(…
CVE-2026-8837 medium 6.4 6.4 8d ago The WP Iframe Geo Style for Amazon affiliates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'adid' Shortcode Attribute in all versions up to, and including, 1.1 due to insuffi…
CVE-2026-8877 medium 6.4 6.4 8d ago The Responsive Video Embedder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'rem_video' shortcode in versions up to, and including, 0.1. This is due to insufficient input …
CVE-2026-6287 medium 5.4 5.4 8d ago The ShopLentor - WooCommerce Builder for Elementor & Gutenberg plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'blockUniqId' block attribute in multiple Product Gride blocks…
CVE-2026-9236 medium 4.3 4.3 8d ago The CM Ad Changer – A simple tool to control and optimize your site's banners plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.7. This is due…
CVE-2025-14481 medium 4.3 4.3 8d ago The Yoast SEO plugin for WordPress is vulnerable to Insecure Direct Object References in all versions up to, and including, 26.5. This is due to insufficient authorization checks in the Meta Search R…
CVE-2026-8450 critical 9.1 9.1 FIX debian debian sles 8d ago HTTP::Daemon versions before 6.17 for Perl allow OS command injection via send_file(). send_file() opens its string argument with Perl's 2-arg open(). The 2-arg form interprets magic prefixes: '| cm…
CVE-2026-2255 medium 4.3 4.3 8d ago Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.6 and 11.0.0.0, including 9.3.x and 8.3.x, expose Hadoop cluster credentials in plain text through the Cluster Test API. Al…
CVE-2026-2254 medium 6.3 6.3 8d ago Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.6 and 11.0.0.0, including 9.3.x and 8.3.x, does not apply ACLs on certain API endpoints related to platform mail notficatio…
CVE-2026-9022 medium 6.4 6.4 8d ago The Splide Carousel Block plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'url' Block Attribute in all versions up to, and including, 1.7.1 due to insufficient input sanitizatio…
CVE-2025-15649 medium 5.5 5.5 FIX slesdebian debianwindows windows 8d ago IO::Uncompress::Unzip versions before 2.215 for Perl propagate uncaught exception when parsing zip header with malformed DOS date. _dosToUnixTime() decodes the local-file-header last-modification da…
CVE-2026-48999 medium 5.7 5.7 8d ago Attackers carefully craft malicious scripts, such as JavaScript, and inject them into target systems; when other users access pages containing such malicious content, the scripts are automatically lo…
CVE-2026-6565 medium 6.4 6.4 8d ago The Style Kits – Advanced Theme Styles for Elementor, Elementor Kits & Elementor Patterns plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the '/wp-json/agwp/v1/tokens/save' endp…
CVE-2026-7493 medium 5.3 5.3 8d ago The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to denial of service in all versions up to, and including, 1.6.11.5. This is due to a…
CVE-2026-44979 medium 5.5 9d ago @hapi/wreck leaks sensitive `Proxy-Authorization` header across cross-hostname redirects
CVE-2026-9609 medium 4.7 4.7 9d ago A vulnerability was identified in QianFox FoxCMS up to 1.2.6. This affects the function Edit of the file Admin.php. The manipulation leads to weak password recovery. The attack can be initiated remot…
CVE-2026-44646 medium 5.5 9d ago LiquidJS's `{% render %}` tag silently bypasses per-render `ownPropertyOnly:true` via `Context.spawn()`
CVE-2026-9607 medium 6.3 6.3 9d ago A vulnerability was found in itsourcecode Courier Management System 1.0. The affected element is an unknown function of the file /parcel_list.php. Performing a manipulation of the argument s results …
CVE-2026-44645 medium 5.5 9d ago LiquidJS has a renderLimit DoS guard bypass via empty `{% for %}` body
CVE-2026-44644 medium 5.5 9d ago LiquidJS's strip_html filter bypass via newline characters in HTML tags enables XSS
CVE-2026-44632 critical 9.5 9d ago Yamcs Vulnerable to Server-Side Code Injection (RCE) via Janino Expression Engine in `JavaExprAlgorithmExecutionFactory`
CVE-2026-44596 medium 6.5 EXP 9d ago Yamcs has No Rate Limiting on Authentication Endpoint
CVE-2026-44595 medium 6.5 EXP 9d ago Yamcs vulnerable to unauthorized user enumeration via IAM API endpoints
CVE-2026-44587 medium 5.5 9d ago CarrierWave has a denylisted_content_type bypass via
CVE-2026-8961 medium 6.5 6.5 FIX rheldebian debian sles mozilla 9d ago Important: thunderbird security update
CVE-2026-8959 critical 9.6 9.6 FIX rheldebian debian sles mozilla 9d ago Important: thunderbird security update
CVE-2026-8956 critical 9.8 9.8 FIX rheldebian debian sles mozilla 9d ago Important: thunderbird security update
CVE-2026-8953 critical 9.6 9.6 FIX rheldebian debian sles mozilla 9d ago Important: thunderbird security update
CVE-2026-8950 critical 9.3 9.3 FIX rheldebian debian sles mozilla 9d ago Important: thunderbird security update
CVE-2026-8401 critical 9.8 9.8 FIX rheldebian debian sles mozilla 9d ago Important: thunderbird security update
CVE-2026-8391 medium 5.3 5.3 FIX rheldebian debianalmalinux almalinux mozilla 9d ago Important: thunderbird security update
CVE-2026-8388 medium 6.5 6.5 FIX rheldebian debianalmalinux almalinux mozilla 9d ago Important: thunderbird security update
CVE-2026-38931 medium 5.4 5.4 9d ago A stored cross-site scripting (XSS) vulnerability in the /admin/config-module.php component of creatorsofcode simplephp GitHub commit 5184cff (Latest as of 2026-02-27) via injecting a crafted payload.
CVE-2026-38930 medium 6.5 6.5 9d ago OpenRapid RapidCMS v1.3.1 was discovered to contain an authentication bypass in the /template/default/menu.php component. This vulnerability is exploited via injecting a crafted SQL payload into the …
CVE-2026-38808 medium 5.3 5.3 9d ago SQL Injection vulnerability in uzy-ssm-mall v1.1.0 allows a remote attacker to obtain sensitive information via the ProductMapper.xml and /OrderUtil.java components
CVE-2026-30498 medium 6.3 6.3 9d ago A Cross-Site Request Forgery (CSRF) vulnerability was discovered in the delete.php endpoint of Jason2605 AdminPanel 4.0.
CVE-2025-70116 medium 4.3 4.3 debian debian 9d ago A NULL pointer dereference in GPAC MP4Box: when parsing certain truncated MP4 files, an unknown/invalid stsd entry can result in missing descriptor fields (e.g., codec/mime/profile strings). gf_media…
CVE-2025-68712 medium 5.5 5.5 9d ago SpSoft AppLock (com.sp.protector.free) 7.9.40 for Android allows a local attacker with physical access to bypass fingerprint or PIN authentication. Although the app integrates Android's biometric mec…
CVE-2025-67903 medium 5.3 5.3 9d ago Northern.tech Mender Client 5 before 5.0.4 allows a Cryptographic signature verification bypass.
CVE-2026-8606 medium 5.9 5.9 github 9d ago A Server-Side Request Forgery (SSRF) vulnerability was identified in GitHub Enterprise Server that allowed an attacker to cause the server to issue HTTP requests to internal services via the security…
CVE-2026-44210 medium 5.5 9d ago Kata Containers have VM Escape via virtiofsd Argument Injection through Default-Enabled Pod Annotations
CVE-2026-44176 medium 5.5 9d ago Kirby CMS's `pages.access` permission is not checked during rendering of page drafts
CVE-2026-42568 medium 6.5 EXP 9d ago Yamcs Vulnerable to LDAP Injection in LdapAuthModule
CVE-2026-46740 medium 5.3 5.3 9d ago Mojolicious::Plugin::Statsd versions through 0.04 for Perl allowed metric injections. The metric names and set values were not checked for newlines, colons or pipes. Metrics generated from untrusted…
CVE-2026-41207 medium 5.5 9d ago netty-incubator-codec-ohttp's HPKEContext operations may produce empty byte[] on failures
CVE-2026-8647 medium 4.8 4.8 9d ago Crypt::ScryptKDF versions through 0.010 for Perl uses insecure random number source when no CSPRNG module is available. The random_bytes function fell back to using the built-in rand() function when…
CVE-2026-44985 critical 9.6 9.6 amirraminfar 9d ago Dozzle is a realtime log viewer for docker containers. Prior to 10.5.2, he WebSocket upgrader for the /exec and /attach endpoints uses CheckOrigin: func(r *http.Request) bool { return true }, accepti…
CVE-2026-44966 critical 9.8 9.8 shepherdwind 9d ago Velocity.js is a JavaScript implementation of the Apache Velocity template engine. In 2.1.5 and earlier, a prototype pollution vulnerability was discovered in velocityjs. This issue occurs during the…
CVE-2026-9604 medium 4.3 4.3 9d ago A vulnerability was detected in JeecgBoot up to 3.9.1. This vulnerability affects unknown code of the component AiragModelController. The manipulation of the argument list/queryById results in improp…
CVE-2026-9603 medium 6.5 6.5 9d ago A security vulnerability has been detected in SourceCodester eDoc Doctor Appointment System 1.0. This affects an unknown part of the file /admin/delete-session.php. The manipulation of the argument I…
CVE-2026-48710 medium 6.5 6.5 FIX slesdebian debian encode 9d ago Starlette is a lightweight ASGI framework/toolkit. Prior to version 1.0.1, the HTTP `Host` request header was not validated before being used to reconstruct `request.url`. Because the routing algorit…
CVE-2026-44213 medium 6.5 6.5 9d ago The OpenTelemetry.Exporter.Instana exports telemetry to Instana backend. Prior to 1.1.0, the OpenTelemetry.Exporter.Instana NuGet package does not validate HTTPS/TLS certificates are valid when sendi…
CVE-2025-43451 medium 5.5 5.5 FIX macos macos 9d ago A permissions issue was addressed by removing the vulnerable code. This issue is fixed in macOS Tahoe 26. An app may be able to access sensitive user data.
CVE-2025-46307 medium 5.5 5.5 FIX macos macos 9d ago A logic issue was addressed with improved restrictions. This issue is fixed in macOS Tahoe 26. An app may be able to access sensitive user data.
CVE-2025-46280 medium 5.5 5.5 FIX macos macos 9d ago An out-of-bounds read was addressed with improved bounds checking. This issue is fixed in macOS Tahoe 26. An app may be able to cause unexpected system termination.
CVE-2025-43289 medium 5.5 5.5 FIX macos macos 9d ago A logic issue was addressed with improved validation. This issue is fixed in macOS Sequoia 15.7, macOS Sonoma 14.8, macOS Tahoe 26. A malicious app may be able to access sensitive user data.
CVE-2025-43290 medium 5.5 5.5 FIX macos macos 9d ago A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Sequoia 15.7, macOS Sonoma 14.8, macOS Tahoe 26. An app may be able to modify protected parts of the file …
CVE-2026-44788 medium 6.5 6.5 sharpcompress_project 9d ago SharpCompress is a fully managed C# library to deal with many compression types and formats. In 0.47.4 and earlier, a path traversal vulnerability in IArchive.WriteToDirectory() allows a malicious ar…
CVE-2026-42015 medium 5.3 5.3 FIX debian debian sles rhel 9d ago RHSA-2026:20612: gnutls security update (Important)
CVE-2026-44903 medium 5.5 FIX slesdebian debian 9d ago Prometheus is an open-source monitoring system and time series database. From 2.49.0 to before 3.5.3 and 3.11.3, in the Prometheus server's legacy web UI (enabled via the command-line flag --enable-f…
CVE-2026-9642 critical 9.8 9.8 deltaww 9d ago Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
CVE-2026-9583 medium 4.3 4.3 9d ago A weakness has been identified in SourceCodester CET Automated Grading System with AI Predictive Analytics 1.0. This impacts an unknown function of the file /index.php of the component SQL Handler. E…
CVE-2026-9581 medium 6.3 6.3 9d ago A vulnerability was identified in JeecgBoot up to 3.9.1. The impacted element is an unknown function of the file /sys/comment/add. Such manipulation leads to improper access controls. The attack can …
CVE-2026-44897 medium 6.1 6.1 slesdebian debianwindows windows mistune_project 9d ago Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.2.1, HTMLRenderer.heading() builds the opening <hN> tag by string-concatenating the id attribute value directly into the HTM…
CVE-2026-44450 critical 9.9 9.9 9d ago Lumiverse is a full-featured AI chat application. Prior to 0.9.7, the MCP server creation endpoint validates the command field against an allowlist of binary names but forwards the args array to the …