CVEs from 2026
Total
14,117
critical
critical 1,245
high
high 4,694
medium
medium 4,470
low
low 488
% Critical
8.8%
% with KEV
0.4%
% with exploit
0.8%
Top vendors
Top products
- chrome 522
- firepower_threat_defense_software 300
- firepower_threat_defense 298
- gcp 247
- openclaw 172
- commerce 104
- netweaver_application_server_abap 102
- commerce_b2b 89
Top packages
| CVE | Severity | CVSS | Risk | Flags | OS | Vendor | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-4114 | medium | 6.6 | 6.6 | 2mo ago | Improper handling of Unicode encoding in SonicWall SMA1000 series appliances allows a remote authenticated SSLVPN admin to bypass AMC TOTP authentication. | |||
| CVE-2026-3401 | medium | 6.6 | 6.6 | 3mo ago | A weakness has been identified in SourceCodester Web-based Pharmacy Product Management System 1.0. This affects an unknown part. This manipulation causes session expiration. Remote exploitation of th… | |||
| CVE-2026-41858 | medium | 6.5 | 6.5 | 1h ago | Weak Randomness / Insecure Cryptographic Primitive (CWE-338) in Get-RandomPassword in BOSH-Ecosystem / windows-utilities-release allows a network attacker to estimate VM boot time and reconstruct a s… | |||
| CVE-2026-8653 | medium | 6.5 | 6.5 | 2h ago | The MasterStudy LMS Pro Plus plugin for WordPress is vulnerable to generic SQL Injection via the 'columns' parameter in all versions up to, and including, 4.8.20 due to insufficient escaping on the u… | |||
| CVE-2026-36604 | medium | 6.5 | 6.5 | 1d ago | Mercusys AC12G (EU) V1 router with firmware AC12G(EU)_V1_200909 does not validate the HTTP Host header, enabling DNS rebinding attacks. An external attacker can rebind a domain to the router's intern… | |||
| CVE-2026-36605 | medium | 6.5 | 6.5 | 1d ago | Mercusys AC12G (EU) V1 router with firmware AC12G(EU)_V1_200909 is vulnerable to a HTTP denial of service via a low number of crafted incomplete HTTP requests, causing a persistent crash that require… | |||
| CVE-2026-44653 | medium | 6.5 | 6.5 | 1d ago | LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. In versions up to and including 0.8.3, users with only `VIEW` access to an MCP server can retrieve the server's decrypted a… | |||
| CVE-2026-49144 | medium | 6.5 | 6.5 | 1d ago | browserstack-runner has an unauthenticated arbitrary file read via path traversal in HTTP server | |||
| CVE-2026-5074 | medium | 6.5 | 6.5 | 1d ago | The ARMember Premium plugin for WordPress is vulnerable to SQL Injection via the 'sSortDir_0' parameter of the `get_private_content_data` AJAX action in all versions up to, and including, 7.3.1. This… | |||
| CVE-2026-35049 | medium | 6.5 | 6.5 | 1d ago | wire-ios is an iOS client for the Wire secure messaging application. Prior to version 4.16.0, upon receiving a crafted malicious Proteus external message with an encrypted payload that is shorter tha… | |||
| CVE-2026-35718 | medium | 6.5 | 6.5 | 2d ago | A path traversal vulnerability in the /admin/downloadMedias.cgi endpoint of VIVOTEK INC FD8136-VVTK firmware 0300a allows authenticated attackers to read any file on the device via sending a crafted … | |||
| CVE-2026-8993 | medium | 6.5 | 6.5 | 2d ago | D.Launcher 2 component of Slovak eID client ecosystem contains Improper URL Handler Processing vulnerability. Application registers multiple custom URL handlers that could be exploited to initiate fu… | |||
| CVE-2026-46718 | medium | 6.5 | 6.5 | 2d ago | Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') vulnerability in Apache Calcite. This issue affects Apache Calcite: from 1.5.0 before 1.42. Users are recommended … | |||
| CVE-2026-3198 | medium | 6.5 | 6.5 | 2d ago | MLflow 3.9.0 with basic-auth (`--app-name basic-auth`) fails to enforce authorization checks for multiple Gateway API 'list' endpoints. Specifically, the `BEFORE_REQUEST_HANDLERS` dictionary in `mlfl… | |||
| CVE-2026-3871 | medium | 6.5 | 6.5 | 2d ago | A buffer overflow vulnerability in the UPnP DeletePortMapping() command in Zyxel VMG4005-B50B firmware versions through 5.13(ABRL.5.4)C0 could allow an adjacent attacker to trigger a temporary denial… | |||
| CVE-2026-3870 | medium | 6.5 | 6.5 | 2d ago | A buffer overflow vulnerability in the UPnP AddPortMapping() command in Zyxel VMG4005-B50B firmware versions through 5.13(ABRL.5.4)C0 could allow an adjacent attacker to trigger a temporary denial-of… | |||
| CVE-2026-24753 | medium | 6.5 | 6.5 | 2d ago | Kiteworks is a private data network (PDN). Prior to version 9.3.0, an Insecure Direct Object Reference (IDOR) vulnerability in Kiteworks Secure Data Forms allows an authenticated user to modify resou… | |||
| CVE-2026-0080 | medium | 6.5 | 6.5 | 2d ago | In multiple functions of ubsan_throwing_runtime.cpp, there is a possible way to cause a crash due to an integer overflow. This could lead to remote denial of service with no additional execution priv… | |||
| CVE-2026-0052 | medium | 6.5 | 6.5 | 2d ago | In multiple functions of ubsan_throwing_runtime.cpp, there is a possible way to cause a crash due to an integer overflow. This could lead to remote denial of service with no additional execution priv… | |||
| CVE-2026-0051 | medium | 6.5 | 6.5 | 2d ago | In multiple functions of ubsan_throwing_runtime.cpp, there is a possible way to cause a system crash due to improper input validation. This could lead to remote denial of service with no additional e… | |||
| CVE-2026-0044 | medium | 6.5 | 6.5 | 2d ago | In multiple functions of ubsan_throwing_runtime.cpp, there is a possible way to cause the system to crash due to an integer overflow. This could lead to remote denial of service with no additional ex… | |||
| CVE-2026-0041 | medium | 6.5 | 6.5 | 2d ago | In multiple functions of ubsan_throwing_runtime.cpp, there is a possible UBSan failure due to an integer overflow. This could lead to remote denial of service with no additional execution privileges … | |||
| CVE-2026-0040 | medium | 6.5 | 6.5 | 2d ago | In multiple functions of ubsan_throwing_runtime.cpp, there is a possible way to cause a crash due to an integer overflow. This could lead to remote denial of service with no additional execution priv… | |||
| CVE-2026-0039 | medium | 6.5 | 6.5 | 2d ago | In multiple functions of ubsan_throwing_runtime.cpp, there is a possible persistent denial of service due to an integer overflow. This could lead to remote denial of service with no additional execut… | |||
| CVE-2026-45282 | medium | 6.5 | 6.5 | 2d ago | Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 32.0.0 to before 32.0.9, and 33.0.0 to before 33.0.3, an authenticated attacker can access attachments of… | |||
| CVE-2026-45279 | medium | 6.5 | 6.5 | 2d ago | Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 31.0.0 to before 31.0.14, and 32.0.0 to before 32.0.4, if {lang} is used in the template directory config… | |||
| CVE-2026-45275 | medium | 6.5 | 6.5 | 2d ago | Nextcloud is an open source content collaboration platform. Prior to version 2.7.2, a privilege escalation vulnerability exists in the Approval app that allows a user without sharing permissions to f… | |||
| CVE-2026-23638 | medium | 6.5 | 6.5 | 2d ago | Kiteworks is a private data network (PDN). Prior to version 9.3.0, an Insecure Direct Object Reference (IDOR) vulnerability in Kiteworks Secure Data Forms allows an authenticated attacker to tamper w… | |||
| CVE-2026-45267 | medium | 6.5 | 6.5 | 2d ago | Nextcloud is an open source content collaboration platform. Prior to version 5.2.6, a missing permissions check allowed users to request reading form submissions of other users. This issue has been p… | |||
| CVE-2026-42679 | medium | 6.5 | 6.5 | 2d ago | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Mamunur Rashid Classified Listing allows Path Traversal. This issue affects Classified Listing: from n… | |||
| CVE-2026-42676 | medium | 6.5 | 6.5 | 2d ago | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in myCred allows Stored XSS. This issue affects myCred: from n/a through 3.0.4. | |||
| CVE-2026-42671 | medium | 6.5 | 6.5 | 2d ago | Missing Authorization vulnerability in Paolo GeoDirectory allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects GeoDirectory: from n/a through 2.8.157. | |||
| CVE-2026-10272 | medium | 6.5 | 6.5 | 2d ago | A vulnerability has been found in a4m4 Student-Management-System up to f0c5f6842c5e8c431ff02b5260a565ca844df3a0. The impacted element is an unknown function of the file admin/deleteform.php. Such man… | |||
| CVE-2026-48726 | medium | 6.5 | 6.5 | 3d ago | A bug in Apache Airflow's auth manager logout handling left previously-issued JWT tokens valid after the user clicked logout in the UI: the logout flow for `FabAuthManager` and `KeycloakAuthManager` … | |||
| CVE-2026-42360 | medium | 6.5 | 6.5 | 3d ago | A bug in Apache Airflow's rendered-template field handling caused nested sensitive-key masking (e.g. nested `password` / `token` / `secret` / `api_key` keys inside a JSON template structure) to be by… | |||
| CVE-2026-42358 | medium | 6.5 | 6.5 | 3d ago | A bug in Apache Airflow's Variable response masker caused nested-key redaction (triggered by secret-suffixed key names like `password`, `token`, `secret`, `api_key`) to be bypassed when the JSON valu… | |||
| CVE-2026-40861 | medium | 6.5 | 6.5 | 3d ago | A Dag author could either (a) create a symlink under their task's log directory pointing to an arbitrary file readable by the API server process (read-path attack — e.g. `/etc/passwd` or `airflow.cfg… | |||
| CVE-2026-45192 | medium | 6.5 | 6.5 | 3d ago | A bug in the GET `/api/v2/connections/{connection_id}` REST API endpoint in Apache Airflow allowed an authenticated UI/API user with Connection-read permission to retrieve secrets stored in a Connect… | |||
| CVE-2026-48208 | medium | 6.5 | 6.5 | 3d ago | An improper neutralization of active SVG content in OTRS or ((OTRS)) Community Edition ticket article rendering allows attackers to inject specially crafted SVG payloads via email content, leading to… | |||
| CVE-2026-10190 | medium | 6.5 | 6.5 | 4d ago | A vulnerability was found in Tenda W12 3.0.0.7(4763). This issue affects the function cgiSysWebTimeoutSet of the file /bin/httpd of the component Web Management Interface. The manipulation of the arg… | |||
| CVE-2026-49386 | medium | 6.5 | 6.5 | 5d ago | In JetBrains YouTrack before 2026.1.13570 improper access control allowed enumeration of restricted issues and articles on Planning Canvas | |||
| CVE-2026-49385 | medium | 6.5 | 6.5 | 5d ago | In JetBrains YouTrack before 2026.1.13570 improper access control allowed low-privileged users to modify service accounts | |||
| CVE-2026-49379 | medium | 6.5 | 6.5 | 5d ago | In JetBrains TeamCity before 2026.1 credentials could be exposed in thread names | |||
| CVE-2026-49376 | medium | 6.5 | 6.5 | 5d ago | In JetBrains TeamCity before 2026.1 insufficient username validation in the SAML plugin | |||
| CVE-2026-47745 | medium | 6.5 | 6.5 | 5d ago | Shopper is a Headless e-commerce Admin Panel. Prior to 2.8.0, the admin tables for PaymentMethods, Currencies and Carriers exposed inline toggles and per-record actions (enable, disable, edit, delete… | |||
| CVE-2026-47742 | medium | 6.5 | 6.5 | 5d ago | Shopper is a Headless e-commerce Admin Panel. Prior to 2.8.0, Sub-form Livewire components used in the product editor (Edit, Inventory, Seo, Shipping, Files) had no authorization on their store() met… | |||
| CVE-2026-39229 | medium | 6.5 | 6.5 | 6d ago | Bolt CMS through 3.7.0 allows SQL Injection in the 'order' parameter of the content listing pages. An authenticated attacker with low-level privileges can exploit this through the OrderDirective comp… | |||
| CVE-2026-35673 | medium | 6.5 | 6.5 | 6d ago | OpenClaw before 2026.4.29 contains an SSRF policy bypass vulnerability in browser debug and export routes that allows reuse of already-open blocked tabs. Attackers with access to these routes can byp… | |||
| CVE-2026-9493 | medium | 6.5 | 6.5 | 6d ago | Service Center developed by BankPro E-Service Technology has an Insecure Direct Object Reference vulnerability, allowing authenticated remote attackers to modify the parameter of a specific query fun… | |||
| CVE-2026-9996 | medium | 6.5 | 6.5 | 6d ago | Out of bounds read in WebRTC in Google Chrome on Mac prior to 148.0.7778.216 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromi… | |||
| CVE-2026-9981 | medium | 6.5 | 6.5 | 6d ago | Inappropriate implementation in Skia in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chrom… | |||
| CVE-2026-9953 | medium | 6.5 | 6.5 | 6d ago | Out of bounds read in ANGLE in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium secur… | |||
| CVE-2026-9917 | medium | 6.5 | 6.5 | 6d ago | Uninitialized Use in WebGL in Google Chrome on Android prior to 148.0.7778.216 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chro… | |||
| CVE-2026-9912 | medium | 6.5 | 6.5 | 6d ago | Inappropriate implementation in GPU in Google Chrome on Android prior to 148.0.7778.216 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML pa… | |||
| CVE-2026-9908 | medium | 6.5 | 6.5 | 6d ago | Out of bounds read in ANGLE in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium secur… | |||
| CVE-2026-9882 | medium | 6.5 | 6.5 | 6d ago | Integer overflow in ANGLE in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Critical) | |||
| CVE-2026-10018 | medium | 6.5 | 6.5 | 6d ago | Integer overflow in ANGLE in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium securit… | |||
| CVE-2026-10008 | medium | 6.5 | 6.5 | 6d ago | Uninitialized Use in GPU in Google Chrome on Android prior to 148.0.7778.216 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromi… | |||
| CVE-2026-10004 | medium | 6.5 | 6.5 | 6d ago | Insufficient validation of untrusted input in Passwords in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity:… | |||
| CVE-2026-33464 | medium | 6.5 | 6.5 | 6d ago | Uncontrolled Resource Consumption (CWE-400) in Kibana can lead to a denial of service via Excessive Allocation (CAPEC-130). An authenticated user holding a low-privileged role can submit a specially … | |||
| CVE-2026-49094 | medium | 6.5 | 6.5 | 6d ago | Uncontrolled Resource Consumption (CWE-400) in Kibana can lead to denial of service via Excessive Allocation (CAPEC-130). An authenticated user with viewer-level access can submit a request containin… | |||
| CVE-2026-49095 | medium | 6.5 | 6.5 | 6d ago | Improper Input Validation (CWE-20) in the Kibana Fleet agent policy management feature can lead to privilege escalation. An authenticated user with Fleet management privileges can manipulate agent po… | |||
| CVE-2026-42399 | medium | 6.5 | 6.5 | 6d ago | Uncontrolled Resource Consumption (CWE-400) in Kibana can lead to denial of service via Excessive Allocation (CAPEC-130). An authenticated low-privileged user can cause Kibana to consume exponentiall… | |||
| CVE-2026-42400 | medium | 6.5 | 6.5 | 6d ago | Uncontrolled Resource Consumption (CWE-400) in Kibana can lead to denial of service via Excessive Allocation (CAPEC-130). An authenticated user can send a specially crafted compressed request payload… | |||
| CVE-2026-47673 | medium | 6.5 | 6.5 | 6d ago | Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.21, the jwt and jwk middlewares do not verify that the Authorization header value uses theBearer sc… | |||
| CVE-2026-41141 | medium | 6.5 | 6.5 | 6d ago | EspoCRM is an open source customer relationship management application. Prior to 9.3.5, the POST /api/v1/EmailTemplate/:id/prepare endpoint accepts an emailAddress parameter and resolves the owning e… | |||
| CVE-2026-7048 | medium | 6.5 | 6.5 | 7d ago | The Photo Gallery by 10Web – Mobile-Friendly Image Gallery plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'order_by' parameter in all versions up to, and including, 1.8.… | |||
| CVE-2026-3173 | medium | 6.5 | 6.5 | 7d ago | The Meta Field Block plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.5.1. This is due to the plugin allowing users to specify arbitrary … | |||
| CVE-2026-9796 | medium | 6.5 | 6.5 | 7d ago | A flaw was found in Keycloak. An authenticated administrator with the `manage-clients` role can exploit a Time-of-check to time-of-use (TOCTOU) vulnerability in the name-based admin role checks. This… | |||
| CVE-2026-9792 | medium | 6.5 | 6.5 | 7d ago | A flaw was found in Keycloak's Client Policies, specifically within the `org.keycloak.protocol.oidc` component. When certain condition providers (client-type, client-roles, client-attributes, client-… | |||
| CVE-2026-5737 | medium | 6.5 | 6.5 | 7d ago | The Independent Analytics plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.14.9. This is due to a public tracking route at /wp-json/iawp/searc… | |||
| CVE-2026-47273 | medium | 6.5 | 6.5 | 7d ago | pam_usb provides hardware authentication for Linux using ordinary removable media. Prior to 0.9.0, pam_usb builds XPath expressions from user-supplied identifiers (PAM username, service name) and dev… | |||
| CVE-2026-1402 | medium | 6.5 | 6.5 | 7d ago | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.1 before 18.10.7, 18.11 before 18.11.4, and 19.0 before 19.0.1 that under certain conditions could have allowed an authen… | |||
| CVE-2026-45081 | medium | 6.5 | 6.5 | 7d ago | Frappe HR is an open-source human resources management solution (HRMS). Prior to 16.5.0, authenticated employees could access other employees’ leave details due to improper authorization checks. This… | |||
| CVE-2026-48147 | medium | 6.5 | 6.5 | 7d ago | Budibase is an open-source low-code platform. Prior to 3.35.4, the buildMatcherRegex() / matches() functions in packages/backend-core/src/middleware/matchers.ts route patterns are compiled into unanc… | |||
| CVE-2026-45719 | medium | 6.5 | 6.5 | 7d ago | Budibase: CouchDB Reduce Injection via Unsanitized Calculation Parameter in V1 Views API | |||
| CVE-2026-44317 | medium | 6.5 | 6.5 | 8d ago | free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's PCF POST /npcf-policyauthorization/v1/app-sessions handler panics on a single authenticated request whose as… | |||
| CVE-2026-44324 | medium | 6.5 | 6.5 | 8d ago | free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's UDR nudr-dr DELETE /subscription-data/{ueId}/{servingPlmnId}/ee-subscriptions/{subsId}/amf-subscriptions han… | |||
| CVE-2026-44353 | medium | 6.5 | 6.5 | 8d ago | Streamlink is a CLI utility which pipes video streams from various services into a video player. Prior to 8.4.0, Streamlink's HLS and DASH parsers do not validate the URI scheme of segment entries an… | |||
| CVE-2026-49044 | medium | 6.5 | 6.5 | 8d ago | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Justin Kruit Advanced Custom Fields: Font Awesome Field allows Stored XSS. This issue affects Ad… | |||
| CVE-2026-47118 | medium | 6.5 | 6.5 | 8d ago | Agent Zero before version 1.15 contains a path traversal vulnerability that allows unauthenticated attackers to read arbitrary files by supplying crafted paths to the image file serving endpoint, whi… | |||
| CVE-2026-9035 | medium | 6.5 | 6.5 | 8d ago | IBM Aspera High-Speed Transfer Endpoint 3.7.4 through 4.4.7 Fix Pack 1 and IBM Aspera High-Speed Transfer Server 3.7.4 through 4.4.7 Fix Pack 1 and IBM Aspera High-Speed Transfer Endpoint are affecte… | |||
| CVE-2026-8405 | medium | 6.5 | 6.5 | 8d ago | IBM Guardium Data Protection 12.2.1, and 12.2.2 's add-on feature of Guardium Data Protection named "Long Term Retention" (LTR) can expose sensitive credentials in debug mode. | |||
| CVE-2026-6936 | medium | 6.5 | 6.5 | 8d ago | IBM i 7.6, 7.5, 7.4, and 7.3 s vulnerable to a denial-of-service attack due to uncontrolled recursion in the Integrated Language Environment (ILE) compiler. An authenticated attacker could exploit th… | |||
| CVE-2026-3676 | medium | 6.5 | 6.5 | 8d ago | IBM Cloud APM, Base Private 8.1.4 and IBM Cloud APM, Advanced Private 8.1.4 IBM Db2 for Linux, UNIX and Windows (includes DB2 Connect Server) could allow an authenticated user to cause a denial of se… | |||
| CVE-2026-1933 | medium | 6.5 | 6.5 | 8d ago | A flaw was found in Samba’s handling of NTFS-style reparse points on shares configured with read only = yes. Due to missing SMB-layer access checks, authenticated users with underlying filesystem wri… | |||
| CVE-2026-2340 | medium | 6.5 | 6.5 | 8d ago | A flaw was found in Samba’s vfs_worm module. The module is intended to provide write-once, read-many (WORM) protections by preventing modification of files after a configurable grace period. Due to i… | |||
| CVE-2026-42751 | medium | 6.5 | 6.5 | 8d ago | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpdevelop Booking Manager booking-manager allows Stored XSS.This issue affects Booking Manager: f… | |||
| CVE-2026-42750 | medium | 6.5 | 6.5 | 8d ago | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Nexcess WPComplete wpcomplete allows Stored XSS.This issue affects WPComplete: from n/a through <… | |||
| CVE-2026-42744 | medium | 6.5 | 6.5 | 8d ago | Improper Validation of Specified Quantity in Input vulnerability in Ads by WPQuads Ads by WPQuads quick-adsense-reloaded allows Manipulating Hidden Fields.This issue affects Ads by WPQuads: from n/a … | |||
| CVE-2026-42732 | medium | 6.5 | 6.5 | 8d ago | Improper Validation of Specified Quantity in Input vulnerability in Ads by WPQuads Ads by WPQuads quick-adsense-reloaded allows Input Data Manipulation.This issue affects Ads by WPQuads: from n/a thr… | |||
| CVE-2026-42725 | medium | 6.5 | 6.5 | 8d ago | Authorization Bypass Through User-Controlled Key vulnerability in WP Wham Checkout Files Upload for WooCommerce checkout-files-upload-woocommerce allows Exploiting Incorrectly Configured Access Contr… | |||
| CVE-2026-42726 | medium | 6.5 | 6.5 | 8d ago | Missing Authorization vulnerability in Strategy11 Team AWP Classifieds another-wordpress-classifieds-plugin allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects … | |||
| CVE-2026-48968 | medium | 6.5 | 6.5 | 8d ago | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Averta Master Slider allows DOM-Based XSS. This issue affects Master Slider: from n/a through 3.… | |||
| CVE-2026-48877 | medium | 6.5 | 6.5 | 8d ago | Insertion of Sensitive Information Into Sent Data vulnerability in Tom GenerateBlocks allows Retrieve Embedded Sensitive Data. This issue affects GenerateBlocks: from n/a through 2.1.0. | |||
| CVE-2026-40849 | medium | 6.5 | 6.5 | 8d ago | An low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the user_alarmprofile view due to improper neutralization of special elements in a SQL SELECT command. … | |||
| CVE-2026-40848 | medium | 6.5 | 6.5 | 8d ago | An low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the tag view due to improper neutralization of special elements in a SQL SELECT command. This can resul… | |||
| CVE-2026-40847 | medium | 6.5 | 6.5 | 8d ago | An low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the system_tag view due to improper neutralization of special elements in a SQL SELECT command. This ca… | |||
| CVE-2026-40846 | medium | 6.5 | 6.5 | 8d ago | An low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the system view due to improper neutralization of special elements in a SQL SELECT command. This can re… | |||
| CVE-2026-40845 | medium | 6.5 | 6.5 | 8d ago | An low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the devices_configuration view due to improper neutralization of special elements in a SQL SELECT comma… |