CVEs from 2026
- Total: 13,875
- Critical: 1,106
- High: 3,902
- Medium: 3,948
- Low: 413
- % Critical: 8.0%
- % with KEV: 0.4%
- % with exploit: 0.4%
Top products
- firepower_threat_defense 298
- chrome 298
- firepower_threat_defense_software 295
- gcp 221
- openclaw 166
- commerce 104
- commerce_b2b 89
- magento 74
| CVE | Severity | CVSS | Risk | Published | Description | Impact |
|---|---|---|---|---|---|---|
| CVE-2026-48147 | medium | 6.5 | 6.5 | 14h ago | Budibase is an open-source low-code platform. Prior to 3.35.4, the buildMatcherRegex() / matches() functions in packages/backend-core/src/middleware/matchers.ts route patterns are compiled into unanc… | |
| CVE-2026-45719 | medium | 6.5 | 6.5 | 14h ago | Budibase: CouchDB Reduce Injection via Unsanitized Calculation Parameter in V1 Views API | |
| CVE-2026-44317 | medium | 6.5 | 6.5 | 15h ago | free5GC's PCF npcf-policyauthorization POST /app-sessions panics on suppFeat=1 with missing AfRoutReq via nil pointer dereference | |
| CVE-2026-44324 | medium | 6.5 | 6.5 | 16h ago | free5GC's UDR nudr-dr DELETE amf-subscriptions panics on missing UE state via nil interface type assertion (single authenticated request) | |
| CVE-2026-44318 | medium | 6.5 | 6.5 | 16h ago | free5GC's BSF concurrent PUT /nbsf-management/v1/subscriptions/{subId} crashes the BSF process via concurrent map read/write on Subscriptions | |
| CVE-2026-44353 | medium | 6.5 | 6.5 | 16h ago | Streamlink is a CLI utility which pipes video streams from various services into a video player. Prior to 8.4.0, Streamlink's HLS and DASH parsers do not validate the URI scheme of segment entries an… | |
| CVE-2026-49044 | medium | 6.5 | 6.5 | 17h ago | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Justin Kruit Advanced Custom Fields: Font Awesome Field allows Stored XSS. This issue affects Ad… | |
| CVE-2026-47118 | medium | 6.5 | 6.5 | 17h ago | Agent Zero before version 1.15 contains a path traversal vulnerability that allows unauthenticated attackers to read arbitrary files by supplying crafted paths to the image file serving endpoint, whi… | |
| CVE-2026-9035 | medium | 6.5 | 6.5 | 18h ago | IBM Aspera High-Speed Transfer Endpoint 3.7.4 through 4.4.7 Fix Pack 1 and IBM Aspera High-Speed Transfer Server 3.7.4 through 4.4.7 Fix Pack 1 and IBM Aspera High-Speed Transfer Endpoint are affecte… | |
| CVE-2026-8405 | medium | 6.5 | 6.5 | 18h ago | IBM Guardium Data Protection 12.2.1 and 12.2.2's add-on feature of Guardium Data Protection named "Long Term Retention" (LTR) can expose sensitive credentials in debug mode. | |
| CVE-2026-6938 | medium | 6.5 | 6.5 | 18h ago | IBM Db2 12.1.0 through 12.1.4 is vulnerable to authorization bypass when uploading to a remote object storage path with a special query. | |
| CVE-2026-6936 | medium | 6.5 | 6.5 | 18h ago | IBM i 7.6, 7.5, 7.4, and 7.3 is vulnerable to a denial-of-service attack due to uncontrolled recursion in the Integrated Language Environment (ILE) compiler. An authenticated attacker could exploit th… | |
| CVE-2026-6052 | medium | 6.5 | 6.5 | 18h ago | IBM Db2 11.5.0 through 11.5.9, and 12.1.0 through 12.1.4 is vulnerable to running out of memory when executing certain queries with MDC tables. | |
| CVE-2026-3676 | medium | 6.5 | 6.5 | 18h ago | IBM Cloud APM, Base Private 8.1.4 and IBM Cloud APM, Advanced Private 8.1.4 IBM Db2 for Linux, UNIX and Windows (includes DB2 Connect Server) could allow an authenticated user to cause a denial of se… | |
| CVE-2026-2340 | medium | 6.5 | 6.5 | 19h ago | A flaw was found in Samba’s vfs_worm module. The module is intended to provide write-once, read-many (WORM) protections by preventing modification of files after a configurable grace period. Due to i… | |
| CVE-2026-42751 | medium | 6.5 | 6.5 | 21h ago | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpdevelop Booking Manager booking-manager allows Stored XSS. This issue affects Booking Manager: f… | |
| CVE-2026-42750 | medium | 6.5 | 6.5 | 21h ago | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Nexcess WPComplete wpcomplete allows Stored XSS. This issue affects WPComplete: from n/a through <… | |
| CVE-2026-42744 | medium | 6.5 | 6.5 | 21h ago | Improper Validation of Specified Quantity in Input vulnerability in Ads by WPQuads Ads by WPQuads quick-adsense-reloaded allows Manipulating Hidden Fields. This issue affects Ads by WPQuads: from n/a … | |
| CVE-2026-42732 | medium | 6.5 | 6.5 | 21h ago | Improper Validation of Specified Quantity in Input vulnerability in Ads by WPQuads Ads by WPQuads quick-adsense-reloaded allows Input Data Manipulation. This issue affects Ads by WPQuads: from n/a thr… | |
| CVE-2026-42725 | medium | 6.5 | 6.5 | 21h ago | Authorization Bypass Through User-Controlled Key vulnerability in WP Wham Checkout Files Upload for WooCommerce checkout-files-upload-woocommerce allows Exploiting Incorrectly Configured Access Contr… | |
| CVE-2026-42726 | medium | 6.5 | 6.5 | 21h ago | Missing Authorization vulnerability in Strategy11 Team AWP Classifieds another-wordpress-classifieds-plugin allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects … | |
| CVE-2026-48968 | medium | 6.5 | 6.5 | 22h ago | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Averta Master Slider allows DOM-Based XSS. This issue affects Master Slider: from n/a through 3.… | |
| CVE-2026-48877 | medium | 6.5 | 6.5 | 22h ago | Insertion of Sensitive Information Into Sent Data vulnerability in Tom GenerateBlocks allows Retrieve Embedded Sensitive Data. This issue affects GenerateBlocks: from n/a through 2.1.0. | |
| CVE-2026-40849 | medium | 6.5 | 6.5 | 23h ago | A low-privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the user_alarmprofile view due to improper neutralization of special elements in a SQL SELECT command. … | |
| CVE-2026-40848 | medium | 6.5 | 6.5 | 23h ago | A low-privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the tag view due to improper neutralization of special elements in a SQL SELECT command. This can resul… | |
| CVE-2026-40847 | medium | 6.5 | 6.5 | 23h ago | A low-privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the system_tag view due to improper neutralization of special elements in a SQL SELECT command. This ca… | |
| CVE-2026-40846 | medium | 6.5 | 6.5 | 23h ago | A low-privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the system view due to improper neutralization of special elements in a SQL SELECT command. This can re… | |
| CVE-2026-40845 | medium | 6.5 | 6.5 | 23h ago | A low-privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the devices_configuration view due to improper neutralization of special elements in a SQL SELECT comma… | |
| CVE-2026-40844 | medium | 6.5 | 6.5 | 23h ago | A low-privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the dashboard view due to improper neutralization of special elements in a SQL SELECT command. This can… | |
| CVE-2026-40843 | medium | 6.5 | 6.5 | 23h ago | A low-privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the alarming view due to improper neutralization of special elements in a SQL SELECT command. This can … | |
| CVE-2026-40842 | medium | 6.5 | 6.5 | 23h ago | A low-privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the getWidgetTags function due to improper neutralization of special elements in a SQL SELECT command. … | |
| CVE-2026-40841 | medium | 6.5 | 6.5 | 23h ago | A low-privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the getProjectTags function due to improper neutralization of special elements in a SQL SELECT command.… | |
| CVE-2026-40840 | medium | 6.5 | 6.5 | 23h ago | A low-privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the VerifyCreateLicences function due to improper neutralization of special elements in a SQL SELECT co… | |
| CVE-2026-40839 | medium | 6.5 | 6.5 | 23h ago | A low-privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the getComponentScalings function due to improper neutralization of special elements in a SQL SELECT co… | |
| CVE-2026-40838 | medium | 6.5 | 6.5 | 23h ago | A low-privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the getDeviceScalings function due to improper neutralization of special elements in a SQL SELECT comma… | |
| CVE-2026-40837 | medium | 6.5 | 6.5 | 23h ago | A low-privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the getProjectScalings function due to improper neutralization of special elements in a SQL SELECT comm… | |
| CVE-2026-40835 | medium | 6.5 | 6.5 | 23h ago | A low-privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the saveObjectFromData function due to improper neutralization of special elements in a SQL SELECT comm… | |
| CVE-2026-40832 | medium | 6.5 | 6.5 | 23h ago | A low-privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the getDevicegroups function due to improper neutralization of special elements in a SQL SELECT command… | |
| CVE-2026-40831 | medium | 6.5 | 6.5 | 23h ago | A low-privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the Easy View due to improper neutralization of special elements in a SQL SELECT command. This can resu… | |
| CVE-2026-3279 | medium | 6.5 | 6.5 | 1d ago | The Enable jQuery Migrate Helper plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `downgrade_jquery_version()` function in all versions… | |
| CVE-2026-9156 | medium | 6.5 | 6.5 | 1d ago | Tanium addressed a denial of service vulnerability in Tanium Server. | |
| CVE-2026-8388 | medium | 6.5 | 6.5 | 1d ago | Incorrect boundary conditions in the JavaScript Engine: JIT component. This vulnerability was fixed in Firefox 150.0.3, Firefox ESR 115.36, Firefox ESR 140.11, and Thunderbird 140.11. | |
| CVE-2026-8961 | medium | 6.5 | 6.5 | 1d ago | Spoofing issue in the Form Autofill component. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11. | |
| CVE-2026-9603 | medium | 6.5 | 6.5 | 1d ago | A security vulnerability has been detected in SourceCodester eDoc Doctor Appointment System 1.0. This affects an unknown part of the file /admin/delete-session.php. The manipulation of the argument I… | |
| CVE-2026-48710 | medium | 6.5 | 6.5 | 1d ago | BadHost: Missing Host header validation poisons request.url.path, bypassing path-based security checks | |
| CVE-2026-44213 | medium | 6.5 | 6.5 | 1d ago | OpenTelemetry.Exporter.Instana bypasses TLS certificate validation when a proxy is configured | |
| CVE-2026-47672 | medium | 6.5 | 6.5 | 1d ago | epa4all-client is the Java Client for epa4all / ePA 3.0 in the Telematik Infrastruktur. In 1.2.4 and earlier, any network-reachable caller can write arbitrary documents to any patient's electronic he… | |
| CVE-2026-44836 | medium | 6.5 | 6.5 | 2d ago | view_component: Preview Route Can Dispatch Inherited Helper Methods | |
| CVE-2026-24197 | medium | 6.5 | 6.5 | 2d ago | NVIDIA Display Driver for Linux contains a vulnerability in the Multi-Instance GPU (MIG) partition management, where an insecure default initialization of memory subsystem routing resources could lea… | |
| CVE-2026-24182 | medium | 6.5 | 6.5 | 2d ago | NVIDIA Display Driver for Windows and Linux contains a vulnerability where an attacker could leak held driver locks. A successful exploit of this vulnerability might lead to denial of service. | |
| CVE-2026-48685 | medium | 6.5 | 6.5 | 2d ago | FastNetMon Community Edition through 1.2.9 has out-of-bounds memory access because it incorrectly parses BGP path attributes with the extended length flag set. In src/bgp_protocol.hpp, the parse_raw_… | |
| CVE-2026-48684 | medium | 6.5 | 6.5 | 2d ago | FastNetMon Community Edition through 1.2.9 contains an out-of-bounds read in the NetFlow v9 options template parser. In process_netflow_v9_options_template() (src/netflow_plugin/netflow_v9_collector.… | |
| CVE-2026-48683 | medium | 6.5 | 6.5 | 2d ago | FastNetMon Community Edition through 1.2.9 contains an out-of-bounds read vulnerability in the NetFlow v9 data flowset processor. In src/netflow_plugin/netflow_v9_collector.cpp, the Data template bra… | |
| CVE-2026-43934 | medium | 6.5 | 6.5 | 2d ago | e107 is a content management system (CMS). Prior to 2.3.4, a Broken Access Control vulnerability exists in the application, allowing an unauthorized authenticated user to edit comments posted by othe… | |
| CVE-2026-41401 | medium | 6.5 | 6.5 | 2d ago | libyang before 5.2.6 contains a heap use-after-free write vulnerability in lyd_parser_set_data_flags that incorrectly updates metadata list pointers when freeing non-head default metadata entries. At… | |
| CVE-2026-46620 | medium | 6.5 | 6.5 | 2d ago | e107 is a content management system (CMS). Prior to 2.3.5, e107 CMS does not properly enforce CSRF token validation on comment moderation actions. The problem comes down to how session_handler::check… | |
| CVE-2026-27427 | medium | 6.5 | 6.5 | 2d ago | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Dylan Kuhn Geo Mashup allows Stored XSS. This issue affects Geo Mashup: from n/a through 1.13.18. | |
| CVE-2026-4795 | medium | 6.5 | 6.5 | 2d ago | A missing authorization vulnerability in Zyxel GS1200-5v3 firmware versions through 1.00(ACPS.2)C0, GS1200-8v3 firmware versions through 1.00(ACPT.2)C0, GS1200-5HPv3 firmware versions through 1.00(A… | |
| CVE-2026-45435 | medium | 6.5 | 6.5 | 2d ago | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Melapress WP Activity Log allows DOM-Based XSS. This issue affects WP Activity Log: from n/a thr… | |
| CVE-2026-45217 | medium | 6.5 | 6.5 | 2d ago | Authentication Bypass Using an Alternate Path or Channel vulnerability in ThemeHigh Stripe Payment Gateway for WooCommerce allows Password Recovery Exploitation. This issue affects Stripe Payment Ga… | |
| CVE-2026-42763 | medium | 6.5 | 6.5 | 2d ago | Missing Authorization vulnerability in SePay team SePay Gateway allows Retrieve Embedded Sensitive Data. This issue affects SePay Gateway: from n/a through 1.1.20. | |
| CVE-2026-24574 | medium | 6.5 | 6.5 | 2d ago | Cross-Site Request Forgery (CSRF) vulnerability in Recorp Export WP Page to Static HTML/CSS allows Cross Site Request Forgery. This issue affects Export WP Page to Static HTML/CSS: from n/a through … | |
| CVE-2026-48846 | medium | 6.5 | 6.5 | 2d ago | In Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7.1, the remote image blocking feature can be bypassed via a crafted CSS var() value in an e-mail message, which may lead to information di… | |
| CVE-2026-48845 | medium | 6.5 | 6.5 | 3d ago | In Roundcube Webmail 1.6.x between 1.6.14 and 1.6.16 and 1.7.x before 1.7.1, remote image blocking was not honored for URLs pointing to local/private destinations, which may lead to information discl… | |
| CVE-2026-47076 | medium | 6.5 | 6.5 | 3d ago | SSRF allowlist bypass via percent-encoded host in hackney | |
| CVE-2026-4915 | medium | 6.5 | 6.5 | 3d ago | Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to filter nil elements from outgoing webhook attachment payloads before processing, which allows an … | |
| CVE-2026-41863 | medium | 6.5 | 6.5 | 3d ago | Spring AI's support for Anthropic's Skills API used LLM-influenced filenames unsanitized in Path.resolve before writing files to disk. This could allow a malicious user to write files outside the int… | |
| CVE-2026-9351 | medium | 6.5 | 6.5 | 4d ago | A security flaw has been discovered in NousResearch hermes-agent up to 2026.4.16. This vulnerability affects the function _is_blocked_device of the file tools/file_tools.py of the component read_file… | |
| CVE-2026-9354 | medium | 6.5 | 6.5 | 4d ago | A vulnerability was detected in NousResearch hermes-agent up to 2026.4.16. The affected element is an unknown function of the component Slack Agent/Mattermost Agent. The manipulation of the argument … | |
| CVE-2026-41069 | medium | 6.5 | 6.5 | 5d ago | libheif is a HEIF and AVIF file format decoder and encoder. In versions 1.21.2 and prior, a malformed HEIF sequence file can trigger an out-of-bounds read in core sequence parsing logic, causing DoS.… | |
| CVE-2026-39969 | medium | 6.5 | 6.5 | 6d ago | TypeBot is a chatbot builder tool. In versions 3.16.0 and prior, the WhatsApp Cloud API webhook endpoint (POST /v1/workspaces/{workspaceId}/whatsapp/{credentialsId}/webhook) does not verify the x-hub… | |
| CVE-2026-39966 | medium | 6.5 | 6.5 | 6d ago | TypeBot is a chatbot builder tool. In versions 3.15.2, the getLinkedTypebots API endpoint returns full bot definitions to any authenticated user who references a target bot ID in a Typebot Link block… | |
| CVE-2026-36227 | medium | 6.5 | 6.5 | 6d ago | Directory Traversal vulnerability in Easy Chat Server 3.1 allows a remote attacker to obtain sensitive information and execute arbitrary code via the UserName parameter | |
| CVE-2026-28444 | medium | 6.5 | 6.5 | 6d ago | Typebot is a chatbot builder tool. In versions 3.15.2 and prior, the getResultLogs API endpoint authorizes the caller against the provided typebotId but fetches logs solely by resultId without verify… | |
| CVE-2026-25680 | medium | 6.5 | 6.5 | 6d ago | Invoking denial of service when parsing arbitrary HTML in golang.org/x/net/html | |
| CVE-2026-5755 | medium | 6.5 | 6.5 | 6d ago | Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.2, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to validate the TIFF IFD offset in the image header before allocating memory, whic… | |
| CVE-2026-5072 | medium | 6.5 | 6.5 | 6d ago | A bitwise shift vulnerability in Zephyr's PTP subsystem allows a remote attacker to cause undefined behavior and potential system crashes. An attacker sends a crafted PTP_MSG_MANAGEMENT message to se… | |
| CVE-2026-39827 | medium | 6.5 | 6.5 | 6d ago | An authenticated SSH client that repeatedly opened channels which were rejected by the server caused unbounded memory growth, eventually crashing the server process and affecting all connected users.… | |
| CVE-2026-8435 | medium | 6.5 | 6.5 | 6d ago | Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file approveVersion(). The Concrete CMS security team gave this vulnerability a CVSS v.4… | |
| CVE-2026-8140 | medium | 6.5 | 6.5 | 6d ago | Concrete CMS 9.5.0 and below does not validate a CSRF token before processing requests to /dashboard/extend/install/download/<remoteId>. The download() method in concrete/controllers/single_page/dash… | |
| CVE-2026-39593 | medium | 6.5 | 6.5 | 7d ago | Missing Authorization vulnerability in VillaTheme HAPPY allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects HAPPY: from n/a through 1.0.10. | |
| CVE-2026-45254 | medium | 6.5 | 6.5 | 7d ago | In the case of the cap_net service, when a key present in the old limit was omitted from the new limit, the missing key was treated as "allow any" instead of being rejected. In certain scenarios, an… | |
| CVE-2026-42396 | medium | 6.5 | 6.5 | 7d ago | Insufficient Validation of Member Zone Data May Cause Catalog Zone Transfer to Fail | |
| CVE-2026-44054 | medium | 6.5 | 6.5 | 7d ago | Netatalk 2.0.0 through 4.4.2 generates AFP session tokens derived from predictable process IDs, which allows a remote authenticated attacker to cause a denial of service by exploiting the reconnect m… | |
| CVE-2026-2734 | medium | 6.5 | 6.5 | 7d ago | In mlflow/mlflow versions up to 3.9.0, the `SearchModelVersions` REST API endpoint and the `mlflowSearchModelVersions` GraphQL query lack proper per-model authorization checks when basic authenticati… | |
| CVE-2026-9149 | medium | 6.5 | 6.5 | 7d ago | A flaw was found in libsolv. This heap buffer overflow vulnerability occurs when a victim processes a specially crafted `.solv` file containing negative size values in the `repo_add_solv` function. T… | |
| CVE-2026-9150 | medium | 6.5 | 6.5 | 7d ago | A flaw was found in libsolv. This stack-based buffer overflow vulnerability occurs in libsolv's Debian metadata parser when processing specially crafted Debian repository metadata. An attacker could … | |
| CVE-2026-40102 | medium | 6.5 | 6.5 | 7d ago | Plane is an open-source project management tool. In versions 1.3.0 and below, SavedAnalyticEndpoint passes the user-controlled segment query parameter directly to a Django F() expression without vali… | |
| CVE-2026-9122 | medium | 6.5 | 6.5 | 7d ago | Out of bounds read in GPU in Google Chrome on Mac prior to 148.0.7778.179 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium … | |
| CVE-2026-20240 | medium | 6.5 | 6.5 | 8d ago | In Splunk Enterprise versions below 10.2.2, 10.0.5, 9.4.11, and 9.3.12, and Splunk Cloud Platform versions below 10.4.2603.1, 10.3.2512.9, 10.2.2510.11, 10.1.2507.21, 10.0.2503.13, and 9.3.2411.129, … | |
| CVE-2026-20239 | medium | 6.5 | 6.5 | 8d ago | In Splunk Enterprise versions below 10.2.2 and 10.0.5, and Splunk Cloud Platform versions below 10.3.2512.8, 10.2.2510.11, 10.1.2507.21, and 10.0.2503.13, a user with a role that has access to the `_… | |
| CVE-2026-20238 | medium | 6.5 | 6.5 | 8d ago | In Splunk AI Toolkit versions below 5.7.3, a low-privileged user that does not hold the 'admin' or 'power' roles could access confidential data that was restricted through `srchFilter` configurations… | |
| CVE-2026-44923 | medium | 6.5 | 6.5 | 8d ago | SQL injection in InfoScale VIOM before v9.1.3 allows remote attackers to escalate privileges. | |
| CVE-2026-21836 | medium | 6.5 | 6.5 | 8d ago | The HCL DominoIQ RAG feature is affected by a Broken Access Control vulnerability. Under certain circumstances, document level access restrictions will be ignored when determining what data to retur… | |
| CVE-2026-27405 | medium | 6.5 | 6.5 | 8d ago | Missing Authorization vulnerability in Magepeople inc. WpBookingly allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WpBookingly: from n/a through 1.2.9. | |
| CVE-2026-24573 | medium | 6.5 | 6.5 | 8d ago | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themeisle Visualizer allows Stored XSS. This issue affects Visualizer: from n/a before 4.0.0. | |
| CVE-2026-8685 | medium | 6.5 | 6.5 | 8d ago | The Infility Global plugin for WordPress is vulnerable to SQL Injection via the 'orderby' and 'order' parameters in all versions up to, and including, 2.15.16. This is due to insufficient escaping on… | |
| CVE-2026-6072 | medium | 6.5 | 6.5 | 8d ago | The Oliver POS – A WooCommerce Point of Sale (POS) plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in all versions up to and including 2.4.2.6. The plugin prote… | |
| CVE-2026-34233 | medium | 6.5 | 6.5 | 8d ago | CtrlPanel is open-source billing software for hosting providers. In versions 1.1.1 and prior, multiple admin controllers expose DataTable endpoints without authorization checks, allowing any authenti… | |
| CVE-2026-32814 | medium | 6.5 | 6.5 | 8d ago | libheif is a HEIF and AVIF file format decoder and encoder. In versions 1.21.2 and prior, when decoding a HEIF grid image with strict_decoding=false (the default), a corrupted tile silently fails to … |