CVEs from 2026
Total
13,634
critical
critical 1,192
high
high 4,364
medium
medium 4,266
low
low 466
% Critical
8.7%
% with KEV
0.4%
% with exploit
0.8%
Top products
- chrome 503
- firepower_threat_defense 298
- firepower_threat_defense_software 295
- gcp 229
- openclaw 172
- commerce 104
- commerce_b2b 89
- saml_sso_-_service_provider 77
Top packages
| CVE | Severity | CVSS | Risk | Flags | OS | Vendor | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-44550 | medium | 5.0 | 5.0 | 17d ago | Open WebUI's Mass Assignment via Pydantic extra='allow' Allows Creating Folders in Other Users' Accounts | |||
| CVE-2026-41051 | medium | 5.0 | 5.0 | 19d ago | csync2 uses insecure temporary directories when compiled with C99 or later, allowing for TOCTOU style attacks on the temporary directories. | |||
| CVE-2026-41195 | medium | 5.0 | 5.0 | 20d ago | mosparo is the modern solution to protect your online forms from spam. Prior to 1.4.13, the automatic rule package source URL feature allows a project member with the editor role to store an attacker… | |||
| CVE-2026-41610 | medium | 5.0 | 5.0 | 20d ago | <p>Improper neutralization of input during web page generation ('cross-site scripting') in Visual Studio Code allows an unauthorized attacker to bypass a security feature locally.</p> | |||
| CVE-2026-43979 | medium | 5.0 | 5.0 | 21d ago | Local Deep Research is an AI-powered research assistant for deep, iterative research. Prior to 1.6.0, PDFService._markdown_to_html() constructs an HTML document by interpolating user-controlled value… | |||
| CVE-2026-45003 | medium | 5.0 | 5.0 | 21d ago | OpenClaw: Workspace dotenv files cannot override connector endpoint hosts | |||
| CVE-2026-45000 | medium | 5.0 | 5.0 | 21d ago | OpenClaw before 2026.4.20 contains a server-side request forgery vulnerability in browser CDP profile creation that skips strict-mode SSRF policy checks. Attackers can create stored profiles pointing… | |||
| CVE-2026-44992 | medium | 5.0 | 5.0 | 21d ago | OpenClaw: Workspace dotenv MiniMax host override could redirect credentialed requests | |||
| CVE-2026-41648 | medium | 5.0 | 5.0 | 25d ago | Incus is a system container and virtual machine manager. Prior to version 7.0.0, user provided image and backup tarballs would be unpacked and YAML files parsed without any size restrictions. This wa… | |||
| CVE-2026-8009 | medium | 5.0 | 5.0 | 26d ago | Inappropriate implementation in Cast in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to bypass navigation restrictions via a crafted HTML pa… | |||
| CVE-2026-7317 | medium | 5.0 | 5.0 | 27d ago | Grav has Insecure Deserialization in File Cache | |||
| CVE-2026-35527 | medium | 5.0 | 5.0 | 27d ago | Incus is an open source container and virtual machine manager. In versions prior to 7.0.0, the image import flow issues an outbound HEAD request to a user-supplied URL before validating the request a… | |||
| CVE-2026-7778 | medium | 5.0 | 5.0 | 27d ago | An issue that could allow a dashboard configuration to be viewed from outside of the authorized organization scope has been resolved. This is an instance of CWE-269: Improper Privilege Management, an… | |||
| CVE-2026-7724 | medium | 5.0 | 5.0 | 29d ago | Prefect SSRF Bypass via DNS Rebinding in validate_restricted_url | |||
| CVE-2026-7688 | medium | 5.0 | 5.0 | 29d ago | Dolibarr has an Injection issue | |||
| CVE-2026-22726 | medium | 5.0 | 5.0 | 1mo ago | Route Services can be leveraged to send app traffic to network destinations outside of an app's configured egress rules. As a result, a malicious developer with access to Cloudfoundry could configure… | |||
| CVE-2026-36764 | medium | 5.0 | 5.0 | 1mo ago | A Server-Side Request Forgery (SSRF) in the /ureport/datasource/testConnection endpoint of SpringBlade v4.8.0 allows authenticated attackers to scan internal resources via a crafted GET request. | |||
| CVE-2026-42424 | medium | 5.0 | 5.0 | 1mo ago | OpenClaw: Shared reply MEDIA - paths are treated as trusted and can trigger cross-channel local file exfiltration | |||
| CVE-2026-41367 | medium | 5.0 | 5.0 | 1mo ago | OpenClaw versions 2026.2.14 through 2026.3.24 fail to consistently apply guild and channel policy gates to Discord button and component interactions. Attackers can trigger privileged component action… | |||
| CVE-2026-7085 | medium | 5.0 | 5.0 | 1mo ago | A vulnerability was determined in HBAI-Ltd Toonflow-app up to 1.1.1. This vulnerability affects the function z.url of the file src/routes/setting/about/downloadApp.ts of the component downloadApp End… | |||
| CVE-2026-41338 | medium | 5.0 | 5.0 | 1mo ago | OpenClaw before 2026.3.31 contains a time-of-check-time-of-use vulnerability in sandbox file operations that allows attackers to bypass fd-based defenses. Attackers can exploit check-then-act pattern… | |||
| CVE-2026-35372 | medium | 5.0 | 5.0 | 1mo ago | A logic error in the ln utility of uutils coreutils allows the utility to dereference a symbolic link target even when the --no-dereference (or -n) flag is explicitly provided. The implementation pre… | |||
| CVE-2026-6845 | medium | 5.0 | 5.0 | 1mo ago | A flaw was found in binutils, specifically within the `readelf` utility. This vulnerability allows a local attacker to cause a Denial of Service (DoS) by tricking a user into processing a specially c… | |||
| CVE-2026-34319 | medium | 5.0 | 5.0 | 1mo ago | Vulnerability in the MySQL Shell product of Oracle MySQL (component: Shell: Core Client). Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and 9.0.0-9.6.0. Easily exploitable vuln… | |||
| CVE-2026-34317 | medium | 5.0 | 5.0 | 1mo ago | Vulnerability in the MySQL Shell product of Oracle MySQL (component: Shell: Core Client). Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and 9.0.0-9.6.0. Easily exploitable vuln… | |||
| CVE-2026-4583 | medium | 5.0 | 5.0 | 2mo ago | A vulnerability was detected in Shenzhen HCC Technology MPOS M6 PLUS 1V.31-N. Affected by this issue is some unknown functionality of the component Bluetooth Handler. Performing a manipulation result… | |||
| CVE-2026-4582 | medium | 5.0 | 5.0 | 2mo ago | A security vulnerability has been detected in Shenzhen HCC Technology MPOS M6 PLUS 1V.31-N. Affected by this vulnerability is an unknown functionality of the component Bluetooth. Such manipulation le… | |||
| CVE-2026-32442 | medium | 5.0 | 5.0 | 3mo ago | Missing Authorization vulnerability in E2Pdf e2pdf e2pdf allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects e2pdf: from n/a through <= 1.28.15. | |||
| CVE-2026-10074 | medium | 4.9 | 4.9 | 3d ago | DreamMaker developed by Interinfo has an Arbitrary File Read vulnerability, allowing privileged local attackers to exploit Relative Path Traversal to download arbitrary system files. | |||
| CVE-2026-10039 | medium | 4.9 | 4.9 | 3d ago | The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to generic SQL Injection via the 'order' parameter in all versions up to, and including, 3.28.28 due to insufficient escaping on th… | |||
| CVE-2026-9801 | medium | 4.9 | 4.9 | 5d ago | A flaw was found in Keycloak. A remote attacker with high privileges, such as a realm administrator configuring a malicious Lightweight Directory Access Protocol (LDAP) server or an attacker compromi… | |||
| CVE-2026-40826 | medium | 4.9 | 4.9 | 6d ago | A high privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the dsgvo_contracts view due to improper neutralization of special elements in a SQL SELECT command. Th… | |||
| CVE-2026-40822 | medium | 4.9 | 4.9 | 6d ago | A high privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the DevSerialReset function due to improper neutralization of special elements in a SQL SELECT command.… | |||
| CVE-2026-40821 | medium | 4.9 | 4.9 | 6d ago | A high privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the getAccountByID function due to improper neutralization of special elements in a SQL SELECT command.… | |||
| CVE-2026-7618 | medium | 4.9 | 4.9 | 6d ago | The EnvíaloSimple: Email Marketing y Newsletters plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'orderby' parameter in all versions up to, and including, 2.4.5 due to in… | |||
| CVE-2026-41917 | medium | 4.9 | 4.9 | 6d ago | OpenKM 6.3.12 contains a local file inclusion vulnerability in the administrative scripting interface at /admin/Scripting that allows authenticated administrators to read arbitrary files by supplying… | |||
| CVE-2026-27346 | medium | 4.9 | 4.9 | 7d ago | Missing Authorization vulnerability in Kings Plugins B2BKing allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects B2BKing: from n/a before 5.2.10. | |||
| CVE-2026-42797 | medium | 4.9 | 4.9 | 7d ago | Exposure of Sensitive Information Through Data Queries vulnerability in Apache Syncope. An administrator with adequate entitlements for Derived Schemas can create a malicious JEXL expression which a… | |||
| CVE-2026-4811 | medium | 4.9 | 4.9 | 12d ago | The WPB Floating Menu & Categories for WordPress – Sticky Side Menu with Icons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Icon CSS Class' category field in all version… | |||
| CVE-2026-7472 | medium | 4.9 | 4.9 | 13d ago | The Read More & Accordion plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'orderby' parameter in all versions up to, and including, 3.5.7. This is due to the use of esc_s… | |||
| CVE-2026-37978 | medium | 4.9 | 4.9 | 13d ago | A flaw was found in Keycloak. A low-privilege administrator with the 'view-clients' role can exploit this by invoking the 'evaluate-scopes' Admin API endpoints with an arbitrary user ID (userId) para… | |||
| CVE-2026-45731 | medium | 4.9 | 4.9 | 14d ago | WWBN AVideo is an open source video platform. In 29.0 and earlier, view/update.php reads $_POST['updateFile'] as a relative path under updatedb/ and passes it to PHP's file() for line-by-line executi… | |||
| CVE-2026-7046 | medium | 4.9 | 4.9 | 17d ago | The NEX-Forms – Ultimate Forms Plugin for WordPress plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'table' parameter in all versions up to, and including, 9.1.12 due to … | |||
| CVE-2026-45054 | medium | 4.9 | 4.9 | 19d ago | CubeCart is an ecommerce software solution. Prior to 6.7.0, the admin orders-transactions listing page (admin.php?_g=orders&node=transactions) builds a raw ORDER BY SQL fragment from the attacker-con… | |||
| CVE-2026-42780 | medium | 4.9 | 4.9 | 19d ago | A directory traversal vulnerability exists in BIG-IP SSL Orchestrator that allows an authenticated attacker with high privilege to overwrite, delete or corrupt arbitrary local files. Note: Software … | |||
| CVE-2026-42063 | medium | 4.9 | 4.9 | 19d ago | A vulnerability exists in iControl SOAP where an authenticated attacker with the Resource Administrator or Administrator role can download sensitive files. Note: Software versions which have reached… | |||
| CVE-2026-41954 | medium | 4.9 | 4.9 | 19d ago | Sensitive information disclosure vulnerability exists in the undisclosed iControl REST endpoint and TMOS Shell (tmsh) command which may allow an authenticated attacker with resource administrator rol… | |||
| CVE-2026-44874 | medium | 4.9 | 4.9 | 20d ago | A vulnerability exists in the web-based management interface of an AOS-10 Gateway that could allow an authenticated remote attacker to access sensitive files on the underlying operating system. Succe… | |||
| CVE-2026-3604 | medium | 4.9 | 4.9 | 20d ago | The WP SEO Structured Data Schema plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `_kcseo_ative_tab` parameter in all versions up to, and including, 2.8.1 due to insufficien… | |||
| CVE-2026-42600 | medium | 4.9 | 4.9 | 21d ago | MinIO vulnerable to Path Traversal via msgpack Body in `ReadMultiple` Storage-REST Endpoint | |||
| CVE-2026-28967 | medium | 4.9 | 4.9 | 21d ago | A denial-of-service issue was addressed with improved input validation. This issue is fixed in iOS 18.7.7 and iPadOS 18.7.7, iOS 26.4 and iPadOS 26.4. An attacker in a privileged network position may… | |||
| CVE-2026-42886 | medium | 4.9 | 4.9 | 21d ago | Audiobookshelf is a self-hosted audiobook and podcast server. Prior to 2.32.2, the POST /api/backups/upload endpoint decompresses the details entry from an uploaded .audiobookshelf ZIP file entirely … | |||
| CVE-2026-42876 | medium | 4.9 | 4.9 | 21d ago | ExternalSecrets vulnerable to privilege escalation with secret overwriting | |||
| CVE-2026-42295 | medium | 4.9 | 4.9 | 24d ago | Argo vulnerable to exposure of artifact repository credentials | |||
| CVE-2026-44298 | medium | 4.9 | 4.9 | 24d ago | Kimai has an arbitrary file read in its invoice PDF renderer (admin) | |||
| CVE-2026-6344 | medium | 4.9 | 4.9 | 26d ago | The Fluent Forms plugin for WordPress is vulnerable to Arbitrary File Read in versions up to and including 6.2.1. This is due to insufficient path validation in the getAttachments() method of EmailNo… | |||
| CVE-2026-6418 | medium | 4.9 | 4.9 | 28d ago | An issue was discovered in the Shared Account Synchronization component of PaperCut MF (version 25.0.4). The application allows administrative users to configure a source path for account data synchr… | |||
| CVE-2026-1921 | medium | 4.9 | 4.9 | 28d ago | The Loco Translate plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 2.8.2 via the `fsReference` AJAX route. This is due to the `findSourceFile()` method norm… | |||
| CVE-2026-6948 | medium | 4.9 | 4.9 | 29d ago | Velociraptor versions prior to 0.76.4 contain a resource exhaustion vulnerability in the server's agent control channel. This allows a compromised or rogue Velociraptor client to crash the server … | |||
| CVE-2026-37505 | medium | 4.9 | 4.9 | 1mo ago | SQL Injection via ORDER BY clause in V2Board thru 1.7.4. In app/Http/Controllers/Admin/UserController.php, the sort parameter from user input is passed directly to User::orderBy($sort, $sortType) wit… | |||
| CVE-2026-41657 | medium | 4.9 | 4.9 | 1mo ago | Admidio Exposes Cross-Organization Member Data via Permission Check Mismatch in contacts_data.php | |||
| CVE-2026-0206 | medium | 4.9 | 4.9 | 1mo ago | A post-authentication Stack-based Buffer Overflow vulnerabilities in SonicOS allows a remote attacker to crash a firewall. | |||
| CVE-2026-41887 | medium | 4.9 | 4.9 | 1mo ago | Flarum: Path traversal in LESS parser via theme color settings (incomplete fix for CVE-2023-27577) | |||
| CVE-2026-33611 | medium | 4.9 | 4.9 | 1mo ago | An operator allowed to use the REST API can cause the Authoritative server to produce invalid HTTPS or SVCB record data, which can in turn cause LMDB database corruption, if using the LMDB backend. | |||
| CVE-2026-6416 | medium | 4.9 | 4.9 | 1mo ago | Tanium addressed an uncontrolled resource consumption vulnerability in Interact. | |||
| CVE-2026-31927 | medium | 4.9 | 4.9 | 2mo ago | Anviz CX7 Firmware is vulnerable to an authenticated CSV upload which allows path traversal to overwrite arbitrary files (e.g., /etc/shadow), enabling unauthorized SSH access when combined with deb… | |||
| CVE-2026-34164 | medium | 4.9 | 4.9 | 2mo ago | Valtimo: Sensitive data exposure through inbox message logging in InboxHandlingService | |||
| CVE-2026-39961 | medium | 4.9 | 4.9 | 2mo ago | Aiven Operator has cross-namespace secret exfiltration via ClickhouseUser connInfoSecretSource | |||
| CVE-2026-39631 | medium | 4.9 | 4.9 | 2mo ago | Missing Authorization vulnerability in Ronik@UnlimitedWP WPSchoolPress wpschoolpress allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WPSchoolPress: from n/a… | |||
| CVE-2026-31850 | medium | 4.9 | 4.9 | 2mo ago | Nexxt Solutions Nebula 300+ firmware through version 12.01.01.37 stores sensitive information, including administrative credentials and WiFi pre-shared keys, in plaintext within exported configuratio… | |||
| CVE-2026-32828 | medium | 4.9 | 4.9 | 2mo ago | Kargo Vulnerable to SSRF in Promotion http/http-download Steps Enables Internal Network Access and Data Exfiltration in github.com/akuity/kargo | |||
| CVE-2026-29516 | medium | 4.9 | 4.9 | 3mo ago | Buffalo TeraStation NAS TS5400R firmware version 4.02-0.06 and prior contain an excessive file permissions vulnerability that allows authenticated attackers to read the /etc/shadow file by uploading … | |||
| CVE-2026-1884 | medium | 4.9 | 4.9 | 4mo ago | A weakness has been identified in ZenTao up to 21.7.6-85642. The impacted element is the function fetchHook of the file module/webhook/model.php of the component Webhook Module. This manipulation cau… | |||
| CVE-2026-24356 | medium | 4.9 | 4.9 | 4mo ago | Missing Authorization vulnerability in Roxnor GetGenie getgenie allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects GetGenie: from n/a through <= 4.3.0. | |||
| CVE-2026-22482 | medium | 4.9 | 4.9 | 4mo ago | Server-Side Request Forgery (SSRF) vulnerability in wbolt.com IMGspider imgspider allows Server Side Request Forgery.This issue affects IMGspider: from n/a through <= 2.3.12. | |||
| CVE-2026-34127 | medium | 4.8 | 4.8 | 3d ago | A stored cross-site scripting (XSS) vulnerability has been identified in the web management interface of TP-Link's TL-SG108PE v5 switch due to improper sanitation of the SYSNAM configuration paramete… | |||
| CVE-2026-10058 | medium | 4.8 | 4.8 | 3d ago | ITS Intelligent SCADA System developed by ITP Technology has a Stored Cross-Site Scripting vulnerability, allowing privileged remote attackers to inject persistent JavaScript codes that are executed … | |||
| CVE-2026-10057 | medium | 4.8 | 4.8 | 3d ago | ITS Intelligent SCADA System developed by ITP Technology has a Stored Cross-Site Scripting vulnerability, allowing privileged remote attackers to inject persistent JavaScript codes that are executed … | |||
| CVE-2026-6324 | medium | 4.8 | 4.8 | 4d ago | A flaw was found in libsoup. A remote attacker could exploit an unsigned to signed conversion error in the `soup_body_input_stream_read_chunked()` function by sending a malicious HTTP request. This v… | |||
| CVE-2026-2288 | medium | 4.8 | 4.8 | 5d ago | The myLinksDump plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'link_title' parameter in all versions up to, and including, 1.6 due to insufficient input sanitization and o… | |||
| CVE-2026-2280 | medium | 4.8 | 4.8 | 5d ago | The rexCrawler plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0.15 due to insufficient input sanitization and output esca… | |||
| CVE-2026-8647 | medium | 4.8 | 4.8 | 6d ago | Crypt::ScryptKDF versions through 0.010 for Perl uses insecure random number source when no CSPRNG module is available. The random_bytes function fell back to using the built-in rand() function when… | |||
| CVE-2026-44443 | medium | 4.8 | 4.8 | 6d ago | Lumiverse is a full-featured AI chat application. Prior to 0.9.7, consumeNonce() only checks that the module-level variable is set and unexpired. It does not validate any value from the incoming HTTP… | |||
| CVE-2026-8353 | medium | 4.8 | 4.8 | 10d ago | Concrete CMS version 9.0 to 9.5.0 is vulnerable to Stored XSS via page name in the Atomik theme. A rogue editor can inject arbitrary JavaScript that executes in the context of any authenticated user … | |||
| CVE-2026-8197 | medium | 4.8 | 4.8 | 11d ago | Concrete CMS 9.5.0 and below is vulnerable to Stored XSS via OAuth integration name. The OAuth authorize template renders the integration name (admin-controlled) through Concrete's t() translation he… | |||
| CVE-2026-41999 | medium | 4.8 | 4.8 | 11d ago | Incorrect Behaviour of Views with TCP PROXY Requests | |||
| CVE-2026-43617 | medium | 4.8 | 4.8 | 13d ago | Rsync version 3.4.2 and prior contain an authorization bypass vulnerability in the rsync daemon's hostname-based access control list enforcement when configured with chroot. Attackers can bypass host… | |||
| CVE-2026-34246 | medium | 4.8 | 4.8 | 13d ago | CtrlPanel is open-source billing software for hosting providers. Versions 1.1.1 and prior contain a Stored Cross-Site Scripting (XSS) vulnerability exists in the admin role management interface. In a… | |||
| CVE-2026-3495 | medium | 4.8 | 4.8 | 14d ago | Mattermost doesn't escape some variables that could contain malicious content during error page composition | |||
| CVE-2026-44568 | medium | 4.8 | 4.8 | 17d ago | Open WebUI has Stored XSS in Pending User Overlay via Incorrect DOMPurify Application Order | |||
| CVE-2026-41281 | medium | 4.8 | 4.8 | 19d ago | Android App "あんしんフィルター for au" provided by KDDI CORPORATION contains Cleartext Transmission of Sensitive Information (CWE-319) vulnerability. A man-in-the-middle attacker may access and modify commun… | |||
| CVE-2026-39428 | medium | 4.8 | 4.8 | 19d ago | CubeCart is an ecommerce software solution. Prior to 6.6.0, a Stored Cross-Site Scripting (XSS) vulnerability exists in CubeCart v6.x. An attacker with administrative privileges can inject malicious … | |||
| CVE-2026-8367 | medium | 4.8 | 4.8 | 19d ago | aria2c accepts a server certificate with incorrect Extended Key Usage (EKU). If the attackers compromise a certificate (with the associated private key) issued for a different purpose, they may be ab… | |||
| CVE-2026-42934 | medium | 4.8 | 4.8 | 19d ago | NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_charset_module module. When charset, source_charset, and charset_map and proxy_pass with disabled buffering ("off") directives ar… | |||
| CVE-2026-40701 | medium | 4.8 | 4.8 | 19d ago | NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_ssl_module module when the ssl_verify_client directive is set to "on" or "optional," and the ssl_ocsp directive is set to "on" or… | |||
| CVE-2026-42948 | medium | 4.8 | 4.8 | 19d ago | Stored cross-site scripting vulnerability exists in ELECOM wireless LAN access point devices. If one of the administrators input malicious data, an arbitrary script may be executed in another adminis… | |||
| CVE-2026-34658 | medium | 4.8 | 4.8 | 20d ago | Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a high-p… | |||
| CVE-2026-34655 | medium | 4.8 | 4.8 | 20d ago | Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a high-p… | |||
| CVE-2026-6663 | medium | 4.8 | 4.8 | 20d ago | The GWD Connect plugin for WordPress is vulnerable to missing authorization to limited code execution in all versions up to, and including, 2.9. This is due to the plugin's standalone agent endpoints… | |||
| CVE-2026-7814 | medium | 4.8 | 4.8 | 21d ago | pgAdmin 4: Stored cross-site scripting (XSS) vulnerability in Browser Tree and Explain Visualizer modules |