CVEs from 2026
Total
13,570
critical
critical 1,185
high
high 4,339
medium
medium 4,230
low
low 458
% Critical
8.7%
% with KEV
0.4%
% with exploit
0.8%
Top products
- chrome 434
- firepower_threat_defense 298
- firepower_threat_defense_software 295
- gcp 229
- openclaw 166
- commerce 104
- commerce_b2b 89
- magento 74
Top packages
| CVE | Severity | CVSS | Risk | Flags | OS | Vendor | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-10039 | medium | 4.9 | 4.9 | 3d ago | The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to generic SQL Injection via the 'order' parameter in all versions up to, and including, 3.28.28 due to insufficient escaping on th… | |||
| CVE-2026-9801 | medium | 4.9 | 4.9 | 4d ago | A flaw was found in Keycloak. A remote attacker with high privileges, such as a realm administrator configuring a malicious Lightweight Directory Access Protocol (LDAP) server or an attacker compromi… | |||
| CVE-2026-40826 | medium | 4.9 | 4.9 | 5d ago | A high privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the dsgvo_contracts view due to improper neutralization of special elements in a SQL SELECT command. Th… | |||
| CVE-2026-40822 | medium | 4.9 | 4.9 | 5d ago | A high privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the DevSerialReset function due to improper neutralization of special elements in a SQL SELECT command.… | |||
| CVE-2026-40821 | medium | 4.9 | 4.9 | 5d ago | A high privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the getAccountByID function due to improper neutralization of special elements in a SQL SELECT command.… | |||
| CVE-2026-7618 | medium | 4.9 | 4.9 | 5d ago | The EnvíaloSimple: Email Marketing y Newsletters plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'orderby' parameter in all versions up to, and including, 2.4.5 due to in… | |||
| CVE-2026-41917 | medium | 4.9 | 4.9 | 6d ago | OpenKM 6.3.12 contains a local file inclusion vulnerability in the administrative scripting interface at /admin/Scripting that allows authenticated administrators to read arbitrary files by supplying… | |||
| CVE-2026-27346 | medium | 4.9 | 4.9 | 7d ago | Missing Authorization vulnerability in Kings Plugins B2BKing allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects B2BKing: from n/a before 5.2.10. | |||
| CVE-2026-42797 | medium | 4.9 | 4.9 | 7d ago | Exposure of Sensitive Information Through Data Queries vulnerability in Apache Syncope. An administrator with adequate entitlements for Derived Schemas can create a malicious JEXL expression which a… | |||
| CVE-2026-4811 | medium | 4.9 | 4.9 | 12d ago | The WPB Floating Menu & Categories for WordPress – Sticky Side Menu with Icons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Icon CSS Class' category field in all version… | |||
| CVE-2026-7472 | medium | 4.9 | 4.9 | 13d ago | The Read More & Accordion plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'orderby' parameter in all versions up to, and including, 3.5.7. This is due to the use of esc_s… | |||
| CVE-2026-37978 | medium | 4.9 | 4.9 | 13d ago | A flaw was found in Keycloak. A low-privilege administrator with the 'view-clients' role can exploit this by invoking the 'evaluate-scopes' Admin API endpoints with an arbitrary user ID (userId) para… | |||
| CVE-2026-7046 | medium | 4.9 | 4.9 | 17d ago | The NEX-Forms – Ultimate Forms Plugin for WordPress plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'table' parameter in all versions up to, and including, 9.1.12 due to … | |||
| CVE-2026-45054 | medium | 4.9 | 4.9 | 19d ago | CubeCart is an ecommerce software solution. Prior to 6.7.0, the admin orders-transactions listing page (admin.php?_g=orders&node=transactions) builds a raw ORDER BY SQL fragment from the attacker-con… | |||
| CVE-2026-42780 | medium | 4.9 | 4.9 | 19d ago | A directory traversal vulnerability exists in BIG-IP SSL Orchestrator that allows an authenticated attacker with high privilege to overwrite, delete or corrupt arbitrary local files. Note: Software … | |||
| CVE-2026-42063 | medium | 4.9 | 4.9 | 19d ago | A vulnerability exists in iControl SOAP where an authenticated attacker with the Resource Administrator or Administrator role can download sensitive files. Note: Software versions which have reached… | |||
| CVE-2026-41954 | medium | 4.9 | 4.9 | 19d ago | Sensitive information disclosure vulnerability exists in the undisclosed iControl REST endpoint and TMOS Shell (tmsh) command which may allow an authenticated attacker with resource administrator rol… | |||
| CVE-2026-44874 | medium | 4.9 | 4.9 | 20d ago | A vulnerability exists in the web-based management interface of an AOS-10 Gateway that could allow an authenticated remote attacker to access sensitive files on the underlying operating system. Succe… | |||
| CVE-2026-3604 | medium | 4.9 | 4.9 | 20d ago | The WP SEO Structured Data Schema plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `_kcseo_ative_tab` parameter in all versions up to, and including, 2.8.1 due to insufficien… | |||
| CVE-2026-42600 | medium | 4.9 | 4.9 | 21d ago | MinIO vulnerable to Path Traversal via msgpack Body in `ReadMultiple` Storage-REST Endpoint | |||
| CVE-2026-28967 | medium | 4.9 | 4.9 | 21d ago | A denial-of-service issue was addressed with improved input validation. This issue is fixed in iOS 18.7.7 and iPadOS 18.7.7, iOS 26.4 and iPadOS 26.4. An attacker in a privileged network position may… | |||
| CVE-2026-42886 | medium | 4.9 | 4.9 | 21d ago | Audiobookshelf is a self-hosted audiobook and podcast server. Prior to 2.32.2, the POST /api/backups/upload endpoint decompresses the details entry from an uploaded .audiobookshelf ZIP file entirely … | |||
| CVE-2026-42876 | medium | 4.9 | 4.9 | 21d ago | ExternalSecrets vulnerable to privilege escalation with secret overwriting | |||
| CVE-2026-42295 | medium | 4.9 | 4.9 | 24d ago | Argo vulnerable to exposure of artifact repository credentials | |||
| CVE-2026-44298 | medium | 4.9 | 4.9 | 24d ago | Kimai has an arbitrary file read in its invoice PDF renderer (admin) | |||
| CVE-2026-6344 | medium | 4.9 | 4.9 | 26d ago | The Fluent Forms plugin for WordPress is vulnerable to Arbitrary File Read in versions up to and including 6.2.1. This is due to insufficient path validation in the getAttachments() method of EmailNo… | |||
| CVE-2026-6418 | medium | 4.9 | 4.9 | 27d ago | An issue was discovered in the Shared Account Synchronization component of PaperCut MF (version 25.0.4). The application allows administrative users to configure a source path for account data synchr… | |||
| CVE-2026-1921 | medium | 4.9 | 4.9 | 28d ago | The Loco Translate plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 2.8.2 via the `fsReference` AJAX route. This is due to the `findSourceFile()` method norm… | |||
| CVE-2026-6948 | medium | 4.9 | 4.9 | 29d ago | Velociraptor versions prior to 0.76.4 contain a resource exhaustion vulnerability in the server's agent control channel. This allows a compromised or rogue Velociraptor client to crash the server … | |||
| CVE-2026-37505 | medium | 4.9 | 4.9 | 1mo ago | SQL Injection via ORDER BY clause in V2Board thru 1.7.4. In app/Http/Controllers/Admin/UserController.php, the sort parameter from user input is passed directly to User::orderBy($sort, $sortType) wit… | |||
| CVE-2026-41657 | medium | 4.9 | 4.9 | 1mo ago | Admidio Exposes Cross-Organization Member Data via Permission Check Mismatch in contacts_data.php | |||
| CVE-2026-0206 | medium | 4.9 | 4.9 | 1mo ago | A post-authentication Stack-based Buffer Overflow vulnerabilities in SonicOS allows a remote attacker to crash a firewall. | |||
| CVE-2026-41887 | medium | 4.9 | 4.9 | 1mo ago | Flarum: Path traversal in LESS parser via theme color settings (incomplete fix for CVE-2023-27577) | |||
| CVE-2026-33611 | medium | 4.9 | 4.9 | 1mo ago | An operator allowed to use the REST API can cause the Authoritative server to produce invalid HTTPS or SVCB record data, which can in turn cause LMDB database corruption, if using the LMDB backend. | |||
| CVE-2026-6416 | medium | 4.9 | 4.9 | 1mo ago | Tanium addressed an uncontrolled resource consumption vulnerability in Interact. | |||
| CVE-2026-31927 | medium | 4.9 | 4.9 | 2mo ago | Anviz CX7 Firmware is vulnerable to an authenticated CSV upload which allows path traversal to overwrite arbitrary files (e.g., /etc/shadow), enabling unauthorized SSH access when combined with deb… | |||
| CVE-2026-34164 | medium | 4.9 | 4.9 | 2mo ago | Valtimo: Sensitive data exposure through inbox message logging in InboxHandlingService | |||
| CVE-2026-39961 | medium | 4.9 | 4.9 | 2mo ago | Aiven Operator has cross-namespace secret exfiltration via ClickhouseUser connInfoSecretSource | |||
| CVE-2026-39631 | medium | 4.9 | 4.9 | 2mo ago | Missing Authorization vulnerability in Ronik@UnlimitedWP WPSchoolPress wpschoolpress allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WPSchoolPress: from n/a… | |||
| CVE-2026-31850 | medium | 4.9 | 4.9 | 2mo ago | Nexxt Solutions Nebula 300+ firmware through version 12.01.01.37 stores sensitive information, including administrative credentials and WiFi pre-shared keys, in plaintext within exported configuratio… | |||
| CVE-2026-32828 | medium | 4.9 | 4.9 | 2mo ago | Kargo Vulnerable to SSRF in Promotion http/http-download Steps Enables Internal Network Access and Data Exfiltration in github.com/akuity/kargo | |||
| CVE-2026-29516 | medium | 4.9 | 4.9 | 3mo ago | Buffalo TeraStation NAS TS5400R firmware version 4.02-0.06 and prior contain an excessive file permissions vulnerability that allows authenticated attackers to read the /etc/shadow file by uploading … | |||
| CVE-2026-1884 | medium | 4.9 | 4.9 | 4mo ago | A weakness has been identified in ZenTao up to 21.7.6-85642. The impacted element is the function fetchHook of the file module/webhook/model.php of the component Webhook Module. This manipulation cau… | |||
| CVE-2026-24356 | medium | 4.9 | 4.9 | 4mo ago | Missing Authorization vulnerability in Roxnor GetGenie getgenie allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects GetGenie: from n/a through <= 4.3.0. | |||
| CVE-2026-22482 | medium | 4.9 | 4.9 | 4mo ago | Server-Side Request Forgery (SSRF) vulnerability in wbolt.com IMGspider imgspider allows Server Side Request Forgery.This issue affects IMGspider: from n/a through <= 2.3.12. | |||
| CVE-2026-10058 | medium | 4.8 | 4.8 | 3d ago | ITS Intelligent SCADA System developed by ITP Technology has a Stored Cross-Site Scripting vulnerability, allowing privileged remote attackers to inject persistent JavaScript codes that are executed … | |||
| CVE-2026-10057 | medium | 4.8 | 4.8 | 3d ago | ITS Intelligent SCADA System developed by ITP Technology has a Stored Cross-Site Scripting vulnerability, allowing privileged remote attackers to inject persistent JavaScript codes that are executed … | |||
| CVE-2026-6324 | medium | 4.8 | 4.8 | 3d ago | A flaw was found in libsoup. A remote attacker could exploit an unsigned to signed conversion error in the `soup_body_input_stream_read_chunked()` function by sending a malicious HTTP request. This v… | |||
| CVE-2026-2288 | medium | 4.8 | 4.8 | 5d ago | The myLinksDump plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'link_title' parameter in all versions up to, and including, 1.6 due to insufficient input sanitization and o… | |||
| CVE-2026-2280 | medium | 4.8 | 4.8 | 5d ago | The rexCrawler plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0.15 due to insufficient input sanitization and output esca… | |||
| CVE-2026-8647 | medium | 4.8 | 4.8 | 6d ago | Crypt::ScryptKDF versions through 0.010 for Perl uses insecure random number source when no CSPRNG module is available. The random_bytes function fell back to using the built-in rand() function when… | |||
| CVE-2026-44443 | medium | 4.8 | 4.8 | 6d ago | Lumiverse is a full-featured AI chat application. Prior to 0.9.7, consumeNonce() only checks that the module-level variable is set and unexpired. It does not validate any value from the incoming HTTP… | |||
| CVE-2026-8353 | medium | 4.8 | 4.8 | 10d ago | Concrete CMS version 9.0 to 9.5.0 is vulnerable to Stored XSS via page name in the Atomik theme. A rogue editor can inject arbitrary JavaScript that executes in the context of any authenticated user … | |||
| CVE-2026-8197 | medium | 4.8 | 4.8 | 11d ago | Concrete CMS 9.5.0 and below is vulnerable to Stored XSS via OAuth integration name. The OAuth authorize template renders the integration name (admin-controlled) through Concrete's t() translation he… | |||
| CVE-2026-41999 | medium | 4.8 | 4.8 | 11d ago | Incorrect Behaviour of Views with TCP PROXY Requests | |||
| CVE-2026-43617 | medium | 4.8 | 4.8 | 13d ago | Rsync version 3.4.2 and prior contain an authorization bypass vulnerability in the rsync daemon's hostname-based access control list enforcement when configured with chroot. Attackers can bypass host… | |||
| CVE-2026-34246 | medium | 4.8 | 4.8 | 13d ago | CtrlPanel is open-source billing software for hosting providers. Versions 1.1.1 and prior contain a Stored Cross-Site Scripting (XSS) vulnerability exists in the admin role management interface. In a… | |||
| CVE-2026-3495 | medium | 4.8 | 4.8 | 14d ago | Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13 fail to escape some variables that could contain malicious content during error page composition which allows an attacker with access to edit… | |||
| CVE-2026-44568 | medium | 4.8 | 4.8 | 17d ago | Open WebUI has Stored XSS in Pending User Overlay via Incorrect DOMPurify Application Order | |||
| CVE-2026-41281 | medium | 4.8 | 4.8 | 19d ago | Android App "あんしんフィルター for au" provided by KDDI CORPORATION contains Cleartext Transmission of Sensitive Information (CWE-319) vulnerability. A man-in-the-middle attacker may access and modify commun… | |||
| CVE-2026-39428 | medium | 4.8 | 4.8 | 19d ago | CubeCart is an ecommerce software solution. Prior to 6.6.0, a Stored Cross-Site Scripting (XSS) vulnerability exists in CubeCart v6.x. An attacker with administrative privileges can inject malicious … | |||
| CVE-2026-8367 | medium | 4.8 | 4.8 | 19d ago | aria2c accepts a server certificate with incorrect Extended Key Usage (EKU). If the attackers compromise a certificate (with the associated private key) issued for a different purpose, they may be ab… | |||
| CVE-2026-42934 | medium | 4.8 | 4.8 | 19d ago | NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_charset_module module. When charset, source_charset, and charset_map and proxy_pass with disabled buffering ("off") directives ar… | |||
| CVE-2026-40701 | medium | 4.8 | 4.8 | 19d ago | NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_ssl_module module when the ssl_verify_client directive is set to "on" or "optional," and the ssl_ocsp directive is set to "on" or… | |||
| CVE-2026-42948 | medium | 4.8 | 4.8 | 19d ago | Stored cross-site scripting vulnerability exists in ELECOM wireless LAN access point devices. If one of the administrators input malicious data, an arbitrary script may be executed in another adminis… | |||
| CVE-2026-34658 | medium | 4.8 | 4.8 | 20d ago | Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a high-p… | |||
| CVE-2026-34655 | medium | 4.8 | 4.8 | 20d ago | Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a high-p… | |||
| CVE-2026-6663 | medium | 4.8 | 4.8 | 20d ago | The GWD Connect plugin for WordPress is vulnerable to missing authorization to limited code execution in all versions up to, and including, 2.9. This is due to the plugin's standalone agent endpoints… | |||
| CVE-2026-7814 | medium | 4.8 | 4.8 | 21d ago | pgAdmin 4: Stored cross-site scripting (XSS) vulnerability in Browser Tree and Explain Visualizer modules | |||
| CVE-2026-42150 | medium | 4.8 | 4.8 | 25d ago | wlc: print_html outputs API data without HTML escaping | |||
| CVE-2026-40243 | medium | 4.8 | 4.8 | 26d ago | Incus is a system container and virtual machine manager. In versions before 7.0.0, broken TLS validation logic in the OVN database connection logic can allow connections to an attacker's OVN database… | |||
| CVE-2026-42841 | medium | 4.8 | 4.8 | 27d ago | Grav CMS vulnerable to stored XSS via Markdown media attribute() action | |||
| CVE-2026-33006 | medium | 4.8 | 4.8 | 28d ago | A timing attack against mod_auth_digest in Apache HTTP Server 2.4.66 allows a bypass of Digest authentication by a remote attacker. Users are recommended to upgrade to version 2.4.67, which fixes th… | |||
| CVE-2026-37503 | medium | 4.8 | 4.8 | 1mo ago | Cross-Site Scripting (XSS) in V2Board thru 1.7.4. The custom_html field in theme configuration is rendered using Blade unescaped output in public/theme/v2board/dashboard.blade.php. An admin can injec… | |||
| CVE-2026-1858 | medium | 4.8 | 4.8 | 1mo ago | wget2 accepts a server certificate with incorrect Key Usage (KU) or Extended Key Usage (EKU). If the attackers compromise a certificate (with the associated private key) issued for a different purpos… | |||
| CVE-2026-41393 | medium | 4.8 | 4.8 | 1mo ago | OpenClaw: macOS Tailnet DNS Spoofing & Credential Exfiltration | |||
| CVE-2026-40557 | medium | 4.8 | 4.8 | 1mo ago | Apache Storm Prometheus Reporter vulnerable to Improper Certificate Validation via Global SSL Context Downgrade | |||
| CVE-2026-7027 | medium | 4.8 | 4.8 | 1mo ago | A vulnerability was identified in D-Link DSL-2740R EU_01.15. Impacted is an unknown function of the component Wireless Setup Section. Such manipulation of the argument Wireless Network Name leads to … | |||
| CVE-2026-7026 | medium | 4.8 | 4.8 | 1mo ago | A vulnerability was determined in D-Link DGS-3420 1.50.018. This issue affects some unknown processing of the component System Information Settings Page. This manipulation of the argument System Name… | |||
| CVE-2026-22751 | medium | 4.8 | 4.8 | 1mo ago | Spring Security Core has a TOCTOU race condition when One-Time Token login with JdbcOneTimeTokenService is configured | |||
| CVE-2026-40594 | medium | 4.8 | 4.8 | 1mo ago | pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev98, the set_session_cookie_secure before_request handler in src/pyload/webui/app/__init__.py reads the X-Forwa… | |||
| CVE-2026-28263 | medium | 4.8 | 4.8 | 2mo ago | Dell PowerProtect Data Domain with Data Domain Operating System (DD OS) of Feature Release versions 7.7.1.0 through 8.5, LTS2025 release version 8.3.1.0 through 8.3.1.20, LTS2024 release versions 7.1… | |||
| CVE-2026-40175 | medium | 4.8 | 4.8 | 2mo ago | Axios has Unrestricted Cloud Metadata Exfiltration via Header Injection Chain | |||
| CVE-2026-5106 | medium | 4.8 | 4.8 | 2mo ago | A flaw has been found in code-projects Exam Form Submission 1.0. The impacted element is an unknown function of the file /admin/update_fst.php. Executing a manipulation of the argument sname can lead… | |||
| CVE-2026-4544 | medium | 4.8 | 4.8 | 2mo ago | A vulnerability was determined in Wavlink WL-WN578W2 221110. This affects an unknown function of the file /cgi-bin/login.cgi of the component POST Request Handler. Executing a manipulation of the arg… | |||
| CVE-2026-3862 | medium | 4.8 | 4.8 | 3mo ago | Cross-site Scripting (XSS) allows an attacker to submit specially crafted data to the application which is returned unaltered in the resulting web page. | |||
| CVE-2026-3716 | medium | 4.8 | 4.8 | 3mo ago | A vulnerability was determined in Wavlink WL-WN579X3-C 231124. This vulnerability affects the function sub_401AD4 of the file /cgi-bin/adm.cgi. Executing a manipulation of the argument Hostname can l… | |||
| CVE-2026-3403 | medium | 4.8 | 4.8 | 3mo ago | A vulnerability was detected in PHPGurukul Student Record Management System 1.0. This issue affects some unknown processing of the file /edit-subject.php. Performing a manipulation of the argument Su… | |||
| CVE-2026-3402 | medium | 4.8 | 4.8 | 3mo ago | A security vulnerability has been detected in PHPGurukul Student Record Management System up to 1.0. This vulnerability affects unknown code of the file /edit-course.php. Such manipulation of the arg… | |||
| CVE-2026-3170 | medium | 4.8 | 4.8 | 3mo ago | A vulnerability was detected in SourceCodester/Patrick Mvuma Patients Waiting Area Queue Management System 1.0. Affected is an unknown function of the file /patient-search.php. The manipulation of th… | |||
| CVE-2026-26351 | medium | 4.8 | 4.8 | 3mo ago | GetSimpleCMS Community Edition (CE) versions prior to 3.3.22 (3.3.16 tested) contains a stored cross-site scripting (XSS) vulnerability in the Theme to Components functionality within components.php.… | |||
| CVE-2026-2939 | medium | 4.8 | 4.8 | 3mo ago | A vulnerability was found in itsourcecode Student Management System 1.0. The impacted element is an unknown function of the file /add_student/ of the component Add Student Module. The manipulation re… | |||
| CVE-2026-2934 | medium | 4.8 | 4.8 | 3mo ago | A security vulnerability has been detected in YiFang CMS up to 2.0.5. This impacts the function update of the file app/db/admin/D_friendLinkGroup.php of the component Extended Management Module. The … | |||
| CVE-2026-2933 | medium | 4.8 | 4.8 | 3mo ago | A weakness has been identified in YiFang CMS up to 2.0.5. This affects the function update of the file app/db/admin/D_adManage.php of the component Extended Management Module. Executing a manipulatio… | |||
| CVE-2026-2932 | medium | 4.8 | 4.8 | 3mo ago | A security flaw has been discovered in YiFang CMS up to 2.0.5. The impacted element is the function update of the file app/db/admin/D_adPosition.php of the component Extended Management Module. Perfo… | |||
| CVE-2026-2897 | medium | 4.8 | 4.8 | 3mo ago | funadmin: XSS through Value argument in Backend Interface component | |||
| CVE-2026-2222 | medium | 4.8 | 4.8 | 4mo ago | A weakness has been identified in code-projects Online Reviewer System 1.0. Affected by this vulnerability is an unknown functionality of the file /system/system/admins/manage/users/btn_functions.php… | |||
| CVE-2026-2214 | medium | 4.8 | 4.8 | 4mo ago | A weakness has been identified in code-projects for Plugin 1.0. This affects an unknown part of the file /Administrator/PHP/AdminAddAlbum.php. This manipulation of the argument txtalbum causes cross … | |||
| CVE-2026-2200 | medium | 4.8 | 4.8 | 4mo ago | A weakness has been identified in heyewei JFinalCMS 5.0.0. This affects an unknown function of the file /admin/admin/save of the component API Endpoint. Executing a manipulation can lead to cross sit… | |||
| CVE-2026-2156 | medium | 4.8 | 4.8 | 4mo ago | A weakness has been identified in code-projects Online Student Management System 1.0. The impacted element is an unknown function of the file /admin/announcement/index.php?view=add of the component A… |