CVEs from 2026

- Total: 13,930
- Critical: 1,208
- High: 4,527
- Medium: 4,381
- Low: 483
- % Critical: 8.7%
- % with KEV: 0.4%
- % with exploit: 0.7%
Top products
- chrome 503
- firepower_threat_defense 298
- firepower_threat_defense_software 295
- gcp 229
- openclaw 172
- commerce 104
- commerce_b2b 89
- saml_sso_-_service_provider 77
| CVE | Severity | CVSS | Risk | Published | Description |
|---|---|---|---|---|---|
| CVE-2026-48973 | medium | 4.3 | 4.3 | 6d ago | Missing Authorization vulnerability in Benbodhi SVG Support allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects SVG Support: from n/a through 2.5.14. |
| CVE-2026-1248 | medium | 4.3 | 4.3 | 6d ago | IBM Business Automation Workflow containers and traditional may leak information about its database structure in error messages. |
| CVE-2026-9674 | medium | 4.3 | 4.3 | 6d ago | A cross-site request forgery (CSRF) vulnerability in Jenkins Multijob Plugin 662.vd2e0001f6b_b_d and earlier allows attackers to resume failed Multijob builds. |
| CVE-2026-48926 | medium | 4.3 | 4.3 | 6d ago | Jenkins Job Import Plugin 143.v044a_2e819b_27 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to enumerate credentials IDs of cred… |
| CVE-2026-48925 | medium | 4.3 | 4.3 | 6d ago | A cross-site request forgery (CSRF) vulnerability in Jenkins GitHub Integration Plugin 0.7.3 and earlier allows attackers to trigger a build for a pull request. |
| CVE-2026-48924 | medium | 4.3 | 4.3 | 6d ago | Jenkins Bitbucket OAuth Plugin 0.17 and earlier does not restrict the redirect URL after login, allowing attackers to perform phishing attacks. |
| CVE-2026-48923 | medium | 4.3 | 4.3 | 6d ago | Jenkins AppSpider Plugin 1.0.17 and earlier does not perform a permission check in a method implementing form validation, allowing attackers with Overall/Read permission to connect to an attacker-spe… |
| CVE-2026-48971 | medium | 4.3 | 4.3 | 6d ago | Missing Authorization vulnerability in WebToffee Product Import Export for WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Product Import Expo… |
| CVE-2026-8942 | medium | 4.3 | 4.3 | 6d ago | The MetaMagic SEO Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.6. This is due to missing or incorrect nonce validation on the metama… |
| CVE-2026-8708 | medium | 4.3 | 4.3 | 6d ago | The Genzel breadcrumbs plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2. This is due to missing or incorrect nonce validation on the _options… |
| CVE-2026-7614 | medium | 4.3 | 4.3 | 6d ago | The Old Posts Highlighter plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.3. This is due to missing or incorrect nonce validation on the OPH… |
| CVE-2026-8903 | medium | 4.3 | 4.3 | 6d ago | The Two-factor authentication (formerly IP Vault) plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1. This is due to missing or incorrect nonce… |
| CVE-2026-8943 | medium | 4.3 | 4.3 | 6d ago | The GoStats for WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4. This is due to missing or incorrect nonce validation on the gosta… |
| CVE-2026-8941 | medium | 4.3 | 4.3 | 6d ago | The CDN Linker lite plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.3.1. This is due to missing or incorrect nonce validation on the ossdl_off_opt… |
| CVE-2026-8938 | medium | 4.3 | 4.3 | 6d ago | The auto making JSON-LD plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.5.3. This is due to missing or incorrect nonce validation on the amJL_… |
| CVE-2026-8939 | medium | 4.3 | 4.3 | 6d ago | The Search Simple Fields plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 0.2. This is due to missing or incorrect nonce validation on the search_sim… |
| CVE-2026-9236 | medium | 4.3 | 4.3 | 6d ago | The CM Ad Changer – A simple tool to control and optimize your site's banners plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.7. This is due… |
| CVE-2026-2255 | medium | 4.3 | 4.3 | 6d ago | Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.6 and 11.0.0.0, including 9.3.x and 8.3.x, expose Hadoop cluster credentials in plain text through the Cluster Test API. Al… |
| CVE-2026-9604 | medium | 4.3 | 4.3 | 6d ago | A vulnerability was detected in JeecgBoot up to 3.9.1. This vulnerability affects unknown code of the component AiragModelController. The manipulation of the argument list/queryById results in improp… |
| CVE-2026-9583 | medium | 4.3 | 4.3 | 7d ago | A weakness has been identified in SourceCodester CET Automated Grading System with AI Predictive Analytics 1.0. This impacts an unknown function of the file /index.php of the component SQL Handler. E… |
| CVE-2026-9582 | medium | 4.3 | 4.3 | 7d ago | A security flaw has been discovered in SourceCodester CET Automated Grading System with AI Predictive Analytics 1.0. This affects an unknown function. Performing a manipulation results in cross-site … |
| CVE-2026-24520 | medium | 4.3 | 4.3 | 7d ago | Missing Authorization vulnerability in bPlugins Tiktok Feed allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Tiktok Feed: from n/a through 1.0.24. |
| CVE-2026-25444 | medium | 4.3 | 4.3 | 7d ago | Missing Authorization vulnerability in Magepeople inc. WpBookingly allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WpBookingly: from n/a through 1.2.9. |
| CVE-2026-44749 | medium | 4.3 | 4.3 | 7d ago | The SAP Gateway allows attackers to inject content into error messages, potentially leading to disclosure of request artefacts (e.g., regex patterns) and revealing underlying URI parsing logic. Leadi… |
| CVE-2026-47728 | medium | 4.3 | 4.3 | 7d ago | Bugsink is a self-hosted error tracking tool. Prior to 2.2.0, Bugsink resolved sourcemaps and debug files by debug ID without scoping that lookup to the project that owned the uploaded metadata. An a… |
| CVE-2026-46431 | medium | 4.3 | 4.3 | 7d ago | Algernon: Auto-refresh SSE event server sets Access-Control-Allow-Origin: * |
| CVE-2026-46430 | medium | 4.3 | 4.3 | 7d ago | Algernon: Auto-refresh SSE event server binds to all interfaces by default on Linux/macOS |
| CVE-2026-44314 | medium | 4.3 | 4.3 | 7d ago | Traccar is an open source GPS tracking system. Prior to 6.13.0, DeviceResource.uploadImage authorizes the target device only through Condition.Permission(User.class, getUserId(), Device.class) and th… |
| CVE-2026-9566 | medium | 4.3 | 4.3 | 7d ago | A vulnerability was identified in teableio teable up to 1.9.x. This impacts an unknown function of the file apps/nextjs-app/src/features/auth/pages/LoginPage.tsx of the component Sign-up. The manipul… |
| CVE-2026-35220 | medium | 4.3 | 4.3 | 7d ago | Lack of CSRF token validation leads to a CSRF attack vector in the admin activation endpoint of com_users. |
| CVE-2026-48900 | medium | 4.3 | 4.3 | 7d ago | An improper access check allowed low privileged users to edit the task types of existing scheduler tasks. |
| CVE-2026-43936 | medium | 4.3 | 4.3 | 7d ago | e107 is a content management system (CMS). Prior to 2.3.4, you can access the local environment by specifying the URL of the local environment from "Image/File URL:" of "From a remote location" in "M… |
| CVE-2026-38587 | medium | 4.3 | 4.3 | 7d ago | An Insecure Direct Object Reference (IDOR) vulnerability was discovered in ONLYOFFICE DocSpace before 3.2.1. The flaw exists in multiple REST API endpoints. This allows authenticated users with low-l… |
| CVE-2026-44502 | medium | 4.3 | 4.3 | 7d ago | Bugsink has an SSRF bypass in `validate_webhook_url` |
| CVE-2026-24638 | medium | 4.3 | 4.3 | 7d ago | Missing Authorization vulnerability in Webful Creations RepairBuddy allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects RepairBuddy: from n/a through 4.1121. |
| CVE-2026-9527 | medium | 4.3 | 4.3 | 7d ago | A vulnerability was determined in itsourcecode Electronic Judging System 1.0. This issue affects some unknown processing of the file /admin/judges.php. This manipulation of the argument fname causes … |
| CVE-2026-9520 | medium | 4.3 | 4.3 | 7d ago | A weakness has been identified in blitz-js blitz up to 3.0.2 on GitHub. This impacts an unknown function of the file packages/generator/templates/app/src/app/auth/components/LoginForm.tsx of the comp… |
| CVE-2026-9519 | medium | 4.3 | 4.3 | 7d ago | A security flaw has been discovered in stonith404 pingvin-share up to 1.13.0. This affects the function getServerSideProps of the file frontend/src/pages/auth/signIn.tsx of the component Sign-in Auto… |
| CVE-2026-9518 | medium | 4.3 | 4.3 | 7d ago | A vulnerability was identified in hemant6488 CodeIgniter-StudentManagementSystem. The impacted element is the function addStudent of the file view_students.php of the component Students Controller. T… |
| CVE-2026-36239 | medium | 4.3 | 4.3 | 7d ago | PbootCMS v.3.2.11 contains a code injection vulnerability in its site configuration functionality |
| CVE-2026-24582 | medium | 4.3 | 4.3 | 7d ago | Missing Authorization vulnerability in WPPOOL FlexTable allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects FlexTable: from n/a through 3.24.0. |
| CVE-2026-24554 | medium | 4.3 | 4.3 | 7d ago | Cross-Site Request Forgery (CSRF) vulnerability in Convers Lab WPSubscription allows Cross Site Request Forgery. This issue affects WPSubscription: from n/a through 1.9.1. |
| CVE-2026-24527 | medium | 4.3 | 4.3 | 7d ago | Missing Authorization vulnerability in Patterns in the cloud Autoship Cloud for WooCommerce Subscription Products allows Exploiting Incorrectly Configured Access Control Security Levels. This issue … |
| CVE-2026-24597 | medium | 4.3 | 4.3 | 8d ago | Cross-Site Request Forgery (CSRF) vulnerability in WpDevArt Organization chart allows Cross Site Request Forgery. This issue affects Organization chart: from n/a through 1.7.5. |
| CVE-2026-24545 | medium | 4.3 | 4.3 | 8d ago | Missing Authorization vulnerability in Nikki Blight QR Redirector allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects QR Redirector: from n/a through 2.0.3. |
| CVE-2026-9486 | medium | 4.3 | 4.3 | 8d ago | A security flaw has been discovered in SourceCodester Student Grades Management System 1.0. This affects an unknown part. The manipulation results in cross-site request forgery. The attack can be exe… |
| CVE-2026-9467 | medium | 4.3 | 4.3 | 8d ago | A vulnerability was identified in debugmcp mcp-debugger up to 0.20.0. Impacted is the function handleGetSourceContext of the file src/server.ts. The manipulation leads to path traversal. The attack i… |
| CVE-2026-9448 | medium | 4.3 | 4.3 | 8d ago | A vulnerability was determined in code-projects Employee Management System 1.0. This affects an unknown function of the file /applyleave.php. Executing a manipulation of the argument ID can lead to c… |
| CVE-2026-9419 | medium | 4.3 | 4.3 | 8d ago | A vulnerability has been found in code-projects Employee Management System 1.0. Affected by this issue is some unknown functionality of the file /empproject.php. The manipulation of the argument ID l… |
| CVE-2026-9418 | medium | 4.3 | 4.3 | 8d ago | A flaw has been found in code-projects Employee Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /changepassemp.php. Executing a manipulation of the argum… |
| CVE-2026-9417 | medium | 4.3 | 4.3 | 8d ago | A vulnerability was detected in code-projects Employee Management System 1.0. Affected is an unknown function of the file /myprofileup.php. Performing a manipulation of the argument ID results in cro… |
| CVE-2026-9416 | medium | 4.3 | 4.3 | 8d ago | A security vulnerability has been detected in code-projects Employee Management System 1.0. This impacts an unknown function of the file /myprofile.php. Such manipulation of the argument ID leads to … |
| CVE-2026-9415 | medium | 4.3 | 4.3 | 8d ago | A weakness has been identified in code-projects Employee Management System 1.0. This affects an unknown function of the file /eloginwel.php. This manipulation of the argument ID causes cross site scr… |
| CVE-2026-9413 | medium | 4.3 | 4.3 | 8d ago | A vulnerability was identified in SourceCodester Indian Invoicing System 1.0. The affected element is an unknown function of the file /Invoicing/category.php. The manipulation of the argument msg lea… |
| CVE-2026-9410 | medium | 4.3 | 4.3 | 8d ago | A vulnerability has been found in Sushmi-pal Invoice-System up to a0a3faa16dee2621b231ae227333f5761607283b. This vulnerability affects unknown code of the file /profile of the component Profile Workf… |
| CVE-2026-9409 | medium | 4.3 | 4.3 | 8d ago | A flaw has been found in Sushmi-pal Invoice-System up to a0a3faa16dee2621b231ae227333f5761607283b. This affects an unknown part of the file /user of the component User Management Handler. This manipu… |
| CVE-2026-9358 | medium | 4.3 | 4.3 | 9d ago | A vulnerability was determined in postcss up to 7.1.1. Affected is the function toString of the file src/selectors/container.js of the component AST Serialization. Executing a manipulation can lead t… |
| CVE-2026-9303 | medium | 4.3 | 4.3 | 10d ago | A vulnerability was identified in calcom cal.diy up to 4.9.4. Impacted is an unknown function. The manipulation leads to cross-site request forgery. It is possible to initiate the attack remotely. Th… |
| CVE-2026-40864 | medium | 4.3 | 4.3 | 11d ago | JupyterHub is software that allows users to create a multi-user server for Jupyter notebooks. In versions 4.1.0 through 5.4.4, XSRF protection (updated in 4.1.0) inappropriately treated requests with… |
| CVE-2026-9246 | medium | 4.3 | 4.3 | 11d ago | Improper access control in the entry documentation and attachment features in Devolutions Server allows an authenticated user with vault read access to retrieve the documentation and attachments of s… |
| CVE-2026-9224 | medium | 4.3 | 4.3 | 11d ago | Missing authorization in the user profile update feature in Devolutions Server allows an authenticated Active Directory user to modify their own profile attributes via a crafted API request. This is… |
| CVE-2026-9223 | medium | 4.3 | 4.3 | 11d ago | Missing authorization in the vault import feature in Devolutions Server 2026.1.16.0 and earlier allows a low-privileged authenticated user to create new vaults via a crafted import request. |
| CVE-2026-5171 | medium | 4.3 | 4.3 | 11d ago | Improper access control in the entry activity log feature in Devolutions Server allows an authenticated user with access to an entry but without the required permission to retrieve that entry's activ… |
| CVE-2026-8347 | medium | 4.3 | 4.3 | 11d ago | Concrete CMS 9.5.0 and below is vulnerable to IDOR + wrong-authorization-level in the Express association Reorder dialog. This can cause Cross-entity state tampering with view-only permission on one… |
| CVE-2026-8340 | medium | 4.3 | 4.3 | 11d ago | Concrete CMS 9.5.0 and below is vulnerable to CSRF via Backend\File::approveVersion. Victim with edit_file_contents permission is CSRF'd into publishing an attacker-chosen previously-uploaded version… |
| CVE-2026-4646 | medium | 4.3 | 4.3 | 11d ago | Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to validate user-supplied input in API request handlers which allows an authenticated attacker to cr… |
| CVE-2026-3636 | medium | 4.3 | 4.3 | 11d ago | Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to sanitize team member data when returned via API to users without elevated permissions which allow… |
| CVE-2026-8692 | medium | 4.3 | 4.3 | 11d ago | The Vedrixa Forms – User Registration Form, Signup Form & Drag & Drop Form Builder plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.1.1. This is due … |
| CVE-2026-7636 | medium | 4.3 | 4.3 | 11d ago | The Slider by Soliloquy – Responsive Image Slider for WordPress plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.8.1 via the map_meta_cap. … |
| CVE-2026-7615 | medium | 4.3 | 4.3 | 11d ago | The Widget Context plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.3. This is due to missing or incorrect nonce validation on the save_widge… |
| CVE-2026-7249 | medium | 4.3 | 4.3 | 11d ago | The Location Weather plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on the `splw_update_block_options()` and `lwp_clean_weather_transients()`… |
| CVE-2026-4070 | medium | 4.3 | 4.3 | 11d ago | The Alfie – Feed Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.1. This is due to missing nonce validation on the alfie_manage() fun… |
| CVE-2026-2518 | medium | 4.3 | 4.3 | 11d ago | The FastX theme for WordPress is vulnerable to unauthorized limited plugin installation and activation due to missing capability checks on the 'ultp_install_callback' and 'ultp_activate_callback' fun… |
| CVE-2026-8327 | medium | 4.3 | 4.3 | 11d ago | Concrete CMS below 9.5.0 and below is vulnerable to password change without reauthorization and session-hardening bypass. The user-profile edit controller passes the entire raw POST array to UserInfo… |
| CVE-2026-8236 | medium | 4.3 | 4.3 | 11d ago | Concrete CMS 9.5.0 and below is vulnerable to IDOR combined with a missing authentication gate. The endpoint /ccm/system/dialogs/file/usage/{fID} accepts an integer file ID in the URL and returns int… |
| CVE-2026-7886 | medium | 4.3 | 4.3 | 11d ago | Concrete CMS 9.5.0 and below is vulnerable to IDOR in AddMessage/UpdateMessage via attachments[] parameter which can lead to file permission bypass. The `AddMessage` and `UpdateMessage` conversation … |
| CVE-2026-7882 | medium | 4.3 | 4.3 | 11d ago | Concrete CMS 9.5.0 and below is vulnerable to unauthorized file deletion due to an Inverted CSRF token check in the DeleteFile controller. The code throws an error when the token IS valid and procee… |
| CVE-2026-7881 | medium | 4.3 | 4.3 | 11d ago | Concrete CMS 9.5.0 and below is subject to Insecure Direct Object Reference (IDOR) in the Express Entry Detail block via the exEntryID parameter. This IDOR leads to unauthorized access to all Express… |
| CVE-2026-4843 | medium | 4.3 | 4.3 | 12d ago | The GSheet For Woo Importer plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the process_ajax_restore_action() function in all versions up to, and … |
| CVE-2026-27349 | medium | 4.3 | 4.3 | 12d ago | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in WPFunnels Team Mail Mint allows Retrieve Embedded Sensitive Data. This issue affects Mail Mint: from n/a t… |
| CVE-2026-4055 | medium | 4.3 | 4.3 | 12d ago | Mattermost versions 11.5.x <= 11.5.1 fail to validate team-level run_create permission against the target team when creating a playbook run which allows an authenticated team member to create runs in… |
| CVE-2026-1881 | medium | 4.3 | 4.3 | 12d ago | The Broadstreet plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.52.2 via the get_sponsored_meta AJAX action due to missing validation on… |
| CVE-2026-40094 | medium | 4.3 | 4.3 | 12d ago | nimiq-blockchain provides persistent block storage for Nimiq's Rust implementation. In versions 1.3.0 and prior, network-libp2p discovery accepts signed PeerContact updates from untrusted peers and s… |
| CVE-2026-9116 | medium | 4.3 | 4.3 | 13d ago | Insufficient policy enforcement in ServiceWorker in Google Chrome prior to 148.0.7778.179 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: … |
| CVE-2026-9115 | medium | 4.3 | 4.3 | 13d ago | Insufficient policy enforcement in Service Worker in Google Chrome prior to 148.0.7778.179 allowed a remote attacker to bypass same origin policy via a crafted HTML page. (Chromium security severi… |
| CVE-2026-9113 | medium | 4.3 | 4.3 | 13d ago | Out of bounds read in GPU in Google Chrome on Mac prior to 148.0.7778.179 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. (Chromium security severity: High) |
| CVE-2026-9101 | medium | 4.3 | 4.3 | 13d ago | Prototype pollution in csv parsing logic during import can lead to untrusted file paths (but not arguments) entering shell.openExternal after specific user behavior leading to "1-click" command execu… |
| CVE-2026-27424 | medium | 4.3 | 4.3 | 13d ago | Missing Authorization vulnerability in WP Chill Image Photo Gallery Final Tiles Grid allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Image Photo Gallery F… |
| CVE-2026-6405 | medium | 4.3 | 4.3 | 13d ago | The Anomify AI – Anomaly Detection and Alerting plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) leading to Stored Cross-Site Scripting (XSS) in versions up to and including 0.… |
| CVE-2026-6566 | medium | 4.3 | 4.3 | 13d ago | The Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to and including 4.2.0. This is due to insuffic… |
| CVE-2026-44392 | medium | 4.3 | 4.3 | 13d ago | Missing authorization vulnerability exists in Movable Type. Under certain conditions, when a user without administrator privileges signs in to the product, unintended update processing may be execute… |
| CVE-2026-5075 | medium | 4.3 | 4.3 | 13d ago | The All in One SEO plugin for WordPress is vulnerable to Sensitive Information Exposure via 'internalOptions' localized script data in versions up to, and including, 4.9.7 due to sensitive internal o… |
| CVE-2026-8610 | medium | 4.3 | 4.3 | 13d ago | The TypeSquare Webfonts for ConoHa plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.0.4. This is due to the plugin not properly verifying that a user… |
| CVE-2026-8424 | medium | 4.3 | 4.3 | 13d ago | The Remove Yellow BGBOX plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation on the 'rybb_a… |
| CVE-2026-8423 | medium | 4.3 | 4.3 | 13d ago | The JaviBola Custom Theme Test plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.5. This is due to missing or incorrect nonce validation on th… |
| CVE-2026-8419 | medium | 4.3 | 4.3 | 13d ago | The Amazon Scraper plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1. This is due to missing or incorrect nonce validation on a function. This… |
| CVE-2026-8418 | medium | 4.3 | 4.3 | 13d ago | The Games Catalog plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.2.0. This is due to missing or incorrect nonce validation on the gc_crud() funct… |
| CVE-2026-6452 | medium | 4.3 | 4.3 | 13d ago | The Bigfishgames Syndicate plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2. This is due to missing or incorrect nonce validation on the bigf… |
| CVE-2026-6401 | medium | 4.3 | 4.3 | 13d ago | The Bottom Bar plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 0.1.7. This is due to missing nonce verification on the plugin's settings update fo… |
| CVE-2026-6400 | medium | 4.3 | 4.3 | 13d ago | The Child Height Predictor by Ostheimer plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 1.3. This is due to missing nonce verification in the opti… |