CVEs from 2026
Total
13,321
critical
critical 1,107
high
high 3,936
medium
medium 3,984
low
low 416
% Critical
8.3%
% with KEV
0.4%
% with exploit
0.5%
Top products
- chrome 299
- firepower_threat_defense 298
- firepower_threat_defense_software 295
- gcp 221
- openclaw 166
- commerce 104
- commerce_b2b 89
- magento 74
Top packages
| CVE | Severity | CVSS | Risk | Published | Description | Impact |
|---|---|---|---|---|---|---|
| CVE-2026-31849 | medium | 6.5 | 6.5 | 2mo ago | Nexxt Solutions Nebula 300+ firmware through version 12.01.01.37 does not implement CSRF protections on state-changing endpoints such as /goform/setSysTools and other administrative interfaces. As a … | |
| CVE-2026-31846 | medium | 6.5 | 6.5 | 2mo ago | Missing authentication in the /goform/ate endpoint in Nexxt Solutions Nebula 300+ firmware through version 12.01.01.37 allows an adjacent unauthenticated attacker to retrieve sensitive device informa… | |
| CVE-2026-4572 | medium | 6.5 | 6.5 | 2mo ago | A weakness has been identified in SourceCodester Sales and Inventory System 1.0. Affected by this issue is some unknown functionality of the file /view_product.php of the component HTTP POST Request … | |
| CVE-2026-4571 | medium | 6.5 | 6.5 | 2mo ago | A security flaw has been discovered in SourceCodester Sales and Inventory System 1.0. Affected by this vulnerability is an unknown functionality of the file /view_payments.php of the component HTTP P… | |
| CVE-2026-4569 | medium | 6.5 | 6.5 | 2mo ago | A vulnerability was determined in SourceCodester Sales and Inventory System 1.0. This impacts an unknown function of the file /view_category.php of the component HTTP POST Request Handler. This manip… | |
| CVE-2026-4568 | medium | 6.5 | 6.5 | 2mo ago | A vulnerability was found in SourceCodester Sales and Inventory System 1.0. This affects an unknown function of the file /update_supplier.php of the component HTTP GET Request Handler. The manipulati… | |
| CVE-2026-32896 | medium | 6.5 | 6.5 | 2mo ago | OpenClaw: BlueBubbles beta plugin webhook auth hardening (remove passwordless fallback) | |
| CVE-2026-32663 | medium | 6.5 | 6.5 | 2mo ago | The WebSocket backend uses charging station identifiers to uniquely associate sessions but allows multiple endpoints to connect using the same session identifier. This implementation results in predi… | |
| CVE-2026-27649 | medium | 6.5 | 6.5 | 2mo ago | The WebSocket backend uses charging station identifiers to uniquely associate sessions but allows multiple endpoints to connect using the same session identifier. This implementation results in predi… | |
| CVE-2026-32941 | medium | 6.5 | 6.5 | 2mo ago | Sliver Vulnerable to Authenticated OOM via Memory Exhaustion in mTLS/WireGuard Transports in github.com/bishopfox/sliver | |
| CVE-2026-32889 | medium | 6.5 | 6.5 | 2mo ago | Denial of service via non-terminating SYLT frame parsing loop in tinytag | |
| CVE-2026-32022 | medium | 6.5 | 6.5 | 2mo ago | OpenClaw safeBins grep -e File Read Bypass (stdin-only policy bypass) | |
| CVE-2026-4426 | medium | 6.5 | 6.5 | 2mo ago | A flaw was found in libarchive. An Undefined Behavior vulnerability exists in the zisofs decompression logic, caused by improper validation of a field (`pz_log2_bs`) read from ISO9660 Rock Ridge exte… | |
| CVE-2026-27397 | medium | 6.5 | 6.5 | 2mo ago | Authorization Bypass Through User-Controlled Key vulnerability in Really Simple Plugins B.V. Really Simple Security Pro allows Exploiting Incorrectly Configured Access Control Security Levels.This is… | |
| CVE-2026-0708 | medium | 6.5 | 6.5 | 2mo ago | A flaw was found in libucl. A remote attacker could exploit this by providing a specially crafted Universal Configuration Language (UCL) input that contains a key with an embedded null byte. This can… | |
| CVE-2026-28522 | medium | 6.5 | 6.5 | 2mo ago | arduino-TuyaOpen before version 1.2.1 contains a null pointer dereference vulnerability in the WiFiUDP component. An attacker on the same local area network can send a large volume of malicious UDP p… | |
| CVE-2026-32451 | medium | 6.5 | 6.5 | 3mo ago | Missing Authorization vulnerability in ThemeFusion Fusion Builder fusion-builder allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Fusion Builder: from n/a th… | |
| CVE-2026-32398 | medium | 6.5 | 6.5 | 3mo ago | Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') vulnerability in Subrata Mal TeraWallet – For WooCommerce woo-wallet allows Leveraging Race Conditions.This… | |
| CVE-2026-2673 | medium | 6.5 | 6.5 | 3mo ago | Issue summary: An OpenSSL TLS 1.3 server may fail to negotiate the expected preferred key exchange group when its key exchange group configuration includes the default by using the 'DEFAULT' keyword.… | |
| CVE-2026-32237 | medium | 6.5 | 6.5 | 3mo ago | @backstage/plugin-scaffolder-backend: Possible exposure of defaultEnvironment secrets using dry-run endpoint | |
| CVE-2026-21670 | medium | 6.5 | 6.5 | 3mo ago | A vulnerability allowing a low-privileged user to extract saved SSH credentials. | |
| CVE-2026-21668 | medium | 6.5 | 6.5 | 3mo ago | A vulnerability allowing an authenticated domain user to bypass restrictions and manipulate arbitrary files on a Backup Repository. | |
| CVE-2026-3954 | medium | 6.5 | 6.5 | 3mo ago | A weakness has been identified in OpenBMB XAgent 1.0.0. Affected by this vulnerability is the function workspace of the file XAgentServer/application/routers/workspace.py. This manipulation of the ar… | |
| CVE-2026-1471 | medium | 6.5 | 6.5 | 3mo ago | Excessive caching of authentication context in Neo4j Enterprise edition versions prior to 2026.01.4 leads to authenticated users inheriting the context of the first user who authenticated after resta… | |
| CVE-2026-30973 | medium | 6.5 | 6.5 | 3mo ago | @appium/support has a Zip Slip arbitrary file write in its ZIP extraction | |
| CVE-2026-3816 | medium | 6.5 | 6.5 | 3mo ago | A security vulnerability has been detected in OWASP DefectDojo up to 2.55.4. This vulnerability affects the function input_zip.read of the file parser.py of the component SonarQubeParser/MSDefenderPa… | |
| CVE-2026-3695 | medium | 6.5 | 6.5 | 3mo ago | A vulnerability has been found in SourceCodester Modern Image Gallery App 1.0. Impacted is an unknown function of the file /delete.php. Such manipulation of the argument filename leads to path traver… | |
| CVE-2026-29781 | medium | 6.5 | 6.5 | 3mo ago | Sliver is Vulnerable to Authenticated Nil-Pointer Dereference through its Handlers in github.com/bishopfox/sliver | |
| CVE-2026-29771 | medium | 6.5 | 6.5 | 3mo ago | Netmaker Vulnerable to Denial of Service via Server Shutdown Endpoint in github.com/gravitl/netmaker | |
| CVE-2026-22723 | medium | 6.5 | 6.5 | 3mo ago | Cloudfoundry UAA has logic error in the token revocation endpoint implementation | |
| CVE-2026-27362 | medium | 6.5 | 6.5 | 3mo ago | Missing Authorization vulnerability in kamleshyadav WP Bakery Autoresponder Addon vc-autoresponder-addon allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP … | |
| CVE-2026-23799 | medium | 6.5 | 6.5 | 3mo ago | Missing Authorization vulnerability in Themeum Tutor LMS tutor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Tutor LMS: from n/a through <= 3.9.5. | |
| CVE-2026-22459 | medium | 6.5 | 6.5 | 3mo ago | Missing Authorization vulnerability in Blend Media WordPress CTA easy-sticky-sidebar allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WordPress CTA: from n/a… | |
| CVE-2026-20064 | medium | 6.5 | 6.5 | 3mo ago | A vulnerability in of Cisco Secure Firewall Threat Defense (FTD) Software could allow an authenticated, local attacker to cause the device to unexpectedly reload, causing a denial of service (DoS) co… | |
| CVE-2026-20023 | medium | 6.5 | 6.5 | 3mo ago | A vulnerability in the OSPF protocol of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software could allow an unauthenticated, adjace… | |
| CVE-2026-20022 | medium | 6.5 | 6.5 | 3mo ago | A vulnerability in the OSPF protocol of Cisco Secure Firewall ASA Software and Cisco Secure FTD Software could allow an unauthenticated, adjacent attacker to cause an affected device to reload unexpe… | |
| CVE-2026-3408 | medium | 6.5 | 6.5 | 3mo ago | A vulnerability was identified in Open Babel up to 3.1.1. This impacts the function OBAtom::GetExplicitValence of the file isrc/atom.cpp of the component CDXML File Handler. Such manipulation leads t… | |
| CVE-2026-3269 | medium | 6.5 | 6.5 | 3mo ago | PSI Probe: Broken access control can lead to DoS | |
| CVE-2026-3118 | medium | 6.5 | 6.5 | 3mo ago | A security flaw was identified in the Orchestrator Plugin of Red Hat Developer Hub (Backstage). The issue occurs due to insufficient input validation in GraphQL query handling. An authenticated user … | |
| CVE-2026-2984 | medium | 6.5 | 6.5 | 3mo ago | A vulnerability was identified in SourceCodester Student Result Management System 1.0. This affects an unknown function of the file /admin/core/drop_user.php. Such manipulation of the argument ID lea… | |
| CVE-2026-2976 | medium | 6.5 | 6.5 | 3mo ago | A weakness has been identified in FastApiAdmin up to 2.2.0. Affected by this issue is the function download_controller of the file /backend/app/api/v1/module_common/file/controller.py of the componen… | |
| CVE-2026-2945 | medium | 6.5 | 6.5 | 3mo ago | A weakness has been identified in JeecgBoot 3.9.0. Affected by this vulnerability is an unknown functionality of the file /sys/common/uploadImgByHttp. Executing a manipulation of the argument fileUrl… | |
| CVE-2026-2898 | medium | 6.5 | 6.5 | 3mo ago | funadmin: Deserialization Vulnerability in Backend Endpoint via AuthCloudService getMember Function | |
| CVE-2026-2850 | medium | 6.5 | 6.5 | 3mo ago | A vulnerability was found in yeqifu warehouse up to aaf29962ba407d22d991781de28796ee7b4670e4. This affects the function addCustomer/updateCustomer/deleteCustomer of the file dataset\repos\warehouse\s… | |
| CVE-2026-22350 | medium | 6.5 | 6.5 | 3mo ago | Missing Authorization vulnerability in add-ons.org PDF for Elementor Forms + Drag And Drop Template Builder pdf-for-elementor-forms allows Exploiting Incorrectly Configured Access Control Security Le… | |
| CVE-2026-2693 | medium | 6.5 | 6.5 | 3mo ago | A vulnerability was determined in CoCoTeaNet CyreneAdmin up to 1.3.0. This vulnerability affects unknown code of the file /api/system/dashboard/getCount of the component System Info Endpoint. Executi… | |
| CVE-2026-2692 | medium | 6.5 | 6.5 | 3mo ago | A vulnerability was found in CoCoTeaNet CyreneAdmin up to 1.3.0. This affects an unknown part of the file /api/system/user/getAvatar of the component Image Handler. Performing a manipulation of the a… | |
| CVE-2026-2669 | medium | 6.5 | 6.5 | 3mo ago | A vulnerability was determined in Rongzhitong Visual Integrated Command and Dispatch Platform up to 20260206. This impacts an unknown function of the file /dm/dispatch/user/delete of the component Us… | |
| CVE-2026-25729 | medium | 6.5 | 6.5 | 4mo ago | DeepAudit is a multi-agent system for code vulnerability discovery. In 3.0.4 and earlier, there is an improper access control vulnerability in the /api/v1/users/ endpoint allows any authenticated use… | |
| CVE-2026-2009 | medium | 6.5 | 6.5 | 4mo ago | A flaw has been found in SourceCodester Gas Agency Management System 1.0. This issue affects some unknown processing of the file /gasmark/php_action/createUser.php. Executing a manipulation can lead … | |
| CVE-2026-24988 | medium | 6.5 | 6.5 | 4mo ago | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Brian Hogg The Events Calendar Shortcode & Block the-events-calendar-shortcode allows Stored XSS.… | |
| CVE-2026-24601 | medium | 6.5 | 6.5 | 4mo ago | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PenciDesign Penci Pay Writer penci-pay-writer allows Stored XSS.This issue affects Penci Pay Writ… | |
| CVE-2026-24600 | medium | 6.5 | 6.5 | 4mo ago | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PenciDesign Penci Review penci-review allows Stored XSS.This issue affects Penci Review: from n/a… | |
| CVE-2026-24591 | medium | 6.5 | 6.5 | 4mo ago | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in yasir129 Turn Yoast SEO FAQ Block to Accordion faq-schema-block-to-accordion allows Stored XSS.Th… | |
| CVE-2026-24576 | medium | 6.5 | 6.5 | 4mo ago | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in COP UX Flat ux-flat allows Stored XSS.This issue affects UX Flat: from n/a through <= 5.4.0. | |
| CVE-2026-24558 | medium | 6.5 | 6.5 | 4mo ago | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in antoniobg ABG Rich Pins abg-rich-pins allows Stored XSS.This issue affects ABG Rich Pins: from n/… | |
| CVE-2026-24555 | medium | 6.5 | 6.5 | 4mo ago | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in artplacer ArtPlacer Widget artplacer-widget allows Stored XSS.This issue affects ArtPlacer Widget… | |
| CVE-2026-24550 | medium | 6.5 | 6.5 | 4mo ago | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Kaira Blockons blockons allows Stored XSS.This issue affects Blockons: from n/a through <= 1.2.19. | |
| CVE-2026-24526 | medium | 6.5 | 6.5 | 4mo ago | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Steve Truman Email Inquiry & Cart Options for WooCommerce woocommerce-email-inquiry-cart-options … | |
| CVE-2026-24379 | medium | 6.5 | 6.5 | 4mo ago | Authorization Bypass Through User-Controlled Key vulnerability in wpjobportal WP Job Portal wp-job-portal allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP… | |
| CVE-2026-24361 | medium | 6.5 | 6.5 | 4mo ago | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThimPress LearnPress – Course Review learnpress-course-review allows Stored XSS.This issue affect… | |
| CVE-2026-24355 | medium | 6.5 | 6.5 | 4mo ago | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in favethemes Houzez Theme - Functionality houzez-theme-functionality allows Stored XSS.This issue a… | |
| CVE-2026-22349 | medium | 6.5 | 6.5 | 4mo ago | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in linux4me2 Menu In Post menu-in-post allows DOM-Based XSS.This issue affects Menu In Post: from n/… | |
| CVE-2026-1142 | medium | 6.5 | 6.5 | 4mo ago | A security flaw has been discovered in PHPGurukul News Portal 1.0. The impacted element is an unknown function. Performing a manipulation results in cross-site request forgery. The attack may be init… | |
| CVE-2026-0571 | medium | 6.5 | 6.5 | 5mo ago | A security flaw has been discovered in yeqifu warehouse up to aaf29962ba407d22d991781de28796ee7b4670e4. Affected by this issue is the function createResponseEntity of the file warehouse\src\main\java… | |
| CVE-2026-4334 | medium | 6.4 | 6.4 | 7h ago | The Shariff Wrapper plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'headline' parameter in the [shariff] shortcode in all versions up to, and including, 4.6.20 due to insuf… | |
| CVE-2026-6427 | medium | 6.4 | 6.4 | 8h ago | The a3 Lazy Load plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.7.6 This is due to a regex bug in the _filter_videos() method that breaks HT… | |
| CVE-2026-9644 | medium | 6.4 | 6.4 | 10h ago | The LiveSmart Video Chat Live Video Chat plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'livesmart_widget' shortcode in all versions up to, and including, 1.2 due … | |
| CVE-2026-8042 | medium | 6.4 | 6.4 | 1d ago | The Github Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'repo' shortcode attribute in the 'github' shortcode in all versions up to, and including, 0.1 due to in… | |
| CVE-2026-3895 | medium | 6.4 | 6.4 | 1d ago | The WPBakery Page Builder Addons by Livemesh plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `lvca_admin_ajax` AJAX action in all versions up to, and including, 3.9.4 due to… | |
| CVE-2026-2030 | medium | 6.4 | 6.4 | 1d ago | The WPBakery Page Builder Addons by Livemesh plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `[lvca_carousel]` and `[lvca_posts_carousel]` shortcode attributes in all versio… | |
| CVE-2026-3896 | medium | 6.4 | 6.4 | 1d ago | The Livemesh SiteOrigin Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `lsow_admin_ajax` AJAX action in all versions up to, and including, 3.9.2 due to missing auth… | |
| CVE-2026-3897 | medium | 6.4 | 6.4 | 1d ago | The Livemesh Addons for Beaver Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `labb_admin_ajax` AJAX action in all versions up to, and including, 3.9.2 due to missi… | |
| CVE-2026-8884 | medium | 6.4 | 6.4 | 1d ago | The Instant-Quote.co Quotation Page plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Shortcode Attributes in all versions up to, and including, 1.3.4 due to insufficient input sa… | |
| CVE-2026-8867 | medium | 6.4 | 6.4 | 1d ago | The Post Category Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'postcategorygallery' shortcode in versions up to, and including, 1.0.0. This is due to in… | |
| CVE-2026-8899 | medium | 6.4 | 6.4 | 1d ago | The Auto Thumbnail plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'thumbnails' shortcode in all versions up to, and including, 1.0. This is due to insufficient input saniti… | |
| CVE-2026-8040 | medium | 6.4 | 6.4 | 1d ago | The faq shortocde plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'color' shortcode attribute in the 'faq' shortcode in all versions up to, and including, 1.0 due to insuffi… | |
| CVE-2026-8886 | medium | 6.4 | 6.4 | 1d ago | The hk_shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title-plane' shortcode in versions up to, and including, 1.0. This is due to insufficient input sanitizatio… | |
| CVE-2026-8847 | medium | 6.4 | 6.4 | 1d ago | The Dideo plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'dideo' shortcode in version 1.0. This is due to insufficient input sanitization and output escaping on th… | |
| CVE-2026-8844 | medium | 6.4 | 6.4 | 1d ago | The Responsive Check plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'rspcheck' shortcode in versions up to, and including, 0.0.3. This is due to insufficient input sanitiza… | |
| CVE-2026-8875 | medium | 6.4 | 6.4 | 1d ago | The Easy Prism Syntax Highlighter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'code' (and 'c') shortcode in versions up to, and including, 1.0.2. This is due to… | |
| CVE-2026-8894 | medium | 6.4 | 6.4 | 1d ago | The iWR Tooltip plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `iwrtooltip` shortcode in versions up to, and including, 1.0. This is due to insufficient input sani… | |
| CVE-2026-8845 | medium | 6.4 | 6.4 | 1d ago | The Islamic Database plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'islamicDB-roqya' shortcode in versions up to, and including, 1.0. This is due to insufficient input san… | |
| CVE-2026-8873 | medium | 6.4 | 6.4 | 1d ago | The Content Slideshow plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Shortcode Attributes in all versions up to, and including, 2.4.1 due to insufficient input sanitization and… | |
| CVE-2026-8846 | medium | 6.4 | 6.4 | 1d ago | The Tuxquote plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'TUXQUOTE' shortcode in versions up to, and including, 1.3. This is due to insufficient input sanitization and o… | |
| CVE-2026-8891 | medium | 6.4 | 6.4 | 1d ago | The BitForm plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'bitform' shortcode in versions up to, and including, 1.1.0. This is due to insufficient input sanitizat… | |
| CVE-2026-8871 | medium | 6.4 | 6.4 | 1d ago | The Formidable Kinetic plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'kinetic_link' shortcode in versions up to, and including, 1.1.01. This is due to insufficient input s… | |
| CVE-2026-8048 | medium | 6.4 | 6.4 | 1d ago | The My Email Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'subject' shortcode attribute in the 'my-email' shortcode in all versions up to, and including, 0.91 d… | |
| CVE-2026-8872 | medium | 6.4 | 6.4 | 1d ago | The Animate Your Content plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'animation-set' shortcode in versions up to, and including, 1.0.0. This is due to insuffici… | |
| CVE-2026-8869 | medium | 6.4 | 6.4 | 1d ago | The Mutual Funds Data plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title' shortcode attribute in versions up to, and including, 1.2.1. This is due to insufficient input … | |
| CVE-2026-8898 | medium | 6.4 | 6.4 | 1d ago | The Events In City plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'org-events' shortcode in versions up to, and including, 3.0. This is due to insufficient input sanitizati… | |
| CVE-2026-8866 | medium | 6.4 | 6.4 | 1d ago | The jQuery googleslides plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'googleslides' shortcode in all versions up to, and including, 1.3. This is due to insufficient input… | |
| CVE-2026-8701 | medium | 6.4 | 6.4 | 1d ago | The GNTT Post Title Ticker plugin for WordPress is vulnerable to Stored Cross-Site Scripting in version 1.0 via the `title-ticker-slide`, `title-ticker-fade`, and `title-ticker-typing` shortcodes. Th… | |
| CVE-2026-8887 | medium | 6.4 | 6.4 | 1d ago | The Listen Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'listen' shortcode in versions up to, and including, 1.0. This is due to insufficient input sanitization… | |
| CVE-2026-8897 | medium | 6.4 | 6.4 | 1d ago | The Shortcode Buddy plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Shortcode Attributes in all versions up to, and including, 0.1.9.5 due to insufficient input sanitization and… | |
| CVE-2026-8870 | medium | 6.4 | 6.4 | 1d ago | The Team Master – A Modern WordPress Team Showcase plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Shortcode Attributes in all versions up to, and including, 1.1.2 due to insuff… | |
| CVE-2026-8702 | medium | 6.4 | 6.4 | 1d ago | The GBI To Print plugin for WordPress is vulnerable to Stored Cross-Site Scripting in version 1.0 via the 'div' attribute of the 'gbitoprint' shortcode. This is due to insufficient output escaping in… | |
| CVE-2026-8842 | medium | 6.4 | 6.4 | 1d ago | The Google+ Link Name plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'gplusnamelink' shortcode in versions up to, and including, 1.0. This is due to insufficient input sani… | |
| CVE-2026-8703 | medium | 6.4 | 6.4 | 1d ago | The Endless Scroll plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Shortcode Attributes in all versions up to, and including, 1.0.0 due to insufficient input sanitization and ou… | |
| CVE-2026-8868 | medium | 6.4 | 6.4 | 1d ago | The Single Mailchimp plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'single-mailchimp' shortcode in all versions up to, and including, 1.4. This is due to insufficient inpu… |