Export limit exceeded: 365174 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 365174 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (365174 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-57413 | 2 Bdthemes, Wordpress | 2 Instant Image Generator, Wordpress | 2026-07-13 | 6.4 Medium |
| Server-Side Request Forgery (SSRF) vulnerability in bdthemes Instant Image Generator ai-image allows Server Side Request Forgery.This issue affects Instant Image Generator: from n/a through <= 2.1.4. | ||||
| CVE-2026-57706 | 2 Dokan, Wordpress | 2 Dokan, Wordpress | 2026-07-13 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Dokan, Inc. Dokan dokan-lite allows Reflected XSS.This issue affects Dokan: from n/a through <= 5.0.6. | ||||
| CVE-2026-57708 | 2 Crmperks, Wordpress | 2 Contact Form Entries, Wordpress | 2026-07-13 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CRM Perks Contact Form Entries contact-form-entries allows Reflected XSS.This issue affects Contact Form Entries: from n/a through <= 1.5.2. | ||||
| CVE-2026-57712 | 2 Wordpress, Wpzoom | 2 Wordpress, Wpzoom Portfolio | 2026-07-13 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPZOOM WPZOOM Portfolio wpzoom-portfolio allows Reflected XSS.This issue affects WPZOOM Portfolio: from n/a through <= 1.4.29. | ||||
| CVE-2026-40467 | 1 Gnu | 1 Gawk | 2026-07-13 | N/A |
| Use After Free vulnerability has been found in "io.c" program file of gawk (do_getline_redir() routine). This issue may lead to a crash. It affects gawk in versions 5.4.0 and below. | ||||
| CVE-2026-40468 | 1 Gnu | 1 Gawk | 2026-07-13 | N/A |
| Integer overflow vulnerability has been found in "builtin.c" program file of gawk. This issue may lead to memory exhaustion on the hosting operating system and could be used to overwrite gawk heap metadata and objects with attacker-controlled bytes. It affects gawk in versions 5.4.0 and below. | ||||
| CVE-2026-40469 | 1 Gnu | 1 Gawk | 2026-07-13 | N/A |
| Integer overflow vulnerability has been found in "builtin.c" program file of gawk (do_sub() routine). This issue could be used to overwrite gawk heap metadata and objects causing the program to crash. It affects 32-bit builds of gawk in versions 5.4.0 and below. | ||||
| CVE-2026-40553 | 1 Gnu | 1 Gawk | 2026-07-13 | N/A |
| Buffer overflow vulnerability has been found in "extension/readdir.c" program file of gawk (ftype() routine). This issue could be used to crash the program and potentially to achieve code execution, although the latter has not been confirmed to be feasible. It affects gawk in versions 5.4.0 and below. | ||||
| CVE-2026-12103 | 2 Subratamal, Wordpress | 2 Wallet For Woocommerce, Wordpress | 2026-07-13 | 4.3 Medium |
| The Wallet for WooCommerce plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.6.4. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to enumerate the login name, email address, and user ID of all WordPress accounts — including administrators — by submitting arbitrary search terms to the AJAX handler. The required 'search-user' nonce is localized into the wallet_param object on the standard WooCommerce My Account page, which is accessible to any authenticated user, making it trivially obtainable by a Subscriber. | ||||
| CVE-2026-59518 | 2 Wordpress, Wpwax | 2 Wordpress, Directorist | 2026-07-13 | 9.8 Critical |
| Deserialization of Untrusted Data vulnerability in wpWax Directorist directorist allows Object Injection.This issue affects Directorist: from n/a through <= 8.8.2. | ||||
| CVE-2026-15547 | 1 Shibby | 1 Tomato | 2026-07-13 | 6.3 Medium |
| A weakness has been identified in Shibby Tomato up to 1.28.0000. This affects the function sub_2D048 of the component CIFS Mount Handler. Executing a manipulation of the argument cifs1/cifs2 can lead to os command injection. The attack can be executed remotely. The exploit has been made available to the public and could be used for attacks. This project is superseded by FreshTomato. | ||||
| CVE-2026-49876 | 1 Apache | 1 Gravitino | 2026-07-13 | 6.5 Medium |
| Authenticated SSRF in Gravitino JobManager allows server-side HTTP requests to internal network and cloud metadata endpoints via unvalidated job template URIs. A vulnerability in Apache Gravitino. This issue affects Apache Gravitino: from 1.0.0 through 1.2.1. Users are recommended to upgrade to version 1.3.0, which fixes the issue. | ||||
| CVE-2026-13114 | 2026-07-13 | 7.2 High | ||
| The Motors – Car Dealership & Classified Listings Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Comment Content and User Biographical Info in all versions up to, and including, 1.4.112 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2026-13116 | 2 Wordpress, Wpovernight | 2 Wordpress, Pdf Invoices & Packing Slips For Woocommerce | 2026-07-13 | 4.3 Medium |
| The PDF Invoices & Packing Slips for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.14.0 via the generate_document_shortcode due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with contributor-level access and above, to mint publicly accessible, session-free download links for arbitrary third-party orders, exposing customer names, billing and shipping addresses, email addresses, phone numbers, order and invoice numbers, line items, totals, payment details, and customer notes contained in those orders' invoices and packing slips. Exploitation requires the plugin's Document link access type setting to be configured to 'full'; with the default 'logged_in' value, generated URLs are signed with a per-session nonce rather than the order_key, making the shortcode path unexploitable for unauthorized access to third-party orders. | ||||
| CVE-2026-57814 | 2 Wordpress, Wpmu Dev - Your All-in-one Wordpress Platform | 2 Wordpress, Forminator | 2026-07-13 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPMU DEV - Your All-in-One WordPress Platform Forminator forminator allows DOM-Based XSS.This issue affects Forminator: from n/a through <= 1.55.0.1. | ||||
| CVE-2026-59521 | 2026-07-13 | 7.2 High | ||
| Deserialization of Untrusted Data vulnerability in ShapedPlugin LLC Real Testimonials testimonial-free allows Object Injection.This issue affects Real Testimonials: from n/a through <= 3.1.15. | ||||
| CVE-2026-61875 | 1 Openwrt | 1 Luci | 2026-07-13 | 8.8 High |
| luci-app-upnp contains a stored cross-site scripting vulnerability that allows unauthenticated LAN clients to inject JavaScript via UPnP IGD AddPortMapping SOAP requests. Attackers can send malicious HTML in the NewPortMappingDescription field, which miniupnpd stores and luci-app-upnp renders without output encoding, executing the payload when administrators view the UPnP or Status pages. | ||||
| CVE-2026-61968 | 2026-07-13 | 5.4 Medium | ||
| Missing Authorization vulnerability in Saad Iqbal myCred mycred allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects myCred: from n/a through <= 3.1.2. | ||||
| CVE-2026-61983 | 2 Andymoyle, Wordpress | 2 Church Admin, Wordpress | 2026-07-13 | 5.3 Medium |
| Missing Authorization vulnerability in andy_moyle Church Admin church-admin allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Church Admin: from n/a through <= 5.0.30. | ||||
| CVE-2026-55175 | 1 Spinnaker | 1 Spinnaker | 2026-07-13 | 7.5 High |
| Spinnaker is an open source, multi-cloud continuous delivery platform. Prior to versions 2026.1.1, 2026.0.3, 2025.4.4, and 2025.3.4 on their respective release lines, Kustomize bake operations allow unsafe YAML tag processing in rosco manifests. This can lead to remote code execution on rosco pods when performing Kustomize bakes. This issue is fixed in versions 2026.1.1, 2026.0.3, 2025.4.4, and 2025.3.4. | ||||