Export limit exceeded: 86032 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.

Search

Search Results (86032 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2026-27412 2 Stylemixthemes, Wordpress 2 Pearl - Corporate Business, Wordpress 2026-07-06 8.1 High
Unauthenticated Local File Inclusion in Pearl - Corporate Business <= 3.4.10 versions.
CVE-2026-27414 2 Fuelthemes, Wordpress 2 Werkstatt, Wordpress 2026-07-06 8.8 High
Contributor PHP Object Injection in Werkstatt <= 4.8.3 versions.
CVE-2026-27425 2 Themesuite, Wordpress 2 Automotive Listings, Wordpress 2026-07-06 7.1 High
Unauthenticated Cross Site Scripting (XSS) in Automotive Listings <= 18.6 versions.
CVE-2026-27430 2 Tranmautritam, Wordpress 2 Thefox, Wordpress 2026-07-06 7.1 High
Unauthenticated Cross Site Scripting (XSS) in TheFox <= 3.9.76 versions.
CVE-2026-39448 2 Coderpress, Wordpress 2 Nowpayments For Woocommerce, Wordpress 2026-07-06 7.5 High
Unauthenticated Broken Access Control in NOWPayments for WooCommerce <= 1.4.0 versions.
CVE-2026-57350 2 Andy Fragen, Wordpress 2 Wp Debugging, Wordpress 2026-07-06 7.1 High
Unauthenticated Cross Site Scripting (XSS) in WP Debugging <= 2.12.2 versions.
CVE-2026-57357 2 Search Atlas Group, Wordpress 2 Search Atlas Seo, Wordpress 2026-07-06 7.1 High
Unauthenticated Cross Site Scripting (XSS) in Search Atlas SEO <= 2.6.6 versions.
CVE-2026-57358 2 Sysbasics, Wordpress 2 Customize My Account For Woocommerce, Wordpress 2026-07-06 7.1 High
Unauthenticated Cross Site Scripting (XSS) in Customize My Account for WooCommerce <= 4.3.9 versions.
CVE-2026-57426 2 Chill Media Labs S.r.l., Wordpress 2 Modula - Pro, Wordpress 2026-07-06 7.1 High
Unauthenticated Cross Site Scripting (XSS) in Modula - PRO <= 2.10.8 versions.
CVE-2026-57672 2 Melograno Venture Studio, Wordpress 2 Wpdatatables, Wordpress 2026-07-06 7.1 High
Unauthenticated Cross Site Scripting (XSS) in wpDataTables <= 6.5.1.1 versions.
CVE-2026-57673 2 Optimole, Wordpress 2 Optimole, Wordpress 2026-07-06 7.1 High
Unauthenticated Cross Site Scripting (XSS) in Optimole <= 4.2.7 versions.
CVE-2026-57686 2 Wordpress, Wpxpo 2 Wordpress, Wowaddons 2026-07-06 7.1 High
Unauthenticated Cross Site Scripting (XSS) in WowAddons <= 1.6.14 versions.
CVE-2026-57688 2 Gurmehub, Wordpress 2 Pos Entegratör, Wordpress 2026-07-06 8.2 High
Unauthenticated Broken Access Control in POS Entegratör <= 3.7.103 versions.
CVE-2026-57748 2 Shopify Help Center, Wordpress 2 Shopify, Wordpress 2026-07-06 7.5 High
Contributor Local File Inclusion in Shopify <= 1.0.0 versions.
CVE-2026-57751 2 Heateor Support, Wordpress 2 Heateor Social Login, Wordpress 2026-07-06 8.1 High
Unauthenticated Cross Site Request Forgery (CSRF) in Heateor Social Login <= 1.1.39 versions.
CVE-2026-57756 2 Wordpress, 友人a丶 2 Wordpress, Nicen-localize-image 2026-07-06 8.5 High
Contributor SQL Injection in nicen-localize-image <= 1.4.9 versions.
CVE-2026-57757 2 Ploudapp, Wordpress 2 Pcloud Wp Backup, Wordpress 2026-07-06 7.1 High
Unauthenticated Cross Site Request Forgery (CSRF) in pCloud WP Backup <= 2.0.2 versions.
CVE-2026-57761 2 Blueastralthemes, Wordpress 2 Seowp, Wordpress 2026-07-06 7.1 High
Unauthenticated Cross Site Request Forgery (CSRF) in SEOWP <= 3.12.2 versions.
CVE-2026-58652 1 Openwrt 2 Luci-app-travelmate, Travelmate 2026-07-06 7.5 High
luci-app-travelmate (and the travelmate package) contain a privilege-escalation flaw: a LuCI/rpcd session holding the luci-app-travelmate write ACL is granted config-wide UCI write access to the travelmate configuration. While the LuCI UI restricts the auto-login script picker to /etc/travelmate/*.login, this is only a frontend restriction. The backend travelmate service (running as root) reads the raw UCI 'script' and 'script_args' values and executes the configured path when the captive-portal auto-login branch (f_check() in travelmate-functions.sh) is reached. An attacker with delegated write permissions can set script to /bin/sh and script_args to attacker-controlled arguments, resulting in arbitrary command execution as root. Confirmed in luci-app-travelmate/travelmate 2.4.5-r3; the sink is still present in travelmate 2.4.6-1 and no patched version is known.
CVE-2024-58352 1 Landray 1 Landray Office Automation 2026-07-06 7.5 High
Landray OA contains an unauthenticated HQL injection vulnerability that allows unauthenticated attackers to query arbitrary Hibernate entity classes by injecting malicious HQL syntax into the uid POST parameter of the wechatLoginHelper.do endpoint. Attackers can exploit the lack of input sanitization in the string-concatenated filter expression passed to the Hibernate findList() call to extract sensitive data such as administrator password hashes and, with sufficient database privileges, perform file-write operations enabling remote code execution. Exploitation evidence was first observed by the Shadowserver Foundation on 2024-03-11 (UTC).