Export limit exceeded: 365174 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (365174 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-9708 | 1 Mattermost | 1 Mattermost | 2026-07-13 | 4.9 Medium |
| Mattermost versions 11.7.x <= 11.7.2, 11.6.x <= 11.6.4, 10.11.x <= 10.11.19 fail to validate that an assigned incoming webhook user has access to the target team or channel, which allows a requester with webhook management permissions to create posts or direct messages attributed to another user via crafted incoming webhook configuration and payloads.. Mattermost Advisory ID: MMSA-2026-00683 | ||||
| CVE-2026-50135 | 1 Gohugo | 1 Hugo | 2026-07-13 | N/A |
| Hugo is a static site generator. From 0.123.0 to 0.161.1, a regression made RootMappingFs.statRoot use Stat (follows symlinks) instead of Lstat , so a direct resources.Get of a symlink pointing outside its mount returned the target's contents — letting a symlink planted in a local mount (e.g. a vendored themes/ theme) read arbitrary files accessible to the Hugo user. Go-module themes from GitHub (symlinks stripped) and directory walks were unaffected. Fixed in 0.162.0. | ||||
| CVE-2026-28378 | 1 Grafana | 2 Grafana, Grafana Enterprise | 2026-07-13 | 3.1 Low |
| The public dashboard deletion endpoint does not enforce organization isolation, allowing an Org Admin in one organization to delete public dashboards belonging to a different organization by supplying the target dashboard's identifiers. | ||||
| CVE-2026-56279 | 1 Cap-go | 1 Cap-go | 2026-07-13 | 7.5 High |
| Capgo before 12.128.2 contains an information disclosure vulnerability in the get_orgs_v7(userid) RPC function that remains publicly invokable despite intended private access controls. Unauthenticated attackers can supply arbitrary user UUIDs to retrieve foreign users' organization membership, roles, management emails, and billing metadata. | ||||
| CVE-2026-56305 | 1 Cap-go | 1 Cap-go | 2026-07-13 | 8.3 High |
| Capgo before 12.128.2 contains an authentication bypass vulnerability in the password change endpoint that allows attackers to change user passwords without requiring current password confirmation. Attackers with temporary session access can exploit this flaw to permanently lock out legitimate users and achieve full account takeover. | ||||
| CVE-2026-57711 | 2 Psm Plugins, Wordpress | 2 Supportcandy, Wordpress | 2026-07-13 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PSM Plugins SupportCandy supportcandy allows Stored XSS.This issue affects SupportCandy: from n/a through <= 3.4.8. | ||||
| CVE-2026-57726 | 2 Themeum, Wordpress | 2 Kirki, Wordpress | 2026-07-13 | 9.3 Critical |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Themeum Kirki kirki allows Blind SQL Injection.This issue affects Kirki: from n/a through <= 6.0.12. | ||||
| CVE-2026-4769 | 1 Wago | 9 0765-110x/0100-0000, 0765-120x/0100-0000, 0765-150x/0100-0000 and 6 more | 2026-07-13 | 9.8 Critical |
| Certain devices in the WAGO System I/O Field series activate an internal diagnostic capability during the initial startup sequence. This functionality is not formally documented and becomes accessible without authentication for a brief period in the early boot phase. During this window, an unauthenticated remote attacker can gain access to the internal system processes, resulting in full system compromise. | ||||
| CVE-2026-15545 | 1 Shibby | 1 Tomato | 2026-07-13 | 8.8 High |
| A vulnerability was identified in Shibby Tomato up to 1.28.0000. Affected by this vulnerability is the function main of the file www/apcupsd/tomatodata.cgi of the component apcupsd. Such manipulation leads to out-of-bounds write. The attack may be launched remotely. The exploit is publicly available and might be used. This project is superseded by FreshTomato. | ||||
| CVE-2026-3552 | 2 Surflabtech, Wordpress | 2 Surflink – Link Manager & Backup Restore, Wordpress | 2026-07-13 | 4.3 Medium |
| The SurfLink - Ultimate Link Manager plugin for WordPress is vulnerable to unauthorized data modification due to a missing capability check on the ajax_import_410() function in all versions up to 2.6.0. This is due to a missing capability check (current_user_can()) and missing nonce verification (check_ajax_referer()) in the ajax_import_410() function, while all other AJAX handlers in the same class (ajax_add_single_410, ajax_save_editted_410, ajax_delete_410, ajax_bulk_410_delete, ajax_empty_410, ajax_export_410) properly implement both authorization and nonce checks. This makes it possible for authenticated attackers, with Subscriber-level access and above, to import arbitrary URLs into the 410 Gone database table via the surfl_import_410 AJAX action. Injected URLs will cause the site to return HTTP 410 Gone responses to all visitors accessing those paths, potentially causing denial of service for legitimate pages and SEO damage through search engine delisting. | ||||
| CVE-2026-3576 | 2 Wordpress, Xtreeme | 2 Wordpress, Planyo Online Reservation System | 2026-07-13 | 7.2 High |
| The Planyo Online Reservation System plugin for WordPress is vulnerable to Server-Side Request Forgery leading to Local File Inclusion in all versions up to, and including, 3.0. The ulap.php file acts as an AJAX proxy and is directly accessible without WordPress bootstrapping or any authentication. The send_http_post() function validates the host of the provided URL against an allowlist that includes 'localhost', but critically fails to validate the URL scheme/protocol. This makes it possible for unauthenticated attackers to supply a file:// URL (e.g., file://localhost/etc/passwd) which bypasses the host allowlist check because parse_url() returns 'localhost' as the host. The URL is then passed to curl_init() or fopen(), both of which support the file:// protocol, allowing the attacker to read arbitrary local files on the server and have their contents returned in the HTTP response. This can lead to disclosure of sensitive files such as /etc/passwd, wp-config.php (containing database credentials and authentication keys), and other server-side files. | ||||
| CVE-2025-13968 | 2 Starboardsuite, Wordpress | 2 Starboard Suite Reservation Calendars, Wordpress | 2026-07-13 | 6.4 Medium |
| The Starboard Suite Reservation Calendars plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcode attributes in the [starboard-suite-lightbox] shortcode in all versions up to, and including, 3.1.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2026-7559 | 2 Redefiningtheweb, Wordpress | 2 Affiliate Program & Referral Tracking For Woocommerce & Wordpress – Affilia, Wordpress | 2026-07-13 | 4.3 Medium |
| The Affilia – Affiliate Program & Referral Tracking for WordPress plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 3.3.3. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to approve or reject affiliate referrals, credit commissions to affiliate wallets, delete referral records, and modify custom banner plugin options, enabling financial fraud. The nonce required to pass the only authentication check is embedded in every frontend page load via rtwalwm_global_params.rtwalwm_nonce, making it trivially accessible to any authenticated user regardless of role. | ||||
| CVE-2026-6804 | 2 Wordpress, Wupsales | 2 Wordpress, Ai Copilot – Content Generator | 2026-07-13 | 5.3 Medium |
| The AI Chatbot & Workflow Automation by AIWU plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.4.12. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to publish draft WordPress posts, exposing unpublished content, or unpublish live content, causing service disruption, by supplying arbitrary scenario IDs. | ||||
| CVE-2026-14262 | 2 Nicu M, Wordpress | 2 Simple Jwt Login – Allows You To Use Jwt On Rest Endpoints., Wordpress | 2026-07-13 | 8.8 High |
| The Simple JWT Login – Allows you to use JWT on REST endpoints. plugin for WordPress is vulnerable to Authentication Bypass to Privilege Escalation in all versions up to, and including, 3.6.6 via the `payload` parameter. The vulnerability exists because `AuthenticateService::generatePayload()` only overwrites JWT payload keys whose names appear in the admin-configured `jwt_payload` list — leaving any attacker-supplied identity claims such as `email`, `id`, or `username` intact and signed into the JWT with the site's HS256 secret. This makes it possible for authenticated attackers, with subscriber-level access and above, to escalate their privileges to that of an Administrator by injecting a target administrator's email address into the `payload` parameter at the `/wp-json/simple-jwt-login/v1/auth` endpoint, then redeeming the resulting JWT at the `/autologin` endpoint to obtain a fully authenticated session as that administrator. | ||||
| CVE-2026-1832 | 2 Thrivedesk, Wordpress | 2 Agentic Help Desk Plugin For Wordpress – Live Chat, Ai Chatbot & Ticketing – Thrivedesk, Wordpress | 2026-07-13 | 4.3 Medium |
| The ThriveDesk – Live Chat, AI Chatbot, Helpdesk & Knowledge Base plugin for WordPress is vulnerable to unauthorized cache deletion due to a missing capability check on the 'thrivedesk_clear_cache' AJAX action in all versions up to, and including, 2.1.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to clear the plugin's cache. | ||||
| CVE-2026-13378 | 2 Wordpress, Wpvibes | 2 Wordpress, Form Vibes – Save Contact Form 7 & Elementor Form Entries To Database | 2026-07-13 | 7.2 High |
| The Form Vibes – Database Manager for Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Contact Form 7 Form Field in all versions up to, and including, 1.5.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2026-7655 | 2 Surecart, Wordpress | 2 Surecart – Ecommerce Made Easy For Selling Physical Products, Digital Downloads, Subscriptions, Donations, & Payments, Wordpress | 2026-07-13 | 8.1 High |
| The SureCart plugin for WordPress is vulnerable to privilege escalation via account takeover in versions up to, and including, 4.2.3. This is due to the plugin not properly validating a user's identity prior to updating their details like email during customer profile synchronization from webhook events. This makes it possible for unauthenticated attackers to change linked user's email addresses, including administrators if the administrator account is linked to a SureCart customer record, and leverage that to reset the user's password and gain access to their account if the customer ID is known. | ||||
| CVE-2025-6784 | 2 Tigroumeow, Wordpress | 2 Code Engine – Php Snippets, Ai Functions & Automation For Wordpress, Wordpress | 2026-07-13 | 8.8 High |
| The Code Engine plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 0.3.5 via the 'code-engine' shortcode. This is due to the plugin not restricting access to the code injecting functionality of the plugin. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute code on the server. | ||||
| CVE-2026-12738 | 2 Saadiqbal, Wordpress | 2 Wp Easy Pay – Payment And Donation Form Builder For Square, Wordpress | 2026-07-13 | 4.3 Medium |
| The WP Easy Pay – Payment and Donation form Builder for Square plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.5.0. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to set the status of arbitrary posts and pages to 'draft', effectively unpublishing arbitrary site content. | ||||