Export limit exceeded: 86097 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (86097 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-12348 | 1 The Browsercompany Of New York | 1 Arcsearch | 2026-06-26 | 7.4 High |
| Address bar spoofing in Arc Search for Android allows a remote attacker to display a trusted domain in the address bar while rendering attacker-controlled content, enabling phishing. | ||||
| CVE-2026-12256 | 2 Theme-fusion, Wordpress | 2 Avada, Wordpress | 2026-06-26 | 8.8 High |
| Contributor PHP Object Injection in Avada <= 3.15.3 versions. | ||||
| CVE-2026-39539 | 2 Edge-themes, Wordpress | 2 Alloggio Hotel Booking, Wordpress | 2026-06-26 | 8.1 High |
| Unauthenticated PHP Object Injection in Alloggio - Hotel Booking <= 2.1.2 versions. | ||||
| CVE-2026-49073 | 2 Wordpress, Wpwax | 2 Wordpress, Directorist | 2026-06-26 | 8.5 High |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in wpWax Directorist Booking allows Blind SQL Injection. This issue affects Directorist Booking: from n/a through 3.0.3. | ||||
| CVE-2026-39598 | 2 Kodezen, Wordpress | 2 Academy Lms, Wordpress | 2026-06-26 | 8 High |
| Unrestricted Upload of File with Dangerous Type vulnerability in Kodezen LLC Academy LMS Pro allows Upload a Web Shell to a Web Server. This issue affects Academy LMS Pro: from n/a before 3.5.2. | ||||
| CVE-2026-8089 | 2 Wedevs, Wordpress | 2 Wemail: Email Marketing, Email Automation, Newsletters, Subscribers & Ecommerce Email Optins, Wordpress | 2026-06-26 | 7.1 High |
| The weMail: Email Marketing, Email Automation, Newsletters, Subscribers & Email Optins for WooCommerce WordPress plugin before 2.1.3 does not properly escape a user-supplied parameter before reflecting it into an HTML attribute on a non-nonce-protected AJAX response, allowing unauthenticated attackers to deliver Reflected Cross-Site Scripting against any authenticated user (including administrators) via a crafted URL. | ||||
| CVE-2026-9690 | 2 Joomunited, Wordpress | 2 Wp Media Folder, Wordpress | 2026-06-26 | 7.5 High |
| Unauthenticated Arbitrary File Download in WP Media folder Addon <= 4.0.1 versions. | ||||
| CVE-2026-40721 | 2 Bdthemes, Wordpress | 2 Element Pack, Wordpress | 2026-06-26 | 7.5 High |
| Contributor Local File Inclusion in Element Pack Pro <= 9.0.6 versions. | ||||
| CVE-2026-42385 | 2 Cozmoslabs, Wordpress | 2 Profile Builder, Wordpress | 2026-06-26 | 7.1 High |
| Unauthenticated Cross Site Scripting (XSS) in Profile Builder Pro <= 3.15.0 versions. | ||||
| CVE-2026-42629 | 2 Powerpackelements, Wordpress | 2 Powerpack Addons For Elementor, Wordpress | 2026-06-26 | 8.8 High |
| Unauthenticated Broken Authentication in PowerPack Pro for Elementor < v2.13.0 versions. | ||||
| CVE-2026-49778 | 2 Getwpfunnels, Wordpress | 2 Wpfunnels, Wordpress | 2026-06-26 | 7.1 High |
| Unauthenticated Cross Site Scripting (XSS) in WPFunnels Pro <= 2.9.4 versions. | ||||
| CVE-2026-54802 | 2 Cozyvision, Wordpress | 2 Sms Alert Order Notifications, Wordpress | 2026-06-26 | 7.5 High |
| Unauthenticated Broken Authentication in SMS Alert Order Notifications <= 3.9.3 versions. | ||||
| CVE-2025-69140 | 2 Seventhqueen, Wordpress | 2 Sweet Date, Wordpress | 2026-06-26 | 7.1 High |
| Unauthenticated Cross Site Scripting (XSS) in SweetDate Core < 1.1.5 versions. | ||||
| CVE-2026-54821 | 2 Bootstrapped, Wordpress | 2 Visual Link Preview, Wordpress | 2026-06-26 | 7.4 High |
| Subscriber Sensitive Data Exposure in Visual Link Preview <= 2.3.1 versions. | ||||
| CVE-2026-54822 | 2 Salesmanago, Wordpress | 2 Salesmanago, Wordpress | 2026-06-26 | 8.5 High |
| Subscriber SQL Injection in SALESmanago & Leadoo <= 3.11.2 versions. | ||||
| CVE-2026-54828 | 2 Stylemix, Wordpress | 2 Motors, Wordpress | 2026-06-26 | 7.5 High |
| Unauthenticated Broken Access Control in Motors <= 1.4.109 versions. | ||||
| CVE-2026-56053 | 2 Theeventprime, Wordpress | 2 Eventprime, Wordpress | 2026-06-26 | 8.8 High |
| Subscriber PHP Object Injection in EventPrime <= 4.3.4.1 versions. | ||||
| CVE-2026-56071 | 2 Wordpress, Wpmudev | 2 Wordpress, Forminator Forms | 2026-06-26 | 7.1 High |
| Unauthenticated Cross Site Scripting (XSS) in Forminator <= 1.53.1 versions. | ||||
| CVE-2026-9099 | 1 Redhat | 1 Build Keycloak | 2026-06-26 | 7.7 High |
| A flaw was found in Keycloak. A missing authorization check in the GroupResource.addChild() endpoint within the Admin REST API allows an authenticated user with limited administrative privileges to reparent any existing group. When Fine-Grained Admin Permissions v2 (FGAPv2) is enabled, an attacker with management rights over a single low-privilege group can reparent a highly privileged group (such as one possessing the realm-admin role) under their managed group. Because group permissions follow a hierarchical structure, this action unauthorizedly grants the attacker management and password-reset capabilities over the members of the targeted privileged group. An attacker can exploit this to reset an administrator's password, compromise the account, and achieve a full realm takeover, leading to a complete compromise of confidentiality, integrity, and availability. | ||||
| CVE-2026-56769 | 1 Hcengineering | 1 Huly Platform | 2026-06-26 | 8.5 High |
| Huly Platform through 0.7.423, fixed in commit 68cbf8a contains an authenticated server-side request forgery vulnerability in the /import endpoint of front pod that allows workspace users to make arbitrary server requests. Attackers can exploit this by supplying malicious URLs to fetch internal services, exfiltrate responses, and replay credentials against backend systems. | ||||