Skip to main content
CVE-2026-1000 MEDIUM This Month

The MailerLite WooCommerce integration plugin for WordPress fails to validate user permissions in its resetIntegration() function, allowing authenticated users with Subscriber-level access to delete critical plugin data including customer cart records and sync histories. Attackers can reset integration settings and drop associated database tables, resulting in complete loss of operational data without administrative authorization. No patch is currently available for versions up to 3.1.3.

WordPress
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-0913 MEDIUM This Month

Stored cross-site scripting in the User Submitted Posts WordPress plugin through version 20260110 allows authenticated Contributor-level users to inject malicious scripts via the 'usp_access' shortcode due to inadequate input sanitization. When other users visit pages containing the injected payload, the attacker's JavaScript executes in their browsers, potentially enabling session hijacking or unauthorized actions. No patch is currently available to remediate this vulnerability.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-0916 MEDIUM This Month

Stored XSS in the Related Posts by Taxonomy WordPress plugin through version 2.7.6 allows contributors and higher-privileged authenticated users to inject malicious scripts into shortcode attributes that execute in other users' browsers. The vulnerability stems from inadequate input sanitization and output escaping, enabling attackers to compromise page content viewed by site visitors. No patch is currently available.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-14375 MEDIUM This Month

The RSS Aggregator - RSS Import, News Feeds, Feed to Post, and Autoblogging plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘className’ parameter in all versions up to, and including, 5.0.10 due to insufficient input sanitization and output escaping. [CVSS 6.1 MEDIUM]

WordPress XSS PHP
NVD
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-23528 MEDIUM PATCH This Month

Dask distributed is a distributed task scheduler for Dask. [CVSS 6.1 MEDIUM]

Linux Python AI / ML Dask
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-1011 MEDIUM This Month

Stored XSS in Altium Live's Support Center AddComment endpoint allows attackers to inject malicious JavaScript that persists and executes when support staff or other users view affected support cases. The vulnerability stems from inadequate server-side input validation that bypasses client-side HTML escaping, enabling attackers to compromise elevated-privilege support accounts through victim browser execution. No patch is currently available.

XSS Altium Live
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-23769 MEDIUM PATCH This Month

lucy-xss-filter before commit e5826c0 contains a cross-site scripting (XSS) vulnerability that allows unauthenticated attackers to execute arbitrary JavaScript in users' browsers through improper input sanitization caused by misconfigured default filter rules. The vulnerability requires user interaction to trigger and affects the confidentiality and integrity of web applications relying on this filter. A patch is available to address the misconfigured rule set.

XSS Lucy Xss Filter
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-43508 MEDIUM This Month

Macos versions up to 26.0 is affected by insertion of sensitive information into log file (CVSS 5.5).

Apple macOS
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-23643 MEDIUM PATCH This Month

CakePHP versions prior to 5.2.12 and 5.3.1 contain a stored cross-site scripting vulnerability in the PaginatorHelper::limitControl() method that allows unauthenticated attackers to inject malicious scripts through query string parameters. An attacker can exploit this to steal session cookies, perform unauthorized actions, or redirect users to malicious sites. The vulnerability requires user interaction to trigger but affects all installations using the vulnerable PaginatorHelper component.

Red Hat Cakephp
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-21624 MEDIUM This Month

Insufficient input validation in the Easy Discuss component for Joomla allows authenticated users to inject persistent cross-site scripting (XSS) payloads through user avatar text fields. An attacker with valid credentials can exploit this to execute malicious scripts in the browsers of other users viewing affected content. The vulnerability affects Joomla installations using the vulnerable Easy Discuss component, with no patch currently available.

Joomla XSS Easydiscuss
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-21623 MEDIUM This Month

Stored cross-site scripting in Joomla's Easy Discuss component allows authenticated users to inject malicious scripts into forum posts due to insufficient input validation. An attacker with login credentials can execute arbitrary JavaScript in the browsers of other users viewing affected posts, potentially leading to session hijacking or credential theft. No patch is currently available for this vulnerability.

Joomla XSS Easydiscuss
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-14757 MEDIUM PATCH This Month

The Cost Calculator Builder plugin for WordPress is vulnerable to Unauthenticated Payment Status Bypass in all versions up to, and including, 3.6.9 only when used in combination with Cost Calculator Builder PRO. This is due to the complete_payment AJAX action being registered via wp_ajax_nopriv, making it accessible to unauthenticated users, and the complete() function only verifying a nonce without checking user capabilities or order ownership. Since nonces are exposed to all visitors via wi...

WordPress Cost Calculator Builder PHP
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-0939 MEDIUM This Month

Rede Itaú for WooCommerce (WordPress plugin) versions up to 5.1.2. is affected by insufficient verification of data authenticity (CVSS 5.3).

WordPress Information Disclosure
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-0942 MEDIUM This Month

The Rede Itaú for WooCommerce plugin versions up to 5.1.2 lack proper authentication controls on the clearOrderLogs() function, allowing unauthenticated attackers to remotely delete order log metadata from WooCommerce installations. This missing capability check enables data tampering on affected WordPress sites without requiring user credentials. No patch is currently available for this vulnerability.

WordPress Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-1020 MEDIUM This Month

Gotac's Police Statistics Database System contains a path traversal vulnerability that enables unauthenticated remote attackers to enumerate system directories and access sensitive files. The flaw affects industrial and law enforcement deployments with network accessibility, potentially exposing confidential database contents and system architecture details. No patch is currently available for this medium-severity vulnerability.

Industrial Path Traversal Police Statistics Database System
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-1004 MEDIUM This Month

Essential Addons for Elementor (WordPress plugin) versions up to 6.5.5 is affected by missing authorization (CVSS 5.3).

WordPress Information Disclosure
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-15526 MEDIUM This Month

The Fancy Product Designer plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 6.4.8. This is due to improper error handling in the PDF upload functionality that exposes server filesystem paths and stack traces in error messages. This makes it possible for unauthenticated attackers to retrieve the full path of the web application, which can be used to aid other attacks. The information displayed is not useful on its own, and requires another vulner...

WordPress PHP
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-24089 MEDIUM This Month

A permissions issue was addressed with additional restrictions. This issue is fixed in iOS 18.3 and iPadOS 18.3. [CVSS 5.3 MEDIUM]

Apple iOS Iphone Os Ipados
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-14793 MEDIUM This Month

The DK PDF - WordPress PDF Generator plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.3.0 via the 'addContentToMpdf' function. [CVSS 5.0 MEDIUM]

WordPress SSRF
NVD
CVSS 3.1
5.0
EPSS
0.0%
CVE-2025-51602 MEDIUM This Month

mmstu.c in VideoLAN VLC media player versions up to 3.0.22 is affected by out-of-bounds read (CVSS 4.8).

Denial Of Service Information Disclosure Buffer Overflow Suse
NVD VulDB
CVSS 3.1
4.8
EPSS
0.0%
CVE-2026-20894 MEDIUM This Month

Stored XSS in TOA Corporation TRIFORA 3 network cameras allows authenticated administrators to inject malicious scripts through configuration settings that execute in other administrators' browsers when accessing the settings interface. An attacker with administrative privileges could exploit this to compromise other admin sessions and potentially gain unauthorized access to camera management functions. No patch is currently available for this medium-severity vulnerability.

XSS
NVD
CVSS 3.0
4.8
EPSS
0.0%
CVE-2026-1003 MEDIUM This Month

Unauthorized post deletion in GetGenie for WordPress (versions up to 4.3.0) allows authenticated users with Author-level permissions or higher to delete any post on a site, regardless of authorship, due to insufficient authorization checks. Attackers with basic authenticated access can exploit this to remove content authored by other users without proper privilege verification. No patch is currently available.

WordPress
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-14982 MEDIUM This Month

The Booking Calendar plugin for WordPress is vulnerable to Missing Authorization leading to Sensitive Information Exposure in all versions up to, and including, 10.14.11. This makes it possible for authenticated attackers, with Subscriber-level access and above, to view all booking records in the database, including personally identifiable information (PII) such as names, email addresses, phone numbers, physical addresses, payment status, booking costs, and booking hashes belonging to other u...

WordPress Information Disclosure PHP
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-14853 MEDIUM This Month

LEAV Last Email Address Validator (WordPress plugin) is affected by cross-site request forgery (csrf) (CVSS 4.3).

WordPress CSRF PHP
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-15527 MEDIUM This Month

WP Recipe Maker (WordPress plugin) versions up to 10.2.2 is affected by information exposure (CVSS 4.3).

WordPress Information Disclosure
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-14384 MEDIUM This Month

The All in One SEO - Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the `/aioseo/v1/ai/credits` REST route in all versions up to, and including, 4.9.2. [CVSS 4.3 MEDIUM]

WordPress AI / ML PHP
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-15370 MEDIUM This Month

and Prevents Security Breache versions up to 21.0.9 is affected by authorization bypass through user-controlled key (CVSS 4.3).

WordPress PHP
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-43904 MEDIUM PATCH This Month

In SchedMD Slurm before 24.11.5, 24.05.8, and 23.11.11, the accounting system can allow a Coordinator to promote a user to Administrator. [CVSS 4.2 MEDIUM]

Authentication Bypass Suse
NVD
CVSS 3.1
4.2
EPSS
0.0%
CVE-2012-10064 POC This Week

Omni Secure File versions up to 0.1.14 is affected by unrestricted upload of file with dangerous type.

WordPress PHP RCE
NVD WPScan Exploit-DB
EPSS
0.5%
CVE-2025-31186 LOW Monitor

A permissions issue was addressed with additional restrictions. This issue is fixed in Xcode 16.3. [CVSS 3.3 LOW]

Apple Authentication Bypass
NVD
CVSS 3.1
3.3
EPSS
0.0%
CVE-2025-24090 LOW Monitor

A permissions issue was addressed with additional restrictions. This issue is fixed in iOS 18.3 and iPadOS 18.3. [CVSS 3.3 LOW]

Apple iOS
NVD
CVSS 3.1
3.3
EPSS
0.0%
CVE-2024-44210 LOW Monitor

This issue was addressed with improved permissions checking. This issue is fixed in macOS Sequoia 15.1. [CVSS 3.3 LOW]

Apple macOS
NVD
CVSS 3.1
3.3
EPSS
0.0%
CVE-2025-14822 LOW PATCH Monitor

Mattermost versions 10.11.x <= 10.11.8 fail to validate input size before processing hashtags which allows an authenticated attacker to exhaust CPU resources via a single HTTP request containing a post with thousands space-separated tokens [CVSS 3.1 LOW]

Information Disclosure Mattermost Server
NVD
CVSS 3.1
3.1
EPSS
0.0%
CVE-2025-61873 LOW Monitor

Best Practical Request Tracker (RT) before 4.4.9, 5.0.9, and 6.0.2 allows CSV Injection via ticket values when TSV export is used. [CVSS 2.6 LOW]

Code Injection
NVD
CVSS 3.1
2.6
EPSS
0.0%
CVE-2024-54556 LOW Monitor

This issue was addressed through improved state management. This issue is fixed in iOS 18.1 and iPadOS 18.1. [CVSS 2.4 LOW]

Apple iOS
NVD
CVSS 3.1
2.4
EPSS
0.0%
CVE-2026-0858 LOW PATCH Monitor

PlantUML versions before 1.2026.0 fail to properly sanitize interactive attributes in GraphViz diagrams, allowing attackers to inject malicious JavaScript into SVG output through crafted diagram files. Applications that render these SVGs are vulnerable to arbitrary script execution within the user's browser context. A patch is available to address this stored XSS vulnerability.

XSS Plantuml
NVD GitHub
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-23735 PATCH Monitor

testable and extendable modules out of your GraphQL server. From 2.2.1 to versions up to 2.4.1 is affected by race condition.

Race Condition
NVD GitHub
EPSS
0.1%
CVE-2019-25297 This Week

Quiz Maker Plugin by Opinion Stage Wordpre versions up to 19.6.25 is affected by cross-site scripting (xss).

WordPress XSS
NVD WPScan
EPSS
0.0%
CVE-2026-0629 This Week

Authentication bypass in the password recovery feature of the local web interface across multiple VIGI camera models allows an attacker on the LAN to reset the admin password without verification by manipulating client-side state.

Authentication Bypass
NVD
EPSS
0.0%
CVE-2026-23634 NONE PATCH Awaiting Data

Pepr is a type safe K8s middleware. Prior to 1.0.5 , Pepr defaults to a cluster-admin RBAC configuration and does not explicitly force or enforce least-privilege guidance for module authors.

Kubernetes
NVD GitHub
EPSS
0.0%
CVE-2025-29943 Monitor

Write what were condition within AMD CPUs may allow an admin-privileged attacker to modify the configuration of the CPU pipeline potentially resulting in the corruption of the stack pointer inside an SEV-SNP guest.

Information Disclosure
NVD
EPSS
0.0%
CVE-2025-5489 Awaiting Data

Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. No vendor patch available.

Information Disclosure
NVD
CVE-2025-5102 Awaiting Data

Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. No vendor patch available.

Information Disclosure
NVD
CVE-2024-8506 Awaiting Data

Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. No vendor patch available.

Information Disclosure
NVD
CVE-2024-8491 Awaiting Data

Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. No vendor patch available.

Information Disclosure
NVD
Prev Page 4 of 4

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy