Skip to main content
CVE-2026-24374 MEDIUM This Month

Metagauss RegistrationMagic custom-registration-form-builder-with-submission-manager is affected by cross-site request forgery (csrf) (CVSS 5.4).

CSRF
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-24365 MEDIUM This Month

storeapps Stock Manager for WooCommerce woocommerce-stock-manager is affected by cross-site request forgery (csrf) (CVSS 5.4).

WordPress CSRF
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-22483 MEDIUM This Month

teachPress through version 9.0.12 is vulnerable to Cross-Site Request Forgery attacks that enable unauthenticated attackers to perform unauthorized actions on behalf of authenticated users. The vulnerability requires user interaction and can result in data integrity compromise or service disruption, though confidentiality is not affected. No patch is currently available for this vulnerability.

CSRF
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-1036 MEDIUM This Month

The Photo Gallery by 10Web plugin for WordPress versions up to 1.8.36 lacks proper authentication checks on its comment deletion function, allowing unauthenticated attackers to delete arbitrary image comments from the Pro version. This integrity vulnerability (CVSS 5.3) requires no user interaction and can be exploited remotely, though no patch is currently available. The impact is limited to comment data manipulation, but affects all unpatched installations of the plugin.

WordPress
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-23961 MEDIUM This Month

Suspended remote users in Mastodon can bypass suspension restrictions and have their posts appear in timelines through boosting and post processing logic errors. This affects all Mastodon versions for older posts, with additional bypass capabilities in versions 4.5.0-4.5.4, 4.4.5-4.4.11, 4.3.13-4.3.17, and 4.2.26-4.2.29, allowing suspended users to inject new content into the system. No patch is currently available for this integrity issue.

Authentication Bypass Mastodon
NVD GitHub
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-69001 MEDIUM This Month

Improper Control of Generation of Code ('Code Injection') vulnerability in Shahjahan Jewel FluentForm fluentform allows Code Injection.This issue affects FluentForm: from n/a through <= 6.1.11. [CVSS 5.3 MEDIUM]

Code Injection
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-24380 MEDIUM This Month

Metagauss EventPrime eventprime-event-calendar-management is affected by missing authorization (CVSS 8.8).

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-24368 MEDIUM This Month

Improper access control in Theme-one The Grid versions prior to 2.8.0 enables authenticated users to bypass authorization checks and gain unauthorized access to sensitive functionality. An attacker with valid credentials could exploit misconfigured security levels to read, modify, or delete data without proper permissions. No patch is currently available.

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-23974 MEDIUM This Month

Uxper Golo versions prior to 1.7.5 contain an access control bypass that allows authenticated attackers to exploit improperly configured security levels to gain unauthorized access to sensitive functions and data. An attacker with valid credentials can leverage this missing authorization check to escalate privileges and perform administrative actions without proper permission validation. No patch is currently available for this high-severity vulnerability (CVSS 8.8).

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-23831 MEDIUM PATCH This Month

Rekor versions 1.4.3 and below are vulnerable to denial of service through a null pointer dereference when processing malformed cose/v0.0.1 entries with empty spec.message fields. An unauthenticated remote attacker can trigger a panic in the Rekor process by sending a specially crafted entry, resulting in a 500 error response and temporary service disruption, though the thread recovery mechanism limits availability impact. The vulnerability has been patched in version 1.5.0.

Denial Of Service Rekor Red Hat Suse
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-63019 MEDIUM This Month

Johan Jonk Stenström Cookies and Content Security Policy cookies-and-content-security-policy contains a security vulnerability (CVSS 7.5).

Information Disclosure
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-62754 MEDIUM This Month

Payment Gateway bKash for WooCommerce has a missing authorization vulnerability allowing attackers to exploit incorrect access controls for privilege escalation.

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-24366 MEDIUM This Month

YITHEMES YITH WooCommerce Request A Quote yith-woocommerce-request-a-quote is affected by missing authorization (CVSS 5.3).

WordPress Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-22445 MEDIUM This Month

The Apimo Connector plugin for WordPress versions 2.6.4 and earlier contains an authorization bypass that allows unauthenticated attackers to access sensitive information through improperly configured access controls. An attacker can exploit this vulnerability over the network without user interaction to read confidential data from the affected application. No patch is currently available for this vulnerability.

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-22348 MEDIUM This Month

Tasos Fel Civic Cookie Control civic-cookie-control-8 is affected by missing authorization (CVSS 5.3).

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-47600 MEDIUM This Month

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in xtemos WoodMart woodmart allows Code Injection.This issue affects WoodMart: from n/a through <= 8.3.7. [CVSS 6.1 MEDIUM]

XSS
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-1332 MEDIUM This Month

Meetinghub Paperless Meetings is affected by missing authentication for critical function (CVSS 5.3).

Authentication Bypass Meetinghub Paperless Meetings
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-1102 MEDIUM This Month

Gitlab versions up to 18.6.4 is affected by allocation of resources without limits or throttling (CVSS 5.3).

Gitlab SSH Denial Of Service
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-27377 MEDIUM This Month

Altium Designer version 24.9.0 does not validate self-signed server certificates for cloud connections. [CVSS 5.3 MEDIUM]

Authentication Bypass Designer
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-24130 MEDIUM PATCH This Month

Moonraker versions 0.9.3 and below with LDAP authentication enabled are susceptible to LDAP injection attacks through the login endpoint, enabling attackers to enumerate valid user IDs and attributes via response analysis. An unauthenticated remote attacker can exploit this vulnerability to discover LDAP directory information without requiring valid credentials. A patch is available in version 0.10.0 and later.

Python LDAP Moonraker
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-22469 MEDIUM This Month

DeepDigital versions 1.0.2 and earlier fail to properly sanitize HTML script tags, enabling stored or reflected cross-site scripting (XSS) attacks that allow code injection. An unauthenticated attacker can exploit this vulnerability over the network to inject malicious scripts that execute in users' browsers, potentially compromising session data or performing unauthorized actions. No patch is currently available for affected installations.

XSS
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-24117 MEDIUM PATCH This Month

Rekor versions 1.4.3 and earlier contain a server-side request forgery (SSRF) vulnerability in the /api/v1/index/retrieve endpoint that allows unauthenticated remote attackers to probe internal networks through blind SSRF attacks by supplying arbitrary URLs for public key retrieval. While the vulnerability cannot directly exfiltrate data or modify state since responses are not returned and only GET requests are supported, it enables reconnaissance of internal infrastructure. The issue is patched in version 1.5.0, or can be mitigated by disabling the retrieve API with --enable_retrieve_api=false.

SSRF Rekor Red Hat Suse
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-22461 MEDIUM This Month

WebAppick CTX Feed webappick-product-feed-for-woocommerce is affected by missing authorization (CVSS 5.3).

WordPress
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-22447 MEDIUM This Month

Select-Themes Prowess through version 1.8.1 contains an authorization bypass vulnerability that allows unauthenticated remote attackers to access sensitive information due to improperly configured access controls. An attacker can exploit this flaw to read confidential data without requiring authentication or user interaction. No patch is currently available for this vulnerability.

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-22234 MEDIUM PATCH This Month

The fix applied in CVE-2025-22228 inadvertently broke the timing attack mitigation implemented in DaoAuthenticationProvider. This can allow attackers to infer valid usernames or other authentication behavior via response-time differences under certain configurations. [CVSS 5.3 MEDIUM]

Information Disclosure Red Hat
NVD HeroDevs
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-22280 MEDIUM This Month

Powerscale Onefs versions up to 9.5.1.5 is affected by incorrect permission assignment for critical resource (CVSS 5.0).

Denial Of Service Powerscale Onefs
NVD
CVSS 3.1
5.0
EPSS
0.0%
CVE-2026-24356 MEDIUM This Month

Roxnor GetGenie versions up to 4.3.0 contain an authorization bypass vulnerability that allows authenticated users to exploit misconfigured access controls and gain unauthorized access to sensitive functionality. An attacker with low-level credentials can escalate privileges to perform confidential data theft, modify critical information, or disrupt service availability. No patch is currently available.

Authentication Bypass
NVD
CVSS 3.1
4.9
EPSS
0.1%
CVE-2026-22482 MEDIUM This Month

IMGspider WordPress plugin has a Server-Side Request Forgery vulnerability enabling attackers to make the server perform requests to internal network resources.

SSRF
NVD
CVSS 3.1
4.9
EPSS
0.0%
CVE-2026-23959 MEDIUM PATCH This Month

Improper input sanitization in CoreShop's CustomerTransformerController prior to version 4.1.9 allows authenticated administrators to inject SQL commands through the admin panel, enabling database error-based information disclosure. An attacker with high-privilege access can exploit this to extract sensitive data from the underlying database without modifying or deleting records. A patch is available in version 4.1.9 and later.

SQLi Coreshop
NVD GitHub
CVSS 3.1
4.9
EPSS
0.0%
CVE-2025-64252 MEDIUM This Month

Marco Milesi ANAC XML Viewer anac-xml-viewer is affected by server-side request forgery (ssrf) (CVSS 4.9).

SSRF
NVD
CVSS 3.1
4.9
EPSS
0.0%
CVE-2025-9289 MEDIUM This Month

A Cross-Site Scripting (XSS) vulnerability was identified in a parameter in Omada Controllers due to improper input sanitization. Exploitation requires advanced conditions, such as network positioning or emulating a trusted entity, and user interaction by an authenticated administrator.

XSS Oc200 Firmware Oc400 Firmware Oc300 Firmware Oc220 Firmware +1
NVD VulDB
CVSS 3.1
4.7
EPSS
0.0%
CVE-2026-24360 MEDIUM This Month

Craig Hewitt Seriously Simple Podcasting seriously-simple-podcasting is affected by server-side request forgery (ssrf) (CVSS 4.6).

SSRF
NVD
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-24371 MEDIUM This Month

BA Book Everything WordPress plugin has a missing authorization vulnerability allowing unauthenticated users to access and modify booking data.

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.1%
CVE-2026-23963 MEDIUM This Month

Mastodon prior to versions 4.5.5, 4.4.12, and 4.3.18 lacks input validation on list and filter names, allowing authenticated users to create arbitrarily long strings that consume excessive server resources and storage. A local attacker can exploit this to degrade system performance or render their own web interface unusable, though no patch is currently available for affected versions.

Denial Of Service Mastodon
NVD GitHub
CVSS 3.1
4.3
EPSS
0.1%
CVE-2026-24358 MEDIUM This Month

ExpressTech Systems Quiz And Survey Master quiz-master-next is affected by missing authorization (CVSS 8.8).

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.1%
CVE-2026-22481 MEDIUM This Month

Rasedul Haque Rumi BD Courier Order Ratio Checker bd-courier-order-ratio-checker is affected by missing authorization (CVSS 8.8).

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.1%
CVE-2026-22472 MEDIUM This Month

Missing authorization controls in Easy Form Builder versions 3.9.6 and earlier enable authenticated attackers to exploit improperly configured access restrictions and gain unauthorized capabilities. An attacker with valid credentials can bypass intended security boundaries to read, modify, or delete form data and configurations they should not have access to. No patch is currently available for this vulnerability affecting the Easy Form Builder plugin.

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.1%
CVE-2025-63018 MEDIUM This Month

Missing Authorization vulnerability in wproyal Bard bard allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Bard: from n/a through <= 2.229. [CVSS 8.8 HIGH]

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.1%
CVE-2026-24377 MEDIUM This Month

POSIMYTH Nexter Blocks the-plus-addons-for-block-editor contains a security vulnerability (CVSS 7.5).

Information Disclosure
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-24357 MEDIUM This Month

Inadequate access control in WP Recipe Maker versions 10.2.4 and earlier allows authenticated users to bypass authorization checks and perform unauthorized actions. An attacker with low-level WordPress credentials could exploit this vulnerability to gain elevated privileges and modify sensitive recipe data without proper permissions.

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-24353 MEDIUM This Month

Improper access control in wpeverest User Registration plugin through version 4.4.9 allows authenticated attackers to bypass authorization checks and gain unauthorized access to sensitive functionality. An attacker with low-privilege credentials can exploit misconfigured security levels to perform actions beyond their intended permissions, potentially exposing or modifying user registration data. No patch is currently available for this vulnerability.

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-22279 MEDIUM This Month

Dell PowerScale OneFS versions before 9.13.0.0 fail to adequately log security events, allowing unauthenticated remote attackers to tamper with information without leaving a detectable audit trail. The insufficient logging mechanism prevents administrators from identifying unauthorized modifications to system data. No patch is currently available for this medium-severity vulnerability.

Information Disclosure Dell Powerscale Onefs
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-24388 MEDIUM This Month

WPMasterToolKit through version 2.14.0 contains an authorization bypass vulnerability that allows authenticated users to modify data due to improperly enforced access controls. An attacker with valid credentials can exploit this flaw to perform unauthorized actions beyond their intended permission level. A security patch is not currently available.

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-22466 MEDIUM This Month

WP MapIt plugin for WordPress through version 3.0.3 contains an authorization bypass that allows authenticated users to modify content they should not have access to. An attacker with user-level privileges can exploit misconfigured access controls to perform unauthorized actions, though the impact is limited to integrity violations without affecting confidentiality or availability.

WordPress
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-24386 MEDIUM This Month

Element Invader Template Kits for Elementor versions up to 1.2.4 contain an authorization bypass vulnerability that allows authenticated users to access resources or functionality beyond their intended permission level. An attacker with valid login credentials could exploit improperly configured access controls to view or manipulate sensitive data. No patch is currently available for this vulnerability.

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-22468 MEDIUM This Month

AbsolutePlugins Absolute Addons For Elementor absolute-addons is affected by missing authorization (CVSS 4.3).

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-22450 MEDIUM This Month

The Don Peppe WordPress theme version 1.3 and earlier contains inadequate access control validation that permits authenticated users to access sensitive information they should not have permission to view. An attacker with valid login credentials could exploit this misconfiguration to retrieve confidential data, though the impact is limited to information disclosure without the ability to modify or delete content.

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-31413 MEDIUM This Month

bdthemes Element Pack Elementor Addons bdthemes-element-pack-lite is affected by cross-site request forgery (csrf) (CVSS 8.8).

CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-22462 MEDIUM This Month

richardevcom Add Polylang support for Customizer add-polylang-support-for-customizer is affected by cross-site request forgery (csrf) (CVSS 4.3).

CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-22360 MEDIUM This Month

SearchAzon versions 1.4 and earlier are vulnerable to Cross-Site Request Forgery (CSRF) attacks that allow unauthenticated attackers to perform unauthorized actions on behalf of users. The vulnerability requires user interaction and has limited impact, restricted to integrity violations without affecting confidentiality or availability. No patch is currently available for this issue.

CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
Prev Page 3 of 4 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy