Skip to main content
CVE-2026-1613 MEDIUM This Month

Stored XSS in the Wonka Slide WordPress plugin (versions up to 1.3.3) allows authenticated users with contributor-level permissions to inject malicious scripts through the `list_class` shortcode attribute due to inadequate input sanitization. When other users visit affected pages, the injected scripts execute in their browsers, potentially compromising site security and user data. No patch is currently available.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-1611 MEDIUM This Month

Stored XSS in WordPress Wikiloops Track Player plugin (versions up to 1.0.1) allows authenticated contributors and above to inject malicious scripts through the wikiloops shortcode due to inadequate input sanitization and output escaping. Injected scripts execute in the browsers of users viewing affected pages, potentially compromising user sessions or stealing sensitive data. No patch is currently available for this vulnerability.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-1608 MEDIUM This Month

Stored cross-site scripting in the WordPress Video Onclick plugin through version 0.4.7 allows authenticated contributors and above to inject malicious scripts into pages via the youtube shortcode due to inadequate input sanitization. When users access affected pages, the injected scripts execute in their browsers, potentially compromising user sessions or stealing sensitive information. No patch is currently available.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-1570 MEDIUM This Month

Simple Bible Verse via Shortcode (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 6.4).

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-15267 MEDIUM This Month

The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's bt_bb_accordion_item shortcode in all versions up to, and including, 5.5.7 due to insufficient input sanitization and output escaping on user supplied attributes. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-13463 MEDIUM This Month

The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Post Grid component in all versions up to, and including, 5.5.3 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-12803 MEDIUM This Month

The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin 'bt_bb_tabs' shortcode in all versions up to, and including, 5.5.1 due to insufficient input sanitization and output escaping on user supplied attributes. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-12159 MEDIUM This Month

The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's bt_bb_raw_content shortcode in all versions up to, and including, 5.4.8 due to insufficient input sanitization and output escaping on user supplied attributes. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-2111 LOW POC Monitor

Path traversal in JeecgBoot's Retrieval-Augmented Generation Module (versions up to 3.9.0) allows authenticated remote attackers to access arbitrary files through manipulation of the filePath parameter in the /airag/knowledge/doc/edit endpoint. Public exploit code exists for this vulnerability, and no patch is currently available from the vendor despite early notification.

Path Traversal Jeecg Boot
NVD VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2026-2105 LOW POC Monitor

Improper authorization in the Department Management component of yeqifu Warehouse allows authenticated users to manipulate department operations (add, update, delete) without proper access controls. Public exploit code exists for this vulnerability, which can be leveraged remotely by attackers with valid credentials. No patch is currently available from the vendor.

Java Information Disclosure
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2026-2079 LOW POC Monitor

Improper authorization in the Menu Management component of Yeqifu Warehouse allows authenticated remote attackers to manipulate menu operations (add, update, delete) without proper access controls. Public exploit code exists for this vulnerability, and the maintainers have not yet released a patch despite early notification. The flaw affects Java-based deployments running the vulnerable commit and could enable unauthorized administrative actions.

Java Information Disclosure
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2026-2078 LOW POC Monitor

Improper authorization in the Permission Management component of yeqifu Warehouse allows authenticated remote attackers to manipulate permission-related functions (addPermission, updatePermission, deletePermission) and gain unauthorized access or modify system permissions. Public exploit code exists for this vulnerability, and no patch is currently available. The vulnerability affects Java-based Warehouse deployments with a CVSS score of 6.3.

Java Information Disclosure
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2026-2077 LOW POC Monitor

Improper authorization in yeqifu Warehouse's Role Management Handler (addRole/updateRole/deleteRole functions) allows authenticated remote attackers to perform unauthorized privilege escalation and data manipulation. Public exploit code exists for this vulnerability, and the vendor has not released a patch or responded to disclosure. An attacker with valid credentials can bypass authorization controls to modify system roles and access restrictions.

Java Information Disclosure
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2026-2076 LOW POC Monitor

A weakness has been identified in yeqifu warehouse up to aaf29962ba407d22d991781de28796ee7b4670e4. [CVSS 6.3 MEDIUM]

Java Information Disclosure
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2026-2074 LOW POC Monitor

O2OA versions up to 9.0.0 contain an XML external entity (XXE) injection vulnerability in the /x_program_center/jaxrs/mpweixin/check HTTP POST handler that allows authenticated remote attackers to read sensitive files or conduct denial-of-service attacks. Public exploit code is available for this vulnerability, and no patch has been released despite vendor notification. The attack requires valid credentials but can be executed over the network without user interaction.

XXE O2oa
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2026-1643 MEDIUM This Month

Reflected XSS in the WordPress MP-Ukagaka plugin through version 1.5.2 allows unauthenticated attackers to inject malicious scripts into web pages due to insufficient input sanitization and output escaping. An attacker can exploit this by tricking users into clicking a malicious link, causing arbitrary JavaScript to execute in their browsers. No patch is currently available for this vulnerability.

WordPress XSS
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-1634 MEDIUM This Month

The Subitem AL Slider plugin for WordPress through version 1.0.0 fails to properly sanitize the PHP_SELF parameter, allowing unauthenticated attackers to inject malicious scripts through a crafted link. An attacker can trick users into clicking a malicious URL to execute arbitrary JavaScript in their browser sessions. No patch is currently available for this reflected XSS vulnerability.

WordPress XSS
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-2107 LOW POC Monitor

Improper authorization in the yeqifu Warehouse Log Info Handler allows authenticated remote attackers to access, modify, or delete log information through the loadAllLoginfo, deleteLoginfo, and batchDeleteLoginfo functions. Public exploit code exists for this vulnerability, and the developers have not yet released a patch despite early notification. Java-based deployments using affected versions are at risk of unauthorized log manipulation by authenticated users.

Java Information Disclosure
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-2106 LOW POC Monitor

Improper authorization in Yeqifu Warehouse's Notice Management component allows authenticated users to perform unauthorized operations on notice records through the addNotice, updateNotice, deleteNotice, and batchDeleteNotice functions. Public exploit code exists for this vulnerability, and the vendor has not yet responded to the disclosure. An attacker with valid credentials can remotely manipulate notice data, compromising the confidentiality, integrity, and availability of the application.

Java Information Disclosure
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-2075 LOW POC Monitor

Improper access control in the Role-Permission Binding Handler of yeqifu Warehouse allows authenticated remote attackers to modify role permissions through the saveRolePermission function, potentially gaining unauthorized access to sensitive operations. Public exploit code exists for this vulnerability, and the vendor has not yet released a patch despite early notification of the issue.

Java Information Disclosure
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-2109 LOW POC Monitor

Coco Annotator through version 0.11.1 contains an authorization bypass in the Delete Category Handler endpoint (/api/undo/) that allows authenticated attackers to manipulate category IDs and access or modify unauthorized data. The vulnerability requires valid credentials but can be exploited remotely with public exploit code available. No patch is currently available from the vendor.

Information Disclosure Coco Annotator
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-2081 LOW POC Monitor

D-Link DIR-823X firmware contains an OS command injection vulnerability in the /goform/set_password endpoint that allows remote attackers with high privileges to execute arbitrary commands by manipulating the http_passwd parameter. Public exploit code exists for this vulnerability, and no patch is currently available. An authenticated attacker could leverage this to compromise the affected device with limited confidentiality, integrity, and availability impact.

D-Link Command Injection
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.2%
CVE-2026-2082 LOW POC Monitor

D-Link DIR-823X routers contain an OS command injection vulnerability in the /goform/set_mac_clone endpoint that allows remote attackers with high privileges to execute arbitrary commands through manipulation of the mac parameter. Public exploit code exists for this vulnerability, which affects confidentiality, integrity, and availability. No patch is currently available.

D-Link Command Injection
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.2%
CVE-2025-15564 LOW POC Monitor

A vulnerability has been found in Mapnik up to 4.2.0. This vulnerability affects the function mapnik::detail::mod<...>::operator of the file src/value.cpp. [CVSS 3.3 LOW]

Information Disclosure Mapnik
NVD GitHub VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-2090 MEDIUM This Month

Online Class Record System versions up to 1.0 contains a vulnerability that allows attackers to sql injection (CVSS 7.3).

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-2089 MEDIUM This Month

SourceCodester Online Class Record System 1.0 contains a SQL injection vulnerability in the subject controller that allows unauthenticated remote attackers to manipulate the ID parameter and execute arbitrary database queries. Public exploit code exists for this vulnerability, and no patch is currently available. The attack requires no user interaction and could enable unauthorized data access, modification, or system compromise.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-2087 MEDIUM This Month

SQL injection in SourceCodester Online Class Record System 1.0 allows unauthenticated remote attackers to manipulate the user_email parameter in /admin/login.php, potentially enabling unauthorized data access and modification. Public exploit code exists for this vulnerability, and no patch is currently available.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2025-15491 MEDIUM This Month

The Post Slides WordPress plugin through 1.0.1 does not validate some shortcode attributes before using them to generate paths passed to include function/s, allowing any authenticated users such as with contributor or higher roles to perform LFI attacks [CVSS 5.5 MEDIUM]

WordPress LFI PHP
NVD WPScan
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-1675 MEDIUM This Month

Advanced Country Blocker (WordPress plugin) versions up to 2.3.1 contains a security vulnerability (CVSS 5.3).

WordPress Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-25562 MEDIUM PATCH This Month

Wekan versions before 8.19 fail to properly restrict attachment metadata visibility, allowing authenticated users to enumerate attachment information from boards and cards they should not have access to. This information disclosure vulnerability requires valid credentials and can expose sensitive metadata to unauthorized users across the platform. A patch is available.

Information Disclosure Wekan
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-25567 MEDIUM PATCH This Month

Wekan versions up to 8.19 is affected by authorization bypass through user-controlled key (CVSS 4.3).

Authentication Bypass Wekan
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.0%
CVE-2025-15476 MEDIUM This Month

The The Bucketlister plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the bucketlister_do_admin_ajax() function in all versions up to, and including, 0.1.5. [CVSS 4.3 MEDIUM]

WordPress PHP
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-1082 MEDIUM This Month

The TITLE ANIMATOR plugin for WordPress lacks CSRF protection on its settings page, allowing unauthenticated attackers to modify plugin configuration through forged requests if a site administrator clicks a malicious link. This vulnerability affects all versions up to 1.0 and requires social engineering to exploit but poses a direct integrity risk to plugin functionality and site configuration.

WordPress PHP CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
Prev Page 2 of 2

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy