Security
CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
21148
Total
1520
Critical
6441
High
6722
Medium
| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-11997 | MEDIUM | 4.3 | The Bulk SEO Image plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to and including 1.1. This is due to missing … | Jun 24, 2026 |
| CVE-2026-11370 | MEDIUM | 6.4 | The WP Meta SEO plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 4.5.18 via the 'new_link' parameter. … | Jun 24, 2026 |
| CVE-2026-10753 | LOW | 2.7 | The Site Kit by Google WordPress plugin before 1.176.0 does not properly restrict a REST API write endpoint to administrators, allowing lower-privileged users who have … | Jun 24, 2026 |
| CVE-2026-10749 | HIGH | 7.2 | The Post Duplicator WordPress plugin before 3.0.15 does not safely handle custom meta-data during post duplication, storing attacker-supplied serialized values without the WordPress meta API's … | Jun 24, 2026 |
| CVE-2026-10735 | HIGH | 7.5 | Multiple Shapedsmart-post-show-pro WordPress plugin before 4.0.2, Real Testimonials Pro WordPress plugin before 3.2.5, Product Slider for WooCommerce Pro WordPress plugin before 3.5.3 Pro smart-post-show-pro WordPress … | Jun 24, 2026 |
| CVE-2026-10552 | MEDIUM | 4.3 | The Blue Captcha plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to and including 2.0.1. This is due to missing or … | Jun 24, 2026 |
| CVE-2026-10531 | MEDIUM | 5.4 | The AI Share & Summarize WordPress plugin before 2.0.4 does not sanitise and escape some of its shortcode attributes before outputting them in a page, … | Jun 24, 2026 |
| CVE-2026-10092 | HIGH | 7.2 | The Cincopa video and media plug-in plugin for WordPress is vulnerable to Stored Cross-Site Scripting via cincopa Shortcode in Post Comments in all versions up … | Jun 24, 2026 |
| CVE-2026-10091 | HIGH | 7.2 | The Email JavaScript Cloak plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'email' shortcode in all versions up to, and including, … | Jun 24, 2026 |
| CVE-2026-9539 | MEDIUM | 6.5 | An out-of-bounds heap read and integer underflow in the TCP urgent data handling (sosendoob) in freedesktop.org libslirp version before v4.9.2 on hypervisor host environments (e.g., … | Jun 24, 2026 |
| CVE-2026-12851 | CRITICAL | 9.1 | Multiple OS command injection vulnerabilities exist in the libNetSetObj.so functionality of GeoVision GV-I/O Box 4E 2.09. A specially crafted network packet can lead to command … | Jun 24, 2026 |
| CVE-2026-12850 | CRITICAL | 9.1 | Multiple OS command injection vulnerabilities exist in the libNetSetObj.so functionality of GeoVision GV-I/O Box 4E 2.09. A specially crafted network packet can lead to command … | Jun 24, 2026 |
| CVE-2026-12849 | CRITICAL | 9.1 | Multiple OS command injection vulnerabilities exist in the libNetSetObj.so functionality of GeoVision GV-I/O Box 4E 2.09. A specially crafted network packet can lead to command … | Jun 24, 2026 |
| CVE-2026-12848 | CRITICAL | 10.0 | GV-I/O Box 4E is a smart embedded device with 4 input and 4 relays output that can be controlled over Ethernet and RS-485. DVRSearch is … | Jun 24, 2026 |
| CVE-2026-12847 | CRITICAL | 10.0 | GV-I/O Box 4E is a smart embedded device with 4 input and 4 relays output that can be controlled over Ethernet and RS-485. DVRSearch is … | Jun 24, 2026 |
| CVE-2026-12846 | CRITICAL | 10.0 | GV-I/O Box 4E is a smart embedded device with 4 input and 4 relays output that can be controlled over Ethernet and RS-485. DVRSearch is … | Jun 24, 2026 |
| CVE-2026-12488 | MEDIUM | 6.2 | A memory corruption vulnerability exists in the GV-Cloud functionality of GeoVision GV-VMS V20 20.0.2. A specially crafted network request can lead to a denial of … | Jun 24, 2026 |
| CVE-2026-12486 | CRITICAL | 9.1 | Multiple OS command injection vulnerabilities exist in the libNetSetObj.so functionality of GeoVision GV-I/O Box 4E 2.09. A specially crafted network packet can lead to command … | Jun 24, 2026 |
| CVE-2026-12485 | CRITICAL | 10.0 | GV-I/O Box 4E is a smart embedded device with 4 input and 4 relays output that can be controlled over Ethernet and RS-485. DVRSearch is … | Jun 24, 2026 |
| CVE-2026-3652 | HIGH | 7.2 | The ARForms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `value` parameter of the `arf_save_incomplete_form_data` AJAX action in all versions up to, … | Jun 24, 2026 |
| CVE-2026-11614 | MEDIUM | 6.4 | The Xpro Addons — 140+ Widgets for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'custom_attributes' parameter in all versions up … | Jun 24, 2026 |
| CVE-2026-12681 | UNKNOWN | — | Improper Validation of Specified Index, Position, or Offset in Input vulnerability in Google go-attestation. parseEfiSignatureList() does not advance the buffer past vendor bytes before reading … | Jun 24, 2026 |
| CVE-2026-54639 | HIGH | 8.8 | Style Dictionary, a build system for creating cross-platform styles, has a prototype pollution vulnerability starting in version 4.3.0 and prior to version 5.4.4. Impact users … | Jun 24, 2026 |
| CVE-2026-7574 | HIGH | 8.7 | Anthropic Claude Desktop Cowork VM image handling (confirmed across v1.1348.0 through v1.2278.0, including v1.1348.0, v1.1617.0, and v1.2278.0) validates only file presence and a version marker … | Jun 24, 2026 |
| CVE-2026-6458 | UNKNOWN | — | Missing cryptographic step in Caliptra Core Firmware (aes_256_gcm_update module) results in an incorrect GCM authentication tag. When the streaming AES-256-GCM API is used with empty … | Jun 24, 2026 |