Security
CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
Total: 20346, Critical: 1466, High: 6163, Medium: 6464
| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-13251 | HIGH | 7.5 | The Perfmatters plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 2.6.4 via the 's' parameter. This makes it … | Jul 02, 2026 |
| CVE-2026-12657 | MEDIUM | 5.3 | The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, … | Jul 02, 2026 |
| CVE-2026-12472 | MEDIUM | 5.3 | The Kirki – Freeform Page Builder, Website Builder & Customizer plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, … | Jul 02, 2026 |
| CVE-2026-12134 | MEDIUM | 4.3 | The JoomSport – for Sports: Team & League, Football, Hockey & more plugin for WordPress is vulnerable to authorization bypass in all versions up to, … | Jul 02, 2026 |
| CVE-2026-12122 | MEDIUM | 5.3 | The Kirki – Freeform Page Builder, Website Builder & Customizer plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and … | Jul 02, 2026 |
| CVE-2026-11896 | MEDIUM | 5.3 | The My Calendar – Accessible Event Manager plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.7.14 … | Jul 02, 2026 |
| CVE-2026-10104 | MEDIUM | 4.4 | The Product Video Gallery for Woocommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via custom_thumbnail Parameter in all versions up to, and including, … | Jul 02, 2026 |
| CVE-2026-9563 | HIGH | 7.5 | In Eclipse Parsson published Maven Central artifacts before version 1.1.8, the JSON parser did not enforce a default maximum on the number of characters consumed … | Jul 02, 2026 |
| CVE-2026-8147 | HIGH | 8.1 | In MLflow versions prior to 3.14.0, when running with authentication enabled, the trace API endpoints lack proper authorization validators. This allows any authenticated user to … | Jul 02, 2026 |
| CVE-2026-33592 | HIGH | 7.5 | An unauthenticated remote attacker can exhaust server memory via the FindServers Discovery Service in open62541. The serverUris field of FindServersRequest is not validated for length … | Jul 02, 2026 |
| CVE-2026-5821 | HIGH | 8.1 | The Image Optimizer plugin for WordPress is vulnerable to arbitrary file deletion in versions up to and including 1.7.4. This is due to insufficient path … | Jul 02, 2026 |
| CVE-2026-5348 | MEDIUM | 5.3 | The Academy LMS – WordPress LMS Plugin for Complete eLearning Solution plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, … | Jul 02, 2026 |
| CVE-2026-14249 | HIGH | 7.5 | The Request a Quote plugin for WordPress is vulnerable to Code Injection in versions up to, and including, 2.5.5 via the emd_delete_file AJAX action. This … | Jul 02, 2026 |
| CVE-2026-13704 | MEDIUM | 6.4 | The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'sequoia[introduction][image]' parameter in all versions up … | Jul 02, 2026 |
| CVE-2026-13357 | MEDIUM | 4.9 | The Houzez Property Feed plugin for WordPress is vulnerable to SQL Injection via the 'orderby' parameter in all versions up to, and including, 2.5.46 due … | Jul 02, 2026 |
| CVE-2026-11965 | MEDIUM | 6.5 | The User Registration & Membership WordPress plugin before 5.2.0 does not enforce payment completion before activating a paid membership subscription, allowing unauthenticated users (after self-registering … | Jul 02, 2026 |
| CVE-2026-11781 | LOW | 2.7 | The Adminify WordPress plugin before 4.2.10 does not perform per-user read-capability checks on the results returned by one of its administration search features, allowing users … | Jul 02, 2026 |
| CVE-2026-11600 | MEDIUM | 4.3 | The Envo's Templates & Widgets for Elementor and WooCommerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing authorization check … | Jul 02, 2026 |
| CVE-2026-11592 | MEDIUM | 4.3 | The Email Subscribers & Newsletters – Email Marketing, Post Notifications & Newsletter Plugin for WordPress plugin for WordPress is vulnerable to authorization bypass in all … | Jul 02, 2026 |
| CVE-2026-11578 | LOW | 2.7 | The Fluent Forms WordPress plugin before 6.2.5 does not properly restrict the deletion of form submission entries to the forms a restricted Manager is authorized … | Jul 02, 2026 |
| CVE-2026-10089 | MEDIUM | 6.4 | The Insert Pages plugin for WordPress is vulnerable to Stored Cross-Site Scripting via post custom field keys (meta key names) in all versions up to, … | Jul 02, 2026 |
| CVE-2026-10077 | MEDIUM | 6.8 | The yootheme WordPress theme before 5.0.35 does not prevent its bundled front-end framework from treating certain HTML attributes, which are permitted by wp_kses_post(), as markup, … | Jul 02, 2026 |
| CVE-2026-57278 | HIGH | 8.3 | GeoWebPlayer (also called "Web Plugin" in the GV-VMS documentation and "WS Player" for VMS-Cloud) is an addon that can be installed with various GeoVision software … | Jul 02, 2026 |
| CVE-2026-57277 | HIGH | 8.3 | GeoWebPlayer (also called "Web Plugin" in the GV-VMS documentation and "WS Player" for VMS-Cloud) is an addon that can be installed with various GeoVision software … | Jul 02, 2026 |
| CVE-2026-57276 | HIGH | 8.3 | GeoWebPlayer (also called "Web Plugin" in the GV-VMS documentation and "WS Player" for VMS-Cloud) is an addon that can be installed with various GeoVision software … | Jul 02, 2026 |