Security
CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
22296
Total
1591
Critical
6822
High
7139
Medium
| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2023-32959 | MEDIUM | 4.3 | Missing Authorization vulnerability in Sparkle WP MetroStore metrostore allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects MetroStore: from n/a through 1.3.2. | Jun 11, 2026 |
| CVE-2023-25969 | MEDIUM | 5.4 | Missing Authorization vulnerability in ThemeHunk Contact Form & Lead Form Elementor Builder allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Contact Form … | Jun 11, 2026 |
| CVE-2022-47150 | MEDIUM | 4.3 | Cross-Site request forgery (CSRF) vulnerability in weDevs WooCommerce Conversion Tracking allows Cross Site Request Forgery. This issue affects WooCommerce Conversion Tracking: from n/a through 2.0.10. | Jun 11, 2026 |
| CVE-2022-45813 | MEDIUM | 5.4 | Missing Authorization vulnerability in BeRocket Advanced AJAX Product Filters allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Advanced AJAX Product Filters: from … | Jun 11, 2026 |
| CVE-2026-5497 | HIGH | 7.5 | vLLM versions 0.8.0 and later are vulnerable to an Out-of-Memory (OOM) Denial of Service (DoS) attack due to unbounded frame count processing in the `VideoMediaIO.load_base64()` … | Jun 11, 2026 |
| CVE-2026-53911 | UNKNOWN | — | Cerebrate before version 1.37 allowed the id primary key field to be supplied through request input during CRUD edit operations and certain custom entity patching … | Jun 11, 2026 |
| CVE-2026-11850 | MEDIUM | 5.0 | An integer underflow vulnerability was found in MIT krb5 in the berval2tl_data() function in plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c. The function performs an unsigned subtraction (bv_len - 2) without … | Jun 11, 2026 |
| CVE-2025-7064 | MEDIUM | 6.6 | Authentication bypass by primary weakness vulnerability in ABB Freelance. This issue affects Freelance: through 2013, 2013 SP1, 2016, 2016 SP1, 2019, 2019 SP1, 2019 SP1 … | Jun 11, 2026 |
| CVE-2022-44630 | MEDIUM | 4.6 | Cross-Site request forgery (CSRF) vulnerability in YITH YITH WooCommerce Product Slider Carousel allows Cross Site Request Forgery. This issue affects YITH WooCommerce Product Slider Carousel: … | Jun 11, 2026 |
| CVE-2022-42479 | MEDIUM | 5.4 | Missing Authorization vulnerability in TemplateHouse Soledad allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Soledad: from n/a through 8.2.5. | Jun 11, 2026 |
| CVE-2026-53901 | UNKNOWN | — | Cerebrate before version 1.37 contains a mass-assignment vulnerability in the generic CRUD add path. The add() handler attempted to remove an attacker-supplied id from $params … | Jun 11, 2026 |
| CVE-2024-32110 | MEDIUM | 4.3 | Cross-Site request forgery (CSRF) vulnerability in Magepeople inc. WpEvently allows Cross Site Request Forgery. This issue affects WpEvently: from n/a through 4.1.2. | Jun 11, 2026 |
| CVE-2023-40200 | MEDIUM | 5.3 | Authorization bypass through User-Controlled key vulnerability in Essential Plugin WP Logo Showcase Responsive Slider and Carousel allows Exploiting Incorrectly Configured Access Control Security Levels. This … | Jun 11, 2026 |
| CVE-2023-33999 | HIGH | 7.1 | Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in WPVibes WP Mail Log allows DOM-Based XSS. This issue affects WP Mail Log: … | Jun 11, 2026 |
| CVE-2026-41856 | HIGH | 7.5 | The Spring GraphQL annotation detection mechanism for @Controller data fetchers may not correctly resolve annotations on methods within type hierarchies. This can be an issue … | Jun 11, 2026 |
| CVE-2026-41700 | HIGH | 8.1 | Spring for GraphQL applications that have enabled the WebSocket transport are vulnerable to Cross-Site WebSocket Hijacking. An attacker can trick an authenticated user into visiting … | Jun 11, 2026 |
| CVE-2026-41699 | HIGH | 8.1 | Spring for GraphQL applications are vulnerable to Unsafe Deserialization when processing paginated GraphQL queries. An attacker can craft a malicious GraphQL request that can lead … | Jun 11, 2026 |
| CVE-2026-41001 | MEDIUM | 5.3 | Spring Boot's ArtemisEmbeddedConfigurationFactory uses a fixed, static path for the embedded Artemis message broker's data directory when no explicit path is configured. A local attacker … | Jun 11, 2026 |
| CVE-2026-41000 | LOW | 3.7 | Wss4jSecurityInterceptor did not consistently wire Apache WSS4J ReplayCache instances into RequestData for validation-time checks. As a result, protections against replay of UsernameToken nonces and creation … | Jun 11, 2026 |
| CVE-2026-40999 | HIGH | 8.6 | When WS-Addressing is used with non-anonymous ReplyTo or FaultTo addresses, Spring WS may initiate outbound connections through configured WebServiceMessageSender instances to destinations taken directly from … | Jun 11, 2026 |
| CVE-2026-40998 | HIGH | 8.2 | Jaxp13XPathTemplate evaluated XPath expressions for StreamSource and SAXSource inputs using a code path that parsed attacker-controlled XML with the JDK's default DocumentBuilderFactory behavior instead of … | Jun 11, 2026 |
| CVE-2026-40997 | MEDIUM | 5.3 | Several Spring WS integration paths with Spring Security could surface detailed account state (for example locked or disabled user semantics) to remote SOAP clients through … | Jun 11, 2026 |
| CVE-2026-40996 | MEDIUM | 4.8 | Wss4jSecurityInterceptor defaulted allowRSA15KeyTransportAlgorithm to true, overriding Apache WSS4J's safer default for validation RequestData. Inbound WS-Security decryption could therefore accept RSA PKCS#1 v1.5 (rsa-1_5) encrypted key … | Jun 11, 2026 |
| CVE-2026-40995 | MEDIUM | 5.4 | X509AuthenticationProvider could issue a fully authenticated X509AuthenticationToken when a presented certificate mapped to UserDetails, without applying Spring Security's standard account lifecycle checks (disabled, locked, expired, … | Jun 11, 2026 |
| CVE-2026-40994 | HIGH | 8.2 | Wss4jSecurityInterceptor initialized its BSP (WS-I Basic Security Profile) compliance flag so that inbound validation disabled WSS4J BSP enforcement on RequestData. Services that validate WS-Security on … | Jun 11, 2026 |