Security
CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
10307
Total
705
Critical
2965
High
3260
Medium
| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-6177 | HIGH | 7.2 | The Custom Twitter Feeds plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to and including 2.5.4. This is due to insufficient … | May 13, 2026 |
| CVE-2026-42961 | MEDIUM | 4.3 | ELECOM wireless LAN access point devices implement CSRF protection mechanism, but with inadequate handling of CSRF tokens. If a user views a malicious page while … | May 13, 2026 |
| CVE-2026-42950 | MEDIUM | 4.3 | ELECOM wireless LAN access point devices do not check if language parameter has an appropriate value. If a user views a malicious page while logged … | May 13, 2026 |
| CVE-2026-42948 | MEDIUM | 4.8 | Stored cross-site scripting vulnerability exists in ELECOM wireless LAN access point devices. If one of the administrators input malicious data, an arbitrary script may be … | May 13, 2026 |
| CVE-2026-42062 | CRITICAL | 9.8 | ELECOM wireless LAN access point devices contain an OS command injection in processing of username parameter. If processing a crafted request, an arbitrary OS command … | May 13, 2026 |
| CVE-2026-40621 | CRITICAL | 9.8 | ELECOM wireless LAN access point devices do not require authentication to access some specific URLs. The affected product may be operated without authentication. | May 13, 2026 |
| CVE-2026-3426 | MEDIUM | 4.3 | The RTMKit Addons for Elementor plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on the save_widget() and reset_all_widgets() … | May 13, 2026 |
| CVE-2026-3425 | HIGH | 8.8 | The RTMKit Addons for Elementor plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.0.2 via the 'path' … | May 13, 2026 |
| CVE-2026-35506 | HIGH | 7.2 | ELECOM wireless LAN access point devices contain an OS command injection vulnerability in processing of ping_ip_addr parameter. If processing a crafted request sent by a … | May 13, 2026 |
| CVE-2026-25107 | MEDIUM | 6.5 | ELECOM wireless LAN access point devices use a hard-coded cryptographic key when creating backups of configuration files. An attacker who knows the encryption key can … | May 13, 2026 |
| CVE-2026-7168 | MEDIUM | 5.3 | Successfully using libcurl to do a transfer over a specific HTTP proxy (`proxyA`) with **Digest** authentication and then changing the proxy host to a second … | May 13, 2026 |
| CVE-2026-7009 | MEDIUM | 5.3 | When curl is told to use the Certificate Status Request TLS extension, often referred to as *OCSP stapling*, to verify that the server certificate is … | May 13, 2026 |
| CVE-2026-6429 | MEDIUM | 5.3 | When asked to both use a `.netrc` file for credentials and to follow HTTP redirects, libcurl could leak the password used for the first host … | May 13, 2026 |
| CVE-2026-6276 | HIGH | 7.5 | Using libcurl, when a custom `Host:` header is first set for an HTTP request and a second request is subsequently done using the same *easy … | May 13, 2026 |
| CVE-2026-6253 | MEDIUM | 5.9 | curl might erroneously pass on credentials for a first proxy to a second proxy. This can happen when the following conditions are true: 1. curl … | May 13, 2026 |
| CVE-2026-5773 | HIGH | 7.5 | libcurl might in some circumstances reuse the wrong connection for SMB(S) transfers. libcurl features a pool of recent connections so that subsequent requests can reuse … | May 13, 2026 |
| CVE-2026-5545 | MEDIUM | 6.5 | libcurl might in some circumstances reuse the wrong connection when asked to do an authenticated HTTP(S) request after a Negotiate-authenticated one, when both use the … | May 13, 2026 |
| CVE-2026-4873 | MEDIUM | 5.9 | A vulnerability exists where a connection requiring TLS incorrectly reuses an existing unencrypted connection from the same connection pool. If an initial transfer is made … | May 13, 2026 |
| CVE-2026-4798 | HIGH | 7.5 | The Avada Builder plugin for WordPress is vulnerable to time-based SQL Injection via the ‘product_order’ parameter in all versions up to, and including, 3.15.1 due … | May 13, 2026 |
| CVE-2026-4782 | MEDIUM | 6.5 | The Avada Builder plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 3.15.2 via the 'fusion_get_svg_from_file' function with … | May 13, 2026 |
| CVE-2026-44931 | UNKNOWN | — | The newly introduced RecordUsage D-Bus method https://gitlab.freedesktop.org/pwithnall/malcontent/-/blob/0.14.0/libmalcontent-timer/child-timer-service.c in malcontent-timerd allows arbitrary users in the system to slowly fill up disk space in /var/lib/malcontent-timerd | May 13, 2026 |
| CVE-2026-41051 | MEDIUM | 5.0 | csync2 uses insecure temporary directories when compiled with C99 or later, allowing for TOCTOU style attacks on the temporary directories. | May 13, 2026 |
| CVE-2026-2515 | MEDIUM | 5.3 | The Hostinger Reach – AI-Powered Email Marketing for WordPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check … | May 13, 2026 |
| CVE-2026-25710 | UNKNOWN | — | The new upstream added a privileged D-Bus helper called plasmaloginauthhelper, which suffers from multiple issues, e.g.aA compromised plasmalogin service account can chown() arbitrary files in … | May 13, 2026 |
| CVE-2024-47091 | UNKNOWN | — | Privilege escalation in the mk_mysql agent plugin on Windows in Checkmk <2.4.0p29, <2.3.0p47, and 2.2.0 (EOL) allows a local unprivileged user able to create a … | May 13, 2026 |