Security
CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
10557
Total
721
Critical
3059
High
3365
Medium
| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-6247 | MEDIUM | 6.4 | The scratchblocks for WP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'element' attribute of the 'scratchblocks' shortcode in all versions up … | May 12, 2026 |
| CVE-2026-6237 | MEDIUM | 6.4 | The Quick Table plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'style' attribute of the 'qtbl' shortcode in all versions up to, … | May 12, 2026 |
| CVE-2026-5715 | MEDIUM | 6.4 | The Voyage Plus plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'class' attribute of the 'post-content' shortcode in all versions up to, … | May 12, 2026 |
| CVE-2026-5693 | MEDIUM | 5.3 | The Smart Appointment & Booking plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check and a nonce validation … | May 12, 2026 |
| CVE-2026-5340 | MEDIUM | 6.4 | The Fancy Image Show plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `fancy-img-show` shortcode in all versions up to, and including, … | May 12, 2026 |
| CVE-2026-5028 | MEDIUM | 6.5 | The Eight Day Week Print Workflow plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'title' parameter in the `pp-get-articles` AJAX action … | May 12, 2026 |
| CVE-2026-4920 | MEDIUM | 6.4 | The Next Date plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'default' shortcode attribute in all versions up to, and including, 1.0 … | May 12, 2026 |
| CVE-2026-4859 | MEDIUM | 6.4 | The SP Blog Designer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'design' attribute of the `wpsbd_post_carousel` shortcode in all versions up … | May 12, 2026 |
| CVE-2026-4663 | MEDIUM | 5.3 | The iPOSpays Gateways WC plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 1.3.7. This is due to the plugin … | May 12, 2026 |
| CVE-2026-4301 | MEDIUM | 4.3 | The Rate Star Review Vote - AJAX Reviews, Votes, Star Ratings plugin for WordPress is vulnerable to Missing Authorization in all versions up to and … | May 12, 2026 |
| CVE-2026-3604 | MEDIUM | 4.9 | The WP SEO Structured Data Schema plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `_kcseo_ative_tab` parameter in all versions up to, and … | May 12, 2026 |
| CVE-2026-39432 | HIGH | 8.2 | Missing Authorization vulnerability in Arraytics Timetics allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Timetics: from n/a through 1.0.53. | May 12, 2026 |
| CVE-2026-2993 | HIGH | 7.5 | The AI Chatbot & Workflow Automation by AIWU plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 1.4.17 due to … | May 12, 2026 |
| CVE-2026-2300 | MEDIUM | 6.4 | The BJ Lazy Load plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `filter_images()` function in all versions up to, and including, 1.0.9. … | May 12, 2026 |
| CVE-2026-35227 | UNKNOWN | — | An unauthenticated remote attacker may exhaust all available TCP connections in the CODESYS Modbus TCP Server stack if a race condition in connection handling is … | May 12, 2026 |
| CVE-2026-1681 | MEDIUM | 6.1 | Issuing an ICMP ping via the `net ping` shell command to a device's own IPv4 address causes the network stack to recursively re-enter the input … | May 12, 2026 |
| CVE-2026-1185 | MEDIUM | 5.4 | A configuration file on the local file system had improper input validation which could allow code execution and potentially lead to privilege escalation. This vulnerability … | May 12, 2026 |
| CVE-2026-0804 | MEDIUM | 6.7 | An ACAP configuration file lacked sufficient input validation, which could allow a path traversal attack leading to potential privilege escalation. This vulnerability can only be … | May 12, 2026 |
| CVE-2026-0802 | MEDIUM | 6.0 | An ACAP configuration file lacked sufficient input validation, which could allow command injection and potentially lead to privilege escalation. This vulnerability can only be exploited … | May 12, 2026 |
| CVE-2026-0541 | MEDIUM | 6.7 | ACAP applications can gain elevated privileges due to improper input validation during the installation process, potentially leading to privilege escalation. This vulnerability can only be … | May 12, 2026 |
| CVE-2026-41872 | HIGH | 7.4 | "Kura Sushi Official App" provided by EPG, Inc. is vulnerable to improper certificate validation. A man-in-the-middle attack may allow eavesdropping on, or altering, the communication … | May 12, 2026 |
| CVE-2026-41530 | LOW | 3.3 | The automatic folder creation feature of Lhaz and Lhaz+ provided by Chitora soft contains a path traversal vulnerability. When the affected product is configured with … | May 12, 2026 |
| CVE-2026-44499 | UNKNOWN | — | ZEBRA is a Zcash node written entirely in Rust. Prior to version 4.4.0, a composite denial-of-service vulnerability in Zebra's block discovery pipeline allows an unauthenticated … | May 08, 2026 |
| CVE-2026-43967 | UNKNOWN | — | Inefficient Algorithmic Complexity vulnerability in absinthe-graphql absinthe allows unauthenticated denial of service via quadratic fragment-name uniqueness validation. 'Elixir.Absinthe.Phase.Document.Validation.UniqueFragmentNames':run/2 iterates over all fragments and for each … | May 08, 2026 |
| CVE-2026-42794 | UNKNOWN | — | Improper Neutralization of Input During Web Page Generation (XSS) vulnerability in absinthe-graphql absinthe_plug allows reflected cross-site scripting via the GraphiQL interface. 'Elixir.Absinthe.Plug.GraphiQL':js_escape/1 in lib/absinthe/plug/graphiql.ex escapes … | May 08, 2026 |