|
CVE-2026-58054
|
|
MyBB 1.8.40 does not restrict which usergroup a limited Admin Control Panel user may assign when...
MyBB 1.8.40 does not restrict which usergroup a limited Admin Control Panel user may assign when...
|
High
|
Cwe 269
Mybb
PHP
Privilege Escalation
|
1 week ago
|
|
CVE-2026-3652
|
|
The ARForms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `value`...
The ARForms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `value`...
|
High
|
WordPress
Cross-Site Scripting
Cwe 79
PHP
|
2 weeks ago
|
|
CVE-2026-46489
|
|
SolidInvoice is an open-source invoicing platform. Prior to version 2.3.17, the company logo upload feature accepts any file type without validation. An authenticated administrator can upload an SVG f...
SolidInvoice is an open-source invoicing platform. Prior to version 2.3.17, the company logo upload feature accepts any file type without validation. An authenticated administrator can upload an SVG file containing embedded JavaScript. This script is base64-encoded and injected unescaped into every...
|
High
|
JavaScript
Cross-Site Scripting
Cwe 79
Cwe 434
|
3 weeks ago
|
|
CVE-2026-5415
|
|
The WP Captcha PRO (the premium version of the Advanced Google reCAPTCHA plugin, both have the...
The WP Captcha PRO (the premium version of the Advanced Google reCAPTCHA plugin, both have the...
|
High
|
WordPress
Authentication Bypass
Cwe 288
PHP
|
1 month ago
|
|
CVE-2026-5411
|
|
The WP Captcha PRO (the premium version of the Advanced Google reCAPTCHA plugin, both have the...
The WP Captcha PRO (the premium version of the Advanced Google reCAPTCHA plugin, both have the...
|
High
|
PHP
WordPress
Remote Code Execution
Cwe 434
|
1 month ago
|
|
CVE-2026-46392
|
|
HAX CMS helps manage microsite universe with PHP or NodeJs backends. Prior to version 26.0.0 of HAX CMS PHP, the `saveFile` endpoint validates upload extensions case-insensitively and writes the filen...
HAX CMS helps manage microsite universe with PHP or NodeJs backends. Prior to version 26.0.0 of HAX CMS PHP, the `saveFile` endpoint validates upload extensions case-insensitively and writes the filename to disk verbatim, but the `.htaccess` rule that forces `Content-Disposition: attachment` on HTML...
|
High
|
PHP
JavaScript
Cwe 178
Cwe 434
+1
|
1 month ago
|
|
CVE-2026-1829
|
|
The Content Visibility for Divi Builder plugin for WordPress is vulnerable to Remote Code...
The Content Visibility for Divi Builder plugin for WordPress is vulnerable to Remote Code...
|
High
|
WordPress
Remote Code Execution
Cwe 94
PHP
|
1 month ago
|
|
CVE-2026-39555
|
|
Deserialization of Untrusted Data vulnerability in Elated-Themes Askka allows Object Injection.
...
Deserialization of Untrusted Data vulnerability in Elated-Themes Askka allows Object Injection.
...
|
High
|
Insecure Deserialization
Cwe 502
WordPress
PHP
|
1 month ago
|
|
CVE-2026-39553
|
|
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File...
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File...
|
High
|
PHP
Cwe 98
WordPress
Remote Code Execution
|
1 month ago
|
|
CVE-2026-39552
|
|
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File...
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File...
|
High
|
PHP
Cwe 98
WordPress
Remote Code Execution
+1
|
1 month ago
|
|
CVE-2025-69369
|
|
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File...
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File...
|
High
|
PHP
Cwe 98
WordPress
Local File Inclusion
|
1 month ago
|
|
CVE-2025-68886
|
|
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File...
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File...
|
High
|
PHP
Cwe 98
WordPress
Remote Code Execution
|
1 month ago
|
|
CVE-2025-11262
|
|
The Link Whisper Free plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the...
The Link Whisper Free plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the...
|
High
|
WordPress
Cross-Site Scripting
Cwe 79
PHP
|
1 month ago
|
|
CVE-2026-42762
|
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')...
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')...
|
High
|
Cross-Site Scripting
Cwe 79
WordPress
PHP
|
1 month ago
|
|
CVE-2026-42760
|
|
Authentication Bypass Using an Alternate Path or Channel vulnerability in revmakx Backup and...
Authentication Bypass Using an Alternate Path or Channel vulnerability in revmakx Backup and...
|
High
|
WordPress
Authentication Bypass
Cwe 288
|
1 month ago
|
|
CVE-2026-42753
|
|
Missing Authorization vulnerability in WC Lovers WCFM Membership wc-multivendor-membership allows...
Missing Authorization vulnerability in WC Lovers WCFM Membership wc-multivendor-membership allows...
|
High
|
Cwe 862
WordPress
Authentication Bypass
|
1 month ago
|
|
CVE-2026-42745
|
|
Authentication Bypass Using an Alternate Path or Channel vulnerability in ZAYTECH Smart Online...
Authentication Bypass Using an Alternate Path or Channel vulnerability in ZAYTECH Smart Online...
|
High
|
Authentication Bypass
Cwe 288
WordPress
PHP
|
1 month ago
|
|
CVE-2026-42737
|
|
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in...
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in...
|
High
|
Path Traversal
Cwe 22
WordPress
PHP
|
1 month ago
|
|
CVE-2026-42735
|
|
Authentication Bypass Using an Alternate Path or Channel vulnerability in Iqonic Design KiviCare...
Authentication Bypass Using an Alternate Path or Channel vulnerability in Iqonic Design KiviCare...
|
High
|
Authentication Bypass
Cwe 288
WordPress
PHP
|
1 month ago
|
|
CVE-2026-42730
|
|
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')...
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')...
|
High
|
SQL Injection
Cwe 89
WordPress
PHP
|
1 month ago
|
|
CVE-2026-46367
|
|
Duplicate Advisory: phpMyFAQ: Stored XSS via Utils::parseUrl() in comment rendering
Duplicate Advisory: phpMyFAQ: Stored XSS via Utils::parseUrl() in comment rendering
|
High
|
JavaScript
Cross-Site Scripting
Cwe 79
PHP
+1
|
1 month ago
|
|
CVE-2026-46366
|
|
phpMyFAQ has unauthenticated FAQ permission bypass via getFaqBySolutionId fallback query
phpMyFAQ has unauthenticated FAQ permission bypass via getFaqBySolutionId fallback query
|
High
|
Cwe 863
phpMyFAQ
PHP
Authentication Bypass
|
1 month ago
|
|
CVE-2026-46359
|
|
phpMyFAQ has SQL Injection in CurrentUser::setTokenData through unescaped OAuth token fields
phpMyFAQ has SQL Injection in CurrentUser::setTokenData through unescaped OAuth token fields
|
High
|
SQL Injection
Cwe 89
phpMyFAQ
PHP
+1
|
1 month ago
|
|
CVE-2021-47964
|
|
Schlix CMS 2.2.6-6 contains a remote code execution vulnerability that allows authenticated...
Schlix CMS 2.2.6-6 contains a remote code execution vulnerability that allows authenticated...
|
High
|
PHP
Remote Code Execution
Cwe 94
Schlix
+1
|
1 month ago
|
|
CVE-2021-47959
|
|
WordPress Plugin WPGraphQL 1.3.5 contains a denial of service vulnerability that allows...
WordPress Plugin WPGraphQL 1.3.5 contains a denial of service vulnerability that allows...
|
High
|
WordPress
Denial of Service
Cwe 770
PHP
|
1 month ago
|
|
CVE-2026-4094
|
|
The FOX – Currency Switcher Professional for WooCommerce plugin for WordPress is vulnerable to...
The FOX – Currency Switcher Professional for WooCommerce plugin for WordPress is vulnerable to...
|
High
|
WordPress
Cwe 862
PHP
Cross-Site Request Forgery
|
1 month ago
|
|
CVE-2026-36458
|
|
Code Injection in sqli (CVE-2026-36458)
code injection in sqli (CVE-2026-36458). Successful exploitation can lead to full system takeover.
|
Critical
|
SQL Injection
Cwe 94
Chestnutcms
Cms
+13
|
2 months ago
|
|
CVE-2025-0610
|
|
Cross-Site Request Forgery (CSRF) vulnerability in Akınsoft QR Menü allows Cross Site Request...
Cross-Site Request Forgery (CSRF) vulnerability in Akınsoft QR Menü allows Cross Site Request...
|
High
|
Cross-Site Request Forgery
Cwe 352
|
10 months ago
|