脆弱性一覧
CVE / GHSA / KEV / OSV を統合監視。タグ・カテゴリで絞り込み可能。
| ID | タイトル | |
|---|---|---|
| CVE-2026-58054 |
|
MyBB 1.8.40 does not restrict which usergroup a limited Admin Control Panel user may assign when...
MyBB 1.8.40 does not restrict which usergroup a limited Admin Control Panel user may assign when...
|
| CVE-2026-3652 |
|
The ARForms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `value`...
The ARForms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `value`...
|
| CVE-2026-46489 |
|
SolidInvoice is an open-source invoicing platform. Prior to version 2.3.17, the company logo upload feature accepts any file type without validation. An authenticated administrator can upload an SVG f...
SolidInvoice is an open-source invoicing platform. Prior to version 2.3.17, the company logo upload feature accepts any file type without validation. An authenticated administrator can upload an SVG file containing embedded JavaScript. This script is base64-encoded and injected unescaped into every...
|
| CVE-2026-5415 |
|
The WP Captcha PRO (the premium version of the Advanced Google reCAPTCHA plugin, both have the...
The WP Captcha PRO (the premium version of the Advanced Google reCAPTCHA plugin, both have the...
|
| CVE-2026-5411 |
|
The WP Captcha PRO (the premium version of the Advanced Google reCAPTCHA plugin, both have the...
The WP Captcha PRO (the premium version of the Advanced Google reCAPTCHA plugin, both have the...
|
| CVE-2026-46392 |
|
HAX CMS helps manage microsite universe with PHP or NodeJs backends. Prior to version 26.0.0 of HAX CMS PHP, the `saveFile` endpoint validates upload extensions case-insensitively and writes the filen...
HAX CMS helps manage microsite universe with PHP or NodeJs backends. Prior to version 26.0.0 of HAX CMS PHP, the `saveFile` endpoint validates upload extensions case-insensitively and writes the filename to disk verbatim, but the `.htaccess` rule that forces `Content-Disposition: attachment` on HTML...
|
| CVE-2026-1829 |
|
The Content Visibility for Divi Builder plugin for WordPress is vulnerable to Remote Code...
The Content Visibility for Divi Builder plugin for WordPress is vulnerable to Remote Code...
|
| CVE-2026-39555 |
|
Deserialization of Untrusted Data vulnerability in Elated-Themes Askka allows Object Injection.
...
Deserialization of Untrusted Data vulnerability in Elated-Themes Askka allows Object Injection.
...
|
| CVE-2026-39553 |
|
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File...
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File...
|
| CVE-2026-39552 |
|
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File...
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File...
|
| CVE-2025-69369 |
|
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File...
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File...
|
| CVE-2025-68886 |
|
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File...
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File...
|
| CVE-2025-11262 |
|
The Link Whisper Free plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the...
The Link Whisper Free plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the...
|
| CVE-2026-42760 |
|
Authentication Bypass Using an Alternate Path or Channel vulnerability in revmakx Backup and...
Authentication Bypass Using an Alternate Path or Channel vulnerability in revmakx Backup and...
|
| CVE-2026-42762 |
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')...
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')...
|
| CVE-2026-42753 |
|
Missing Authorization vulnerability in WC Lovers WCFM Membership wc-multivendor-membership allows...
Missing Authorization vulnerability in WC Lovers WCFM Membership wc-multivendor-membership allows...
|
| CVE-2026-42745 |
|
Authentication Bypass Using an Alternate Path or Channel vulnerability in ZAYTECH Smart Online...
Authentication Bypass Using an Alternate Path or Channel vulnerability in ZAYTECH Smart Online...
|
| CVE-2026-42737 |
|
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in...
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in...
|
| CVE-2026-42736 |
|
Authorization Bypass Through User-Controlled Key vulnerability in wordplus BP Better Messages bp...
Authorization Bypass Through User-Controlled Key vulnerability in wordplus BP Better Messages bp...
|
| CVE-2026-42735 |
|
Authentication Bypass Using an Alternate Path or Channel vulnerability in Iqonic Design KiviCare...
Authentication Bypass Using an Alternate Path or Channel vulnerability in Iqonic Design KiviCare...
|
| CVE-2026-42730 |
|
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')...
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')...
|
| CVE-2026-46408 |
|
Vvveb is a powerful and easy to use CMS with page builder to build websites, blogs or ecommerce stores. Prior to 1.0.8.3, the checkout endpoint accepts a user-controlled cart_id and uses it to enter t...
Vvveb is a powerful and easy to use CMS with page builder to build websites, blogs or ecommerce stores. Prior to 1.0.8.3, the checkout endpoint accepts a user-controlled cart_id and uses it to enter the payment flow without verifying cart ownership. A logged-in attacker can therefore reuse another u...
|
| CVE-2026-46407 |
|
Vvveb is a powerful and easy to use CMS with page builder to build websites, blogs or ecommerce stores. Prior to 1.0.8.3, the backend admin/auth-token endpoint allows an authenticated administrator to...
Vvveb is a powerful and easy to use CMS with page builder to build websites, blogs or ecommerce stores. Prior to 1.0.8.3, the backend admin/auth-token endpoint allows an authenticated administrator to load another administrator's REST API token list by supplying that user's admin_id. This can disclo...
|
| CVE-2026-46367 |
|
Duplicate Advisory: phpMyFAQ: Stored XSS via Utils::parseUrl() in comment rendering
Duplicate Advisory: phpMyFAQ: Stored XSS via Utils::parseUrl() in comment rendering
|
| CVE-2026-46366 |
|
phpMyFAQ has unauthenticated FAQ permission bypass via getFaqBySolutionId fallback query
phpMyFAQ has unauthenticated FAQ permission bypass via getFaqBySolutionId fallback query
|
| CVE-2026-46359 |
|
phpMyFAQ has SQL Injection in CurrentUser::setTokenData through unescaped OAuth token fields
phpMyFAQ has SQL Injection in CurrentUser::setTokenData through unescaped OAuth token fields
|
| CVE-2026-44826 |
|
Vvveb is a powerful and easy to use CMS with page builder to build websites, blogs or ecommerce stores. Prior to 1.0.8.2, Vvveb CMS does not validate the sign of the quantity parameter on the cart-add...
Vvveb is a powerful and easy to use CMS with page builder to build websites, blogs or ecommerce stores. Prior to 1.0.8.2, Vvveb CMS does not validate the sign of the quantity parameter on the cart-add endpoint. Submitting a negative integer is accepted by the server and treated as a normal positive...
|
| CVE-2021-47964 |
|
Schlix CMS 2.2.6-6 contains a remote code execution vulnerability that allows authenticated...
Schlix CMS 2.2.6-6 contains a remote code execution vulnerability that allows authenticated...
|
| CVE-2021-47959 |
|
WordPress Plugin WPGraphQL 1.3.5 contains a denial of service vulnerability that allows...
WordPress Plugin WPGraphQL 1.3.5 contains a denial of service vulnerability that allows...
|
| CVE-2026-4094 |
|
The FOX – Currency Switcher Professional for WooCommerce plugin for WordPress is vulnerable to...
The FOX – Currency Switcher Professional for WooCommerce plugin for WordPress is vulnerable to...
|
| CVE-2025-0610 |
|
Cross-Site Request Forgery (CSRF) vulnerability in Akınsoft QR Menü allows Cross Site Request...
Cross-Site Request Forgery (CSRF) vulnerability in Akınsoft QR Menü allows Cross Site Request...
|