Vulnerabilities
Aggregated CVE / GHSA / KEV / OSV — filter by tag and category.
| ID | Title | |
|---|---|---|
| CVE-2026-49268 |
|
Vulnerability in org.apache.shiro:shiro-core (CVE-2026-49268)
vulnerability in org.apache.shiro:shiro-core (CVE-2026-49268). Confidential information can be exposed externally. Mitigation: upgrade to `3.0.0-alpha-2` or later.
|
| CVE-2026-49108 |
|
Unauthenticated PHP Object Injection in Moderno < 1.43 versions.
Unauthenticated PHP Object Injection in Moderno < 1.43 versions.
|
| CVE-2026-54809 |
|
SQL Injection in sqli (CVE-2026-54809)
SQL injection in sqli (CVE-2026-54809). Confidential information can be exposed externally.
|
| CVE-2026-54819 |
|
SQL Injection in sqli (CVE-2026-54819)
SQL injection in sqli (CVE-2026-54819). Confidential information can be exposed externally.
|
| CVE-2025-69111 |
|
Unauthenticated PHP Object Injection in Reisen <= 1.4.1 versions.
Unauthenticated PHP Object Injection in Reisen <= 1.4.1 versions.
|
| CVE-2025-59554 |
|
Unauthenticated SQL Injection in Advanced Ads – Tracking < 3.0.7 versions.
Unauthenticated SQL Injection in Advanced Ads – Tracking < 3.0.7 versions.
|
| CVE-2025-60231 |
|
Unsafe Deserialization in deserialization (CVE-2025-60231)
vulnerability in deserialization (CVE-2025-60231). Successful exploitation can lead to full system takeover.
|
| CVE-2025-60229 |
|
Unsafe Deserialization in deserialization (CVE-2025-60229)
vulnerability in deserialization (CVE-2025-60229). Successful exploitation can lead to full system takeover.
|
| CVE-2025-69127 |
|
Unauthenticated PHP Object Injection in Plumbing <= 1.6 versions.
Unauthenticated PHP Object Injection in Plumbing <= 1.6 versions.
|
| CVE-2025-60236 |
|
Unsafe Deserialization in deserialization (CVE-2025-60236)
vulnerability in deserialization (CVE-2025-60236). Successful exploitation can lead to full system takeover.
|
| CVE-2025-60230 |
|
Unsafe Deserialization in deserialization (CVE-2025-60230)
vulnerability in deserialization (CVE-2025-60230). Successful exploitation can lead to full system takeover.
|
| CVE-2026-54807 |
|
Unauthenticated Privilege Escalation in Registration Form for WooCommerce <= 1.0.9 versions.
Unauthenticated Privilege Escalation in Registration Form for WooCommerce <= 1.0.9 versions.
|
| CVE-2026-54811 |
|
Unauthenticated SQL Injection in WP eMember < v10.9.4 versions.
Unauthenticated SQL Injection in WP eMember < v10.9.4 versions.
|
| CVE-2026-54194 |
|
Contributor PHP Object Injection in Fusion Builder <= 3.15.4 versions.
Contributor PHP Object Injection in Fusion Builder <= 3.15.4 versions.
|
| CVE-2026-52706 |
|
Unauthenticated PHP Object Injection in JetEngine <= 3.8.10 versions.
Unauthenticated PHP Object Injection in JetEngine <= 3.8.10 versions.
|
| CVE-2026-54186 |
|
Unauthenticated SQL Injection in JobSearch <= 3.2.9 versions.
Unauthenticated SQL Injection in JobSearch <= 3.2.9 versions.
|
| CVE-2026-54806 |
|
Unauthenticated PHP Object Injection in WP Activity Log <= 5.6.3.1 versions.
Unauthenticated PHP Object Injection in WP Activity Log <= 5.6.3.1 versions.
|
| CVE-2026-54803 |
|
Subscriber Privilege Escalation in SMS Alert Order Notifications <= 3.9.4 versions.
Subscriber Privilege Escalation in SMS Alert Order Notifications <= 3.9.4 versions.
|
| CVE-2026-54187 |
|
Unauthenticated SQL Injection in JetEngine <= 3.8.10.1 versions.
Unauthenticated SQL Injection in JetEngine <= 3.8.10.1 versions.
|
| CVE-2026-52705 |
|
Unauthenticated Arbitrary File Upload in SigmaForms Pro – AI Generated Forms <= 1.4.5 versions.
Unauthenticated Arbitrary File Upload in SigmaForms Pro – AI Generated Forms <= 1.4.5 versions.
|
| CVE-2026-50203 |
|
Path Traversal in apache-airflow-providers-sftp (CVE-2026-50203)
path traversal in apache-airflow-providers-sftp (CVE-2026-50203). Confidential information can be exposed externally. Exploitable via ``SFTPHook.retrieve_directory``. Mitigation: upgrade to `5.8.1` or later.
|
| CVE-2026-49107 |
|
Unauthenticated PHP Object Injection in Thrive Apprentice < 10.8.10.2 versions.
Unauthenticated PHP Object Injection in Thrive Apprentice < 10.8.10.2 versions.
|
| CVE-2026-49767 |
|
Unauthenticated Broken Authentication in wpForo Forum <= 3.1.0 versions.
Unauthenticated Broken Authentication in wpForo Forum <= 3.1.0 versions.
|
| CVE-2026-49084 |
|
Unauthenticated SQL Injection in JetEngine < 3.8.9.1 versions.
Unauthenticated SQL Injection in JetEngine < 3.8.9.1 versions.
|
| CVE-2026-49058 |
|
Unauthenticated Privilege Escalation in LoginPress Pro <= 6.2.2 versions.
Unauthenticated Privilege Escalation in LoginPress Pro <= 6.2.2 versions.
|
| CVE-2026-49080 |
|
Unauthenticated SQL Injection in wpDataTables <= 7.3.6 versions.
Unauthenticated SQL Injection in wpDataTables <= 7.3.6 versions.
|
| CVE-2026-49079 |
|
Unauthenticated SQL Injection in JetSearch <= 3.5.17 versions.
Unauthenticated SQL Injection in JetSearch <= 3.5.17 versions.
|
| CVE-2026-48616 |
|
Vulnerability in rocketchat (CVE-2026-48616)
vulnerability in rocketchat (CVE-2026-48616). Confidential information can be exposed externally.
|
| CVE-2026-49075 |
|
Contributor PHP Object Injection in JetEngine <= 3.8.9.1 versions.
Contributor PHP Object Injection in JetEngine <= 3.8.9.1 versions.
|
| CVE-2026-49076 |
|
Unauthenticated SQL Injection in JetEngine <= 3.8.9.1 versions.
Unauthenticated SQL Injection in JetEngine <= 3.8.9.1 versions.
|
| CVE-2026-48875 |
|
Unauthenticated SQL Injection in JetSmartFilters <= 3.8.1 versions.
Unauthenticated SQL Injection in JetSmartFilters <= 3.8.1 versions.
|
| CVE-2026-42380 |
|
Unauthenticated PHP Object Injection in AI Lab < 5.4.2 versions.
Unauthenticated PHP Object Injection in AI Lab < 5.4.2 versions.
|
| CVE-2026-40783 |
|
Contributor Remote Code Execution (RCE) in Blocksy Companion Pro <= 2.1.37 versions.
Contributor Remote Code Execution (RCE) in Blocksy Companion Pro <= 2.1.37 versions.
|
| CVE-2026-40725 |
|
Unauthenticated PHP Object Injection in WooCommerce Product Filters < 2.0.6 versions.
Unauthenticated PHP Object Injection in WooCommerce Product Filters < 2.0.6 versions.
|
| CVE-2026-40747 |
|
Subscriber Arbitrary File Upload in Ecommerce Zone <= 0.9.7 versions.
Subscriber Arbitrary File Upload in Ecommerce Zone <= 0.9.7 versions.
|
| CVE-2026-40746 |
|
Subscriber Arbitrary File Upload in Restaurant Zone <= 0.7.8 versions.
Subscriber Arbitrary File Upload in Restaurant Zone <= 0.7.8 versions.
|
| CVE-2026-40749 |
|
Subscriber Arbitrary File Upload in Charity Zone <= 1.1.1 versions.
Subscriber Arbitrary File Upload in Charity Zone <= 1.1.1 versions.
|
| CVE-2026-40748 |
|
Subscriber Arbitrary File Upload in Kids Gift Shop <= 0.5.4 versions.
Subscriber Arbitrary File Upload in Kids Gift Shop <= 0.5.4 versions.
|
| CVE-2026-39596 |
|
Unauthenticated SQL Injection in Blocksy Companion Pro < 2.1.29 versions.
Unauthenticated SQL Injection in Blocksy Companion Pro < 2.1.29 versions.
|
| CVE-2026-39589 |
|
Subscriber Arbitrary File Upload in Webenvo <= 0.0.6 versions.
Subscriber Arbitrary File Upload in Webenvo <= 0.0.6 versions.
|
| CVE-2026-39529 |
|
Unauthenticated PHP Object Injection in Elementra <= 1.0.9 versions.
Unauthenticated PHP Object Injection in Elementra <= 1.0.9 versions.
|
| CVE-2026-39438 |
|
Unauthenticated SQL Injection in ListingPro <= 2.9.10 versions.
Unauthenticated SQL Injection in ListingPro <= 2.9.10 versions.
|
| CVE-2026-27395 |
|
Unauthenticated Privilege Escalation in Support Board < 3.8.9 versions.
Unauthenticated Privilege Escalation in Support Board < 3.8.9 versions.
|
| CVE-2026-32967 |
|
Authorization Flaw in org.apache.dolphinscheduler:dolphinscheduler-api (CVE-2026-32967)
vulnerability in org.apache.dolphinscheduler:dolphinscheduler-api (CVE-2026-32967). Confidential information can be exposed externally. Mitigation: upgrade to `3.4.2` or later.
|
| CVE-2026-32966 |
|
Authorization Flaw in org.apache.dolphinscheduler:dolphinscheduler-api (CVE-2026-32966)
vulnerability in org.apache.dolphinscheduler:dolphinscheduler-api (CVE-2026-32966). Successful exploitation can lead to full system takeover. Mitigation: upgrade to `3.4.2` or later.
|
| CVE-2026-25446 |
|
Subscriber Arbitrary File Upload in WishList Member X <= 3.29.0 versions.
Subscriber Arbitrary File Upload in WishList Member X <= 3.29.0 versions.
|
| CVE-2026-27429 |
|
Unauthenticated PHP Object Injection in Nifty <= 1.4.1 versions.
Unauthenticated PHP Object Injection in Nifty <= 1.4.1 versions.
|
| CVE-2026-27041 |
|
Contributor Arbitrary File Upload in Unlimited Elements for Elementor (Premium) <= 2.0.6 versions.
Contributor Arbitrary File Upload in Unlimited Elements for Elementor (Premium) <= 2.0.6 versions.
|
| CVE-2026-25470 |
|
Code Injection in wordpress (CVE-2026-25470)
code injection in wordpress (CVE-2026-25470). Successful exploitation can lead to full system takeover.
|
| CVE-2026-24611 |
|
Unauthenticated Broken Access Control in MetForm Pro <= 3.9.1 versions.
Unauthenticated Broken Access Control in MetForm Pro <= 3.9.1 versions.
|