Patch Tuesday — July 2026

2026-07-14 · 772 CVEs

CVEs published or modified the week of 2026-07-14, partitioned by vendor.

Microsoft (3 CVEs)

CVESeverityCVSSKEVPublishedSummary
CVE-2026-58596High8.32026-07-12Untrusted pointer dereference in Microsoft Edge (Chromium-based) allows an unauthorized attacker to elevate privileges over a network.
CVE-2026-58281High8.32026-07-11Deserialization of untrusted data in Microsoft Edge (Chromium-based) allows an unauthorized attacker to execute code over a network.
CVE-2026-57211Medium6.52026-07-10RabbitMQ is a messaging and streaming broker.

Other vendors (769 CVEs across 360 vendors)

Drupal · 46 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2026-11913Critical9.82026-07-10vulnerability in Drupal Mother May I allows .
CVE-2026-12535Critical9.82026-07-10Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Formatter Field allows Object Injection.
CVE-2026-15089Critical9.12026-07-10vulnerability in Drupal Commerce guest registration allows .
CVE-2026-55810High8.12026-07-10Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Plotly.js Graphing allows Object Injection.
CVE-2026-55809High8.12026-07-10Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Flag attendance field allows Object Injection.
CVE-2026-13244High8.12026-07-10Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Tealium iQ Tag Management allows Object Injection.
CVE-2026-15081High7.42026-07-10Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Drupal Location Selector allows SQL Injection.
CVE-2026-13242Medium6.52026-07-10Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Drupal Geolocation Field allows SQL Injection.
CVE-2026-13241Medium6.52026-07-10Missing Authorization vulnerability in Drupal Paragraphs allows Forceful Browsing.
CVE-2026-13240Medium6.52026-07-10Missing Authorization vulnerability in Drupal Paragraphs allows Forceful Browsing.
CVE-2026-13239Medium6.52026-07-10Missing Authorization vulnerability in Drupal WissKI allows Forceful Browsing.
CVE-2026-58588Medium6.12026-07-10Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Drupal Canvas allows Cross-Site Scripting (XSS).
CVE-2026-58587Medium6.12026-07-10Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Drupal Canvas allows Cross-Site Scripting (XSS).
CVE-2026-13234Medium6.12026-07-10Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal AI (Artificial Intelligence) allows Cross-Site Scripting (XSS).
CVE-2026-13231Medium6.12026-07-10Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Advanced Content Feedback (aka admin_feedback) allows Stored XSS.
CVE-2026-15087Medium5.92026-07-10vulnerability in Drupal Clean RESTful allows .
CVE-2026-15086Medium5.92026-07-10vulnerability in Drupal Raw Formatter [Meta Tag Formatter] allows .
CVE-2026-11915Medium5.92026-07-10vulnerability in Drupal Brute force attack protection allows .
CVE-2026-11914Medium5.92026-07-10vulnerability in Drupal Composer allows .
CVE-2026-55806Medium5.92026-07-10URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Drupal Drupal core allows Content Spoofing.
CVE-2026-55804Medium5.92026-07-10Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection.
CVE-2026-55803Medium5.92026-07-10Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection.
CVE-2026-58591Medium5.42026-07-10Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Colorbox allows Cross-Site Scripting (XSS).
CVE-2026-58590Medium5.42026-07-10Missing Authorization vulnerability in Drupal FlowDrop allows Forceful Browsing.
CVE-2026-58589Medium5.42026-07-10Missing Authorization vulnerability in Drupal FlowDrop allows Forceful Browsing.
CVE-2026-55808Medium5.42026-07-10Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Drupal core allows Cross-Site Scripting (XSS).
CVE-2026-15085Medium5.42026-07-10Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal AI SEO/GEO Analyzer allows Stored XSS.
CVE-2026-15084Medium5.42026-07-10Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal UI Patterns (SDC in Drupal UI) allows Stored XSS.
CVE-2026-15082Medium5.42026-07-10Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Siteimprove Analytics allows Cross-Site Scripting (XSS).
CVE-2026-15079Medium5.42026-07-10Improper Restriction of Excessive Authentication Attempts vulnerability in Drupal Login Disable allows Brute Force.
CVE-2026-13243Medium4.82026-07-10Cross-Site Request Forgery (CSRF) vulnerability in Drupal Salesforce Suite allows Cross Site Request Forgery.
CVE-2026-13238Medium4.82026-07-10Incorrect Authorization vulnerability in Drupal Commerce Realex / Global Payments allows Forceful Browsing.
CVE-2026-13237Medium4.82026-07-10Incorrect Authorization vulnerability in Drupal AI Agents allows Forceful Browsing.
CVE-2026-15080Medium4.32026-07-10Cross-Site Request Forgery (CSRF) vulnerability in Drupal Ray Enterprise Translation allows Cross Site Request Forgery.
CVE-2026-15083Medium4.22026-07-10Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal ECA: Event - Condition - Action allows Object Injection.
CVE-2026-13236Medium4.22026-07-10Missing Authorization vulnerability in Drupal AI Agents allows Forceful Browsing.
CVE-2026-13235Low3.32026-07-10Missing Authorization vulnerability in Drupal AI (Artificial Intelligence) allows Forceful Browsing.
CVE-2026-13233Low3.32026-07-10Server-Side Request Forgery (SSRF) vulnerability in Drupal OpenAI Provider allows Server Side Request Forgery.
CVE-2026-11909Low3.32026-07-10Missing Authorization vulnerability in Drupal Examples for Developers allows Forceful Browsing.
CVE-2026-55807Low3.12026-07-10Server-Side Request Forgery (SSRF) vulnerability in Drupal Drupal core allows Server Side Request Forgery.
CVE-2026-13232Low3.12026-07-10Incorrect Authorization vulnerability in Drupal Advanced Content Feedback (aka admin_feedback) allows Forceful Browsing.
CVE-2026-119082026-07-10Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Tagify allows Stored XSS.
CVE-2026-107702026-07-10Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Anti-Spam by CleanTalk allows Reflected XSS.
CVE-2026-107692026-07-10Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Commerce Core allows Stored XSS.
CVE-2026-107682026-07-10Missing Authorization vulnerability in Drupal LocalGov Workflows allows Forceful Browsing.
CVE-2026-97262026-07-10Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal AlternativeCommerce (Basket) allows Object Injection.

Red Hat · 22 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2026-5260High8.22026-05-26A flaw was found in libgnutls.
CVE-2026-42013High8.22026-05-26A flaw was found in gnutls.
CVE-2026-50264High7.82026-06-05An out-of-bounds write flaw was found in the X.Org X server and Xwayland in DRIGetBuffers/DRIGetBuffersWithFormat.
CVE-2026-50261High7.82026-06-05A use-after-free flaw was found in the X.Org X server and Xwayland in SyncChangeCounter().
CVE-2026-50260High7.82026-06-05A use-after-free flaw was found in the X.Org X server and Xwayland in FreeCounter().
CVE-2026-50259High7.82026-06-05A stack-based buffer overflow flaw was found in the X.Org X server and Xwayland.
CVE-2026-50258High7.82026-06-05A stack-based buffer overflow flaw was found in the X.Org X server and Xwayland.
CVE-2026-50257High7.82026-06-05A use-after-free flaw was found in the X.Org X server and Xwayland in miSyncDestroyFence().
CVE-2026-50256High7.82026-06-05A stack-based buffer overflow flaw was found in the X.Org X server and Xwayland.
CVE-2026-11332High7.82026-06-05A flaw was found in ansible-core.
CVE-2026-15584High7.52026-07-13A privilege escalation vulnerability was found in the incluster-checks tool for OpenShift.
CVE-2026-15574High7.52026-07-13A flaw was found in the vllm-orchestrator-gateway component.
CVE-2026-58379High7.32026-07-03A flaw was found in GIMP's Paint Shop Pro (PSP) file format parser.
CVE-2026-42012High7.12026-05-26A flaw was found in gnutls.
CVE-2026-48914Medium6.72026-06-12A flaw was found in QEMU's virtio-blk device.
CVE-2026-42014Medium6.62026-06-16A flaw was found in GnuTLS.
CVE-2026-62147Medium6.52026-07-13The Tempo Operator's gateway component failed to consistently apply namespace-scoped redaction on some query API response paths when query RBAC was enabled, allowing an authenticated user to read span attributes belonging to other tenants'…
CVE-2026-50263Medium5.52026-06-05A use-after-free flaw was found in the X.Org X server and Xwayland in CreateSaverWindow().
CVE-2026-50262Medium5.52026-06-05An out-of-bounds read flaw was found in the X.Org X server and Xwayland in __glXDisp_ChangeDrawableAttributes().
CVE-2026-42015Medium5.32026-05-26A flaw was found in gnutls.
CVE-2026-15028Low3.92026-07-10A flaw was found in libarchive.
CVE-2026-5419Low3.72026-06-01A flaw was found in gnutls.

N/a · 18 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2026-26396High7.52026-07-13OpenBMB XAgent v1.0.0 and before is vulnerable to path traversal in the file() function in XAgent/XAgentServer/application/routers/workspace.py.
CVE-2025-45869High7.32026-07-13LogicalDOC Enterprise Version up to and before v9.1.1 is vulnerable to Server-Side Request Forgery (SSRF).
CVE-2026-15510Medium6.32026-07-12A vulnerability was found in Leantime up to 3.8.0.
CVE-2026-15509Medium6.32026-07-12A vulnerability has been found in Leantime up to 3.8.0.
CVE-2026-15478Medium6.32026-07-12A flaw has been found in IceHRM up to 35.0.1.
CVE-2026-15516Medium5.62026-07-13A vulnerability was detected in MacCMS Pro up to 2022.1000.3005.
CVE-2026-15530Medium5.32026-07-13A flaw has been found in WuzhiCMS up to 4.1.0.
CVE-2026-15533Medium4.72026-07-13A security flaw has been discovered in DedeCMS 5.7.118.
CVE-2026-15605Low3.12026-07-13A security vulnerability has been detected in wandb 0.25.2.dev1.
CVE-2026-525332026-07-13An issue in D-Link DIR-1253 v.1.0.1.250923.142435 allows an attacker to escalate privileges via the etc/shadow component file
CVE-2026-518212026-07-13SQL Injection vulnerability in Shenzhou Shihan Video Conference System v.1.0 allows a remote attacker to execute arbitrary code via the /user/getUserLogin endpoint
CVE-2026-515412026-07-13OpENer 2.3.0 (commit 76b95cf) has an out-of-bounds read issue in CIP message parsing when handling malformed explicit requests with a forged EPath size.
CVE-2026-515402026-07-13OpENer 2.3.0 (master branch up to commit 76b95cf) is vulnerable to a severe memory corruption issue caused by an integer underflow in the processing of connected explicit messages (SendUnitData).
CVE-2026-515392026-07-13A Denial of Service (DoS) vulnerability exists in the receive loop of libmodbus 3.1.12 when running on Windows.
CVE-2026-515382026-07-13EIPStackGroup OpENer 2.3.0 (commit 76b95cf) suffers from an Incorrect Access Control vulnerability in its handling of encapsulation sessions.
CVE-2026-515372026-07-13EIPStackGroup OpENer 2.3.0 (commit 76b95cf) has an out-of-bounds read issue in Connection Manager handling of ForwardOpen requests when processing short malformed packets.
CVE-2026-515362026-07-13In OpENer 2.3.0 (commit 76b95cf) when parsing incoming CIP (Common Industrial Protocol) network packets, the length parameter is inconsistently typed across the call stack.
CVE-2026-390422026-07-13An issue in MikroTIk (SIA Mikrotikls, Latvia) RouterOS 7.21.x before v.7.21.4 and 7.22.x before v.7.22.2 allows a remote attacker to cause a denial of service via the unflatten() function in libumsg.so.

Juniper · 14 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2026-57028High7.32026-07-09An Improper Restriction of Communication Channel to Intended Endpoints vulnerability in Juniper Networks Junos OS Evolved allows an unauthenticated, network-based attacker to cause license exhaustion.
CVE-2026-57032Medium6.52026-07-09An Improper Handling of Undefined Parameters vulnerability in the packet forwarding engine (pfe) of Juniper Networks Junos OS on EX Series devices allows an authenticated attacker with low privileges to cause a Denial-of-Service (DoS).
CVE-2026-57027Medium6.52026-07-09A Missing Release of Memory after Effective Lifetime vulnerability in the packet forwarding engine (pfe) of Juniper Networks Junos OS on specific EX Series devices allows an unauthenticated adjacent attacker to cause a Denial-of-Service (D…
CVE-2026-57020Medium6.52026-07-09An Improper Check for Unusual or Exceptional Conditions vulnerability in the packet forwarding engine (pfe) of Juniper Networks Junos OS on QFX10000 Series allows an unauthenticated, adjacent attacker to cause a Denial-of-Service (DoS).
CVE-2026-57019Medium6.52026-07-09An Improper Validation of Specified Quantity in Input vulnerability in the Packet Forwarding Engine (pfe) of Juniper Networks Junos OS on MX Series allows an unauthenticated, adjacent attacker to cause a Denial-of-Service (DoS).
CVE-2026-33803Medium6.52026-07-09An Improper Restriction of Communication Channel to Intended Endpoints vulnerability in Juniper Networks Junos OS Evolved allows an unauthenticated, network-based attacker to cause a limited information disclosure and availability impact t…
CVE-2026-33801Medium6.52026-07-09An Improper Check for Unusual or Exceptional Conditions vulnerability in the routing protocol daemon (RPD) of Juniper Networks Junos OS and Junos OS Evolved allows an adjacent, unauthenticated attacker sending a specific BGP update over an…
CVE-2026-57030Medium5.92026-07-09A Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') vulnerability in the packet forwarding engine (PFE) of Juniper Networks Junos OS on SRX Series allows an unauthenticated, network-based attacker…
CVE-2026-33794Medium5.92026-07-09An Improper Check for Unusual or Exceptional Conditions vulnerability in the advanced forwarding toolkit (evo-aftmand) of Juniper Networks Junos OS Evolved on PTX Series allows an unauthenticated network-based attacker generating conti…
CVE-2026-57054Medium5.82026-07-09A Use of Incorrectly-Resolved Name or Reference vulnerability in the URL filtering plugin of Juniper Networks Junos OS on MX Series allows an unauthenticated, network-based attacker to bypass web filtering and access downstream resources t…
CVE-2026-57025Medium5.52026-07-09A Return of Pointer Value Outside of Expected Range vulnerability in the fileio library of Juniper Networks Junos OS and Junos OS Evolved allows a local, low-privilged attacker to cause a Denial-of-Service (DoS).
CVE-2026-57029Medium5.32026-07-09A Missing Synchronization vulnerability in the flow collector handler of Juniper Networks Junos OS Evolved on QFX Series allows an adjacent, unauthenticated attacker to cause a Denial-of-Service (DoS).
CVE-2026-57021Medium5.32026-07-09An Out-of-bounds Write vulnerability in the http-gatekeeper (http-gk) of Juniper Networks Junos OS on SRX Series allows an unauthenticated, network-based attacker to cause a Denial-of-Service (DoS).
CVE-2026-33799Medium4.32026-07-09An Out-of-bounds Write vulnerability in the SNMP daemon (snmpd) of Juniper Networks Junos OS and Junos OS Evolved allows an authenticated network-based attacker sending specific valid SNMPv3 queries to trigger a memory leak.

Openclaw · 14 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2026-62200High8.82026-07-13OpenClaw versions before 2026.6.1 contain a flaw in host exec environment filtering that could allow Git ext transport to be abused.
CVE-2026-62199High8.82026-07-13OpenClaw versions before 2026.6.6 contain a flaw in host exec environment filtering that can miss interpreter startup variables.
CVE-2026-62194High8.82026-07-13OpenClaw versions 2026.5.20 before 2026.6.9 contain a privilege escalation vulnerability in plugin install commands that allows lower-trust callers to execute or persist actions beyond their intended authorization.
CVE-2026-62190High8.82026-07-13OpenClaw versions before 2026.6.9 contain an authorization bypass vulnerability in the flock wrapper that allows lower-trust callers to execute or persist actions beyond their intended authorization.
CVE-2026-62197High8.52026-07-13OpenClaw before 2026.6.6 contains a policy bypass vulnerability in browser CDP discovery that accepts blocked WebSocket URLs.
CVE-2026-62196High8.32026-07-13OpenClaw versions 2026.3.22 before 2026.6.6 contain an authorization bypass vulnerability where WhatsApp group IDs can satisfy elevated sender allowlists.
CVE-2026-62195High8.32026-07-13OpenClaw versions 2026.5.20 before 2026.6.6 contain an authorization bypass vulnerability in the MCP loopback feature that allows lower-trust callers to execute owner-only tools.
CVE-2026-62192High8.12026-07-13OpenClaw versions 2026.6.6 before 2026.6.9 contain an authorization bypass vulnerability in Discord guild actions that allows lower-trust callers to perform actions requiring stronger authorization checks.
CVE-2026-62187High8.12026-07-13OpenClaw Feishu tools (npm package @openclaw/feishu) in versions <= 2026.6.6 could ignore per-account disablement.
CVE-2026-62186High7.62026-07-13OpenClaw versions before 2026.6.8 contain an authorization bypass vulnerability in OpenAI-compatible HTTP model overrides that allows lower-trust callers to perform actions requiring stronger authorization checks.
CVE-2026-62191High7.12026-07-13OpenClaw versions 2026.6.6 before 2026.6.9 contain an authorization bypass vulnerability in message mutation handling that allows lower-trust callers to perform actions requiring stronger authorization checks.
CVE-2026-62189High7.12026-07-13OpenClaw versions before 2026.6.9 contain a symlink following vulnerability in the mirror sync feature that allows lower-trust callers to perform actions requiring stronger authorization.
CVE-2026-62193Medium4.92026-07-13OpenClaw versions 2026.6.5 before 2026.6.9 contain a vulnerability in the plugin install wrappers that could skip the install policy (authorization) check.
CVE-2026-62198Medium4.32026-07-13OpenClaw versions 2026.5.28 before 2026.6.6 contain an authorization bypass vulnerability in native web search that allows lower-trust callers to perform actions requiring stronger policy checks.

Grokability · 13 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2026-55469Medium6.52026-07-10Snipe-IT is an IT asset/license management system.
CVE-2026-55843Medium6.52026-07-10Snipe-IT is an IT asset/license management system.
CVE-2026-55461Medium6.12026-07-10Snipe-IT is an IT asset/license management system.
CVE-2026-55475Medium5.72026-07-10Snipe-IT is an IT asset/license management system.
CVE-2026-55464Medium5.42026-07-10Snipe-IT is an IT asset/license management system.
CVE-2026-55515Medium5.02026-07-10Snipe-IT is an IT asset/license management system.
CVE-2026-55462Medium4.32026-07-10Snipe-IT is an IT asset/license management system.
CVE-2026-55476Medium4.32026-07-10Snipe-IT is an IT asset/license management system.
CVE-2026-55472Medium4.32026-07-10Snipe-IT is an IT asset/license management system.
CVE-2026-554812026-07-10Snipe-IT is an IT asset/license management system.
CVE-2026-554792026-07-10Snipe-IT is an IT asset/license management system.
CVE-2026-554662026-07-10Snipe-IT is an IT asset/license management system.
CVE-2026-554522026-07-10Snipe-IT is an IT asset/license management system.

Mozilla · 13 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2026-12297Critical9.62026-06-16Sandbox escape due to incorrect boundary conditions in the Networking component.
CVE-2026-12296Critical9.62026-06-16Sandbox escape in the Security: Process Sandboxing component.
CVE-2026-12295Critical9.62026-06-16Sandbox escape in the DOM: Navigation component.
CVE-2026-12294Critical9.62026-06-16Sandbox escape in the DOM: Workers component.
CVE-2026-12291High8.82026-06-16Use-after-free in the Networking: HTTP component.
CVE-2026-12289High8.82026-06-16Privilege escalation in the Graphics: WebRender component.
CVE-2026-12328High8.12026-06-16Memory safety bugs present in Firefox ESR 115.36, Firefox ESR 140.11, Thunderbird ESR 140.11, Firefox 151 and Thunderbird 151.
CVE-2026-12292High8.12026-06-16Incorrect boundary conditions in the Web Audio component.
CVE-2026-12290High8.12026-06-16Memory safety bug fixed in Firefox 152.
CVE-2026-12299Medium5.42026-06-16JIT miscompilation in the DOM: Core & HTML component.
CVE-2026-12298Medium5.42026-06-16Memory safety bug fixed in Firefox 152.
CVE-2026-14906Medium5.32026-07-13Pages with malicious titles could potentially allow saved PDF content to overwrite PDF files or bundled content within the Firefox for iOS application sandbox.
CVE-2026-12329Medium5.32026-06-16Memory safety bug fixed in Thunderbird ESR 140.12.

Palo Alto Networks · 11 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2026-0284Critical9.92026-07-09An XML injection vulnerability in the Large Scale VPN (LSVPN) functionality of Palo Alto Networks PAN-OS® software enables an unauthenticated attacker with network access to inject malicious XML content, potentially leading to information…
CVE-2026-0287High7.52026-07-09Multiple denial of service vulnerabilities in Palo Alto Networks PAN-OS® software allow an unauthenticated attacker with network access to cause a denial of service (DoS) condition by sending specially crafted network traffic to or through…
CVE-2026-0286High7.22026-07-09A command injection vulnerability in the management plane of Palo Alto Networks PAN-OS® software enables an authenticated administrator to execute arbitrary OS commands as root.
CVE-2026-0283High7.22026-07-09An authentication bypass vulnerability in Large Scale VPN ( LSVPN) functionality of Palo Alto Networks PAN-OS software allows an attacker with network access to bypass security restrictions and establish an unauthorized site-to-site VPN co…
CVE-2026-0280High7.22026-07-09An IPv6 packet processing vulnerability in the dataplane of Palo Alto Networks PAN-OS® software enables an unauthenticated attacker to bypass firewall security policy enforcement, allowing network traffic that should be blocked to reach pr…
CVE-2026-0281High7.12026-07-09An information disclosure vulnerability in Palo Alto Networks PAN-OS® software enables an unauthenticated attacker with network access to the management web interface to obtain web session tokens.
CVE-2026-0282Medium6.52026-07-09A file deletion vulnerability in Palo Alto Networks PAN-OS® software enables an unauthenticated attacker with network access to the management web interface to delete files from a temporary directory.
CVE-2026-0279Medium6.12026-07-09Multiple cross site scripting vulnerabilities in the User-ID™ Authentication Portal (aka Captive Portal) service, GlobalProtect™ gateway/portal features and Clientless VPN of Palo Alto Networks PAN-OS® software enables a malicious unauthen…
CVE-2026-0269Medium5.72026-06-10A memory corruption vulnerability in the processing of tunnel traffic in Palo Alto Networks PAN-OS® software allows an authenticated user to initiate system reboots using a maliciously crafted packet.
CVE-2026-0285Medium4.92026-07-09A server-side request forgery (SSRF) vulnerability in Palo Alto Networks PAN-OS software enables an authenticated administrator with network access to the management web interface to make unauthorized requests from the firewall to internal…
CVE-2026-0266Medium4.82026-06-10A cross-site scripting (XSS) vulnerability in Palo Alto Networks PAN-OS® software enables a malicious authenticated administrator to store a JavaScript payload using the web interface.

Unknown · 11 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2026-11964Critical9.12026-07-13The User Registration & Membership WordPress plugin before 5.2.2 does not verify the authenticity of incoming payment-provider webhook notifications before acting on them, allowing unauthenticated attackers to forge a payment-approved eve…
CVE-2026-12582High8.62026-07-13The Library Management System WordPress plugin before 3.5.8 does not sanitize and escape a user-supplied parameter before using it in a SQL statement, allowing unauthenticated attackers to perform SQL injection and extract arbitrary data f…
CVE-2026-11963High8.12026-07-13The User Registration & Membership WordPress plugin before 5.2.2 does not perform an authorization check on a membership-upgrade action and derives the user to modify from a caller-supplied identifier instead of the current user, allowing…
CVE-2026-12275High7.12026-07-13The Tutor LMS WordPress plugin before 3.9.13 does not, in its Droip and Kirki page-builder integration, perform the enrollment, purchase, and private-course capability checks it enforces in its core course handler, allowing authenticated…
CVE-2026-12274Medium6.52026-07-13The Tutor LMS WordPress plugin before 3.9.13 does not verify that the requesting user is allowed to edit a target post before overwriting it in one of its content-builder save handlers, authorizing the request only against an unrelated id…
CVE-2026-10551Medium6.12026-07-13The Breeze Cache WordPress plugin before 2.5.6 is vulnerable to unauthenticated Stored Cross-Site Scripting (XSS) due to a predictable replacement hash used during the HTML minification process and abusing a regular expression.
CVE-2026-12396Medium5.42026-07-13The WP Job Portal WordPress plugin before 2.5.5 does not perform capability or ownership checks before allowing job moderation actions, allowing authenticated users with a subscriber-level (self-registerable) account to approve, feature…
CVE-2026-12271Medium5.42026-07-13The Tutor LMS WordPress plugin before 3.9.13 does not verify ownership of the targeted quiz attempt before writing to it, allowing authenticated users with subscriber-level access and above to modify and force-complete other students' qui…
CVE-2026-12081Medium5.02026-07-13The Database for Contact Form 7, WPforms, Elementor forms WordPress plugin before 1.5.2 does not restrict the PHP classes allowed when unserializing an attacker-supplied form-field value, allowing unauthenticated users to inject arbitrary…
CVE-2026-12397Medium4.32026-07-13The WP Job Portal WordPress plugin before 2.5.5 does not verify ownership when returning an employer's contact email for a given job, allowing authenticated users with a subscriber-level (self-registerable) account to read other employers…
CVE-2026-12273Medium4.32026-07-13The Tutor LMS WordPress plugin before 3.9.13 does not perform any authorization or post-target validation before creating a comment in one of its handlers, and stores the comment pre-approved, allowing authenticated users with subscriber-…

Broadcom · 10 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2026-57215High8.82026-07-10RabbitMQ is a messaging and streaming broker.
CVE-2026-57212High7.72026-07-10RabbitMQ is a messaging and streaming broker.
CVE-2026-57220High7.52026-07-10RabbitMQ is a messaging and streaming broker.
CVE-2026-57219High7.52026-07-10RabbitMQ is a messaging and streaming broker.
CVE-2026-57216Medium6.82026-07-10RabbitMQ is a messaging and streaming broker.
CVE-2026-57218Medium6.52026-07-10RabbitMQ is a messaging and streaming broker.
CVE-2026-57217Medium6.52026-07-10RabbitMQ is a messaging and streaming broker.
CVE-2026-57214Medium5.42026-07-10RabbitMQ is a messaging and streaming broker.
CVE-2026-57221Medium5.02026-07-10RabbitMQ is a messaging and streaming broker.
CVE-2026-57213Medium4.82026-07-10RabbitMQ is a messaging and streaming broker.

Eleveo · 10 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2026-15473Medium6.32026-07-12A vulnerability was identified in Eleveo Call Recording Software 9.7.0.
CVE-2026-15376Medium6.32026-07-10A vulnerability was found in Eleveo Call Recording Software 9.7.0.
CVE-2026-15374Medium6.32026-07-10A flaw has been found in Eleveo Call Recording Software 9.7.0.
CVE-2026-15373Medium6.32026-07-10A vulnerability was detected in Eleveo Call Recording Software 9.7.0.
CVE-2026-15474Medium4.32026-07-12A security flaw has been discovered in Eleveo Call Recording Software 9.7.0.
CVE-2026-15472Medium4.32026-07-12A vulnerability was determined in Eleveo Call Recording Software 9.7.0.
CVE-2026-15471Medium4.32026-07-12A vulnerability was found in Eleveo Call Recording Software 9.7.0.
CVE-2026-15470Medium4.32026-07-12A vulnerability has been found in Eleveo Call Recording Software 9.7.0.
CVE-2026-15377Medium4.32026-07-10A vulnerability was determined in Eleveo Call Recording Software 9.7.0.
CVE-2026-15375Medium4.32026-07-10A vulnerability has been found in Eleveo Call Recording Software 9.7.0.

Linuxfoundation · 10 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2026-58253High8.82026-07-08NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system.
CVE-2026-58250High7.52026-07-08NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system.
CVE-2026-58210High7.52026-07-08NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system.
CVE-2026-58213High7.12026-07-08NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system.
CVE-2026-58254Medium6.52026-07-08NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system.
CVE-2026-58252Medium6.52026-07-08NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system.
CVE-2026-58251Medium6.52026-07-08NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system.
CVE-2026-44512Medium5.52026-07-08Open Neural Network Exchange (ONNX) is an open standard for machine learning interoperability.
CVE-2026-58214Medium4.32026-07-08NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system.
CVE-2026-58209Medium4.32026-07-08NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system.

Mattermost · 10 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2026-6850Medium6.52026-07-13Mattermost versions 11.7.x <= 11.7.2, 11.6.x <= 11.6.4, 10.11.x <= 10.11.19 fail to validate the length and content of message attachment field values, which allows an authenticated attacker to cause a denial of service for all users in a…
CVE-2026-10106Medium6.52026-07-13Mattermost versions 11.7.x <= 11.7.2, 11.6.x <= 11.6.4, 10.11.x <= 10.11.19 fail to verify that the channel referenced in an action cookie matches the channel of the target post, which allows an authenticated user without access to a priva…
CVE-2026-9571Medium5.92026-07-13Mattermost versions 11.7.x <= 11.7.2, 11.6.x <= 11.6.4, 10.11.x <= 10.11.19 fail to invalidate OAuth refresh tokens upon user account deactivation, which allows a deactivated user or an attacker in possession of a valid refresh token to ob…
CVE-2026-9597Medium5.42026-07-13Mattermost versions 11.7.x <= 11.7.2, 11.6.x <= 11.6.4 fail to verify whether a guest account is deactivated before creating a session in the magic-link token login path, which allows a deactivated guest user to obtain a fully functional s…
CVE-2026-10085Medium5.42026-07-13Mattermost versions 11.7.x <= 11.7.2, 11.6.x <= 11.6.4, 10.11.x <= 10.11.19 fail to restrict the group_constrained channel flag to public and private channels that support group synchronization, which allows an ordinary group or direct mes…
CVE-2026-9708Medium4.92026-07-13Mattermost versions 11.7.x <= 11.7.2, 11.6.x <= 11.6.4, 10.11.x <= 10.11.19 fail to validate that an assigned incoming webhook user has access to the target team or channel, which allows a requester with webhook management permissions to c…
CVE-2026-9824Medium4.32026-07-13Mattermost versions 11.7.x <= 11.7.2, 11.6.x <= 11.6.4, 10.11.x <= 10.11.19 fail to check the manage_shared_channels permission in the /share-channel autocomplete handler, which allows an authenticated user without that permission to enume…
CVE-2026-6541Medium4.32026-07-13Mattermost versions 11.7.x <= 11.7.1, 11.6.x <= 11.6.4, 10.11.x <= 10.11.19 fail to restrict metric configuration changes to the playbook being saved, which allows an authenticated user with team access to alter another user’s playbook met…
CVE-2026-10103Medium4.32026-07-13Mattermost versions 11.7.x <= 11.7.2, 11.6.x <= 11.6.4, 10.11.x <= 10.11.19 fail to verify post ownership in the shared channel inbound sync handler, which allows an authenticated remote cluster to modify or delete posts authored by local…
CVE-2026-9820Low3.82026-07-13Mattermost versions 11.7.x <= 11.7.2, 10.11.x <= 10.11.19 fail to sanitize team objects returned by the scheme teams endpoint, which allows a user with the User Manager role to obtain invite links for private teams and use them to join or…

Capgo · 9 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2026-56241High8.32026-07-12Capgo before 12.128.2 contains a privilege escalation vulnerability where demoted super_admin users retain access to delete_non_compliant_bundles and count_non_compliant_bundles RPCs due to stale org_users.user_right column not being clear…
CVE-2026-56313High8.12026-07-12Capgo before 12.128.2 contains a cross-organization account disruption vulnerability in the SSO prelink endpoint that allows enterprise administrators to delete password identities of users in foreign organizations.
CVE-2026-56238High7.52026-07-12Capgo before 12.128.2 contains an information disclosure vulnerability in the Supabase PostgREST global_stats endpoint that allows unauthenticated attackers to read sensitive financial and operational metrics using only the public apikey.
CVE-2026-56303High7.52026-07-11Capgo before 12.128.2 contains an information disclosure vulnerability in the find_apikey_by_value PostgreSQL function marked SECURITY DEFINER and executable by the anon role.
CVE-2026-56308High7.32026-07-12Capgo before 12.128.2 allows email address changes without requiring current password re-authentication or verification of the existing email address.
CVE-2026-56252Medium5.42026-07-12Capgo before 12.128.2 contains a scope isolation vulnerability in the POST /webhooks/test endpoint that allows app-scoped API keys to invoke org-scoped webhook operations.
CVE-2026-56336Medium5.32026-07-12Capgo before 12.128.2 contains an information disclosure vulnerability in the unauthenticated /private/sso/check-domain endpoint that returns internal org_id and provider_id values.
CVE-2026-56240Medium4.32026-07-11Capgo before 12.128.12 contains a billing authorization bypass vulnerability in the plan_valid calculation that allows organizations with exhausted or expired usage credit grants to bypass billing gates.
CVE-2026-56281Low3.82026-07-12Capgo before 12.128.2 contains a sql injection vulnerability in the POST /private/admin_stats endpoint where the limit parameter is destructured from unvalidated request body and interpolated directly into Cloudflare Analytics Engine SQL q…

Evbee · 9 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2026-221032026-07-13The NPC start endpoint on the web server at port 8090 is vulnerable to command injection.
CVE-2026-221022026-07-13A POST request sent to a specific webserver endpoint can be used to write to arbitrary file locations.
CVE-2026-221002026-07-13The OCPP DataTransfer message `ReserveLogin` is vulnerable to command injection.
CVE-2026-220992026-07-13The charging station does not require authentication for Bluetooth commands to perform actions.
CVE-2026-220982026-07-13Various sensitive information such as passwords and charging card UIDs are written to log files.
CVE-2026-220972026-07-13The firmware update mechanism does not include cryptographic signature validation.
CVE-2026-220962026-07-13The webserver running on port 8090 does not require authentication.
CVE-2026-220952026-07-13The network diagnosis endpoint on the web server at port 8090 is vulnerable to command injection.
CVE-2026-220932026-07-13The EVbee Service Android app uses TLS encrypted communication (HTTPS), but does not validate the certificate provided by the server.

Golang · 9 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2026-46595Critical10.02026-05-22Previously, CVE-2024-45337 fixed an authorization bypass for misused ssh server configurations; if any other type of callback is passed other than public key, then the source-address validation would be skipped.
CVE-2026-39821Critical9.62026-05-22The ToASCII and ToUnicode functions incorrectly accept Punycode-encoded labels that decode to an ASCII-only label.
CVE-2026-39830Critical9.12026-05-22A malicious SSH peer could send unsolicited global request responses to fill an internal buffer, blocking the connection's read loop.
CVE-2026-39822High7.82026-07-08On Unix systems, opening a file in an os.Root improperly follows symlinks to locations outside of the Root when the final path component of the a path is a symbolic link and the path ends in /.
CVE-2023-54365High7.52026-06-23Traefik before 2.10.5 and 3.0.0-beta4 is affected by a denial-of-service vulnerability in HTTP/2 request handling inherited from the Go standard library's HTTP/2 implementation (CVE-2023-44487 / CVE-2023-39325, the 'Rapid Reset' technique).
CVE-2026-39829High7.52026-05-22The RSA and DSA public key parsers did not enforce size limits on key parameters.
CVE-2026-39828Medium6.32026-05-22When an SSH server authentication callback returned PartialSuccessError with non-nil Permissions, those permissions were silently discarded, potentially dropping certificate restrictions such as force-command after a second factor succeede…
CVE-2026-42505Medium5.32026-07-08Handshakes which used Encrypted Client Hello could be de-anonymized by a passive network observer due to a disclosure of pre-shared key identities in the unencrypted client hello.
CVE-2026-39835Medium5.32026-05-22SSH servers which use CertChecker as a public key callback without setting IsUserAuthority or IsHostAuthority could be caused to panic by a client presenting a certificate.

Mervinpraison · 9 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2026-61447Critical10.02026-07-11PraisonAI before 1.6.78 contains a remote code execution vulnerability in CodeAgent._execute_python() that executes LLM-generated Python code without AST validation, import restrictions, or sandbox enforcement.
CVE-2026-61445Critical9.92026-07-11PraisonAI before 4.6.78 contains arbitrary file write and command execution vulnerabilities in the AICoder component due to missing path validation and command sanitization in LLM tool calls.
CVE-2026-60090Critical9.82026-07-11PraisonAI before 4.6.78 fails to validate the caller-controlled dimension argument in the PGVector and Cassandra knowledge-store create_collection() backends.
CVE-2026-61426High8.62026-07-11PraisonAI before 1.7.3 contains an insecure default configuration that binds to all interfaces with no API key requirement and wildcard CORS.
CVE-2026-61429High8.52026-07-11PraisonAI versions before 1.6.78 contain a server-side request forgery vulnerability in the Crawl4AI/Chromium backend that allows attackers to bypass SSRF validation by exploiting DNS rebinding and HTTP redirects.
CVE-2026-61439High7.52026-07-11PraisonAI versions before 4.6.78 contain a prompt injection defense misconfiguration where the block threshold defaults to CRITICAL severity, allowing HIGH-level threats to pass through unblocked.
CVE-2026-61428High7.32026-07-11PraisonAI AgentMail versions before 4.6.78 lack signature verification in webhook mode, allowing unauthenticated attackers to inject messages with spoofed sender addresses.
CVE-2026-61442High7.12026-07-11PraisonAI Platform (praisonai-platform) before 0.1.9 fails to enforce owner/admin authorization on the PATCH routes for projects, issues, and agents, which only require workspace-member role.
CVE-2026-60088Medium5.52026-07-11PraisonAI before 4.6.78 fails to validate file path references in custom command templates, allowing attackers to read files outside the workspace.

Unattributed · 9 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2026-61500Critical9.82026-07-13Rejetto HFS 3.0.0 through 3.2.0 derives its session-cookie signing key from the non-cryptographic Math.random() generator and discloses outputs of the same generator to unauthenticated clients during login.
CVE-2026-61498Critical9.82026-07-13Vitec Flamingo 4.12.2 contains an unauthenticated OS command injection vulnerability in the admin/ajax/gen_graphs.php endpoint that allows remote unauthenticated attackers to execute arbitrary commands by supplying shell metacharacters in…
CVE-2026-20744Critical9.82026-07-10The charging station websocket endpoint accepts connections without proper authentication, which could lead to privilege escalation.
CVE-2026-57855High8.82026-07-13Cockpit CMS contains a missing authorization vulnerability in the Bucket file storage API (/system/buckets/api).
CVE-2026-62188High8.12026-07-13OpenClaw @openclaw/feishu versions 2026.6.6 and earlier contain an incorrect authorization vulnerability in which the Feishu permission tools could ignore per-account disablement settings.
CVE-2026-61501Medium6.12026-07-13Rejetto HFS 3.0.0 through 3.2.0 renders log entries in the administration panel as HTML without sanitization.
CVE-2026-6804Medium5.32026-07-11The AI Chatbot & Workflow Automation by AIWU plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.4.12.
CVE-2026-581022026-07-13Crypt::OpenSSL::X509 versions before 2.1.3 for Perl allow a heap out-of-bounds read via a long certificate extension OID in hv_exts.
CVE-2026-558832026-07-10Tilt defines dev environments as code for microservice apps on Kubernetes.

Frappe · 8 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2026-585032026-07-10Frappe is a full-stack web application framework.
CVE-2026-558522026-07-10Frappe is a full-stack web application framework.
CVE-2026-493942026-07-10Frappe is a full-stack web application framework.
CVE-2026-481272026-07-10Frappe is a full-stack web application framework.
CVE-2026-474222026-07-10Frappe is a full-stack web application framework.
CVE-2026-471992026-07-10Frappe is a full-stack web application framework.
CVE-2026-422192026-07-10Frappe is a full-stack web application framework.
CVE-2026-414822026-07-10Frappe is a full-stack web application framework.

Gnu · 8 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2026-42009High7.52026-05-18A flaw was found in gnutls.
CVE-2026-56289Medium5.52026-07-09GNU patch is vulnerable to a denial of service (DoS) due to improper validation of hunk (single block of changes in diff) line offsets in unified-diff input.
CVE-2026-56288Medium5.52026-07-09GNU patch is vulnerable to a NULL pointer dereference when processing a specially crafted unified-diff patch file.
CVE-2026-15520Medium5.32026-07-13A vulnerability was determined in GNU LibreDWG 0.13.4-154-g0b573035.
CVE-2026-405532026-07-13Buffer overflow vulnerability has been found in "extension/readdir.c" program file of gawk (ftype() routine).
CVE-2026-404692026-07-13Integer overflow vulnerability has been found in "builtin.c" program file of gawk (do_sub() routine).
CVE-2026-404682026-07-13Integer overflow vulnerability has been found in "builtin.c" program file of gawk.
CVE-2026-404672026-07-13Use After Free vulnerability has been found in "io.c" program file of gawk (do_getline_redir() routine).

Imagemagick · 8 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2026-61861Low3.72026-07-11ImageMagick before 7.1.2-26 contains a use-after-free vulnerability in the FormatMagickCaption method when memory allocation fails.
CVE-2026-61857Low3.72026-07-11ImageMagick before 7.1.2-26 contains a heap use-after-free vulnerability caused by missing null check when parsing XMP profiles.
CVE-2026-56373Low3.72026-07-10ImageMagick before 7.1.2-15 contains a use-after-free vulnerability in the PDB decoder that uses a stale pointer when memory allocation fails.
CVE-2026-61858Low3.32026-07-11ImageMagick before 7.1.2-26 contains a policy bypass vulnerability in the APNG encoder and external delegates due to missing validation checks.
CVE-2026-61465Low3.32026-07-11ImageMagick before 7.1.2-26 and 6.9.13-51 is missing a check for the allowed memory allocation limit in matrix-backed operations such as -canny.
CVE-2026-56372Low3.32026-07-11ImageMagick before 7.1.2-19 contains a heap buffer overflow vulnerability in the magnify operation that allows attackers to read out of bounds memory.
CVE-2026-56366Low3.32026-07-10ImageMagick before 7.1.2-18 contains a memory leak vulnerability in the META reader when processing APP1JPEG input paths.
CVE-2026-61870Low2.92026-07-11ImageMagick before 7.1.2-26 contains a memory leak vulnerability in the VIFF encoder when memory allocation fails.

Sourcecodester · 7 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2026-15597High7.32026-07-13A security flaw has been discovered in SourceCodester Class and Exam Timetabling System 1.0/2.php.
CVE-2026-15537High7.32026-07-13A security flaw has been discovered in SourceCodester Online Book Store System 1.0.
CVE-2026-15539Medium4.72026-07-13A security vulnerability has been detected in SourceCodester Online Book Store System 1.0.
CVE-2026-15596Medium4.32026-07-13A vulnerability was identified in SourceCodester Class and Exam Timetabling System 1.0.
CVE-2026-15595Medium4.32026-07-13A vulnerability was determined in SourceCodester Class and Exam Timetabling System 1.0.
CVE-2026-15540Medium4.32026-07-13A vulnerability was detected in SourceCodester Online Book Store System 1.0.
CVE-2026-15532Low2.42026-07-13A vulnerability was identified in SourceCodester Online Book Store System 1.0.

Trendnet · 7 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2026-15484High8.82026-07-12A vulnerability was detected in TRENDnet TEW-821DAP 1.12B01.
CVE-2026-15483High8.82026-07-12A security vulnerability has been detected in TRENDnet TEW-821DAP 1.12B01.
CVE-2026-15481High8.82026-07-12A security flaw has been discovered in Trendnet TEW-635BRM up to 1.00.03.
CVE-2026-15480High8.82026-07-12A vulnerability was identified in Trendnet TEW-635BRM up to 1.00.03.
CVE-2026-15487Medium6.32026-07-12A vulnerability was found in TRENDnet TEW-821DAP 1.11B03.
CVE-2026-15486Medium6.32026-07-12A vulnerability has been found in TRENDnet TEW-821DAP 1.11B03.
CVE-2026-15485Medium6.32026-07-12A flaw has been found in TRENDnet TEW-821DAP 1.11B03.

Zephyrproject · 7 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2026-10666High8.12026-07-12parse_ipv4() in subsys/net/ip/utils.c (reached via net_ipaddr_parse() for strings of the form "a.b.c.d:port") copies the port substring into a fixed 17-byte stack buffer (char ipaddr[NET_IPV4_ADDR_LEN + 1]) using a length of str_len - end…
CVE-2026-10667High7.82026-07-12Zephyr's dynamic kernel-object tracking (kernel/userspace/userspace.c, formerly kernel/userspace.c) maintains a doubly-linked list (obj_list) of dynamically allocated kernel objects.
CVE-2026-10665High7.42026-07-12In Zephyr's WireGuard subsystem (subsys/net/lib/wireguard), wg_process_data_message() in wg_crypto.c linearizes an inbound transport-data payload into a fixed pool buffer of CONFIG_WIREGUARD_BUF_LEN bytes before decryption.
CVE-2026-10660Medium6.42026-07-11The Bluetooth BAP Broadcast Assistant GATT client in subsys/bluetooth/audio/bap_broadcast_assistant.c reassembled remote Broadcast Receive State data into a single file-static net_buf_simple (att_buf, BT_ATT_MAX_ATTRIBUTE_LEN = 512 bytes)…
CVE-2026-10663Medium6.12026-07-12In Zephyr's experimental USB host stack (CONFIG_USB_HOST_STACK), usbh_device_disconnect() (subsys/usb/host/usbh_device.c) freed the root usb_device slab object without clearing the cached pointer ctx->root.
CVE-2026-10664Medium5.02026-07-12The nRF70 Wi-Fi driver's power-save event handler nrf_wifi_event_proc_get_power_save_info() in drivers/wifi/nrf_wifi/src/wifi_mgmt.c copied TWT (Target Wake Time) flow entries from an nrf_wifi_umac_event_power_save_info event into the fixe…
CVE-2026-10668Low2.42026-07-12The Nuvoton NuMaker HSUSBD USB device-controller driver (drivers/usb/udc/udc_numaker.c) armed the control Data IN stage unconditionally (base->CEPTXCNT = len in numaker_hsusbd_ep_trigger).

Freerdp · 5 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2026-45700Critical9.82026-05-29FreeRDP is a free implementation of the Remote Desktop Protocol.
CVE-2026-57158Critical9.12026-07-10FreeRDP is a free implementation of the Remote Desktop Protocol.
CVE-2026-55827High7.52026-07-10FreeRDP is a free implementation of the Remote Desktop Protocol.
CVE-2026-57157Medium6.52026-07-10FreeRDP is a free implementation of the Remote Desktop Protocol.
CVE-2026-571562026-07-10FreeRDP is a free implementation of the Remote Desktop Protocol.

Imagination Technologies · 5 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2026-7639High7.82026-07-10Software installed and run as a non-privileged user may conduct a sequence of improper GPU system calls causing use after free, which helps in facilitating unprivileged memory access from a shader code.
CVE-2026-45203High7.82026-07-10Kernel software installed and running inside a Host VM may post improper commands to the GPU Firmware to trigger a memory write outside the permitted range of memory for the host kernel.
CVE-2026-45196High7.82026-07-10Kernel software installed and running inside a Host VM may post improper commands to the GPU Firmware to trigger a GPU register access which can lead to privilege escalation.
CVE-2026-41154High7.82026-07-10Software installed and run as a non-privileged user may cause OOB kernel memory reads or writes through GPU API calls.
CVE-2026-34196High7.82026-07-10Software installed and run as a non-privileged user may conduct improper GPU system calls to cause an integer overflow and map two GPU virtual addresses to the same physical address.

Shibby · 5 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2026-15548High8.82026-07-13A security vulnerability has been detected in Shibby Tomato up to 1.28.0000.
CVE-2026-15545High8.82026-07-13A vulnerability was identified in Shibby Tomato up to 1.28.0000.
CVE-2026-15544High8.82026-07-13A vulnerability was determined in Shibby Tomato up to 1.28.0000.
CVE-2026-15547Medium6.32026-07-13A weakness has been identified in Shibby Tomato up to 1.28.0000.
CVE-2026-15546Medium6.32026-07-13A security flaw has been discovered in Shibby Tomato up to 1.28.0000.

Themeum · 5 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2026-57724Critical9.82026-07-13Deserialization of Untrusted Data vulnerability in Themeum Kirki kirki allows Object Injection.This issue affects Kirki: from n/a through <= 6.0.12.
CVE-2026-57726Critical9.32026-07-13Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Themeum Kirki kirki allows Blind SQL Injection.This issue affects Kirki: from n/a through <= 6.0.12.
CVE-2026-57727High7.52026-07-13Missing Authorization vulnerability in Themeum Kirki kirki allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Kirki: from n/a through <= 6.0.13.
CVE-2026-57725High7.12026-07-13Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themeum Kirki kirki allows Stored XSS.This issue affects Kirki: from n/a through <= 6.0.11.
CVE-2026-57694Medium6.52026-07-13Authorization Bypass Through User-Controlled Key vulnerability in Themeum Tutor LMS tutor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Tutor LMS: from n/a through <= 3.9.13.

Berriai · 4 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2026-59822High8.22026-07-08LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format.
CVE-2026-59821High7.22026-07-08LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format.
CVE-2026-59820Medium6.52026-07-08LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format.
CVE-2026-59819Medium4.92026-07-08LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format.

Churchcrm · 4 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2026-58409Critical9.12026-07-13ChurchCRM is an open-source church management system.
CVE-2026-58410High7.12026-07-13ChurchCRM is an open-source church management system.
CVE-2026-58408Medium6.52026-07-13ChurchCRM is an open-source church management system.
CVE-2026-584112026-07-13ChurchCRM is an open-source church management system.

Decolua · 4 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2026-59801Critical9.82026-07-139Router through version 0.4.41 contains an unauthenticated access vulnerability that allows remote attackers to interact with provider management API endpoints by sending requests without any credentials due to missing authentication middl…
CVE-2026-62327Critical9.12026-07-139Router through version 0.4.41 contain an unauthenticated information disclosure vulnerability that allows remote attackers to retrieve plaintext API keys for all connected AI provider accounts by sending a single unauthenticated request t…
CVE-2026-62328High7.52026-07-139Router through version 0.4.41 contain an unauthenticated information disclosure vulnerability that allows remote attackers to access sensitive user data by sending requests to unprotected API endpoints.
CVE-2026-56676High7.42026-07-109Router is an AI router & token saver.

Hedgedoc · 4 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2026-584892026-07-13HedgeDoc is an open source, real-time collaborative markdown notes application.
CVE-2026-584882026-07-13HedgeDoc is an open source, real-time, collaborative, markdown notes application.
CVE-2026-584872026-07-13HedgeDoc is an open source, real-time, collaborative, markdown notes application.
CVE-2026-584862026-07-13HedgeDoc is an open source, real-time, collaborative, markdown notes application.

Linux · 4 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2026-52923High7.82026-06-24In the Linux kernel, the following vulnerability has been resolved: ipc: limit next_id allocation to the valid ID range The checkpoint/restore sysctl path can request the next SysV IPC id through ids->next_id.
CVE-2026-0268Medium4.42026-06-10A security control bypass vulnerability in Prisma Access Agent for Linux allows a local attacker to route network traffic outside the VPN tunnel.
CVE-2026-533652026-07-13In the Linux kernel, the following vulnerability has been resolved: vsock/virtio: fix zerocopy completion for multi-skb sends When a large message is fragmented into multiple skbs, the zerocopy uarg is only allocated and attached to the…
CVE-2026-533642026-07-13In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_conn: Fix memory leak in hci_le_big_terminate() hci_le_big_terminate() allocates iso_list_data via kzalloc_obj but returns 0 without freeing it when neith…

Logto-io · 4 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2026-55789High8.52026-07-10Logto is the modern, open-source auth infrastructure for SaaS and AI apps.
CVE-2026-55377High8.12026-07-10Logto is the modern, open-source auth infrastructure for SaaS and AI apps.
CVE-2026-55370Medium6.42026-07-10Logto is the modern, open-source auth infrastructure for SaaS and AI apps.
CVE-2026-54714Medium6.12026-07-10Logto is the modern, open-source auth infrastructure for SaaS and AI apps.

Openreplay · 4 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2026-55879Critical9.32026-07-10OpenReplay is a self-hosted session replay suite.
CVE-2026-55880High7.12026-07-10OpenReplay is a self-hosted session replay suite.
CVE-2026-57230Medium5.42026-07-10OpenReplay is a self-hosted session replay suite.
CVE-2026-558812026-07-10OpenReplay is a self-hosted session replay suite.

Openwrt · 4 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2026-61876High8.82026-07-12LuCI versions fail to properly encode DHCPv6 lease hostnames before rendering in status tables, allowing adjacent network attackers to inject HTML markup.
CVE-2026-61875High8.82026-07-12luci-app-upnp contains a stored cross-site scripting vulnerability that allows unauthenticated LAN clients to inject JavaScript via UPnP IGD AddPortMapping SOAP requests.
CVE-2026-59260High8.82026-07-12OpenWrt luci-app-samba4 read ACL grants file.exec permission on /usr/sbin/smbd, allowing authenticated delegated users to execute the Samba daemon with caller-controlled command-line arguments.
CVE-2026-62184High7.52026-07-13luci-app-banip contains a log parsing vulnerability where the awk-based parser extracts the first IPv4 address from log lines regardless of field position, allowing attackers to inject arbitrary IPs via attacker-controlled fields like user…

Plank · 4 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2026-49972High8.82026-07-13Laravel-Mediable before 7.0.0 contains a file upload vulnerability that allows unauthenticated attackers to achieve remote code execution by uploading a file with an embedded PHP extension disguised within a double extension such as shell…
CVE-2026-49970High8.82026-07-13Laravel-Mediable before 7.0.0 contains a path traversal vulnerability in the File::sanitizePath() function that allows attackers to write uploaded files to arbitrary locations by controlling the directory argument passed to MediaUploader…
CVE-2026-49969High7.42026-07-13Laravel-Mediable before 7.0.0 contains a server-side request forgery vulnerability that allows remote attackers to issue arbitrary HTTP requests from the server by supplying unvalidated caller-controlled URLs to endpoints backed by MediaUp…
CVE-2026-49971Medium6.12026-07-13Laravel-Mediable before 7.0.0 contains a stored cross-site scripting vulnerability that allows authenticated or anonymous users to execute arbitrary JavaScript by uploading unsanitized SVG files containing embedded scripts in onload event…

Quantumcloud · 4 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2026-57710Critical9.92026-07-13Unrestricted Upload of File with Dangerous Type vulnerability in quantumcloud WoowBot Pro Max woowbot-pro-max allows Using Malicious Files.This issue affects WoowBot Pro Max: from n/a through <= 14.1.7.
CVE-2026-57707Critical9.32026-07-13Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in quantumcloud Simple Business Directory Pro simple-business-directory-pro allows SQL Injection.This issue affects Simple Business Director…
CVE-2026-57363High7.12026-07-13Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in QuantumCloud ChatBot chatbot allows Stored XSS.This issue affects ChatBot: from n/a through <= 8.3.7.
CVE-2026-57414Medium6.52026-07-13Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in QuantumCloud ChatBot for eCommerce &#8211; WoowBot woowbot-woocommerce-chatbot allows Stored XSS.This issue affects ChatBot for eCommerce…

Rejetto · 4 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2026-61504Medium5.42026-07-13Rejetto HFS 3.0.0 through 3.2.0 does not escape file names in its fallback "basic" web listing, and this listing can be forced by any browser via the ?get=basic parameter.
CVE-2026-61505Medium5.32026-07-13Rejetto HFS 3.0.0 through 3.2.0 allows path traversal through the lang query parameter, permitting a remote unauthenticated attacker to read certain JSON files outside the shared folders.
CVE-2026-61503Medium5.32026-07-13Rejetto HFS 3.0.0 through 3.2.0 returns observably different responses from its login endpoint depending on whether the submitted username exists.
CVE-2026-61502Medium4.32026-07-13Rejetto HFS 3.0.0 through 3.2.0 accepts state-changing API requests via the GET method and exempts GET requests from its anti-CSRF header check.

Select-themes · 4 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2026-57805High7.52026-07-13Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Select-Themes Tonda tonda allows PHP Local File Inclusion.This issue affects Tonda: from n/a through <= 2.5.
CVE-2026-57803High7.52026-07-13Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Select-Themes Struktur Core struktur-core allows PHP Local File Inclusion.This issue affects Struktur Core: from n/a t…
CVE-2026-57802High7.52026-07-13Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Select-Themes Struktur struktur allows PHP Local File Inclusion.This issue affects Struktur: from n/a through <= 2.5.1.
CVE-2026-57801High7.52026-07-13Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Select-Themes SetSail setsail allows PHP Local File Inclusion.This issue affects SetSail: from n/a through <= 2.1.

Acymailing Newsletter Team · 3 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2026-57739Critical9.32026-07-13Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in AcyMailing Newsletter Team AcyMailing SMTP Newsletter acymailing allows Blind SQL Injection.This issue affects AcyMailing SMTP Newsletter…
CVE-2026-57741High7.12026-07-13Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in AcyMailing Newsletter Team AcyMailing SMTP Newsletter acymailing allows Stored XSS.This issue affects AcyMailing SMTP Newsletter: from n/…
CVE-2026-57740High7.12026-07-13Missing Authorization vulnerability in AcyMailing Newsletter Team AcyMailing SMTP Newsletter acymailing allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects AcyMailing SMTP Newsletter: from n/a through…

Apache Software Foundation · 3 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2026-592452026-07-13In the Apache Airflow FAB auth manager, a DAG whose `dag_id` is `DAGs` collided with the global all-DAGs permission resource name produced by `resource_name()`, so a user granted per-DAG `access_control` on that one DAG was silently grante…
CVE-2026-580652026-07-13The Apache Airflow Git provider runs its git-over-SSH operations with `StrictHostKeyChecking=no` by default, disabling SSH host-key verification.
CVE-2026-498442026-07-10Improper encoding of non-finite floating-point values during MapMessage JSON serialization in Apache Log4j API produces output that is not valid JSON.

Astrbotdevs · 3 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2026-15501Medium6.32026-07-12A security vulnerability has been detected in AstrBotDevs AstrBot up to 4.25.2.
CVE-2026-15500Medium6.32026-07-12A weakness has been identified in AstrBotDevs AstrBot up to 4.25.2.
CVE-2026-15499Medium6.32026-07-12A security flaw has been discovered in AstrBotDevs AstrBot up to 4.25.2.

Cedar-policy · 3 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2026-55773High8.82026-07-13CedarJava is an open source Java implementation of the Cedar policy language, used for fine-grained authorization decisions.
CVE-2026-55771High8.82026-07-13CedarJava is an open source Java implementation of the Cedar policy language, used for fine-grained authorization decisions.
CVE-2026-55772High8.82026-07-13CedarJava is an open source Java implementation of the Cedar policy language, used for fine-grained authorization decisions.

Cloudfoundry · 3 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2026-47826Critical9.12026-07-09The blobs.yml path key traversal vulnerability in the BOSH CLI tool allows an attacker to write arbitrary files and exfiltrate sensitive information.
CVE-2026-47829High7.82026-07-09Argument Injection in bosh-cli allows a compromised BOSH Director to inject arbitrary OpenSSH options into the locally-spawned ssh process when an operator runs bosh ssh -c, bosh logs -f, or other non-interactive SSH paths, leading to loca…
CVE-2026-41857High7.82026-07-09A compromised or malicious BOSH Director can execute arbitrary shell commands on the operator's workstation when the operator runs bosh ssh (or bosh scp/bosh logs -f) with default flags.

Codeastro · 3 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2026-15559Medium6.32026-07-13A vulnerability was detected in CodeAstro Simple Online Leave Management System 1.0.
CVE-2026-15558Medium6.32026-07-13A security vulnerability has been detected in CodeAstro Simple Online Leave Management System 1.0.
CVE-2026-15523Medium6.32026-07-13A weakness has been identified in CodeAstro Simple Online Leave Management System 1.0.

Crawl4ai · 3 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2026-56260Critical9.12026-07-12Crawl4AI before 0.8.7 contains an arbitrary file write vulnerability in the Docker API server's /screenshot and /pdf endpoints.
CVE-2026-56261High8.62026-07-10Crawl4AI before 0.8.7 contains a server-side request forgery (SSRF) vulnerability in the Docker API server's /crawl/job and /llm/job endpoints, which accept webhook URLs without destination validation.
CVE-2026-56259High8.22026-07-12Crawl4AI before 0.8.8 contains credential exfiltration vulnerabilities in the Docker API server that allow attackers to redirect LLM API calls to attacker-controlled endpoints and read arbitrary environment variables.

Crocoblock · 3 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2026-61977Medium5.32026-07-13Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Crocoblock JetSearch jet-search allows Retrieve Embedded Sensitive Data.This issue affects JetSearch: from n/a through <= 3.6.1.2.
CVE-2026-61976Medium5.32026-07-13Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Crocoblock JetBlocks For Elementor jet-blocks allows Retrieve Embedded Sensitive Data.This issue affects JetBlocks For Elementor: from n/a through…
CVE-2026-61975Medium5.32026-07-13Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Crocoblock JetReviews jet-reviews allows Retrieve Embedded Sensitive Data.This issue affects JetReviews: from n/a through <= 3.0.1.

Decompress_project · 3 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2026-39246High7.52026-07-09decompress before 4.2.2 allows arbitrary symlink creation during archive extraction.
CVE-2026-39245Medium6.22026-07-09decompress before 4.2.2 contains an improper path containment check that enables directory traversal and arbitrary file write.
CVE-2026-39243Medium5.52026-07-09decompress before 4.2.2 allows arbitrary hardlink creation during archive extraction, enabling file read disclosure and file corruption.

Fluent · 3 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2026-44024Critical9.82026-07-08Fluentd collects events from various data sources and writes them to files, RDBMS, NoSQL, IaaS, SaaS, Hadoop and so on.
CVE-2026-44160High7.52026-07-08Fluentd collects events from various data sources and writes them to files, RDBMS, NoSQL, IaaS, SaaS, Hadoop and so on.
CVE-2026-44161High7.22026-07-08Fluentd collects events from various data sources and writes them to files, RDBMS, NoSQL, IaaS, SaaS, Hadoop and so on.

Grafana · 3 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2026-33382High7.52026-07-10Several Grafana API endpoints, some of them unauthenticated, do not limit the size of the request body before processing it.
CVE-2026-8595Medium6.82026-07-10A user with Editor permissions can craft a dashboard whose table (TableNG) panel contains a malicious field name that executes as a script in the browser of any user who views the dashboard (stored cross-site scripting).
CVE-2026-8609Medium5.32026-07-10An unauthenticated attacker can repeatedly call Grafana's OAuth login route with unique values, causing unbounded memory growth that can eventually exhaust memory and crash the Grafana instance (denial of service).

Gristlabs · 3 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2026-55659High7.72026-07-10Grist is spreadsheet software using Python as its formula language.
CVE-2026-55664Medium4.32026-07-10Grist is spreadsheet software using Python as its formula language.
CVE-2026-556652026-07-10Grist is spreadsheet software using Python as its formula language.

N8n · 3 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2026-59209Medium6.52026-07-09n8n is an open source workflow automation platform.
CVE-2026-58661Medium4.32026-07-10n8n before 2.28.0 (and before 1.123.58 on the 1.x branch) contains a disk space exhaustion vulnerability in the data-table file upload endpoint.
CVE-2026-56354Medium4.12026-07-10n8n before 1.123.24, 2.10.4, and 2.12.0 (across its 1.x and 2.x branches) contains cross-site scripting and open redirect vulnerabilities in the Form Node due to unsanitized HTML description fields and overly permissive iframe sandbox poli…

Nodejs · 3 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2026-6734High7.52026-06-17Impact: When using Socks5ProxyAgent, undici reuses a single connection pool across different origins without verifying that the pool's origin matches the requested origin.
CVE-2026-12151High7.52026-06-17Impact: The undici WebSocket client enforces maxPayloadSize on the cumulative byte count of fragments in a message but does not enforce a limit on the number of fragments.
CVE-2026-9697High7.42026-06-17Impact: undici's ProxyAgent silently drops the requestTls option when configured with a SOCKS5 proxy URI (socks5:// or socks://).

Rafymrx · 3 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2026-15491High7.32026-07-12A weakness has been identified in RafyMrX TOKO-ONLINE-ROTI up to ddfe1cd587be0a0b5135d8b6e85cce2ec3aece99.
CVE-2026-15490High7.32026-07-12A security flaw has been discovered in RafyMrX TOKO-ONLINE-ROTI up to ddfe1cd587be0a0b5135d8b6e85cce2ec3aece99.
CVE-2026-15489High7.32026-07-12A vulnerability was identified in RafyMrX TOKO-ONLINE-ROTI up to ddfe1cd587be0a0b5135d8b6e85cce2ec3aece99.

Saad Iqbal · 3 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2026-57810High8.52026-07-13Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Saad Iqbal APIExperts Square for WooCommerce woosquare allows Blind SQL Injection.This issue affects APIExperts Square for WooCommerce: f…
CVE-2026-61968Medium5.42026-07-13Missing Authorization vulnerability in Saad Iqbal myCred mycred allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects myCred: from n/a through <= 3.1.2.
CVE-2026-61958Medium5.42026-07-13Missing Authorization vulnerability in Saad Iqbal License Manager for WooCommerce license-manager-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects License Manager for WooCommerce: f…

Soniccloudorg · 3 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2026-15497High7.32026-07-12A vulnerability was determined in SonicCloudOrg sonic-agent up to 2.7.2.
CVE-2026-15496Medium6.32026-07-12A vulnerability was found in SonicCloudOrg sonic-agent up to 2.7.2.
CVE-2026-15495Medium6.32026-07-12A vulnerability has been found in SonicCloudOrg sonic-agent up to 2.7.2.

Stmcan · 3 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2026-57744Critical9.82026-07-13Deserialization of Untrusted Data vulnerability in stmcan RT-Theme 18 | Extensions rt18-extensions allows Object Injection.This issue affects RT-Theme 18 | Extensions: from n/a through <= 2.5.
CVE-2026-57743High8.12026-07-13Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in stmcan RT-Theme 18 | Extensions rt18-extensions allows PHP Local File Inclusion.This issue affects RT-Theme 18 | Exten…
CVE-2026-57745High7.12026-07-13Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in stmcan RT-Theme 18 | Extensions rt18-extensions allows Reflected XSS.This issue affects RT-Theme 18 | Extensions: from n/a through <= 2.5.

Tagdiv · 3 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2026-57734High7.12026-07-13Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in tagDiv tagDiv Composer td-composer allows Reflected XSS.This issue affects tagDiv Composer: from n/a through <= 5.4.3.
CVE-2026-57733High7.12026-07-13Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in tagDiv tagDiv Cloud Library td-cloud-library allows DOM-Based XSS.This issue affects tagDiv Cloud Library: from n/a through <= 3.9.4.
CVE-2026-57732High7.12026-07-13Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in tagDiv tagDiv Opt-In Builder td-subscription allows DOM-Based XSS.This issue affects tagDiv Opt-In Builder: from n/a through <= 1.7.4.

Themefic · 3 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2026-57388High7.12026-07-13Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themefic Hydra Booking hydra-booking allows Stored XSS.This issue affects Hydra Booking: from n/a through <= 1.1.44.
CVE-2026-57395Medium6.52026-07-13Missing Authorization vulnerability in Themefic Tourfic tourfic allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Tourfic: from n/a through <= 2.22.5.
CVE-2026-57392Medium6.52026-07-13Missing Authorization vulnerability in Themefic Tourfic tourfic allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Tourfic: from n/a through <= 2.22.5.

Thememove · 3 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2026-57791High7.52026-07-13Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeMove Brook brook allows PHP Local File Inclusion.This issue affects Brook: from n/a through <= 2.9.0.
CVE-2026-57790High7.52026-07-13Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeMove Billey billey allows PHP Local File Inclusion.This issue affects Billey: from n/a through <= 2.1.8.
CVE-2026-57797Medium4.32026-07-13Missing Authorization vulnerability in ThemeMove EduMall edumall allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects EduMall: from n/a through <= 4.5.1.

Themifyme · 3 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2026-57369High7.12026-07-13Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in themifyme Themify Builder themify-builder allows Reflected XSS.This issue affects Themify Builder: from n/a through <= 7.7.4.
CVE-2026-15097Medium6.42026-07-11The Themify Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'height_slider' Slider Module Field in all versions up to, and including, 7.7.6 due to insufficient input sanitization and output escaping.
CVE-2026-15096Medium6.42026-07-11The Themify Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Map Module 'b_width_map' Field in all versions up to, and including, 7.7.6 due to insufficient input sanitization and output escaping.

U-boot · 3 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2026-29009High8.22026-07-08U-Boot through 2026.04-rc3 contains a buffer overflow vulnerability in nfs_readlink_reply() (net/nfs-common.c) when CONFIG_CMD_NFS is enabled, allowing a malicious or compromised NFS server to overflow the 2048-byte nfs_path_buff buffer by…
CVE-2026-29008High7.52026-07-08U-Boot through 2026.04-rc3 contains an integer underflow vulnerability in the tcp_rx_state_machine() function (net/tcp.c) that allows a network-adjacent attacker to crash the bootloader by sending a malformed TCP SYN+ACK packet with a mani…
CVE-2026-29007Medium5.32026-07-08U-Boot through 2026.04-rc3 contains an out-of-bounds read vulnerability in tcp_rx_state_machine() (net/tcp.c) when CONFIG_PROT_TCP is enabled, allowing remote attackers to read beyond TCP segment boundaries by crafting a malicious packet w…

Wclovers · 3 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2026-12126Medium6.42026-07-11The WCFM Marketplace – Multivendor Marketplace for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Attachment 'post_title' in all versions up to, and including, 3.7.3 due to insufficient input sanitization…
CVE-2026-12994Medium5.32026-07-11The WCFM – Frontend Manager for WooCommerce plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 6.7.27.
CVE-2026-10041Medium4.32026-07-11The WCFM – Frontend Manager for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.7.27 via the wcfm_product_archive due to missing validation on a user controlled key…

Wp Swings · 3 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2026-57709High8.62026-07-13Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in WP Swings Membership For WooCommerce membership-for-woocommerce allows Path Traversal.This issue affects Membership For WooCommerce: from n/a t…
CVE-2026-57407High7.22026-07-13Server-Side Request Forgery (SSRF) vulnerability in WP Swings PDF Generator for WordPress pdf-generator-for-wp allows Server Side Request Forgery.This issue affects PDF Generator for WordPress: from n/a through <= 1.6.2.
CVE-2026-57400Medium6.52026-07-13Missing Authorization vulnerability in WP Swings Event Tickets Manager for WooCommerce event-tickets-manager-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Event Tickets Manager f…

Adobe · 2 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2026-48364High8.22026-07-13ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Uncontrolled Search Path Element vulnerability that could result in arbitrary code execution in the context of the current user.
CVE-2026-48363High8.22026-07-13ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Uncontrolled Search Path Element vulnerability that could result in arbitrary code execution in the context of the current user.

Anydesk · 2 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2026-15682Medium4.72026-07-13AnyDesk Support Information Link Following Denial-of-Service Vulnerability.
CVE-2026-15681Medium4.72026-07-13AnyDesk Screen Recording Link Following Denial-of-Service Vulnerability.

Apache · 2 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2026-41041Critical9.12026-07-13URL path injection via unencoded user-supplied identifiers vulnerability in Apache Gravitino.
CVE-2026-49876Medium6.52026-07-13Authenticated SSRF in Gravitino JobManager allows server-side HTTP requests to internal network and cloud metadata endpoints via unvalidated job template URIs.

Boldgrid · 2 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2026-9282High7.52026-07-11The W3 Total Cache plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 2.9.4 via the setupSources function.
CVE-2026-57418Medium6.52026-07-13Missing Authorization vulnerability in BoldGrid Client Invoicing by Sprout Invoices sprout-invoices allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Client Invoicing by Sprout Invoices: from n/a th…

Citeum · 2 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2026-35210High7.12026-07-08OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables.
CVE-2026-35211Medium6.52026-07-08OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables.

Codemenschen · 2 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2026-57415High7.12026-07-13Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Codemenschen Gift Vouchers gift-voucher allows Stored XSS.This issue affects Gift Vouchers: from n/a through <= 4.7.0.
CVE-2026-57412Medium6.52026-07-13Missing Authorization vulnerability in Codemenschen Gift Vouchers gift-voucher allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Gift Vouchers: from n/a through <= 4.6.9.

Crm Perks · 2 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2026-57708High7.12026-07-13Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CRM Perks Contact Form Entries contact-form-entries allows Reflected XSS.This issue affects Contact Form Entries: from n/a through <= 1.5…
CVE-2026-57421High7.12026-07-13Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CRM Perks CRM Perks Forms crm-perks-forms allows Reflected XSS.This issue affects CRM Perks Forms: from n/a through <= 1.1.7.

Denishua · 2 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2026-57371High8.82026-07-13Deserialization of Untrusted Data vulnerability in denishua WPJAM Basic wpjam-basic allows Object Injection.This issue affects WPJAM Basic: from n/a through <= 7.0.
CVE-2026-57372High7.22026-07-13Server-Side Request Forgery (SSRF) vulnerability in denishua WPJAM Basic wpjam-basic allows Server Side Request Forgery.This issue affects WPJAM Basic: from n/a through <= 7.0.

Digi International · 2 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2026-12352Medium5.92026-07-07This vulnerability allows an unauthenticated actor to bypass authentication and gain access to restricted resources on the device.
CVE-2026-129482026-07-07A stored cross-site scripting (XSS) vulnerability in the web management interface of the Digi PortServer TS, Digi One SP, Digi One SP IA, and Digi One IA allows a remote, authenticated administrator to inject script into certain system con…

Discourse · 2 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2026-55420High7.52026-07-09Discourse is an open-source discussion platform.
CVE-2026-59828Medium5.32026-07-09Discourse is an open-source discussion platform.

Edgarrojas · 2 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2026-57393Medium6.52026-07-13Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in EDGARROJAS WooCommerce PDF Invoice Builder woo-pdf-invoice-builder allows Retrieve Embedded Sensitive Data.This issue affects WooCommerce PDF Invoi…
CVE-2026-57390Medium6.52026-07-13Missing Authorization vulnerability in EDGARROJAS Extra Product Options Builder for WooCommerce additional-product-fields-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Extra Prod…

Edge-themes · 2 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2026-57800High7.52026-07-13Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Edge-Themes Overworld overworld allows PHP Local File Inclusion.This issue affects Overworld: from n/a through <= 1.5.
CVE-2026-57788High7.52026-07-13Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Edge-Themes Aalto aalto allows PHP Local File Inclusion.This issue affects Aalto: from n/a through <= 1.8.

Getgrav · 2 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2026-61454Medium5.32026-07-11The Grav Admin2 plugin (getgrav/grav-plugin-admin2) before 2.0.4 embeds a global JavaScript variable window.__GRAV_CONFIG__ in the Admin2 SPA bootstrap page at /grav/admin (and its subroutes).
CVE-2026-584932026-07-10grav-plugin-database is the database plugin for Grav CMS.

Hydro-québec · 2 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2026-44383High7.52026-07-10Multiple connections to the backend using the same charging station ID are allowed, which could allow an attacker to deploy multiple instances of malicious OCPP clients to overwhelm the backend.
CVE-2026-42952High7.52026-07-10Previously, there was no throttling on repeated authentication attempts to the charging station backend, which could allow an attacker to execute a denial-of-service attack.

Iqonicdesign · 2 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2026-15073Medium6.52026-07-11The KiviCare – Clinic & Patient Management System (EHR) plugin for WordPress is vulnerable to generic SQL Injection via the 'orderby' parameter in all versions up to, and including, 4.5.0 due to insufficient escaping on the user supplied p…
CVE-2026-15072Medium6.52026-07-11The KiviCare – Clinic & Patient Management System (EHR) plugin for WordPress is vulnerable to generic SQL Injection via the 'orderby' parameter in all versions up to, and including, 4.5.0 due to insufficient escaping on the user supplied p…

Jetbrains · 2 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2026-59796High8.12026-07-10In JetBrains TeamCity before 2026.1.2 pipeline modification was possible due to improper permission checks
CVE-2026-59795High8.12026-07-10In JetBrains TeamCity before 2026.1.2 stored XSS via unauthenticated agent registration was possible

Joomshaper.com · 2 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2026-578302026-07-13The Joomla extension Helix Ultimate is vulnerable to an unauthenticated arbitrary file deletion.
CVE-2026-578292026-07-13The Joomla extension Helix Ultimate is vulnerable to an unauthenticated stored XSS.

Lorex · 2 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2026-15683High7.52026-07-13Lorex 2K Indoor Wi-Fi Security Camera Device Management Server Improper Certificate Validation Vulnerability.
CVE-2026-15680High7.52026-07-13Lorex 2K Indoor Wi-Fi Security Camera CDeviceOperator Format String Remote Code Execution Vulnerability.

Magepeopleteam · 2 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2026-57404Medium6.52026-07-13Missing Authorization vulnerability in magepeopleteam Booking and Rental Manager booking-and-rental-manager-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Booking and Rental Manag…
CVE-2026-61985Medium5.32026-07-13Missing Authorization vulnerability in magepeopleteam Car Rental Manager car-rental-manager allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Car Rental Manager: from n/a through <= 1.3.7.

Milan Petrovic · 2 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2026-57771High8.52026-07-13Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Milan Petrovic GD Rating System gd-rating-system allows Blind SQL Injection.This issue affects GD Rating System: from n/a through <= 3.7.
CVE-2026-57403High7.12026-07-13Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Milan Petrovic GD Security Headers gd-security-headers allows Reflected XSS.This issue affects GD Security Headers: from n/a through <= 1…

Misskey-dev · 2 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2026-575752026-07-10Misskey is an open source, federated social media platform.
CVE-2026-575742026-07-10Misskey is an open source, federated social media platform.

Nodeca · 2 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2026-59869High7.52026-07-08js-yaml is a JavaScript YAML parser and dumper.
CVE-2026-59868Medium5.32026-07-08js-yaml is a JavaScript YAML parser and dumper.

Nsquared · 2 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2026-59523Medium6.52026-07-13Missing Authorization vulnerability in NSquared Simply Schedule Appointments simply-schedule-appointments allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Simply Schedule Appointments: from n/a thr…
CVE-2026-57812Medium6.52026-07-13Missing Authorization vulnerability in NSquared Simply Schedule Appointments simply-schedule-appointments allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Simply Schedule Appointments: from n/a thr…

Open-webui · 2 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2026-59216High7.72026-07-09Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform.
CVE-2026-59215Low3.12026-07-09Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform.

Owasp-modsecurity · 2 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2026-52747High8.62026-07-10ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx.
CVE-2026-52761Medium5.82026-07-10ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx.

Phalcon · 2 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2026-575842026-07-10Phalcon is a high-performance, full-stack PHP framework.
CVE-2026-547362026-07-10Phalcon is a high-performance, full-stack PHP framework.

Ragic · 2 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2026-15552Medium6.12026-07-13Enterprise Cloud Database developed by Ragic has a Stored Cross-Site Scripting vulnerability, allowing unauthenticated remote attackers to inject persistent JavaScript code executed in users' browsers upon page load.
CVE-2026-15553Medium5.32026-07-13Enterprise Cloud Database developed by Ragic has a Arbitrary File Upload vulnerability, allowing unauthenticated remote attackers to upload malicious files and make them available for users to download.

Shay · 2 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2026-574322026-07-13Perl versions through 5.43.10 have an integer overflow in S_measure_struct leading to an out-of-bounds heap read in pack and unpack.
CVE-2026-132212026-07-13Perl versions through 5.43.9 produce silently incorrect regular expression matches when an alternation of more than 65535 fixed string branches is compiled into a trie in Perl_study_chunk.

Socket · 2 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2026-59725High7.52026-07-08Socket.IO enables bidirectional and low-latency communication for every platform.
CVE-2026-59724High7.52026-07-08Socket.IO enables bidirectional and low-latency communication for every platform.

Spinnaker · 2 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2026-44795High8.82026-07-10Spinnaker is an open source, multi-cloud continuous delivery platform.
CVE-2026-55175High7.52026-07-10Spinnaker is an open source, multi-cloud continuous delivery platform.

Stylemix · 2 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2026-13114High7.22026-07-11The Motors – Car Dealership & Classified Listings Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Comment Content and User Biographical Info in all versions up to, and including, 1.4.112 due to insufficient inp…
CVE-2026-10865Medium5.32026-07-11The Cost Calculator Builder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.0.11 via the (template body).

Tilt-dev · 2 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2026-558842026-07-10Tilt defines dev environments as code for microservice apps on Kubernetes.
CVE-2026-558822026-07-10Tilt defines dev environments as code for microservice apps on Kubernetes.

Ux-themes · 2 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2026-57729High7.52026-07-13Missing Authorization vulnerability in UX-themes Flatsome flatsome allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Flatsome: from n/a through <= 3.20.5.
CVE-2026-57728High7.12026-07-13Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in UX-themes Flatsome flatsome allows Reflected XSS.This issue affects Flatsome: from n/a through <= 3.20.5.

Uxper · 2 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2026-57799High7.52026-07-13Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in uxper Nuss nuss allows PHP Local File Inclusion.This issue affects Nuss: from n/a through <= 1.3.6.
CVE-2026-57794High7.52026-07-13Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in uxper Golo Framework golo-framework allows PHP Local File Inclusion.This issue affects Golo Framework: from n/a throug…

Villatheme · 2 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2026-57422High7.12026-07-13Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in VillaTheme Bopo – WooCommerce Product Bundle Builder bopo-woo-product-bundle-builder allows Reflected XSS.This issue affects Bopo – WooCo…
CVE-2026-57698Medium6.52026-07-13Authentication Bypass Using an Alternate Path or Channel vulnerability in VillaTheme Abandoned Cart Recovery for WooCommerce woo-abandoned-cart-recovery allows Authentication Abuse.This issue affects Abandoned Cart Recovery for WooCommerce…

Vowelweb · 2 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2026-57776Medium5.32026-07-13Missing Authorization vulnerability in vowelweb VW Wedding vw-wedding allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects VW Wedding: from n/a through <= 1.3.7.
CVE-2026-57774Medium5.32026-07-13Missing Authorization vulnerability in vowelweb VW Food Corner vw-food-corner allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects VW Food Corner: from n/a through <= 1.1.0.

Waooai · 2 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2026-15557High7.32026-07-13A weakness has been identified in waooAI waoowaoo up to 0.4.1.
CVE-2026-15594Low3.72026-07-13A vulnerability was found in waooAI waoowaoo up to 0.4.1.

Will-moss · 2 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2026-15542High7.32026-07-13A vulnerability has been found in will-moss Isaiah up to 1.36.9.
CVE-2026-15541High7.32026-07-13A flaw has been found in will-moss Isaiah up to 1.36.9.

Wpmu Dev - Your All-in-one Wordpress Platform · 2 CVEs

CVESeverityCVSSKEVPublishedSummary
CVE-2026-57815High7.52026-07-13Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in WPMU DEV - Your All-in-One WordPress Platform Forminator forminator allows Path Traversal.This issue affects Forminator: from n/a through <= 1…
CVE-2026-57814High7.12026-07-13Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPMU DEV - Your All-in-One WordPress Platform Forminator forminator allows DOM-Based XSS.This issue affects Forminator: from n/a through…

2coders · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-7544Medium4.32026-07-11The Mux Video Uploader plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.1.4 via the muxvideo_enqueue_settings_script.

4real · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-68472026-07-13Remote Code Execution vulnerability exists in ThemisNETPanel due to missing authentication for a critical file upload function.

Adrian Tobey · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-57389High8.62026-07-13Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Adrian Tobey Groundhogg groundhogg allows Path Traversal.This issue affects Groundhogg: from n/a through <= 4.4.1.

Ahmadmj · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-13262Medium6.52026-07-11The Majestic Support – The Leading-Edge Help Desk & Customer Support Plugin plugin for WordPress is vulnerable to generic SQL Injection via the 'val' parameter in all versions up to, and including, 1.1.9 due to insufficient escaping on the…

Akariasai · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-15535Medium6.32026-07-13A vulnerability was determined in AkariAsai self-rag up to 1fcdc420e48f50a7d7ab1ece5494221b93252e99.

Akpali9 · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-15493Low3.52026-07-12A vulnerability was detected in Akpali9 Attendance-Management-System up to 70b91fe38f4195b701a45f0edcd4f42d5f64aeee.

Alioshr · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-15524Low3.32026-07-13A security vulnerability has been detected in alioshr memory-bank-mcp up to 0.2.1/3.1.

Aman · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-57411High7.12026-07-13Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Aman CF7 Views &#8211; Complete Entry Management for Contact Form 7 cf7-views allows DOM-Based XSS.This issue affects CF7 Views &#8211; C…

Amtt · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-15494Medium4.72026-07-12A flaw has been found in AMTT Hotel Broadband Operation System 1.0.

Andy_moyle · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-61983Medium5.32026-07-13Missing Authorization vulnerability in andy_moyle Church Admin church-admin allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Church Admin: from n/a through <= 5.0.30.

Antv · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-15598Medium6.32026-07-13A weakness has been identified in antv layout 2.0.0.

Aojiaozero · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-15502Medium6.32026-07-12A vulnerability was detected in AojiaoZero Antaris 1.0.

Appium · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-58500High8.22026-07-13MCP Appium is an MCP server that provides AI assistants with tools to automate mobile app testing on Android and iOS.

Appsbd · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-57385High8.52026-07-13Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in appsbd Vitepos vitepos-lite allows Blind SQL Injection.This issue affects Vitepos: from n/a through <= 3.4.2.

Area 17 · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-15518Medium4.72026-07-13A vulnerability has been found in AREA 17 Twill CMS up to 3.6.0.

Argoproj · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-62185High7.62026-07-13Argo CD Helm Chart before 10.0.0 fails to install network policies by default, allowing any pod on a cluster to access repo-server and other Argo APIs.

Arraytics · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-13039Medium5.32026-07-10The Eventin – Event Calendar, Event Registration, Tickets & Booking (AI Powered) plugin for WordPress is vulnerable to authorization bypass due to a regression in versions from 4.0.26 up to and including 4.1.15.

Aster Telecom · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-15482High7.32026-07-12A weakness has been identified in Aster Telecom Azcall 10/11.

Augmnt · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-15526Low3.32026-07-13A flaw has been found in augmnt augments-mcp-server 7.1.0.

Axiomthemes · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-57738Critical9.82026-07-13Deserialization of Untrusted Data vulnerability in axiomthemes 777 triple-seven allows Object Injection.This issue affects 777: from n/a through <= 1.13.0.

Axllent · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-55187Medium5.82026-07-10Mailpit is an email testing tool and API for developers.

Bahmni · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-15477Medium6.32026-07-12A vulnerability was detected in Bahmni bahmnicore up to 0.93.

Baptistearno · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-49213High8.12026-07-10TypeBot is a chatbot builder tool.

Basix · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-57668High7.12026-07-13Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Basix NEX-Forms nex-forms-express-wp-form-builder allows Stored XSS.This issue affects NEX-Forms: from n/a through <= 9.2.2.

Bdthemes · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-57413Medium6.42026-07-13Server-Side Request Forgery (SSRF) vulnerability in bdthemes Instant Image Generator ai-image allows Server Side Request Forgery.This issue affects Instant Image Generator: from n/a through <= 2.1.4.

Better-auth · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-15527Medium5.32026-07-13A vulnerability has been found in better-auth better-icons up to 1.0.5.

Blender · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-60103Medium6.12026-07-13Blender 3.0.0 through 5.1.2 contains an out-of-bounds read vulnerability that allows attackers to trigger a crash or read adjacent heap memory by supplying a crafted .blend file with a malicious signed short member_index value in the SDNA…

Blendmedia · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-4661High7.52026-07-11The WP CTA – Sticky CTA Builder, Generate Leads, Promote Sales plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'fildname' parameter in all versions up to, and including, 2.2.2.

Bosh-ecosystem / Bosh (Bosh-cli) · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-47828High8.82026-07-09During bosh create-env and bosh delete-env, the CLI uploads compiled CPI packages and rendered job templates to the new VM's DAV blobstore over HTTPS without verifying the server certificate, even though a CA certificate for that endpoint…

Brainstorm Force · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-57401Critical9.92026-07-13Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Brainstorm Force SureDash suredash allows Path Traversal.This issue affects SureDash: from n/a through <= 1.8.0.

Bytecodealliance · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-44216High7.52026-05-14Wasmtime is a runtime for WebAssembly.

Cakephp · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-55590Medium6.12026-07-09CakePHP Authentication is an authentication plugin for CakePHP that can also be used in PSR-7 based applications.

Cap-go · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-56296Medium5.32026-07-11Cap-go before 12.128.2 contains an information disclosure vulnerability in the public.transfer_app RPC function that returns distinct error messages for existing versus non-existing app IDs.

Catalyst2020 · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2025-5017Medium4.92026-07-11The Catalyst Connect Zoho CRM Client Portal plugin for WordPress is vulnerable to time-based SQL Injection via the ‘uid’ parameter in all versions up to, and including, 2.2.0 due to insufficient escaping on the user supplied parameter and…

Centreon · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-14453Critical9.62026-07-13This vulnerability is a critical Server-Side Template Injection (SSTI) in Centreon's centreon-open-tickets module that leads to Remote Code Execution.

Choijun · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-15338High7.52026-07-11The LA-Studio Element Kit for Elementor plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.6.1 via the get_type_template function.

Cockpit Hq · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-57856High8.82026-07-13Cockpit CMS contains a path traversal vulnerability in the Bucket file storage API (/system/buckets/api).

Codecentric · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-62242High8.62026-07-13Spring Boot Admin Server before 4.1.2 contains a server-side request forgery vulnerability that allows unauthenticated attackers to register instances with attacker-controlled healthUrl and managementUrl parameters without validation again…

Coderevolution · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-57719Critical10.02026-07-13Unrestricted Upload of File with Dangerous Type vulnerability in CodeRevolution Aimogen Pro aimogen-pro allows Using Malicious Files.This issue affects Aimogen Pro: from n/a through <= 2.8.3.

Codexthemes · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-57804High7.52026-07-13Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in CodexThemes TheGem Theme Elements (for Elementor) thegem-elements-elementor allows PHP Local File Inclusion.This issue…

Comfast · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-15511Critical9.82026-07-12A vulnerability was determined in Comfast CF-WR631AX V3 up to 2.7.0.8.

Coollabsio · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-15507Medium6.32026-07-12A vulnerability was detected in coollabsio Coolify up to 4.1.1.

Corvusinfo · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-6939High7.22026-07-11The CorvusPay WooCommerce Payment Gateway plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'approval_code' parameter in all versions up to, and including, 2.7.4 due to insufficient input sanitization and output esc…

Coturn · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-53449Medium6.02026-07-10Coturn is a free open source implementation of TURN and STUN Server.

Cozmoslabs · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-61971Low2.72026-07-13Authorization Bypass Through User-Controlled Key vulnerability in Cozmoslabs User Profile Picture metronet-profile-picture allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects User Profile Picture: fro…

Creativews · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-57787High8.52026-07-13Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in CreativeWS CWS SVGicons cws-svgicons allows Blind SQL Injection.This issue affects CWS SVGicons: from n/a through <= 1.5.5.

Crewaiinc · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-62240High7.42026-07-13CrewAI before 1.15.1 contains a server-side request forgery vulnerability in the validate_url function that performs one-shot DNS resolution and blocklist checks before returning the original URL unchanged.

Cvat · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-58373Medium4.32026-06-30CVAT before 2.69.0 contains an improper authorization vulnerability in QualityReportViewSet.get_queryset that allows authenticated attackers to enumerate quality report identifiers belonging to other organizations by exploiting a missing c…

Cyberlord92 · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-12761Critical9.82026-07-10The miniOrange Social Login and Register (Discord, Google, Twitter, LinkedIn) plugin for WordPress is vulnerable to authentication bypass leading to account takeover in versions up to and including 7.7.0.
CVESeverityCVSSKEVPublishedSummary
CVE-2026-15270High7.52026-07-09A weakness has been identified in D-link DIR-823G 1.0.2B05_20181207.

Dan Rossiter · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-57695High7.12026-07-13Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Dan Rossiter Document Gallery document-gallery allows Reflected XSS.This issue affects Document Gallery: from n/a through <= 5.1.0.

Dao-ailab · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-62239Medium6.62026-07-13FlashAttention through 2.8.3.post1, fixed in commit 0816ef1, contains a symlink attack vulnerability in the download_and_copy() function within hopper/setup.py that extracts NVIDIA toolchain archives without validating symlinks or filterin…

Dassault Systèmes · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-14165High7.52026-07-13An Authorization Bypass Through User-Controlled Key vulnerability affecting Tuleap Enterprise Edition from 17.0 through 17.5 could allow an attacker to access data of other users without authorization.

Dcooney · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-15295Medium4.42026-07-10The WordPress Infinite Scroll – Ajax Load More plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 7.0.1 due to insufficient input sanitization and output escaping.

Dokan, Inc. · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-57706High7.12026-07-13Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Dokan, Inc.

Elated-themes · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-57793High7.52026-07-13Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes Flow flow allows PHP Local File Inclusion.This issue affects Flow: from n/a through <= 1.8.

Element Invader · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-57376High7.12026-07-13Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Element Invader ElementInvader Addons for Elementor elementinvader-addons-for-elementor allows DOM-Based XSS.This issue affects ElementIn…

Eli · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-57691Medium5.82026-07-13Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Eli Anti-Malware Security and Brute-Force Firewall gotmls allows Reflected XSS.This issue affects Anti-Malware Security and Brute-Force F…

Envoyproxy · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-47774High7.52026-06-17Envoy is an open source edge and service proxy designed for cloud-native applications.

Etcd · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-59818Medium6.52026-07-08etcd is a distributed key-value store for the data of a distributed system.

Evermind-ai · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-58499High8.22026-07-10EverOS is a memory runtime for agents.

Eyecix · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-57383High7.12026-07-13Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in eyecix JobSearch wp-jobsearch allows Stored XSS.This issue affects JobSearch: from n/a through <= 3.2.9.

F5 · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-42055High8.12026-06-17NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_proxy_v2_module and ngx_http_grpc_module modules.

Fahad Mahmood · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-57419Medium6.52026-07-13Missing Authorization vulnerability in Fahad Mahmood Stock Locations for WooCommerce stock-locations-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Stock Locations for WooCommerce…

Favethemes · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-57768High8.22026-07-13Incorrect Privilege Assignment vulnerability in favethemes Houzez Login Register houzez-login-register allows Privilege Escalation.This issue affects Houzez Login Register: from n/a through <= 3.3.3.

Filebrowser · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-61874Low3.12026-07-12filebrowser versions before 2.63.17 fail to normalize paths before querying the share index in DeleteWithPathPrefix, allowing authenticated users to leave stale public shares behind.

Flintop · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-57396High7.12026-07-13Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Flintop Free Gifts for WooCommerce free-gifts-for-woocommerce allows Stored XSS.This issue affects Free Gifts for WooCommerce: from n/a t…

Flowise · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-56271Critical9.82026-07-12Flowise before 3.1.0 (affected versions 3.0.13 and earlier) uses weak hardcoded default JWT secrets ('auth_token', 'refresh_token') and default audience and issuer values ('AUDIENCE', 'ISSUER') in the enterprise passport authentication mid…

Flux159 · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-61459Critical9.82026-07-10MCP Server Kubernetes before 3.9.0 contains an argument injection vulnerability in structured tools (kubectl_get, kubectl_describe, kubectl_delete) that allows attackers to bypass the assertNoDangerousFlags security check by supplying reso…

Fluxbuilder · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-57375Medium6.52026-07-13Missing Authorization vulnerability in FluxBuilder MStore API mstore-api allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects MStore API: from n/a through <= 4.18.4.

Form-data · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-12143High7.52026-06-12form-data is a library for creating readable multipart/form-data streams.

Freshlabs · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-1382Medium6.42026-07-11The fresh Podcaster plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'freshpodcaster' shortcode in all versions up to, and including, 1.0.7 due to insufficient input sanitization and output escaping on user supplie…

Funnelkit · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-57816High7.12026-07-13Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in FunnelKit Funnel Builder by FunnelKit funnel-builder allows Reflected XSS.This issue affects Funnel Builder by FunnelKit: from n/a throug…

Gallerycreator · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-5743Medium6.42026-07-11The SimpLy Gallery Block & Lightbox plugin for WordPress is vulnerable to Stored Cross-Site Scripting via block attributes in all versions up to, and including, 3.3.3.2.

Genolve · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-1359High8.82026-07-11The Genolve – AI image AI video generation plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the genolve_setOpt() function in all versions up to, and including, 5.0.5.

Gigabyte · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-9492High7.82026-07-13The MBStorage DRAM lighting control module within Gigabyte Control Center (GCC) developed by GIGABYTE Technology has an Improper Access Control vulnerability.

Gimp · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-2050High7.82026-06-24GIMP HDR File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability.

Glarysoft · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-15684High7.32026-07-13Glarysoft Glary Utilities Link Following Local Privilege Escalation Vulnerability.

Go-shiori · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-61463High8.82026-07-13Shiori contains a privilege escalation vulnerability in the account update endpoint that allows authenticated users to modify the owner field without authorization checks.

Google Cloud · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-149342026-07-13A Missing Authorization vulnerability in the repository creation functionality in Google Cloud BigQuery, Dataform and Colab Enterprise, in the versions between October 2025 and May 10th, 2026, on Google Cloud Platform, allows an authentica…

Gotenberg · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-55229High7.52026-07-10Gotenberg is a Docker-powered stateless API for PDF files.

Gpsd_project · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-58459High7.82026-07-09gpsd through release-3.27.5, fixed at commit 4c06658, contains a command injection vulnerability in gpsprof that allows attackers who control the GPS device subtype value to execute arbitrary shell commands by embedding backtick payloads i…

Guzzle · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-59883Medium4.72026-07-08Guzzle is an extensible PHP HTTP client.

H2o · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-55213High7.52026-07-10h2o is an HTTP server with support for HTTP/1.x, HTTP/2 and HTTP/3.

H3c · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-15479High7.32026-07-12A vulnerability was found in H3C NX15 V100R017.

Haarg · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-574332026-07-13Storable versions before 3.41 for Perl have a signed integer overflow when deserializing a crafted SX_HOOK record.

Hamsalam · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-61956High7.12026-07-13Cross-Site Request Forgery (CSRF) vulnerability in hamsalam ووسلام &#8211; همگام سازی ووکامرس و باسلام sync-basalam allows Cross Site Request Forgery.This issue affects ووسلام &#8211; همگام سازی ووکامرس و باسلام: from n/a through <= 1.9.1.

Hannan · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-61955High7.62026-07-13Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Hannan گرویتی فرم فارسی persian-gravity-forms allows Blind SQL Injection.This issue affects گرویتی فرم فارسی: from n/a through <= 3.0.2.

Hclsoftware · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-56460Medium6.52026-07-09HCL DevOps Deploy / HCL Launch could disclose sensitive configurations and secrets to authenticated users in API responses that could be used in further attacks against the system.

Hcr707305003 · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-15488High7.32026-07-12A vulnerability was determined in hcr707305003 shiroiAdmin 1.1/1.3.

Helicone · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-15508Medium6.32026-07-12A flaw has been found in Helicone ai-gateway up to 0.2.0-beta.30.

Hestiacp · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2025-30007High8.82026-07-10HestiaCP before 1.9.5 contains an authenticated OS command injection vulnerability that allows low-privilege authenticated users to execute arbitrary commands as root by injecting a single-quote character into unvalidated DNS record types.

Hitesh Chandwani · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-57365Medium6.52026-07-13Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Hitesh Chandwani reCAPTCHA (v2 &amp; v3) for Asgaros Forum recaptcha-for-asgaros-forum allows DOM-Based XSS.This issue affects reCAPTCHA…

Hmbrand · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-9698Critical9.82026-06-09DBI versions before 1.648 for Perl saved errors in a limited-sized buffer.

Hono · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-56763Medium4.82026-07-11Hono before 4.12.7 allows __proto__ key in parseBody with dot option enabled, permitting specially crafted form field names to create objects with __proto__ properties.

Httplib2 · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-59939High7.52026-07-08httplib2 is a comprehensive HTTP client library for Python.

Hupe13 · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-57380High7.12026-07-13Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in hupe13 Extensions for Leaflet Map extensions-leaflet-map allows DOM-Based XSS.This issue affects Extensions for Leaflet Map: from n/a thr…

Igweze · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-15492Medium4.32026-07-12A security vulnerability has been detected in igweze wizgrade up to b1d55f22b90cd7e7a6e5002f006d7c649e8086d6.

Image-size · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2025-71319High7.52026-06-09image-size through 2.0.2 contains a denial of service vulnerability that allows remote attackers to permanently block the Node.js event loop by supplying a specially crafted image buffer with a zero-valued size field in a recognized box-ty…

Itsourcecode · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-15536Medium6.32026-07-13A vulnerability was identified in itsourcecode Hospital Management System 1.0.

Jinher · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-15517High7.32026-07-13A flaw has been found in Jinher OA 1.0.

Jonasbn · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-581012026-07-13Crypt::OpenSSL::X509 versions before 2.1.3 for Perl allow denial of service via NULL pointer dereference.

Jose Vega · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-61952Medium4.92026-07-13Missing Authorization vulnerability in Jose Vega WooCommerce Bulk Edit Products – WP Sheet Editor woo-bulk-edit-products allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WooCommerce Bulk Edit Produ…

Jpadilla · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-48526High7.42026-05-28PyJWT is a JSON Web Token implementation in Python.

Jwsthemes · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-57789High7.52026-07-13Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in jwsthemes Aqua aqua allows PHP Local File Inclusion.This issue affects Aqua: from n/a through <= 5.1.2.

Klosk · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-15525Medium6.32026-07-13A vulnerability was detected in kLOsk adloop up to 0.9.0.

Knitpay · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-57424Medium6.52026-07-13Missing Authorization vulnerability in knitpay Razorpay Payment Links for WooCommerce rzp-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Razorpay Payment Links for WooCommerce: from n…

Kodezen Llc · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-57386High8.82026-07-13Incorrect Privilege Assignment vulnerability in Kodezen LLC aBlocks ablocks allows Privilege Escalation.This issue affects aBlocks: from n/a through < 2.9.1.

Kofi Mokome · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-57423High7.12026-07-13Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Kofi Mokome Message Filter for Contact Form 7 cf7-message-filter allows Reflected XSS.This issue affects Message Filter for Contact Form…

Lamaalrajih · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-15528Low3.32026-07-13A vulnerability was found in lamaalrajih kicad-mcp up to 3.3.1.

Langchain4j · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-55405High7.62026-07-10LangChain4j is a Java library for building LLM-powered applications on the JVM.

Latepoint · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-57714Critical9.32026-07-13Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in LatePoint LatePoint latepoint allows Blind SQL Injection.This issue affects LatePoint: from n/a through <= 5.6.3.

Leap13 · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-12141Medium4.92026-07-11The Premium Addons for Elementor – Powerful Elementor Templates & Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'premium_tooltip_text' parameter in all versions up to, and including, 4.11.84 due to insuf…

Lustmored · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-3367Medium4.42026-07-11The Lockme OAuth2 calendars integration plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'App ID' setting in all versions up to, and including, 2.11.0.

M2team · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-557802026-07-10NanaZip is the 7-Zip derivative intended for the modern Windows experience.

Mailerpress Team · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-57410High8.82026-07-13Incorrect Privilege Assignment vulnerability in MailerPress Team MailerPress mailerpress allows Privilege Escalation.This issue affects MailerPress: from n/a through <= 2.0.2.

Makafeli · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-15521Medium5.32026-07-13A vulnerability was identified in makafeli n8n-workflow-builder up to 0.11.0.

Marcus (Aka @Msykes) · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-57713High8.82026-07-13Deserialization of Untrusted Data vulnerability in Marcus (aka @msykes) Events Manager events-manager allows Object Injection.This issue affects Events Manager: from n/a through <= 7.3.6.

Mariadb · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-44172Critical9.82026-06-12MariaDB server is a community developed fork of MySQL server.

Masaakitanaka · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-15335High7.52026-07-11The Booking Package plugin for WordPress is vulnerable to generic SQL Injection via 'email' Form Parameter (form<N>) in all versions up to, and including, 1.7.20 due to insufficient escaping on the user supplied parameter and lack of suffi…

Mediawiki · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-13707High7.62026-07-01Session fixation vulnerability in Wikimedia Foundation OAuth.

Melograno Venture Studio · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-57702Critical9.32026-07-13Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Melograno Venture Studio Amelia ameliabooking allows Blind SQL Injection.This issue affects Amelia: from n/a through <= 2.4.2.

Merkulove · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-57783Medium6.52026-07-13Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in merkulove Speaker speaker allows Stored XSS.This issue affects Speaker: from n/a through <= 4.1.13.

Metabase · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-59827Critical9.92026-07-09Metabase is an open-source business intelligence and embedded analytics tool.

Metagauss · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-57697High7.52026-07-13Authentication Bypass Using an Alternate Path or Channel vulnerability in Metagauss ProfileGrid profilegrid-user-profiles-groups-and-communities allows Password Recovery Exploitation.This issue affects ProfileGrid : from n/a through <= 5…

Metasoft 美特软件 · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-15514High7.32026-07-13A weakness has been identified in Metasoft 美特软件 MetaCRM up to 6.4.0 Beta06.

Mikado-themes · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-57792High7.52026-07-13Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Dør dor allows PHP Local File Inclusion.This issue affects Dør: from n/a through <= 2.4.1.

Miniorange Security Software Pvt Ltd. · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-57807Critical9.82026-07-10Authentication Bypass Using an Alternate Path or Channel vulnerability in miniOrange Security Software Pvt Ltd.

Minitool · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-15475Medium5.32026-07-12A weakness has been identified in MiniTool Partition Wizard up to 13.6.

Misp · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-621432026-07-13A Server-Side Request Forgery (SSRF) protection bypass existed in the html_to_markdown expansion module of misp-modules.

Mitchell Bennis · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-57382High7.12026-07-13Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Mitchell Bennis Simple File List simple-file-list allows Reflected XSS.This issue affects Simple File List: from n/a through <= 6.3.8.

Mura Software · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-122572026-07-13Versions of Mura CMS prior to 10.0.712 contain a critical remote code execution (RCE) vulnerability.

Netrr · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-57420Medium6.52026-07-13Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Netrr Author Box WP Lens author-box-for-divi allows Stored XSS.This issue affects Author Box WP Lens: from n/a through <= 2.1.5.

Nexcess · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-57705High7.52026-07-13Missing Authorization vulnerability in Nexcess Event Tickets event-tickets allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Event Tickets: from n/a through <= 5.28.5.

Nextendweb · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-12385Medium4.32026-07-13The Smart Slider 3 plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.5.1.37 via the 'keyword' parameter.

Nezhahq · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-591552026-07-10Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool.

Nicu_m · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-14262High8.82026-07-11The Simple JWT Login – Allows you to use JWT on REST endpoints.

Nootheme · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-57368High7.12026-07-13Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NooTheme Jobmonster noo-jobmonster allows Reflected XSS.This issue affects Jobmonster: from n/a through <= 4.8.5.

Ollama · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-15685High7.52026-07-13Ollama downloadBlob Improper Validation of Array Index Denial-of-Service Vulnerability.

Openbsd · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-55706Medium5.82026-06-17sppp_pap_input in sys/net/if_spppsubr.c in OpenBSD before 076e2b1 allows authentication bypass via certain zero values for lengths.

Openplc · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-14480Critical9.92026-07-10OpenPLC Runtime v3 contains an authenticated arbitrary file write vulnerability in the legacy web UI program‑upload workflow.

Openresty · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-55233High7.52026-07-10OpenResty is a high performance web platform.

P11-kit_project · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-13757Medium6.22026-06-29A flaw was found in p11-kit.

Parse-community · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-614482026-07-11Parse Server is affected by a stored cross-site scripting (XSS) vulnerability in versions >= 9.0.0, < 9.10.0-alpha.2 and <= 8.6.83.

Peachpayments · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-57408Medium6.52026-07-13Missing Authorization vulnerability in peachpayments Peach Payments Gateway wc-peach-payments-gateway allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Peach Payments Gateway: from n/a through <= 4…

Pglombardo · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-61458High7.52026-07-13PasswordPusher before 2.9.2 contains a brute-force vulnerability in the POST /p/:token/access endpoint that lacks route-specific rate limiting and per-push lockout mechanisms.

Phil Kurth · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-57378High7.52026-07-13Missing Authorization vulnerability in Phil Kurth Advanced Forms advanced-forms allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Advanced Forms: from n/a through <= 1.9.3.7.

Phoca.cz · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-578282026-07-11The Joomla extension Phoca Downloads is vulnerable to an authenticated arbitrary file upload that allows registered users uploading executable files and leads to full RCE.

Phoenixframework · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-582282026-07-13Cross-site scripting vulnerability in phoenixframework phoenix_live_view allows an attacker to bypass URL scheme validation and execute JavaScript in a victim's browser session.

Picu · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-57387High7.12026-07-13Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in picu picu picu allows Stored XSS.This issue affects picu: from n/a through <= 3.5.1.

Pig-mesh · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-15512Medium6.32026-07-13A vulnerability was identified in pig-mesh Pig up to 3.9.2.

Pipecat · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-54695High7.52026-07-09Pipecat is an open-source Python framework for building real-time voice and multimodal conversational agents.

Plugin Envision · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-57780Medium6.52026-07-13Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Plugin Envision Envision Page Builder envision-page-builder allows DOM-Based XSS.This issue affects Envision Page Builder: from n/a throu…

Pluginsglpi · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-11321Medium6.42026-07-10The DataInjection plugin for GLPI 2.15.6 (GLPI 11 builds) concatenates user-supplied CSV field values directly into SQL queries during CSV import, without parameterization or escaping, resulting in authenticated SQL injection.

Postmagthemes · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-6801Medium5.32026-07-11The Context Blog theme for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.3.5 via the context_blog_modal_popup.

Presstigers · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-57782Medium5.32026-07-13Missing Authorization vulnerability in PressTigers Universal Clocks universal-clocks allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Universal Clocks: from n/a through <= 1.2.0.

Prestashop · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-148462026-07-13In version 8.2.1 of PrestaShop, there is a vulnerability relating to the incorrect sanitisation of elements, caused by inadequate validation of the ‘Alias’ parameter in the ‘Update your address’ function.

Primefaces · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-15538Medium6.32026-07-13A weakness has been identified in primefaces primereact up to 10.9.8.

Printfriendly · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-9738Medium4.42026-07-11The Print, PDF, Email by PrintFriendly plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'content_position_css' parameter in all versions up to, and including, 5.5.10 due to insufficient input sanitization and outpu…

Progress · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-8037Critical9.62026-06-04OS Command Injection Remote Code Execution Vulnerability in API in Progress ADC Products allows an un-authenticated attacker to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in multiple command endp…

Properfraction · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-57813Critical9.82026-07-13Incorrect Privilege Assignment vulnerability in properfraction MailOptin mailoptin allows Privilege Escalation.This issue affects MailOptin: from n/a through <= 1.2.77.3.

Property Hive · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-57381High7.12026-07-13Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Property Hive PropertyHive propertyhive allows Reflected XSS.This issue affects PropertyHive: from n/a through <= 2.2.3.

Protobufjs · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-59876Medium4.82026-07-08protobufjs compiles protobuf definitions into JavaScript (JS) functions.

Prowler-cloud · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-59151Critical9.62026-07-10Prowler is a cloud security platform.

Proxy &Amp; Vpn Blocker · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-57399High7.12026-07-13Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Proxy &amp; VPN Blocker Proxy &amp; VPN Blocker proxy-vpn-blocker allows Stored XSS.This issue affects Proxy &amp; VPN Blocker: from n/a…

Psm Plugins · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-57711Medium6.52026-07-13Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PSM Plugins SupportCandy supportcandy allows Stored XSS.This issue affects SupportCandy: from n/a through <= 3.4.8.

Purethemes · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-57786High8.82026-07-13Cross-Site Request Forgery (CSRF) vulnerability in purethemes WorkScout-Core workscout-core allows Authentication Bypass.This issue affects WorkScout-Core: from n/a through <= 1.7.08.

Pypa · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-59890Medium6.12026-07-08setuptools is a package that allows users to download, build, install, upgrade, and uninstall Python packages.

Qiling · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-15476Medium5.32026-07-12A security vulnerability has been detected in QILING Disk Master 6.0.0.0.

Rainafarai · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-7620Medium4.32026-07-11The Notification for Telegram plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.5.1.

Rclone · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-49980Critical9.82026-06-24Rclone is a command-line program to sync files and directories to and from different cloud storage providers.

Rd Station Conversas · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-47652026-07-13Stored Cross-Site Scripting (XSS) vulnerability in the RD Station Conversas chat.

Realmag777 · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-57409High7.12026-07-13Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in RealMag777 Active Products Tables for WooCommerce profit-products-tables-for-woocommerce allows DOM-Based XSS.This issue affects Active P…

Realtyna · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-57811Critical10.02026-07-13Improper Control of Generation of Code ('Code Injection') vulnerability in Realtyna Realtyna Organic IDX plugin real-estate-listing-realtyna-wpl allows Remote Code Inclusion.This issue affects Realtyna Organic IDX plugin: from n/a through…

Redefiningtheweb · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-7559Medium4.32026-07-11The Affilia – Affiliate Program & Referral Tracking for WordPress plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 3.3.3.

Rextheme · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-57417High7.12026-07-13Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in RexTheme Cart Lift cart-lift allows Stored XSS.This issue affects Cart Lift: from n/a through <= 3.1.57.

Richardperdaan · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-8678Medium4.32026-07-11The MyParcel plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.25.1.

Robin-w · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-15010Medium6.42026-07-11The bbp Style Pack plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 6.4.5 via the Topic Form Additional Fields feature.

Room 34 Creative Services, Llc · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-59516High7.12026-07-13Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Room 34 Creative Services, LLC ICS Calendar ics-calendar allows Reflected XSS.This issue affects ICS Calendar: from n/a through <= 12.1.1.

Roxnor · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-57406Medium6.52026-07-13Missing Authorization vulnerability in Roxnor FundEngine wp-fundraising-donation allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects FundEngine: from n/a through <= 1.7.6.

Rsjoomla.com · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-578272026-07-11The Joomla extension RSFiles is vulnerable to an unauthenticated arbitrary file upload that allows uploading executable files and leads to full RCE.

Rustdesk · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-57850High8.32026-07-10RustDesk before 1.4.9 does not enforce a session's authorized connection scope on the server side, so a peer granted a limited session type (FileTransfer, PortForward, ViewCamera, or Terminal) can send control messages and login options re…

Saadiqbal · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-12738Medium4.32026-07-11The WP Easy Pay – Payment and Donation form Builder for Square plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.5.0.

Samsung Open Source · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-15551Medium5.52026-07-13Integer overflow or wraparound vulnerability in Samsung Open Source rlottie allows Overflow Buffers.

Saurabhsharma · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-57798High7.52026-07-13Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in SaurabhSharma NewsPlus Shortcodes newsplus-shortcodes allows PHP Local File Inclusion.This issue affects NewsPlus Shor…

Secureage · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-15506High7.82026-07-12A security vulnerability has been detected in SecureAge CatchPulse up to 10.9.3.

Sergey · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-59515Critical9.32026-07-13Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Sergey AIWU ai-copilot-content-generator allows Blind SQL Injection.This issue affects AIWU: from n/a through <= 1.5.4.

Sergomanov · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-15498High7.32026-07-12A vulnerability was identified in sergomanov SmartHomeAdatum up to cf495353d81b680675eb8d9aa14a318aa45ce12c.

Servicenow · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-68752026-07-13ServiceNow has addressed a remote code execution vulnerability that was identified in the ServiceNow AI platform.

Shapedplugin Llc · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-59521High7.22026-07-13Deserialization of Untrusted Data vulnerability in ShapedPlugin LLC Real Testimonials testimonial-free allows Object Injection.This issue affects Real Testimonials: from n/a through <= 3.1.15.

Siteground · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-57416High7.12026-07-13Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in SiteGround SiteGround Email Marketing siteground-email-marketing allows Stored XSS.This issue affects SiteGround Email Marketing: from n/…

Skillable · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-56877Medium6.32026-07-13The SCORM lab launch endpoint in Skillable (scorm.skillable.com) through 2026-07-13 does not validate the client-supplied userId parameter against the authenticated SCORM session token.

Smackcoders · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-13353High8.82026-07-11The WP Ultimate CSV Importer – WordPress Import & Export for CSV, XML & Excel plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 8.0.1 via the 'MappedFields' parameter.

Solacewp · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-13250Medium5.32026-07-11The Solace Extra plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.5.3.

Sovlix · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-57781Medium5.32026-07-13Missing Authorization vulnerability in Sovlix MeetingHub meetinghub allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects MeetingHub: from n/a through <= 1.25.10.

Spacetime · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-57693Medium6.52026-07-13Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Spacetime Ad Inserter ad-inserter allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Ad Inserter…

Spring · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-40984High7.52026-06-09In Micrometer, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition.

Stanford · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-54499High7.52026-07-08Stanza is a Stanford NLP Python library for tokenization, sentence segmentation, NER, and parsing of many human languages.

Starboardsuite · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2025-13968Medium6.42026-07-11The Starboard Suite Reservation Calendars plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcode attributes in the [starboard-suite-lightbox] shortcode in all versions up to, and including, 3.1.4 due to insufficien…

Subratamal · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-12103Medium4.32026-07-11The Wallet for WooCommerce plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.6.4.

Supercleanse · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-12426Medium5.32026-07-11The Members – Membership & User Role Editor Plugin plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.2.22 via the members_filter_protected_posts_for_rest.

Surecart · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-7655High8.12026-07-11The SureCart plugin for WordPress is vulnerable to privilege escalation via account takeover in versions up to, and including, 4.2.3.

Surflabtech · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-3552Medium4.32026-07-11The SurfLink - Ultimate Link Manager plugin for WordPress is vulnerable to unauthorized data modification due to a missing capability check on the ajax_import_410() function in all versions up to 2.6.0.

Tangible · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-57391Medium6.52026-07-13Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Tangible Loops & Logic tangible-loops-and-logic allows Stored XSS.This issue affects Loops & Logic: from n/a through <= 4.2.3.

Tencent · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-15515High7.02026-07-13A security vulnerability has been detected in Tencent PC Manager 18.1.30242.301.

Tenda · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-15543High8.82026-07-13A vulnerability was found in Tenda CH22 1.0.0.1.

Thales Cert · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-130142026-07-13A vulnerability in Thales CERT "Suspicious" application =< 1.3.4 allows a remote and unauthenticated attacker to execute arbitrary code and arbitrarily overwrite writable application files—including Python modules, configuration files, cro…

Themebeez · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-57779Medium5.32026-07-13Missing Authorization vulnerability in themebeez Fascinate fascinate allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Fascinate: from n/a through <= 1.1.5.

Themefusion · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-12536Medium6.42026-07-13The Avada (Fusion) Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘Module Title’ parameter in all versions up to, and including, 3.15.5 due to insufficient input sanitization and output escaping.

Themegoods · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-57770Critical9.82026-07-13Deserialization of Untrusted Data vulnerability in ThemeGoods Grand Photography grandphotography allows Object Injection.This issue affects Grand Photography: from n/a through <= 5.7.8.

Themehunk · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-57405High7.12026-07-13Missing Authorization vulnerability in themehunk Open Shop open-shop allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Open Shop: from n/a through <= 1.7.1.

Themeisle · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-61970Medium4.92026-07-13Server-Side Request Forgery (SSRF) vulnerability in Themeisle Auto Featured Image (Auto Post Thumbnail) auto-post-thumbnail allows Server Side Request Forgery.This issue affects Auto Featured Image (Auto Post Thumbnail): from n/a through <…

Themelexus · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-57795High7.52026-07-13Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in themelexus Kitchor kitchor allows PHP Local File Inclusion.This issue affects Kitchor: from n/a through <= 1.4.3.

Thimpress · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-11901Medium5.32026-07-11The WP Hotel Booking plugin for WordPress is vulnerable to Insufficient Verification of Data Authenticity in all versions up to, and including, 2.3.1.

Thrivedesk · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-1832Medium4.32026-07-11The ThriveDesk – Live Chat, AI Chatbot, Helpdesk & Knowledge Base plugin for WordPress is vulnerable to unauthorized cache deletion due to a missing capability check on the 'thrivedesk_clear_cache' AJAX action in all versions up to, and in…

Tigroumeow · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2025-6784High8.82026-07-11The Code Engine plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 0.3.5 via the 'code-engine' shortcode.

Tribulant Software · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-57394High7.12026-07-13Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Tribulant Software Newsletters newsletters-lite allows Reflected XSS.This issue affects Newsletters: from n/a through <= 4.14.

Trustindex · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-11591Medium4.42026-07-11The Widgets for Google Reviews plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 13.3 due to insufficient input sanitization and output escaping.

Tugcantopaloglu · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-15522Medium5.32026-07-13A security flaw has been discovered in tugcantopaloglu godot-mcp 2.0.0.

Unlimited Elements · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-57718High7.12026-07-13Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Unlimited Elements Unlimited Elements For Elementor (Free Widgets, Addons, Templates) unlimited-elements-for-elementor allows Reflected X…

Usestrix · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-15519Medium5.02026-07-13A vulnerability was found in usestrix strix up to 1.0.2.

Videousermanuals · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-11898Medium4.42026-07-11The White Label CMS plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.7.12 due to insufficient input sanitization and output escaping.

Vitec · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-60121Critical9.82026-07-13Vitec Flamingo 4.12.2 contains an unauthenticated OS command injection vulnerability in the admin/ajax/ping.php endpoint that allows remote attackers to execute arbitrary commands by exploiting a double-evaluation flaw in shell argument ha…

Vlthemes · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-57796High7.52026-07-13Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in VLThemes Leedo leedo allows PHP Local File Inclusion.This issue affects Leedo: from n/a through <= 3.0.0.

Vnotex · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-15505Low3.52026-07-12A weakness has been identified in vnotex vnote up to 3.20.1.

Wago · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-4769Critical9.82026-07-13Certain devices in the WAGO System I/O Field series activate an internal diagnostic capability during the initial startup sequence.
CVESeverityCVSSKEVPublishedSummary
CVE-2026-15513Medium6.32026-07-13A security flaw has been discovered in Wavlink WL-NU516U1 260515.

Webaways · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-9017Medium5.32026-07-11The NEX-Forms – Ultimate Forms Plugin for WordPress plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 9.2.2.

Webcodingplace · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-57398High7.12026-07-13Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WebCodingPlace Real Estate Manager Pro real-estate-manager-pro allows Reflected XSS.This issue affects Real Estate Manager Pro: from n/a…

Webfactory · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-11426Medium6.52026-07-11The UnderConstructionPage PRO plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 5.76.

Websockets · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-48779High7.52026-06-17ws is an open source WebSocket client and server for Node.js.

Winfsp · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-7162High7.82026-07-13Successful exploitation of the integer overflow vulnerability could allow an attacker to achieve system-level access to the affected software.

Wp Grid Builder · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-13756High8.82026-07-11The WP Grid Builder plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 2.3.3.

Wp Inventory · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-57772High8.52026-07-13Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WP Inventory WP Inventory Manager wp-inventory-manager allows Blind SQL Injection.This issue affects WP Inventory Manager: from n/a throu…

Wpdesk · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-57402Medium6.52026-07-13Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpdesk Flexible Refund and Return Order for WooCommerce flexible-refund-and-return-order-for-woocommerce allows Stored XSS.This issue aff…

Wpdevart · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-57778Medium5.32026-07-13Missing Authorization vulnerability in wpdevart Booking calendar, Appointment Booking System booking-calendar allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Booking calendar, Appointment Booking…

Wpdeveloper · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-57364Medium6.52026-07-13Improper Validation of Specified Quantity in Input vulnerability in WPDeveloper Better Payment – Instant Payments, Donations, Fundraising with Subscriptions &amp; More better-payment allows Accessing Functionality Not Properly Constrained…

Wpdevteam · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-15155High8.82026-07-11The Essential Addons for Elementor – Popular Elementor Templates & Widgets plugin for WordPress is vulnerable to Authenticated Account Takeover via Email Header Injection in all versions up to, and including, 6.6.10 This is due to insuffic…

Wpmanageninja · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-57715High7.12026-07-13Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPManageNinja Fluent CRM fluent-crm allows Reflected XSS.This issue affects Fluent CRM: from n/a through <= 3.1.7.

Wpmessiah · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-2354High8.82026-07-11The Swiss Toolkit For WP plugin for WordPress is vulnerable to arbitrary file upload due to a flawed file type validation bypass in the `upload_extension_files()` function in all versions up to, and including, 1.4.6.

Wpovernight · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-13116Medium4.32026-07-11The PDF Invoices & Packing Slips for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.14.0 via the generate_document_shortcode due to missing validation on a user co…

Wppool · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-57379High7.12026-07-13Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPPOOL FormyChat social-contact-form allows Stored XSS.This issue affects FormyChat: from n/a through <= 2.15.3.

Wpswings · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-10628Medium4.32026-07-11The Points and Rewards for WooCommerce plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.10.0.

Wpvibes · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-13378High7.22026-07-11The Form Vibes – Database Manager for Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Contact Form 7 Form Field in all versions up to, and including, 1.5.2 due to insufficient input sanitization and output escap…

Wpwax · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-59518Critical9.82026-07-13Deserialization of Untrusted Data vulnerability in wpWax Directorist directorist allows Object Injection.This issue affects Directorist: from n/a through <= 8.8.2.

Wpxpo · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-57377Medium6.52026-07-13Missing Authorization vulnerability in WPXPO WowAddons product-addons allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WowAddons: from n/a through <= 1.6.8.

Wpzoom · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-57712High7.12026-07-13Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPZOOM WPZOOM Portfolio wpzoom-portfolio allows Reflected XSS.This issue affects WPZOOM Portfolio: from n/a through <= 1.4.29.

Wupsales · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-6803Medium5.32026-07-11The AI Chatbot & Workflow Automation by AIWU plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.4.12.

X · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-56002High8.52026-07-08A heap bufferflow in pcfReadFont() due to missing glyph bounds checking in libXfont2 before 2.0.8  allows attackers authenticated as X client to execute code within the X server.

Xtreeme · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-3576High7.22026-07-11The Planyo Online Reservation System plugin for WordPress is vulnerable to Server-Side Request Forgery leading to Local File Inclusion in all versions up to, and including, 3.0.

Yashbhalgat · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-15531Medium5.32026-07-13A vulnerability has been found in yashbhalgat HashNeRF-pytorch up to 82885e698295982504eb6a26d060a6b2473e3706.

Yt-dlp · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-55404High7.52026-07-08yt-dlp and youtube-dl are command-line audio/video downloaders.

Yzhao062 · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-15529Medium6.32026-07-13A vulnerability was detected in yzhao062 pyod 3.5.0/3.5.1/3.5.2.

Zereight · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-61462High8.62026-07-13mcp-gitlab contains a path traversal vulnerability in the job_id parameter of build/index.js that allows attackers to redirect GitLab API requests to arbitrary endpoints.

Zitadel · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-56666Medium4.82026-07-10ZITADEL is an open source identity management platform.

Zorem · 1 CVE

CVESeverityCVSSKEVPublishedSummary
CVE-2026-57773High7.62026-07-13Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Zorem Advanced Shipment Tracking for WooCommerce woo-advanced-shipment-tracking allows Blind SQL Injection.This issue affects Advanced Sh…