Export limit exceeded: 364191 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.

Search

Search Results (364191 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2026-15096 2026-07-13 6.4 Medium
The Themify Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Map Module 'b_width_map' Field in all versions up to, and including, 7.7.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2026-11591 2 Trustindex, Wordpress 2 Widgets For Google Reviews, Wordpress 2026-07-13 4.4 Medium
The Widgets for Google Reviews plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 13.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with editor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
CVE-2026-12994 2 Wclovers, Wordpress 2 Wcfm – Frontend Manager For Woocommerce, Wordpress 2026-07-13 5.3 Medium
The WCFM – Frontend Manager for WooCommerce plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 6.7.27. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to inject arbitrary reply content into any store inquiry, overwrite the main inquiry record in wp_wcfm_enquiries, and trigger unsolicited notification emails to customers and vendors. Unlike sibling controller branches (wcfm-enquiry and wcfm-enquiry-manage), the wcfm-my-account-enquiry-manage branch performs no is_user_logged_in() or current_user_can() check, and the nonce that serves as the sole barrier is embedded into every public page load without any login gate.
CVE-2026-55475 1 Grokability 1 Snipe-it 2026-07-13 5.7 Medium
Snipe-IT is an IT asset/license management system. Prior to 8.6.1, the Importer API endpoint allows a user with CSV import capabilities and a valid API key to overwrite the created_by value of an import file, allowing unauthorized modification of import ownership metadata. This issue is fixed in version 8.6.1.
CVE-2026-61448 1 Parse Community 1 Parse Server 2026-07-13 N/A
Parse Server is affected by a stored cross-site scripting (XSS) vulnerability in versions >= 9.0.0, < 9.10.0-alpha.2 and <= 8.6.83. When an uploaded file's extension is not recognized by the mime package, Parse Server preserves the client-supplied Content-Type. A malformed Content-Type that is not a valid type/subtype media type (e.g., 'image', 'image/', or 'image//svg+xml') bypasses the fileUpload.fileExtensions blocklist and is stored unchanged. On storage adapters that persist and serve the uploaded Content-Type (such as Amazon S3, Google Cloud Storage, or Azure Blob Storage), a browser cannot parse the malformed value and falls back to MIME-sniffing; a file whose body begins with HTML is rendered as HTML, executing embedded script in the application's origin against other users who open the file URL. The default GridFS storage adapter is not affected. Fixed in 9.10.0-alpha.2 and 8.6.84.
CVE-2026-61870 1 Imagemagick 1 Imagemagick 2026-07-13 2.9 Low
ImageMagick before 7.1.2-26 contains a memory leak vulnerability in the VIFF encoder when memory allocation fails. Attackers can trigger allocation failures by processing specially crafted VIFF images to exhaust available memory and cause denial of service.
CVE-2026-15470 1 Eleveo 1 Call Recording Software 2026-07-13 4.3 Medium
A vulnerability has been found in Eleveo Call Recording Software 9.7.0. Affected by this issue is some unknown functionality of the file /callrec/group.jsp. Such manipulation leads to improper authorization. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2026-58587 1 Drupal 1 Drupal Canvas 2026-07-13 6.1 Medium
Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Drupal Canvas allows Cross-Site Scripting (XSS). This issue affects Drupal Canvas versions: from 0.0.0 to 1.4.2, from 1.5.0 to 1.5.2, from 1.6.0 to 1.6.1, from 1.7.0 to 1.7.1.
CVE-2026-15476 1 Qiling 1 Disk Master 2026-07-13 5.3 Medium
A security vulnerability has been detected in QILING Disk Master 6.0.0.0. The impacted element is an unknown function in the library diskbckp.sys of the component Kernel Driver. Such manipulation leads to improper access controls. The attack can only be performed from a local environment. The exploit has been disclosed publicly and may be used. It is suggested to upgrade the affected component.
CVE-2026-57396 2026-07-13 7.1 High
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Flintop Free Gifts for WooCommerce free-gifts-for-woocommerce allows Stored XSS.This issue affects Free Gifts for WooCommerce: from n/a through <= 13.1.0.
CVE-2026-57402 2 Wordpress, Wpdesk 2 Wordpress, Flexible Refund And Return Order For Woocommerce 2026-07-13 6.5 Medium
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpdesk Flexible Refund and Return Order for WooCommerce flexible-refund-and-return-order-for-woocommerce allows Stored XSS.This issue affects Flexible Refund and Return Order for WooCommerce: from n/a through <= 1.0.51.
CVE-2026-57403 2 Milan Petrovic, Wordpress 2 Gd Security Headers, Wordpress 2026-07-13 7.1 High
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Milan Petrovic GD Security Headers gd-security-headers allows Reflected XSS.This issue affects GD Security Headers: from n/a through <= 1.8.
CVE-2026-57404 2026-07-13 6.5 Medium
Missing Authorization vulnerability in magepeopleteam Booking and Rental Manager booking-and-rental-manager-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Booking and Rental Manager: from n/a through <= 2.6.9.
CVE-2026-57408 2 Peachpayments, Wordpress 2 Peach Payments Gateway, Wordpress 2026-07-13 6.5 Medium
Missing Authorization vulnerability in peachpayments Peach Payments Gateway wc-peach-payments-gateway allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Peach Payments Gateway: from n/a through <= 4.0.2.
CVE-2026-57409 2 Realmag777, Wordpress 2 Active Products Tables For Woocommerce, Wordpress 2026-07-13 7.1 High
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in RealMag777 Active Products Tables for WooCommerce profit-products-tables-for-woocommerce allows DOM-Based XSS.This issue affects Active Products Tables for WooCommerce: from n/a through <= 1.1.0.
CVE-2026-57414 2 Quantumcloud, Wordpress 2 Chatbot For Ecommerce – Woowbot, Wordpress 2026-07-13 6.5 Medium
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in QuantumCloud ChatBot for eCommerce &#8211; WoowBot woowbot-woocommerce-chatbot allows Stored XSS.This issue affects ChatBot for eCommerce &#8211; WoowBot: from n/a through <= 4.6.1.
CVE-2026-57415 2 Codemenschen, Wordpress 2 Gift Vouchers, Wordpress 2026-07-13 7.1 High
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Codemenschen Gift Vouchers gift-voucher allows Stored XSS.This issue affects Gift Vouchers: from n/a through <= 4.7.0.
CVE-2026-57420 2 Netrr, Wordpress 2 Author Box Wp Lens, Wordpress 2026-07-13 6.5 Medium
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Netrr Author Box WP Lens author-box-for-divi allows Stored XSS.This issue affects Author Box WP Lens: from n/a through <= 2.1.5.
CVE-2026-57421 2 Crmperks, Wordpress 2 Crm Perks Forms, Wordpress 2026-07-13 7.1 High
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CRM Perks CRM Perks Forms crm-perks-forms allows Reflected XSS.This issue affects CRM Perks Forms: from n/a through <= 1.1.7.
CVE-2026-57691 2026-07-13 5.8 Medium
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Eli Anti-Malware Security and Brute-Force Firewall gotmls allows Reflected XSS.This issue affects Anti-Malware Security and Brute-Force Firewall: from n/a through <= 4.23.89.