Search Results (359387 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-7850 | | | 2026-06-17 | 5.9 Medium |
| The WP Magnific Popup WordPress plugin through 1.0 does not properly escape user-controlled link URLs before injecting them into the DOM when displaying image load error messages, allowing authenticated attackers with Author-level access or above to perform Stored Cross-Site Scripting attacks against any visiting user. | ||||
| CVE-2025-69147 | | | 2026-06-17 | 8.1 High |
| Unauthenticated Local File Inclusion in Putter <= 1.17 versions. | ||||
| CVE-2025-69149 | | | 2026-06-17 | 8.1 High |
| Unauthenticated Local File Inclusion in Top Dog <= 1.0.5 versions. | ||||
| CVE-2025-69150 | | | 2026-06-17 | 8.1 High |
| Unauthenticated Local File Inclusion in Medeus <= 1.14 versions. | ||||
| CVE-2025-69151 | 2 Themegoods, Wordpress | 2 Grand Car Rental, Wordpress | 2026-06-17 | 7.1 High |
| Unauthenticated Cross Site Scripting (XSS) in Grand Car Rental <= 3.7 versions. | ||||
| CVE-2026-8089 | | | 2026-06-17 | 7.1 High |
| The weMail: Email Marketing, Email Automation, Newsletters, Subscribers & Email Optins for WooCommerce WordPress plugin before 2.1.3 does not properly escape a user-supplied parameter before reflecting it into an HTML attribute on a non-nonce-protected AJAX response, allowing unauthenticated attackers to deliver Reflected Cross-Site Scripting against any authenticated user (including administrators) via a crafted URL. | ||||
| CVE-2025-69159 | | | 2026-06-17 | 8.1 High |
| Unauthenticated Local File Inclusion in Printo <= 1.11 versions. | ||||
| CVE-2025-69160 | | | 2026-06-17 | 8.1 High |
| Unauthenticated Local File Inclusion in Gita <= 1.11 versions. | ||||
| CVE-2025-69162 | | | 2026-06-17 | 8.1 High |
| Unauthenticated Local File Inclusion in Grecko <= 5.17 versions. | ||||
| CVE-2026-8383 | | | 2026-06-17 | 5.3 Medium |
| The LearnPress WordPress plugin before 4.3.7 does not gate the `edit` context on one of its REST endpoints behind the `edit_users` capability, allowing unauthenticated visitors to retrieve each returned user's roles, full capabilities map, extra capabilities, locale, and registration date via a crafted request. | ||||
| CVE-2025-69163 | | | 2026-06-17 | 8.1 High |
| Unauthenticated Local File Inclusion in WineShop <= 3.17 versions. | ||||
| CVE-2025-69165 | | | 2026-06-17 | 8.1 High |
| Unauthenticated Local File Inclusion in Choreo <= 1.6 versions. | ||||
| CVE-2025-69167 | | | 2026-06-17 | 8.1 High |
| Unauthenticated Local File Inclusion in Eros <= 1.3 versions. | ||||
| CVE-2026-9570 | 2 Taskbuilder, Wordpress | 2 Taskbuilder, Wordpress | 2026-06-17 | 7.1 High |
| The Taskbuilder WordPress plugin before 5.0.8 does not properly sanitise a URL parameter before echoing it into inline JavaScript on a frontend page containing one of its shortcodes, leading to a Reflected Cross-Site Scripting vulnerability that can be triggered against any logged-in user. | ||||
| CVE-2025-69168 | | | 2026-06-17 | 8.1 High |
| Unauthenticated Local File Inclusion in Spike <= 1.2 versions. | ||||
| CVE-2025-69176 | | | 2026-06-17 | 8.1 High |
| Unauthenticated Local File Inclusion in ITactics <= 1.0 versions. | ||||
| CVE-2025-69177 | | | 2026-06-17 | 8.1 High |
| Unauthenticated Local File Inclusion in Roneous <= 2.1.5 versions. | ||||
| CVE-2026-28819 | 1 Apple | 4 Ios And Ipados, Ipados, Iphone Os and 1 more | 2026-06-17 | 5.4 Medium |
| An out-of-bounds write issue was addressed with improved bounds checking. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5. An app may be able to execute arbitrary code with kernel privileges. | ||||
| CVE-2026-45185 | 1 Exim | 1 Exim | 2026-06-17 | 9.8 Critical |
| Exim before 4.99.3, in certain GnuTLS configurations, has a remotely reachable use-after-free in the BDAT body parsing path. It is triggered when a client sends a TLS close_notify mid-body during a CHUNKING transfer, followed by a final cleartext byte on the same TCP connection. This can lead to heap corruption. An unauthenticated network attacker exploiting this vulnerability could execute arbitrary code. | ||||
| CVE-2026-29205 | 2 Webpros, Wordpress | 3 Cpanel, Wp Squared, Wordpress | 2026-06-17 | 8.6 High |
| Incorrect privilege management and insufficient path filtering allow reading an arbitrary file on the server via the cpdavd attachment download endpoints. | ||||