Search

Search Results (365177 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2026-13353 2 Smackcoders, Wordpress 2 Wp Ultimate Csv Importer – Wordpress Import & Export For Csv, Xml & Excel, Wordpress 2026-07-13 8.8 High
The WP Ultimate CSV Importer – WordPress Import & Export for CSV, XML & Excel plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 8.0.1 via the 'MappedFields' parameter. This is due to missing capability checks on the AJAX handlers for install_addon, saveMappedFields, and StartImport, combined with the plugin nonce being exposed to any authenticated user who can load an admin page, allowing a Subscriber to install the Import WooCommerce add-on, persist attacker-controlled PHP expressions in the MappedFields parameter, and trigger evaluation via eval() in ImportHelpers::get_meta_values(). This makes it possible for authenticated attackers, with subscriber-level access and above, to execute code on the server.
CVE-2026-2354 2 Wordpress, Wpmessiah 2 Wordpress, Swiss Toolkit For Wp 2026-07-13 8.8 High
The Swiss Toolkit For WP plugin for WordPress is vulnerable to arbitrary file upload due to a flawed file type validation bypass in the `upload_extension_files()` function in all versions up to, and including, 1.4.6. The `upload_extension_files()` function hooks into WordPress's `wp_check_filetype_and_ext` filter and uses `strpos()` to check if a filename contains a configured extension string, rather than verifying the actual file extension. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files (including PHP) on the affected site's server which may make remote code execution possible, granted the "Enhanced Multi-Format Image Support" feature is enabled with at least one extension (e.g., avif) in the allowed formats.
CVE-2026-6803 2 Wordpress, Wupsales 2 Wordpress, Ai Copilot – Content Generator 2026-07-13 5.3 Medium
The AI Chatbot & Workflow Automation by AIWU plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.4.12. This is due to missing capability checks and nonce verification on AJAX actions registered under both wp_ajax_ and wp_ajax_nopriv_ hooks, as the base controller's getPermissions() returns an empty array and neither removeGroup nor clear are added to getNoncedMethods(), causing the authorization gate to unconditionally return true for these actions. This makes it possible for unauthenticated attackers to delete specific records by ID or delete all records from any module's database table by unauthenticated attackers.
CVE-2026-57391 2 Tangible, Wordpress 2 Loops & Logic, Wordpress 2026-07-13 6.5 Medium
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Tangible Loops & Logic tangible-loops-and-logic allows Stored XSS.This issue affects Loops & Logic: from n/a through <= 4.2.3.
CVE-2026-57713 2 Marcus (aka @msykes), Wordpress 2 Events Manager, Wordpress 2026-07-13 8.8 High
Deserialization of Untrusted Data vulnerability in Marcus (aka @msykes) Events Manager events-manager allows Object Injection.This issue affects Events Manager: from n/a through <= 7.3.6.
CVE-2026-15539 1 Sourcecodester 1 Online Book Store System 2026-07-13 4.7 Medium
A security vulnerability has been detected in SourceCodester Online Book Store System 1.0. Impacted is an unknown function of the file /admin/index.php?page=books of the component Book Image Upload Feature. Such manipulation leads to unrestricted upload. The attack may be performed from remote. The exploit has been disclosed publicly and may be used.
CVE-2026-14165 1 Dassault Systèmes 1 Tuleap Enterprise Edition 2026-07-13 7.5 High
An Authorization Bypass Through User-Controlled Key vulnerability affecting Tuleap Enterprise Edition from 17.0 through 17.5 could allow an attacker to access data of other users without authorization.
CVE-2026-57829 2026-07-13 N/A
The Joomla extension Helix Ultimate is vulnerable to an unauthenticated stored XSS.
CVE-2026-9708 1 Mattermost 1 Mattermost 2026-07-13 4.9 Medium
Mattermost versions 11.7.x <= 11.7.2, 11.6.x <= 11.6.4, 10.11.x <= 10.11.19 fail to validate that an assigned incoming webhook user has access to the target team or channel, which allows a requester with webhook management permissions to create posts or direct messages attributed to another user via crafted incoming webhook configuration and payloads.. Mattermost Advisory ID: MMSA-2026-00683
CVE-2026-50135 1 Gohugo 1 Hugo 2026-07-13 N/A
Hugo is a static site generator. From 0.123.0 to 0.161.1, a regression made  RootMappingFs.statRoot  use  Stat  (follows symlinks) instead of  Lstat , so a direct  resources.Get  of a symlink pointing outside its mount returned the target's contents — letting a symlink planted in a local mount (e.g. a vendored  themes/  theme) read arbitrary files accessible to the Hugo user. Go-module themes from GitHub (symlinks stripped) and directory walks were unaffected. Fixed in 0.162.0.
CVE-2026-28378 1 Grafana 2 Grafana, Grafana Enterprise 2026-07-13 3.1 Low
The public dashboard deletion endpoint does not enforce organization isolation, allowing an Org Admin in one organization to delete public dashboards belonging to a different organization by supplying the target dashboard's identifiers.
CVE-2026-56279 1 Cap-go 1 Cap-go 2026-07-13 7.5 High
Capgo before 12.128.2 contains an information disclosure vulnerability in the get_orgs_v7(userid) RPC function that remains publicly invokable despite intended private access controls. Unauthenticated attackers can supply arbitrary user UUIDs to retrieve foreign users' organization membership, roles, management emails, and billing metadata.
CVE-2026-56305 1 Cap-go 1 Cap-go 2026-07-13 8.3 High
Capgo before 12.128.2 contains an authentication bypass vulnerability in the password change endpoint that allows attackers to change user passwords without requiring current password confirmation. Attackers with temporary session access can exploit this flaw to permanently lock out legitimate users and achieve full account takeover.
CVE-2026-57726 2 Themeum, Wordpress 2 Kirki, Wordpress 2026-07-13 9.3 Critical
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Themeum Kirki kirki allows Blind SQL Injection.This issue affects Kirki: from n/a through <= 6.0.12.
CVE-2026-4769 1 Wago 9 0765-110x/0100-0000, 0765-120x/0100-0000, 0765-150x/0100-0000 and 6 more 2026-07-13 9.8 Critical
Certain devices in the WAGO System I/O Field series activate an internal diagnostic capability during the initial startup sequence. This functionality is not formally documented and becomes accessible without authentication for a brief period in the early boot phase. During this window, an unauthenticated remote attacker can gain access to the internal system processes, resulting in full system compromise.
CVE-2026-15545 1 Shibby 1 Tomato 2026-07-13 8.8 High
A vulnerability was identified in Shibby Tomato up to 1.28.0000. Affected by this vulnerability is the function main of the file www/apcupsd/tomatodata.cgi of the component apcupsd. Such manipulation leads to out-of-bounds write. The attack may be launched remotely. The exploit is publicly available and might be used. This project is superseded by FreshTomato.
CVE-2026-15574 1 Redhat 1 Openshift Ai 2026-07-13 7.5 High
A flaw was found in the vllm-orchestrator-gateway component. The system's production binary logs all incoming authorization headers and full chat payloads, which may contain personally identifiable information (PII) and secrets, to persistent logs. This sensitive data, including bearer tokens and chat content, can be accessed by any user with logging privileges. This vulnerability leads to information disclosure, potentially allowing an attacker to harvest credentials and sensitive conversation content.
CVE-2026-13039 2 Arraytics, Wordpress 2 Eventin – Event Calendar, Event Registration, Tickets & Booking (ai Powered), Wordpress 2026-07-13 5.3 Medium
The Eventin – Event Calendar, Event Registration, Tickets & Booking (AI Powered) plugin for WordPress is vulnerable to authorization bypass due to a regression in versions from 4.0.26 up to and including 4.1.15. This is due to the plugin not properly verifying that a user is authorized to perform an action in the payment_complete() function of PaymentController.php. This makes it possible for unauthenticated attackers to mark unpaid ticket orders as completed by submitting a fabricated SureCart checkout ID or FluentCart cart hash, granting themselves paid event access, QR-code attendee tickets, and order confirmation emails without making any real payment. The wp_rest nonce required to reach the vulnerable endpoint is embedded in every public event page, meaning no WordPress session or credentials are needed to obtain it. This vulnerability represents a regression — the same function and endpoint were previously patched but the fix did not persist through subsequent releases.
CVE-2026-3552 2 Surflabtech, Wordpress 2 Surflink – Link Manager & Backup Restore, Wordpress 2026-07-13 4.3 Medium
The SurfLink - Ultimate Link Manager plugin for WordPress is vulnerable to unauthorized data modification due to a missing capability check on the ajax_import_410() function in all versions up to 2.6.0. This is due to a missing capability check (current_user_can()) and missing nonce verification (check_ajax_referer()) in the ajax_import_410() function, while all other AJAX handlers in the same class (ajax_add_single_410, ajax_save_editted_410, ajax_delete_410, ajax_bulk_410_delete, ajax_empty_410, ajax_export_410) properly implement both authorization and nonce checks. This makes it possible for authenticated attackers, with Subscriber-level access and above, to import arbitrary URLs into the 410 Gone database table via the surfl_import_410 AJAX action. Injected URLs will cause the site to return HTTP 410 Gone responses to all visitors accessing those paths, potentially causing denial of service for legitimate pages and SEO damage through search engine delisting.
CVE-2026-5743 2 Gallerycreator, Wordpress 2 Simply Gallery, Wordpress 2026-07-13 6.4 Medium
The SimpLy Gallery Block & Lightbox plugin for WordPress is vulnerable to Stored Cross-Site Scripting via block attributes in all versions up to, and including, 3.3.3.2. This is due to insufficient input sanitization and output escaping on the sliderMaxHeight block attribute in the pgc_sgb_render_callback() function. The vulnerability exists because the pgc_sgb_sanitize_custom_css() function uses a flawed regex pattern that only removes event handlers with quoted values (e.g., onfocus="alert()") but fails to catch unquoted event handlers (e.g., onfocus=alert(document.cookie)), allowing the malicious code to bypass sanitization. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages via block attributes that will execute whenever a user accesses an injected page.