Security
CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
22332
Total
1596
Critical
6832
High
7160
Medium
| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-57380 | HIGH | 7.1 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in hupe13 Extensions for Leaflet Map extensions-leaflet-map allows DOM-Based XSS.This issue affects Extensions for … | Jul 13, 2026 |
| CVE-2026-57379 | HIGH | 7.1 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPPOOL FormyChat social-contact-form allows Stored XSS.This issue affects FormyChat: from n/a through <= … | Jul 13, 2026 |
| CVE-2026-57378 | HIGH | 7.5 | Missing Authorization vulnerability in Phil Kurth Advanced Forms advanced-forms allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Advanced Forms: from n/a through <= … | Jul 13, 2026 |
| CVE-2026-57377 | MEDIUM | 6.5 | Missing Authorization vulnerability in WPXPO WowAddons product-addons allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WowAddons: from n/a through <= 1.6.8. | Jul 13, 2026 |
| CVE-2026-57376 | HIGH | 7.1 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Element Invader ElementInvader Addons for Elementor elementinvader-addons-for-elementor allows DOM-Based XSS.This issue affects ElementInvader … | Jul 13, 2026 |
| CVE-2026-57375 | MEDIUM | 6.5 | Missing Authorization vulnerability in FluxBuilder MStore API mstore-api allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects MStore API: from n/a through <= 4.18.4. | Jul 13, 2026 |
| CVE-2026-57372 | HIGH | 7.2 | Server-Side Request Forgery (SSRF) vulnerability in denishua WPJAM Basic wpjam-basic allows Server Side Request Forgery.This issue affects WPJAM Basic: from n/a through <= 7.0. | Jul 13, 2026 |
| CVE-2026-57371 | HIGH | 8.8 | Deserialization of Untrusted Data vulnerability in denishua WPJAM Basic wpjam-basic allows Object Injection.This issue affects WPJAM Basic: from n/a through <= 7.0. | Jul 13, 2026 |
| CVE-2026-57369 | HIGH | 7.1 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in themifyme Themify Builder themify-builder allows Reflected XSS.This issue affects Themify Builder: from n/a … | Jul 13, 2026 |
| CVE-2026-57368 | HIGH | 7.1 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NooTheme Jobmonster noo-jobmonster allows Reflected XSS.This issue affects Jobmonster: from n/a through <= … | Jul 13, 2026 |
| CVE-2026-57365 | MEDIUM | 6.5 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Hitesh Chandwani reCAPTCHA (v2 & v3) for Asgaros Forum recaptcha-for-asgaros-forum allows DOM-Based XSS.This … | Jul 13, 2026 |
| CVE-2026-57364 | MEDIUM | 6.5 | Improper Validation of Specified Quantity in Input vulnerability in WPDeveloper Better Payment – Instant Payments, Donations, Fundraising with Subscriptions & More better-payment allows Accessing Functionality … | Jul 13, 2026 |
| CVE-2026-57363 | HIGH | 7.1 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in QuantumCloud ChatBot chatbot allows Stored XSS.This issue affects ChatBot: from n/a through <= … | Jul 13, 2026 |
| CVE-2026-49876 | MEDIUM | 6.5 | Authenticated SSRF in Gravitino JobManager allows server-side HTTP requests to internal network and cloud metadata endpoints via unvalidated job template URIs. A vulnerability in Apache … | Jul 13, 2026 |
| CVE-2026-41041 | CRITICAL | 9.1 | URL path injection via unencoded user-supplied identifiers vulnerability in Apache Gravitino. This issue affects Apache Gravitino: from 1.0.0 before 1.2.1. Users are recommended to upgrade … | Jul 13, 2026 |
| CVE-2026-22103 | UNKNOWN | — | The NPC start endpoint on the web server at port 8090 is vulnerable to command injection. | Jul 13, 2026 |
| CVE-2026-22102 | UNKNOWN | — | A POST request sent to a specific webserver endpoint can be used to write to arbitrary file locations. The endpoint accepts the filename parameter in … | Jul 13, 2026 |
| CVE-2026-22100 | UNKNOWN | — | The OCPP DataTransfer message `ReserveLogin` is vulnerable to command injection. By manipulating the data value, arbitrary OS commands can be executed as root. | Jul 13, 2026 |
| CVE-2026-22099 | UNKNOWN | — | The charging station does not require authentication for Bluetooth commands to perform actions. The functionality exposed includes sensitive information leakage, triggering reboots, or pushing a … | Jul 13, 2026 |
| CVE-2026-22098 | UNKNOWN | — | Various sensitive information such as passwords and charging card UIDs are written to log files. | Jul 13, 2026 |
| CVE-2026-22097 | UNKNOWN | — | The firmware update mechanism does not include cryptographic signature validation. This allows anyone with access to the firmware update capability to upload arbitrary files which … | Jul 13, 2026 |
| CVE-2026-22096 | UNKNOWN | — | The webserver running on port 8090 does not require authentication. This allows for sensitive information leakage such as configured passwords, or uploading files through different … | Jul 13, 2026 |
| CVE-2026-22095 | UNKNOWN | — | The network diagnosis endpoint on the web server at port 8090 is vulnerable to command injection. | Jul 13, 2026 |
| CVE-2026-22093 | UNKNOWN | — | The EVbee Service Android app uses TLS encrypted communication (HTTPS), but does not validate the certificate provided by the server. This allows an attacker on … | Jul 13, 2026 |
| CVE-2026-15557 | HIGH | 7.3 | A weakness has been identified in waooAI waoowaoo up to 0.4.1. Affected by this vulnerability is the function getInternalTaskSession/getAuthSession/requireUserAuth/requireProjectAuth/requireProjectAuthLight in the library src/lib/api-auth.ts of the … | Jul 13, 2026 |