Security
CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
23830
Total
1706
Critical
7474
High
7609
Medium
| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-53907 | UNKNOWN | — | MCO is vulnerable to Stored Cross‑Site Scripting (XSS) via the application logo upload functionality. An attacker with the ability to change the application logo can … | Jul 01, 2026 |
| CVE-2026-53906 | UNKNOWN | — | MCO is vulnerable to Path Disclosure and Path Traversal in file handling functionality related to data export and upload. Improper validation of the filename parameter … | Jul 01, 2026 |
| CVE-2026-53905 | UNKNOWN | — | MCO does not properly enforce authorization checks in the /customer/servlet/mco/webapi/admin-view-hierarchy/get-acl-tree-structure endpoint. An authenticated, low-privileged user can retrieve administrator access control structures without proper authorization checks. … | Jul 01, 2026 |
| CVE-2026-53904 | UNKNOWN | — | MCO is vulnerable to Account Denial of Service due to improper implementation of password reset functionality. Each password reset request invalidates previously set password as … | Jul 01, 2026 |
| CVE-2026-53903 | UNKNOWN | — | MCO is vulnerable to an Insecure Direct Object Reference (IDOR) vulnerability in the /customer/servlet/mco/webapi/trading-document/fetchPdfStatement endpoint. The application does not properly validate whether an authenticated user … | Jul 01, 2026 |
| CVE-2026-53902 | UNKNOWN | — | MCO does not properly enforce authorization checks in the /customer/servlet/mco/webapi/profile-sections/group-membership endpoint. An authenticated user can modify their group membership without proper authorization checks, allowing privilege … | Jul 01, 2026 |
| CVE-2026-14198 | CRITICAL | 9.1 | @fastify/middie versions 9.1.0 through 9.3.2 decode the encoded slash %2F inside path parameter values before matching middleware paths, while Fastify's underlying router preserves the encoding … | Jul 01, 2026 |
| CVE-2026-14181 | HIGH | 7.5 | @fastify/middie versions 9.1.0 through 9.3.2 fail to guard the URL normalization step used by the standalone engine when incoming request paths contain malformed percent-encoded sequences. … | Jul 01, 2026 |
| CVE-2026-13323 | MEDIUM | 4.1 | In Open VSX Registry before 1.0.2, the /vscode/unpkg/ endpoint serves user-supplied HTML files with Content-Type: text/html and without a Content-Security-Policy or Content-Disposition: attachment response header. … | Jul 01, 2026 |
| CVE-2026-14258 | MEDIUM | 6.5 | A flaw was found in dhcpcd's IPv6 Neighbor Discovery Router Advertisement processing. A specially crafted IPv6 Router Advertisement containing a zero-length Neighbor Discovery option can … | Jul 01, 2026 |
| CVE-2026-13228 | HIGH | 8.8 | The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Privilege Escalation to Administrator in versions up to, and … | Jul 01, 2026 |
| CVE-2026-12142 | HIGH | 7.2 | The NEX-Forms – Ultimate Forms Plugin for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via '_name[]' Array Parameter in all versions up … | Jul 01, 2026 |
| CVE-2026-10095 | MEDIUM | 6.4 | The WP Photo Album Plus plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'subtext' parameter in all versions up to, and including, … | Jul 01, 2026 |
| CVE-2026-27435 | MEDIUM | 5.3 | Missing Authorization vulnerability in WofficeIO Woffice allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Woffice: from n/a before 5.4.33. | Jul 01, 2026 |
| CVE-2026-13454 | MEDIUM | 6.5 | The MotoPress Appointment Booking plugin for WordPress is vulnerable to generic SQL Injection via the 's' parameter in all versions up to, and including, 2.4.5 … | Jul 01, 2026 |
| CVE-2026-12754 | MEDIUM | 6.1 | The VikBooking Hotel Booking Engine & PMS plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'layoutstyle' parameter in all versions up to, … | Jul 01, 2026 |
| CVE-2026-56016 | MEDIUM | 5.9 | CGI::Session::ID::md5 versions before 4.49 for Perl generate predictable session ids from low-entropy sources. The generate_id method builds the session id from a MD5 digest of … | Jul 01, 2026 |
| CVE-2026-50043 | HIGH | 7.2 | Improper neutralization of special elements used in an OS command ('OS Command Injection') issue exists in SkyBridge MB-A100/MB-A110. If this vulnerability is exploited, an arbitrary … | Jul 01, 2026 |
| CVE-2026-13733 | MEDIUM | 6.4 | The Download Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'no_data_msg' Shortcode Attribute in all versions up to, and including, 3.3.60 due … | Jul 01, 2026 |
| CVE-2026-12732 | MEDIUM | 6.4 | The LearnPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'class_wrapper_form' shortcode attribute in versions up to, and including, 4.4.0. This is … | Jul 01, 2026 |
| CVE-2026-12577 | UNKNOWN | — | DVP80ES3 with Improperly Implemented Security Check for Standard vulnerability. | Jul 01, 2026 |
| CVE-2026-12576 | HIGH | 7.5 | DVP80ES3 with Improper Enforcement of Message Integrity During Transmission in a Communication Channel vulnerability. | Jul 01, 2026 |
| CVE-2026-12575 | HIGH | 7.5 | DVP80ES3 with Improper Resource Shutdown or Release vulnerability. | Jul 01, 2026 |
| CVE-2026-12435 | MEDIUM | 4.3 | The Motors – Car Dealership & Classified Listings Plugin plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.4.111. … | Jul 01, 2026 |
| CVE-2026-12408 | MEDIUM | 4.3 | The Slim SEO – A Fast & Automated SEO Plugin For WordPress plugin for WordPress is vulnerable to Unauthorized Private Content Disclosure in all versions … | Jul 01, 2026 |