Security
CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
23830
Total
1706
Critical
7474
High
7609
Medium
| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-12224 | HIGH | 8.8 | The Dokan Pro plugin for WordPress is vulnerable to privilege escalation via update_capabilities REST Endpoint in all versions up to, and including, 5.0.4. This is … | Jul 01, 2026 |
| CVE-2026-12158 | HIGH | 8.8 | The RegistrationMagic – User Registration Forms Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.0.9.1. This … | Jul 01, 2026 |
| CVE-2026-11387 | CRITICAL | 9.8 | The SMS Alert – SMS & OTP for WooCommerce, Order Notifications & Abandoned Cart Recovery plugin for WordPress is vulnerable to privilege escalation via account … | Jul 01, 2026 |
| CVE-2026-10540 | MEDIUM | 5.6 | The Control-M/Enterprise Manager uses weak protections for stored hashes of account passwords, potentially allowing offline password recovery attacks if credential data is obtained by an … | Jul 01, 2026 |
| CVE-2026-10539 | CRITICAL | 9.0 | A Control-M/Server communication command does not sufficiently filter or sanitize user-supplied input. Under certain conditions, this issue may allow an unauthenticated attacker to execute unauthorized … | Jul 01, 2026 |
| CVE-2026-10538 | HIGH | 8.0 | Messaging consumer functionality allows deserialization of user-controlled data without sufficient restriction of allowed object types in the out of support Control-M/Server and Control-M/Enterprise Manager versions … | Jul 01, 2026 |
| CVE-2026-10096 | MEDIUM | 4.3 | The Qi Blocks plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.4.9 via the 'page_id' parameter … | Jul 01, 2026 |
| CVE-2026-1239 | HIGH | 7.5 | The Ninja Forms – The Contact Form Builder That Grows With You plugin for WordPress is vulnerable to unauthorized access of data due to a … | Jul 01, 2026 |
| CVE-2026-14193 | HIGH | 7.5 | DVP80ES300T with Improper Validation of Array Index Vulnerability | Jul 01, 2026 |
| CVE-2026-12579 | HIGH | 7.4 | AS228T with Authentication Bypass Vulnerability | Jul 01, 2026 |
| CVE-2026-11887 | MEDIUM | 4.3 | The Salon Booking System WordPress plugin before 10.30.20 does not have proper authorisation checks on one of its AJAX actions, allowing any authenticated user, such … | Jul 01, 2026 |
| CVE-2026-11883 | HIGH | 7.2 | The WebAuthn Provider for Two Factor WordPress plugin before 2.5.6 does not correctly validate the second-factor authentication response, allowing an attacker who already knows a … | Jul 01, 2026 |
| CVE-2026-11880 | LOW | 3.1 | The Fluent Forms WordPress plugin before 6.2.1 does not properly verify ownership before processing a subscription cancellation request, allowing authenticated users with a low-privilege account … | Jul 01, 2026 |
| CVE-2026-11823 | HIGH | 7.5 | The BookingPress Appointment Booking Pro plugin for WordPress is vulnerable to SQL Injection via the 'store_service_date' parameter of the bpa_assign_staffmember_to_slots() function in versions up to … | Jul 01, 2026 |
| CVE-2026-11794 | HIGH | 8.1 | The Advanced Form Integration — Connect Forms to 200+ Apps WordPress plugin before 2.1.1 does not restrict the WordPress role assigned when it creates a … | Jul 01, 2026 |
| CVE-2026-11570 | MEDIUM | 4.2 | The User Submitted Posts WordPress plugin before 20260608 does not escape a submitted value before outputting it in an admin-configured display template, leading to a … | Jul 01, 2026 |
| CVE-2026-11568 | HIGH | 7.5 | The Product Configurator for WooCommerce WordPress plugin before 1.7.3 does not perform any authorisation or post-status check before returning WooCommerce product data through a public … | Jul 01, 2026 |
| CVE-2026-11562 | MEDIUM | 4.3 | The WS Form LITE WordPress plugin before 1.11.8 does not have a capability check on one of its settings-update actions, allowing authenticated users with subscriber-level … | Jul 01, 2026 |
| CVE-2026-10750 | HIGH | 8.1 | The Royal MCP WordPress plugin before 1.4.26 does not perform capability checks on the majority of its MCP tools after token authentication, allowing authenticated users … | Jul 01, 2026 |
| CVE-2025-15666 | MEDIUM | 5.3 | A security vulnerability has been detected in Open Asset Import Library Assimp up to 5.4.3. Affected by this vulnerability is the function Assimp::SceneCombiner::Copy of the … | Jul 01, 2026 |
| CVE-2026-9107 | MEDIUM | 6.4 | The Kali Forms — Contact Form & Drag-and-Drop Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'meta[kaliforms_field_components]' parameter in all versions … | Jul 01, 2026 |
| CVE-2026-7840 | CRITICAL | 9.8 | UltraVNC repeater through 1.8.2.2 contains a global buffer overflow in its embedded HTTP administration server. The functions wi_senderr() and wi_replyhdr() in repeater/webgui/webutils.c write the caller-supplied … | Jul 01, 2026 |
| CVE-2026-7839 | CRITICAL | 9.1 | UltraVNC repeater through 1.8.2.2 initializes the HTTP administration server with a hardcoded default password. In repeater/webgui/settings.c:197, when settings2.txt is absent on first run the repeater … | Jul 01, 2026 |
| CVE-2026-7838 | HIGH | 8.8 | UltraVNC viewer through 1.8.2.2 contains an integer overflow leading to a heap buffer overflow in the RFB protocol failure-response parsing path. In vncviewer/ClientConnection.cpp, the 4-byte … | Jul 01, 2026 |
| CVE-2026-7831 | HIGH | 7.6 | UltraVNC viewer through 1.8.2.2 contains an off-by-one stack buffer overflow in the RFB ServerInit message handler. In vncviewer/ClientConnection.cpp, when the server-supplied nameLength equals exactly 2024 … | Jul 01, 2026 |