Security
CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
23830
Total
1706
Critical
7474
High
7609
Medium
| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-7830 | HIGH | 7.4 | UltraVNC through 1.8.2.2 uses inadequate cryptography in the MS-Logon II authentication scheme (rfbUltraVNC_MsLogonIIAuth). In rfb/dh.cpp the Diffie-Hellman key exchange is performed with parameters that fit … | Jul 01, 2026 |
| CVE-2026-7829 | HIGH | 7.2 | UltraVNC repeater through 1.8.2.2 contains a post-authentication out-of-bounds write in the allow/deny rule parser. In repeater/webgui/settings.c:225-272, after strncpy_s copies a rule token into temp1[rule1] (25-byte … | Jul 01, 2026 |
| CVE-2026-7828 | MEDIUM | 5.3 | UltraVNC repeater through 1.8.2.2 contains an integer overflow in the HTTP request logging path. In repeater/webgui/settings.c:336, the win_log() function allocates list nodes via malloc(sizeof(struct LIST) … | Jul 01, 2026 |
| CVE-2026-7517 | HIGH | 7.2 | The Custom Payment Gateways for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'alg_wc_cpg_input_fields' parameter in all versions up to, and … | Jul 01, 2026 |
| CVE-2026-6070 | CRITICAL | 9.1 | The WP-BusinessDirectory plugin for WordPress is vulnerable to Unauthenticated Arbitrary File Deletion in versions up to and including 4.0.1. This is due to insufficient path … | Jul 01, 2026 |
| CVE-2026-58519 | UNKNOWN | — | Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in The Wikimedia Foundation Mediawiki - Cargo Extension allows Stored XSS. This issue affects … | Jul 01, 2026 |
| CVE-2026-58518 | UNKNOWN | — | Cross-Site request forgery (CSRF) vulnerability in The Wikimedia Foundation Mediawiki - RedirectManager Extension allows Cross Site Request Forgery. This issue affects Mediawiki - RedirectManager Extension: … | Jul 01, 2026 |
| CVE-2026-44042 | LOW | 3.7 | UltraVNC repeater through 1.8.2.2 contains an off-by-one error in the Base64 decode helper used for HTTP Basic authentication. In repeater/webgui/webutils.c:817, the wi_uudecode() function checks whether … | Jul 01, 2026 |
| CVE-2026-44041 | MEDIUM | 4.3 | UltraVNC through 1.8.2.2 contains an out-of-bounds read in the wide-string to multibyte conversion helper. In rfb/dh.cpp:204, the vncWc2Mb() function passes a caller-supplied WCHAR pointer to … | Jul 01, 2026 |
| CVE-2026-44040 | MEDIUM | 4.8 | UltraVNC through 1.8.2.2 uses a cryptographically weak pseudo-random number generator to produce VNC authentication challenge bytes. In rfb/vncauth.c:119-129, the vncRandomBytes() function seeds libc rand() with … | Jul 01, 2026 |
| CVE-2026-2387 | MEDIUM | 6.4 | The Event Organiser plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 3.12.9. This is due to the … | Jul 01, 2026 |
| CVE-2026-13731 | HIGH | 7.2 | The WPBot – AI ChatBot for Live Support, Lead Generation, AI Services plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'conversation' parameter … | Jul 01, 2026 |
| CVE-2026-13468 | HIGH | 7.5 | The Visualizer – Tables & Charts Manager with Built-in AI Generator plugin for WordPress is vulnerable to authorization bypass in all versions up to, and … | Jul 01, 2026 |
| CVE-2026-13443 | MEDIUM | 6.4 | The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Lesson Attachment Title in all versions … | Jul 01, 2026 |
| CVE-2026-13246 | MEDIUM | 6.4 | The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'block_id' (and other) shortcode attributes of … | Jul 01, 2026 |
| CVE-2026-13015 | MEDIUM | 6.1 | The Wp Google Places Review Slider plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'place' parameter in versions up to, and including, … | Jul 01, 2026 |
| CVE-2026-12923 | HIGH | 7.5 | The Youtube Showcase plugin for WordPress is vulnerable to Arbitrary Function Call in versions up to and including 4.0.3. This is due to insufficient validation … | Jul 01, 2026 |
| CVE-2026-12904 | MEDIUM | 4.3 | The Kadence Blocks – Gutenberg Blocks for Page Builder Features plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to and … | Jul 01, 2026 |
| CVE-2026-12902 | MEDIUM | 4.3 | The Kadence Blocks — Page Builder Toolkit for Gutenberg Editor plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, … | Jul 01, 2026 |
| CVE-2026-12135 | MEDIUM | 6.4 | The FV Flowplayer Video Player plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'video_player' shortcode 'align' attribute in all versions up to, … | Jul 01, 2026 |
| CVE-2026-12133 | MEDIUM | 4.3 | The JoomSport – for Sports: Team & League, Football, Hockey & more plugin for WordPress is vulnerable to Missing Authorization to Arbitrary Group Deletion in … | Jul 01, 2026 |
| CVE-2026-12127 | MEDIUM | 5.3 | The WPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & More plugin for WordPress is vulnerable to Improper Neutralization of … | Jul 01, 2026 |
| CVE-2026-12113 | MEDIUM | 4.3 | The Appointment Booking Calendar plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.4.02 via the cpabc_appointments_filter_list. This … | Jul 01, 2026 |
| CVE-2026-12110 | MEDIUM | 6.5 | The Taskbuilder – Project Management & Task Management Tool With Kanban Board plugin for WordPress is vulnerable to generic SQL Injection via the 'task_search' parameter … | Jul 01, 2026 |
| CVE-2026-12090 | MEDIUM | 6.5 | The Taskbuilder – Project Management & Task Management Tool With Kanban Board plugin for WordPress is vulnerable to generic SQL Injection via the 'wppm_proj_filter' parameter … | Jul 01, 2026 |