Security
CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
- Total: 10692
- Critical: 727
- High: 3080
- Medium: 3407
| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-6397 | MEDIUM | 6.4 | The Sticky plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `cvmh-sticky` shortcode `readmoretext` attribute in versions up to and including 2.5.6. This … | May 20, 2026 |
| CVE-2026-6395 | MEDIUM | 6.1 | The Word 2 Cash plugin for WordPress is vulnerable to Cross-Site Request Forgery leading to Stored Cross-Site Scripting in versions up to and including 0.9.2. … | May 20, 2026 |
| CVE-2026-6394 | MEDIUM | 5.4 | The Nexa Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE plugin for WordPress is vulnerable to Server-Side Request Forgery (SSRF) in versions … | May 20, 2026 |
| CVE-2026-6391 | MEDIUM | 6.1 | The Sentence To SEO (keywords, description and tags) plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. … | May 20, 2026 |
| CVE-2026-6072 | MEDIUM | 6.5 | The Oliver POS – A WooCommerce Point of Sale (POS) plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in all versions up … | May 20, 2026 |
| CVE-2026-5293 | MEDIUM | 6.4 | The 診断ジェネレータ作成プラグイン (Diagnosis Generator) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'js' parameter in versions up to and including 1.4.16. This … | May 20, 2026 |
| CVE-2026-45232 | LOW | 3.1 | Rsync versions before 3.4.3 contain an off-by-one out-of-bounds stack write vulnerability in the establish_proxy_connection() function in socket.c that allows network attackers to corrupt stack memory … | May 20, 2026 |
| CVE-2026-43620 | MEDIUM | 6.5 | Rsync version 3.4.2 and prior contain a receiver-side out-of-bounds array read vulnerability in recv_files() in receiver.c that allows a malicious rsync server to crash the … | May 20, 2026 |
| CVE-2026-43619 | MEDIUM | 6.3 | Rsync version 3.4.2 and prior contain symlink race condition vulnerabilities in path-based system calls including chmod, lchown, utimes, rename, unlink, mkdir, symlink, mknod, link, rmdir, … | May 20, 2026 |
| CVE-2026-43618 | HIGH | 8.1 | Rsync version 3.4.2 and prior contain an integer overflow vulnerability in the compressed-token decoder where a 32-bit signed counter is not checked for overflow, allowing … | May 20, 2026 |
| CVE-2026-43617 | MEDIUM | 4.8 | Rsync version 3.4.2 and prior contain an authorization bypass vulnerability in the rsync daemon's hostname-based access control list enforcement when configured with chroot. Attackers can … | May 20, 2026 |
| CVE-2026-3985 | HIGH | 7.5 | The Creative Mail – Easier WordPress & WooCommerce Email Marketing plugin for WordPress is vulnerable to SQL Injection via the 'checkout_uuid' parameter in all versions … | May 20, 2026 |
| CVE-2026-45585 | MEDIUM | 6.8 | Microsoft is aware of a security feature bypass vulnerability in Windows publicly referred to as "YellowKey". The proof of concept for this vulnerability has been … | May 20, 2026 |
| CVE-2026-39309 | MEDIUM | 5.5 | Trilium Notes is a cross-platform, hierarchical note taking application focused on building large personal knowledge bases. In versions 0.102.1 and prior, the Electron configuration is … | May 20, 2026 |
| CVE-2026-35593 | MEDIUM | 6.8 | Trilium Notes is an open-source, cross-platform hierarchical note taking application for building large personal knowledge bases. Versions 0.102.1 and prior are vulnerable to Local File … | May 20, 2026 |
| CVE-2026-34970 | UNKNOWN | — | Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions 2.28.1 and prior allow a bugnote author to access the note's Revisions page after … | May 20, 2026 |
| CVE-2026-34754 | MEDIUM | 4.3 | Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions 2.28.1 and prior allow an authenticated user to upload attachments to private Issues they … | May 20, 2026 |
| CVE-2026-8495 | CRITICAL | 9.8 | Missing Authorization vulnerability in Drupal Date iCal allows Forceful Browsing. This issue affects Date iCal: from 0.0.0 before 4.0.15. | May 19, 2026 |
| CVE-2026-8493 | MEDIUM | 5.4 | Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Colorbox Inline allows Cross-Site Scripting (XSS). This issue affects Colorbox Inline: from … | May 19, 2026 |
| CVE-2026-8492 | LOW | 2.7 | Modification of Assumed-Immutable Data (MAID) vulnerability in Drupal Translate Drupal with GTranslate allows Resource Location Spoofing. This issue affects Translate Drupal with GTranslate: from 0.0.0 … | May 19, 2026 |
| CVE-2026-8491 | LOW | 3.7 | Improper Check for Unusual or Exceptional Conditions vulnerability in Drupal Node View Permissions allows Forceful Browsing. This issue affects Node View Permissions: from 0.0.0 before … | May 19, 2026 |
| CVE-2026-6871 | MEDIUM | 6.1 | Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Obfuscate allows Cross-Site Scripting (XSS). This issue affects Obfuscate: from 0.0.0 before … | May 19, 2026 |
| CVE-2026-6367 | MEDIUM | 6.1 | Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Drupal core allows Cross-Site Scripting (XSS). This issue affects Drupal core: from … | May 19, 2026 |
| CVE-2026-6366 | MEDIUM | 6.6 | Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection. This issue affects Drupal core: from 8.0.0 before 10.5.9, from … | May 19, 2026 |
| CVE-2026-6365 | MEDIUM | 6.1 | Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Drupal core allows Cross-Site Scripting (XSS). This issue affects Drupal core: from … | May 19, 2026 |