CVE Field Guide

Critical CVEs

CVE	Title	Updated	Score
CVE-2025-13374	Kalrav AI Agent <= 2.3.3 - Unauthenticated Arbitrary File Upload via kalrav_upload_file AJAX Action	24.01.2026	9.8
CVE-2026-24399	ChatterMate has Stored Cross-Site Scripting (XSS) via Chatbot Input Execution	24.01.2026	9.3
CVE-2021-47891	Unified Remote 3.9.0.2463 - Remote Code Execution	23.01.2026	9.3
CVE-2026-24423	SmarterTools SmarterMail < Build 9511 Unauthenticated RCE via ConnectToHub API	24.01.2026	9.3
CVE-2025-4319	Improper Access Control in Birebirsoft's Sufirmam	23.01.2026	9.4
CVE-2025-4320	Information Disclosure in Birebirsoft's Sufirmam	23.01.2026	10
CVE-2026-1363	JNC｜IAQS and I6 - Client-Side Enforcement of Server-Side Security	23.01.2026	9.3
CVE-2026-1364	JNC｜IAQS and I6 - Missing Authentication	23.01.2026	9.3
CVE-2025-15061	Framelink Figma MCP Server fetchWithRetry Command Injection Remote Code Execution Vulnerability	23.01.2026	9.8
CVE-2026-0755	gemini-mcp-tool execAsync Command Injection Remote Code Execution Vulnerability	23.01.2026	9.8
CVE-2026-0756	github-kanban-mcp-server execAsync Command Injection Remote Code Execution Vulnerability	23.01.2026	9.8
CVE-2026-0759	Katana Network Development Starter Kit executeCommand Command Injection Remote Code Execution Vulnerability	23.01.2026	9.8
CVE-2026-0760	Foundation Agents MetaGPT deserialize_message Deserialization of Untrusted Data Remote Code Execution Vulnerability	23.01.2026	9.8
CVE-2026-0761	Foundation Agents MetaGPT actionoutput_str_to_mapping Code Injection Remote Code Execution Vulnerability	23.01.2026	9.8
CVE-2026-0763	GPT Academic run_in_subprocess_wrapper_func Deserialization of Untrusted Data Remote Code Execution Vulnerability	23.01.2026	9.8
CVE-2026-0764	GPT Academic upload Deserialization of Untrusted Data Remote Code Execution Vulnerability	23.01.2026	9.8
CVE-2026-0768	Langflow code Code Injection Remote Code Execution Vulnerability	24.01.2026	9.8
CVE-2026-0769	Langflow eval_custom_component_code Eval Injection Remote Code Execution Vulnerability	24.01.2026	9.8
CVE-2026-0770	Langflow exec_globals Inclusion of Functionality from Untrusted Control Sphere Remote Code Execution Vulnerability	24.01.2026	9.8
CVE-2026-0773	Upsonic Cloudpickle Deserialization of Untrusted Data Remote Code Execution Vulnerability	23.01.2026	9.8
CVE-2025-15063	Ollama MCP Server execAsync Command Injection Remote Code Execution Vulnerability	23.01.2026	9.8
CVE-2026-24304	Azure Resource Manager Elevation of Privilege Vulnerability	24.01.2026	9.9
CVE-2026-21264	Microsoft Account Spoofing Vulnerability	24.01.2026	9.3
CVE-2026-24305	Azure Entra ID Elevation of Privilege Vulnerability	24.01.2026	9.3
CVE-2026-24306	Azure Front Door Elevation of Privilege Vulnerability	24.01.2026	9.8
CVE-2026-24307	M365 Copilot Information Disclosure Vulnerability	24.01.2026	9.3
CVE-2025-54816	EVMAPA Missing Authentication for Critical Function	23.01.2026	9.4
CVE-2026-1201	Authorization Bypass Through User-Controlled Key in Hubitat Elevation Hubs	23.01.2026	9.4
CVE-2025-64097	NervesHub has Insufficient Token Entropy that Allows Authentication Bypass via Brute Force	22.01.2026	9.5
CVE-2026-23760	SmarterTools SmarterMail < Build 9511 Authentication Bypass via Password Reset API	23.01.2026	9.3
CVE-2025-67684	Remote Code Execution via Local File Inclusion in Quick.Cart	22.01.2026	9.4
CVE-2026-1331	AMASTAR Technology｜MeetingHub - Arbitrary File Upload	22.01.2026	9.3
CVE-2026-0920	LA-Studio Element Kit for Elementor <= 1.5.6.3 - Unauthenticated Privilege Escalation via Backdoor to Administrative User Creation via lakit_bkrole parameter	22.01.2026	9.8
CVE-2026-24042	Appsmith public apps can execute unpublished actions (viewMode confusion)	22.01.2026	9.4
CVE-2026-23966	sm-crypto Affected by Private Key Recovery in SM2-PKE	22.01.2026	9.1
CVE-2026-24002	pyodide sandbox option is insecure	22.01.2026	9.1
CVE-2026-23524	Laravel Redis Horizontal Scaling Insecure Deserialization	22.01.2026	9.8
CVE-2026-23518	Fleet has a JWT signature bypass vulnerability in Azure AD MDM enrollment	22.01.2026	9.3
CVE-2026-22822	External Secrets Operator insecurely retrieves secrets through the getSecretKey templating function	22.01.2026	9.3
CVE-2026-22793	5ire vulnerable to Remote Code Execution (RCE) via ECharts	21.01.2026	9.7
CVE-2026-22792	5ire vulnerable to Remote Code Execution (RCE)	21.01.2026	9.7
CVE-2021-47748	Hasura GraphQL 1.3.3 - Remote Code Execution	22.01.2026	9.3
CVE-2021-47851	Mini Mouse 9.2.0 - Remote Code Execution	22.01.2026	9.3
CVE-2026-24061		23.01.2026	9.8
CVE-2025-15521	Academy LMS – WordPress LMS Plugin for Complete eLearning Solution <= 3.5.0 - Unauthenticated Privilege Escalation via Account Takeover	21.01.2026	9.8
CVE-2026-21962		23.01.2026	10
CVE-2026-21969		22.01.2026	9.8
CVE-2025-53912		20.01.2026	9.6
CVE-2026-22844	Zoom Node Deployments - Command Injection	20.01.2026	9.9
CVE-2025-14533	Advanced Custom Fields: Extended <= 0.9.2.1 - Unauthenticated Privilege Escalation via Insert User Form Action	20.01.2026	9.8
CVE-2026-1221	BROWAN COMMUNICATIONS ｜PrismX MX100 AP controller - Use of Hard-coded Credentials	20.01.2026	9.3
CVE-2026-23947	Orval MCP client is vulnerable to code injection via unsanitized x-enum-descriptions in enum generation	21.01.2026	9.3
CVE-2026-23837	MyTube has an Authorization Bypass vulnerability	20.01.2026	9.8
CVE-2026-23840	Movary vulnerable to Cross-site Scripting with `?categoryDeleted=` param	20.01.2026	9.3
CVE-2026-23841	Movary vulnerable to Cross-site Scripting with `?categoryCreated=` param	20.01.2026	9.3
CVE-2026-23839	Movary vulnerable to Cross-site Scripting with `?categoryUpdated=` param	20.01.2026	9.3
CVE-2026-23836	HotCRP vulnerable to remote code execution through formulas	20.01.2026	10
CVE-2026-22797		20.01.2026	9.9
CVE-2026-1162	UTT HiPER 810 setSysAdm strcpy buffer overflow	20.01.2026	9.3
CVE-2025-11043	Improper Server Certificate Validation in Automation Studio	20.01.2026	9.1
CVE-2026-1181	Altium 365 Over-Permissive CORS Configuration Allows Credentialed Cross-Origin Workspace Access	22.01.2026	9

Latest Updates

CVE	Title	Updated	Score
CVE-2025-12836	VK Google Job Posting Manager <= 1.2.20 - Authenticated (Author+) Stored Cross-Site Scripting via Job Description Field	24.01.2026	6.4
CVE-2025-13374	Kalrav AI Agent <= 2.3.3 - Unauthenticated Arbitrary File Upload via kalrav_upload_file AJAX Action	24.01.2026	9.8
CVE-2025-13676	JustClick registration plugin <= 0.1 - Reflected Cross-Site Scripting via PHP_SELF	24.01.2026	6.1
CVE-2025-14609	Wise Analytics <= 1.1.9 - Missing Authorization to Unauthenticated Arbitrary Analytics Database Disclosure via 'name' Parameter	24.01.2026	5.3
CVE-2025-14629	Alchemist Ajax Upload <= 1.1 - Missing Authorization to Unauthenticated Arbitrary Media File Deletion	24.01.2026	5.3
CVE-2025-14797	Same Category Posts <= 1.1.19 - Authenticated (Author+) Stored Cross-Site Scripting via Widget Title Placeholder	24.01.2026	5.4
CVE-2025-14843	Wizit Gateway for WooCommerce <= 1.2.9 - Missing Authentication to Unauthenticated Arbitrary Order Cancellation	24.01.2026	5.3
CVE-2025-14903	Simple Crypto Shortcodes <= 1.0.2 - Cross-Site Request Forgery to Plugin Settings Update	24.01.2026	4.3
CVE-2025-14906	WP Youtube Video Gallery <= 1.0 - Cross-Site Request Forgery to Plugin Settings Update	24.01.2026	4.3
CVE-2025-14941	GZSEO <= 2.0.11 - Authenticated (Contributor+) Authorization Bypass to Stored Cross-Site Scripting	24.01.2026	6.4
CVE-2025-14985	Alpha Blocks <= 1.5.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'alpha_block_css' Post Meta	24.01.2026	6.4
CVE-2026-0806	WP-ClanWars <= 2.0.1 - Authenticated (Administrator+) SQL Injection via 'orderby' Parameter	24.01.2026	4.9
CVE-2026-0807	Frontis Blocks <= 1.1.6 - Unauthenticated Server-Side Request Forgery via 'url' Parameter	24.01.2026	7.2
CVE-2026-1070	Alex User Counter <= 6.0 - Cross-Site Request Forgery to Settings Update	24.01.2026	4.3
CVE-2026-1075	ZT Captcha <= 1.0.4 - Cross-Site Request Forgery to Settings Update	24.01.2026	4.3
CVE-2026-1076	Star Review Manager <= 1.2.2 - Cross-Site Request Forgery to Settings Update	24.01.2026	4.3
CVE-2026-1081	Set Bulk Post Categories <= 1.1 - Cross-Site Request Forgery to Bulk Post Category Update	24.01.2026	4.3
CVE-2026-1084	Cookie consent for developers <= 1.7.1 - Authenticated (Administrator+) Stored Cross-Site Scripting via Multiple Settings Fields	24.01.2026	4.4
CVE-2026-1088	Login Page Editor <= 1.2 - Cross-Site Request Forgery to Settings Update	24.01.2026	4.3
CVE-2026-1095	Canto Testimonials <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'fx' Shortcode Attribute	24.01.2026	6.4
CVE-2026-1097	ThemeRuby Multi Authors <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'before' and 'after' Shortcode Attributes	24.01.2026	6.4
CVE-2026-1099	Administrative Shortcodes <= 0.3.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'login' and 'logout' Shortcode Attributes	24.01.2026	6.4
CVE-2026-1103	AIKTP <= 5.0.04 - Missing Authorization to Authenticated (Subscriber+) Multiple Administrator Actions	24.01.2026	5.4
CVE-2026-1257	Administrative Shortcodes <= 0.3.4 - Authenticated (Contributor+) Local File Inclusion via 'slug' Shortcode Attribute	24.01.2026	7.5
CVE-2026-24642		24.01.2026
CVE-2026-24643		24.01.2026
CVE-2026-24644		24.01.2026
CVE-2026-24645		24.01.2026
CVE-2026-24646		24.01.2026
CVE-2026-24647		24.01.2026
CVE-2026-24648		24.01.2026
CVE-2026-24649		24.01.2026
CVE-2025-13952	GPU DDK - libusc UAF via WebGPU shaders at MergeConsecutiveBarriersBP	24.01.2026
CVE-2026-24420	phpMyFAQ: Attachment download allowed without dlattachment right (broken access control)	24.01.2026	6.5
CVE-2026-24422	phpMyFAQ: Public API endpoints expose emails and invisible questions	24.01.2026	5.3
CVE-2026-24469	C++ HTTP Server has Critical Path Traversal Vulnerability in RequestHandler Allowing Arbitrary File Read	24.01.2026	7.5
CVE-2026-24401	Avahi has Uncontrolled Recursion in lookup_handle_cname function	24.01.2026	6.5
CVE-2026-24409	iccDEV has Undefined Behavior and Null Pointer Deference in CIccTagXmlFloatNum<>::ParseXml()	24.01.2026	7.1
CVE-2026-24410	iccDEV has Undefined Behavior and Null Pointer Deference in CIccProfileXml::ParseBasic()	24.01.2026	7.1
CVE-2026-24411	iccDEV has Undefined Behavior and Null Pointer Deference in CIccTagXmlSegmentedCurve::ToXml()	24.01.2026	7.1
CVE-2026-24412	iccDEV has Heap Buffer Overflow in icCurvesFromXml()	24.01.2026	8.8
CVE-2026-24421	phpMyFAQ missing authorization exposes /api/setup/backup to any authenticated user	24.01.2026	6.5
CVE-2026-24403	iccDEV Undefined Behavior in CIccProfile::CheckHeader() Leads to Integer Overflow	24.01.2026	7.1
CVE-2026-24404	iccDEV has Null Pointer Deference and Undefined Behavior in CIccXmlArrayType()	24.01.2026	7.1
CVE-2026-24405	iccDEV has Heap Buffer Overflow in CIccMpeCalculator::Read()	24.01.2026	8.8
CVE-2026-24406	iccDEV has Heap Buffer Overflow in CIccTagNamedColor2::SetSize()	24.01.2026	8.8
CVE-2026-24407	iccDEV has Undefined Behavior in icSigCalcOp()	24.01.2026	7.1
CVE-2026-22582		24.01.2026
CVE-2026-22583		24.01.2026
CVE-2026-22585		24.01.2026
CVE-2026-22586		24.01.2026
CVE-2026-24399	ChatterMate has Stored Cross-Site Scripting (XSS) via Chatbot Input Execution	24.01.2026	9.3
CVE-2026-24402		24.01.2026
CVE-2026-24140	MyTube has Mass Assignment via Settings Management	23.01.2026	2.7
CVE-2026-24139	MyTube Allows Unauthorized Database Export by Guest Users	23.01.2026
CVE-2026-24474	Dioxus Components has JavaScript injection via user-supplied IDs	23.01.2026
CVE-2026-24136	Saleor has an Insecure Direct Object Reference (IDOR) in GraphQL API	23.01.2026
CVE-2026-24128	XWiki Affected by Reflected Cross-Site Scripting (XSS) in Error Messages	23.01.2026
CVE-2026-24127	Typemill has Reflected XSS via login error view template	23.01.2026	5.4
CVE-2025-12780		23.01.2026
CVE-2026-0991		23.01.2026
CVE-2025-70458		23.01.2026
CVE-2025-70457		23.01.2026
CVE-2025-52022		23.01.2026
CVE-2025-52023		23.01.2026
CVE-2025-52024		23.01.2026
CVE-2025-52025		23.01.2026
CVE-2025-52026		23.01.2026
CVE-2026-1386	Arbitrary Host File Overwrite via Symlink in Firecracker Jailer	23.01.2026	6
CVE-2025-67264		23.01.2026
CVE-2025-70983		23.01.2026
CVE-2025-70985		23.01.2026
CVE-2025-70986		23.01.2026
CVE-2026-21867		23.01.2026
CVE-2025-14947	All-in-One Video Gallery <= 4.6.4 - Missing Authorization to Unauthenticated Bunny Stream Video Creation/Deletion	23.01.2026	6.5
CVE-2018-25116	MyBB Thread Redirect Plugin 0.2.1 - Cross-Site Scripting	23.01.2026
CVE-2018-25132	MyBB Trending Widget Plugin 1.2 - Cross-Site Scripting	23.01.2026
CVE-2021-47881	dataSIMS Avionics ARINC 664-1 - Local Buffer Overflow	23.01.2026
CVE-2021-47888	Textpattern 4.8.3 - Remote code execution	23.01.2026
CVE-2021-47889	Softros LAN Messenger 9.6.4 - 'SoftrosSpellChecker' Unquoted Service Path	23.01.2026
CVE-2021-47890	LogonExpert 8.1 - 'LogonExpertSvc' Unquoted Service Path	23.01.2026
CVE-2021-47891	Unified Remote 3.9.0.2463 - Remote Code Execution	23.01.2026
CVE-2021-47892	PEEL Shopping 9.3.0 - 'Comments/Special Instructions' Stored Cross-Site Scripting	23.01.2026
CVE-2021-47893	AgataSoft PingMaster Pro 2.1 - Denial of Service	23.01.2026
CVE-2021-47894	Managed Switch Port Mapping Tool 2.85.2 - Denial of Service	23.01.2026
CVE-2021-47895	Nsauditor 3.2.2.0 - 'Event Description' Denial of Service	23.01.2026
CVE-2021-47896	PDFCOMPLETE Corporate Edition 4.1.45 - 'pdfcDispatcher' Unquoted Service Path	23.01.2026
CVE-2021-47897	PEEL Shopping 9.3.0 - 'address' Stored Cross-Site Scripting	23.01.2026
CVE-2021-47898	Epson USB Display 1.6.0.0 Unquoted Service Path Vulnerability	23.01.2026
CVE-2021-47899	YetiShare File Hosting Script 5.1.0 Remote File Upload SSRF Vulnerability	23.01.2026
CVE-2021-47903	LiteSpeed Web Server Enterprise 5.4.11 - Command Injection	23.01.2026
CVE-2021-47904	PhreeBooks 5.2.3 - Remote Code Execution	23.01.2026
CVE-2021-47905	MyBB Delete Account Plugin 1.4 - Cross-Site Scripting	23.01.2026
CVE-2021-47906	BloofoxCMS 0.5.2.1 - 'text' Stored Cross Site Scripting	23.01.2026
CVE-2022-25369		23.01.2026
CVE-2026-24423	SmarterTools SmarterMail < Build 9511 Unauthenticated RCE via ConnectToHub API	24.01.2026
CVE-2025-67231		23.01.2026
CVE-2025-71177	LavaLite CMS <= 10.1.0 Stored XSS via Package Creation and Search	23.01.2026
CVE-2026-1299	email BytesGenerator header injection due to unquoted newlines	23.01.2026
CVE-2025-67229		23.01.2026
CVE-2025-67230		23.01.2026
CVE-2025-66719		23.01.2026
CVE-2025-66720		23.01.2026
CVE-2025-67124		23.01.2026
CVE-2025-67125		23.01.2026
CVE-2025-69908		23.01.2026
CVE-2025-71158	gpio: mpsse: ensure worker is torn down	23.01.2026
CVE-2025-71159	btrfs: fix use-after-free warning in btrfs_get_or_create_delayed_node()	23.01.2026
CVE-2025-71160	netfilter: nf_tables: avoid chain re-validation if possible	23.01.2026
CVE-2025-71161	dm-verity: disable recursive forward error correction	23.01.2026
CVE-2026-22978	wifi: avoid kernel-infoleak from struct iw_point	23.01.2026
CVE-2026-22979	net: fix memory leak in skb_segment_list for GRO packets	23.01.2026
CVE-2026-22980	nfsd: provide locking for v4_end_grace	23.01.2026
CVE-2026-22981	idpf: detach and close netdevs while handling a reset	23.01.2026
CVE-2026-22982	net: mscc: ocelot: Fix crash when adding interface under a lag	23.01.2026
CVE-2026-22983	net: do not write to msg_get_inq in callee	23.01.2026
CVE-2026-22984	libceph: prevent potential out-of-bounds reads in handle_auth_done()	23.01.2026
CVE-2026-22985	idpf: Fix RSS LUT NULL pointer crash on early ethtool operations	23.01.2026
CVE-2026-22986	gpiolib: fix race condition for gdev->srcu	23.01.2026
CVE-2026-22987	net/sched: act_api: avoid dereferencing ERR_PTR in tcf_idrinfo_destroy	23.01.2026
CVE-2026-22988	arp: do not assume dev_hard_header() does not change skb->head	23.01.2026
CVE-2026-22989	nfsd: check that server is running in unlock_filesystem	23.01.2026
CVE-2026-22990	libceph: replace overzealous BUG_ON in osdmap_apply_incremental()	23.01.2026
CVE-2026-22991	libceph: make free_choose_arg_map() resilient to partial allocation	23.01.2026
CVE-2026-22992	libceph: return the handler error from mon_handle_auth_done()	23.01.2026
CVE-2026-22993	idpf: Fix RSS LUT NULL ptr issue after soft reset	23.01.2026
CVE-2026-22994	bpf: Fix reference count leak in bpf_prog_test_run_xdp()	23.01.2026
CVE-2026-22995	ublk: fix use-after-free in ublk_partition_scan_work	23.01.2026
CVE-2025-69907		23.01.2026
CVE-2026-0994	Denial of Service in Python Protobuf	23.01.2026
CVE-2026-24521	WordPress Kama Thumbnail plugin <= 3.5.1 - Cross Site Request Forgery (CSRF) vulnerability	23.01.2026
CVE-2026-24522	WordPress WP Subscribe plugin <= 1.2.16 - Broken Access Control vulnerability	23.01.2026
CVE-2026-24523	WordPress WP FullCalendar plugin <= 1.6 - Sensitive Data Exposure vulnerability	23.01.2026
CVE-2026-24524	WordPress Tablesome plugin <= 1.1.35.2 - Broken Access Control vulnerability	23.01.2026
CVE-2026-24525	WordPress CLP Varnish Cache plugin <= 1.0.2 - Broken Access Control vulnerability	23.01.2026
CVE-2026-24526	WordPress Email Inquiry & Cart Options for WooCommerce plugin <= 3.4.3 - Cross Site Scripting (XSS) vulnerability	23.01.2026
CVE-2026-24528	WordPress Nova Blocks plugin <= 2.1.9 - Cross Site Scripting (XSS) vulnerability	23.01.2026
CVE-2026-24529	WordPress Quick Restaurant Reservations plugin <= 1.6.7 - Broken Access Control vulnerability	23.01.2026
CVE-2026-24530	WordPress WebP Conversion plugin <= 2.1 - Broken Access Control vulnerability	23.01.2026
CVE-2026-24531	WordPress Prowess theme <= 2.3 - Local File Inclusion vulnerability	23.01.2026
CVE-2026-24532	WordPress SiteLock Security plugin <= 5.0.2 - Broken Access Control vulnerability	23.01.2026
CVE-2026-24534	WordPress Booter plugin <= 1.5.7 - Broken Access Control vulnerability	23.01.2026
CVE-2026-24535	WordPress Automatic Featured Images from Videos plugin <= 1.2.7 - Broken Access Control vulnerability	23.01.2026
CVE-2026-24536	WordPress Webpushr plugin <= 4.38.0 - Sensitive Data Exposure vulnerability	23.01.2026
CVE-2026-24538	WordPress Omnipress plugin <= 1.6.6 - Local File Inclusion vulnerability	23.01.2026
CVE-2026-24539	WordPress Protección de datos – RGPD plugin <= 0.68 - Broken Access Control vulnerability	23.01.2026
CVE-2026-24540	WordPress Integrate Google Drive plugin <= 1.5.5 - Broken Access Control vulnerability	23.01.2026
CVE-2026-24541	WordPress Download After Email plugin <= 2.1.9 - Broken Access Control vulnerability	23.01.2026
CVE-2026-24542	WordPress WP Term Order plugin <= 2.1.0 - Cross Site Request Forgery (CSRF) vulnerability	23.01.2026
CVE-2026-24543	WordPress Materialis Companion plugin <= 1.3.52 - Broken Access Control vulnerability	23.01.2026
CVE-2026-24544	WordPress HD Quiz plugin <= 2.0.9 - Broken Access Control vulnerability	23.01.2026
CVE-2026-24548	WordPress Radio Player plugin <= 2.0.91 - Server Side Request Forgery (SSRF) vulnerability	23.01.2026
CVE-2026-24549	WordPress GeoDirectory plugin <= 2.8.147 - Cross Site Request Forgery (CSRF) vulnerability	23.01.2026
CVE-2026-24550	WordPress Blockons plugin <= 1.2.15 - Cross Site Scripting (XSS) vulnerability	23.01.2026
CVE-2026-24551	WordPress Monetag Official Plugin plugin <= 1.1.3 - Broken Access Control vulnerability	23.01.2026
CVE-2026-24553	WordPress Fraud Prevention For Woocommerce plugin <= 2.3.1 - Sensitive Data Exposure vulnerability	23.01.2026
CVE-2026-24555	WordPress ArtPlacer Widget plugin <= 2.23.1 - Cross Site Scripting (XSS) vulnerability	23.01.2026
CVE-2026-24556	WordPress ElementCamp plugin <= 2.3.2 - Broken Access Control vulnerability	23.01.2026
CVE-2026-24557	WordPress Contact Form 7 GetResponse Extension plugin <= 1.0.8 - Sensitive Data Exposure vulnerability	23.01.2026
CVE-2026-24558	WordPress ABG Rich Pins plugin <= 1.1 - Cross Site Scripting (XSS) vulnerability	23.01.2026
CVE-2026-24559	WordPress Integration for Contact Form 7 HubSpot plugin <= 1.4.3 - Sensitive Data Exposure vulnerability	23.01.2026
CVE-2026-24560	WordPress Cloudinary plugin <= 3.3.0 - Broken Access Control vulnerability	23.01.2026
CVE-2026-24561	WordPress FluentBoards plugin <= 1.91.1 - Broken Access Control vulnerability	23.01.2026
CVE-2026-24562	WordPress Ryviu – Product Reviews for WooCommerce plugin <= 3.1.26 - Broken Access Control vulnerability	23.01.2026
CVE-2026-24563	WordPress LifePress plugin <= 2.1.3 - Broken Access Control vulnerability	23.01.2026
CVE-2026-24564	WordPress Textmetrics plugin <= 3.6.3 - Arbitrary Shortcode Execution vulnerability	23.01.2026
CVE-2026-24565	WordPress B Accordion plugin <= 2.0.0 - Sensitive Data Exposure vulnerability	23.01.2026
CVE-2026-24566	WordPress iNET Webkit plugin <= 1.2.4 - Broken Access Control vulnerability	23.01.2026
CVE-2026-24567	WordPress Anything Order by Terms plugin <= 1.4.0 - Broken Access Control vulnerability	23.01.2026
CVE-2026-24568	WordPress WP Travel plugin <= 11.0.0 - Broken Access Control vulnerability	23.01.2026
CVE-2026-24569	WordPress Media Library File Size plugin <= 1.6.7 - Broken Access Control vulnerability	23.01.2026
CVE-2026-24570	WordPress Edwiser Bridge plugin <= 4.3.2 - Broken Access Control vulnerability	23.01.2026
CVE-2026-24571	WordPress BOX NOW Delivery plugin <= 3.0.2 - Broken Access Control vulnerability	23.01.2026
CVE-2026-24572	WordPress Nelio Content plugin <= 4.1.0 - SQL Injection vulnerability	23.01.2026
CVE-2026-24576	WordPress UX Flat plugin <= 5.4.0 - Cross Site Scripting (XSS) vulnerability	23.01.2026
CVE-2026-24577	WordPress Pie Register plugin <= 3.8.4.7 - Broken Access Control vulnerability	23.01.2026
CVE-2026-24578	WordPress Admin login URL Change plugin <= 1.1.5 - Broken Access Control vulnerability	23.01.2026
CVE-2026-24579	WordPress Ai Image Alt Text Generator for WP plugin <= 1.1.9 - Broken Access Control vulnerability	23.01.2026
CVE-2026-24580	WordPress Ecwid Shopping Cart plugin <= 7.0.5 - Broken Access Control vulnerability	23.01.2026
CVE-2026-24581	WordPress Points and Rewards for WooCommerce plugin <= 2.9.5 - Broken Access Control vulnerability	23.01.2026
CVE-2026-24583	WordPress SumUp Payment Gateway For WooCommerce plugin <= 2.7.9 - Broken Access Control vulnerability	23.01.2026
CVE-2026-24584	WordPress Tutor LMS BunnyNet Integration plugin <= 1.0.0 - Cross Site Scripting (XSS) vulnerability	23.01.2026
CVE-2026-24585	WordPress Hyyan WooCommerce Polylang Integration plugin <= 1.5.0 - Broken Access Control vulnerability	23.01.2026
CVE-2026-24587	WordPress AJAX Hits Counter + Popular Posts Widget plugin <= 0.10.210305 - Broken Access Control vulnerability	23.01.2026
CVE-2026-24588	WordPress Smart Product Viewer plugin <= 1.5.4 - Broken Access Control vulnerability	23.01.2026
CVE-2026-24589	WordPress Cargus plugin <= 1.5.8 - Sensitive Data Exposure vulnerability	23.01.2026
CVE-2026-24591	WordPress Turn Yoast SEO FAQ Block to Accordion plugin <= 1.0.6 - Cross Site Scripting (XSS) vulnerability	23.01.2026
CVE-2026-24593	WordPress AWP Classifieds plugin <= 4.4.3 - Sensitive Data Exposure vulnerability	23.01.2026
CVE-2026-24594	WordPress Livemesh Addons for WPBakery Page Builder plugin <= 3.9.4 - Cross Site Scripting (XSS) vulnerability	23.01.2026
CVE-2026-24595	WordPress Zoho CRM Lead Magnet plugin <= 1.8.1.5 - Broken Access Control vulnerability	23.01.2026
CVE-2026-24596	WordPress Related Posts Thumbnails Plugin for WordPress plugin <= 4.3.1 - Cross Site Request Forgery (CSRF) vulnerability	23.01.2026
CVE-2026-24598	WordPress Multilanguage by BestWebSoft plugin <= 1.5.2 - Broken Access Control vulnerability	23.01.2026
CVE-2026-24599	WordPress NextMove Lite plugin <= 2.23.0 - Insecure Direct Object References (IDOR) vulnerability	23.01.2026
CVE-2026-24600	WordPress Penci Review plugin <= 3.5 - Cross Site Scripting (XSS) vulnerability	23.01.2026
CVE-2026-24601	WordPress Penci Pay Writer plugin <= 1.5 - Cross Site Scripting (XSS) vulnerability	23.01.2026
CVE-2026-24602	WordPress Raptive Ads plugin <= 3.10.0 - Broken Access Control vulnerability	23.01.2026
CVE-2026-24603	WordPress Universal Google Adsense and Ads manager plugin <= 1.1.8 - Broken Access Control vulnerability	23.01.2026
CVE-2026-24604	WordPress Simple GDPR Cookie Compliance plugin <= 2.0.0 - Broken Access Control vulnerability	23.01.2026
CVE-2026-24605	WordPress X Addons for Elementor plugin <= 1.0.23 - Broken Access Control vulnerability	23.01.2026
CVE-2026-24606	WordPress Bayarcash WooCommerce plugin <= 4.3.11 - Broken Access Control vulnerability	23.01.2026
CVE-2026-24607	WordPress Travel Monster theme <= 1.3.3 - Broken Access Control vulnerability	23.01.2026
CVE-2026-24608	WordPress Laurent Core plugin <= 2.4.1 - Local File Inclusion vulnerability	23.01.2026
CVE-2026-24609	WordPress Laurent theme <= 3.1 - Local File Inclusion vulnerability	23.01.2026
CVE-2026-24612	WordPress Orchid Store theme <= 1.5.15 - Broken Access Control vulnerability	23.01.2026
CVE-2026-24613	WordPress Ecwid Shopping Cart plugin <= 7.0.5 - Broken Access Control vulnerability	23.01.2026
CVE-2026-24614	WordPress Flex QR Code Generator plugin <= 1.2.8 - Cross Site Scripting (XSS) vulnerability	23.01.2026
CVE-2026-24615	WordPress Cream Magazine theme <= 2.1.10 - Broken Access Control vulnerability	23.01.2026
CVE-2026-24616	WordPress WP Popups plugin <= 2.2.0.3 - Broken Access Control vulnerability	23.01.2026
CVE-2026-24617	WordPress Easy Modal plugin <= 2.1.0 - Cross Site Scripting (XSS) vulnerability	23.01.2026
CVE-2026-24619	WordPress PopCash.Net Code Integration Tool plugin <= 1.8 - Broken Access Control vulnerability	23.01.2026
CVE-2026-24620	WordPress Landing Page Builder plugin <= 1.5.3.3 - Cross Site Scripting (XSS) vulnerability	23.01.2026
CVE-2026-24621	WordPress Terms descriptions plugin <= 3.4.9 - Cross Site Scripting (XSS) vulnerability	23.01.2026
CVE-2026-24622	WordPress Suggestion Toolkit plugin <= 5.0 - Broken Access Control vulnerability	23.01.2026
CVE-2026-24623	WordPress Neoforum plugin <= 1.0 - Reflected Cross Site Scripting (XSS) vulnerability	23.01.2026
CVE-2026-24624	WordPress Neoforum plugin <= 1.0 - SQL Injection vulnerability	23.01.2026
CVE-2026-24625	WordPress File Uploads Addon for WooCommerce plugin <= 1.7.3 - Broken Access Control vulnerability	23.01.2026
CVE-2026-24626	WordPress Logo Slider plugin <= 4.9.0 - Cross Site Scripting (XSS) vulnerability	23.01.2026
CVE-2026-24627	WordPress Trusona for WordPress plugin <= 2.0.0 - Broken Access Control vulnerability	23.01.2026
CVE-2026-24629	WordPress Web Accessibility with Max Access plugin <= 2.1.0 - Cross Site Scripting (XSS) vulnerability	23.01.2026
CVE-2026-24630	WordPress Stylish Cost Calculator plugin <= 8.1.8 - Cross Site Scripting (XSS) vulnerability	23.01.2026
CVE-2026-24631	WordPress Rosebud theme <= 1.4 - Insecure Direct Object References (IDOR) vulnerability	23.01.2026
CVE-2026-24632	WordPress Delay Redirects plugin <= 1.0.0 - Cross Site Scripting (XSS) vulnerability	23.01.2026
CVE-2026-24633	WordPress Add Expires Headers & Optimized Minify plugin <= 3.1.0 - Broken Access Control vulnerability	23.01.2026
CVE-2026-24634	WordPress Ultimate Reviews plugin <= 3.2.16 - Insecure Direct Object References (IDOR) vulnerability	23.01.2026
CVE-2026-24635	WordPress EduBlink Core plugin <= 2.0.7 - Local File Inclusion vulnerability	23.01.2026
CVE-2026-24636	WordPress Sugar Calendar (Lite) plugin <= 3.10.1 - Broken Access Control vulnerability	23.01.2026
CVE-2025-71146	netfilter: nf_conncount: fix leaked ct in error paths	23.01.2026
CVE-2025-71147	KEYS: trusted: Fix a memory leak in tpm2_load_cmd	23.01.2026
CVE-2025-71148	net/handshake: restore destructor on submit failure	23.01.2026
CVE-2025-71149	io_uring/poll: correctly handle io_poll_add() return value on update	23.01.2026
CVE-2025-71150	ksmbd: Fix refcount leak when invalid session is found on session lookup	23.01.2026
CVE-2025-71151	cifs: Fix memory and information leak in smb3_reconfigure()	23.01.2026
CVE-2025-71152	net: dsa: properly keep track of conduit reference	23.01.2026
CVE-2025-71153	ksmbd: Fix memory leak in get_file_all_info()	23.01.2026
CVE-2025-71154	net: usb: rtl8150: fix memory leak on usb_submit_urb() failure	23.01.2026
CVE-2025-71155	KVM: s390: Fix gmap_helper_zap_one_page() again	23.01.2026
CVE-2025-71156	gve: defer interrupt enabling until NAPI registration	23.01.2026
CVE-2025-71157	RDMA/core: always drop device refcount in ib_del_sub_device_and_put()	23.01.2026
CVE-2025-71145	usb: phy: isp1301: fix non-OF device reference imbalance	23.01.2026
CVE-2025-13921	weDocs <= 2.1.16 - Missing Authorization to Authenticated (Subscriber+) Documentation Post Update	23.01.2026	4.3
CVE-2025-14866	Melapress Role Editor <= 1.1.1 - Improper Authorization to Authenticated (Subscriber+) Privilege Escalation via Secondary Role Assignment	23.01.2026	8.8
CVE-2025-4319	Improper Access Control in Birebirsoft's Sufirmam	23.01.2026	9.4
CVE-2025-4320	Information Disclosure in Birebirsoft's Sufirmam	23.01.2026	10
CVE-2026-0914	WP DSGVO Tools (GDPR) <= 3.1.36 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'lw_content_block' Shortcode	23.01.2026	6.4