CVE Field Guide

Critical CVEs

CVE Title Updated Score
CVE-2026-48137 Untrusted pointer dereference in NI grpc-device sideband streaming API 19.06.2026 9.3
CVE-2026-9142 Insecure Default Credentials vulnerability in NI grpc-device when TLS configuration is not present 19.06.2026 9.3
CVE-2026-44939 Command injection through unsanitized YAML parameter in Rancher 19.06.2026 9.4
CVE-2026-50242 19.06.2026 10
CVE-2026-56141 19.06.2026 9.8
CVE-2026-56142 19.06.2026 9.6
CVE-2026-54414 FileRise shared-folder upload path traversal allows arbitrary file write and admin takeover 19.06.2026 9.3
CVE-2026-7515 BetterDocs Pro <= 3.8.0 - Unauthenticated Local File Inclusion via doc_style 19.06.2026 9.8
CVE-2026-8713 Avada (Fusion) Builder <= 3.15.3 - Unauthenticated Arbitrary File Deletion via Form Entry Value 19.06.2026 9.1
CVE-2026-12045 pgAdmin 4: AI Assistant read-only transaction bypass allows unauthorised writes and remote code execution 18.06.2026 9.4
CVE-2026-12046 pgAdmin 4: Unauthenticated pickle deserialization in SQL Editor close / update_connection routes enables remote code execution 18.06.2026 9.5
CVE-2026-12048 pgAdmin 4: Stored XSS via untrusted error and plan-node text rendered through html-react-parser 18.06.2026 9.3
CVE-2026-40624 AVer PTC cameras Files or Directories Accessible to External Parties 18.06.2026 9.3
CVE-2026-47647 Dynamics 365 Elevation of Privilege Vulnerability 18.06.2026 9.9
CVE-2026-54130 M365 Copilot Information Disclosure Vulnerability 18.06.2026 9.8
CVE-2026-49257 mcp-pinot: Unauthenticated tool invocation via default oauth_enabled=False + host 0.0.0.0 bind 18.06.2026 10
CVE-2026-49454 Relyra SAML SignatureValue not cryptographically verified -> authentication bypass 18.06.2026 9.1
CVE-2026-49252 deepstream is vulnerable to prototype pollution 18.06.2026 9.9
CVE-2026-47846 18.06.2026 9.8
CVE-2026-54390 JTL Shop < 5.7.2 Server-Side Template Injection via Smarty Renderer 18.06.2026 9.3
CVE-2026-54103 U.S. GAO EPDS and CBCA EDS unauthenticated password change 19.06.2026 9.3
CVE-2026-55203 HAProxy - Integer Overflow in FCGI Demux Record Length Field 18.06.2026 9
CVE-2026-56020 Webmin HTTP header authentication bypass 19.06.2026 9.2
CVE-2026-11717 18.06.2026 9.3
CVE-2026-11718 18.06.2026 9.3
CVE-2026-54419 PIAF-HMS multiple unauthenticated SQL injection vulnerabilities via mysql_query 18.06.2026 9.3
CVE-2026-8024 Deserialization vulnerability in ibaPDA and ibaDatCoordinator 18.06.2026 9.3
CVE-2025-10560 Hardcoded cloud credentials in Worksnaps client application binaries expose production cloud resources 18.06.2026 9.3
CVE-2026-28573 18.06.2026 10
CVE-2026-55742 Cotonti CSRF in admin.rights.php allows privilege escalation 18.06.2026 9.4
CVE-2026-55740 SQL Injection in Nur-Alam39 bus-ticket bus_info.php via busid parameter 18.06.2026 9.3
CVE-2026-12569 Remote Code Execution (RCE) vulnerability in Windchill PDMlink 18.06.2026 9.3
CVE-2026-48768 TypeBot: Unauthenticated arbitrary s3 object write in generate-upload-url via unsanitized fileName 18.06.2026 9.3
CVE-2026-48814 Network-AI: Empty default secret still authorizes all requests (Incomplete fix for CVE-2026-46701) 18.06.2026 9.1
CVE-2026-54387 Tinyproxy - HTTP Request Smuggling via CL/TE Desynchronization 18.06.2026 9.3
CVE-2026-54388 Tinyproxy - HTTP Request Smuggling via Duplicate Content-Length Headers 18.06.2026 9.3
CVE-2026-55200 libssh2 - Out-of-Bounds Write via Unchecked packet_length in transport.c 18.06.2026 9.2
CVE-2026-55196 Hermes WebUI < 0.51.409 - Unauthenticated Passkey Registration via Authentication Bypass 17.06.2026 9.1
CVE-2026-20266 OS Command Injection in the btool Configuration Helper in Splunk AI Toolkit 17.06.2026 9.1
CVE-2026-53805 NVIDIA SIL GEN3C Unauthenticated RCE via Pickle Deserialization in Inference API 17.06.2026 9.3
CVE-2025-71320 picklescan - Remote Code Execution via Incomplete Disallowed Inputs 17.06.2026 9.3
CVE-2025-71321 picklescan - Arbitrary File Writing via distutils Module Bypass 17.06.2026 9.3
CVE-2025-71323 picklescan - Remote Code Execution via Unblocked ctypes Module 17.06.2026 9.3
CVE-2025-71325 picklescan - Detection Bypass via STACK_GLOBAL Opcode Parsing Logic Flaw 17.06.2026 9.3
CVE-2026-20181 Cisco Identity Services Engine Remote Code Execution Vulnerability 18.06.2026 9.1
CVE-2026-3490 picklescan - Universal Blocklist Bypass via pkgutil.resolve_name 18.06.2026 10
CVE-2026-53873 picklescan - Arbitrary Code Execution via profile.run() Blocklist Bypass 17.06.2026 9.3
CVE-2026-53874 picklescan - Arbitrary Code Execution via Obfuscated eval Call 17.06.2026 9.3
CVE-2026-42055 NGINX ngx_http_proxy_v2_module and ngx_http_grpc_module vulnerability 18.06.2026 9.2
CVE-2026-42530 NGINX Open-Source ngx_http_v3_module vulnerability 18.06.2026 9.2
CVE-2026-47103 Python StateMachine 3.0.0 < 3.2.0 RCE via SCXML eval() Injection 18.06.2026 9.3
CVE-2026-54812 WordPress Motors plugin <= 1.4.109 - SQL Injection vulnerability 17.06.2026 9.3
CVE-2026-55743 OpenHuman desktop agent shell tool sandbox bypass leads to arbitrary command execution 17.06.2026 9.4
CVE-2025-59554 WordPress Advanced Ads – Tracking plugin < 3.0.7 - SQL Injection vulnerability 17.06.2026 9.3
CVE-2025-60229 WordPress Lagom theme <= 2.0 - PHP Object Injection vulnerability 17.06.2026 9.8
CVE-2025-60230 WordPress The Barber Shop theme <= 1.9 - PHP Object Injection vulnerability 17.06.2026 9.8
CVE-2025-60231 WordPress The Hospital theme <= 1.8.1 - PHP Object Injection vulnerability 17.06.2026 9.8
CVE-2025-60236 WordPress Creatify theme <= 1.5 - PHP Object Injection vulnerability 17.06.2026 9.8
CVE-2025-69111 WordPress Reisen theme <= 1.4.1 - PHP Object Injection vulnerability 17.06.2026 9.8
CVE-2025-69127 WordPress Plumbing theme <= 1.6 - PHP Object Injection vulnerability 17.06.2026 9.8
CVE-2026-49108 WordPress Moderno theme < 1.43 - PHP Object Injection vulnerability 17.06.2026 9.8
CVE-2026-54808 WordPress WP Travel Gutenberg Blocks plugin <= 3.9.4 - SQL Injection vulnerability 17.06.2026 9.3
CVE-2026-54809 WordPress GIFT4U plugin <= 1.0.10 - SQL Injection vulnerability 17.06.2026 9.3
CVE-2026-54815 WordPress Cargo Shipping Location for WooCommerce plugin <= 5.6 - SQL Injection vulnerability 17.06.2026 9.3
CVE-2026-54819 WordPress Listdom plugin <= 5.4.0 - SQL Injection vulnerability 17.06.2026 9.3
CVE-2024-52488 WordPress Grip theme <= 1.0.9 - Arbitrary Plugin Activation/Deactivation to RCE vulnerability 17.06.2026 9.9
CVE-2025-60205 WordPress ThemeREX Addons plugin <= 2.36.1.1 - PHP Object Injection vulnerability 17.06.2026 9.8
CVE-2025-60218 WordPress PT Luxa Addons Plugin <= 1.2.2 - Arbitrary File Upload Vulnerability 17.06.2026 9.9
CVE-2025-69129 WordPress WordPress & WooCommerce Scraper Plugin, Import Data from Any Site plugin <= 1.0.7 - Arbitrary File Upload vulnerability 17.06.2026 10
CVE-2025-69179 WordPress Support Ticket Management System plugin <= 1.9 - Privilege Escalation vulnerability 17.06.2026 9.8
CVE-2026-22327 WordPress Restaurt theme <= 1.0.4 - Arbitrary File Upload vulnerability 17.06.2026 9.9
CVE-2026-22332 WordPress Tutor LMS Pro plugin <= 3.9.6 - SQL Injection vulnerability 17.06.2026 9.3
CVE-2026-22340 WordPress WPJobster theme <= 6.3.5 - SQL Injection vulnerability 17.06.2026 9.3
CVE-2026-24611 WordPress MetForm Pro plugin <= 3.9.1 - Broken Access Control vulnerability 17.06.2026 9.1
CVE-2026-25446 WordPress WishList Member X plugin <= 3.29.0 - Arbitrary File Upload vulnerability 17.06.2026 9.9
CVE-2026-27041 WordPress Unlimited Elements for Elementor (Premium) plugin <= 2.0.6 - Arbitrary File Upload vulnerability 17.06.2026 9.9
CVE-2026-39589 WordPress Webenvo theme <= 0.0.6 - Arbitrary File Upload vulnerability 17.06.2026 9.9
CVE-2026-39596 WordPress Blocksy Companion Pro plugin < 2.1.29 - SQL Injection vulnerability 17.06.2026 9.3
CVE-2026-40725 WordPress WooCommerce Product Filters plugin < 2.0.6 - PHP Object Injection vulnerability 17.06.2026 9.8
CVE-2026-40746 WordPress Restaurant Zone theme <= 0.7.8 - Arbitrary File Upload vulnerability 17.06.2026 9.9
CVE-2026-40747 WordPress Ecommerce Zone theme <= 0.9.7 - Arbitrary File Upload vulnerability 17.06.2026 9.9
CVE-2026-40748 WordPress Kids Gift Shop theme <= 0.5.4 - Arbitrary File Upload vulnerability 17.06.2026 9.9
CVE-2026-40749 WordPress Charity Zone theme <= 1.1.1 - Arbitrary File Upload vulnerability 17.06.2026 9.9
CVE-2026-40783 WordPress Blocksy Companion Pro plugin <= 2.1.37 - Remote Code Execution (RCE) vulnerability 17.06.2026 9.9
CVE-2026-42380 WordPress AI Lab theme < 5.4.2 - PHP Object Injection vulnerability 17.06.2026 9.8
CVE-2026-48875 WordPress JetSmartFilters plugin <= 3.8.1 - SQL Injection vulnerability 17.06.2026 9.3
CVE-2026-49058 WordPress LoginPress Pro plugin <= 6.2.2 - Privilege Escalation vulnerability 17.06.2026 9.8
CVE-2026-49075 WordPress JetEngine plugin <= 3.8.9.1 - PHP Object Injection vulnerability 17.06.2026 9.8
CVE-2026-49076 WordPress JetEngine plugin <= 3.8.9.1 - SQL Injection vulnerability 17.06.2026 9.3
CVE-2026-49079 WordPress JetSearch plugin <= 3.5.17 - SQL Injection vulnerability 17.06.2026 9.3
CVE-2026-49084 WordPress JetEngine plugin < 3.8.9.1 - SQL Injection vulnerability 17.06.2026 9.3
CVE-2026-49107 WordPress Thrive Apprentice plugin < 10.8.10.2 - PHP Object Injection vulnerability 17.06.2026 9.8
CVE-2026-49767 WordPress wpForo Forum plugin <= 3.1.0 - Broken Authentication vulnerability 17.06.2026 9.8
CVE-2026-52705 WordPress SigmaForms Pro – AI Generated Forms plugin <= 1.4.5 - Arbitrary File Upload vulnerability 17.06.2026 9
CVE-2026-52706 WordPress JetEngine plugin <= 3.8.10 - PHP Object Injection vulnerability 17.06.2026 9.8
CVE-2026-54186 WordPress JobSearch plugin <= 3.2.9 - SQL Injection vulnerability 17.06.2026 9.3
CVE-2026-54187 WordPress JetEngine plugin <= 3.8.10.1 - SQL Injection vulnerability 17.06.2026 9.3
CVE-2026-54803 WordPress SMS Alert Order Notifications plugin <= 3.9.4 - Privilege Escalation vulnerability 17.06.2026 9.8
CVE-2026-54806 WordPress WP Activity Log plugin <= 5.6.3.1 - PHP Object Injection vulnerability 17.06.2026 9.8
CVE-2026-54807 WordPress Registration Form for WooCommerce plugin <= 1.0.9 - Privilege Escalation vulnerability 17.06.2026 9.8
CVE-2026-54811 WordPress WP eMember plugin < v10.9.4 - SQL Injection vulnerability 17.06.2026 9.3
CVE-2026-0063 18.06.2026 10
CVE-2026-0064 17.06.2026 10
CVE-2026-0068 18.06.2026 10
CVE-2026-0071 18.06.2026 10
CVE-2026-0081 18.06.2026 10
CVE-2026-0082 18.06.2026 10
CVE-2026-0083 18.06.2026 10
CVE-2026-0092 18.06.2026 10
CVE-2026-10094 Path Traversal vulnerability affecting SOLIDWORKS Visualize from SOLIDWORKS Desktop Release 2024 through SOLIDWORKS Desktop Release 2026 17.06.2026 9.8
CVE-2026-28575 17.06.2026 10
CVE-2026-28576 17.06.2026 10
CVE-2026-28587 17.06.2026 10
CVE-2026-28615 18.06.2026 10
CVE-2026-48797 Backpropagate: backprop ui --auth and backprop ui --share do not enforce authentication 18.06.2026 9.3
CVE-2026-48616 17.06.2026 9.3
CVE-2026-48745 Traccar Client: silent configuration hijack via unverified deep link redirects all GPS telemetry 17.06.2026 9.3
CVE-2025-69108 WordPress Hot Coffee theme <= 1.7 - PHP Object Injection vulnerability 17.06.2026 9.8
CVE-2025-69122 WordPress SeaFood Company theme <= 1.4 - PHP Object Injection vulnerability 17.06.2026 9.8
CVE-2026-25470 WordPress ACPT (Pro) - Custom Post Types plugin for WordPress plugin <= 2.0.47 - Remote Code Execution (RCE) vulnerability 17.06.2026 10
CVE-2026-27395 WordPress Support Board plugin < 3.8.9 - Privilege Escalation vulnerability 17.06.2026 9.8
CVE-2026-27429 WordPress Nifty theme <= 1.4.1 - PHP Object Injection vulnerability 17.06.2026 9.8
CVE-2026-39438 WordPress ListingPro plugin <= 2.9.10 - SQL Injection vulnerability 17.06.2026 9.3
CVE-2026-39529 WordPress Elementra theme <= 1.0.9 - PHP Object Injection vulnerability 17.06.2026 9.8
CVE-2026-48055 Streambert: Arbitrary File Write (Zip Slip) via Subtitle Extraction 17.06.2026 10
CVE-2026-48781 Postiz has cross-tenant SUPERADMIN takeover via Skool-provider JWT forgery 18.06.2026 9.9
CVE-2026-49080 WordPress wpDataTables plugin <= 7.3.6 - SQL Injection vulnerability 17.06.2026 9.3
CVE-2026-54194 WordPress Fusion Builder plugin <= 3.15.4 - PHP Object Injection vulnerability 17.06.2026 9.8
CVE-2026-35263 18.06.2026 9.9
CVE-2026-35268 18.06.2026 9.9
CVE-2026-35270 18.06.2026 9.1
CVE-2026-35278 18.06.2026 9.8
CVE-2026-35280 17.06.2026 9.9
CVE-2026-35281 17.06.2026 9.9
CVE-2026-35282 17.06.2026 9.9
CVE-2026-35283 17.06.2026 9.9
CVE-2026-35284 17.06.2026 9.9
CVE-2026-35285 17.06.2026 9.9
CVE-2026-35286 18.06.2026 9.8
CVE-2026-35292 18.06.2026 10
CVE-2026-35293 17.06.2026 9.8
CVE-2026-35294 17.06.2026 9.9
CVE-2026-35296 17.06.2026 9.8
CVE-2026-35298 18.06.2026 9.1
CVE-2026-35300 18.06.2026 9.8
CVE-2026-35301 18.06.2026 10
CVE-2026-35304 19.06.2026 9.8
CVE-2026-35305 17.06.2026 9.3
CVE-2026-35306 17.06.2026 9.3
CVE-2026-35307 19.06.2026 10
CVE-2026-35308 19.06.2026 10
CVE-2026-35309 19.06.2026 9.8
CVE-2026-35310 19.06.2026 9.8
CVE-2026-35312 19.06.2026 9.8
CVE-2026-35313 17.06.2026 9.9
CVE-2026-35316 19.06.2026 9.9
CVE-2026-35319 19.06.2026 9.8
CVE-2026-35320 19.06.2026 9
CVE-2026-35321 19.06.2026 9.9
CVE-2026-35323 19.06.2026 9.9
CVE-2026-46765 19.06.2026 9.9
CVE-2026-46766 19.06.2026 9.8
CVE-2026-46767 19.06.2026 9.9
CVE-2026-46773 19.06.2026 9.8
CVE-2026-46774 19.06.2026 9.8
CVE-2026-46777 19.06.2026 9.1
CVE-2026-46778 17.06.2026 10
CVE-2026-46779 17.06.2026 9.9
CVE-2026-46781 17.06.2026 10
CVE-2026-46782 17.06.2026 9.9
CVE-2026-46783 17.06.2026 9.8
CVE-2026-46784 17.06.2026 9.1
CVE-2026-46785 19.06.2026 9.3
CVE-2026-46786 19.06.2026 9.6
CVE-2026-46789 19.06.2026 9.6
CVE-2026-46792 17.06.2026 9.9
CVE-2026-46793 17.06.2026 9.9
CVE-2026-46794 17.06.2026 9.9
CVE-2026-46795 19.06.2026 9.3
CVE-2026-46797 17.06.2026 9.8
CVE-2026-46798 17.06.2026 10
CVE-2026-46799 17.06.2026 9.8
CVE-2026-46800 17.06.2026 10
CVE-2026-46801 17.06.2026 9.8
CVE-2026-46802 19.06.2026 9.9
CVE-2026-46803 19.06.2026 10
CVE-2026-46805 19.06.2026 9.3
CVE-2026-46807 19.06.2026 9.8
CVE-2026-46809 17.06.2026 9.1
CVE-2026-46813 17.06.2026 9.8
CVE-2026-46814 17.06.2026 9.9
CVE-2026-46832 18.06.2026 9.9
CVE-2026-46838 17.06.2026 9.9
CVE-2026-46844 17.06.2026 9.9
CVE-2026-46845 17.06.2026 9.8
CVE-2026-46846 17.06.2026 10
CVE-2026-46847 18.06.2026 9.9
CVE-2026-46850 18.06.2026 9.9
CVE-2026-46852 18.06.2026 9.9
CVE-2026-46853 18.06.2026 9.6
CVE-2026-46854 18.06.2026 9.9
CVE-2026-46855 18.06.2026 9.9
CVE-2026-46856 18.06.2026 9.6
CVE-2026-46857 18.06.2026 9.8
CVE-2026-46858 17.06.2026 9.1
CVE-2026-46859 18.06.2026 9.8
CVE-2026-46860 18.06.2026 9.8
CVE-2026-46861 18.06.2026 9.6
CVE-2026-46872 17.06.2026 9
CVE-2026-46875 18.06.2026 9.1
CVE-2026-46878 18.06.2026 9.8
CVE-2026-46879 18.06.2026 9.8
CVE-2026-46880 18.06.2026 9.8
CVE-2026-46881 18.06.2026 9.8
CVE-2026-46882 18.06.2026 9.8
CVE-2026-46883 18.06.2026 9.8
CVE-2026-46884 18.06.2026 9.8
CVE-2026-46887 18.06.2026 9.8
CVE-2026-46889 18.06.2026 9.8
CVE-2026-46890 18.06.2026 9.8
CVE-2026-46892 18.06.2026 9.1
CVE-2026-46893 18.06.2026 9.9
CVE-2026-46895 18.06.2026 9.9
CVE-2026-46896 18.06.2026 9.1
CVE-2026-46897 18.06.2026 9.9
CVE-2026-46899 18.06.2026 9.6
CVE-2026-46900 18.06.2026 9.9
CVE-2026-46901 18.06.2026 9.9
CVE-2026-46902 18.06.2026 9.8
CVE-2026-46904 18.06.2026 9.8
CVE-2026-46905 18.06.2026 9.8
CVE-2026-46906 18.06.2026 9.6
CVE-2026-46907 18.06.2026 9.9
CVE-2026-46908 18.06.2026 9.9
CVE-2026-46909 18.06.2026 9.8
CVE-2026-46910 17.06.2026 9.1
CVE-2026-46911 18.06.2026 9.6
CVE-2026-46912 17.06.2026 9.3
CVE-2026-46913 18.06.2026 9.3
CVE-2026-46918 17.06.2026 9.9
CVE-2026-46919 18.06.2026 9.8
CVE-2026-46930 17.06.2026 9.1
CVE-2026-46933 18.06.2026 9.9
CVE-2026-46944 18.06.2026 9.1
CVE-2026-46945 17.06.2026 9.1
CVE-2026-46946 18.06.2026 9.1
CVE-2026-46949 17.06.2026 9.1
CVE-2026-46963 17.06.2026 9.9
CVE-2026-46964 17.06.2026 9.9
CVE-2026-46978 18.06.2026 10
CVE-2026-22313 OS Commands Executed with Administrative Permissions in Radiflow iSAP Smart Collector 17.06.2026 9.1
CVE-2026-48777 FileBrowser Quantum: Path Traversal in public share PATCH allows file ops outside shared directory 17.06.2026 9.3
CVE-2026-53776 Perry < 0.5.1166 JWT Expiration Bypass via verify_decode 16.06.2026 9.3
CVE-2025-13036 Rockwell Automation FactoryTalk Historian Site Edition - Authentication Bypass 16.06.2026 9.2
CVE-2026-40750 WordPress Kids Online Store theme <= 0.8.9 - Arbitrary File Upload vulnerability 16.06.2026 9.9
CVE-2026-39574 WordPress InPost Gallery plugin <= 2.1.4.6 - SQL Injection vulnerability 16.06.2026 9.3
CVE-2026-49772 WordPress The Events Calendar plugin 6.15.12-6.16.2 - SQL Injection vulnerability 16.06.2026 9.3
CVE-2026-49774 WordPress RD Station plugin <= 5.6.0 - Remote Code Execution (RCE) vulnerability 16.06.2026 9.9
CVE-2026-52715 WordPress GEO my WordPress plugin <= 4.5.5 - SQL Injection vulnerability 16.06.2026 9.3
CVE-2026-48853 Remote code execution and denial of service via unsafe Erlang term deserialization in elixir-grpc/grpc 17.06.2026 9.2
CVE-2026-48713 i18next-fs-backend: Prototype pollution via crafted missing-key string 16.06.2026 9.1
CVE-2026-48714 i18next-http-middleware missingKeyHandler does not reject keys whose segments contain prototype-polluting names 16.06.2026 9.1
CVE-2026-27053 WordPress Broadcast Live Video plugin < 7.1.3 - PHP Object Injection vulnerability 16.06.2026 9.8
CVE-2026-34901 WordPress iControlWP plugin <= 5.5.3 - Privilege Escalation vulnerability 16.06.2026 9.8
CVE-2026-39441 WordPress Feed KuantoKusta for WooCommerce – Free plugin <= 5.3 - SQL Injection vulnerability 16.06.2026 9.3
CVE-2026-39465 WordPress Responsive Slider by MetaSlider plugin <= 3.106.0 - Remote Code Execution (RCE) vulnerability 16.06.2026 9.1
CVE-2026-39492 WordPress WP Maps plugin <= 4.9.1 - SQL Injection vulnerability 16.06.2026 9.3
CVE-2026-39493 WordPress Simply Schedule Appointments plugin <= 1.6.9.27 - SQL Injection vulnerability 16.06.2026 9.3
CVE-2026-39502 WordPress Form Maker by 10Web plugin <= 1.15.38 - SQL Injection vulnerability 15.06.2026 9.3
CVE-2026-39511 WordPress WP Photo Album Plus plugin <= 9.1.08.001 - SQL Injection vulnerability 16.06.2026 9.3
CVE-2026-39512 WordPress GeoDirectory plugin <= 2.8.152 - SQL Injection vulnerability 16.06.2026 9.3
CVE-2026-39519 WordPress GeekyBot plugin <= 1.2.0 - SQL Injection vulnerability 16.06.2026 9.3
CVE-2026-39530 WordPress SpeakOut! Email Petitions plugin <= 4.6.5 - SQL Injection vulnerability 16.06.2026 9.3
CVE-2026-39583 WordPress Datalogics Ecommerce Delivery plugin <= 2.6.62 - Privilege Escalation vulnerability 16.06.2026 9.8
CVE-2026-39591 WordPress WP-BusinessDirectory plugin <= 4.0.0 - Arbitrary File Upload vulnerability 16.06.2026 9.9
CVE-2026-40771 WordPress Contest Gallery plugin <= 28.1.6 - SQL Injection vulnerability 16.06.2026 9.3
CVE-2026-40772 WordPress GeekyBot plugin <= 1.2.2 - Arbitrary File Upload vulnerability 16.06.2026 10
CVE-2026-40798 WordPress wpForo Forum plugin <= 3.0.4 - SQL Injection vulnerability 16.06.2026 9.3
CVE-2026-42381 WordPress Funnel Builder by FunnelKit plugin <= 3.15.0.1 - SQL Injection vulnerability 16.06.2026 9.3
CVE-2026-42386 WordPress Order Delivery Date for WooCommerce plugin <= 4.5.1 - SQL Injection vulnerability 16.06.2026 9.3
CVE-2026-42639 WordPress GD Rating System plugin <= 3.6.2 - SQL Injection vulnerability 16.06.2026 9.3
CVE-2026-42665 WordPress WP Data Access plugin <= 5.5.70 - SQL Injection vulnerability 16.06.2026 9.3
CVE-2026-45439 WordPress Realtyna Organic IDX plugin plugin <= 5.1.0 - SQL Injection vulnerability 16.06.2026 9.3
CVE-2026-48836 WordPress Easy Invoice plugin <= 2.1.19 - Remote Code Execution (RCE) vulnerability 16.06.2026 10
CVE-2026-48881 WordPress TrueBooker plugin <= 1.1.9 - Broken Access Control vulnerability 16.06.2026 9.1
CVE-2026-48886 WordPress JS Help Desk plugin <= 3.0.9 - SQL Injection vulnerability 16.06.2026 9.3
CVE-2026-49067 WordPress Advanced 301 and 302 Redirect plugin <= 1.6.9 - SQL Injection vulnerability 16.06.2026 9.3
CVE-2026-49085 WordPress WP Insightly for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms plugin <= 1.1.4 - PHP Object Injection vulnerability 16.06.2026 9.8
CVE-2026-49104 WordPress Integration for Keap/infusionsoft and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms plugin <= 1.2.1 - PHP Object Injection vulnerability 16.06.2026 9.8
CVE-2026-49105 WordPress WP Zendesk for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms plugin <= 1.1.4 - PHP Object Injection vulnerability 15.06.2026 9.8
CVE-2026-49106 WordPress Integration for Contact Form 7 and Constant Contact plugin <= 1.1.6 - PHP Object Injection vulnerability 16.06.2026 9.8
CVE-2026-49109 WordPress Integration for Salesforce and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms plugin <= 1.4.3 - PHP Object Injection vulnerability 16.06.2026 9.8
CVE-2026-49763 WordPress Integration for Contact Form 7 HubSpot plugin <= 1.3.7 - PHP Object Injection vulnerability 15.06.2026 9.8
CVE-2026-49764 WordPress RegistrationMagic plugin <= 6.0.8.6 - Broken Authentication vulnerability 15.06.2026 9.8
CVE-2026-49765 WordPress Integration for Mailchimp and Contact Form 7, WPForms, Elementor, Ninja Forms plugin <= 1.1.8 - PHP Object Injection vulnerability 16.06.2026 9.8
CVE-2026-49766 WordPress WP User Manager plugin <= 2.9.16 - Arbitrary File Deletion vulnerability 16.06.2026 9.9
CVE-2026-49768 WordPress Happyforms plugin <= 1.26.13 - PHP Object Injection vulnerability 16.06.2026 9.8
CVE-2026-49769 WordPress wpForo Forum plugin <= 3.1.0 - PHP Object Injection vulnerability 16.06.2026 9.8
CVE-2026-49770 WordPress WP Travel Engine plugin <= 6.7.12 - PHP Object Injection vulnerability 16.06.2026 9.8
CVE-2026-49776 WordPress GPTranslate – Multilingual AI Translation for WordPress: Automatically Translate Websites plugin <= 2.32.6 - SQL Injection vulnerability 16.06.2026 9.3
CVE-2026-49781 WordPress OttoKit plugin <= 1.1.27 - PHP Object Injection vulnerability 16.06.2026 9.8
CVE-2026-52693 WordPress eCommerce Product Catalog plugin <= 3.5.5 - SQL Injection vulnerability 15.06.2026 9.3
CVE-2026-52703 WordPress FastDup plugin <= 2.7.2 - Path Traversal vulnerability 16.06.2026 9.6
CVE-2026-9691 WordPress Integration for ActiveCampaign and Contact Form 7, WPForms, Elementor, Ninja Forms plugin <= 1.1.1 - PHP Object Injection vulnerability 16.06.2026 9.8
CVE-2026-48114 Metacat has an unauthenticated SQL injection vulnerability 15.06.2026 9.8
CVE-2026-49952 Discuz! X5.0 Authentication Bypass via dbbak.php Encryption Oracle 16.06.2026 9.3
CVE-2026-9862 Core Privileged Access Manager (BoKS) autoregistration service command injection vulnerability 15.06.2026 9.8
CVE-2018-25436 WordPress Plugin Baggage Freight Shipping Australia 0.1.0 Arbitrary File Upload 15.06.2026 9.3
CVE-2026-52704 WordPress WooCommerce PDF Invoice Builder plugin <= 2.0.8 - Remote Code Execution (RCE) vulnerability 15.06.2026 10
CVE-2026-49757 OAuth2/OIDC account takeover in AshAuthentication via email-based user matching 15.06.2026 9.2
CVE-2026-5482 Remote Code Execution via Unrestricted File Upload in Responsive FileManager 15.06.2026 9.3
CVE-2026-12183 17.06.2026 9.3
CVE-2026-11624 15.06.2026 9.4
CVE-2026-46716 Nezha Monitoring: RoleMember can run shell on every server (cross-tenant RCE) via POST /api/v1/cron 15.06.2026 9.9
CVE-2026-53519 Nezha Monitoring: Pre-auth path traversal via /dashboard.. prefix confusion leaks jwt_secret_key 15.06.2026 9.1
CVE-2026-53609 Apostrophe has Server-Side Prototype Pollution in apos.util.set via patch operators that leads to process-wide authorization bypass 15.06.2026 9.1
CVE-2026-44990 Apostrophe has default XSS via `xmp` raw-text passthrough in `sanitize-html` 15.06.2026 9.3
CVE-2026-28742 Naxclow IoT Platform Use of hard-coded cryptographic key 12.06.2026 9.2
CVE-2026-50101 Naxclow IoT Platform Not using password aging 12.06.2026 9.2

Latest Updates

CVE Title Updated Score
CVE-2016-20085 Realtek High Definition Audio Driver 6.0.1.6730 Privilege Escalation 19.06.2026
CVE-2016-20086 Vembu StoreGrid 4.0 Unquoted Service Path Privilege Escalation 19.06.2026
CVE-2016-20087 Fortitude HTTP 1.0.4.0 Unquoted Service Path Elevation of Privilege 19.06.2026
CVE-2016-20088 Comodo Chromodo Browser 52.15.25.664 Unquoted Service Path Privilege Escalation 19.06.2026
CVE-2016-20089 Iperius Remote 1.7.0 Unquoted Service Path Elevation of Privilege 19.06.2026
CVE-2016-20090 Comodo Dragon Browser 52.15.25.663 Privilege Escalation via Unquoted Service Path 19.06.2026
CVE-2016-20091 Windows Firewall Control 4.8.6.0 Unquoted Service Path Privilege Escalation 19.06.2026
CVE-2016-20092 NetDrive 2.6.12 Unquoted Service Path Elevation of Privilege 19.06.2026
CVE-2016-20093 Wise Care 365 4.27 and Wise Disk Cleaner 9.29 Unquoted Service Path Privilege Escalation 19.06.2026
CVE-2016-20094 AnyDesk 2.5.0 Unquoted Service Path Elevation of Privilege 19.06.2026
CVE-2016-20095 Matrix42 Remote Control Host 3.20.0031 Unquoted Path Privilege Escalation 19.06.2026
CVE-2019-25747 Network Inventory Advisor 5.0.26.0 Unquoted Service Path Privilege Escalation 19.06.2026
CVE-2020-37250 TFTP Broadband 4.3.0.1465 Unquoted Service Path Privilege Escalation 19.06.2026
CVE-2020-37251 RealTimes Desktop Service 18.1.4 Unquoted Service Path Privilege Escalation 19.06.2026
CVE-2020-37252 Realtek Audio Service 1.0.0.55 Unquoted Service Path Privilege Escalation 19.06.2026
CVE-2020-37253 Winstep 18.06.0096 Unquoted Service Path Privilege Escalation 19.06.2026
CVE-2020-37254 Wondershare PDFelement 5.2.9 Privilege Escalation via Unquoted Service Path 19.06.2026
CVE-2021-47985 Brother SAPSprint 7.60 Unquoted Service Path Privilege Escalation 19.06.2026
CVE-2022-50971 Malwarebytes 4.5 Unquoted Service Path Privilege Escalation 19.06.2026
CVE-2023-54353 Chromacam 4.0.3.0 Unquoted Service Path Privilege Escalation 19.06.2026
CVE-2025-71326 AVAST Antivirus 25.11 Unquoted Service Path Privilege Escalation 19.06.2026
CVE-2026-21768 HCL Verse for Android is susceptible to an injection vulnerability 19.06.2026 6.3
CVE-2026-49358 PhpWeasyPrint vulnerable to arbitrary file deletion at shutdown via public $temporaryFiles 19.06.2026 3
CVE-2026-52908 RDMA: During rereg_mr ensure that REREG_ACCESS is compatible 19.06.2026
CVE-2026-52909 ip6_vti: set netns_immutable on the fallback device. 19.06.2026
CVE-2026-52910 bpf: Free reuseport cBPF prog after RCU grace period. 19.06.2026
CVE-2025-62821 19.06.2026
CVE-2026-12104 Authenticated OS Command Injection in Bondix 19.06.2026
CVE-2026-39998 Apache APISIX: Identity Injection via forward-auth Plugin Missing Header Cleanup 19.06.2026
CVE-2026-39999 Apache APISIX: JWT Algorithm Confusion allows authentication bypass 19.06.2026
CVE-2026-44046 Apache APISIX: wolf-rbac plugin Identity Spoofing 19.06.2026
CVE-2026-44087 Apache APISIX: Openid-connect plugin Identity Header Spoofing 19.06.2026
CVE-2026-44915 Apache APISIX: Cas-auth plugin open redirect via unsanitized cookie value 19.06.2026
CVE-2026-47339 Apache APISIX: authz-casdoor incorrect session sharing 19.06.2026
CVE-2026-47341 Apache APISIX: Session replay issue in hmac-auth 19.06.2026
CVE-2026-48137 Untrusted pointer dereference in NI grpc-device sideband streaming API 19.06.2026 9.1
CVE-2026-48138 Out-of-bounds read vulnerability in the NI grpc-device streaming API 19.06.2026 7.5
CVE-2026-48139 NULL pointer dereference vulnerability in NI grpc-device data moniker service 19.06.2026 7.5
CVE-2026-48140 Unchecked enum cast vulnerability in NI grpc-device in BeginSidebandStream 19.06.2026 6.5
CVE-2026-48141 Memory leak in NI grpc-device BeginSidebandStream 19.06.2026 5.3
CVE-2026-48895 Apache APISIX: Cas-auth Host header influence on CAS service URL 19.06.2026
CVE-2026-49230 Apache APISIX: Authentication bypass in jwe-decrypt 19.06.2026
CVE-2026-49231 Apache APISIX: Identity spoofing issue in APISIX opa plugin 19.06.2026
CVE-2026-49357 Streamable HTTP mode exposes LINE Desktop read/send tools without MCP authentication 19.06.2026
CVE-2026-49871 Apache APISIX: cas-auth login CSRF / session injection issue 19.06.2026
CVE-2026-49872 Apache APISIX: Improper authentication in cas-auth plugin 19.06.2026
CVE-2026-4026 FlexNet Manager Suite Privilege Escalation Vulnerability 19.06.2026
CVE-2026-4027 FlexNet Manager Suite Attachment File Disclosure 19.06.2026
CVE-2026-9142 Insecure Default Credentials vulnerability in NI grpc-device when TLS configuration is not present 19.06.2026 9.1
CVE-2026-9143 Incorrect Conversion between Numeric Types in NI grpc-device due to missing range checks in CodeGen 19.06.2026 3.7
CVE-2026-44939 Command injection through unsanitized YAML parameter in Rancher 19.06.2026
CVE-2026-50242 19.06.2026 10
CVE-2026-53915 19.06.2026 7.1
CVE-2026-56141 19.06.2026 9.8
CVE-2026-56142 19.06.2026 9.6
CVE-2026-11941 Use-after-free in connection ID iterator and FFI functions 19.06.2026 5.6
CVE-2026-12706 Ffmpeg: ffmpeg: heap use-after-free read in rasc decoder decode_move() 19.06.2026
CVE-2026-11576 19.06.2026 7.5
CVE-2026-34192 GPU DDK - _MMU_AllocLevel error recovery paths leave dangling page table entries 19.06.2026
CVE-2026-41156 GPU DDK - kernel<->fw CCB contains SYNC_PRIMITIVE_BLOCK firmware address without holding reference 19.06.2026
CVE-2026-56138 Authenticated Path Traversal in AIL framework /objects/item/diff Allows Reading Gzip-Compressed Files 19.06.2026
CVE-2026-8296 19.06.2026
CVE-2026-3640 STRABL <= 4.5 - Unauthenticated Arbitrary Webhook Creation via REST API Endpoint 19.06.2026 5.3
CVE-2026-46461 19.06.2026 7.8
CVE-2026-6798 2Download Connector for 2DL Hosted Checkout <= 0.1.5 - Missing Authorization to Unauthenticated Sensitive Customer Subscription Data Exposure via 'ToDownload_email' Parameter 19.06.2026 5.3
CVE-2025-7737 DoS Vulnerability in 10G iSCSI Interface of Hitachi Virtual Storage Platform 19.06.2026 8.6
CVE-2026-10034 WP DSGVO Tools (GDPR) <= 3.1.39 - Missing Authorization to Unauthenticated Sensitive Personal Data Disclosure via subject-access-request AJAX Endpoint (process_now/is_ajax Parameters) 19.06.2026 5.3
CVE-2026-10720 MicroCeph path traversal issue in the remote-import API 19.06.2026
CVE-2026-11752 19.06.2026
CVE-2026-11989 Bit integrations <= 2.8.7 - Unauthenticated Server-Side Request Forgery via Form Field Upload Mapping 19.06.2026 6.5
CVE-2026-12157 BetterDocs <= 4.5.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'blockId' Block Attribute 19.06.2026 6.4
CVE-2026-12430 Blocksy Companion <= 2.1.45 - Authenticated (Editor+) Stored Cross-Site Scripting via 'product_description' Parameter 19.06.2026 4.4
CVE-2026-12644 19.06.2026 5.3
CVE-2026-1856 Appointment Booking Calendar <= 1.4.4 - Authenticated (Author+) Stored Cross-Site Scripting via Custom Booking Field Label 19.06.2026 6.4
CVE-2026-4328 Advanced Import: One-Click Demo Import for WordPress <= 1.4.6 - Authenticated (Author+) Server-Side Request Forgery via 'demo_file' Parameter 19.06.2026 6.4
CVE-2026-54414 FileRise shared-folder upload path traversal allows arbitrary file write and admin takeover 19.06.2026 9.8
CVE-2026-7515 BetterDocs Pro <= 3.8.0 - Unauthenticated Local File Inclusion via doc_style 19.06.2026 9.8
CVE-2026-7547 Woosa <= 2.0.5 - Authenticated (Administrator+) Arbitrary File Read via 'log_file' Parameter 19.06.2026 4.9
CVE-2026-8118 Royal Addons for Elementor – Addons and Templates Kit for Elementor 1.7.1058 - 1.7.1059 - Authenticated (Contributor+) Arbitrary File Read via Data Table Widget CSV File Source 19.06.2026 6.5
CVE-2026-8713 Avada (Fusion) Builder <= 3.15.3 - Unauthenticated Arbitrary File Deletion via Form Entry Value 19.06.2026 9.1
CVE-2026-9013 Bogo <= 3.9.1 - Missing Authorization to Authenticated (Subscriber+) Sensitive Information Exposure via REST API 19.06.2026 4.3
CVE-2026-9822 WP Hotel Booking < 2.3.1 - Subscriber+ Missing Authorization in Multiple AJAX Handlers 19.06.2026
CVE-2026-10779 Classified Listing <= 5.4.2 - Missing Authorization to Authenticated (Subscriber+) Feature Modification via Multiple AJAX Handlers ('listingId'/'id' Parameters) 19.06.2026 4.3
CVE-2026-56131 19.06.2026 4.9
CVE-2026-56132 19.06.2026 6.9
CVE-2026-11775 User Admin Simplifier <= 3.0.0 - Cross-Site Request Forgery 19.06.2026 4.3
CVE-2026-8805 Denial-of-service (DoS) vulnerability in MELSEC iQ-F Series EtherNet/IP module 19.06.2026
CVE-2026-8806 Denial-of-service (DoS) vulnerability in MELSEC iQ-F Series FX5-ENET/IP Ethernet module 19.06.2026
CVE-2026-12044 pgAdmin 4: SQL injection in COMMENT ON ... IS '<description>' rendering across dialog templates 18.06.2026 8.8
CVE-2026-12045 pgAdmin 4: AI Assistant read-only transaction bypass allows unauthorised writes and remote code execution 18.06.2026 9
CVE-2026-12046 pgAdmin 4: Unauthenticated pickle deserialization in SQL Editor close / update_connection routes enables remote code execution 18.06.2026 9
CVE-2026-12047 pgAdmin 4: HTML injection in cloud verify_credentials / deploy endpoints via unsanitised SDK exception text 18.06.2026 3.5
CVE-2026-12048 pgAdmin 4: Stored XSS via untrusted error and plan-node text rendered through html-react-parser 18.06.2026 9.3
CVE-2026-12049 pgAdmin 4: Open redirect in multi-factor authentication flow via unvalidated 'next' parameter 18.06.2026 4.3
CVE-2026-12050 pgAdmin 4: SQL injection in named restore point endpoint 18.06.2026 4.3
CVE-2026-40624 AVer PTC cameras Files or Directories Accessible to External Parties 18.06.2026 9.8
CVE-2026-50034 Apollo Pharmacy Blood Glucose Monitoring System APG-01 BT Cleartext Transmission of Sensitive Information 18.06.2026 6.5
CVE-2026-52866 Apollo Pharmacy Blood Glucose Monitoring System APG-01 BT Missing Authorization 18.06.2026 6.5
CVE-2026-10746 18.06.2026
CVE-2026-56074 PraisonAI - Tool Approval Cache Bypass via Coarse-Grained Caching 18.06.2026
CVE-2026-56075 PraisonAI - Arbitrary Shell Command Execution via Hardcoded Approval Mode Override 18.06.2026
CVE-2026-56076 PraisonAI - Cross-Origin Agent Execution via Hardcoded Wildcard CORS and Missing Authentication on AGUI Endpoint 18.06.2026
CVE-2026-56077 PraisonAI - Information Disclosure via Shared MultiAgentLedger State 18.06.2026
CVE-2026-56078 PraisonAI - Arbitrary File Read and Write via Path Traversal in MultiAgentMonitor 18.06.2026
CVE-2026-6716 18.06.2026
CVE-2026-22674 Hashgraph Guardian Stored XSS via branding companyName field 18.06.2026
CVE-2026-32174 Azure Bot Service Elevation of Privilege Vulnerability 18.06.2026 7.7
CVE-2026-47633 Microsoft Cost Management Information Disclosure Vulnerability 18.06.2026 7.5
CVE-2026-47647 Dynamics 365 Elevation of Privilege Vulnerability 18.06.2026 9.9
CVE-2026-49205 phpMyFAQ: Missing userHasPermission() in 4 API write endpoints (CVE-2026-24421 Incomplete Fix) 18.06.2026 6.5
CVE-2026-54017 Open WebUI: Path traversal / SSRF in terminal server proxy via encoded path traversal 18.06.2026 7.7
CVE-2026-54130 M365 Copilot Information Disclosure Vulnerability 18.06.2026 9.8
CVE-2026-8100 18.06.2026
CVE-2026-8668 Hardcoded credentials in embedded content 18.06.2026
CVE-2026-45696 OpenEXR HTJ2K decoder heap buffer over-read in ht_undo_impl() (DoS) 18.06.2026
CVE-2026-46699 conda-smithy vulnerable to misrouted repository invitation by conda-forge-webservices[bot] due to GitHub username takeover leading to unintended write access in conda-forge feedstock repository 18.06.2026 7.6
CVE-2026-49257 mcp-pinot: Unauthenticated tool invocation via default oauth_enabled=False + host 0.0.0.0 bind 18.06.2026 10
CVE-2026-49454 Relyra SAML SignatureValue not cryptographically verified -> authentication bypass 18.06.2026 9.1
CVE-2025-15661 libssh2 - Heap Buffer Over-read via sftp_symlink() in sftp.c 18.06.2026
CVE-2026-43994 Coturn: Stack buffer overflow in decode_oauth_token_gcm() 18.06.2026 8.1
CVE-2026-44663 OpenEXR: Integer overflow in the HTJ2K decoder leads to heap-buffer-overflow 18.06.2026 6.1
CVE-2026-49248 OneDev: RCE through absolute-path symlink following allows low-privileged users to overwrite arbitrary server via TarUtils.untar 18.06.2026
CVE-2026-49252 deepstream is vulnerable to prototype pollution 18.06.2026 9.9
CVE-2026-25865 Punto Switcher 4.5.0.583 Unquoted Search Path via WinExec 18.06.2026
CVE-2026-2842 18.06.2026
CVE-2026-43915 Coturn: Stored Cross-Site Scripting (XSS) in web-admin interface via TURN username 18.06.2026 5.4
CVE-2026-47846 18.06.2026 9.8
CVE-2026-47847 18.06.2026 5.3
CVE-2026-48716 nanobot: Path traversal via unsanitized WhatsApp document fileName enables arbitrary file write 18.06.2026 8.7
CVE-2026-48980 pam_usb: getenv() used in PAM context allows environment variable injection into local-check logic 18.06.2026 6.3
CVE-2026-48981 pam_usb: xmlReadFile flags=0 permits XXE network entity fetching in conf.c 18.06.2026 6.7
CVE-2026-48982 pam_usb: Missing O_EXCL on pad temp file creation allows concurrent update race 18.06.2026 5.8
CVE-2026-48983 pam_usb: TOCTOU race condition in pad directory creation allows symlink substitution 18.06.2026 5.8
CVE-2026-56099 OpenBSD mpls_do_error Kernel Stack Memory Disclosure via MPLS Input 18.06.2026
CVE-2026-12390 Access of resource using incompatible type ('type confusion') in AzeoTech DAQFactory 18.06.2026
CVE-2026-47833 18.06.2026 6.1
CVE-2026-48937 18.06.2026
CVE-2026-55392 NILFS utilities - Undefined Behavior and Out-of-Memory via Unvalidated s_log_block_size 18.06.2026
CVE-2026-9692 Mojolicious::Sessions::Storable versions through 0.05 for Perl generate session ids insecurely 18.06.2026
CVE-2026-48985 pam_usb: NULL Dereference Crash in pusb_is_loginctl_local when loginctl Returns Empty Remote Field 18.06.2026 5.5
CVE-2026-48986 pam_usb: Infinite loop DoS in process-tree walk when parent process exits during authentication 18.06.2026 4.7
CVE-2026-54390 JTL Shop < 5.7.2 Server-Side Template Injection via Smarty Renderer 18.06.2026