| CVE-2026-25738 | Indico has Server-Side Request Forgery (SSRF) in multiple places | 19.02.2026 | |
| CVE-2026-25940 | jsPDF's PDF Injection in AcroForm module allows Arbitrary JavaScript Execution (RadioButton.createOption and "AS" property) | 19.02.2026 | 8.1 |
| CVE-2026-26223 | SPIP < 4.4.8 Cross-Site Scripting via Iframe Tags in Private Area | 19.02.2026 | |
| CVE-2026-26345 | SPIP < 4.4.8 Cross-Site Scripting in Public Area | 19.02.2026 | |
| CVE-2026-2274 | Arbitrary File Read and SSRF in Google AppSheet | 19.02.2026 | |
| CVE-2025-71240 | SPIP < 4.2.15 Cross-Site Scripting via Code Tags | 19.02.2026 | |
| CVE-2025-71241 | SPIP < 4.3.6 Cross-Site Scripting in Private Area | 19.02.2026 | |
| CVE-2025-71242 | SPIP < 4.3.6 Authorization Bypass Leading to Content Disclosure | 19.02.2026 | |
| CVE-2025-71243 | SPIP Saisies Plugin < 5.11.1 Remote Code Execution | 19.02.2026 | |
| CVE-2025-71244 | SPIP < 4.4.5 Open Redirect via Login Form | 19.02.2026 | |
| CVE-2025-71245 | | 19.02.2026 | |
| CVE-2025-71246 | | 19.02.2026 | |
| CVE-2025-71247 | SPIP < 4.4.9 Blind Server-Side Request Forgery via Syndicated Sites | 19.02.2026 | |
| CVE-2025-71248 | SPIP < 4.4.9 Stored Cross-Site Scripting via Syndicated Sites | 19.02.2026 | |
| CVE-2025-71249 | SPIP < 4.4.9 Cross-Site Scripting in Private Area (Incomplete Fix) | 19.02.2026 | |
| CVE-2025-71250 | SPIP < 4.4.9 Insecure Deserialization | 19.02.2026 | |
| CVE-2026-25535 | jsPDF Affected by Client-Side/Server-Side Denial of Service via Malicious GIF Dimensions | 19.02.2026 | |
| CVE-2026-25755 | jsPDF has PDF Object Injection via Unsanitized Input in addJS Method | 19.02.2026 | 8.1 |
| CVE-2025-55853 | | 19.02.2026 | |
| CVE-2026-25527 | changedetection.io vulnerable to unauthenticated static path traversal | 19.02.2026 | 5.3 |
| CVE-2026-2744 | | 19.02.2026 | |
| CVE-2019-25402 | Comodo Dome Firewall 2.7.0 Cross-Site Scripting via login | 19.02.2026 | |
| CVE-2019-25403 | Comodo Dome Firewall 2.7.0 Stored Cross-Site Scripting via admin_profiles | 19.02.2026 | |
| CVE-2019-25404 | Comodo Dome Firewall 2.7.0 Stored Cross-Site Scripting via admins | 19.02.2026 | |
| CVE-2019-25405 | Comodo Dome Firewall 2.7.0 Stored Cross-Site Scripting via license_activation | 19.02.2026 | |
| CVE-2019-25406 | Comodo Dome Firewall 2.7.0 Reflected Cross-Site Scripting via organization Parameter | 19.02.2026 | |
| CVE-2019-25407 | Comodo Dome Firewall 2.7.0 Cross-Site Scripting via backupschedule | 19.02.2026 | |
| CVE-2019-25408 | Comodo Dome Firewall 2.7.0 Reflected Cross-Site Scripting via netwizard2 | 19.02.2026 | |
| CVE-2019-25409 | Comodo Dome Firewall 2.7.0 Reflected Cross-Site Scripting via routing | 19.02.2026 | |
| CVE-2019-25410 | Comodo Dome Firewall 2.7.0 Reflected Cross-Site Scripting via policy_routing | 19.02.2026 | |
| CVE-2019-25411 | Comodo Dome Firewall 2.7.0 Cross-Site Scripting via DHCP | 19.02.2026 | |
| CVE-2019-25412 | Comodo Dome Firewall 2.7.0 Reflected Cross-Site Scripting via NTP_SERVER_LIST | 19.02.2026 | |
| CVE-2019-25413 | Comodo Dome Firewall 2.7.0 Reflected Cross-Site Scripting via ID Parameter | 19.02.2026 | |
| CVE-2019-25414 | Comodo Dome Firewall 2.7.0 Reflected Cross-Site Scripting via ID Parameter Appid | 19.02.2026 | |
| CVE-2019-25415 | Comodo Dome Firewall 2.7.0 Cross-Site Scripting via hotspot_permanent_users | 19.02.2026 | |
| CVE-2019-25416 | Comodo Dome Firewall 2.7.0 Reflected Cross-Site Scripting via device Parameter | 19.02.2026 | |
| CVE-2019-25417 | Comodo Dome Firewall 2.7.0 Reflected Cross-Site Scripting via QoS Rules | 19.02.2026 | |
| CVE-2019-25418 | Comodo Dome Firewall 2.7.0 Reflected Cross-Site Scripting via fwgroups | 19.02.2026 | |
| CVE-2019-25419 | Comodo Dome Firewall 2.7.0 Stored Cross-Site Scripting via schedule | 19.02.2026 | |
| CVE-2019-25420 | Comodo Dome Firewall 2.7.0 Reflected Cross-Site Scripting via snat | 19.02.2026 | |
| CVE-2019-25421 | Comodo Dome Firewall 2.7.0 Cross-Site Scripting via policyfw | 19.02.2026 | |
| CVE-2019-25422 | Comodo Dome Firewall 2.7.0 Cross-Site Scripting via vpnfw | 19.02.2026 | |
| CVE-2019-25423 | Comodo Dome Firewall 2.7.0 Cross-Site Scripting via proxyconfig | 19.02.2026 | |
| CVE-2019-25424 | Comodo Dome Firewall 2.7.0 Reflected Cross-Site Scripting via https_exceptions | 19.02.2026 | |
| CVE-2019-25425 | Comodo Dome Firewall 2.7.0 Reflected Cross-Site Scripting via smtpconfig | 19.02.2026 | |
| CVE-2019-25426 | Comodo Dome Firewall 2.7.0 Cross-Site Scripting via dnsmasq | 19.02.2026 | |
| CVE-2019-25427 | Comodo Dome Firewall 2.7.0 Reflected Cross-Site Scripting via antispyware | 19.02.2026 | |
| CVE-2019-25428 | Comodo Dome Firewall 2.7.0 Cross-Site Scripting via openvpn_users | 19.02.2026 | |
| CVE-2019-25429 | Comodo Dome Firewall 2.7.0 Reflected Cross-Site Scripting via openvpn_advanced | 19.02.2026 | |
| CVE-2019-25430 | Comodo Dome Firewall 2.7.0 Reflected Cross-Site Scripting via vpn_users | 19.02.2026 | |
| CVE-2025-9953 | SQLi in Database Software's Databank Accreditation Software | 19.02.2026 | 9.8 |
| CVE-2025-8350 | Authentication Bypass with Redirect in BiEticaret Software's BiEticaret CMS | 19.02.2026 | 9.8 |
| CVE-2025-15559 | Unauthenticated OS Command Injection in NesterSoft WorkTime | 19.02.2026 | |
| CVE-2025-15560 | SQL Injection in NesterSoft WorkTime | 19.02.2026 | |
| CVE-2025-15561 | Local Privilege Escalation in NesterSoft WorkTime | 19.02.2026 | |
| CVE-2025-15562 | Reflected Cross-Site Scripting in NesterSoft WorkTime | 19.02.2026 | |
| CVE-2025-15563 | Broken Access Control results in Denial of Service in NesterSoft WorkTime | 19.02.2026 | |
| CVE-2025-9062 | IDOR in MeCODE Informatics' Envanty | 19.02.2026 | 7.3 |
| CVE-2025-12107 | Potential authenticated Server-Side Template Injection (SSTI) vulnerability. | 19.02.2026 | 10 |
| CVE-2025-13590 | Authenticated arbitrary file upload via a System REST API requiring administrator permission. | 19.02.2026 | 9.1 |
| CVE-2026-1219 | MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar 4.0 - 5.10 - Unauthenticated Insecure Direct Object Reference to Sensitive Information Exposure | 19.02.2026 | 5.3 |
| CVE-2026-1461 | Simple Membership <= 4.7.0 - Unauthenticated Improper Handling of Missing Values | 19.02.2026 | 6.5 |
| CVE-2026-2716 | Client Testimonial Slider <= 2.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'Testimonial Heading' Setting | 19.02.2026 | 4.4 |
| CVE-2026-2718 | Dealia <= 1.0.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Gutenberg Block Attributes | 19.02.2026 | 6.4 |
| CVE-2026-22266 | | 19.02.2026 | 4.7 |
| CVE-2026-22267 | | 19.02.2026 | 8.1 |
| CVE-2026-22268 | | 19.02.2026 | 6.3 |
| CVE-2025-40697 | Reflected Cross-Site Scripting (XSS) in Lewe WebMeasure | 19.02.2026 | |
| CVE-2025-41023 | Authentication bypass in AutoGPT de Thesamur | 19.02.2026 | |
| CVE-2026-22269 | | 19.02.2026 | 4.7 |
| CVE-2026-26358 | | 19.02.2026 | 8.8 |
| CVE-2026-22333 | WordPress YITH WooCommerce Compare plugin <= 3.6.0 - Deserialization of untrusted data vulnerability | 19.02.2026 | |
| CVE-2026-22422 | WordPress Everest Forms plugin <= 3.4.1 - Arbitrary Shortcode Execution vulnerability | 19.02.2026 | |
| CVE-2026-23541 | WordPress Mail Mint plugin <= 1.19.4 - Broken Access Control vulnerability | 19.02.2026 | |
| CVE-2026-23542 | WordPress Grand Restaurant theme <= 7.0.10 - PHP Object Injection vulnerability | 19.02.2026 | |
| CVE-2026-23543 | WordPress Essential Addons for Elementor plugin <= 6.5.5 - Broken Access Control vulnerability | 19.02.2026 | |
| CVE-2026-23544 | WordPress Valenti theme <= 5.6.3.5 - PHP Object Injection vulnerability | 19.02.2026 | |
| CVE-2026-23545 | WordPress Aruba HiSpeed Cache plugin <= 3.0.4 - Broken Access Control vulnerability | 19.02.2026 | |
| CVE-2026-23547 | WordPress CMSMasters Content Composer plugin <= 2.5.8 - Broken Access Control vulnerability | 19.02.2026 | |
| CVE-2026-23548 | WordPress DirectoryPress plugin <= 3.6.25 - Broken Access Control vulnerability | 19.02.2026 | |
| CVE-2026-23549 | WordPress WpEvently plugin <= 5.1.1 - PHP Object Injection vulnerability | 19.02.2026 | |
| CVE-2026-23803 | WordPress Smart Auto Upload Images plugin <= 1.2.2 - Server Side Request Forgery (SSRF) vulnerability | 19.02.2026 | |
| CVE-2026-23804 | WordPress Better Business Reviews plugin <= 0.1.1 - Broken Access Control vulnerability | 19.02.2026 | |
| CVE-2026-23805 | WordPress Media Search Enhanced plugin <= 0.9.1 - SQL Injection vulnerability | 19.02.2026 | |
| CVE-2026-24375 | WordPress Ultimate Gift Cards For WooCommerce plugin <= 3.2.4 - Broken Access Control vulnerability | 19.02.2026 | |
| CVE-2026-24392 | WordPress HurryTimer plugin <= 2.14.2 - Cross Site Scripting (XSS) vulnerability | 19.02.2026 | |
| CVE-2026-24999 | WordPress Alma plugin <= 5.16.1 - Broken Access Control vulnerability | 19.02.2026 | |
| CVE-2026-25000 | WordPress Wheel of Life plugin <= 1.2.0 - Broken Access Control vulnerability | 19.02.2026 | |
| CVE-2026-25003 | WordPress Client Portal plugin <= 1.2.1 - Broken Access Control vulnerability | 19.02.2026 | |
| CVE-2026-25004 | WordPress CM Business Directory plugin <= 1.5.3 - Cross Site Scripting (XSS) vulnerability | 19.02.2026 | |
| CVE-2026-25005 | WordPress Frontend File Manager plugin <= 23.5 - Insecure Direct Object References (IDOR) vulnerability | 19.02.2026 | |
| CVE-2026-25006 | WordPress XStore theme <= 9.6.4 - Arbitrary Shortcode Execution vulnerability | 19.02.2026 | |
| CVE-2026-25008 | WordPress Ninja Tables plugin <= 5.2.5 - Sensitive Data Exposure vulnerability | 19.02.2026 | |
| CVE-2026-25305 | WordPress XStore theme <= 9.6.4 - Cross Site Scripting (XSS) vulnerability | 19.02.2026 | |
| CVE-2026-25307 | WordPress XStore Core plugin < 5.7 - Cross Site Scripting (XSS) vulnerability | 19.02.2026 | |
| CVE-2026-25308 | WordPress Simple Membership plugin <= 4.6.9 - Broken Access Control vulnerability | 19.02.2026 | |
| CVE-2026-25310 | WordPress Extend Link plugin <= 2.0.0 - Server Side Request Forgery (SSRF) vulnerability | 19.02.2026 | |
| CVE-2026-25311 | WordPress Autoshare for Twitter plugin <= 2.3.1 - Broken Access Control vulnerability | 19.02.2026 | |
| CVE-2026-25313 | WordPress FluentForm plugin <= 6.1.14 - Broken Access Control vulnerability | 19.02.2026 | |
| CVE-2026-25314 | WordPress TOP Table Of Contents plugin <= 1.3.31 - Broken Access Control vulnerability | 19.02.2026 | |
| CVE-2026-25315 | WordPress hCaptcha for WP plugin <= 4.22.0 - Broken Access Control vulnerability | 19.02.2026 | |
| CVE-2026-25316 | WordPress CartFlows plugin <= 2.1.19 - PHP Object Injection vulnerability | 19.02.2026 | |
| CVE-2026-25318 | WordPress WiserReview Product Reviews for WooCommerce plugin <= 2.9 - Broken Access Control vulnerability | 19.02.2026 | |
| CVE-2026-25319 | WordPress Zita Elementor Site Library plugin <= 1.6.6 - Cross Site Request Forgery (CSRF) vulnerability | 19.02.2026 | |
| CVE-2026-25320 | WordPress Elementor Contact Form DB plugin <= 2.1.3 - Broken Access Control vulnerability | 19.02.2026 | |
| CVE-2026-25321 | WordPress SupportCandy plugin <= 3.4.4 - Broken Access Control vulnerability | 19.02.2026 | |
| CVE-2026-25322 | WordPress PublishPress Revisions plugin <= 3.7.22 - Cross Site Request Forgery (CSRF) vulnerability | 19.02.2026 | |
| CVE-2026-25323 | WordPress OSM plugin <= 6.1.12 - Broken Access Control vulnerability | 19.02.2026 | |
| CVE-2026-25324 | WordPress Quiz And Survey Master plugin <= 10.3.4 - Insecure Direct Object References (IDOR) vulnerability | 19.02.2026 | |
| CVE-2026-25325 | WordPress rtMedia for WordPress, BuddyPress and bbPress plugin <= 4.7.8 - Sensitive Data Exposure vulnerability | 19.02.2026 | |
| CVE-2026-25326 | WordPress CMSMasters Content Composer plugin <= 1.4.5 - Local File Inclusion vulnerability | 19.02.2026 | |
| CVE-2026-25329 | WordPress Quiz And Survey Master plugin <= 10.3.4 - Broken Access Control vulnerability | 19.02.2026 | |
| CVE-2026-25330 | WordPress PublishPress Authors plugin <= 4.10.1 - Broken Access Control vulnerability | 19.02.2026 | |
| CVE-2026-25331 | WordPress WP Activity Log plugin <= 5.5.4 - Cross Site Scripting (XSS) vulnerability | 19.02.2026 | |
| CVE-2026-25332 | WordPress Endless Posts Navigation plugin <= 2.2.9 - Broken Access Control vulnerability | 19.02.2026 | |
| CVE-2026-25333 | WordPress Shopwell theme <= 1.0.11 - Broken Access Control vulnerability | 19.02.2026 | |
| CVE-2026-25335 | WordPress Secure Copy Content Protection and Content Locking plugin <= 5.0.0 - Broken Access Control vulnerability | 19.02.2026 | |
| CVE-2026-25336 | WordPress Coachify theme <= 1.1.5 - Broken Access Control vulnerability | 19.02.2026 | |
| CVE-2026-25337 | WordPress Coachify theme <= 1.1.5 - Cross Site Request Forgery (CSRF) vulnerability | 19.02.2026 | |
| CVE-2026-25338 | WordPress AI ChatBot with ChatGPT and Content Generator by AYS plugin <= 2.7.4 - Broken Access Control vulnerability | 19.02.2026 | |
| CVE-2026-25343 | WordPress WP SMS plugin <= 7.1 - Cross Site Scripting (XSS) vulnerability | 19.02.2026 | |
| CVE-2026-25348 | WordPress Download Alt Text AI plugin <= 1.10.15 - Broken Access Control vulnerability | 19.02.2026 | |
| CVE-2026-25362 | WordPress FooGallery plugin <= 3.1.11 - Cross Site Scripting (XSS) vulnerability | 19.02.2026 | |
| CVE-2026-25363 | WordPress FooGallery plugin <= 3.1.11 - Broken Access Control vulnerability | 19.02.2026 | |
| CVE-2026-25364 | WordPress Client Invoicing by Sprout Invoices plugin <= 20.8.8 - Broken Access Control vulnerability | 19.02.2026 | |
| CVE-2026-25367 | WordPress CitiLights theme < 3.7.2 - Broken Access Control vulnerability | 19.02.2026 | |
| CVE-2026-25368 | WordPress Calculated Fields Form plugin <= 5.4.4.1 - Broken Access Control vulnerability | 19.02.2026 | |
| CVE-2026-25370 | WordPress WP Compress plugin <= 6.60.28 - Broken Access Control vulnerability | 19.02.2026 | |
| CVE-2026-25372 | WordPress Academy LMS plugin <= 3.5.3 - Broken Access Control vulnerability | 19.02.2026 | |
| CVE-2026-25374 | WordPress Spa and Salon theme <= 1.3.2 - Broken Access Control vulnerability | 19.02.2026 | |
| CVE-2026-25375 | WordPress Image Photo Gallery Final Tiles Grid plugin <= 3.6.10 - Broken Access Control vulnerability | 19.02.2026 | |
| CVE-2026-25378 | WordPress Nelio AB Testing plugin <= 8.2.4 - SQL Injection vulnerability | 19.02.2026 | |
| CVE-2026-25384 | WordPress WP-Lister Lite for eBay plugin <= 3.8.5 - Broken Access Control vulnerability | 19.02.2026 | |
| CVE-2026-25385 | WordPress URL Shortify plugin <= 1.12.3 - Server Side Request Forgery (SSRF) vulnerability | 19.02.2026 | |
| CVE-2026-25386 | WordPress Ally plugin <= 4.0.2 - Broken Access Control vulnerability | 19.02.2026 | |
| CVE-2026-25387 | WordPress Image Optimizer by Elementor plugin <= 1.7.1 - Broken Access Control vulnerability | 19.02.2026 | |
| CVE-2026-25388 | WordPress Ads Pro plugin <= 5.0 - Broken Access Control vulnerability | 19.02.2026 | |
| CVE-2026-25389 | WordPress EventPrime plugin <= 4.2.8.3 - Sensitive Data Exposure vulnerability | 19.02.2026 | |
| CVE-2026-25391 | WordPress WP Wand plugin <= 1.3.07 - Broken Access Control vulnerability | 19.02.2026 | |
| CVE-2026-25392 | WordPress Update URLs – Quick and Easy way to search old links and replace them with new links in WordPress plugin <= 1.4.0 - Open Redirection vulnerability | 19.02.2026 | |
| CVE-2026-25393 | WordPress Hello FSE theme <= 1.0.6 - Broken Access Control vulnerability | 19.02.2026 | |
| CVE-2026-25394 | WordPress Fitness FSE theme <= 1.0.6 - Broken Access Control vulnerability | 19.02.2026 | |
| CVE-2026-25395 | WordPress Business Roy theme <= 1.1.4 - Broken Access Control vulnerability | 19.02.2026 | |
| CVE-2026-25399 | WordPress Serious Slider plugin <= 1.2.7 - Broken Access Control vulnerability | 19.02.2026 | |
| CVE-2026-25402 | WordPress Knowledge Base for Documentation, FAQs with AI Assistance plugin <= 16.011.0 - Broken Access Control vulnerability | 19.02.2026 | |
| CVE-2026-25404 | WordPress WP Job Manager plugin <= 2.4.0 - Broken Access Control vulnerability | 19.02.2026 | |
| CVE-2026-25407 | WordPress Cookiebot plugin <= 4.6.4 - Broken Access Control vulnerability | 19.02.2026 | |
| CVE-2026-25408 | WordPress Broken Link Notifier plugin <= 1.3.5 - Broken Access Control vulnerability | 19.02.2026 | |
| CVE-2026-25409 | WordPress JAMstack Deployments plugin <= 1.1.1 - Broken Access Control vulnerability | 19.02.2026 | |
| CVE-2026-25410 | WordPress WP-CORS plugin <= 0.2.2 - Broken Access Control vulnerability | 19.02.2026 | |
| CVE-2026-25411 | WordPress Revision Manager TMC plugin <= 2.8.22 - Cross Site Request Forgery (CSRF) vulnerability | 19.02.2026 | |
| CVE-2026-25412 | WordPress Advanced iFrame plugin <= 2025.10 - Broken Access Control vulnerability | 19.02.2026 | |
| CVE-2026-25415 | WordPress WPBookit Pro plugin <= 1.6.18 - Broken Access Control vulnerability | 19.02.2026 | |
| CVE-2026-25416 | WordPress News Kit Elementor Addons plugin <= 1.4.2 - Broken Access Control vulnerability | 19.02.2026 | |
| CVE-2026-25418 | WordPress Bit Form plugin <= 2.21.10 - SQL Injection vulnerability | 19.02.2026 | |
| CVE-2026-25419 | WordPress UpsellWP plugin <= 2.2.3 - Broken Access Control vulnerability | 19.02.2026 | |
| CVE-2026-25420 | WordPress MailerLite plugin <= 1.7.18 - Broken Access Control vulnerability | 19.02.2026 | |
| CVE-2026-25422 | WordPress Popularis Extra plugin <= 1.2.10 - Cross Site Request Forgery (CSRF) vulnerability | 19.02.2026 | |
| CVE-2026-25423 | WordPress Real 3D FlipBook plugin <= 4.16.4 - Broken Access Control vulnerability | 19.02.2026 | |
| CVE-2026-25428 | WordPress TS Poll plugin <= 2.5.5 - Server Side Request Forgery (SSRF) vulnerability | 19.02.2026 | |
| CVE-2026-25432 | WordPress Omnipress plugin <= 1.6.7 - Cross Site Scripting (XSS) vulnerability | 19.02.2026 | |
| CVE-2026-25441 | WordPress LeadConnector plugin <= 3.0.21 - Broken Access Control vulnerability | 19.02.2026 | |
| CVE-2026-25451 | WordPress Bold Page Builder plugin <= 5.6.4 - Cross Site Scripting (XSS) vulnerability | 19.02.2026 | |
| CVE-2026-25453 | WordPress Advanced iFrame plugin <= 2025.10 - Cross Site Scripting (XSS) vulnerability | 19.02.2026 | |
| CVE-2026-25459 | WordPress Sober theme <= 3.5.12 - Broken Access Control vulnerability | 19.02.2026 | |
| CVE-2026-25463 | WordPress Wpresidence Core plugin <= 5.4.0 - Cross Site Scripting (XSS) vulnerability | 19.02.2026 | |
| CVE-2026-25472 | WordPress Fusion Builder plugin <= 3.14.3 - Cross Site Scripting (XSS) vulnerability | 19.02.2026 | |
| CVE-2026-25473 | WordPress WZone plugin <= 14.0.31 - Broken Access Control vulnerability | 19.02.2026 | |
| CVE-2026-26359 | | 19.02.2026 | 8.8 |
| CVE-2026-26360 | | 19.02.2026 | 8.1 |
| CVE-2026-27042 | WordPress NotificationX plugin <= 3.2.1 - Broken Access Control vulnerability | 19.02.2026 | |
| CVE-2026-27050 | WordPress RealPress plugin <= 1.1.0 - Cross Site Request Forgery (CSRF) vulnerability | 19.02.2026 | |
| CVE-2026-27052 | WordPress Sales Countdown Timer for WooCommerce and WordPress plugin <= 1.1.8.1 - Local File Inclusion vulnerability | 19.02.2026 | |
| CVE-2026-27055 | WordPress Penci AI SmartContent Creator plugin <= 2.0 - Broken Access Control vulnerability | 19.02.2026 | |
| CVE-2026-27057 | WordPress Penci Filter Everything plugin <= 1.7 - Cross Site Scripting (XSS) vulnerability | 19.02.2026 | |
| CVE-2026-27058 | WordPress Penci Podcast plugin <= 1.7 - Cross Site Scripting (XSS) vulnerability | 19.02.2026 | |
| CVE-2026-27059 | WordPress Penci Recipe plugin <= 4.1 - Cross Site Scripting (XSS) vulnerability | 19.02.2026 | |
| CVE-2026-27066 | WordPress Live sales notification for WooCommerce plugin <= 2.3.46 - Broken Access Control vulnerability | 19.02.2026 | |
| CVE-2026-27069 | WordPress Soledad theme <= 8.7.2 - Cross Site Scripting (XSS) vulnerability | 19.02.2026 | |
| CVE-2026-27074 | WordPress Shortcoder plugin <= 6.5.1 - Cross Site Scripting (XSS) vulnerability | 19.02.2026 | |
| CVE-2026-27090 | WordPress Kenta Companion plugin <= 1.3.3 - Cross Site Request Forgery (CSRF) vulnerability | 19.02.2026 | |
| CVE-2026-27092 | WordPress WPAdverts plugin <= 2.2.11 - Broken Access Control vulnerability | 19.02.2026 | |
| CVE-2026-27094 | WordPress CoBlocks plugin <= 3.1.16 - Cross Site Scripting (XSS) vulnerability | 19.02.2026 | |
| CVE-2026-2735 | Stored Cross-Site Scripting (XSS) vulnerability in Alkacon's OpenCms | 19.02.2026 | |
| CVE-2026-2736 | Reflected Cross-Site Scripting (XSS) vulnerability in Alkacon's OpenCms | 19.02.2026 | |
| CVE-2026-26361 | | 19.02.2026 | 6.5 |
| CVE-2026-26362 | | 19.02.2026 | 8.1 |
| CVE-2026-27056 | WordPress iThemes Sync plugin <= 3.2.8 - Broken Access Control vulnerability | 19.02.2026 | |
| CVE-2026-2733 | Org.keycloak/keycloak-services: keycloak: missing check on disabled client for docker registry protocol | 19.02.2026 | |
| CVE-2026-2711 | zhutoutoutousan worldquant-miner URL ssrf_proxy.py server-side request forgery | 19.02.2026 | |
| CVE-2026-1994 | s2Member <= 260127 - Unauthenticated Privilege Escalation via Account Takeover | 19.02.2026 | 9.8 |
| CVE-2026-2681 | Github.com/supranational/blst: blst cryptographic library: denial of service via out-of-bounds stack write in key generation | 19.02.2026 | |
| CVE-2026-2731 | Unauthenticated RCE in Dynamicweb 9 and Dynamicweb 8 | 19.02.2026 | |
| CVE-2026-2709 | busy Callback app.js redirect | 19.02.2026 | |
| CVE-2026-2706 | code-projects Patient Record Management System fecalysis_not.php sql injection | 19.02.2026 | |
| CVE-2026-2705 | Open Babel MOL2 File atom.h SetFormalCharge out-of-bounds | 19.02.2026 | |
| CVE-2025-12975 | CTX Feed – WooCommerce Product Feed Manager <= 6.6.11 - Missing Authorization to Authenticated (Shop Manager+) Arbitrary Plugin Installation | 19.02.2026 | 7.2 |
| CVE-2025-13091 | Shopire <= 1.0.57 - Missing Authorization to Authenticated (Subscriber+) Limited Plugin Install | 19.02.2026 | 4.3 |
| CVE-2025-13413 | Country Blocker for AdSense <= 1.0 - Cross-Site Request Forgery to Settings Update | 19.02.2026 | 4.3 |
| CVE-2025-13438 | Page Title, Description & Open Graph Updater <= 1.02 - Cross-Site Request Forgery to Arbitrary Page Title Modification | 19.02.2026 | 4.3 |
| CVE-2025-13563 | Lizza LMS Pro <= 1.0.3 - Unauthenticated Privilege Escalation | 19.02.2026 | 9.8 |
| CVE-2025-13587 | Two Factor (2FA) Authentication via Email <= 1.9.8 - Two-Factor Authentication Bypass via token | 19.02.2026 | 6.5 |
| CVE-2025-13603 | WP AUDIO GALLERY <= 2.0 - Authenticated (Subscriber+) Arbitrary File Read via .htaccess Manipulation | 19.02.2026 | 8.8 |
| CVE-2025-13612 | Album and Image Gallery Plus Lightbox <= 2.1.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Plugin's Shortcode | 19.02.2026 | 6.4 |
| CVE-2025-13617 | Apollo13 Framework Extension <= 1.9.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via `a13_alt_link` Parameter | 19.02.2026 | 6.4 |
| CVE-2025-13732 | s2Member <= 251005 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode | 19.02.2026 | 6.4 |
| CVE-2025-13738 | Easy Table of Contents <= 2.0.78 - Authenticated (Contributor+) Stored Cross-Site Scripting | 19.02.2026 | 6.4 |
| CVE-2025-13842 | Breadcrumb NavXT <= 7.5.0 - Missing Authorization to Sensitive Information Exposure | 19.02.2026 | 5.3 |
| CVE-2025-13851 | Buyent Theme (with Buyent Classified Plugin) <= 1.0.7 - Unauthenticated Privilege Escalation via User Registration | 19.02.2026 | 9.8 |
| CVE-2025-13864 | Breeze – WordPress Cache Plugin <= 2.2.21 - Missing Authorization to Cache Deletion | 19.02.2026 | 5.3 |
| CVE-2025-13930 | Checkout Field Manager (Checkout Manager) for WooCommerce <= 7.8.5 - Missing Authorization to Unauthenticated Arbitrary Attachment Deletion | 19.02.2026 | 5.3 |
| CVE-2025-14076 | iXML – Google XML sitemap generator <= 0.6 - Reflected Cross-Site Scripting via 'iXML_email' Parameter | 19.02.2026 | 6.1 |
| CVE-2025-14167 | Remove Post Type Slug <= 1.0.2 - Cross-Site Request Forgery to Settings Update | 19.02.2026 | 4.3 |
| CVE-2025-14270 | OneClick Chat to Order <= 1.0.9 - Missing Authorization to Authenticated (Editor+) Plugin Settings Update | 19.02.2026 | 2.7 |
| CVE-2025-14294 | Razorpay for WooCommerce <= 4.7.8 - Missing Authentication to Unauthenticated Order Modification | 19.02.2026 | 5.3 |
| CVE-2025-14342 | SEO Plugin by Squirrly SEO <= 12.4.14 - Missing Authorization to Authenticated (Subscriber+) Cloud Service Disconnection | 19.02.2026 | 4.3 |
| CVE-2025-14357 | Mega Store Woocommerce <= 5.9 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Page Creation and Settings Change | 19.02.2026 | 5.3 |
| CVE-2025-14427 | Shield Security: Blocks Bots, Protects Users, and Prevents Security Breaches <= 21.0.9 - Missing Authorization to Authenticated (Subscriber+) Email MFA Update | 19.02.2026 | 4.3 |
| CVE-2025-14445 | Image Hotspot by DevVN <= 1.2.9 - Authenticated (Author+) Stored Cross-Site Scripting via Custom Field Meta | 19.02.2026 | 6.4 |
| CVE-2025-14452 | WP Customer Reviews <= 3.7.5 - Reflected Cross-Site Scripting via 'wpcr3_fname' Parameter | 19.02.2026 | 7.2 |
| CVE-2025-14851 | YaMaps for WordPress <= 0.6.40 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Parameters | 19.02.2026 | 6.4 |
| CVE-2025-14864 | Virusdie <= 1.1.7 - Missing Authorization to Authenticated (Subscriber+) API Key Disclosure | 19.02.2026 | 4.3 |
| CVE-2025-14983 | Advanced Custom Fields: Font Awesome <= 5.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting | 19.02.2026 | 6.4 |
| CVE-2025-15041 | BackWPup <= 5.6.2 - Authenticated (BackWPup Helper+) Privilege Escalation via Arbitrary Options Update | 19.02.2026 | 7.2 |
| CVE-2025-4521 | IDonate 2.1.5 - 2.1.9 - Missing Authorization to Authenticated (Subscriber+) Account Takeover/Privilege Escalation via idonate_donor_profile Function | 19.02.2026 | 8.8 |
| CVE-2026-0549 | Groups <= 3.10.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'groups_group_info' Shortcode | 19.02.2026 | 6.4 |
| CVE-2026-0556 | XO Event Calendar <= 3.2.10 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'xo_event_field' shortcode | 19.02.2026 | 6.4 |
| CVE-2026-0561 | Shield Security <= 21.0.8 - Unauthenticated Reflected Cross-Site Scripting via 'message' Parameter | 19.02.2026 | 6.1 |
| CVE-2026-0722 | Shield Security <= 21.0.8 - Cross-Site Request Forgery to SQL Injection | 19.02.2026 | 6.5 |
| CVE-2026-0912 | Toret Manager <= 1.2.7 - Authenticated (Subscriber+) Arbitrary Options Update via AJAX actions | 19.02.2026 | 8.8 |
| CVE-2026-0926 | Prodigy Commerce <= 3.2.9 - Unauthenticated Local File Inclusion via parameters[template_name] | 19.02.2026 | 9.8 |
| CVE-2026-0974 | Orderable <= 1.20.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Installation | 19.02.2026 | 8.8 |
| CVE-2026-1043 | PostmarkApp Email Integrator <= 2.4 - Authenticated (Administrator+) Stored Cross-Site Scripting via Plugin Settings | 19.02.2026 | 4.4 |
| CVE-2026-1044 | Tennis Court Bookings <= 1.2.7 - Authenticated (Administrator+) Stored Cross-Site Scripting via Admin Settings and Calendar Parameters | 19.02.2026 | 4.4 |
| CVE-2026-1047 | salavat counter Plugin <= 0.9.5 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'image_url' Parameter | 19.02.2026 | 4.4 |
| CVE-2026-1055 | TalkJS <= 0.1.15 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'welcomeMessage' Parameter | 19.02.2026 | 4.4 |
| CVE-2026-1373 | Easy Author Image <= 1.7 - Authenticated (Subscriber+) Stored Cross-Site Scripting via Profile Picture URL | 19.02.2026 | 6.4 |
| CVE-2026-1405 | Slider Future <= 1.0.5 - Unauthenticated Arbitrary File Upload | 19.02.2026 | 9.8 |
| CVE-2026-1455 | Whatsiplus Scheduled Notification for Woocommerce <= 1.0.1 - Cross-Site Request Forgery to 'wsnfw_save_users_settings' AJAX Action | 19.02.2026 | 4.3 |
| CVE-2026-1646 | Advance Block Extend <= 1.0.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via TitleColor Block Attribute | 19.02.2026 | 6.4 |
| CVE-2026-2282 | Slidorion <= 1.0.2 - Authenticated (Administrator+) Stored Cross-Site Scripting via Slidorion Settings | 19.02.2026 | 4.4 |
| CVE-2026-2284 | News Element Elementor Blog Magazine <= 1.0.8 - Missing Authorization to Authenticated (Subscriber+) Data Loss | 19.02.2026 | 5.4 |
| CVE-2026-2502 | xmlrpc attacks blocker <= 1.0 - Unauthenticated Stored Cross-Site Scripting via 'X-Forwarded-For' | 19.02.2026 | 6.1 |
| CVE-2026-2504 | Dealia – Request a quote <= 1.0.6 - Missing Authorization to Authenticated (Contributor+) Plugin Configuration Reset | 19.02.2026 | 4.3 |
| CVE-2026-2704 | Open Babel CIF File transform3d.cpp DescribeAsString out-of-bounds | 19.02.2026 | |
| CVE-2025-11706 | Aruba HiSpeed Cache <= 3.0.2 - Reflected Cross-Site Scripting | 19.02.2026 | 6.1 |
| CVE-2025-11725 | Aruba HiSpeed Cache <= 3.0.2 - Missing Authorization to Unauthenticated Plugin's Settings Modification | 19.02.2026 | 6.5 |
| CVE-2025-11754 | Cookie Banner, Cookie Consent, Consent Log, Cookie Scanner, Script Blocker (for GDPR, CCPA & ePrivacy) : WP Cookie Consent <= 4.1.2 - Missing Authorization to Sensitive Information Exposure | 19.02.2026 | 7.5 |
| CVE-2025-12027 | Mesmerize Companion <= 1.6.158 - Missing Authorization Authenticated (Subscriber+) Settings Update | 19.02.2026 | 4.3 |
| CVE-2025-12081 | ACF Photo Gallery Field <= 3.0 - Missing Authorization to Authenticated (Subscriber+) Attachment Metadata Modification | 19.02.2026 | 4.3 |
| CVE-2025-12116 | Drift <= 1.5.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Post Title | 19.02.2026 | 6.4 |
| CVE-2025-12117 | Renden <= 1.8.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Post Title | 19.02.2026 | 6.4 |
| CVE-2025-12172 | Mailchimp List Subscribe Form <= 2.0.0 - Cross-Site Request Forgery to Mailchimp List Change | 19.02.2026 | 4.3 |
| CVE-2025-12375 | Printful Integration for WooCommerce <= 2.2.11 - Authenticated (Contributor+) Server-Side Request Forgery | 19.02.2026 | 6.4 |
| CVE-2025-12448 | Smartsupp – live chat, AI shopping assistant and chatbots <= 3.9.1 - Authenticated (Subscriber+) Stored Cross-Site Scripting | 19.02.2026 | 6.4 |
| CVE-2025-12451 | Easy SVG Support <= 4.0 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload | 19.02.2026 | 6.1 |
| CVE-2025-12500 | Checkout Field Manager (Checkout Manager) for WooCommerce <= 7.8.1 - Unauthenticated Limited File Upload | 19.02.2026 | 5.3 |
| CVE-2025-12707 | Library Management System <= 3.2.1 - Unauthenticated SQL Injection | 19.02.2026 | 7.5 |
| CVE-2025-12821 | NewsBlogger <= 0.2.5.6 - 0.2.6.1 - Cross-Site Request Forgery to Arbitrary Plugin Installation | 19.02.2026 | 8.8 |
| CVE-2025-12845 | Tablesome Table – Contact Form DB – WPForms, CF7, Gravity, Forminator, Fluent 0.5.4 - 1.2.1 - Missing Authorization to Authenticated (Subscriber+) Information Exposure and Privilege Escalation | 19.02.2026 | 8.8 |
| CVE-2025-12882 | Clasifico Listing <= 2.0 - Unauthenticated Privilege Escalation | 19.02.2026 | 9.8 |
| CVE-2025-12884 | Advanced Ads – Ad Manager & AdSense <= 2.0.14 - Missing Authorization to Authenticated (Subscriber+) Ad Placements Update | 19.02.2026 | 4.3 |
| CVE-2025-13048 | Official StatCounter Plugin <= 2.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Nickname | 19.02.2026 | 6.4 |
| CVE-2025-13079 | Popup Builder - Create highly converting, mobile friendly marketing popups. <= 4.4.2 - Improper Authorization to Unauthenticated Subscriber Removal via Predictable Tokens | 19.02.2026 | 5.3 |
| CVE-2025-13113 | Web Accessibility by accessiBe <= 2.11 - Unauthenticated Sensitive Information Exposure | 19.02.2026 | 5.3 |
| CVE-2025-15586 | | 19.02.2026 | |
| CVE-2026-2702 | Beetel 777VR1 WPA2 PSK hard-coded credentials | 19.02.2026 | |
| CVE-2026-2703 | xlnt-community xlnt Encrypted XLSX File base64.cpp decode_base64 off-by-one | 19.02.2026 | |
| CVE-2026-25229 | Gogs Authorization Bypass Allows Cross-Repository Label Modification | 19.02.2026 | |
| CVE-2026-25232 | Gogs has a Protected Branch Deletion Bypass in Web Interface | 19.02.2026 | |
| CVE-2026-25242 | Gogs allows unauthenticated file uploads | 19.02.2026 | |
| CVE-2026-25474 | OpenClaw has a Telegram webhook request forgery (missing `channels.telegram.webhookSecret`) → auth bypass | 19.02.2026 | 7.5 |
| CVE-2026-2693 | CoCoTeaNet CyreneAdmin System Info Endpoint getCount improper authorization | 19.02.2026 | |
| CVE-2025-4960 | macOS Local Privilege Escalation via Improper Authorization Handling in EPSON Printer Controller Installer | 19.02.2026 | 7.8 |
| CVE-2026-25120 | Gogs Allows Cross-Repository Comment Deletion via DeleteComment | 19.02.2026 | |
| CVE-2026-2691 | itsourcecode Event Management System manage_register.php sql injection | 19.02.2026 | |
| CVE-2026-2692 | CoCoTeaNet CyreneAdmin Image getAvatar path traversal | 19.02.2026 | |
| CVE-2026-24764 | OpenClaw has Remote Code Execution via System Prompt Injection in Slack Channel Descriptions | 19.02.2026 | 3.7 |
| CVE-2026-2690 | itsourcecode Event Management System Admin Login ajax.php sql injection | 19.02.2026 | |