| CVE-2026-58065 |
Apache Airflow Git provider: Git provider hook defaults to StrictHostKeyChecking=no, disabling SSH host-key verification |
13.07.2026 |
|
| CVE-2026-59245 |
Apache Airflow FAB provider: FAB auth manager: a DAG named "DAGs" hijacks the global all-DAGs permission (access_control privilege escalation via resource_name() collision) |
13.07.2026 |
|
| CVE-2026-61692 |
|
13.07.2026 |
|
| CVE-2026-60121 |
Vitec Flamingo 4.12.2 Unauthenticated OS Command Injection via ping.php |
13.07.2026 |
|
| CVE-2026-61498 |
Vitec Flamingo 4.12.2 Unauthenticated OS Command Injection via gen_graphs.php |
13.07.2026 |
|
| CVE-2026-6847 |
Unauthenticated Remote Code Execution in ThemisNETPanel |
13.07.2026 |
|
| CVE-2026-15559 |
CodeAstro Simple Online Leave Management System POST accept.php sql injection |
13.07.2026 |
|
| CVE-2026-15584 |
Redhatinsights/incluster-checks: incluster-checks: privileged host-chroot debug pods created in shared default namespace enable privilege escalation to node root |
13.07.2026 |
|
| CVE-2026-40467 |
Use after free in gawk |
13.07.2026 |
|
| CVE-2026-40468 |
Heap buffer overflow in gawk |
13.07.2026 |
|
| CVE-2026-40469 |
Heap buffer overflow in gawk |
13.07.2026 |
|
| CVE-2026-40553 |
Stack-based buffer overflow in gawk |
13.07.2026 |
|
| CVE-2026-12257 |
Remote code execution in Mura Software’s CMS |
13.07.2026 |
|
| CVE-2026-15558 |
CodeAstro Simple Online Leave Management System deletemp.php sql injection |
13.07.2026 |
|
| CVE-2026-62147 |
Tempo-operator: tempo operator: query rbac bypass |
13.07.2026 |
|
| CVE-2026-14934 |
Cross-Tenant Repository Takeover via Improper Access Control in BigQuery, Dataform and Colab Enterprise |
13.07.2026 |
|
| CVE-2026-4765 |
Stored Cross-Site Scripting (XSS) in Tallos Chat by RD Station Conversas |
13.07.2026 |
|
| CVE-2026-6541 |
Unscoped updates to other playbooks' metric configuration |
13.07.2026 |
4.3 |
| CVE-2026-9820 |
Mattermost schemes teams endpoint exposes private team invite IDs |
13.07.2026 |
3.8 |
| CVE-2026-9824 |
Remote cluster metadata enumeration via /share-channel autocomplete |
13.07.2026 |
4.3 |
| CVE-2026-13014 |
Remote Code Execution vulnerability in "Suspicious" application |
13.07.2026 |
|
| CVE-2026-14846 |
Incorrect neutralisation in the PrestaShop firmware |
13.07.2026 |
|
| CVE-2026-15548 |
Shibby Tomato DNS List Rendering httpd sub_407220 stack-based overflow |
13.07.2026 |
|
| CVE-2026-15557 |
waooAI waoowaoo Internal Task Header api-auth.ts requireProjectAuthLight improper authentication |
13.07.2026 |
|
| CVE-2026-22093 |
Adversary-in-the-Middle (AitM) attack vulnerability in EVbee Service app |
13.07.2026 |
|
| CVE-2026-22095 |
Command injection in diagnosis web endpoint |
13.07.2026 |
|
| CVE-2026-22096 |
Missing authentication for webserver endpoints |
13.07.2026 |
|
| CVE-2026-22097 |
Missing firmware validation allows remote code execution |
13.07.2026 |
|
| CVE-2026-22098 |
Sensitive information is written to logs |
13.07.2026 |
|
| CVE-2026-22099 |
Missing authentication for Bluetooth communication |
13.07.2026 |
|
| CVE-2026-22100 |
Comnand injection in OCPP ReserveLogin message |
13.07.2026 |
|
| CVE-2026-22102 |
Arbitrary file overwrite through certificate update functionality |
13.07.2026 |
|
| CVE-2026-22103 |
Command injection in NPC start web endpoint |
13.07.2026 |
|
| CVE-2026-41041 |
Apache Gravitino: URL path injection via unencoded user-supplied identifiers in MCP REST client f-string URL construction, enabling path traversal to unintended API endpoints. |
13.07.2026 |
|
| CVE-2026-49876 |
Apache Gravitino: Authenticated SSRF in Gravitino JobManager allows server-side HTTP requests to internal network and cloud metadata endpoints via unvalidated job template URIs |
13.07.2026 |
|
| CVE-2026-57363 |
WordPress ChatBot plugin <= 8.3.7 - Cross Site Scripting (XSS) vulnerability |
13.07.2026 |
7.1 |
| CVE-2026-57364 |
WordPress Better Payment – Instant Payments, Donations, Fundraising with Subscriptions & More plugin <= 2.2.0 - Other Vulnerability Type vulnerability |
13.07.2026 |
6.5 |
| CVE-2026-57365 |
WordPress reCAPTCHA (v2 & v3) for Asgaros Forum plugin <= 1.1.0 - Cross Site Scripting (XSS) vulnerability |
13.07.2026 |
6.5 |
| CVE-2026-57368 |
WordPress Jobmonster theme <= 4.8.5 - Reflected Cross Site Scripting (XSS) vulnerability |
13.07.2026 |
7.1 |
| CVE-2026-57369 |
WordPress Themify Builder plugin <= 7.7.4 - Cross Site Scripting (XSS) vulnerability |
13.07.2026 |
7.1 |
| CVE-2026-57371 |
WordPress WPJAM Basic plugin <= 7.0 - PHP Object Injection vulnerability |
13.07.2026 |
8.8 |
| CVE-2026-57372 |
WordPress WPJAM Basic plugin <= 7.0 - Server Side Request Forgery (SSRF) vulnerability |
13.07.2026 |
7.2 |
| CVE-2026-57375 |
WordPress MStore API plugin <= 4.18.4 - Broken Access Control vulnerability |
13.07.2026 |
6.5 |
| CVE-2026-57376 |
WordPress ElementInvader Addons for Elementor plugin <= 1.4.3 - Cross Site Scripting (XSS) vulnerability |
13.07.2026 |
7.1 |
| CVE-2026-57377 |
WordPress WowAddons plugin <= 1.6.8 - Broken Access Control vulnerability |
13.07.2026 |
6.5 |
| CVE-2026-57378 |
WordPress Advanced Forms plugin <= 1.9.3.7 - Broken Access Control vulnerability |
13.07.2026 |
7.5 |
| CVE-2026-57379 |
WordPress FormyChat plugin <= 2.15.3 - Cross Site Scripting (XSS) vulnerability |
13.07.2026 |
7.1 |
| CVE-2026-57380 |
WordPress Extensions for Leaflet Map plugin <= 5.1 - Cross Site Scripting (XSS) vulnerability |
13.07.2026 |
7.1 |
| CVE-2026-57381 |
WordPress PropertyHive plugin <= 2.2.3 - Cross Site Scripting (XSS) vulnerability |
13.07.2026 |
7.1 |
| CVE-2026-57382 |
WordPress Simple File List plugin <= 6.3.8 - Reflected Cross Site Scripting (XSS) vulnerability |
13.07.2026 |
7.1 |
| CVE-2026-57383 |
WordPress JobSearch plugin <= 3.2.9 - Cross Site Scripting (XSS) vulnerability |
13.07.2026 |
7.1 |
| CVE-2026-57385 |
WordPress Vitepos plugin <= 3.4.2 - SQL Injection vulnerability |
13.07.2026 |
8.5 |
| CVE-2026-57386 |
WordPress aBlocks plugin < 2.9.1 - Privilege Escalation vulnerability |
13.07.2026 |
8.8 |
| CVE-2026-57387 |
WordPress picu plugin <= 3.5.1 - Cross Site Scripting (XSS) vulnerability |
13.07.2026 |
7.1 |
| CVE-2026-57388 |
WordPress Hydra Booking plugin <= 1.1.44 - Cross Site Scripting (XSS) vulnerability |
13.07.2026 |
7.1 |
| CVE-2026-57389 |
WordPress Groundhogg plugin <= 4.4.1 - Arbitrary File Deletion vulnerability |
13.07.2026 |
8.6 |
| CVE-2026-57390 |
WordPress Extra Product Options Builder for WooCommerce plugin <= 1.2.167 - Broken Access Control vulnerability |
13.07.2026 |
6.5 |
| CVE-2026-57391 |
WordPress Loops & Logic plugin <= 4.2.3 - Cross Site Scripting (XSS) vulnerability |
13.07.2026 |
6.5 |
| CVE-2026-57392 |
WordPress Tourfic plugin <= 2.22.5 - Broken Access Control vulnerability |
13.07.2026 |
6.5 |
| CVE-2026-57393 |
WordPress WooCommerce PDF Invoice Builder plugin <= 2.0.8 - Sensitive Data Exposure vulnerability |
13.07.2026 |
6.5 |
| CVE-2026-57394 |
WordPress Newsletters plugin <= 4.14 - Cross Site Scripting (XSS) vulnerability |
13.07.2026 |
7.1 |
| CVE-2026-57395 |
WordPress Tourfic plugin <= 2.22.5 - Broken Access Control vulnerability |
13.07.2026 |
6.5 |
| CVE-2026-57396 |
WordPress Free Gifts for WooCommerce plugin <= 13.1.0 - Cross Site Scripting (XSS) vulnerability |
13.07.2026 |
7.1 |
| CVE-2026-57398 |
WordPress Real Estate Manager Pro plugin <= 12.8.3 - Cross Site Scripting (XSS) vulnerability |
13.07.2026 |
7.1 |
| CVE-2026-57399 |
WordPress Proxy & VPN Blocker plugin <= 3.5.8 - Cross Site Scripting (XSS) vulnerability |
13.07.2026 |
7.1 |
| CVE-2026-57400 |
WordPress Event Tickets Manager for WooCommerce plugin <= 1.5.5 - Broken Access Control vulnerability |
13.07.2026 |
6.5 |
| CVE-2026-57401 |
WordPress SureDash plugin <= 1.8.0 - Arbitrary File Deletion vulnerability |
13.07.2026 |
9.9 |
| CVE-2026-57402 |
WordPress Flexible Refund and Return Order for WooCommerce plugin <= 1.0.51 - Cross Site Scripting (XSS) vulnerability |
13.07.2026 |
6.5 |
| CVE-2026-57403 |
WordPress GD Security Headers plugin <= 1.8 - Cross Site Scripting (XSS) vulnerability |
13.07.2026 |
7.1 |
| CVE-2026-57404 |
WordPress Booking and Rental Manager plugin <= 2.6.9 - Broken Access Control vulnerability |
13.07.2026 |
6.5 |
| CVE-2026-57405 |
WordPress Open Shop theme <= 1.7.1 - Broken Access Control vulnerability |
13.07.2026 |
7.1 |
| CVE-2026-57406 |
WordPress FundEngine plugin <= 1.7.6 - Broken Access Control vulnerability |
13.07.2026 |
6.5 |
| CVE-2026-57407 |
WordPress PDF Generator for WordPress plugin <= 1.6.2 - Server Side Request Forgery (SSRF) vulnerability |
13.07.2026 |
7.2 |
| CVE-2026-57408 |
WordPress Peach Payments Gateway plugin <= 4.0.2 - Broken Access Control vulnerability |
13.07.2026 |
6.5 |
| CVE-2026-57409 |
WordPress Active Products Tables for WooCommerce plugin <= 1.1.0 - Cross Site Scripting (XSS) vulnerability |
13.07.2026 |
7.1 |
| CVE-2026-57410 |
WordPress MailerPress plugin <= 2.0.2 - Privilege Escalation vulnerability |
13.07.2026 |
8.8 |
| CVE-2026-57411 |
WordPress CF7 Views – Complete Entry Management for Contact Form 7 plugin <= 3.2.2 - Cross Site Scripting (XSS) vulnerability |
13.07.2026 |
7.1 |
| CVE-2026-57412 |
WordPress Gift Vouchers plugin <= 4.6.9 - Broken Access Control vulnerability |
13.07.2026 |
6.5 |
| CVE-2026-57413 |
WordPress Instant Image Generator plugin <= 2.1.4 - Server Side Request Forgery (SSRF) vulnerability |
13.07.2026 |
6.4 |
| CVE-2026-57414 |
WordPress ChatBot for eCommerce – WoowBot plugin <= 4.6.1 - Cross Site Scripting (XSS) vulnerability |
13.07.2026 |
6.5 |
| CVE-2026-57415 |
WordPress Gift Vouchers plugin <= 4.7.0 - Cross Site Scripting (XSS) vulnerability |
13.07.2026 |
7.1 |
| CVE-2026-57416 |
WordPress SiteGround Email Marketing plugin <= 1.7.5 - Cross Site Scripting (XSS) vulnerability |
13.07.2026 |
7.1 |
| CVE-2026-57417 |
WordPress Cart Lift plugin <= 3.1.57 - Cross Site Scripting (XSS) vulnerability |
13.07.2026 |
7.1 |
| CVE-2026-57418 |
WordPress Client Invoicing by Sprout Invoices plugin <= 20.8.13 - Broken Access Control vulnerability |
13.07.2026 |
6.5 |
| CVE-2026-57419 |
WordPress Stock Locations for WooCommerce plugin <= 3.1.8 - Broken Access Control vulnerability |
13.07.2026 |
6.5 |
| CVE-2026-57420 |
WordPress Author Box WP Lens plugin <= 2.1.5 - Cross Site Scripting (XSS) vulnerability |
13.07.2026 |
6.5 |
| CVE-2026-57421 |
WordPress CRM Perks Forms plugin <= 1.1.7 - Cross Site Scripting (XSS) vulnerability |
13.07.2026 |
7.1 |
| CVE-2026-57422 |
WordPress Bopo – WooCommerce Product Bundle Builder plugin <= 1.2.0 - Reflected Cross Site Scripting (XSS) vulnerability |
13.07.2026 |
7.1 |
| CVE-2026-57423 |
WordPress Message Filter for Contact Form 7 plugin <= 1.6.3.8 - Reflected Cross Site Scripting (XSS) vulnerability |
13.07.2026 |
7.1 |
| CVE-2026-57424 |
WordPress Razorpay Payment Links for WooCommerce plugin <= 2.1.4 - Broken Access Control vulnerability |
13.07.2026 |
6.5 |
| CVE-2026-57668 |
WordPress NEX-Forms plugin <= 9.2.2 - Cross Site Scripting (XSS) vulnerability |
13.07.2026 |
7.1 |
| CVE-2026-57691 |
WordPress Anti-Malware Security and Brute-Force Firewall plugin <= 4.23.89 - Cross Site Scripting (XSS) vulnerability |
13.07.2026 |
5.8 |
| CVE-2026-57693 |
WordPress Ad Inserter plugin <= 2.8.11 - Cross Site Scripting (XSS) vulnerability |
13.07.2026 |
6.5 |
| CVE-2026-57694 |
WordPress Tutor LMS plugin <= 3.9.13 - Insecure Direct Object References (IDOR) vulnerability |
13.07.2026 |
6.5 |
| CVE-2026-57695 |
WordPress Document Gallery plugin <= 5.1.0 - Cross Site Scripting (XSS) vulnerability |
13.07.2026 |
7.1 |
| CVE-2026-57697 |
WordPress ProfileGrid plugin <= 5.9.9.6 - Broken Authentication vulnerability |
13.07.2026 |
7.5 |
| CVE-2026-57698 |
WordPress Abandoned Cart Recovery for WooCommerce plugin <= 1.1.12 - Broken Authentication vulnerability |
13.07.2026 |
6.5 |
| CVE-2026-57702 |
WordPress Amelia plugin <= 2.4.2 - SQL Injection vulnerability |
13.07.2026 |
9.3 |
| CVE-2026-57705 |
WordPress Event Tickets plugin <= 5.28.5 - Broken Access Control vulnerability |
13.07.2026 |
7.5 |
| CVE-2026-57706 |
WordPress Dokan plugin <= 5.0.6 - Cross Site Scripting (XSS) vulnerability |
13.07.2026 |
7.1 |
| CVE-2026-57707 |
WordPress Simple Business Directory Pro plugin <= 15.9.4 - SQL Injection vulnerability |
13.07.2026 |
9.3 |
| CVE-2026-57708 |
WordPress Contact Form Entries plugin <= 1.5.2 - Cross Site Scripting (XSS) vulnerability |
13.07.2026 |
7.1 |
| CVE-2026-57709 |
WordPress Membership For WooCommerce plugin <= 3.1.0 - Arbitrary File Deletion vulnerability |
13.07.2026 |
8.6 |
| CVE-2026-57710 |
WordPress WoowBot Pro Max plugin <= 14.1.7 - Arbitrary File Upload vulnerability |
13.07.2026 |
9.9 |
| CVE-2026-57711 |
WordPress SupportCandy plugin <= 3.4.8 - Cross Site Scripting (XSS) vulnerability |
13.07.2026 |
6.5 |
| CVE-2026-57712 |
WordPress WPZOOM Portfolio plugin <= 1.4.29 - Cross Site Scripting (XSS) vulnerability |
13.07.2026 |
7.1 |
| CVE-2026-57713 |
WordPress Events Manager plugin <= 7.3.6 - PHP Object Injection vulnerability |
13.07.2026 |
8.8 |
| CVE-2026-57714 |
WordPress LatePoint plugin <= 5.6.3 - SQL Injection vulnerability |
13.07.2026 |
9.3 |
| CVE-2026-57715 |
WordPress Fluent CRM plugin <= 3.1.7 - Cross Site Scripting (XSS) vulnerability |
13.07.2026 |
7.1 |
| CVE-2026-57718 |
WordPress Unlimited Elements For Elementor (Free Widgets, Addons, Templates) plugin <= 2.0.12 - Cross Site Scripting (XSS) vulnerability |
13.07.2026 |
7.1 |
| CVE-2026-57719 |
WordPress Aimogen Pro plugin <= 2.8.3 - Arbitrary File Upload vulnerability |
13.07.2026 |
10 |
| CVE-2026-57724 |
WordPress Kirki plugin <= 6.0.12 - PHP Object Injection vulnerability |
13.07.2026 |
9.8 |
| CVE-2026-57725 |
WordPress Kirki plugin <= 6.0.11 - Cross Site Scripting (XSS) vulnerability |
13.07.2026 |
7.1 |
| CVE-2026-57726 |
WordPress Kirki plugin <= 6.0.12 - SQL Injection vulnerability |
13.07.2026 |
9.3 |
| CVE-2026-57727 |
WordPress Kirki plugin <= 6.0.13 - Broken Access Control vulnerability |
13.07.2026 |
7.5 |
| CVE-2026-57728 |
WordPress Flatsome theme <= 3.20.5 - Reflected Cross Site Scripting (XSS) vulnerability |
13.07.2026 |
7.1 |
| CVE-2026-57729 |
WordPress Flatsome theme <= 3.20.5 - Broken Access Control vulnerability |
13.07.2026 |
7.5 |
| CVE-2026-57732 |
WordPress tagDiv Opt-In Builder plugin <= 1.7.4 - Cross Site Scripting (XSS) vulnerability |
13.07.2026 |
7.1 |
| CVE-2026-57733 |
WordPress tagDiv Cloud Library plugin <= 3.9.4 - Cross Site Scripting (XSS) vulnerability |
13.07.2026 |
7.1 |
| CVE-2026-57734 |
WordPress tagDiv Composer plugin <= 5.4.3 - Reflected Cross Site Scripting (XSS) vulnerability |
13.07.2026 |
7.1 |
| CVE-2026-57738 |
WordPress 777 theme <= 1.13.0 - PHP Object Injection vulnerability |
13.07.2026 |
9.8 |
| CVE-2026-57739 |
WordPress AcyMailing SMTP Newsletter plugin <= 10.11.0 - SQL Injection vulnerability |
13.07.2026 |
9.3 |
| CVE-2026-57740 |
WordPress AcyMailing SMTP Newsletter plugin <= 10.11.1 - Broken Access Control vulnerability |
13.07.2026 |
7.1 |
| CVE-2026-57741 |
WordPress AcyMailing SMTP Newsletter plugin <= 10.11.0 - Cross Site Scripting (XSS) vulnerability |
13.07.2026 |
7.1 |
| CVE-2026-57743 |
WordPress RT-Theme 18 | Extensions plugin <= 2.5 - Local File Inclusion vulnerability |
13.07.2026 |
8.1 |
| CVE-2026-57744 |
WordPress RT-Theme 18 | Extensions plugin <= 2.5 - PHP Object Injection vulnerability |
13.07.2026 |
9.8 |
| CVE-2026-57745 |
WordPress RT-Theme 18 | Extensions plugin <= 2.5 - Reflected Cross Site Scripting (XSS) vulnerability |
13.07.2026 |
7.1 |
| CVE-2026-57768 |
WordPress Houzez Login Register plugin <= 3.3.3 - Privilege Escalation vulnerability |
13.07.2026 |
8.2 |
| CVE-2026-57770 |
WordPress Grand Photography theme <= 5.7.8 - PHP Object Injection vulnerability |
13.07.2026 |
9.8 |
| CVE-2026-57771 |
WordPress GD Rating System plugin <= 3.7 - SQL Injection vulnerability |
13.07.2026 |
8.5 |
| CVE-2026-57772 |
WordPress WP Inventory Manager plugin <= 2.4.0 - SQL Injection vulnerability |
13.07.2026 |
8.5 |
| CVE-2026-57773 |
WordPress Advanced Shipment Tracking for WooCommerce plugin <= 4.0 - SQL Injection vulnerability |
13.07.2026 |
7.6 |
| CVE-2026-57774 |
WordPress VW Food Corner theme <= 1.1.0 - Broken Access Control vulnerability |
13.07.2026 |
5.3 |
| CVE-2026-57776 |
WordPress VW Wedding theme <= 1.3.7 - Broken Access Control vulnerability |
13.07.2026 |
5.3 |
| CVE-2026-57778 |
WordPress Booking calendar, Appointment Booking System plugin <= 3.2.36 - Broken Access Control vulnerability |
13.07.2026 |
5.3 |
| CVE-2026-57779 |
WordPress Fascinate theme <= 1.1.5 - Broken Access Control vulnerability |
13.07.2026 |
5.3 |
| CVE-2026-57780 |
WordPress Envision Page Builder plugin <= 0.22 - Cross Site Scripting (XSS) vulnerability |
13.07.2026 |
6.5 |
| CVE-2026-57781 |
WordPress MeetingHub plugin <= 1.25.10 - Broken Access Control vulnerability |
13.07.2026 |
5.3 |
| CVE-2026-57782 |
WordPress Universal Clocks plugin <= 1.2.0 - Broken Access Control vulnerability |
13.07.2026 |
5.3 |
| CVE-2026-57783 |
WordPress Speaker plugin <= 4.1.13 - Cross Site Scripting (XSS) vulnerability |
13.07.2026 |
6.5 |
| CVE-2026-57786 |
WordPress WorkScout-Core plugin <= 1.7.08 - Cross Site Request Forgery (CSRF) to Broken Authentication vulnerability |
13.07.2026 |
8.8 |
| CVE-2026-57787 |
WordPress CWS SVGicons plugin <= 1.5.5 - SQL Injection vulnerability |
13.07.2026 |
8.5 |
| CVE-2026-57788 |
WordPress Aalto theme <= 1.8 - Local File Inclusion vulnerability |
13.07.2026 |
7.5 |
| CVE-2026-57789 |
WordPress Aqua theme <= 5.1.2 - Local File Inclusion vulnerability |
13.07.2026 |
7.5 |
| CVE-2026-57790 |
WordPress Billey theme <= 2.1.8 - Local File Inclusion vulnerability |
13.07.2026 |
7.5 |
| CVE-2026-57791 |
WordPress Brook theme <= 2.9.0 - Local File Inclusion vulnerability |
13.07.2026 |
7.5 |
| CVE-2026-57792 |
WordPress Dør theme <= 2.4.1 - Local File Inclusion vulnerability |
13.07.2026 |
7.5 |
| CVE-2026-57793 |
WordPress Flow theme <= 1.8 - Local File Inclusion vulnerability |
13.07.2026 |
7.5 |
| CVE-2026-57794 |
WordPress Golo Framework plugin <= 1.7.3 - Local File Inclusion vulnerability |
13.07.2026 |
7.5 |
| CVE-2026-57795 |
WordPress Kitchor theme <= 1.4.3 - Local File Inclusion vulnerability |
13.07.2026 |
7.5 |
| CVE-2026-57796 |
WordPress Leedo theme <= 3.0.0 - Local File Inclusion vulnerability |
13.07.2026 |
7.5 |
| CVE-2026-57797 |
WordPress EduMall theme <= 4.5.1 - Broken Access Control vulnerability |
13.07.2026 |
4.3 |
| CVE-2026-57798 |
WordPress NewsPlus Shortcodes plugin <= 4.2.0 - Local File Inclusion vulnerability |
13.07.2026 |
7.5 |
| CVE-2026-57799 |
WordPress Nuss theme <= 1.3.6 - Local File Inclusion vulnerability |
13.07.2026 |
7.5 |
| CVE-2026-57800 |
WordPress Overworld theme <= 1.5 - Local File Inclusion vulnerability |
13.07.2026 |
7.5 |
| CVE-2026-57801 |
WordPress SetSail theme <= 2.1 - Local File Inclusion vulnerability |
13.07.2026 |
7.5 |
| CVE-2026-57802 |
WordPress Struktur theme <= 2.5.1 - Local File Inclusion vulnerability |
13.07.2026 |
7.5 |
| CVE-2026-57803 |
WordPress Struktur Core plugin <= 2.5.1 - Local File Inclusion vulnerability |
13.07.2026 |
7.5 |
| CVE-2026-57804 |
WordPress TheGem theme Elements (for Elementor) plugin <= 5.11.1 - Local File Inclusion vulnerability |
13.07.2026 |
7.5 |
| CVE-2026-57805 |
WordPress Tonda theme <= 2.5 - Local File Inclusion vulnerability |
13.07.2026 |
7.5 |
| CVE-2026-57810 |
WordPress APIExperts Square for WooCommerce plugin <= 4.7.4 - SQL Injection vulnerability |
13.07.2026 |
8.5 |
| CVE-2026-57811 |
WordPress Realtyna Organic IDX plugin plugin <= 5.2.0 - Remote Code Execution (RCE) vulnerability |
13.07.2026 |
10 |
| CVE-2026-57812 |
WordPress Simply Schedule Appointments plugin <= 1.6.12.4 - Broken Access Control vulnerability |
13.07.2026 |
6.5 |
| CVE-2026-57813 |
WordPress MailOptin plugin <= 1.2.77.3 - Privilege Escalation vulnerability |
13.07.2026 |
9.8 |
| CVE-2026-57814 |
WordPress Forminator plugin <= 1.55.0.1 - Cross Site Scripting (XSS) vulnerability |
13.07.2026 |
7.1 |
| CVE-2026-57815 |
WordPress Forminator plugin <= 1.55.0.2 - Arbitrary File Download vulnerability |
13.07.2026 |
7.5 |
| CVE-2026-57816 |
WordPress Funnel Builder by FunnelKit plugin <= 3.15.0.8 - Cross Site Scripting (XSS) vulnerability |
13.07.2026 |
7.1 |
| CVE-2026-59515 |
WordPress AIWU plugin <= 1.5.4 - SQL Injection vulnerability |
13.07.2026 |
9.3 |
| CVE-2026-59516 |
WordPress ICS Calendar plugin <= 12.1.1 - Cross Site Scripting (XSS) vulnerability |
13.07.2026 |
7.1 |
| CVE-2026-59518 |
WordPress Directorist plugin <= 8.8.2 - PHP Object Injection vulnerability |
13.07.2026 |
9.8 |
| CVE-2026-59521 |
WordPress Real Testimonials plugin <= 3.1.15 - PHP Object Injection vulnerability |
13.07.2026 |
7.2 |
| CVE-2026-59523 |
WordPress Simply Schedule Appointments plugin <= 1.6.11.11 - Broken Access Control vulnerability |
13.07.2026 |
6.5 |
| CVE-2026-61952 |
WordPress WooCommerce Bulk Edit Products – WP Sheet Editor plugin <= 1.8.21 - Broken Access Control vulnerability |
13.07.2026 |
4.9 |
| CVE-2026-61955 |
WordPress گرویتی فرم فارسی plugin <= 3.0.2 - SQL Injection vulnerability |
13.07.2026 |
7.6 |
| CVE-2026-61956 |
WordPress ووسلام – همگام سازی ووکامرس و باسلام plugin <= 1.9.1 - Cross Site Request Forgery (CSRF) vulnerability |
13.07.2026 |
7.1 |
| CVE-2026-61958 |
WordPress License Manager for WooCommerce plugin <= 3.0.17 - Arbitrary Content Deletion vulnerability |
13.07.2026 |
5.4 |
| CVE-2026-61968 |
WordPress myCred plugin <= 3.1.2 - Broken Access Control vulnerability |
13.07.2026 |
5.4 |
| CVE-2026-61970 |
WordPress Auto Featured Image (Auto Post Thumbnail) plugin <= 5.0.4 - Server Side Request Forgery (SSRF) vulnerability |
13.07.2026 |
4.9 |
| CVE-2026-61971 |
WordPress User Profile Picture plugin <= 2.6.3 - Insecure Direct Object References (IDOR) vulnerability |
13.07.2026 |
2.7 |
| CVE-2026-61975 |
WordPress JetReviews plugin <= 3.0.1 - Sensitive Data Exposure vulnerability |
13.07.2026 |
5.3 |
| CVE-2026-61976 |
WordPress JetBlocks For Elementor plugin <= 1.5.0 - Sensitive Data Exposure vulnerability |
13.07.2026 |
5.3 |
| CVE-2026-61977 |
WordPress JetSearch plugin <= 3.6.1.2 - Sensitive Data Exposure vulnerability |
13.07.2026 |
5.3 |
| CVE-2026-61983 |
WordPress Church Admin plugin <= 5.0.30 - Broken Access Control vulnerability |
13.07.2026 |
5.3 |
| CVE-2026-61985 |
WordPress Car Rental Manager plugin <= 1.3.7 - Broken Access Control vulnerability |
13.07.2026 |
5.3 |
| CVE-2026-10085 |
Ordinary group/direct message member can enable group_constrained and remove all channel participants |
13.07.2026 |
5.4 |
| CVE-2026-10103 |
Authenticated remote cluster can modify or delete posts it does not own in Mattermost Connected Workspaces shared channels |
13.07.2026 |
4.3 |
| CVE-2026-10106 |
Unauthorized users can trigger interactive post actions in private channels via action cookie channel mismatch in Mattermost |
13.07.2026 |
6.5 |
| CVE-2026-14453 |
A user with low privileges can inject SSTI templates that can lead to RCE in open-tickets |
13.07.2026 |
9.6 |
| CVE-2026-15545 |
Shibby Tomato apcupsd tomatodata.cgi main out-of-bounds write |
13.07.2026 |
|
| CVE-2026-15546 |
Shibby Tomato start_jffs2 sub_2D568 os command injection |
13.07.2026 |
|
| CVE-2026-15547 |
Shibby Tomato CIFS Mount sub_2D048 os command injection |
13.07.2026 |
|
| CVE-2026-15574 |
Vllm-orchestrator-gateway: vllm-orchestrator-gateway: authorization header and full chat payloads logged at hard-coded debug default |
13.07.2026 |
|
| CVE-2026-62143 |
Server-Side Request Forgery protection bypass in misp-modules html_to_markdown via IPv4-mapped IPv6 addresses |
13.07.2026 |
|
| CVE-2026-6850 |
Crafted message attachment causes client-side denial of service via markdown parser regex backtracking in Mattermost |
13.07.2026 |
6.5 |
| CVE-2026-9571 |
Deactivated user accounts can continue to obtain valid OAuth access tokens via refresh token grant in Mattermost |
13.07.2026 |
5.9 |
| CVE-2026-9597 |
Deactivated guest accounts can authenticate via magic-link token in Mattermost REST API login endpoint |
13.07.2026 |
5.4 |
| CVE-2026-9708 |
Incoming webhook user attribution via unvalidated webhook owner |
13.07.2026 |
4.9 |
| CVE-2026-14165 |
Authorization Bypass Through User-Controlled Key vulnerability affecting Tuleap Enterprise Edition from 17.0 through 17.5 |
13.07.2026 |
7.5 |
| CVE-2026-15540 |
SourceCodester Online Book Store System Administrative index.php php file inclusion |
13.07.2026 |
|
| CVE-2026-15541 |
will-moss Isaiah Master Websocket server.go Server.Handle authorization |
13.07.2026 |
|
| CVE-2026-15542 |
will-moss Isaiah Websocket Connection Authentication main.go improper authentication |
13.07.2026 |
|
| CVE-2026-15543 |
Tenda CH22 CertListInfo formCertListInfo buffer overflow |
13.07.2026 |
|
| CVE-2026-15544 |
Shibby Tomato apcupsd tomatodata.cgi getupsvar stack-based overflow |
13.07.2026 |
|
| CVE-2026-4769 |
Unauthenticated Access to Internal Diagnostic Interface |
13.07.2026 |
|
| CVE-2026-57829 |
Joomla Extension - joomshaper.com - Unauthenticated stored XSS in Helix Ultimate < 2.2.7 |
13.07.2026 |
|
| CVE-2026-57830 |
Joomla Extension - joomshaper.com - Unauthenticated arbitrary file deletion < 2.2.7 |
13.07.2026 |
|
| CVE-2026-10551 |
Breeze Cache < 2.5.6 - Unauthenticated Stored XSS via Minify Library |
13.07.2026 |
|
| CVE-2026-11963 |
User Registration & Membership < 5.2.2 - Subscriber+ Cross-User Role and Membership Tier Modification via IDOR |
13.07.2026 |
|
| CVE-2026-11964 |
User Registration & Membership < 5.2.2 - Unauthenticated PayPal Webhook Signature Verification Bypass Leading to Membership Activation |
13.07.2026 |
|
| CVE-2026-12081 |
Database for Contact Form 7, WPforms, Elementor forms < 1.5.2 - Unauthenticated PHP Object Injection via Entry File Field |
13.07.2026 |
|
| CVE-2026-12271 |
Tutor LMS < 3.9.13 - Subscriber+ Arbitrary Quiz Attempt Modification via IDOR |
13.07.2026 |
|
| CVE-2026-12273 |
Tutor LMS < 3.9.13 - Subscriber+ Arbitrary Auto-Approved Comment Creation |
13.07.2026 |
|
| CVE-2026-12274 |
Tutor LMS < 3.9.13 - Instructor+ Arbitrary Post Overwrite via IDOR |
13.07.2026 |
|
| CVE-2026-12275 |
Tutor LMS < 3.9.13 - Subscriber+ Unauthorized Course Enrollment and Private Course Content Disclosure via Droip/Kirki Integration |
13.07.2026 |
|
| CVE-2026-12396 |
WP Job Portal < 2.5.5 - Subscriber+ Arbitrary Job Approval, Featuring and Rejection |
13.07.2026 |
|
| CVE-2026-12397 |
WP Job Portal < 2.5.5 - Subscriber+ Employer Email Disclosure via IDOR |
13.07.2026 |
|
| CVE-2026-12582 |
Library Management System < 3.5.8 - Unauthenticated SQL Injection via book_id |
13.07.2026 |
|
| CVE-2026-15536 |
itsourcecode Hospital Management System patviewprescription.php sql injection |
13.07.2026 |
|
| CVE-2026-15537 |
SourceCodester Online Book Store System login.php sql injection |
13.07.2026 |
|
| CVE-2026-15538 |
primefaces primereact API ObjectUtils.mutateFieldData prototype pollution |
13.07.2026 |
|
| CVE-2026-15539 |
SourceCodester Online Book Store System Book Image Upload Feature index.php books unrestricted upload |
13.07.2026 |
|
| CVE-2026-15530 |
WuzhiCMS Attachment API index.php listimage information disclosure |
13.07.2026 |
|
| CVE-2026-15531 |
yashbhalgat HashNeRF-pytorch Checkpoint File run_nerf.py torch.load deserialization |
13.07.2026 |
|
| CVE-2026-15532 |
SourceCodester Online Book Store System User Management cross site scripting |
13.07.2026 |
|
| CVE-2026-15533 |
DedeCMS Column Management search.php code injection |
13.07.2026 |
|
| CVE-2026-15535 |
AkariAsai self-rag retrieval_lm index.py Indexer.deserialize_from deserialization |
13.07.2026 |
|
| CVE-2026-15526 |
augmnt augments-mcp-server scan_project_deps scan-project-deps.ts scanProjectDeps path traversal |
13.07.2026 |
|
| CVE-2026-15527 |
better-auth better-icons scan_project_icons/sync_icon path traversal |
13.07.2026 |
|
| CVE-2026-15528 |
lamaalrajih kicad-mcp path_validator.py protection mechanism |
13.07.2026 |
|
| CVE-2026-15529 |
yzhao062 pyod persistence.py pyod.utils.persistence.load deserialization |
13.07.2026 |
|
| CVE-2026-15552 |
Ragic|Enterprise Cloud Database - Stored Cross-Site Scripting |
13.07.2026 |
|
| CVE-2026-15553 |
Ragic|Enterprise Cloud Database - Arbitrary File Upload |
13.07.2026 |
|
| CVE-2026-7162 |
|
13.07.2026 |
7.8 |
| CVE-2026-9492 |
GIGABYTE|Gigabyte Control Center - Improper Access Control |
13.07.2026 |
|
| CVE-2026-15522 |
tugcantopaloglu godot-mcp run_project index.js validatePath path traversal |
13.07.2026 |
|
| CVE-2026-15523 |
CodeAstro Simple Online Leave Management System dashboard.php sql injection |
13.07.2026 |
|
| CVE-2026-15524 |
alioshr memory-bank-mcp list-project-files-validation-factory.ts path traversal |
13.07.2026 |
|
| CVE-2026-15525 |
kLOsk adloop write.py _validate_urls server-side request forgery |
13.07.2026 |
|
| CVE-2026-15519 |
usestrix PyPI system_prompt.jinja inclusion of functionality from untrusted control sphere |
13.07.2026 |
|
| CVE-2026-15520 |
GNU LibreDWG R2004 Section Decompression decode.c decompress_R2004_section heap-based overflow |
13.07.2026 |
|
| CVE-2026-15521 |
makafeli n8n-workflow-builder update_node_from_file server.cjs path traversal |
13.07.2026 |
|
| CVE-2026-15517 |
Jinher OA PlanGiveOut.aspx sql injection |
13.07.2026 |
|
| CVE-2026-15518 |
AREA 17 Twill CMS Media Library Insert FileLibraryController.php storeFile unrestricted upload |
13.07.2026 |
|
| CVE-2026-15515 |
Tencent PC Manager QMUDisk Driver qmudisk64.sys uncontrolled search path |
13.07.2026 |
|
| CVE-2026-15516 |
MacCMS Pro Installation Index.php step5 authorization |
13.07.2026 |
|
| CVE-2026-15551 |
Samsung rlottie: Numeric truncation in gray_hline() leads to heap-based buffer overflow when rendering a crafted Lottie animation at native canvas size |
13.07.2026 |
5.5 |
| CVE-2026-15514 |
Metasoft 美特软件 MetaCRM PHPRPC Remote Call rpc.jsp RPCService.query sql injection |
12.07.2026 |
|
| CVE-2026-15512 |
pig-mesh Pig pig-codegen GeneratorServiceImpl.java code injection |
12.07.2026 |
|
| CVE-2026-15513 |
Wavlink WL-NU516U1 adm.cgi wlink_uci_set_value os command injection |
13.07.2026 |
|
| CVE-2026-15511 |
Comfast CF-WR631AX V3 FastCGI Backend webmgnt system_wl_upload_pic_file os command injection |
12.07.2026 |
|
| CVE-2026-15510 |
Leantime API saveSetting improper authorization |
12.07.2026 |
|
| CVE-2026-15509 |
Leantime JSON-RPC Endpoint addUser improper authorization |
12.07.2026 |
|