CVE Field Guide

Critical CVEs

CVE Title Updated Score
CVE-2026-56104 Chainlit < 2.10.1 Session Hijacking via WebSocket Session Restoration 22.06.2026 9.1
CVE-2026-7664 Unauthenticated Flow Execution via Webhook Endpoint in Langflow OSS 22.06.2026 9.8
CVE-2026-10561 Unauthenticated Remote Code Execution in Langflow OSS PythonREPLComponent via Builtins Injection 22.06.2026 10
CVE-2026-28381 Local File Read/Write to Potential Privilege Escalation via Snowflake GET/PUT 22.06.2026 9.6
CVE-2026-56423 MISP Core: Broken access control allows instance-wide unauthorized deletion of event reports and sharing groups via bulk deletion endpoints 22.06.2026 9.4
CVE-2026-56425 MISP AAD authentication plugin - Improper OAuth State Handling, Missing Session Rotation, Insecure Redirect URI Validation, and Log Injection 22.06.2026 9.3
CVE-2026-56447 MISP remote code execution via arbitrary rdkafka configuration path 22.06.2026 9.3
CVE-2026-7165 Multiple vulnerabilities in the Assassin game by Gaudire 22.06.2026 9.4
CVE-2026-7166 Multiple vulnerabilities in the Assassin game by Gaudire 22.06.2026 9.2
CVE-2026-56422 MISP Core: Mass Assignment and Object Re-ownership via Unvalidated Request Fields 22.06.2026 9.4
CVE-2026-11746 22.06.2026 9.4
CVE-2026-56265 Crawl4AI - Authentication Bypass via Hardcoded JWT Signing Key 22.06.2026 9.3
CVE-2026-56395 SiYuan - Remote Code Execution via Malicious Bazaar Package Metadata and README 22.06.2026 9.4
CVE-2026-56397 SiYuan - Remote Code Execution via Malicious Bazaar Package Metadata and README 21.06.2026 9.4
CVE-2026-56345 AVideo - Arbitrary User Session Hijacking via Meet Plugin uploadRecordedVideo Endpoint 20.06.2026 9.2
CVE-2026-5366 Git Argument Injection in prefecthq/prefect 20.06.2026 9.9
CVE-2024-58351 Flowise - Remote Code Execution via overrideConfig Parameter 20.06.2026 9.3
CVE-2019-25763 WordPress Ultimate Addons for Beaver Builder 1.2.4.1 Authentication Bypass 22.06.2026 9.3
CVE-2022-50972 WooCommerce 7.1.0 Remote Code Execution via class-wc-meta-box-product-images.php 22.06.2026 9.3
CVE-2026-48908 Joomla Extension - joomshaper.com - Remote Code Execution in SP Pagebuilder extension for Joomla < 6.6.2 21.06.2026 10
CVE-2026-48909 Joomla Extension - joomshaper.com - PHP Object injection in SP LMS extension for Joomla < 4.1.4 20.06.2026 9.5
CVE-2026-48939 Joomla Extension - icagenda.com - Remote Code Execution in iCaganda extension for Joomla < 4.0.8/3.9.15 22.06.2026 10
CVE-2026-11551 Branda – White Label & Branding, Free Login Page Customizer <= 3.4.29 - Unauthenticated Privilege Escalation via Account Takeover 19.06.2026 9.8
CVE-2026-56073 Cap-go - OTP Bypass via Response Manipulation in Email Verification 22.06.2026 9.3
CVE-2026-56081 Cap-go - Account Lockout via 2FA Misconfiguration on Unverified Email 19.06.2026 9.3
CVE-2026-45480 Azure Active Directory Elevation of Privilege Vulnerability 19.06.2026 10
CVE-2026-48582 Microsoft Exchange Online Elevation of Privilege Vulnerability 22.06.2026 9.6
CVE-2026-48584 Microsoft Azure Synapse Elevation of Privilege Vulnerability 19.06.2026 9.9
CVE-2026-48772 ProxySQL: PROXY-Protocol-v1 UNKNOWN parses spoofed source IP, bypassing mysql_query_rules.client_addr ACL 22.06.2026 10
CVE-2026-48773 ProxySQL pre-auth heap overflow in MySQL and PostgreSQL first-packet handling 19.06.2026 9.8
CVE-2026-48137 Untrusted pointer dereference in NI grpc-device sideband streaming API 19.06.2026 9.3
CVE-2026-9142 Insecure Default Credentials vulnerability in NI grpc-device when TLS configuration is not present 19.06.2026 9.3
CVE-2026-44939 Command injection through unsanitized YAML parameter in Rancher 22.06.2026 9.4
CVE-2026-50242 22.06.2026 10
CVE-2026-56141 22.06.2026 9.8
CVE-2026-56142 22.06.2026 9.6
CVE-2026-54414 FileRise shared-folder upload path traversal allows arbitrary file write and admin takeover 22.06.2026 9.3
CVE-2026-7515 BetterDocs Pro <= 3.8.0 - Unauthenticated Local File Inclusion via doc_style 19.06.2026 9.8
CVE-2026-8713 Avada (Fusion) Builder <= 3.15.3 - Unauthenticated Arbitrary File Deletion via Form Entry Value 22.06.2026 9.1
CVE-2026-12045 pgAdmin 4: AI Assistant read-only transaction bypass allows unauthorised writes and remote code execution 18.06.2026 9.4
CVE-2026-12046 pgAdmin 4: Unauthenticated pickle deserialization in SQL Editor close / update_connection routes enables remote code execution 18.06.2026 9.5
CVE-2026-12048 pgAdmin 4: Stored XSS via untrusted error and plan-node text rendered through html-react-parser 18.06.2026 9.3
CVE-2026-40624 AVer PTC cameras Files or Directories Accessible to External Parties 22.06.2026 9.3
CVE-2026-47647 Dynamics 365 Elevation of Privilege Vulnerability 22.06.2026 9.9
CVE-2026-54130 M365 Copilot Information Disclosure Vulnerability 19.06.2026 9.8
CVE-2026-49257 mcp-pinot: Unauthenticated tool invocation via default oauth_enabled=False + host 0.0.0.0 bind 18.06.2026 10
CVE-2026-49454 Relyra SAML SignatureValue not cryptographically verified -> authentication bypass 18.06.2026 9.1
CVE-2026-49252 deepstream is vulnerable to prototype pollution 22.06.2026 9.9
CVE-2026-47846 18.06.2026 9.8
CVE-2026-54390 JTL Shop < 5.7.2 Server-Side Template Injection via Smarty Renderer 22.06.2026 9.3
CVE-2026-54103 U.S. GAO EPDS and CBCA EDS unauthenticated password change 22.06.2026 9.3
CVE-2026-55203 HAProxy - Integer Overflow in FCGI Demux Record Length Field 18.06.2026 9
CVE-2026-56020 Webmin HTTP header authentication bypass 22.06.2026 9.2
CVE-2026-11717 18.06.2026 9.3
CVE-2026-11718 18.06.2026 9.3
CVE-2026-54419 PIAF-HMS multiple unauthenticated SQL injection vulnerabilities via mysql_query 18.06.2026 9.3
CVE-2026-8024 Deserialization vulnerability in ibaPDA and ibaDatCoordinator 18.06.2026 9.3
CVE-2025-10560 Hardcoded cloud credentials in Worksnaps client application binaries expose production cloud resources 21.06.2026 9.3
CVE-2026-28573 18.06.2026 10
CVE-2026-55742 Cotonti CSRF in admin.rights.php allows privilege escalation 18.06.2026 9.4
CVE-2026-55740 SQL Injection in Nur-Alam39 bus-ticket bus_info.php via busid parameter 18.06.2026 9.3
CVE-2026-12569 Remote Code Execution (RCE) vulnerability in Windchill PDMlink 18.06.2026 9.3
CVE-2026-48768 TypeBot: Unauthenticated arbitrary s3 object write in generate-upload-url via unsanitized fileName 18.06.2026 9.3
CVE-2026-48814 Network-AI: Empty default secret still authorizes all requests (Incomplete fix for CVE-2026-46701) 18.06.2026 9.1
CVE-2026-54387 Tinyproxy - HTTP Request Smuggling via CL/TE Desynchronization 18.06.2026 9.3
CVE-2026-54388 Tinyproxy - HTTP Request Smuggling via Duplicate Content-Length Headers 18.06.2026 9.3
CVE-2026-55200 libssh2 - Out-of-Bounds Write via Unchecked packet_length in transport.c 18.06.2026 9.2
CVE-2026-55196 Hermes WebUI < 0.51.409 - Unauthenticated Passkey Registration via Authentication Bypass 17.06.2026 9.1
CVE-2026-20266 OS Command Injection in the btool Configuration Helper in Splunk AI Toolkit 17.06.2026 9.1
CVE-2026-53805 NVIDIA SIL GEN3C Unauthenticated RCE via Pickle Deserialization in Inference API 17.06.2026 9.3
CVE-2025-71320 picklescan - Remote Code Execution via Incomplete Disallowed Inputs 17.06.2026 9.3
CVE-2025-71321 picklescan - Arbitrary File Writing via distutils Module Bypass 17.06.2026 9.3
CVE-2025-71323 picklescan - Remote Code Execution via Unblocked ctypes Module 17.06.2026 9.3
CVE-2025-71325 picklescan - Detection Bypass via STACK_GLOBAL Opcode Parsing Logic Flaw 17.06.2026 9.3
CVE-2026-20181 Cisco Identity Services Engine Remote Code Execution Vulnerability 18.06.2026 9.1
CVE-2026-3490 picklescan - Universal Blocklist Bypass via pkgutil.resolve_name 18.06.2026 10
CVE-2026-53873 picklescan - Arbitrary Code Execution via profile.run() Blocklist Bypass 17.06.2026 9.3
CVE-2026-53874 picklescan - Arbitrary Code Execution via Obfuscated eval Call 17.06.2026 9.3
CVE-2026-42055 NGINX ngx_http_proxy_v2_module and ngx_http_grpc_module vulnerability 18.06.2026 9.2
CVE-2026-42530 NGINX Open-Source ngx_http_v3_module vulnerability 18.06.2026 9.2
CVE-2026-47103 Python StateMachine 3.0.0 < 3.2.0 RCE via SCXML eval() Injection 18.06.2026 9.3
CVE-2026-54812 WordPress Motors plugin <= 1.4.109 - SQL Injection vulnerability 17.06.2026 9.3
CVE-2026-55743 OpenHuman desktop agent shell tool sandbox bypass leads to arbitrary command execution 17.06.2026 9.4
CVE-2025-59554 WordPress Advanced Ads – Tracking plugin < 3.0.7 - SQL Injection vulnerability 17.06.2026 9.3
CVE-2025-60229 WordPress Lagom theme <= 2.0 - PHP Object Injection vulnerability 17.06.2026 9.8
CVE-2025-60230 WordPress The Barber Shop theme <= 1.9 - PHP Object Injection vulnerability 17.06.2026 9.8
CVE-2025-60231 WordPress The Hospital theme <= 1.8.1 - PHP Object Injection vulnerability 17.06.2026 9.8
CVE-2025-60236 WordPress Creatify theme <= 1.5 - PHP Object Injection vulnerability 17.06.2026 9.8
CVE-2025-69111 WordPress Reisen theme <= 1.4.1 - PHP Object Injection vulnerability 17.06.2026 9.8
CVE-2025-69127 WordPress Plumbing theme <= 1.6 - PHP Object Injection vulnerability 17.06.2026 9.8
CVE-2026-49108 WordPress Moderno theme < 1.43 - PHP Object Injection vulnerability 17.06.2026 9.8
CVE-2026-54808 WordPress WP Travel Gutenberg Blocks plugin <= 3.9.4 - SQL Injection vulnerability 17.06.2026 9.3
CVE-2026-54809 WordPress GIFT4U plugin <= 1.0.10 - SQL Injection vulnerability 17.06.2026 9.3
CVE-2026-54815 WordPress Cargo Shipping Location for WooCommerce plugin <= 5.6 - SQL Injection vulnerability 17.06.2026 9.3
CVE-2026-54819 WordPress Listdom plugin <= 5.4.0 - SQL Injection vulnerability 17.06.2026 9.3
CVE-2024-52488 WordPress Grip theme <= 1.0.9 - Arbitrary Plugin Activation/Deactivation to RCE vulnerability 17.06.2026 9.9
CVE-2025-60205 WordPress ThemeREX Addons plugin <= 2.36.1.1 - PHP Object Injection vulnerability 17.06.2026 9.8
CVE-2025-60218 WordPress PT Luxa Addons Plugin <= 1.2.2 - Arbitrary File Upload Vulnerability 17.06.2026 9.9
CVE-2025-69129 WordPress WordPress & WooCommerce Scraper Plugin, Import Data from Any Site plugin <= 1.0.7 - Arbitrary File Upload vulnerability 17.06.2026 10
CVE-2025-69179 WordPress Support Ticket Management System plugin <= 1.9 - Privilege Escalation vulnerability 17.06.2026 9.8
CVE-2026-22327 WordPress Restaurt theme <= 1.0.4 - Arbitrary File Upload vulnerability 17.06.2026 9.9
CVE-2026-22332 WordPress Tutor LMS Pro plugin <= 3.9.6 - SQL Injection vulnerability 17.06.2026 9.3
CVE-2026-22340 WordPress WPJobster theme <= 6.3.5 - SQL Injection vulnerability 17.06.2026 9.3
CVE-2026-24611 WordPress MetForm Pro plugin <= 3.9.1 - Broken Access Control vulnerability 17.06.2026 9.1
CVE-2026-25446 WordPress WishList Member X plugin <= 3.29.0 - Arbitrary File Upload vulnerability 17.06.2026 9.9
CVE-2026-27041 WordPress Unlimited Elements for Elementor (Premium) plugin <= 2.0.6 - Arbitrary File Upload vulnerability 17.06.2026 9.9
CVE-2026-39589 WordPress Webenvo theme <= 0.0.6 - Arbitrary File Upload vulnerability 17.06.2026 9.9
CVE-2026-39596 WordPress Blocksy Companion Pro plugin < 2.1.29 - SQL Injection vulnerability 17.06.2026 9.3
CVE-2026-40725 WordPress WooCommerce Product Filters plugin < 2.0.6 - PHP Object Injection vulnerability 17.06.2026 9.8
CVE-2026-40746 WordPress Restaurant Zone theme <= 0.7.8 - Arbitrary File Upload vulnerability 17.06.2026 9.9
CVE-2026-40747 WordPress Ecommerce Zone theme <= 0.9.7 - Arbitrary File Upload vulnerability 17.06.2026 9.9
CVE-2026-40748 WordPress Kids Gift Shop theme <= 0.5.4 - Arbitrary File Upload vulnerability 17.06.2026 9.9
CVE-2026-40749 WordPress Charity Zone theme <= 1.1.1 - Arbitrary File Upload vulnerability 17.06.2026 9.9
CVE-2026-40783 WordPress Blocksy Companion Pro plugin <= 2.1.37 - Remote Code Execution (RCE) vulnerability 17.06.2026 9.9
CVE-2026-42380 WordPress AI Lab theme < 5.4.2 - PHP Object Injection vulnerability 17.06.2026 9.8
CVE-2026-48875 WordPress JetSmartFilters plugin <= 3.8.1 - SQL Injection vulnerability 17.06.2026 9.3
CVE-2026-49058 WordPress LoginPress Pro plugin <= 6.2.2 - Privilege Escalation vulnerability 17.06.2026 9.8
CVE-2026-49075 WordPress JetEngine plugin <= 3.8.9.1 - PHP Object Injection vulnerability 17.06.2026 9.8
CVE-2026-49076 WordPress JetEngine plugin <= 3.8.9.1 - SQL Injection vulnerability 17.06.2026 9.3
CVE-2026-49079 WordPress JetSearch plugin <= 3.5.17 - SQL Injection vulnerability 17.06.2026 9.3
CVE-2026-49084 WordPress JetEngine plugin < 3.8.9.1 - SQL Injection vulnerability 17.06.2026 9.3
CVE-2026-49107 WordPress Thrive Apprentice plugin < 10.8.10.2 - PHP Object Injection vulnerability 17.06.2026 9.8
CVE-2026-49767 WordPress wpForo Forum plugin <= 3.1.0 - Broken Authentication vulnerability 17.06.2026 9.8
CVE-2026-52705 WordPress SigmaForms Pro – AI Generated Forms plugin <= 1.4.5 - Arbitrary File Upload vulnerability 17.06.2026 9
CVE-2026-52706 WordPress JetEngine plugin <= 3.8.10 - PHP Object Injection vulnerability 17.06.2026 9.8
CVE-2026-54186 WordPress JobSearch plugin <= 3.2.9 - SQL Injection vulnerability 17.06.2026 9.3
CVE-2026-54187 WordPress JetEngine plugin <= 3.8.10.1 - SQL Injection vulnerability 17.06.2026 9.3
CVE-2026-54803 WordPress SMS Alert Order Notifications plugin <= 3.9.4 - Privilege Escalation vulnerability 17.06.2026 9.8
CVE-2026-54806 WordPress WP Activity Log plugin <= 5.6.3.1 - PHP Object Injection vulnerability 17.06.2026 9.8
CVE-2026-54807 WordPress Registration Form for WooCommerce plugin <= 1.0.9 - Privilege Escalation vulnerability 17.06.2026 9.8
CVE-2026-54811 WordPress WP eMember plugin < v10.9.4 - SQL Injection vulnerability 17.06.2026 9.3
CVE-2026-0063 18.06.2026 10
CVE-2026-0064 17.06.2026 10
CVE-2026-0068 18.06.2026 10
CVE-2026-0071 18.06.2026 10
CVE-2026-0081 18.06.2026 10
CVE-2026-0082 18.06.2026 10
CVE-2026-0083 18.06.2026 10
CVE-2026-0092 18.06.2026 10
CVE-2026-10094 Path Traversal vulnerability affecting SOLIDWORKS Visualize from SOLIDWORKS Desktop Release 2024 through SOLIDWORKS Desktop Release 2026 17.06.2026 9.8
CVE-2026-28575 17.06.2026 10
CVE-2026-28576 17.06.2026 10
CVE-2026-28587 17.06.2026 10
CVE-2026-28615 18.06.2026 10
CVE-2026-48797 Backpropagate: backprop ui --auth and backprop ui --share do not enforce authentication 18.06.2026 9.3
CVE-2026-48616 17.06.2026 9.3
CVE-2026-48745 Traccar Client: silent configuration hijack via unverified deep link redirects all GPS telemetry 17.06.2026 9.3
CVE-2025-69108 WordPress Hot Coffee theme <= 1.7 - PHP Object Injection vulnerability 17.06.2026 9.8
CVE-2025-69122 WordPress SeaFood Company theme <= 1.4 - PHP Object Injection vulnerability 17.06.2026 9.8
CVE-2026-25470 WordPress ACPT (Pro) - Custom Post Types plugin for WordPress plugin <= 2.0.47 - Remote Code Execution (RCE) vulnerability 17.06.2026 10
CVE-2026-27395 WordPress Support Board plugin < 3.8.9 - Privilege Escalation vulnerability 17.06.2026 9.8
CVE-2026-27429 WordPress Nifty theme <= 1.4.1 - PHP Object Injection vulnerability 17.06.2026 9.8
CVE-2026-39438 WordPress ListingPro plugin <= 2.9.10 - SQL Injection vulnerability 17.06.2026 9.3
CVE-2026-39529 WordPress Elementra theme <= 1.0.9 - PHP Object Injection vulnerability 17.06.2026 9.8
CVE-2026-48055 Streambert: Arbitrary File Write (Zip Slip) via Subtitle Extraction 17.06.2026 10
CVE-2026-48781 Postiz has cross-tenant SUPERADMIN takeover via Skool-provider JWT forgery 18.06.2026 9.9
CVE-2026-49080 WordPress wpDataTables plugin <= 7.3.6 - SQL Injection vulnerability 17.06.2026 9.3
CVE-2026-54194 WordPress Fusion Builder plugin <= 3.15.4 - PHP Object Injection vulnerability 17.06.2026 9.8
CVE-2026-35263 18.06.2026 9.9
CVE-2026-35268 18.06.2026 9.9
CVE-2026-35270 18.06.2026 9.1
CVE-2026-35278 18.06.2026 9.8
CVE-2026-35280 17.06.2026 9.9
CVE-2026-35281 17.06.2026 9.9
CVE-2026-35282 17.06.2026 9.9
CVE-2026-35283 17.06.2026 9.9
CVE-2026-35284 17.06.2026 9.9
CVE-2026-35285 17.06.2026 9.9
CVE-2026-35286 18.06.2026 9.8
CVE-2026-35292 18.06.2026 10
CVE-2026-35293 17.06.2026 9.8
CVE-2026-35294 17.06.2026 9.9
CVE-2026-35296 17.06.2026 9.8
CVE-2026-35298 18.06.2026 9.1
CVE-2026-35300 18.06.2026 9.8
CVE-2026-35301 18.06.2026 10
CVE-2026-35304 19.06.2026 9.8
CVE-2026-35305 17.06.2026 9.3
CVE-2026-35306 17.06.2026 9.3
CVE-2026-35307 19.06.2026 10
CVE-2026-35308 19.06.2026 10
CVE-2026-35309 19.06.2026 9.8
CVE-2026-35310 19.06.2026 9.8
CVE-2026-35312 19.06.2026 9.8
CVE-2026-35313 17.06.2026 9.9
CVE-2026-35316 19.06.2026 9.9
CVE-2026-35319 19.06.2026 9.8
CVE-2026-35320 19.06.2026 9
CVE-2026-35321 19.06.2026 9.9
CVE-2026-35323 19.06.2026 9.9
CVE-2026-46765 19.06.2026 9.9
CVE-2026-46766 19.06.2026 9.8
CVE-2026-46767 19.06.2026 9.9
CVE-2026-46773 19.06.2026 9.8
CVE-2026-46774 19.06.2026 9.8
CVE-2026-46777 19.06.2026 9.1
CVE-2026-46778 17.06.2026 10
CVE-2026-46779 17.06.2026 9.9
CVE-2026-46781 17.06.2026 10
CVE-2026-46782 17.06.2026 9.9
CVE-2026-46783 17.06.2026 9.8
CVE-2026-46784 17.06.2026 9.1
CVE-2026-46785 19.06.2026 9.3
CVE-2026-46786 19.06.2026 9.6
CVE-2026-46789 19.06.2026 9.6
CVE-2026-46792 17.06.2026 9.9
CVE-2026-46793 17.06.2026 9.9
CVE-2026-46794 17.06.2026 9.9
CVE-2026-46795 19.06.2026 9.3
CVE-2026-46797 17.06.2026 9.8
CVE-2026-46798 17.06.2026 10
CVE-2026-46799 17.06.2026 9.8
CVE-2026-46800 17.06.2026 10
CVE-2026-46801 17.06.2026 9.8
CVE-2026-46802 19.06.2026 9.9
CVE-2026-46803 19.06.2026 10
CVE-2026-46805 19.06.2026 9.3
CVE-2026-46807 19.06.2026 9.8
CVE-2026-46809 17.06.2026 9.1
CVE-2026-46813 17.06.2026 9.8
CVE-2026-46814 17.06.2026 9.9
CVE-2026-46832 18.06.2026 9.9
CVE-2026-46838 17.06.2026 9.9
CVE-2026-46844 17.06.2026 9.9
CVE-2026-46845 17.06.2026 9.8
CVE-2026-46846 17.06.2026 10
CVE-2026-46847 18.06.2026 9.9
CVE-2026-46850 18.06.2026 9.9
CVE-2026-46852 18.06.2026 9.9
CVE-2026-46853 18.06.2026 9.6
CVE-2026-46854 18.06.2026 9.9
CVE-2026-46855 18.06.2026 9.9
CVE-2026-46856 18.06.2026 9.6
CVE-2026-46857 18.06.2026 9.8
CVE-2026-46858 17.06.2026 9.1
CVE-2026-46859 18.06.2026 9.8
CVE-2026-46860 18.06.2026 9.8
CVE-2026-46861 18.06.2026 9.6
CVE-2026-46872 17.06.2026 9
CVE-2026-46875 18.06.2026 9.1
CVE-2026-46878 18.06.2026 9.8
CVE-2026-46879 18.06.2026 9.8
CVE-2026-46880 18.06.2026 9.8
CVE-2026-46881 18.06.2026 9.8
CVE-2026-46882 18.06.2026 9.8
CVE-2026-46883 18.06.2026 9.8
CVE-2026-46884 18.06.2026 9.8
CVE-2026-46887 18.06.2026 9.8
CVE-2026-46889 18.06.2026 9.8
CVE-2026-46890 18.06.2026 9.8
CVE-2026-46892 18.06.2026 9.1
CVE-2026-46893 18.06.2026 9.9
CVE-2026-46895 18.06.2026 9.9
CVE-2026-46896 18.06.2026 9.1
CVE-2026-46897 18.06.2026 9.9
CVE-2026-46899 18.06.2026 9.6
CVE-2026-46900 18.06.2026 9.9
CVE-2026-46901 18.06.2026 9.9
CVE-2026-46902 18.06.2026 9.8
CVE-2026-46904 18.06.2026 9.8
CVE-2026-46905 18.06.2026 9.8
CVE-2026-46906 18.06.2026 9.6
CVE-2026-46907 18.06.2026 9.9
CVE-2026-46908 18.06.2026 9.9
CVE-2026-46909 18.06.2026 9.8
CVE-2026-46910 17.06.2026 9.1
CVE-2026-46911 18.06.2026 9.6
CVE-2026-46912 17.06.2026 9.3
CVE-2026-46913 18.06.2026 9.3
CVE-2026-46918 17.06.2026 9.9
CVE-2026-46919 18.06.2026 9.8
CVE-2026-46930 17.06.2026 9.1
CVE-2026-46933 18.06.2026 9.9
CVE-2026-46944 18.06.2026 9.1
CVE-2026-46945 17.06.2026 9.1
CVE-2026-46946 18.06.2026 9.1
CVE-2026-46949 17.06.2026 9.1
CVE-2026-46963 17.06.2026 9.9
CVE-2026-46964 17.06.2026 9.9
CVE-2026-46978 18.06.2026 10
CVE-2026-22313 OS Commands Executed with Administrative Permissions in Radiflow iSAP Smart Collector 17.06.2026 9.1
CVE-2026-48777 FileBrowser Quantum: Path Traversal in public share PATCH allows file ops outside shared directory 17.06.2026 9.3
CVE-2026-53776 Perry < 0.5.1166 JWT Expiration Bypass via verify_decode 16.06.2026 9.3
CVE-2025-13036 Rockwell Automation FactoryTalk Historian Site Edition - Authentication Bypass 16.06.2026 9.2
CVE-2026-40750 WordPress Kids Online Store theme <= 0.8.9 - Arbitrary File Upload vulnerability 16.06.2026 9.9
CVE-2026-39574 WordPress InPost Gallery plugin <= 2.1.4.6 - SQL Injection vulnerability 16.06.2026 9.3
CVE-2026-49772 WordPress The Events Calendar plugin 6.15.12-6.16.2 - SQL Injection vulnerability 16.06.2026 9.3
CVE-2026-49774 WordPress RD Station plugin <= 5.6.0 - Remote Code Execution (RCE) vulnerability 16.06.2026 9.9
CVE-2026-52715 WordPress GEO my WordPress plugin <= 4.5.5 - SQL Injection vulnerability 16.06.2026 9.3
CVE-2026-48853 Remote code execution and denial of service via unsafe Erlang term deserialization in elixir-grpc/grpc 17.06.2026 9.2
CVE-2026-48713 i18next-fs-backend: Prototype pollution via crafted missing-key string 16.06.2026 9.1
CVE-2026-48714 i18next-http-middleware missingKeyHandler does not reject keys whose segments contain prototype-polluting names 16.06.2026 9.1
CVE-2026-27053 WordPress Broadcast Live Video plugin < 7.1.3 - PHP Object Injection vulnerability 16.06.2026 9.8
CVE-2026-34901 WordPress iControlWP plugin <= 5.5.3 - Privilege Escalation vulnerability 16.06.2026 9.8
CVE-2026-39441 WordPress Feed KuantoKusta for WooCommerce – Free plugin <= 5.3 - SQL Injection vulnerability 16.06.2026 9.3
CVE-2026-39465 WordPress Responsive Slider by MetaSlider plugin <= 3.106.0 - Remote Code Execution (RCE) vulnerability 16.06.2026 9.1
CVE-2026-39492 WordPress WP Maps plugin <= 4.9.1 - SQL Injection vulnerability 16.06.2026 9.3
CVE-2026-39493 WordPress Simply Schedule Appointments plugin <= 1.6.9.27 - SQL Injection vulnerability 16.06.2026 9.3
CVE-2026-39502 WordPress Form Maker by 10Web plugin <= 1.15.38 - SQL Injection vulnerability 15.06.2026 9.3
CVE-2026-39511 WordPress WP Photo Album Plus plugin <= 9.1.08.001 - SQL Injection vulnerability 16.06.2026 9.3
CVE-2026-39512 WordPress GeoDirectory plugin <= 2.8.152 - SQL Injection vulnerability 16.06.2026 9.3
CVE-2026-39519 WordPress GeekyBot plugin <= 1.2.0 - SQL Injection vulnerability 16.06.2026 9.3
CVE-2026-39530 WordPress SpeakOut! Email Petitions plugin <= 4.6.5 - SQL Injection vulnerability 16.06.2026 9.3
CVE-2026-39583 WordPress Datalogics Ecommerce Delivery plugin <= 2.6.62 - Privilege Escalation vulnerability 16.06.2026 9.8
CVE-2026-39591 WordPress WP-BusinessDirectory plugin <= 4.0.0 - Arbitrary File Upload vulnerability 16.06.2026 9.9
CVE-2026-40771 WordPress Contest Gallery plugin <= 28.1.6 - SQL Injection vulnerability 16.06.2026 9.3
CVE-2026-40772 WordPress GeekyBot plugin <= 1.2.2 - Arbitrary File Upload vulnerability 16.06.2026 10
CVE-2026-40798 WordPress wpForo Forum plugin <= 3.0.4 - SQL Injection vulnerability 16.06.2026 9.3
CVE-2026-42381 WordPress Funnel Builder by FunnelKit plugin <= 3.15.0.1 - SQL Injection vulnerability 16.06.2026 9.3
CVE-2026-42386 WordPress Order Delivery Date for WooCommerce plugin <= 4.5.1 - SQL Injection vulnerability 16.06.2026 9.3
CVE-2026-42639 WordPress GD Rating System plugin <= 3.6.2 - SQL Injection vulnerability 16.06.2026 9.3
CVE-2026-42665 WordPress WP Data Access plugin <= 5.5.70 - SQL Injection vulnerability 16.06.2026 9.3
CVE-2026-45439 WordPress Realtyna Organic IDX plugin plugin <= 5.1.0 - SQL Injection vulnerability 16.06.2026 9.3
CVE-2026-48836 WordPress Easy Invoice plugin <= 2.1.19 - Remote Code Execution (RCE) vulnerability 16.06.2026 10
CVE-2026-48881 WordPress TrueBooker plugin <= 1.1.9 - Broken Access Control vulnerability 16.06.2026 9.1
CVE-2026-48886 WordPress JS Help Desk plugin <= 3.0.9 - SQL Injection vulnerability 16.06.2026 9.3
CVE-2026-49067 WordPress Advanced 301 and 302 Redirect plugin <= 1.6.9 - SQL Injection vulnerability 16.06.2026 9.3
CVE-2026-49085 WordPress WP Insightly for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms plugin <= 1.1.4 - PHP Object Injection vulnerability 16.06.2026 9.8
CVE-2026-49104 WordPress Integration for Keap/infusionsoft and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms plugin <= 1.2.1 - PHP Object Injection vulnerability 16.06.2026 9.8
CVE-2026-49105 WordPress WP Zendesk for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms plugin <= 1.1.4 - PHP Object Injection vulnerability 15.06.2026 9.8
CVE-2026-49106 WordPress Integration for Contact Form 7 and Constant Contact plugin <= 1.1.6 - PHP Object Injection vulnerability 16.06.2026 9.8
CVE-2026-49109 WordPress Integration for Salesforce and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms plugin <= 1.4.3 - PHP Object Injection vulnerability 16.06.2026 9.8
CVE-2026-49763 WordPress Integration for Contact Form 7 HubSpot plugin <= 1.3.7 - PHP Object Injection vulnerability 15.06.2026 9.8
CVE-2026-49764 WordPress RegistrationMagic plugin <= 6.0.8.6 - Broken Authentication vulnerability 15.06.2026 9.8
CVE-2026-49765 WordPress Integration for Mailchimp and Contact Form 7, WPForms, Elementor, Ninja Forms plugin <= 1.1.8 - PHP Object Injection vulnerability 16.06.2026 9.8
CVE-2026-49766 WordPress WP User Manager plugin <= 2.9.16 - Arbitrary File Deletion vulnerability 16.06.2026 9.9
CVE-2026-49768 WordPress Happyforms plugin <= 1.26.13 - PHP Object Injection vulnerability 16.06.2026 9.8
CVE-2026-49769 WordPress wpForo Forum plugin <= 3.1.0 - PHP Object Injection vulnerability 16.06.2026 9.8
CVE-2026-49770 WordPress WP Travel Engine plugin <= 6.7.12 - PHP Object Injection vulnerability 16.06.2026 9.8
CVE-2026-49776 WordPress GPTranslate – Multilingual AI Translation for WordPress: Automatically Translate Websites plugin <= 2.32.6 - SQL Injection vulnerability 16.06.2026 9.3
CVE-2026-49781 WordPress OttoKit plugin <= 1.1.27 - PHP Object Injection vulnerability 16.06.2026 9.8
CVE-2026-52693 WordPress eCommerce Product Catalog plugin <= 3.5.5 - SQL Injection vulnerability 15.06.2026 9.3
CVE-2026-52703 WordPress FastDup plugin <= 2.7.2 - Path Traversal vulnerability 16.06.2026 9.6
CVE-2026-9691 WordPress Integration for ActiveCampaign and Contact Form 7, WPForms, Elementor, Ninja Forms plugin <= 1.1.1 - PHP Object Injection vulnerability 16.06.2026 9.8
CVE-2026-48114 Metacat has an unauthenticated SQL injection vulnerability 15.06.2026 9.8
CVE-2026-49952 Discuz! X5.0 Authentication Bypass via dbbak.php Encryption Oracle 16.06.2026 9.3

Latest Updates

CVE Title Updated Score
CVE-2023-33854 Multiple vulnerabilities affect IBM Db2® on Cloud Pak for Data, and Db2 Warehouse on Cloud Pak for Data. 22.06.2026 5.3
CVE-2024-51454 IBM Engineering Lifecycle Management - Engineering Workflow Management is impacted by vulnerabilities Host Header Injection observed 22.06.2026 6.5
CVE-2026-10845 IBM WebSphere Application Server is affected by an authentication bypass vulnerability 22.06.2026
CVE-2026-11372 IBM TRIRIGA Cross-Site Scripting Vulnerability 22.06.2026 5.4
CVE-2026-11942 Akaunting 3.1.21 - Stored XSS in delete confirmation modal 22.06.2026
CVE-2026-11943 Akaunting 3.1.21 - Authenticated stored XSS in document timeline 22.06.2026
CVE-2026-12479 Path Traversal in keras-team/keras 22.06.2026
CVE-2026-12549 Libsoup: incomplete fix for cve-2026-2443: range suffix overflow in libsoup soupserver 22.06.2026
CVE-2026-12628 Hardcoded credential in the IBM Storage Protect Snapshot For Windows leads to unauthorized access to system 22.06.2026 8.1
CVE-2026-12725 Dnsmasq: dnsmasq: heap buffer overflow in log_query() when logging unsupported ds/dnskey replies 22.06.2026
CVE-2026-41045 Weak polkit authentication check in qSnapper 22.06.2026 8.1
CVE-2026-41046 path traversal via `config` parameter in qSnapper 22.06.2026 7.3
CVE-2026-41047 Information leak via “diff” methods in qSnapper 22.06.2026
CVE-2026-41048 Caching of Authentication allows Authentication Bypass in qSnapper 22.06.2026
CVE-2026-41049 Caching of Authentication allows Authentication Bypass between users in qSnapper 22.06.2026
CVE-2026-49241 Angular: Multiple Remote Code Execution Vulnerabilities in Angular Language Service VS Code Extension 22.06.2026
CVE-2026-50178 Angular: Remote Code Execution via JSDoc Hover Command Injection in VS Code Angular Language Service Extension 22.06.2026
CVE-2026-50557 Angular: Template and Attribute Namespace Sanitization Bypass (XSS) 22.06.2026
CVE-2026-52725 Angular Template and Dynamic Component Namespace Bypass leading to Cross-Site Scripting (XSS) 22.06.2026
CVE-2026-53550 js-yaml: Quadratic-complexity DoS in merge key handling via repeated aliases 22.06.2026 5.3
CVE-2026-53655 node-tar applies PAX size override to intermediary GNU long-name/long-link headers, causing tar parser interpretation differential (file smuggling) 22.06.2026
CVE-2026-54264 Angular: Sensitive Header Leakage on Cross-Origin Redirects in Angular Service Worker 22.06.2026
CVE-2026-54265 Angular: Two-Way Property Binding Sanitization Bypass (XSS) 22.06.2026
CVE-2026-54266 Angular: Weak 32-Bit Cache Key Hashing in `HttpTransferCache` Leading to Cross-Request Data Leakage and State Poisoning 22.06.2026
CVE-2026-54267 Angular Client Hydration DOM Clobbering & Response-Cache Poisoning 22.06.2026
CVE-2026-54268 Angular: Denial of Service (DoS) via OOM in Date Formatting (formatDate) 22.06.2026
CVE-2026-56104 Chainlit < 2.10.1 Session Hijacking via WebSocket Session Restoration 22.06.2026
CVE-2026-7253 IBM Watson Speech Services Cartridge is vulnerable to Server-Side Request Forgery (SSRF) in Sterling File Gateway 22.06.2026 5.3
CVE-2026-7664 Unauthenticated Flow Execution via Webhook Endpoint in Langflow OSS 22.06.2026 9.8
CVE-2026-8059 Multiple Vulnerabilities in IBM Datacap 22.06.2026 6.1
CVE-2026-8636 Multiple Vulnerabilities in IBM Datacap 22.06.2026 5.5
CVE-2026-8646 IBM WebSphere Application Server and WebSphere Application Server Liberty are affected by multiple vulnerabilities 22.06.2026 7.4
CVE-2026-8823 User Manager can demote bot accounts to guest without bot-management permission 22.06.2026 3.8
CVE-2026-8858 IBM i is Affected By Denial of Service, HTTP Request Smuggling, and Remote Code Execution Vulnerabilities in IBM WebSphere Application Server Liberty [, , , , ] 22.06.2026 7.5
CVE-2026-8934 Cross-Project Information Leakage in Google App Engine UI 22.06.2026
CVE-2026-9006 IBM WebSphere Application Server is affected by server-side request forgery 22.06.2026 7.4
CVE-2026-9071 IBM WebSphere Application Server and WebSphere Application Server Liberty are affected by Uncontrolled Resource Consumption 22.06.2026 7.5
CVE-2026-9072 IBM i is Affected By Denial of Service, HTTP Request Smuggling, and Remote Code Execution Vulnerabilities in IBM WebSphere Application Server Liberty [, , , , ] 22.06.2026 8.1
CVE-2026-9320 IBM WebSphere Application Server and WebSphere Application Server Liberty are affected by multiple vulnerabilities 22.06.2026 5.9
CVE-2026-9610 Multiple Vulnerabilities in IBM Datacap 22.06.2026 2.3
CVE-2024-54178 Multiple vulnerabilities affect IBM Db2® on Cloud Pak for Data, and Db2 Warehouse on Cloud Pak for Data. 22.06.2026 6.5
CVE-2025-2669 Multiple vulnerabilities affect IBM Db2® on Cloud Pak for Data, and Db2 Warehouse on Cloud Pak for Data. 22.06.2026 6
CVE-2025-33128 IBM Engineering Lifecycle Management - Engineering Workflow Management is impacted by vulnerabilities HTML / XSS Injection observed 22.06.2026 5.4
CVE-2025-66389 22.06.2026
CVE-2026-10561 Unauthenticated Remote Code Execution in Langflow OSS PythonREPLComponent via Builtins Injection 22.06.2026 10
CVE-2026-10601 Path Traversal in Tempo and Loki Data Source Plugins — Credential Leakage and Admin Endpoint Access 22.06.2026 5.4
CVE-2026-12602 Incorrect permissions in ArubaSign by Aruba 22.06.2026
CVE-2026-12888 HTML injection in the Canarytoken Google Chat notification 22.06.2026
CVE-2026-28381 Local File Read/Write to Potential Privilege Escalation via Snowflake GET/PUT 22.06.2026 9.6
CVE-2026-42129 Path Traversal in Loki Datasource leads to Internal Information Disclosure 22.06.2026 7.7
CVE-2026-54099 Windows-machine-config-operator: windows-machine-config-operator: wicd csr extra-organization allows privilege escalation to system:masters 22.06.2026
CVE-2026-54100 Windows-machine-config-operator: windows-machine-config-operator: ssh host key not verified enables credential theft 22.06.2026
CVE-2026-56423 MISP Core: Broken access control allows instance-wide unauthorized deletion of event reports and sharing groups via bulk deletion endpoints 22.06.2026
CVE-2026-56424 Broken access control in MISP core allows cross-organization unauthorized modification or deletion of analyst data, event reports, collections, templates, and decaying models 22.06.2026
CVE-2026-56425 MISP AAD authentication plugin - Improper OAuth State Handling, Missing Session Rotation, Insecure Redirect URI Validation, and Log Injection 22.06.2026
CVE-2026-56446 Authenticated Remote Code Execution via Arbitrary NDJSON Error Log Path in MISP 22.06.2026
CVE-2026-56447 MISP remote code execution via arbitrary rdkafka configuration path 22.06.2026
CVE-2026-56448 Authenticated Path Traversal in AIL Framework Investigation Downloads Allows Arbitrary File Read 22.06.2026
CVE-2026-56450 AIL Framework - Missing Rate Limiting Enables Brute-Force Attacks Against Two-Factor Authentication Codes 22.06.2026
CVE-2026-5139 GitLab Plugin Allows Non-Admin Users to Modify Default Instance Configuration 22.06.2026 5.4
CVE-2026-6062 IDOR in Jira plugin subscription edit endpoint 22.06.2026 6.4
CVE-2026-6653 libxml2: Use after free in xmlParseInternalSubset via improper entity resolution handling 22.06.2026
CVE-2026-6673 Mattermost Jira plugin had unauthenticated {{/ac/installed}} lifecycle callback during pending Jira Cloud install 22.06.2026 6.4
CVE-2026-7165 Multiple vulnerabilities in the Assassin game by Gaudire 22.06.2026
CVE-2026-7166 Multiple vulnerabilities in the Assassin game by Gaudire 22.06.2026
CVE-2026-7167 Multiple vulnerabilities in the Assassin game by Gaudire 22.06.2026
CVE-2026-8074 Improper Permission Check Allows User Manager to Deactivate Bot Accounts 22.06.2026 3.8
CVE-2026-9029 Stored XSS via Geomap Panel Template Variable Attribution Injection 22.06.2026 7.3
CVE-2026-9162 Global session revocation does not invalidate active WebSocket connections 22.06.2026 4.3
CVE-2026-11373 Net::Statsite::Client versions through 1.1.0 for Perl allow metric injections 22.06.2026
CVE-2026-56422 MISP Core: Mass Assignment and Object Re-ownership via Unvalidated Request Fields 22.06.2026
CVE-2023-45795 Pilz: XSS vulnerability in Pilz PASvisu and PMI v8xx 22.06.2026 7.8
CVE-2023-45796 XSS vulnerability in Pilz PASvisu and PMI v8xx 22.06.2026 8.1
CVE-2025-4994 Authentication Bypass for SafeLine SL6 and SL6+ 22.06.2026
CVE-2026-12580 Digiwin|EasyFlow .NET - Stored Cross-Site Scripting 22.06.2026
CVE-2026-12581 Digiwin|EasyFlow .NET - Session Fixation 22.06.2026
CVE-2026-12862 XLSX formula injection in exports 22.06.2026
CVE-2026-12863 Open redirect 22.06.2026
CVE-2025-62198 Apache Atlas: Stored XSS in Create Entity page 22.06.2026
CVE-2025-66336 Apache Doris MCP Server: SQL injection leading the authentication bypass 22.06.2026
CVE-2026-44911 Apache NiFi: Incorrect Authorization for Configuration Verification Requests 22.06.2026
CVE-2026-44913 Apache NiFi: Improper Escaping of Table Names in CaptureChangeMySQL 22.06.2026
CVE-2026-44914 Apache NiFi: Missing Authorization of Restricted Permissions when Replacing Flow Contents 22.06.2026
CVE-2026-54665 Apache NiFi: Missing Validation for Proxy Host Headers 22.06.2026
CVE-2026-10530 Pie Register < 3.8.4.10 - Unauthenticated Email Verification Bypass via Predictable Token 22.06.2026
CVE-2026-4110 Ultimate WooCommerce Auction Pro <= 2.4.5 - Reflected XSS via uwa_auctions_bids_list 22.06.2026
CVE-2026-4259 Ultimate WooCommerce Auction Pro <= 2.4.5 - Reflected XSS via uwa_manage_auctions 22.06.2026
CVE-2026-6858 Transbank Webpay < 1.14.0 - Unauthenticated Stored XSS 22.06.2026
CVE-2026-7859 Motors Car Dealership & Classified Listings < 1.4.110 - Unauthenticated Post-Meta Write via stm_ajax_add_a_car_media 22.06.2026
CVE-2026-8157 Vitepos < 3.4.2 - Outlet Manager+ Privilege Escalation 22.06.2026
CVE-2026-6645 Insecure Search Path Vulnerability in PaperCut Print Deploy Client for Windows 22.06.2026
CVE-2026-11745 22.06.2026
CVE-2026-11746 22.06.2026
CVE-2026-11748 22.06.2026
CVE-2026-8918 22.06.2026
CVE-2026-12822 langflow-ai langflow Bundle URL Loader code injection 21.06.2026
CVE-2026-12823 Browserbase Autobrowse Trace Artifact default permission 21.06.2026
CVE-2026-12815 coollabsio coolify Image Name os command injection 21.06.2026
CVE-2026-12821 FlowiseAI Flowise S3 Document Loader S3.ts path traversal 22.06.2026
CVE-2026-12813 activepieces File URL file.ts handleUrlFile server-side request forgery 22.06.2026
CVE-2026-12814 Comfast CF-WR631AX V3 API Endpoint mbox-config system os command injection 22.06.2026
CVE-2026-12845 21.06.2026
CVE-2026-12811 kortix-ai suna Auth Endpoint page.tsx router.push cross site scripting 21.06.2026
CVE-2026-12812 Radware Cyber Controller HTML Report Generation HTML injection 21.06.2026
CVE-2026-12809 Edimax BR-6478AC V2 POST Request wiz_5in1_redirect command injection 21.06.2026
CVE-2026-12810 Edimax BR-6478AC V2 POST Request mp command injection 22.06.2026
CVE-2026-12808 Edimax BR-6478AC V2 POST Request stainfo command injection 22.06.2026
CVE-2026-12807 Edimax BR-6478AC V2 POST Request setWAN command injection 22.06.2026
CVE-2026-12805 OFFIS DCMTK ofxml.cc parseFile heap-based overflow 21.06.2026
CVE-2026-12806 Edimax BR-6478AC V2 POST Request formWlSiteSurvey buffer overflow 21.06.2026
CVE-2026-12804 lemonldap-ng SAML Common Domain Cookie Endpoint CDC.pm redirect 22.06.2026