CVE Field Guide

Critical CVEs

CVE Title Updated Score
CVE-2019-25568 Memu Play 6.0.7 Privilege Escalation via Insecure File Permissions 21.03.2026 9.3
CVE-2026-24060 Automated Logic WebCTRL Premium Server Cleartext Transmission of Sensitive Information 20.03.2026 9.1
CVE-2026-29796 IGL-Technologies eParking.fi Missing Authentication for Critical Function 20.03.2026 9.3
CVE-2026-25192 CTEK Chargeportal Missing Authentication for Critical Function 20.03.2026 9.3
CVE-2026-33186 gRPC-Go has an authorization bypass via missing leading slash in :path 20.03.2026 9.1
CVE-2026-3584 Kali Forms <= 2.4.9 - Unauthenticated Remote Code Execution via form_process 20.03.2026 9.8
CVE-2026-22898 QVR Pro 20.03.2026 9.3
CVE-2026-22172 OpenClaw < 2026.3.12 - Scope Elevation in WebSocket Shared-Auth Connections 20.03.2026 9.4
CVE-2026-33134 WeGIA has Authenticated Time-Based Blind SQL Injection in `restaurar_produto.php` via `id_produto` parameter 20.03.2026 9.3
CVE-2026-33135 WeGIA has Reflected Cross-Site Scripting (XSS) in `novo_memorandoo.php` via `sccs` parameter 20.03.2026 9.3
CVE-2026-33136 WeGIA has Reflected Cross-Site Scripting (XSS) in `listar_memorandos_ativos.php` via `sccd` parameter 20.03.2026 9.3
CVE-2026-33075 FastGPT has Arbitrary Code Execution in GitHub Actions via pull_request_target in fastgpt-preview-image.yml 20.03.2026 9.4
CVE-2026-33057 Mesop Affected by Unauthenticated Remote Code Execution via Test Suite Route /exec-py 20.03.2026 9.8
CVE-2026-33054 Mesop: Path Traversal utilizing `FileStateSessionBackend` leads to Application Denial of Service and File Write/Deletion 20.03.2026 10
CVE-2026-4478 Yi Technology YI Home Camera HTTP Firmware Update ipc signature verification 20.03.2026 9.2
CVE-2026-33017 Langflow has Unauthenticated Remote Code Execution via Public Flow Build Endpoint 21.03.2026 9.3
CVE-2026-33024 AVideo-Encoder has Unauthenticated Blind Server-Side Request Forgery via Public Thumbnail Generator 20.03.2026 9.3
CVE-2026-32938 SiYuan has an Arbitrary File Read in its Desktop Publish Service 20.03.2026 9.9
CVE-2026-32940 SiYuan has a SanitizeSVG bypass via data:text/xml in getDynamicIcon (incomplete fix for CVE-2026-29183) 20.03.2026 9.3
CVE-2026-4038 Aimogen Pro <= 2.7.5 - Unauthenticated Privilege Escalation via Arbitrary Function Call 20.03.2026 9.8
CVE-2026-21992 20.03.2026 9.8
CVE-2026-32890 Anchorr: Stored XSS in User Mapping dropdown allows unprivileged Discord users to exfiltrate all secrets via /api/config 20.03.2026 9.7
CVE-2026-32891 Anchorr Privilege Escalation: Jellyseerr User → Anchorr Admin via Stored XSS 20.03.2026 9.1
CVE-2026-32817 Admidio is Missing Authorization and CSRF Protection on Document and Folder Deletion 20.03.2026 9.1
CVE-2026-32767 SiYuan: Authorization Bypass Allows Arbitrary SQL Execution via Search API 20.03.2026 9.8
CVE-2026-32985 Xerte Online Toolkits <= 3.14 Unauthenticated Template Import Arbitrary File Upload Leading to Remote Code Execution 20.03.2026 9.3
CVE-2026-32760 File Browser Self Registration Grants Any User Admin Access When Default Permissions Include Admin 19.03.2026 10
CVE-2026-22732 Under Some Conditions Spring Security HTTP Headers Are not Written 21.03.2026 9.1
CVE-2026-29103 SuiteCRM Vulnerable to Remote Code Execution via Module Loader Package Scanner Bypass 20.03.2026 9.1
CVE-2026-32038 OpenClaw - Sandbox Network Isolation Bypass via docker.network=container Parameter 20.03.2026 9.3
CVE-2026-30872 OpenWrt Project has a Stack-based Buffer Overflow vulnerability via IPv6 reverse DNS lookup 20.03.2026 9.5
CVE-2026-30871 OpenWrt Project has Stack-based Buffer Overflow in DNS PTR Query 20.03.2026 9.5
CVE-2026-32754 FreeScout: Stored XSS via Unescaped Email Template Rendering ({!! $thread->body !!}) 20.03.2026 9.3
CVE-2026-32194 Microsoft Bing Images Remote Code Execution Vulnerability 21.03.2026 9.8
CVE-2026-32169 Azure Cloud Shell Elevation of Privilege Vulnerability 21.03.2026 10
CVE-2026-32191 Microsoft Bing Images Remote Code Execution Vulnerability 21.03.2026 9.8
CVE-2026-30924 qui CORS Misconfiguration: Arbitrary Origins Trusted 20.03.2026 9
CVE-2026-4428 CRL Distribution Point Scope Check Logic Error in AWS-LC 19.03.2026 9.1
CVE-2026-30836 Step CA: Unauthenticated Certificate Issuance via SCEP UpdateReq (MessageType=18) 19.03.2026 10
CVE-2026-32238 OpenEMR has Remote Code Execution in backup functionality 20.03.2026 9.1
CVE-2026-32865 OPEXUS eComplaint and eCase insecure password reset 19.03.2026 9.2
CVE-2026-22557 19.03.2026 10
CVE-2026-27065 WordPress BuilderPress plugin <= 2.0.1 - Local File Inclusion vulnerability 19.03.2026 9.8
CVE-2026-27067 WordPress Mobile App Editor plugin <= 1.3.1 - Arbitrary File Upload vulnerability 19.03.2026 9.1
CVE-2025-60233 WordPress Zuut theme <= 1.4.2 - PHP Object Injection vulnerability 19.03.2026 9.8
CVE-2025-60237 WordPress Finag theme <= 1.5.0 - PHP Object Injection vulnerability 19.03.2026 9.8
CVE-2026-27413 WordPress Profile Builder Pro plugin <= 3.13.9 - SQL Injection vulnerability 19.03.2026 9.3
CVE-2026-27540 WordPress Woocommerce Wholesale Lead Capture plugin <= 2.0.3.1 - Arbitrary File Upload vulnerability 19.03.2026 9
CVE-2026-27542 WordPress Woocommerce Wholesale Lead Capture plugin <= 2.0.3.1 - Privilege Escalation vulnerability 19.03.2026 9.8
CVE-2026-32731 ApostropheCMS has Arbitrary File Write (Zip Slip / Path Traversal) in Import-Export Gzip Extraction 19.03.2026 10
CVE-2026-32698 OpenProject has a SQL Injection via Custom Field Name that can be chained to Remote Code Execution 19.03.2026 9.1
CVE-2026-32703 OpenProject's repository files are served with the MIME type allowing them to be used to bypass Content Security Policy 19.03.2026 9.1
CVE-2026-25873 OmniGen2-RL Reward Server Unsafe Deserialization RCE 19.03.2026 9.3
CVE-2026-32633 Glances's Browser API Exposes Reusable Downstream Credentials via `/api/4/serverslist` 18.03.2026 9.1
CVE-2026-2991 KiviCare – Clinic & Patient Management System (EHR) <= 4.1.2 - Unauthenticated Authentication Bypass via Social Login Token 18.03.2026 9.8
CVE-2026-25449 WordPress Traveler theme < 3.2.8.1 - PHP Object Injection vulnerability 18.03.2026 9.8
CVE-2026-30884 mdjnelson/moodle-mod_customcert Vulnerable to Authorization Bypass Through User-Controlled Key 18.03.2026 9.6
CVE-2026-31938 jsPDF has HTML Injection in New Window paths 18.03.2026 9.6
CVE-2026-21994 18.03.2026 9.8
CVE-2026-32841 Edimax GS-5008PL <= 1.00.54 Global Authentication State Across All Clients 18.03.2026 9.2
CVE-2026-25769 Wazuh Cluster vulnerable to Remote Code Execution via Insecure Deserialization 18.03.2026 9.1
CVE-2026-25770 Wazuh has Privilege Escalation to Root via Cluster Protocol File Write 18.03.2026 9.1
CVE-2026-25534 Spinnaker clouddriver and orca URL validation bypass via underscores in hostnames 17.03.2026 9.1
CVE-2026-32292 GL-iNet Comet (GL-RM1) KVM insufficient login rate-limiting 17.03.2026 9.3
CVE-2026-32295 JetKVM insufficient login rate limiting 17.03.2026 9.3
CVE-2026-32297 Angeet ES3 KVM unauthenticated arbitrary file write 17.03.2026 9.3
CVE-2026-3564 ScreenConnect Instance Level Cryptographic Material Exposure 18.03.2026 9
CVE-2026-4312 DrangSoft|GCB/FCB Audit Software - Missing Authentication 17.03.2026 9.3
CVE-2026-28430 Chamilo LMS Vulnerable to Unauthenticated SQL Injection in chamiko-lms model.ajax.php 17.03.2026 9.3
CVE-2026-27962 Authlib JWS JWK Header Injection: Signature Verification Bypass 18.03.2026 9.1
CVE-2026-4254 Tenda AC8 HTTP Endpoint SysToolChangePwd doSystemCmd stack-based overflow 16.03.2026 9.3
CVE-2026-23489 Fields GLPI plugin vulnerable to RCE in dropdown generation 16.03.2026 9.1
CVE-2026-4252 Tenda AC8 IPv6 check_is_ipv6 ip address for authentication 16.03.2026 9.3
CVE-2025-62319 Boolean-Based SQL Injection in Multiple Unica Components 17.03.2026 9.8
CVE-2017-20223 Telesquare SKT LTE Router SDT-CS3B1 Insecure Direct Object Reference 16.03.2026 9.3
CVE-2017-20224 Telesquare SKT LTE Router SDT-CS3B1 WebDAV Arbitrary File Upload 16.03.2026 9.3
CVE-2026-4184 D-Link DIR-816 goahead form2Wl5BasicSetup.cgi stack-based overflow 16.03.2026 9.3
CVE-2026-4183 D-Link DIR-816 goahead form2WlanBasicSetup.cgi stack-based overflow 16.03.2026 9.3
CVE-2026-4181 D-Link DIR-816 goahead form2RepeaterStep2.cgi stack-based overflow 16.03.2026 9.3
CVE-2026-4182 D-Link DIR-816 goahead form2Wl5RepeaterStep2.cgi stack-based overflow 16.03.2026 9.3
CVE-2016-20024 ZKTeco ZKTime.Net 3.0.1.6 Insecure File Permissions Privilege Escalation 16.03.2026 9.3
CVE-2016-20026 ZKTeco ZKBioSecurity 3.0 Hardcoded Credentials Remote Code Execution 16.03.2026 9.3
CVE-2016-20030 ZKTeco ZKBioSecurity 3.0 User Enumeration via authLoginAction 16.03.2026 9.3
CVE-2026-4170 Topsec TopACM HTTP Request nmc_sync.php os command injection 16.03.2026 9.3
CVE-2026-4164 Wavlink WL-WN578W2 POST Request wireless.cgi GuestWifi command injection 17.03.2026 9.3
CVE-2026-4163 Wavlink WL-WN579A3 POST Request wireless.cgi GuestWifi command injection 17.03.2026 9.3

Latest Updates

CVE Title Updated Score
CVE-2019-25573 Green CMS 2.x SQL Injection via cat Parameter 21.03.2026
CVE-2019-25574 Green CMS 2.x Path Traversal Arbitrary File Download 21.03.2026
CVE-2019-25575 SimplePress CMS 1.0.7 SQL Injection via p and s Parameters 21.03.2026
CVE-2019-25576 Kepler Wallpaper Script 1.1 SQL Injection via category 21.03.2026
CVE-2019-25577 SeoToaster Ecommerce 3.0.0 Local File Inclusion via backend_theme 21.03.2026
CVE-2019-25578 phpTransformer 2016.9 SQL Injection via GeneratePDF.php 21.03.2026
CVE-2019-25579 phpTransformer 2016.9 Directory Traversal via jQueryFileUpload 21.03.2026
CVE-2019-25580 ownDMS 4.7 SQL Injection via pdfstream.php imagestream.php 21.03.2026
CVE-2019-25581 i-doit CMDB 1.12 SQL Injection via objGroupID Parameter 21.03.2026
CVE-2019-25582 i-doit CMDB 1.12 Arbitrary File Download via file_manager Parameter 21.03.2026
CVE-2026-4516 Foundation Agents MetaGPT DataInterpreter write_analysis_code.py injection 21.03.2026
CVE-2019-25544 Pidgin 2.13.0 Denial of Service via Malformed Username 21.03.2026
CVE-2019-25545 Terminal Services Manager 3.2.1 Local Buffer Overflow Denial of Service 21.03.2026
CVE-2019-25546 NetAware 1.20 Share Name Denial of Service 21.03.2026
CVE-2019-25547 NetAware 1.20 Denial of Service via Add Block Buffer Overflow 21.03.2026
CVE-2019-25548 BlueStacks 4.80.0.1060 Denial of Service via Search Field 21.03.2026
CVE-2019-25549 VeryPDF PCL Converter 2.7 Denial of Service via PDF Security 21.03.2026
CVE-2019-25550 Encrypt PDF 2.3 Denial of Service via Buffer Overflow 21.03.2026
CVE-2019-25551 Sandboxie 5.30 Denial of Service via Program Alerts Buffer Overflow 21.03.2026
CVE-2019-25552 CEWE PHOTO SHOW 6.4.3 Denial of Service via Password Field 21.03.2026
CVE-2019-25553 CEWE PHOTO IMPORTER 6.4.3 Denial of Service via Malformed Image 21.03.2026
CVE-2019-25554 Tomabo MP4 Converter 3.25.22 Denial of Service via Name Field 21.03.2026
CVE-2019-25555 TwistedBrush Pro Studio 24.06 Script Recorder Denial of Service 21.03.2026
CVE-2019-25556 TwistedBrush Pro Studio 24.06 Resize Image Denial of Service 21.03.2026
CVE-2019-25557 TwistedBrush Pro Studio 24.06 Denial of Service via srp File 21.03.2026
CVE-2019-25558 Selfie Studio 2.17 Denial of Service via Resize Image 21.03.2026
CVE-2019-25559 SpotPaltalk 1.1.5 Name/Key Field Denial of Service 21.03.2026
CVE-2019-25560 Lyric Video Creator 2.1 Denial of Service via MP3 File 21.03.2026
CVE-2019-25561 Lyric Maker 2.0.1.0 Denial of Service via Buffer Overflow 21.03.2026
CVE-2019-25562 jetAudio 8.1.7 Denial of Service via File Naming Buffer Overflow 21.03.2026
CVE-2019-25563 PCHelpWareV2 1.0.0.5 Denial of Service via SC Creation 21.03.2026
CVE-2019-25564 PCHelpWareV2 1.0.0.5 Denial of Service via Group Field 21.03.2026
CVE-2019-25565 Magic Iso Maker 5.5 Buffer Overflow Denial of Service 21.03.2026
CVE-2019-25566 TransMac 12.3 Denial of Service via Volume Name Field 21.03.2026
CVE-2019-25567 Valentina Studio 9.0.5 Linux Buffer Overflow via Host Field 21.03.2026
CVE-2019-25568 Memu Play 6.0.7 Privilege Escalation via Insecure File Permissions 21.03.2026
CVE-2019-25569 RealTerm Serial Terminal 2.0.0.70 SEH Overflow Crash 21.03.2026
CVE-2019-25570 RealTerm Serial Terminal 2.0.0.70 Denial of Service via Port Field 21.03.2026
CVE-2019-25571 MediaMonkey 4.1.23 Denial of Service via Malformed URL 21.03.2026
CVE-2019-25572 NordVPN 6.19.6 Denial of Service via Email Field Buffer Overflow 21.03.2026
CVE-2026-4515 Foundation Agents MetaGPT operator.py code_generate code injection 21.03.2026
CVE-2026-4514 PbootCMS Backend UserController.php access control 21.03.2026
CVE-2026-4513 vanna-ai vanna base.py ask sql injection 21.03.2026
CVE-2026-4511 vanna-ai vanna legacy exec injection 21.03.2026
CVE-2026-4373 JetFormBuilder <= 3.5.6.2 - Unauthenticated Arbitrary File Read via Media Field 21.03.2026 7.5
CVE-2026-4510 PbootCMS Parameter MemberController.php alert_location cross site scripting 21.03.2026
CVE-2026-4509 PbootCMS File Upload file.php incomplete blacklist 21.03.2026
CVE-2024-13785 Contact Form, Survey, Quiz & Popup Form Builder – ARForms <= 1.7.2 - Unauthenticated Blind Arbitrary Shortcode Execution 21.03.2026 5.6
CVE-2025-13910 WP-WebAuthn <= 1.3.4 - Unauthenticated Stored Cross-Site Scripting 21.03.2026 6.1
CVE-2025-14037 Invelity Products Feeds <= 1.2.6 - Cross-Site Request Forgery to Arbitrary File Deletion 21.03.2026 8.1
CVE-2026-0609 Logo Slider <= 4.9.0 - Authenticated (Author+) Stored Cross-Site Scripting via 'logo-slider' Shortcode 21.03.2026 6.4
CVE-2026-1093 WPFAQBlock – FAQ & Accordion Plugin For Gutenberg <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'class' Shortcode Attribute 21.03.2026 6.4
CVE-2026-1247 Survey <= 1.1 - Authenticated (Administrator+) Stored Cross-Site Scripting via Plugin Settings 21.03.2026 4.4
CVE-2026-1253 Group Chat & Video Chat by AtomChat <= 1.1.7 - Missing Authorization to Authenticated (Subscriber+) Plugin Options Update 21.03.2026 5.3
CVE-2026-1275 Multi Post Carousel by Category <= 1.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'slides' Shortcode Attribute 21.03.2026 6.4
CVE-2026-1278 Mandatory Field <= 1.6.8 - Authenticated (Administrator+) Stored Cross-Site Scripting via Settings Fields 21.03.2026 4.4
CVE-2026-1313 MimeTypes Link Icons <= 3.2.20 - Authenticated (Contributor+) Server-Side Request Forgery via Crafted Links in Post Content 21.03.2026 8.3
CVE-2026-1378 WP Posts Re-order <= 1.0 - Cross-Site Request Forgery to Settings Update 21.03.2026 4.3
CVE-2026-1390 Redirect countdown <= 1.0 - Cross-Site Request Forgery to Settings Update 21.03.2026 4.3
CVE-2026-1392 SR WP Minify HTML <= 2.1 - Cross-Site Request Forgery to Settings Update 21.03.2026 4.3
CVE-2026-1393 Add Google Social Profiles to Knowledge Graph Box <= 1.0 - Cross-Site Request Forgery to Settings Update 21.03.2026 4.3
CVE-2026-1397 PQ Addons – Creative Elementor Widgets <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Widget Attributes 21.03.2026 6.4
CVE-2026-1503 login_register <= 1.2.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting 21.03.2026 4.3
CVE-2026-1575 Schema Shortcode <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode 21.03.2026 6.4
CVE-2026-1647 Comment Genius <= 1.2.5 - Reflected Cross-Site Scripting via $_SERVER['PHP_SELF'] 21.03.2026 6.1
CVE-2026-1648 Performance Monitor <= 1.0.6 - Unauthenticated Server-Side Request Forgery via 'url' Parameter 21.03.2026 7.2
CVE-2026-1800 Fonts Manager | Custom Fonts <= 1.2 - Unauthenticated SQL Injection via fmcfIdSelectedFnt parameter 21.03.2026 7.5
CVE-2026-1806 Tour & Activity Operator Plugin for TourCMS <= 1.7.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes 21.03.2026 6.4
CVE-2026-1822 WP NG Weather <= 1.0.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes 21.03.2026 6.4
CVE-2026-1851 iVysilani Shortcode <= 3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'width' Shortcode Attribute 21.03.2026 6.4
CVE-2026-1854 Post Flagger <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'slug' Shortcode Attribute 21.03.2026 6.4
CVE-2026-1886 Go Night Pro | WordPress Dark Mode Plugin <= 1.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'margin' Shortcode Attribute 21.03.2026 6.4
CVE-2026-1889 Outgrow <= 2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'outgrow' Shortcode 'id' Attribute 21.03.2026 6.4
CVE-2026-1891 Simple Football Scoreboard <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes 21.03.2026 6.4
CVE-2026-1899 Any Post Slider <= 1.0.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'post_type' Shortcode Attribute 21.03.2026 6.4
CVE-2026-1908 Integration with Hubspot Forms <= 1.2.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes 21.03.2026 6.4
CVE-2026-1911 Twitter Feeds <= 1.0.0 - Authenticated (Contributor+) Cross-Site Scripting via 'tweet_title' Shortcode Attribute 21.03.2026 6.4
CVE-2026-1914 FuseDesk <= 6.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'emailtext' Shortcode Attribute 21.03.2026 6.4
CVE-2026-1935 Company Posts for LinkedIn <= 1.0.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary LinkedIn Post Data Deletion 21.03.2026 4.3
CVE-2026-2121 Weaver Show Posts <= 1.8.1 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'Additional Classes to Wrap Posts' Widget Setting 21.03.2026 4.4
CVE-2026-2277 rexCrawler <= 1.0.15 - Reflected Cross-Site Scripting via 'url' and 'regex' Parameters 21.03.2026 6.1
CVE-2026-2279 myLinksDump <= 1.6 - Authenticated (Administrator+) SQL Injection via 'sort_by' and 'sort_order' Parameters 21.03.2026 7.2
CVE-2026-2290 Post Affiliate Pro <= 1.28.0 - Authenticated (Administrator+) Server-Side Request Forgery via 'Post Affiliate Pro URL' Field 21.03.2026 6.5
CVE-2026-2294 UiPress lite | Effortless custom dashboards, admin themes and pages <= 3.5.09 - Missing Authorization to Authenticated (Subscriber+) Plugin Settings Update 21.03.2026 4.3
CVE-2026-2351 Task Manager <= 3.0.2 - Authenticated (Subscriber+) Arbitrary File Read 21.03.2026 6.5
CVE-2026-2375 App Builder – Create Native Android & iOS Apps On The Flight <= 5.5.10 - Unauthenticated Privilege Escalation via 'role' Parameter 21.03.2026 6.5
CVE-2026-2424 Reward Video Ad for WordPress <= 1.6 - Authenticated (Administrator+) Stored Cross-Site Scripting via Admin Settings 21.03.2026 4.4
CVE-2026-2427 itsukaita <= 0.1.2 - Reflected Cross-Site Scripting via 'day_from' Parameter 21.03.2026 6.1
CVE-2026-2440 SurveyJS: Drag & Drop Form Builder <= 2.5.3 - Unauthenticated Stored Cross-Site Scripting 21.03.2026 7.2
CVE-2026-2468 Quentn WP <= 1.2.12 - Unauthenticated SQL Injection via 'qntn_wp_access' Cookie 21.03.2026 7.5
CVE-2026-2496 Ed's Font Awesome <= 2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes 21.03.2026 6.4
CVE-2026-2501 Ed's Social Share <= 2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes 21.03.2026 6.4
CVE-2026-2503 ElementCamp <= 2.3.6 - Authenticated (Author+) SQL Injection via 'meta_query[compare]' Parameter 21.03.2026 6.5
CVE-2026-2720 Hr Press Lite <= 1.0.2 - Missing Authorization to Authenticated (Subscriber+) Sensitive Employee Information Exposure 21.03.2026 6.5
CVE-2026-2723 Post Snippits <= 1.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting via Settings Update 21.03.2026 6.1
CVE-2026-2837 Ricerca – advanced search <= 1.1.12 - Authenticated (Administrator+) Stored Cross-Site Scripting via Plugin's Settings 21.03.2026 4.4
CVE-2026-2941 Linksy Search and Replace <= 1.0.4 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Database Update via linksy_search_and_replace_item_details 21.03.2026 8.8
CVE-2026-3003 Vagaro Booking Widget <= 0.3 - Unauthenticated Stored Cross-Site Scripting via 'vagaro_code' 21.03.2026 7.2
CVE-2026-3331 Lobot Slider Administrator <= 0.6.0 - Cross-Site Request Forgery to Settings Update 21.03.2026 4.3
CVE-2026-3332 Xhanch - My Advanced Settings <= 1.1.2 - Cross-Site Request Forgery to Settings Update 21.03.2026 4.3
CVE-2026-3333 MinhNhut Link Gateway <= 3.6.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes 21.03.2026 6.4
CVE-2026-3334 CMS Commander <= 2.288 - Authenticated (Custom+) SQL Injection via 'or_blogname' Parameter 21.03.2026 8.8
CVE-2026-3335 Canto <= 3.1.1 - Missing Authorization to Unauthenticated File Upload 21.03.2026 5.3
CVE-2026-3347 Multi Functional Flexi Lightbox <= 1.2 - Authenticated (Admin+) Stored Cross-Site Scripting via 'message' Parameter 21.03.2026 5.5
CVE-2026-3353 Comment SPAM Wiper <= 1.2.1 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'API Key' Setting 21.03.2026 4.4
CVE-2026-3354 Wikilookup <= 1.1.5 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'Popup Width' Setting 21.03.2026 4.4
CVE-2026-3460 REST API TO MiniProgram <= 5.1.2 - Authenticated (Subscriber+) Insecure Direct Object Reference via 'userid' REST API Parameter 21.03.2026 5.3
CVE-2026-3478 Content Syndication Toolkit <= 1.3 - Unauthenticated Server-Side Request Forgery via 'url' Parameter 21.03.2026 7.2
CVE-2026-3506 WP-Chatbot for Messenger <= 4.9 - Missing Authorization to Unauthenticated Chatbot Configuration Takeover 21.03.2026 5.3
CVE-2026-3546 e-shot <= 1.0.2 - Missing Authorization to Authenticated (Subscriber+) Sensitive Information Exposure via API Token via 'eshot_form_builder_get_account_data' AJAX Action 21.03.2026 5.3
CVE-2026-3554 Sherk Custom Post Type Displays <= 1.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'title' Shortcode Attribute 21.03.2026 6.4
CVE-2026-3570 Smarter Analytics <= 2.0 - Missing Authorization to Unauthenticated Plugin Settings Reset via 'reset' Parameter 21.03.2026 5.3
CVE-2026-3617 Paypal Shortcodes <= 0.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'amount' and 'name' Shortcode Attributes 21.03.2026 6.4
CVE-2026-3619 Sheets2Table <= 0.4.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'titles' Shortcode Attribute 21.03.2026 6.4
CVE-2026-3641 Appmax <= 1.0.3 - Missing Authorization to Order Status Manipulation and Arbitrary Order Creation via Webhook Endpoint 21.03.2026 5.3
CVE-2026-3645 Punnel <= 1.3.1 - Missing Authorization to Authenticated (Subscriber+) Settings Update via 'punnel_save_config' AJAX Action 21.03.2026 5.3
CVE-2026-3651 Build App Online <= 1.0.23 - Missing Authorization to Arbitrary Post Author Modification via 'build-app-online-update-vendor-product' AJAX Action 21.03.2026 5.3
CVE-2026-3996 WP Games Embed <= 0.1beta - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes 21.03.2026 6.4
CVE-2026-3997 Text Toggle <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'title' Shortcode Attribute 21.03.2026 6.4
CVE-2026-4004 Task Manager <= 3.0.2 - Authenticated (Subscriber+) Arbitrary Shortcode Execution via 'task_id' Parameter 21.03.2026 6.5
CVE-2026-4022 Show Posts list <= 1.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode 21.03.2026 6.4
CVE-2026-4067 Ad Short <= 2.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'client' Shortcode Attribute 21.03.2026 6.4
CVE-2026-4069 Alfie – Feed Plugin <= 1.2.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting via 'naam' Parameter 21.03.2026 6.1
CVE-2026-4072 WordPress PayPal Donation <= 1.01 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'amount' Shortcode Attribute 21.03.2026 6.4
CVE-2026-4077 Ecover Builder For Dummies <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'id' Shortcode Attribute 21.03.2026 6.4
CVE-2026-4084 fyyd podcast shortcodes <= 0.3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'color' Shortcode Attribute 21.03.2026 6.4
CVE-2026-4086 WP Random Button <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'cat' Shortcode Attribute 21.03.2026 6.4
CVE-2026-4087 Pre* Party Resource Hints <= 1.8.20 - Authenticated (Subscriber+) SQL Injection via 'hint_ids' Parameter 21.03.2026 6.5
CVE-2026-4127 Speedup Optimization <= 1.5.9 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Modification via 'speedup01_enabled' AJAX Action 21.03.2026 5.3
CVE-2026-4143 Neos Connector for Fakturama <= 0.0.14 - Cross-Site Request Forgery to Settings Update 21.03.2026 4.3
CVE-2026-4161 Review Map by RevuKangaroo <= 1.7 - Authenticated (Administrator+) Stored Cross-Site Scripting via Plugin Settings 21.03.2026 4.4
CVE-2026-4261 Expire Users <= 1.2.2 - Authenticated (Subscriber+) Privilege Escalation to Administrator via save_extra_user_profile_fields 21.03.2026 8.8
CVE-2026-4302 WowOptin: Next-Gen Popup Maker <= 1.4.29 - Unauthenticated Server-Side Request Forgery via 'link' Parameter in REST API 21.03.2026 7.2
CVE-2026-32042 OpenClaw < 2026.2.25 - Privilege Escalation via Unpaired Device Identity in Shared Gateway Authentication 21.03.2026
CVE-2026-32043 OpenClaw < 2026.2.25 - Time-of-Check-Time-of-Use via Mutable Symlink in system.run cwd Parameter 21.03.2026
CVE-2026-32044 OpenClaw < 2026.3.2 - Tar Archive Safety Bypass in Skills Installation 21.03.2026
CVE-2026-32045 OpenClaw < 2026.2.21 - Authentication Bypass in HTTP Gateway Routes via Tokenless Tailscale Auth 21.03.2026
CVE-2026-32046 OpenClaw < 2026.2.21 - OS-level Sandbox Bypass via --no-sandbox Flag 21.03.2026
CVE-2026-32048 OpenClaw < 2026.3.1 - Sandbox Escape via Cross-Agent sessions_spawn 21.03.2026
CVE-2026-32049 OpenClaw < 2026.2.22 - Denial of Service via Inbound Media Download Byte Limit Bypass 21.03.2026
CVE-2026-32050 OpenClaw < 2026.2.25 - Unauthorized Reaction Status Event Enqueue via Access Check Bypass 21.03.2026
CVE-2026-32051 OpenClaw < 2026.3.1 - Authorization Bypass in Agent Runs via Owner-Only Tool Access 21.03.2026
CVE-2026-32052 OpenClaw < 2026.2.24 - Hidden Command Execution via Shell-Wrapper Positional argv Carriers 21.03.2026
CVE-2026-32053 OpenClaw < 2026.2.23 - Twilio Webhook Replay Bypass via Randomized Event ID Normalization 21.03.2026
CVE-2026-32054 OpenClaw < 2026.2.25 - Symlink Traversal in Browser Trace/Download Path Handling 21.03.2026
CVE-2026-32055 OpenClaw < 2026.2.26 - Workspace Path Boundary Bypass via Non-existent Symlink 21.03.2026
CVE-2026-32056 OpenClaw < 2026.2.22 - Remote Code Execution via Shell Startup Environment Variable Injection in system.run 21.03.2026
CVE-2026-32057 OpenClaw < 2026.2.25 - Authentication Bypass via Control UI client.id Parameter 21.03.2026
CVE-2026-32058 OpenClaw < 2026.2.26 - Approval Context-Binding Weakness in system.run via host=node 21.03.2026
CVE-2026-32064 OpenClaw < 2026.2.21 - Missing VNC Authentication in Sandbox Browser noVNC Observer 21.03.2026
CVE-2026-32065 OpenClaw < 2026.2.25 - Approval Identity Mismatch in system.run Command Execution 21.03.2026
CVE-2026-32067 OpenClaw < 2026.2.26 - Cross-Account Authorization Bypass in DM Pairing Store 21.03.2026
CVE-2026-32895 OpenClaw < 2026.2.26 - Sender Authorization Bypass in Slack System Event Handlers 21.03.2026
CVE-2026-32896 OpenClaw < 2026.2.21 - Unauthenticated Webhook Access via Passwordless Fallback in BlueBubbles Plugin 21.03.2026
CVE-2026-32897 OpenClaw < 2026.2.22 - Authentication Token Reuse in Owner ID Prompt Hashing Fallback 21.03.2026
CVE-2026-32898 OpenClaw < 2026.2.23 - ACP Permission Auto-Approval Bypass via Untrusted Tool Metadata 21.03.2026
CVE-2026-32899 OpenClaw < 2026.2.25 - Sender Policy Bypass in Slack Reaction and Pin Event Handlers 21.03.2026
CVE-2026-24060 Automated Logic WebCTRL Premium Server Cleartext Transmission of Sensitive Information 20.03.2026 9.1
CVE-2026-2352 Autoptimize <= 3.1.14 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'ao_post_preload' Meta Value 20.03.2026 6.4
CVE-2026-2430 Autoptimize <= 3.1.14 - Authenticated (Contributor+) Stored Cross-Site Scripting via Lazy-loaded Image Attributes 20.03.2026 6.4
CVE-2026-33237 AVideo has SSRF in Scheduler Plugin via callbackURL Missing `isSSRFSafeURL()` Validation 20.03.2026 5.5
CVE-2026-33238 AVideo has a Path Traversal in listFiles.json.php that Enables Server Filesystem Enumeration 20.03.2026 4.3
CVE-2026-33427 Discourse Authorization Page Displays Unvalidated Redirect Domain 20.03.2026
CVE-2026-33428 Discourse Allows Unauthorized Access to Deleted Posts Index via Group Membership 20.03.2026
CVE-2026-3339 Keep Backup Daily <= 2.1.1 - Authenticated (Admin+) Limited Path Traversal via 'kbd_path' Parameter 20.03.2026 2.7
CVE-2026-3350 Image Alt Text Manager <= 1.8.2 - Authenticated (Author+) Stored Cross-Site Scripting via Post Title 20.03.2026 6.4
CVE-2026-3368 Injection Guard <= 1.2.9 - Unauthenticated Stored Cross-Site Scripting via Query Parameter Name 20.03.2026 7.2
CVE-2026-3474 EmailKit <= 1.6.3 - Authenticated (Administrator+) Path Traversal via 'emailkit-editor-template' REST API Parameter 20.03.2026 4.9
CVE-2026-3516 Contact List <= 3.0.18 - Authenticated (Contributor+) Stored Cross-Site Scripting via '_cl_map_iframe' Parameter 20.03.2026 6.4
CVE-2026-3567 RepairBuddy <= 4.1132 - Missing Authorization to Authenticated (Subscriber+) Plugin Settings Modification via wc_rep_shop_settings_submission AJAX Action 20.03.2026 5.3
CVE-2026-3572 iTracker360 <= 2.2.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting via 'itracker_license' Settings Field 20.03.2026 6.1
CVE-2026-3577 Keep Backup Daily <= 2.1.2 - Authenticated (Admin+) Stored Cross-Site Scripting via Backup Title 20.03.2026 4.4
CVE-2026-4083 Scoreboard for HTML5 Games Lite <= 1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes 20.03.2026 6.4
CVE-2026-25086 Automated Logic WebCTRL Premium Server Multiple Binds to the Same Port 20.03.2026 7.7
CVE-2026-32666 Automated Logic WebCTRL Premium Server Authentication Bypass by Spoofing 20.03.2026 7.5
CVE-2026-33424 PM access granted through invites after access revocation 20.03.2026 5.9
CVE-2026-33425 Discourse has inferable private group membership or existence via exclude_groups parameter 20.03.2026
CVE-2026-33426 Discourse users can edit or synonymize hidden tags they can't see 20.03.2026 3.5
CVE-2026-31926 IGL-Technologies eParking.fi Insufficiently Protected Credentials 20.03.2026 6.5
CVE-2026-32663 IGL-Technologies eParking.fi Insufficient Session Expiration 20.03.2026 7.3
CVE-2026-33210 Ruby JSON has a format string injection vulnerability 20.03.2026
CVE-2026-33221 Nhost Storage Affected by MIME Type Spoofing via Trusted Client Content-Type Header in Storage Upload 20.03.2026
CVE-2026-33226 Budibase Unrestricted Server-Side Request Forgery (SSRF) via REST Datasource Query Preview 20.03.2026 8.7
CVE-2026-33228 flatted: Prototype Pollution via parse() 20.03.2026
CVE-2026-33411 Discourse's solved topic stream has potential stored XSS in topic title 20.03.2026 5.4
CVE-2026-33422 Discourse exposes ip_address of flagged user 20.03.2026 3.5
CVE-2026-33423 Discourse staff can modify any user's group notification level 20.03.2026
CVE-2026-21732 GPU DDK - libusc OOB write at ConvertSwitchToArrayLookupBP during WebGPU shader compilation 20.03.2026
CVE-2026-22163 GPU DDK - Unsafe writing of MMU PT entries on systems with 32-bit host CPU 20.03.2026
CVE-2026-27649 CTEK Chargeportal Insufficient Session Expiration 20.03.2026 7.3
CVE-2026-28204 CTEK Chargeportal Insufficiently Protected Credentials 20.03.2026 6.5
CVE-2026-29796 IGL-Technologies eParking.fi Missing Authentication for Critical Function 20.03.2026 9.4
CVE-2026-31903 IGL-Technologies eParking.fi Improper Restriction of Excessive Authentication Attempts 20.03.2026 7.5
CVE-2026-31904 CTEK Chargeportal Improper Restriction of Excessive Authentication Attempts 20.03.2026 7.5
CVE-2026-33231 NLTK has unauthenticated remote shutdown in nltk.app.wordnet_app 20.03.2026 7.5
CVE-2026-33236 NLTK has a Downloader Path Traversal Vulnerability (AFO) - Arbitrary File Overwrite 20.03.2026 8.1
CVE-2026-33243 barebox: FIT Signature Verification Bypass Vulnerability 20.03.2026 8.3
CVE-2026-33251 Discourse has a Hidden Solved topics permission bypass 20.03.2026 5.4
CVE-2026-33291 Discourse user can create Zendesk tickets even when it does not have access to topic 20.03.2026
CVE-2026-25192 CTEK Chargeportal Missing Authentication for Critical Function 20.03.2026 9.4
CVE-2026-32733 Halloy has a file transfer path traversal vulnerability 20.03.2026
CVE-2026-32810 Halloy has insecure file permissions on credential files 20.03.2026
CVE-2026-33194 SiYuan has an Incomplete Fix for IsSensitivePath Denylist Allows File Read from /opt, /usr, /home 20.03.2026 6.8
CVE-2026-33203 SiYuan has an Unauthenticated WebSocket DoS via Auth Keepalive Bypass 20.03.2026 7.5
CVE-2026-33204 SimpleJWT has an Unauthenticated Denial of Service via JWE header tampering 20.03.2026 7.5
CVE-2026-33209 Avo has a XSS vulnerability on `return_to` param 20.03.2026
CVE-2026-33230 nltk Vulnerable to Cross-site Scripting 20.03.2026 6.1
CVE-2026-33476 SiYuan has an Unauthenticated Arbitrary File Read via Path Traversal 20.03.2026 7.5
CVE-2026-4508 PbootCMS Member Login MemberController.php checkUsername sql injection 20.03.2026
CVE-2026-2598 20.03.2026
CVE-2026-33180 HAPI FHIR HTTP authentication leak in redirects 20.03.2026 7.5
CVE-2026-33186 gRPC-Go has an authorization bypass via missing leading slash in :path 20.03.2026 9.1
CVE-2026-3864 CSI Driver for NFS path traversal via subDir may delete unintended directories on the NFS server 20.03.2026 6.5
CVE-2026-23536 Feast: unauthenticated arbitrary file read 20.03.2026
CVE-2026-4506 Mindinventory MindSQL mindsql_core.py ask_db code injection 20.03.2026
CVE-2026-4507 Mindinventory MindSQL mindsql_core.py ask_db sql injection 20.03.2026
CVE-2026-32887 Effect Bug: `AsyncLocalStorage` context lost/contaminated inside Effect fibers under concurrent load with RPC 20.03.2026 7.4
CVE-2026-33166 Allure Report has an Arbitrary File Read via Path Traversal in Attachment Processing (Allure 1, Allure 2, and XCTest Readers) 20.03.2026 8.6
CVE-2026-33171 Statamic has a path traversal in file dictionary fieldtype 20.03.2026 4.3
CVE-2026-33172 Statamic has Stored XSS via SVG Sanitization Bypass 20.03.2026 8.7
CVE-2026-33177 Statamic is missing authorization check on taxonomy term creation via fieldtype 20.03.2026 4.3
CVE-2026-2378 Address bar spoofing risk in ArcSearch on Android 20.03.2026 7.4
CVE-2026-3584 Kali Forms <= 2.4.9 - Unauthenticated Remote Code Execution via form_process 20.03.2026 9.8
CVE-2025-55988 20.03.2026
CVE-2026-33164 NULL Pointer Dereference in libde265 20.03.2026
CVE-2026-33165 heap out-of-bounds write in libde265 1.0.16 20.03.2026 5.5
CVE-2026-33150 Use After Free in libfuse 20.03.2026 7.8
CVE-2026-33154 dynaconf Affected by Remote Code Execution (RCE) via Insecure Template Evaluation in @jinja Resolver 20.03.2026 7.5
CVE-2026-33155 DeepDiff has Memory Exhaustion DoS through SAFE_TO_IMPORT 20.03.2026
CVE-2026-33156 DLL Sideloading in ScreenToGif 20.03.2026 7.8
CVE-2026-33179 libfuse: NULL Pointer Dereference and Memory Leak in io_uring Queue Initialization 20.03.2026 5.5
CVE-2025-63261 20.03.2026
CVE-2026-33142 OneUptime: ClickHouse SQL Injection via unvalidated column identifiers in sort, select, and groupBy parameters 20.03.2026 8.1
CVE-2026-33143 OneUptime: WhatsApp Webhook Missing Signature Verification 20.03.2026
CVE-2026-33144 GPAC MP4Box Heap Buffer Overflow Write in gf_xml_parse_bit_sequence_bs (NHML BS Parsing) 20.03.2026 5.8
CVE-2026-33147 GMT: Stack-based Buffer Overflow in gmt_remote_dataset_id 20.03.2026 7.3
CVE-2026-33151 socket.io allows an unbounded number of binary attachments 20.03.2026
CVE-2026-33126 Frigate has SSRF vulnerability in /ffprobe endpoint 20.03.2026 5
CVE-2026-33139 PySpector: Plugin Sandbox Bypass leads to Arbitrary Code Execution 20.03.2026
CVE-2026-33140 PySpector: Stored XSS in PySpector HTML Report Generation leads to Javascript Code Execution 20.03.2026
CVE-2026-4437 gethostbyaddr and gethostbyaddr_r may incorrectly handle DNS response 20.03.2026
CVE-2026-4438 gethostbyaddr and gethostbyaddr_r return invalid DNS hostnames 20.03.2026
CVE-2026-4504 eosphoros-ai db-gpt Incomplete Fix editor sql injection 20.03.2026
CVE-2026-4505 eosphoros-ai DB-GPT FastAPI Endpoint controller.py module_plugin.refresh_plugins unrestricted upload 20.03.2026
CVE-2025-63260 20.03.2026
CVE-2026-4499 D-Link DIR-820LW SSDP ssdpcgi_main os command injection 20.03.2026
CVE-2026-4500 bagofwords1 bagofwords code_execution.py generate_df injection 20.03.2026
CVE-2026-4497 Totolink WA300 cstecgi.cgi recvUpgradeNewFw os command injection 20.03.2026
CVE-2026-32317 Cryptomator for Android: Tampered vault configuration allows MITM attack on Hub API 20.03.2026 7.6
CVE-2026-32318 Cryptomator for iOS: Tampered vault configuration allows MITM attack on Hub API 20.03.2026 7.6
CVE-2026-32710 Heap-based Buffer Overflow in MariaDB 20.03.2026 8.6
CVE-2026-33010 mcp-memory-service's Wildcard CORS with Credentials Enables Cross-Origin Memory Theft 20.03.2026 8.1
CVE-2026-4496 sigmade Git-MCP-Server gitUtils.ts child_process.exec os command injection 20.03.2026