CVE Field Guide

Critical CVEs

CVE Title Updated Score
CVE-2024-58351 Flowise - Remote Code Execution via overrideConfig Parameter 20.06.2026 9.3
CVE-2019-25763 WordPress Ultimate Addons for Beaver Builder 1.2.4.1 Authentication Bypass 20.06.2026 9.3
CVE-2022-50972 WooCommerce 7.1.0 Remote Code Execution via class-wc-meta-box-product-images.php 20.06.2026 9.3
CVE-2026-48908 Joomla Extension - joomshaper.com - Remote Code Execution in SP Pagebuilder extension for Joomla < 6.6.12 20.06.2026 10
CVE-2026-48909 Joomla Extension - joomshaper.com - PHP Object injection in SP LMS extension for Joomla < 4.1.4 20.06.2026 9.5
CVE-2026-48939 Joomla Extension - icagenda.com - Remote Code Execution in iCaganda extension for Joomla < 4.0.8/3.9.15 20.06.2026 10
CVE-2026-11551 Branda – White Label & Branding, Free Login Page Customizer <= 3.4.29 - Unauthenticated Privilege Escalation via Account Takeover 19.06.2026 9.8
CVE-2026-56073 Cap-go - OTP Bypass via Response Manipulation in Email Verification 19.06.2026 9.3
CVE-2026-56081 Cap-go - Account Lockout via 2FA Misconfiguration on Unverified Email 19.06.2026 9.3
CVE-2026-45480 Azure Active Directory Elevation of Privilege Vulnerability 19.06.2026 10
CVE-2026-48582 Microsoft Exchange Online Elevation of Privilege Vulnerability 19.06.2026 9.6
CVE-2026-48584 Microsoft Azure Synapse Elevation of Privilege Vulnerability 19.06.2026 9.9
CVE-2026-48772 ProxySQL: PROXY-Protocol-v1 UNKNOWN parses spoofed source IP, bypassing mysql_query_rules.client_addr ACL 19.06.2026 10
CVE-2026-48773 ProxySQL pre-auth heap overflow in MySQL and PostgreSQL first-packet handling 19.06.2026 9.8
CVE-2026-48137 Untrusted pointer dereference in NI grpc-device sideband streaming API 19.06.2026 9.3
CVE-2026-9142 Insecure Default Credentials vulnerability in NI grpc-device when TLS configuration is not present 19.06.2026 9.3
CVE-2026-44939 Command injection through unsanitized YAML parameter in Rancher 19.06.2026 9.4
CVE-2026-50242 19.06.2026 10
CVE-2026-56141 19.06.2026 9.8
CVE-2026-56142 19.06.2026 9.6
CVE-2026-54414 FileRise shared-folder upload path traversal allows arbitrary file write and admin takeover 19.06.2026 9.3
CVE-2026-7515 BetterDocs Pro <= 3.8.0 - Unauthenticated Local File Inclusion via doc_style 19.06.2026 9.8
CVE-2026-8713 Avada (Fusion) Builder <= 3.15.3 - Unauthenticated Arbitrary File Deletion via Form Entry Value 19.06.2026 9.1
CVE-2026-12045 pgAdmin 4: AI Assistant read-only transaction bypass allows unauthorised writes and remote code execution 18.06.2026 9.4
CVE-2026-12046 pgAdmin 4: Unauthenticated pickle deserialization in SQL Editor close / update_connection routes enables remote code execution 18.06.2026 9.5
CVE-2026-12048 pgAdmin 4: Stored XSS via untrusted error and plan-node text rendered through html-react-parser 18.06.2026 9.3
CVE-2026-40624 AVer PTC cameras Files or Directories Accessible to External Parties 18.06.2026 9.3
CVE-2026-47647 Dynamics 365 Elevation of Privilege Vulnerability 19.06.2026 9.9
CVE-2026-54130 M365 Copilot Information Disclosure Vulnerability 19.06.2026 9.8
CVE-2026-49257 mcp-pinot: Unauthenticated tool invocation via default oauth_enabled=False + host 0.0.0.0 bind 18.06.2026 10
CVE-2026-49454 Relyra SAML SignatureValue not cryptographically verified -> authentication bypass 18.06.2026 9.1
CVE-2026-49252 deepstream is vulnerable to prototype pollution 18.06.2026 9.9
CVE-2026-47846 18.06.2026 9.8
CVE-2026-54390 JTL Shop < 5.7.2 Server-Side Template Injection via Smarty Renderer 18.06.2026 9.3
CVE-2026-54103 U.S. GAO EPDS and CBCA EDS unauthenticated password change 19.06.2026 9.3
CVE-2026-55203 HAProxy - Integer Overflow in FCGI Demux Record Length Field 18.06.2026 9
CVE-2026-56020 Webmin HTTP header authentication bypass 19.06.2026 9.2
CVE-2026-11717 18.06.2026 9.3
CVE-2026-11718 18.06.2026 9.3
CVE-2026-54419 PIAF-HMS multiple unauthenticated SQL injection vulnerabilities via mysql_query 18.06.2026 9.3
CVE-2026-8024 Deserialization vulnerability in ibaPDA and ibaDatCoordinator 18.06.2026 9.3
CVE-2025-10560 Hardcoded cloud credentials in Worksnaps client application binaries expose production cloud resources 18.06.2026 9.3
CVE-2026-28573 18.06.2026 10
CVE-2026-55742 Cotonti CSRF in admin.rights.php allows privilege escalation 18.06.2026 9.4
CVE-2026-55740 SQL Injection in Nur-Alam39 bus-ticket bus_info.php via busid parameter 18.06.2026 9.3
CVE-2026-12569 Remote Code Execution (RCE) vulnerability in Windchill PDMlink 18.06.2026 9.3
CVE-2026-48768 TypeBot: Unauthenticated arbitrary s3 object write in generate-upload-url via unsanitized fileName 18.06.2026 9.3
CVE-2026-48814 Network-AI: Empty default secret still authorizes all requests (Incomplete fix for CVE-2026-46701) 18.06.2026 9.1
CVE-2026-54387 Tinyproxy - HTTP Request Smuggling via CL/TE Desynchronization 18.06.2026 9.3
CVE-2026-54388 Tinyproxy - HTTP Request Smuggling via Duplicate Content-Length Headers 18.06.2026 9.3
CVE-2026-55200 libssh2 - Out-of-Bounds Write via Unchecked packet_length in transport.c 18.06.2026 9.2
CVE-2026-55196 Hermes WebUI < 0.51.409 - Unauthenticated Passkey Registration via Authentication Bypass 17.06.2026 9.1
CVE-2026-20266 OS Command Injection in the btool Configuration Helper in Splunk AI Toolkit 17.06.2026 9.1
CVE-2026-53805 NVIDIA SIL GEN3C Unauthenticated RCE via Pickle Deserialization in Inference API 17.06.2026 9.3
CVE-2025-71320 picklescan - Remote Code Execution via Incomplete Disallowed Inputs 17.06.2026 9.3
CVE-2025-71321 picklescan - Arbitrary File Writing via distutils Module Bypass 17.06.2026 9.3
CVE-2025-71323 picklescan - Remote Code Execution via Unblocked ctypes Module 17.06.2026 9.3
CVE-2025-71325 picklescan - Detection Bypass via STACK_GLOBAL Opcode Parsing Logic Flaw 17.06.2026 9.3
CVE-2026-20181 Cisco Identity Services Engine Remote Code Execution Vulnerability 18.06.2026 9.1
CVE-2026-3490 picklescan - Universal Blocklist Bypass via pkgutil.resolve_name 18.06.2026 10
CVE-2026-53873 picklescan - Arbitrary Code Execution via profile.run() Blocklist Bypass 17.06.2026 9.3
CVE-2026-53874 picklescan - Arbitrary Code Execution via Obfuscated eval Call 17.06.2026 9.3
CVE-2026-42055 NGINX ngx_http_proxy_v2_module and ngx_http_grpc_module vulnerability 18.06.2026 9.2
CVE-2026-42530 NGINX Open-Source ngx_http_v3_module vulnerability 18.06.2026 9.2
CVE-2026-47103 Python StateMachine 3.0.0 < 3.2.0 RCE via SCXML eval() Injection 18.06.2026 9.3
CVE-2026-54812 WordPress Motors plugin <= 1.4.109 - SQL Injection vulnerability 17.06.2026 9.3
CVE-2026-55743 OpenHuman desktop agent shell tool sandbox bypass leads to arbitrary command execution 17.06.2026 9.4
CVE-2025-59554 WordPress Advanced Ads – Tracking plugin < 3.0.7 - SQL Injection vulnerability 17.06.2026 9.3
CVE-2025-60229 WordPress Lagom theme <= 2.0 - PHP Object Injection vulnerability 17.06.2026 9.8
CVE-2025-60230 WordPress The Barber Shop theme <= 1.9 - PHP Object Injection vulnerability 17.06.2026 9.8
CVE-2025-60231 WordPress The Hospital theme <= 1.8.1 - PHP Object Injection vulnerability 17.06.2026 9.8
CVE-2025-60236 WordPress Creatify theme <= 1.5 - PHP Object Injection vulnerability 17.06.2026 9.8
CVE-2025-69111 WordPress Reisen theme <= 1.4.1 - PHP Object Injection vulnerability 17.06.2026 9.8
CVE-2025-69127 WordPress Plumbing theme <= 1.6 - PHP Object Injection vulnerability 17.06.2026 9.8
CVE-2026-49108 WordPress Moderno theme < 1.43 - PHP Object Injection vulnerability 17.06.2026 9.8
CVE-2026-54808 WordPress WP Travel Gutenberg Blocks plugin <= 3.9.4 - SQL Injection vulnerability 17.06.2026 9.3
CVE-2026-54809 WordPress GIFT4U plugin <= 1.0.10 - SQL Injection vulnerability 17.06.2026 9.3
CVE-2026-54815 WordPress Cargo Shipping Location for WooCommerce plugin <= 5.6 - SQL Injection vulnerability 17.06.2026 9.3
CVE-2026-54819 WordPress Listdom plugin <= 5.4.0 - SQL Injection vulnerability 17.06.2026 9.3
CVE-2024-52488 WordPress Grip theme <= 1.0.9 - Arbitrary Plugin Activation/Deactivation to RCE vulnerability 17.06.2026 9.9
CVE-2025-60205 WordPress ThemeREX Addons plugin <= 2.36.1.1 - PHP Object Injection vulnerability 17.06.2026 9.8
CVE-2025-60218 WordPress PT Luxa Addons Plugin <= 1.2.2 - Arbitrary File Upload Vulnerability 17.06.2026 9.9
CVE-2025-69129 WordPress WordPress & WooCommerce Scraper Plugin, Import Data from Any Site plugin <= 1.0.7 - Arbitrary File Upload vulnerability 17.06.2026 10
CVE-2025-69179 WordPress Support Ticket Management System plugin <= 1.9 - Privilege Escalation vulnerability 17.06.2026 9.8
CVE-2026-22327 WordPress Restaurt theme <= 1.0.4 - Arbitrary File Upload vulnerability 17.06.2026 9.9
CVE-2026-22332 WordPress Tutor LMS Pro plugin <= 3.9.6 - SQL Injection vulnerability 17.06.2026 9.3
CVE-2026-22340 WordPress WPJobster theme <= 6.3.5 - SQL Injection vulnerability 17.06.2026 9.3
CVE-2026-24611 WordPress MetForm Pro plugin <= 3.9.1 - Broken Access Control vulnerability 17.06.2026 9.1
CVE-2026-25446 WordPress WishList Member X plugin <= 3.29.0 - Arbitrary File Upload vulnerability 17.06.2026 9.9
CVE-2026-27041 WordPress Unlimited Elements for Elementor (Premium) plugin <= 2.0.6 - Arbitrary File Upload vulnerability 17.06.2026 9.9
CVE-2026-39589 WordPress Webenvo theme <= 0.0.6 - Arbitrary File Upload vulnerability 17.06.2026 9.9
CVE-2026-39596 WordPress Blocksy Companion Pro plugin < 2.1.29 - SQL Injection vulnerability 17.06.2026 9.3
CVE-2026-40725 WordPress WooCommerce Product Filters plugin < 2.0.6 - PHP Object Injection vulnerability 17.06.2026 9.8
CVE-2026-40746 WordPress Restaurant Zone theme <= 0.7.8 - Arbitrary File Upload vulnerability 17.06.2026 9.9
CVE-2026-40747 WordPress Ecommerce Zone theme <= 0.9.7 - Arbitrary File Upload vulnerability 17.06.2026 9.9
CVE-2026-40748 WordPress Kids Gift Shop theme <= 0.5.4 - Arbitrary File Upload vulnerability 17.06.2026 9.9
CVE-2026-40749 WordPress Charity Zone theme <= 1.1.1 - Arbitrary File Upload vulnerability 17.06.2026 9.9
CVE-2026-40783 WordPress Blocksy Companion Pro plugin <= 2.1.37 - Remote Code Execution (RCE) vulnerability 17.06.2026 9.9
CVE-2026-42380 WordPress AI Lab theme < 5.4.2 - PHP Object Injection vulnerability 17.06.2026 9.8
CVE-2026-48875 WordPress JetSmartFilters plugin <= 3.8.1 - SQL Injection vulnerability 17.06.2026 9.3
CVE-2026-49058 WordPress LoginPress Pro plugin <= 6.2.2 - Privilege Escalation vulnerability 17.06.2026 9.8
CVE-2026-49075 WordPress JetEngine plugin <= 3.8.9.1 - PHP Object Injection vulnerability 17.06.2026 9.8
CVE-2026-49076 WordPress JetEngine plugin <= 3.8.9.1 - SQL Injection vulnerability 17.06.2026 9.3
CVE-2026-49079 WordPress JetSearch plugin <= 3.5.17 - SQL Injection vulnerability 17.06.2026 9.3
CVE-2026-49084 WordPress JetEngine plugin < 3.8.9.1 - SQL Injection vulnerability 17.06.2026 9.3
CVE-2026-49107 WordPress Thrive Apprentice plugin < 10.8.10.2 - PHP Object Injection vulnerability 17.06.2026 9.8
CVE-2026-49767 WordPress wpForo Forum plugin <= 3.1.0 - Broken Authentication vulnerability 17.06.2026 9.8
CVE-2026-52705 WordPress SigmaForms Pro – AI Generated Forms plugin <= 1.4.5 - Arbitrary File Upload vulnerability 17.06.2026 9
CVE-2026-52706 WordPress JetEngine plugin <= 3.8.10 - PHP Object Injection vulnerability 17.06.2026 9.8
CVE-2026-54186 WordPress JobSearch plugin <= 3.2.9 - SQL Injection vulnerability 17.06.2026 9.3
CVE-2026-54187 WordPress JetEngine plugin <= 3.8.10.1 - SQL Injection vulnerability 17.06.2026 9.3
CVE-2026-54803 WordPress SMS Alert Order Notifications plugin <= 3.9.4 - Privilege Escalation vulnerability 17.06.2026 9.8
CVE-2026-54806 WordPress WP Activity Log plugin <= 5.6.3.1 - PHP Object Injection vulnerability 17.06.2026 9.8
CVE-2026-54807 WordPress Registration Form for WooCommerce plugin <= 1.0.9 - Privilege Escalation vulnerability 17.06.2026 9.8
CVE-2026-54811 WordPress WP eMember plugin < v10.9.4 - SQL Injection vulnerability 17.06.2026 9.3
CVE-2026-0063 18.06.2026 10
CVE-2026-0064 17.06.2026 10
CVE-2026-0068 18.06.2026 10
CVE-2026-0071 18.06.2026 10
CVE-2026-0081 18.06.2026 10
CVE-2026-0082 18.06.2026 10
CVE-2026-0083 18.06.2026 10
CVE-2026-0092 18.06.2026 10
CVE-2026-10094 Path Traversal vulnerability affecting SOLIDWORKS Visualize from SOLIDWORKS Desktop Release 2024 through SOLIDWORKS Desktop Release 2026 17.06.2026 9.8
CVE-2026-28575 17.06.2026 10
CVE-2026-28576 17.06.2026 10
CVE-2026-28587 17.06.2026 10
CVE-2026-28615 18.06.2026 10
CVE-2026-48797 Backpropagate: backprop ui --auth and backprop ui --share do not enforce authentication 18.06.2026 9.3
CVE-2026-48616 17.06.2026 9.3
CVE-2026-48745 Traccar Client: silent configuration hijack via unverified deep link redirects all GPS telemetry 17.06.2026 9.3
CVE-2025-69108 WordPress Hot Coffee theme <= 1.7 - PHP Object Injection vulnerability 17.06.2026 9.8
CVE-2025-69122 WordPress SeaFood Company theme <= 1.4 - PHP Object Injection vulnerability 17.06.2026 9.8
CVE-2026-25470 WordPress ACPT (Pro) - Custom Post Types plugin for WordPress plugin <= 2.0.47 - Remote Code Execution (RCE) vulnerability 17.06.2026 10
CVE-2026-27395 WordPress Support Board plugin < 3.8.9 - Privilege Escalation vulnerability 17.06.2026 9.8
CVE-2026-27429 WordPress Nifty theme <= 1.4.1 - PHP Object Injection vulnerability 17.06.2026 9.8
CVE-2026-39438 WordPress ListingPro plugin <= 2.9.10 - SQL Injection vulnerability 17.06.2026 9.3
CVE-2026-39529 WordPress Elementra theme <= 1.0.9 - PHP Object Injection vulnerability 17.06.2026 9.8
CVE-2026-48055 Streambert: Arbitrary File Write (Zip Slip) via Subtitle Extraction 17.06.2026 10
CVE-2026-48781 Postiz has cross-tenant SUPERADMIN takeover via Skool-provider JWT forgery 18.06.2026 9.9
CVE-2026-49080 WordPress wpDataTables plugin <= 7.3.6 - SQL Injection vulnerability 17.06.2026 9.3
CVE-2026-54194 WordPress Fusion Builder plugin <= 3.15.4 - PHP Object Injection vulnerability 17.06.2026 9.8
CVE-2026-35263 18.06.2026 9.9
CVE-2026-35268 18.06.2026 9.9
CVE-2026-35270 18.06.2026 9.1
CVE-2026-35278 18.06.2026 9.8
CVE-2026-35280 17.06.2026 9.9
CVE-2026-35281 17.06.2026 9.9
CVE-2026-35282 17.06.2026 9.9
CVE-2026-35283 17.06.2026 9.9
CVE-2026-35284 17.06.2026 9.9
CVE-2026-35285 17.06.2026 9.9
CVE-2026-35286 18.06.2026 9.8
CVE-2026-35292 18.06.2026 10
CVE-2026-35293 17.06.2026 9.8
CVE-2026-35294 17.06.2026 9.9
CVE-2026-35296 17.06.2026 9.8
CVE-2026-35298 18.06.2026 9.1
CVE-2026-35300 18.06.2026 9.8
CVE-2026-35301 18.06.2026 10
CVE-2026-35304 19.06.2026 9.8
CVE-2026-35305 17.06.2026 9.3
CVE-2026-35306 17.06.2026 9.3
CVE-2026-35307 19.06.2026 10
CVE-2026-35308 19.06.2026 10
CVE-2026-35309 19.06.2026 9.8
CVE-2026-35310 19.06.2026 9.8
CVE-2026-35312 19.06.2026 9.8
CVE-2026-35313 17.06.2026 9.9
CVE-2026-35316 19.06.2026 9.9
CVE-2026-35319 19.06.2026 9.8
CVE-2026-35320 19.06.2026 9
CVE-2026-35321 19.06.2026 9.9
CVE-2026-35323 19.06.2026 9.9
CVE-2026-46765 19.06.2026 9.9
CVE-2026-46766 19.06.2026 9.8
CVE-2026-46767 19.06.2026 9.9
CVE-2026-46773 19.06.2026 9.8
CVE-2026-46774 19.06.2026 9.8
CVE-2026-46777 19.06.2026 9.1
CVE-2026-46778 17.06.2026 10
CVE-2026-46779 17.06.2026 9.9
CVE-2026-46781 17.06.2026 10
CVE-2026-46782 17.06.2026 9.9
CVE-2026-46783 17.06.2026 9.8
CVE-2026-46784 17.06.2026 9.1
CVE-2026-46785 19.06.2026 9.3
CVE-2026-46786 19.06.2026 9.6
CVE-2026-46789 19.06.2026 9.6
CVE-2026-46792 17.06.2026 9.9
CVE-2026-46793 17.06.2026 9.9
CVE-2026-46794 17.06.2026 9.9
CVE-2026-46795 19.06.2026 9.3
CVE-2026-46797 17.06.2026 9.8
CVE-2026-46798 17.06.2026 10
CVE-2026-46799 17.06.2026 9.8
CVE-2026-46800 17.06.2026 10
CVE-2026-46801 17.06.2026 9.8
CVE-2026-46802 19.06.2026 9.9
CVE-2026-46803 19.06.2026 10
CVE-2026-46805 19.06.2026 9.3
CVE-2026-46807 19.06.2026 9.8
CVE-2026-46809 17.06.2026 9.1
CVE-2026-46813 17.06.2026 9.8
CVE-2026-46814 17.06.2026 9.9
CVE-2026-46832 18.06.2026 9.9
CVE-2026-46838 17.06.2026 9.9
CVE-2026-46844 17.06.2026 9.9
CVE-2026-46845 17.06.2026 9.8
CVE-2026-46846 17.06.2026 10
CVE-2026-46847 18.06.2026 9.9
CVE-2026-46850 18.06.2026 9.9
CVE-2026-46852 18.06.2026 9.9
CVE-2026-46853 18.06.2026 9.6
CVE-2026-46854 18.06.2026 9.9
CVE-2026-46855 18.06.2026 9.9
CVE-2026-46856 18.06.2026 9.6
CVE-2026-46857 18.06.2026 9.8
CVE-2026-46858 17.06.2026 9.1
CVE-2026-46859 18.06.2026 9.8
CVE-2026-46860 18.06.2026 9.8
CVE-2026-46861 18.06.2026 9.6
CVE-2026-46872 17.06.2026 9
CVE-2026-46875 18.06.2026 9.1
CVE-2026-46878 18.06.2026 9.8
CVE-2026-46879 18.06.2026 9.8
CVE-2026-46880 18.06.2026 9.8
CVE-2026-46881 18.06.2026 9.8
CVE-2026-46882 18.06.2026 9.8
CVE-2026-46883 18.06.2026 9.8
CVE-2026-46884 18.06.2026 9.8
CVE-2026-46887 18.06.2026 9.8
CVE-2026-46889 18.06.2026 9.8
CVE-2026-46890 18.06.2026 9.8
CVE-2026-46892 18.06.2026 9.1
CVE-2026-46893 18.06.2026 9.9
CVE-2026-46895 18.06.2026 9.9
CVE-2026-46896 18.06.2026 9.1
CVE-2026-46897 18.06.2026 9.9
CVE-2026-46899 18.06.2026 9.6
CVE-2026-46900 18.06.2026 9.9
CVE-2026-46901 18.06.2026 9.9
CVE-2026-46902 18.06.2026 9.8
CVE-2026-46904 18.06.2026 9.8
CVE-2026-46905 18.06.2026 9.8
CVE-2026-46906 18.06.2026 9.6
CVE-2026-46907 18.06.2026 9.9
CVE-2026-46908 18.06.2026 9.9
CVE-2026-46909 18.06.2026 9.8
CVE-2026-46910 17.06.2026 9.1
CVE-2026-46911 18.06.2026 9.6
CVE-2026-46912 17.06.2026 9.3
CVE-2026-46913 18.06.2026 9.3
CVE-2026-46918 17.06.2026 9.9
CVE-2026-46919 18.06.2026 9.8
CVE-2026-46930 17.06.2026 9.1
CVE-2026-46933 18.06.2026 9.9
CVE-2026-46944 18.06.2026 9.1
CVE-2026-46945 17.06.2026 9.1
CVE-2026-46946 18.06.2026 9.1
CVE-2026-46949 17.06.2026 9.1
CVE-2026-46963 17.06.2026 9.9
CVE-2026-46964 17.06.2026 9.9
CVE-2026-46978 18.06.2026 10
CVE-2026-22313 OS Commands Executed with Administrative Permissions in Radiflow iSAP Smart Collector 17.06.2026 9.1
CVE-2026-48777 FileBrowser Quantum: Path Traversal in public share PATCH allows file ops outside shared directory 17.06.2026 9.3
CVE-2026-53776 Perry < 0.5.1166 JWT Expiration Bypass via verify_decode 16.06.2026 9.3
CVE-2025-13036 Rockwell Automation FactoryTalk Historian Site Edition - Authentication Bypass 16.06.2026 9.2
CVE-2026-40750 WordPress Kids Online Store theme <= 0.8.9 - Arbitrary File Upload vulnerability 16.06.2026 9.9
CVE-2026-39574 WordPress InPost Gallery plugin <= 2.1.4.6 - SQL Injection vulnerability 16.06.2026 9.3
CVE-2026-49772 WordPress The Events Calendar plugin 6.15.12-6.16.2 - SQL Injection vulnerability 16.06.2026 9.3
CVE-2026-49774 WordPress RD Station plugin <= 5.6.0 - Remote Code Execution (RCE) vulnerability 16.06.2026 9.9
CVE-2026-52715 WordPress GEO my WordPress plugin <= 4.5.5 - SQL Injection vulnerability 16.06.2026 9.3
CVE-2026-48853 Remote code execution and denial of service via unsafe Erlang term deserialization in elixir-grpc/grpc 17.06.2026 9.2
CVE-2026-48713 i18next-fs-backend: Prototype pollution via crafted missing-key string 16.06.2026 9.1
CVE-2026-48714 i18next-http-middleware missingKeyHandler does not reject keys whose segments contain prototype-polluting names 16.06.2026 9.1
CVE-2026-27053 WordPress Broadcast Live Video plugin < 7.1.3 - PHP Object Injection vulnerability 16.06.2026 9.8
CVE-2026-34901 WordPress iControlWP plugin <= 5.5.3 - Privilege Escalation vulnerability 16.06.2026 9.8
CVE-2026-39441 WordPress Feed KuantoKusta for WooCommerce – Free plugin <= 5.3 - SQL Injection vulnerability 16.06.2026 9.3
CVE-2026-39465 WordPress Responsive Slider by MetaSlider plugin <= 3.106.0 - Remote Code Execution (RCE) vulnerability 16.06.2026 9.1
CVE-2026-39492 WordPress WP Maps plugin <= 4.9.1 - SQL Injection vulnerability 16.06.2026 9.3
CVE-2026-39493 WordPress Simply Schedule Appointments plugin <= 1.6.9.27 - SQL Injection vulnerability 16.06.2026 9.3
CVE-2026-39502 WordPress Form Maker by 10Web plugin <= 1.15.38 - SQL Injection vulnerability 15.06.2026 9.3
CVE-2026-39511 WordPress WP Photo Album Plus plugin <= 9.1.08.001 - SQL Injection vulnerability 16.06.2026 9.3
CVE-2026-39512 WordPress GeoDirectory plugin <= 2.8.152 - SQL Injection vulnerability 16.06.2026 9.3
CVE-2026-39519 WordPress GeekyBot plugin <= 1.2.0 - SQL Injection vulnerability 16.06.2026 9.3
CVE-2026-39530 WordPress SpeakOut! Email Petitions plugin <= 4.6.5 - SQL Injection vulnerability 16.06.2026 9.3
CVE-2026-39583 WordPress Datalogics Ecommerce Delivery plugin <= 2.6.62 - Privilege Escalation vulnerability 16.06.2026 9.8
CVE-2026-39591 WordPress WP-BusinessDirectory plugin <= 4.0.0 - Arbitrary File Upload vulnerability 16.06.2026 9.9
CVE-2026-40771 WordPress Contest Gallery plugin <= 28.1.6 - SQL Injection vulnerability 16.06.2026 9.3
CVE-2026-40772 WordPress GeekyBot plugin <= 1.2.2 - Arbitrary File Upload vulnerability 16.06.2026 10
CVE-2026-40798 WordPress wpForo Forum plugin <= 3.0.4 - SQL Injection vulnerability 16.06.2026 9.3
CVE-2026-42381 WordPress Funnel Builder by FunnelKit plugin <= 3.15.0.1 - SQL Injection vulnerability 16.06.2026 9.3
CVE-2026-42386 WordPress Order Delivery Date for WooCommerce plugin <= 4.5.1 - SQL Injection vulnerability 16.06.2026 9.3
CVE-2026-42639 WordPress GD Rating System plugin <= 3.6.2 - SQL Injection vulnerability 16.06.2026 9.3
CVE-2026-42665 WordPress WP Data Access plugin <= 5.5.70 - SQL Injection vulnerability 16.06.2026 9.3
CVE-2026-45439 WordPress Realtyna Organic IDX plugin plugin <= 5.1.0 - SQL Injection vulnerability 16.06.2026 9.3
CVE-2026-48836 WordPress Easy Invoice plugin <= 2.1.19 - Remote Code Execution (RCE) vulnerability 16.06.2026 10
CVE-2026-48881 WordPress TrueBooker plugin <= 1.1.9 - Broken Access Control vulnerability 16.06.2026 9.1
CVE-2026-48886 WordPress JS Help Desk plugin <= 3.0.9 - SQL Injection vulnerability 16.06.2026 9.3
CVE-2026-49067 WordPress Advanced 301 and 302 Redirect plugin <= 1.6.9 - SQL Injection vulnerability 16.06.2026 9.3
CVE-2026-49085 WordPress WP Insightly for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms plugin <= 1.1.4 - PHP Object Injection vulnerability 16.06.2026 9.8
CVE-2026-49104 WordPress Integration for Keap/infusionsoft and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms plugin <= 1.2.1 - PHP Object Injection vulnerability 16.06.2026 9.8
CVE-2026-49105 WordPress WP Zendesk for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms plugin <= 1.1.4 - PHP Object Injection vulnerability 15.06.2026 9.8
CVE-2026-49106 WordPress Integration for Contact Form 7 and Constant Contact plugin <= 1.1.6 - PHP Object Injection vulnerability 16.06.2026 9.8
CVE-2026-49109 WordPress Integration for Salesforce and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms plugin <= 1.4.3 - PHP Object Injection vulnerability 16.06.2026 9.8
CVE-2026-49763 WordPress Integration for Contact Form 7 HubSpot plugin <= 1.3.7 - PHP Object Injection vulnerability 15.06.2026 9.8
CVE-2026-49764 WordPress RegistrationMagic plugin <= 6.0.8.6 - Broken Authentication vulnerability 15.06.2026 9.8
CVE-2026-49765 WordPress Integration for Mailchimp and Contact Form 7, WPForms, Elementor, Ninja Forms plugin <= 1.1.8 - PHP Object Injection vulnerability 16.06.2026 9.8
CVE-2026-49766 WordPress WP User Manager plugin <= 2.9.16 - Arbitrary File Deletion vulnerability 16.06.2026 9.9
CVE-2026-49768 WordPress Happyforms plugin <= 1.26.13 - PHP Object Injection vulnerability 16.06.2026 9.8
CVE-2026-49769 WordPress wpForo Forum plugin <= 3.1.0 - PHP Object Injection vulnerability 16.06.2026 9.8
CVE-2026-49770 WordPress WP Travel Engine plugin <= 6.7.12 - PHP Object Injection vulnerability 16.06.2026 9.8
CVE-2026-49776 WordPress GPTranslate – Multilingual AI Translation for WordPress: Automatically Translate Websites plugin <= 2.32.6 - SQL Injection vulnerability 16.06.2026 9.3
CVE-2026-49781 WordPress OttoKit plugin <= 1.1.27 - PHP Object Injection vulnerability 16.06.2026 9.8
CVE-2026-52693 WordPress eCommerce Product Catalog plugin <= 3.5.5 - SQL Injection vulnerability 15.06.2026 9.3
CVE-2026-52703 WordPress FastDup plugin <= 2.7.2 - Path Traversal vulnerability 16.06.2026 9.6
CVE-2026-9691 WordPress Integration for ActiveCampaign and Contact Form 7, WPForms, Elementor, Ninja Forms plugin <= 1.1.1 - PHP Object Injection vulnerability 16.06.2026 9.8
CVE-2026-48114 Metacat has an unauthenticated SQL injection vulnerability 15.06.2026 9.8
CVE-2026-49952 Discuz! X5.0 Authentication Bypass via dbbak.php Encryption Oracle 16.06.2026 9.3
CVE-2026-9862 Core Privileged Access Manager (BoKS) autoregistration service command injection vulnerability 15.06.2026 9.8
CVE-2018-25436 WordPress Plugin Baggage Freight Shipping Australia 0.1.0 Arbitrary File Upload 15.06.2026 9.3
CVE-2026-52704 WordPress WooCommerce PDF Invoice Builder plugin <= 2.0.8 - Remote Code Execution (RCE) vulnerability 15.06.2026 10
CVE-2026-49757 OAuth2/OIDC account takeover in AshAuthentication via email-based user matching 15.06.2026 9.2
CVE-2026-5482 Remote Code Execution via Unrestricted File Upload in Responsive FileManager 15.06.2026 9.3
CVE-2026-12183 17.06.2026 9.3

Latest Updates

CVE Title Updated Score
CVE-2024-58351 Flowise - Remote Code Execution via overrideConfig Parameter 20.06.2026
CVE-2026-56317 Nuxt - Cross-Site Scripting via NoScript Component Slot Content 20.06.2026
CVE-2026-56325 Capgo - App ID Confusion via ILIKE Wildcard in Preview Subdomain Lookup 20.06.2026
CVE-2019-25763 WordPress Ultimate Addons for Beaver Builder 1.2.4.1 Authentication Bypass 20.06.2026
CVE-2020-37255 WordPress Time Capsule Plugin 1.21.16 Authentication Bypass 20.06.2026
CVE-2022-50972 WooCommerce 7.1.0 Remote Code Execution via class-wc-meta-box-product-images.php 20.06.2026
CVE-2026-12673 20.06.2026
CVE-2026-48908 Joomla Extension - joomshaper.com - Remote Code Execution in SP Pagebuilder extension for Joomla < 6.6.12 20.06.2026
CVE-2026-48909 Joomla Extension - joomshaper.com - PHP Object injection in SP LMS extension for Joomla < 4.1.4 20.06.2026
CVE-2026-48939 Joomla Extension - icagenda.com - Remote Code Execution in iCaganda extension for Joomla < 4.0.8/3.9.15 20.06.2026
CVE-2026-11911 Simple File List <= 6.3.7 - Unauthenticated Arbitrary File Deletion via Path Traversal in 'eeSubFolder' Parameter 20.06.2026 7.5
CVE-2026-11912 Simple File List <= 6.3.7 - Missing Authorization to Unauthenticated File Modification via simplefilelist_edit_job AJAX Action 20.06.2026 7.5
CVE-2026-12119 Simple File List <= 6.3.7 - Missing Authorization to Authenticated (Contributor+) Arbitrary File Operations (Deletion / Move / Folder Creation / Download) via 'frontmanage' Shortcode Attribute 20.06.2026 6.5
CVE-2026-9265 Crypt::OpenSSL::PKCS12 versions before 1.96 for Perl permits a heap OOB read in print_attribute UTF8STRING path 20.06.2026
CVE-2026-9843 Database for Contact Form 7, WPforms, Elementor forms <= 1.5.1 - Unauthenticated Arbitrary File Deletion via CF7 File Field POST Value 20.06.2026 8.1
CVE-2026-56212 Capgo - Improper 2FA Enforcement Logic via Team Security Settings 20.06.2026
CVE-2026-56213 Capgo - Unauthenticated Cross-Tenant Metrics Poisoning via upsert_version_meta RPC 20.06.2026
CVE-2026-56214 Capgo - Unauthenticated Organization Enumeration and Billing Status Disclosure via Supabase RPC 20.06.2026
CVE-2026-56215 Capgo - Account Merge via Poisoned public.users.email in SSO Provisioning 20.06.2026
CVE-2026-56216 Capgo - Scope Escalation via API Key Creation in /functions/v1/apikey 20.06.2026
CVE-2026-11551 Branda – White Label & Branding, Free Login Page Customizer <= 3.4.29 - Unauthenticated Privilege Escalation via Account Takeover 19.06.2026 9.8
CVE-2026-56073 Cap-go - OTP Bypass via Response Manipulation in Email Verification 19.06.2026
CVE-2026-56079 Capgo - Cross-Tenant Authorization Bypass via PostgREST Webhook Access 19.06.2026
CVE-2026-56080 Cap-go - Authentication Logic Flaw in Enforce Password Policy 19.06.2026
CVE-2026-56081 Cap-go - Account Lockout via 2FA Misconfiguration on Unverified Email 19.06.2026
CVE-2026-56082 Capgo - Unauthenticated Cross-Tenant Billing Log Tampering via public.record_build_time RPC 20.06.2026
CVE-2026-32208 Microsoft Edge (Chromium-based) Spoofing Vulnerability 19.06.2026 8.8
CVE-2026-42895 Microsoft Copilot Tampering Vulnerability 19.06.2026 6.5
CVE-2026-45480 Azure Active Directory Elevation of Privilege Vulnerability 19.06.2026 10
CVE-2026-47645 Microsoft 365 Copilot's Business Chat Elevation of Privilege Vulnerability 19.06.2026 8.8
CVE-2026-48582 Microsoft Exchange Online Elevation of Privilege Vulnerability 19.06.2026 9.6
CVE-2026-48584 Microsoft Azure Synapse Elevation of Privilege Vulnerability 19.06.2026 9.9
CVE-2026-50519 Microsoft Visual Studio Code CoPilot Chat Security Feature Bypass Vulnerability 19.06.2026 6.5
CVE-2026-47203 Authelia Missing Username Canonicalization in Basic Auth (LDAP) 19.06.2026
CVE-2026-48129 Kestra task inputFiles accepts traversal filenames for worker file writes 19.06.2026 6.5
CVE-2026-48794 Authelia has an Edge Case Access Control Rule Mismatch 19.06.2026
CVE-2026-49295 libde265 has an out-of-bounds write in process_reference_picture_set via predicted short-term RPS 19.06.2026 7.1
CVE-2026-49337 libde265 has an unbounded memory leak via orphaned slice headers in `read_slice_NAL` 19.06.2026 4.3
CVE-2026-49346 libde265 has a heap buffer overflow in de265_image_get_buffer via SPS dimension integer overflow 19.06.2026 7.1
CVE-2026-50559 Authentication/Authorization Bypass via Advanced Path Normalization Vulnerabilities 19.06.2026 7.5
CVE-2026-48089 DevGuard has improper authorization on public assets 19.06.2026
CVE-2026-48715 radvdump's Route Information Option Parser has a Stack Buffer Overflow 19.06.2026
CVE-2026-48772 ProxySQL: PROXY-Protocol-v1 UNKNOWN parses spoofed source IP, bypassing mysql_query_rules.client_addr ACL 19.06.2026 10
CVE-2026-48773 ProxySQL pre-auth heap overflow in MySQL and PostgreSQL first-packet handling 19.06.2026 9.8
CVE-2026-48774 ProxySQL MCP run_sql_readonly executes side-effecting MySQL multi-statements despite read-only contract 19.06.2026 7.5
CVE-2026-48787 gin-vue-admin vulnerable to RCE 19.06.2026
CVE-2026-49342 YARD static cache reads raw traversal paths before router sanitization 19.06.2026 5.3
CVE-2026-49344 Mercator has a Personal Identifiable Information Leak from Query Executor feature 19.06.2026
CVE-2026-49345 Mercator CVE Configuration Vulnerable to Server-Side Request Forgery (SSRF) 19.06.2026
CVE-2026-12726 Awx: automation-controller: awx: github webhook second-order ssrf via unvalidated statuses_url exfiltrates pat credential 19.06.2026
CVE-2026-27878 Tempo TraceQL query with exemplar hint could result in unbounded memory usage 19.06.2026 6.5
CVE-2026-49338 Subsonic API: any authenticated user can delete or read any other user's playlist (IDOR) 19.06.2026 7.1
CVE-2026-49340 gonic has arbitrary file write in createPlaylist: any authenticated user can write playlist M3U content to attacker-controlled path on the host 19.06.2026 8.1
CVE-2026-9375 Decompression Bomb Bypass via Negative max_length in Streaming API in urllib3 19.06.2026
CVE-2023-54357 Joomla com_booking 2.4.9 Information Disclosure via Account Enumeration 19.06.2026
CVE-2026-12238 WP Go Maps <= 10.1.01 - Unauthenticated Arbitrary Record Creation 19.06.2026 5.3
CVE-2026-49288 Statamic CMS missing authorization on Control Panel fieldtype endpoints allows disclosure of restricted resources 19.06.2026 4.3
CVE-2026-49291 mcp-memory-service: OAuth read-only clients can write and delete memories through MCP tools/call 19.06.2026 8.1
CVE-2026-49293 CPU exhaustion via O(n^2) BigInt construction on radix-prefixed integer literals 19.06.2026 7.5
CVE-2026-49336 @microsoft/kiota-http-fetchlibrary: Bearer token and Cookie leak across origin on redirect due to case-mismatched scrub in fetchRequestAdapter 19.06.2026
CVE-2026-49339 Path traversal in getPlaylist/deletePlaylist bypasses ownership check: any authenticated user can read or delete any other user's playlist 19.06.2026 7.1
CVE-2019-25754 Joomla vRestaurant 1.9.4 SQL Injection via menu-listing-layout 19.06.2026
CVE-2019-25755 Joomla vReview 1.9.11 SQL Injection via editReview 19.06.2026
CVE-2019-25756 Joomla! Component vAccount 2.0.2 SQL Injection via vaccount-dashboard 19.06.2026
CVE-2019-25757 Joomla vWishlist 1.0.1 SQL Injection via vproductid Parameter 19.06.2026
CVE-2019-25758 Joomla! Component vBizz 1.0.7 Remote Code Execution 19.06.2026
CVE-2019-25759 Joomla! Component vBizz 1.0.7 SQL Injection 19.06.2026
CVE-2019-25760 Joomla! Component Easy Shop 1.2.3 Local File Inclusion 19.06.2026
CVE-2019-25761 Joomla! Component JoomCRM 1.1.1 SQL Injection via deal_id 19.06.2026
CVE-2019-25762 Joomla! Component JoomProject 1.1.3.2 Information Disclosure 19.06.2026
CVE-2026-49287 Statamic CMS vulnerable to unsafe method invocation via collection sorting allows data destruction 19.06.2026 7.4
CVE-2026-49290 Slopsmith has path traversal in archive extractors that allows arbitrary file write → potential RCE 19.06.2026