CVE Field Guide

Critical CVEs

CVE Title Updated Score
CVE-2025-71243 SPIP Saisies Plugin < 5.11.1 Remote Code Execution 19.02.2026 9.3
CVE-2025-71250 SPIP < 4.4.9 Insecure Deserialization 19.02.2026 9.2
CVE-2025-9953 SQLi in Database Software's Databank Accreditation Software 19.02.2026 9.8
CVE-2025-8350 Authentication Bypass with Redirect in BiEticaret Software's BiEticaret CMS 19.02.2026 9.8
CVE-2025-12107 Potential authenticated Server-Side Template Injection (SSTI) vulnerability. 19.02.2026 10
CVE-2025-13590 Authenticated arbitrary file upload via a System REST API requiring administrator permission. 19.02.2026 9.1
CVE-2026-1994 s2Member <= 260127 - Unauthenticated Privilege Escalation via Account Takeover 19.02.2026 9.8
CVE-2026-2731 Unauthenticated RCE in Dynamicweb 9 and Dynamicweb 8 19.02.2026 10
CVE-2025-13563 Lizza LMS Pro <= 1.0.3 - Unauthenticated Privilege Escalation 19.02.2026 9.8
CVE-2025-13851 Buyent Theme (with Buyent Classified Plugin) <= 1.0.7 - Unauthenticated Privilege Escalation via User Registration 19.02.2026 9.8
CVE-2026-0926 Prodigy Commerce <= 3.2.9 - Unauthenticated Local File Inclusion via parameters[template_name] 19.02.2026 9.8
CVE-2026-1405 Slider Future <= 1.0.5 - Unauthenticated Arbitrary File Upload 19.02.2026 9.8
CVE-2025-12882 Clasifico Listing <= 2.0 - Unauthenticated Privilege Escalation 19.02.2026 9.8
CVE-2025-15586 19.02.2026 10
CVE-2026-2686 SECCN Dingcheng G10 session_login.cgi qq os command injection 19.02.2026 9.3
CVE-2026-25548 InvoicePlane Vulnerable to Remote Code Execution via Local File Inclusion and Log Poisoning 18.02.2026 9.1
CVE-2019-25362 WMV to AVI MPEG DVD WMV Convertor 4.6.1217 - Buffer OverFlow 18.02.2026 9.3
CVE-2019-25364 Win10 MailCarrier 2.51 - 'POP3 User' Remote Buffer Overflow 18.02.2026 9.3
CVE-2026-27174 MajorDoMo Unauthenticated Remote Code Execution via Admin Console Eval 18.02.2026 9.3
CVE-2026-27175 MajorDoMo Command Injection in rc/index.php via Race Condition 18.02.2026 9.2
CVE-2026-27180 MajorDoMo Supply Chain Remote Code Execution via Update URL Poisoning 18.02.2026 9.3
CVE-2026-23491 InvoicePlane has Unauthenticated Path Traversal in Guest Controller 18.02.2026 9.3
CVE-2025-14009 Zip Slip Vulnerability in nltk/nltk Leading to Remote Code Execution 19.02.2026 10
CVE-2025-70152 18.02.2026 9.8
CVE-2025-70150 18.02.2026 9.8
CVE-2025-15579 An Insecure Deserialization vulnerability has been discovered in OpenText™ Directory Services. 18.02.2026 9.5
CVE-2026-2329 Grandstream GXP1600 VoIP Phones - Unauthenticated stack buffer overflow 18.02.2026 9.3
CVE-2026-1435 Incorrect management of session invalidation vulnerability in Graylog Web Interface 18.02.2026 9.3
CVE-2026-1937 YayMail <= 4.3.2 - Missing Authorization to Authenticated (Shop Manager+) Arbitrary Options Update via 'yaymail_import_state' AJAX Action 18.02.2026 9.8
CVE-2026-1670 Honeywell CCTV Products Missing Authentication for Critical Function 18.02.2026 9.3
CVE-2026-22769 19.02.2026 10
CVE-2026-23647 Glory RBG-100 Recycler System Hard-coded OS Credentials 18.02.2026 9.3
CVE-2026-22208 OpenS100 Portrayal Engine Unrestricted Lua Standard Library Access 17.02.2026 9.4
CVE-2026-26220 LightLLM <= 1.1.0 PD Mode Unsafe Deserialization RCE 17.02.2026 9.3
CVE-2026-2564 Intelbras VIP 3260 Z IA OutsideCmd password recovery 17.02.2026 9.2
CVE-2026-2550 EFM iptime A6004MX timepro.cgi commit_vpncli_file_upload unrestricted upload 17.02.2026 9.3
CVE-2026-2577 Nanobot Unauthenticated WhatsApp Session Hijack via WebSocket Bridge 17.02.2026 10
CVE-2026-26366 JUNG eNet SMART HOME server 2.2.1/2.3.1 Use of Default Credentials 17.02.2026 9.3
CVE-2026-26369 JUNG eNet SMART HOME server 2.2.1/2.3.1 Privilege Escalation via setUserGroup 17.02.2026 9.3
CVE-2025-32058 Stack Overflow in processing requests over INC interface on RH850 side of Infotainment ECU 17.02.2026 9.3
CVE-2026-1490 Spam protection, Honeypot, Anti-Spam by CleanTalk <= 6.71 - Authorization Bypass via Reverse DNS (PTR record) Spoofing to Unauthenticated Arbitrary Plugin Installation 17.02.2026 9.8
CVE-2025-8572 Truelysell Core <= 1.8.7 - Unauthenticated Privilege Escalation via Registration 17.02.2026 9.8
CVE-2026-1306 midi-Synth <= 1.1.0 - Unauthenticated Arbitrary File Upload via 'export' AJAX Action 18.02.2026 9.8
CVE-2026-26273 Known affected by Account Takeover via Password Reset Token Leakage 17.02.2026 9.8
CVE-2026-26333 Calero VeraSMART < 2022 R1 .NET Remoting Arbitrary File Read Leading to ViewState RCE 18.02.2026 10
CVE-2026-26335 Calero VeraSMART < 2022 R1 Static IIS Machine Keys Enable ViewState RCE 18.02.2026 9.3
CVE-2026-26190 Milvus Allows Unauthenticated Access to Restful API on Metrics Port (9091) Leads to Critical System Compromise 18.02.2026 9.8
CVE-2026-26221 Hyland OnBase Timer Services Unauthenticated .NET Remoting RCE 18.02.2026 10

Latest Updates

CVE Title Updated Score
CVE-2026-25738 Indico has Server-Side Request Forgery (SSRF) in multiple places 19.02.2026
CVE-2026-25940 jsPDF's PDF Injection in AcroForm module allows Arbitrary JavaScript Execution (RadioButton.createOption and "AS" property) 19.02.2026 8.1
CVE-2026-26223 SPIP < 4.4.8 Cross-Site Scripting via Iframe Tags in Private Area 19.02.2026
CVE-2026-26345 SPIP < 4.4.8 Cross-Site Scripting in Public Area 19.02.2026
CVE-2026-2274 Arbitrary File Read and SSRF in Google AppSheet 19.02.2026
CVE-2025-71240 SPIP < 4.2.15 Cross-Site Scripting via Code Tags 19.02.2026
CVE-2025-71241 SPIP < 4.3.6 Cross-Site Scripting in Private Area 19.02.2026
CVE-2025-71242 SPIP < 4.3.6 Authorization Bypass Leading to Content Disclosure 19.02.2026
CVE-2025-71243 SPIP Saisies Plugin < 5.11.1 Remote Code Execution 19.02.2026
CVE-2025-71244 SPIP < 4.4.5 Open Redirect via Login Form 19.02.2026
CVE-2025-71245 19.02.2026
CVE-2025-71246 19.02.2026
CVE-2025-71247 SPIP < 4.4.9 Blind Server-Side Request Forgery via Syndicated Sites 19.02.2026
CVE-2025-71248 SPIP < 4.4.9 Stored Cross-Site Scripting via Syndicated Sites 19.02.2026
CVE-2025-71249 SPIP < 4.4.9 Cross-Site Scripting in Private Area (Incomplete Fix) 19.02.2026
CVE-2025-71250 SPIP < 4.4.9 Insecure Deserialization 19.02.2026
CVE-2026-25535 jsPDF Affected by Client-Side/Server-Side Denial of Service via Malicious GIF Dimensions 19.02.2026
CVE-2026-25755 jsPDF has PDF Object Injection via Unsanitized Input in addJS Method 19.02.2026 8.1
CVE-2025-55853 19.02.2026
CVE-2026-25527 changedetection.io vulnerable to unauthenticated static path traversal 19.02.2026 5.3
CVE-2026-2744 19.02.2026
CVE-2019-25402 Comodo Dome Firewall 2.7.0 Cross-Site Scripting via login 19.02.2026
CVE-2019-25403 Comodo Dome Firewall 2.7.0 Stored Cross-Site Scripting via admin_profiles 19.02.2026
CVE-2019-25404 Comodo Dome Firewall 2.7.0 Stored Cross-Site Scripting via admins 19.02.2026
CVE-2019-25405 Comodo Dome Firewall 2.7.0 Stored Cross-Site Scripting via license_activation 19.02.2026
CVE-2019-25406 Comodo Dome Firewall 2.7.0 Reflected Cross-Site Scripting via organization Parameter 19.02.2026
CVE-2019-25407 Comodo Dome Firewall 2.7.0 Cross-Site Scripting via backupschedule 19.02.2026
CVE-2019-25408 Comodo Dome Firewall 2.7.0 Reflected Cross-Site Scripting via netwizard2 19.02.2026
CVE-2019-25409 Comodo Dome Firewall 2.7.0 Reflected Cross-Site Scripting via routing 19.02.2026
CVE-2019-25410 Comodo Dome Firewall 2.7.0 Reflected Cross-Site Scripting via policy_routing 19.02.2026
CVE-2019-25411 Comodo Dome Firewall 2.7.0 Cross-Site Scripting via DHCP 19.02.2026
CVE-2019-25412 Comodo Dome Firewall 2.7.0 Reflected Cross-Site Scripting via NTP_SERVER_LIST 19.02.2026
CVE-2019-25413 Comodo Dome Firewall 2.7.0 Reflected Cross-Site Scripting via ID Parameter 19.02.2026
CVE-2019-25414 Comodo Dome Firewall 2.7.0 Reflected Cross-Site Scripting via ID Parameter Appid 19.02.2026
CVE-2019-25415 Comodo Dome Firewall 2.7.0 Cross-Site Scripting via hotspot_permanent_users 19.02.2026
CVE-2019-25416 Comodo Dome Firewall 2.7.0 Reflected Cross-Site Scripting via device Parameter 19.02.2026
CVE-2019-25417 Comodo Dome Firewall 2.7.0 Reflected Cross-Site Scripting via QoS Rules 19.02.2026
CVE-2019-25418 Comodo Dome Firewall 2.7.0 Reflected Cross-Site Scripting via fwgroups 19.02.2026
CVE-2019-25419 Comodo Dome Firewall 2.7.0 Stored Cross-Site Scripting via schedule 19.02.2026
CVE-2019-25420 Comodo Dome Firewall 2.7.0 Reflected Cross-Site Scripting via snat 19.02.2026
CVE-2019-25421 Comodo Dome Firewall 2.7.0 Cross-Site Scripting via policyfw 19.02.2026
CVE-2019-25422 Comodo Dome Firewall 2.7.0 Cross-Site Scripting via vpnfw 19.02.2026
CVE-2019-25423 Comodo Dome Firewall 2.7.0 Cross-Site Scripting via proxyconfig 19.02.2026
CVE-2019-25424 Comodo Dome Firewall 2.7.0 Reflected Cross-Site Scripting via https_exceptions 19.02.2026
CVE-2019-25425 Comodo Dome Firewall 2.7.0 Reflected Cross-Site Scripting via smtpconfig 19.02.2026
CVE-2019-25426 Comodo Dome Firewall 2.7.0 Cross-Site Scripting via dnsmasq 19.02.2026
CVE-2019-25427 Comodo Dome Firewall 2.7.0 Reflected Cross-Site Scripting via antispyware 19.02.2026
CVE-2019-25428 Comodo Dome Firewall 2.7.0 Cross-Site Scripting via openvpn_users 19.02.2026
CVE-2019-25429 Comodo Dome Firewall 2.7.0 Reflected Cross-Site Scripting via openvpn_advanced 19.02.2026
CVE-2019-25430 Comodo Dome Firewall 2.7.0 Reflected Cross-Site Scripting via vpn_users 19.02.2026
CVE-2025-9953 SQLi in Database Software's Databank Accreditation Software 19.02.2026 9.8
CVE-2025-8350 Authentication Bypass with Redirect in BiEticaret Software's BiEticaret CMS 19.02.2026 9.8
CVE-2025-15559 Unauthenticated OS Command Injection in NesterSoft WorkTime 19.02.2026
CVE-2025-15560 SQL Injection in NesterSoft WorkTime 19.02.2026
CVE-2025-15561 Local Privilege Escalation in NesterSoft WorkTime 19.02.2026
CVE-2025-15562 Reflected Cross-Site Scripting in NesterSoft WorkTime 19.02.2026
CVE-2025-15563 Broken Access Control results in Denial of Service in NesterSoft WorkTime 19.02.2026
CVE-2025-9062 IDOR in MeCODE Informatics' Envanty 19.02.2026 7.3
CVE-2025-12107 Potential authenticated Server-Side Template Injection (SSTI) vulnerability. 19.02.2026 10
CVE-2025-13590 Authenticated arbitrary file upload via a System REST API requiring administrator permission. 19.02.2026 9.1
CVE-2026-1219 MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar 4.0 - 5.10 - Unauthenticated Insecure Direct Object Reference to Sensitive Information Exposure 19.02.2026 5.3
CVE-2026-1461 Simple Membership <= 4.7.0 - Unauthenticated Improper Handling of Missing Values 19.02.2026 6.5
CVE-2026-2716 Client Testimonial Slider <= 2.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'Testimonial Heading' Setting 19.02.2026 4.4
CVE-2026-2718 Dealia <= 1.0.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Gutenberg Block Attributes 19.02.2026 6.4
CVE-2026-22266 19.02.2026 4.7
CVE-2026-22267 19.02.2026 8.1
CVE-2026-22268 19.02.2026 6.3
CVE-2025-40697 Reflected Cross-Site Scripting (XSS) in Lewe WebMeasure 19.02.2026
CVE-2025-41023 Authentication bypass in AutoGPT by Thesamur 19.02.2026
CVE-2026-22269 19.02.2026 4.7
CVE-2026-26358 19.02.2026 8.8
CVE-2026-22333 WordPress YITH WooCommerce Compare plugin <= 3.6.0 - Deserialization of untrusted data vulnerability 19.02.2026
CVE-2026-22422 WordPress Everest Forms plugin <= 3.4.1 - Arbitrary Shortcode Execution vulnerability 19.02.2026
CVE-2026-23541 WordPress Mail Mint plugin <= 1.19.4 - Broken Access Control vulnerability 19.02.2026
CVE-2026-23542 WordPress Grand Restaurant theme <= 7.0.10 - PHP Object Injection vulnerability 19.02.2026
CVE-2026-23543 WordPress Essential Addons for Elementor plugin <= 6.5.5 - Broken Access Control vulnerability 19.02.2026
CVE-2026-23544 WordPress Valenti theme <= 5.6.3.5 - PHP Object Injection vulnerability 19.02.2026
CVE-2026-23545 WordPress Aruba HiSpeed Cache plugin <= 3.0.4 - Broken Access Control vulnerability 19.02.2026
CVE-2026-23547 WordPress CMSMasters Content Composer plugin <= 2.5.8 - Broken Access Control vulnerability 19.02.2026
CVE-2026-23548 WordPress DirectoryPress plugin <= 3.6.25 - Broken Access Control vulnerability 19.02.2026
CVE-2026-23549 WordPress WpEvently plugin <= 5.1.1 - PHP Object Injection vulnerability 19.02.2026
CVE-2026-23803 WordPress Smart Auto Upload Images plugin <= 1.2.2 - Server Side Request Forgery (SSRF) vulnerability 19.02.2026
CVE-2026-23804 WordPress Better Business Reviews plugin <= 0.1.1 - Broken Access Control vulnerability 19.02.2026
CVE-2026-23805 WordPress Media Search Enhanced plugin <= 0.9.1 - SQL Injection vulnerability 19.02.2026
CVE-2026-24375 WordPress Ultimate Gift Cards For WooCommerce plugin <= 3.2.4 - Broken Access Control vulnerability 19.02.2026
CVE-2026-24392 WordPress HurryTimer plugin <= 2.14.2 - Cross Site Scripting (XSS) vulnerability 19.02.2026
CVE-2026-24999 WordPress Alma plugin <= 5.16.1 - Broken Access Control vulnerability 19.02.2026
CVE-2026-25000 WordPress Wheel of Life plugin <= 1.2.0 - Broken Access Control vulnerability 19.02.2026
CVE-2026-25003 WordPress Client Portal plugin <= 1.2.1 - Broken Access Control vulnerability 19.02.2026
CVE-2026-25004 WordPress CM Business Directory plugin <= 1.5.3 - Cross Site Scripting (XSS) vulnerability 19.02.2026
CVE-2026-25005 WordPress Frontend File Manager plugin <= 23.5 - Insecure Direct Object References (IDOR) vulnerability 19.02.2026
CVE-2026-25006 WordPress XStore theme <= 9.6.4 - Arbitrary Shortcode Execution vulnerability 19.02.2026
CVE-2026-25008 WordPress Ninja Tables plugin <= 5.2.5 - Sensitive Data Exposure vulnerability 19.02.2026
CVE-2026-25305 WordPress XStore theme <= 9.6.4 - Cross Site Scripting (XSS) vulnerability 19.02.2026
CVE-2026-25307 WordPress XStore Core plugin < 5.7 - Cross Site Scripting (XSS) vulnerability 19.02.2026
CVE-2026-25308 WordPress Simple Membership plugin <= 4.6.9 - Broken Access Control vulnerability 19.02.2026
CVE-2026-25310 WordPress Extend Link plugin <= 2.0.0 - Server Side Request Forgery (SSRF) vulnerability 19.02.2026
CVE-2026-25311 WordPress Autoshare for Twitter plugin <= 2.3.1 - Broken Access Control vulnerability 19.02.2026
CVE-2026-25313 WordPress FluentForm plugin <= 6.1.14 - Broken Access Control vulnerability 19.02.2026
CVE-2026-25314 WordPress TOP Table Of Contents plugin <= 1.3.31 - Broken Access Control vulnerability 19.02.2026
CVE-2026-25315 WordPress hCaptcha for WP plugin <= 4.22.0 - Broken Access Control vulnerability 19.02.2026
CVE-2026-25316 WordPress CartFlows plugin <= 2.1.19 - PHP Object Injection vulnerability 19.02.2026
CVE-2026-25318 WordPress WiserReview Product Reviews for WooCommerce plugin <= 2.9 - Broken Access Control vulnerability 19.02.2026
CVE-2026-25319 WordPress Zita Elementor Site Library plugin <= 1.6.6 - Cross Site Request Forgery (CSRF) vulnerability 19.02.2026
CVE-2026-25320 WordPress Elementor Contact Form DB plugin <= 2.1.3 - Broken Access Control vulnerability 19.02.2026
CVE-2026-25321 WordPress SupportCandy plugin <= 3.4.4 - Broken Access Control vulnerability 19.02.2026
CVE-2026-25322 WordPress PublishPress Revisions plugin <= 3.7.22 - Cross Site Request Forgery (CSRF) vulnerability 19.02.2026
CVE-2026-25323 WordPress OSM plugin <= 6.1.12 - Broken Access Control vulnerability 19.02.2026
CVE-2026-25324 WordPress Quiz And Survey Master plugin <= 10.3.4 - Insecure Direct Object References (IDOR) vulnerability 19.02.2026
CVE-2026-25325 WordPress rtMedia for WordPress, BuddyPress and bbPress plugin <= 4.7.8 - Sensitive Data Exposure vulnerability 19.02.2026
CVE-2026-25326 WordPress CMSMasters Content Composer plugin <= 1.4.5 - Local File Inclusion vulnerability 19.02.2026
CVE-2026-25329 WordPress Quiz And Survey Master plugin <= 10.3.4 - Broken Access Control vulnerability 19.02.2026
CVE-2026-25330 WordPress PublishPress Authors plugin <= 4.10.1 - Broken Access Control vulnerability 19.02.2026
CVE-2026-25331 WordPress WP Activity Log plugin <= 5.5.4 - Cross Site Scripting (XSS) vulnerability 19.02.2026
CVE-2026-25332 WordPress Endless Posts Navigation plugin <= 2.2.9 - Broken Access Control vulnerability 19.02.2026
CVE-2026-25333 WordPress Shopwell theme <= 1.0.11 - Broken Access Control vulnerability 19.02.2026
CVE-2026-25335 WordPress Secure Copy Content Protection and Content Locking plugin <= 5.0.0 - Broken Access Control vulnerability 19.02.2026
CVE-2026-25336 WordPress Coachify theme <= 1.1.5 - Broken Access Control vulnerability 19.02.2026
CVE-2026-25337 WordPress Coachify theme <= 1.1.5 - Cross Site Request Forgery (CSRF) vulnerability 19.02.2026
CVE-2026-25338 WordPress AI ChatBot with ChatGPT and Content Generator by AYS plugin <= 2.7.4 - Broken Access Control vulnerability 19.02.2026
CVE-2026-25343 WordPress WP SMS plugin <= 7.1 - Cross Site Scripting (XSS) vulnerability 19.02.2026
CVE-2026-25348 WordPress Download Alt Text AI plugin <= 1.10.15 - Broken Access Control vulnerability 19.02.2026
CVE-2026-25362 WordPress FooGallery plugin <= 3.1.11 - Cross Site Scripting (XSS) vulnerability 19.02.2026
CVE-2026-25363 WordPress FooGallery plugin <= 3.1.11 - Broken Access Control vulnerability 19.02.2026
CVE-2026-25364 WordPress Client Invoicing by Sprout Invoices plugin <= 20.8.8 - Broken Access Control vulnerability 19.02.2026
CVE-2026-25367 WordPress CitiLights theme < 3.7.2 - Broken Access Control vulnerability 19.02.2026
CVE-2026-25368 WordPress Calculated Fields Form plugin <= 5.4.4.1 - Broken Access Control vulnerability 19.02.2026
CVE-2026-25370 WordPress WP Compress plugin <= 6.60.28 - Broken Access Control vulnerability 19.02.2026
CVE-2026-25372 WordPress Academy LMS plugin <= 3.5.3 - Broken Access Control vulnerability 19.02.2026
CVE-2026-25374 WordPress Spa and Salon theme <= 1.3.2 - Broken Access Control vulnerability 19.02.2026
CVE-2026-25375 WordPress Image Photo Gallery Final Tiles Grid plugin <= 3.6.10 - Broken Access Control vulnerability 19.02.2026
CVE-2026-25378 WordPress Nelio AB Testing plugin <= 8.2.4 - SQL Injection vulnerability 19.02.2026
CVE-2026-25384 WordPress WP-Lister Lite for eBay plugin <= 3.8.5 - Broken Access Control vulnerability 19.02.2026
CVE-2026-25385 WordPress URL Shortify plugin <= 1.12.3 - Server Side Request Forgery (SSRF) vulnerability 19.02.2026
CVE-2026-25386 WordPress Ally plugin <= 4.0.2 - Broken Access Control vulnerability 19.02.2026
CVE-2026-25387 WordPress Image Optimizer by Elementor plugin <= 1.7.1 - Broken Access Control vulnerability 19.02.2026
CVE-2026-25388 WordPress Ads Pro plugin <= 5.0 - Broken Access Control vulnerability 19.02.2026
CVE-2026-25389 WordPress EventPrime plugin <= 4.2.8.3 - Sensitive Data Exposure vulnerability 19.02.2026
CVE-2026-25391 WordPress WP Wand plugin <= 1.3.07 - Broken Access Control vulnerability 19.02.2026
CVE-2026-25392 WordPress Update URLs – Quick and Easy way to search old links and replace them with new links in WordPress plugin <= 1.4.0 - Open Redirection vulnerability 19.02.2026
CVE-2026-25393 WordPress Hello FSE theme <= 1.0.6 - Broken Access Control vulnerability 19.02.2026
CVE-2026-25394 WordPress Fitness FSE theme <= 1.0.6 - Broken Access Control vulnerability 19.02.2026
CVE-2026-25395 WordPress Business Roy theme <= 1.1.4 - Broken Access Control vulnerability 19.02.2026
CVE-2026-25399 WordPress Serious Slider plugin <= 1.2.7 - Broken Access Control vulnerability 19.02.2026
CVE-2026-25402 WordPress Knowledge Base for Documentation, FAQs with AI Assistance plugin <= 16.011.0 - Broken Access Control vulnerability 19.02.2026
CVE-2026-25404 WordPress WP Job Manager plugin <= 2.4.0 - Broken Access Control vulnerability 19.02.2026
CVE-2026-25407 WordPress Cookiebot plugin <= 4.6.4 - Broken Access Control vulnerability 19.02.2026
CVE-2026-25408 WordPress Broken Link Notifier plugin <= 1.3.5 - Broken Access Control vulnerability 19.02.2026
CVE-2026-25409 WordPress JAMstack Deployments plugin <= 1.1.1 - Broken Access Control vulnerability 19.02.2026
CVE-2026-25410 WordPress WP-CORS plugin <= 0.2.2 - Broken Access Control vulnerability 19.02.2026
CVE-2026-25411 WordPress Revision Manager TMC plugin <= 2.8.22 - Cross Site Request Forgery (CSRF) vulnerability 19.02.2026
CVE-2026-25412 WordPress Advanced iFrame plugin <= 2025.10 - Broken Access Control vulnerability 19.02.2026
CVE-2026-25415 WordPress WPBookit Pro plugin <= 1.6.18 - Broken Access Control vulnerability 19.02.2026
CVE-2026-25416 WordPress News Kit Elementor Addons plugin <= 1.4.2 - Broken Access Control vulnerability 19.02.2026
CVE-2026-25418 WordPress Bit Form plugin <= 2.21.10 - SQL Injection vulnerability 19.02.2026
CVE-2026-25419 WordPress UpsellWP plugin <= 2.2.3 - Broken Access Control vulnerability 19.02.2026
CVE-2026-25420 WordPress MailerLite plugin <= 1.7.18 - Broken Access Control vulnerability 19.02.2026
CVE-2026-25422 WordPress Popularis Extra plugin <= 1.2.10 - Cross Site Request Forgery (CSRF) vulnerability 19.02.2026
CVE-2026-25423 WordPress Real 3D FlipBook plugin <= 4.16.4 - Broken Access Control vulnerability 19.02.2026
CVE-2026-25428 WordPress TS Poll plugin <= 2.5.5 - Server Side Request Forgery (SSRF) vulnerability 19.02.2026
CVE-2026-25432 WordPress Omnipress plugin <= 1.6.7 - Cross Site Scripting (XSS) vulnerability 19.02.2026
CVE-2026-25441 WordPress LeadConnector plugin <= 3.0.21 - Broken Access Control vulnerability 19.02.2026
CVE-2026-25451 WordPress Bold Page Builder plugin <= 5.6.4 - Cross Site Scripting (XSS) vulnerability 19.02.2026
CVE-2026-25453 WordPress Advanced iFrame plugin <= 2025.10 - Cross Site Scripting (XSS) vulnerability 19.02.2026
CVE-2026-25459 WordPress Sober theme <= 3.5.12 - Broken Access Control vulnerability 19.02.2026
CVE-2026-25463 WordPress Wpresidence Core plugin <= 5.4.0 - Cross Site Scripting (XSS) vulnerability 19.02.2026
CVE-2026-25472 WordPress Fusion Builder plugin <= 3.14.3 - Cross Site Scripting (XSS) vulnerability 19.02.2026
CVE-2026-25473 WordPress WZone plugin <= 14.0.31 - Broken Access Control vulnerability 19.02.2026
CVE-2026-26359 19.02.2026 8.8
CVE-2026-26360 19.02.2026 8.1
CVE-2026-27042 WordPress NotificationX plugin <= 3.2.1 - Broken Access Control vulnerability 19.02.2026
CVE-2026-27050 WordPress RealPress plugin <= 1.1.0 - Cross Site Request Forgery (CSRF) vulnerability 19.02.2026
CVE-2026-27052 WordPress Sales Countdown Timer for WooCommerce and WordPress plugin <= 1.1.8.1 - Local File Inclusion vulnerability 19.02.2026
CVE-2026-27055 WordPress Penci AI SmartContent Creator plugin <= 2.0 - Broken Access Control vulnerability 19.02.2026
CVE-2026-27057 WordPress Penci Filter Everything plugin <= 1.7 - Cross Site Scripting (XSS) vulnerability 19.02.2026
CVE-2026-27058 WordPress Penci Podcast plugin <= 1.7 - Cross Site Scripting (XSS) vulnerability 19.02.2026
CVE-2026-27059 WordPress Penci Recipe plugin <= 4.1 - Cross Site Scripting (XSS) vulnerability 19.02.2026
CVE-2026-27066 WordPress Live sales notification for WooCommerce plugin <= 2.3.46 - Broken Access Control vulnerability 19.02.2026
CVE-2026-27069 WordPress Soledad theme <= 8.7.2 - Cross Site Scripting (XSS) vulnerability 19.02.2026
CVE-2026-27074 WordPress Shortcoder plugin <= 6.5.1 - Cross Site Scripting (XSS) vulnerability 19.02.2026
CVE-2026-27090 WordPress Kenta Companion plugin <= 1.3.3 - Cross Site Request Forgery (CSRF) vulnerability 19.02.2026
CVE-2026-27092 WordPress WPAdverts plugin <= 2.2.11 - Broken Access Control vulnerability 19.02.2026
CVE-2026-27094 WordPress CoBlocks plugin <= 3.1.16 - Cross Site Scripting (XSS) vulnerability 19.02.2026
CVE-2026-2735 Stored Cross-Site Scripting (XSS) vulnerability in Alkacon's OpenCms 19.02.2026
CVE-2026-2736 Reflected Cross-Site Scripting (XSS) vulnerability in Alkacon's OpenCms 19.02.2026
CVE-2026-26361 19.02.2026 6.5
CVE-2026-26362 19.02.2026 8.1
CVE-2026-27056 WordPress iThemes Sync plugin <= 3.2.8 - Broken Access Control vulnerability 19.02.2026
CVE-2026-2733 Org.keycloak/keycloak-services: keycloak: missing check on disabled client for docker registry protocol 19.02.2026
CVE-2026-2711 zhutoutoutousan worldquant-miner URL ssrf_proxy.py server-side request forgery 19.02.2026
CVE-2026-1994 s2Member <= 260127 - Unauthenticated Privilege Escalation via Account Takeover 19.02.2026 9.8
CVE-2026-2681 Github.com/supranational/blst: blst cryptographic library: denial of service via out-of-bounds stack write in key generation 19.02.2026
CVE-2026-2731 Unauthenticated RCE in Dynamicweb 9 and Dynamicweb 8 19.02.2026
CVE-2026-2709 busy Callback app.js redirect 19.02.2026
CVE-2026-2706 code-projects Patient Record Management System fecalysis_not.php sql injection 19.02.2026
CVE-2026-2705 Open Babel MOL2 File atom.h SetFormalCharge out-of-bounds 19.02.2026
CVE-2025-12975 CTX Feed – WooCommerce Product Feed Manager <= 6.6.11 - Missing Authorization to Authenticated (Shop Manager+) Arbitrary Plugin Installation 19.02.2026 7.2
CVE-2025-13091 Shopire <= 1.0.57 - Missing Authorization to Authenticated (Subscriber+) Limited Plugin Install 19.02.2026 4.3
CVE-2025-13413 Country Blocker for AdSense <= 1.0 - Cross-Site Request Forgery to Settings Update 19.02.2026 4.3
CVE-2025-13438 Page Title, Description & Open Graph Updater <= 1.02 - Cross-Site Request Forgery to Arbitrary Page Title Modification 19.02.2026 4.3
CVE-2025-13563 Lizza LMS Pro <= 1.0.3 - Unauthenticated Privilege Escalation 19.02.2026 9.8
CVE-2025-13587 Two Factor (2FA) Authentication via Email <= 1.9.8 - Two-Factor Authentication Bypass via token 19.02.2026 6.5
CVE-2025-13603 WP AUDIO GALLERY <= 2.0 - Authenticated (Subscriber+) Arbitrary File Read via .htaccess Manipulation 19.02.2026 8.8
CVE-2025-13612 Album and Image Gallery Plus Lightbox <= 2.1.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Plugin's Shortcode 19.02.2026 6.4
CVE-2025-13617 Apollo13 Framework Extension <= 1.9.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via `a13_alt_link` Parameter 19.02.2026 6.4
CVE-2025-13732 s2Member <= 251005 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode 19.02.2026 6.4
CVE-2025-13738 Easy Table of Contents <= 2.0.78 - Authenticated (Contributor+) Stored Cross-Site Scripting 19.02.2026 6.4
CVE-2025-13842 Breadcrumb NavXT <= 7.5.0 - Missing Authorization to Sensitive Information Exposure 19.02.2026 5.3
CVE-2025-13851 Buyent Theme (with Buyent Classified Plugin) <= 1.0.7 - Unauthenticated Privilege Escalation via User Registration 19.02.2026 9.8
CVE-2025-13864 Breeze – WordPress Cache Plugin <= 2.2.21 - Missing Authorization to Cache Deletion 19.02.2026 5.3
CVE-2025-13930 Checkout Field Manager (Checkout Manager) for WooCommerce <= 7.8.5 - Missing Authorization to Unauthenticated Arbitrary Attachment Deletion 19.02.2026 5.3
CVE-2025-14076 iXML – Google XML sitemap generator <= 0.6 - Reflected Cross-Site Scripting via 'iXML_email' Parameter 19.02.2026 6.1
CVE-2025-14167 Remove Post Type Slug <= 1.0.2 - Cross-Site Request Forgery to Settings Update 19.02.2026 4.3
CVE-2025-14270 OneClick Chat to Order <= 1.0.9 - Missing Authorization to Authenticated (Editor+) Plugin Settings Update 19.02.2026 2.7
CVE-2025-14294 Razorpay for WooCommerce <= 4.7.8 - Missing Authentication to Unauthenticated Order Modification 19.02.2026 5.3
CVE-2025-14342 SEO Plugin by Squirrly SEO <= 12.4.14 - Missing Authorization to Authenticated (Subscriber+) Cloud Service Disconnection 19.02.2026 4.3
CVE-2025-14357 Mega Store Woocommerce <= 5.9 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Page Creation and Settings Change 19.02.2026 5.3
CVE-2025-14427 Shield Security: Blocks Bots, Protects Users, and Prevents Security Breaches <= 21.0.9 - Missing Authorization to Authenticated (Subscriber+) Email MFA Update 19.02.2026 4.3
CVE-2025-14445 Image Hotspot by DevVN <= 1.2.9 - Authenticated (Author+) Stored Cross-Site Scripting via Custom Field Meta 19.02.2026 6.4
CVE-2025-14452 WP Customer Reviews <= 3.7.5 - Reflected Cross-Site Scripting via 'wpcr3_fname' Parameter 19.02.2026 7.2
CVE-2025-14851 YaMaps for WordPress <= 0.6.40 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Parameters 19.02.2026 6.4
CVE-2025-14864 Virusdie <= 1.1.7 - Missing Authorization to Authenticated (Subscriber+) API Key Disclosure 19.02.2026 4.3
CVE-2025-14983 Advanced Custom Fields: Font Awesome <= 5.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting 19.02.2026 6.4
CVE-2025-15041 BackWPup <= 5.6.2 - Authenticated (BackWPup Helper+) Privilege Escalation via Arbitrary Options Update 19.02.2026 7.2
CVE-2025-4521 IDonate 2.1.5 - 2.1.9 - Missing Authorization to Authenticated (Subscriber+) Account Takeover/Privilege Escalation via idonate_donor_profile Function 19.02.2026 8.8
CVE-2026-0549 Groups <= 3.10.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'groups_group_info' Shortcode 19.02.2026 6.4
CVE-2026-0556 XO Event Calendar <= 3.2.10 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'xo_event_field' shortcode 19.02.2026 6.4
CVE-2026-0561 Shield Security <= 21.0.8 - Unauthenticated Reflected Cross-Site Scripting via 'message' Parameter 19.02.2026 6.1
CVE-2026-0722 Shield Security <= 21.0.8 - Cross-Site Request Forgery to SQL Injection 19.02.2026 6.5
CVE-2026-0912 Toret Manager <= 1.2.7 - Authenticated (Subscriber+) Arbitrary Options Update via AJAX actions 19.02.2026 8.8
CVE-2026-0926 Prodigy Commerce <= 3.2.9 - Unauthenticated Local File Inclusion via parameters[template_name] 19.02.2026 9.8
CVE-2026-0974 Orderable <= 1.20.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Installation 19.02.2026 8.8
CVE-2026-1043 PostmarkApp Email Integrator <= 2.4 - Authenticated (Administrator+) Stored Cross-Site Scripting via Plugin Settings 19.02.2026 4.4
CVE-2026-1044 Tennis Court Bookings <= 1.2.7 - Authenticated (Administrator+) Stored Cross-Site Scripting via Admin Settings and Calendar Parameters 19.02.2026 4.4
CVE-2026-1047 salavat counter Plugin <= 0.9.5 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'image_url' Parameter 19.02.2026 4.4
CVE-2026-1055 TalkJS <= 0.1.15 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'welcomeMessage' Parameter 19.02.2026 4.4
CVE-2026-1373 Easy Author Image <= 1.7 - Authenticated (Subscriber+) Stored Cross-Site Scripting via Profile Picture URL 19.02.2026 6.4
CVE-2026-1405 Slider Future <= 1.0.5 - Unauthenticated Arbitrary File Upload 19.02.2026 9.8
CVE-2026-1455 Whatsiplus Scheduled Notification for Woocommerce <= 1.0.1 - Cross-Site Request Forgery to 'wsnfw_save_users_settings' AJAX Action 19.02.2026 4.3
CVE-2026-1646 Advance Block Extend <= 1.0.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via TitleColor Block Attribute 19.02.2026 6.4
CVE-2026-2282 Slidorion <= 1.0.2 - Authenticated (Administrator+) Stored Cross-Site Scripting via Slidorion Settings 19.02.2026 4.4
CVE-2026-2284 News Element Elementor Blog Magazine <= 1.0.8 - Missing Authorization to Authenticated (Subscriber+) Data Loss 19.02.2026 5.4
CVE-2026-2502 xmlrpc attacks blocker <= 1.0 - Unauthenticated Stored Cross-Site Scripting via 'X-Forwarded-For' 19.02.2026 6.1
CVE-2026-2504 Dealia – Request a quote <= 1.0.6 - Missing Authorization to Authenticated (Contributor+) Plugin Configuration Reset 19.02.2026 4.3
CVE-2026-2704 Open Babel CIF File transform3d.cpp DescribeAsString out-of-bounds 19.02.2026
CVE-2025-11706 Aruba HiSpeed Cache <= 3.0.2 - Reflected Cross-Site Scripting 19.02.2026 6.1
CVE-2025-11725 Aruba HiSpeed Cache <= 3.0.2 - Missing Authorization to Unauthenticated Plugin's Settings Modification 19.02.2026 6.5
CVE-2025-11754 Cookie Banner, Cookie Consent, Consent Log, Cookie Scanner, Script Blocker (for GDPR, CCPA & ePrivacy) : WP Cookie Consent <= 4.1.2 - Missing Authorization to Sensitive Information Exposure 19.02.2026 7.5
CVE-2025-12027 Mesmerize Companion <= 1.6.158 - Missing Authorization Authenticated (Subscriber+) Settings Update 19.02.2026 4.3
CVE-2025-12081 ACF Photo Gallery Field <= 3.0 - Missing Authorization to Authenticated (Subscriber+) Attachment Metadata Modification 19.02.2026 4.3
CVE-2025-12116 Drift <= 1.5.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Post Title 19.02.2026 6.4
CVE-2025-12117 Renden <= 1.8.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Post Title 19.02.2026 6.4
CVE-2025-12172 Mailchimp List Subscribe Form <= 2.0.0 - Cross-Site Request Forgery to Mailchimp List Change 19.02.2026 4.3
CVE-2025-12375 Printful Integration for WooCommerce <= 2.2.11 - Authenticated (Contributor+) Server-Side Request Forgery 19.02.2026 6.4
CVE-2025-12448 Smartsupp – live chat, AI shopping assistant and chatbots <= 3.9.1 - Authenticated (Subscriber+) Stored Cross-Site Scripting 19.02.2026 6.4
CVE-2025-12451 Easy SVG Support <= 4.0 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload 19.02.2026 6.1
CVE-2025-12500 Checkout Field Manager (Checkout Manager) for WooCommerce <= 7.8.1 - Unauthenticated Limited File Upload 19.02.2026 5.3
CVE-2025-12707 Library Management System <= 3.2.1 - Unauthenticated SQL Injection 19.02.2026 7.5
CVE-2025-12821 NewsBlogger <= 0.2.5.6 - 0.2.6.1 - Cross-Site Request Forgery to Arbitrary Plugin Installation 19.02.2026 8.8
CVE-2025-12845 Tablesome Table – Contact Form DB – WPForms, CF7, Gravity, Forminator, Fluent 0.5.4 - 1.2.1 - Missing Authorization to Authenticated (Subscriber+) Information Exposure and Privilege Escalation 19.02.2026 8.8
CVE-2025-12882 Clasifico Listing <= 2.0 - Unauthenticated Privilege Escalation 19.02.2026 9.8
CVE-2025-12884 Advanced Ads – Ad Manager & AdSense <= 2.0.14 - Missing Authorization to Authenticated (Subscriber+) Ad Placements Update 19.02.2026 4.3
CVE-2025-13048 Official StatCounter Plugin <= 2.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Nickname 19.02.2026 6.4
CVE-2025-13079 Popup Builder - Create highly converting, mobile friendly marketing popups. <= 4.4.2 - Improper Authorization to Unauthenticated Subscriber Removal via Predictable Tokens 19.02.2026 5.3
CVE-2025-13113 Web Accessibility by accessiBe <= 2.11 - Unauthenticated Sensitive Information Exposure 19.02.2026 5.3
CVE-2025-15586 19.02.2026
CVE-2026-2702 Beetel 777VR1 WPA2 PSK hard-coded credentials 19.02.2026
CVE-2026-2703 xlnt-community xlnt Encrypted XLSX File base64.cpp decode_base64 off-by-one 19.02.2026
CVE-2026-25229 Gogs Authorization Bypass Allows Cross-Repository Label Modification 19.02.2026
CVE-2026-25232 Gogs has a Protected Branch Deletion Bypass in Web Interface 19.02.2026
CVE-2026-25242 Gogs allows unauthenticated file uploads 19.02.2026
CVE-2026-25474 OpenClaw has a Telegram webhook request forgery (missing `channels.telegram.webhookSecret`) → auth bypass 19.02.2026 7.5
CVE-2026-2693 CoCoTeaNet CyreneAdmin System Info Endpoint getCount improper authorization 19.02.2026
CVE-2025-4960 macOS Local Privilege Escalation via Improper Authorization Handling in EPSON Printer Controller Installer 19.02.2026 7.8
CVE-2026-25120 Gogs Allows Cross-Repository Comment Deletion via DeleteComment 19.02.2026
CVE-2026-2691 itsourcecode Event Management System manage_register.php sql injection 19.02.2026
CVE-2026-2692 CoCoTeaNet CyreneAdmin Image getAvatar path traversal 19.02.2026
CVE-2026-24764 OpenClaw has Remote Code Execution via System Prompt Injection in Slack Channel Descriptions 19.02.2026 3.7
CVE-2026-2690 itsourcecode Event Management System Admin Login ajax.php sql injection 19.02.2026