CVE Vulnerabilities
CVE vulnerability database enriched with CISA KEV and NVD data
| CVE ID | CVSS | Severity | KEV | Sightings |
|---|---|---|---|---|
| CVE-2026-1454 The Responsive Contact Form Builder & Lead Generation Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.0.1 via form field submissions. T... | 7.2 | HIGH | β | 0 |
| CVE-2026-3876 The Prismatic plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'prismatic_encoded' pseudo-shortcode in all versions up to, and including, 3.7.3. This is due to insufficient in... | 7.2 | HIGH | β | 0 |
| CVE-2026-1931 The Rent Fetch plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'keyword' parameter in all versions up to, and including, 0.32.4 due to insufficient input sanitization and out... | 7.2 | HIGH | β | 0 |
| CVE-2026-4388 The Form Maker by 10Web plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Matrix field (Text Box input type) in form submissions in all versions up to, and including, 1.15.40. ... | 7.2 | HIGH | β | 0 |
| CVE-2026-21893 n8n is an open source workflow automation platform. From version 0.187.0 to before 1.120.3, a command injection vulnerability was identified in n8nβs community package installation functionality. The ... | 7.2 | HIGH | β | 0 |
| CVE-2026-26045 A flaw was identified in Moodleβs backup restore functionality where specially crafted backup files were not properly validated during processing. If a malicious backup file is restored, it could lead... | 7.2 | HIGH | β | 0 |
| CVE-2026-1216 The RSS Aggregator plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'template' parameter in all versions up to, and including, 5.0.10 due to insufficient input sanitization... | 7.2 | HIGH | β | 0 |
| CVE-2025-14675 The Meta Box plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'ajax_delete_file' function in all versions up to, and including, 5.11.1. Thi... | 7.2 | HIGH | β | 0 |
| CVE-2026-26892 Sourcecodester Logistic Hub Parcel's Management System v1.0 is vulnerable to SQL Injection in /manage_carrier.php. | 7.2 | HIGH | β | 0 |
| CVE-2026-1945 The WPBookit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wpb_user_name' and 'wpb_user_email' parameters in all versions up to, and including, 1.0.8 due to insufficient i... | 7.2 | HIGH | β | 0 |
| CVE-2026-26325 OpenClaw is a personal AI assistant. Prior to version 2026.2.14, a mismatch between `rawCommand` and `command[]` in the node host `system.run` handler could cause allowlist/approval evaluation to be p... | 7.2 | HIGH | β | 0 |
| CVE-2026-3352 The Easy PHP Settings plugin for WordPress is vulnerable to PHP Code Injection in all versions up to, and including, 1.0.4 via the `update_wp_memory_constants()` method. This is due to insufficient in... | 7.2 | HIGH | β | 0 |
| CVE-2019-25395 Smoothwall Express 3.1-SP4-polar-x86_64-update9 contains multiple stored cross-site scripting vulnerabilities in the preferences.cgi script that allow attackers to inject malicious scripts through the... | 7.2 | HIGH | β | 0 |
| CVE-2026-6227 The BackWPup plugin for WordPress is vulnerable to Local File Inclusion via the `block_name` parameter of the `/wp-json/backwpup/v1/getblock` REST endpoint in all versions up to, and including, 5.6.6 ... | 7.2 | HIGH | β | 0 |
| CVE-2019-25394 Smoothwall Express 3.1-SP4-polar-x86_64-update9 contains multiple stored cross-site scripting vulnerabilities in the modem.cgi script that allow attackers to inject malicious scripts through POST para... | 7.2 | HIGH | β | 0 |
| CVE-2025-63911 Cohesity TranZman Migration Appliance Release 4.0 Build 14614 was discovered to contain an authenticated command injection vulnerability. | 7.2 | HIGH | β | 0 |
| CVE-2026-37748 Visitor Management System 1.0 by sanjay1313 is vulnerable to Unrestricted File Upload in vms/php/admin_user_insert.php and vms/php/update_1.php. The move_uploaded_file() function is called without any... | 7.2 | HIGH | β | 0 |
| CVE-2026-27178 MajorDoMo (aka Major Domestic Module) contains a stored cross-site scripting (XSS) vulnerability through method parameter injection into the shoutbox. The /objects/?method= endpoint allows unauthentic... | 7.2 | HIGH | β | 0 |
| CVE-2026-1074 The WP App Bar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'app-bar-features' parameter in all versions up to, and including, 1.5. This is due to insufficient input sanit... | 7.2 | HIGH | β | 0 |
| CVE-2026-39467 Deserialization of Untrusted Data vulnerability in MetaSlider Responsive Slider by MetaSlider allows Object Injection.This issue affects Responsive Slider by MetaSlider: from n/a through 3.106.0. | 7.2 | HIGH | β | 0 |
| CVE-2026-26046 A vulnerability was found in a Moodle TeX filter administrative setting where insufficient sanitization of configuration input could allow command injection. On sites where the TeX filter is enabled a... | 7.2 | HIGH | β | 0 |
| CVE-2026-3017 The Smart Post Show β Post Grid, Post Carousel & Slider, and List Category Posts plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.0.12 via deserializa... | 7.2 | HIGH | β | 0 |
| CVE-2026-5231 The WP Statistics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'utm_source' parameter in all versions up to, and including, 14.16.4. This is due to insufficient input sani... | 7.2 | HIGH | β | 0 |
| CVE-2026-1459 A post-authentication command injection vulnerability in the TR-369 certificate download CGI program of the ZyxelΒ VMG3625-T50B firmware versions throughΒ 5.50(ABPM.9.7)C0 could allow an authenticated a... | 7.2 | HIGH | β | 0 |
| CVE-2019-25379 Smoothwall Express 3.1-SP4-polar-x86_64-update9 contains stored and reflected cross-site scripting vulnerabilities in the urlfilter.cgi endpoint that allow attackers to inject malicious scripts. Attac... | 7.2 | HIGH | β | 0 |
| CVE-2026-2365 The Fluent Forms Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `fluentform_step_form_save_data` AJAX action in all versions up to, and including, 6.1.17. This is due to... | 7.2 | HIGH | β | 0 |
| CVE-2026-34188 Improper Neutralization of Special Elements used in an OS Command vulnerability allows OS Command Injection via Event Response execution. This issue affects Pandora FMS: from 777 through 800 | 7.2 | HIGH | β | 0 |
| CVE-2026-3231 The Checkout Field Editor (Checkout Manager) for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via custom radio and checkboxgroup field values submitted through the Woo... | 7.2 | HIGH | β | 0 |
| CVE-2026-5627 A path traversal vulnerability exists in mintplex-labs/anything-llm versions up to and including 1.9.1, within the `AgentFlows` component. The vulnerability arises from improper handling of user input... | 7.2 | HIGH | β | 0 |
| CVE-2026-30804 Unrestricted Upload of File with Dangerous Type vulnerability allows Remote Code Execution via file upload. This issue affects Pandora FMS: from 777 through 800 | 7.2 | HIGH | β | 0 |
| CVE-2026-1937 The YayMail β WooCommerce Email Customizer plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the `yayma... | 7.2 | HIGH | β | 0 |
| CVE-2026-23898 Lack of input validation leads to an arbitrary file deletion vulnerability in the autoupdate server mechanism. | 7.2 | HIGH | β | 0 |
| CVE-2026-6483 A vulnerability was found in Wavlink WL-WN530H4 20220721. This vulnerability affects the function strcat/snprintf of the file /cgi-bin/internet.cgi. The manipulation results in os command injection. I... | 7.2 | HIGH | β | 0 |
| CVE-2026-1841 The PixelYourSite β Your smart PIXEL (TAG) & API Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'pysTrafficSource' parameter and the 'pys_landing_page' parameter in ... | 7.2 | HIGH | β | 0 |
| CVE-2026-33273 Unrestricted upload of file with dangerous type issue exists in MATCHA INVOICE 2.6.6 and earlier. If this vulnerability is exploited, an arbitrary file may be created by an administrator of the produc... | 7.2 | HIGH | β | 0 |
| CVE-2026-4808 The Gerador de Certificados β DevApps plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the moveUploadedFile() function in all versions up to, and inc... | 7.2 | HIGH | β | 0 |
| CVE-2026-33906 Ella Core is a 5G core designed for private networks. Prior to version 1.7.0, the NetworkManager role was granted backup and restore permission. The restore endpoint accepted any valid SQLite file wit... | 7.2 | HIGH | β | 0 |
| CVE-2026-39343 ChurchCRM is an open-source church management system. Prior to 7.1.0, a SQL injection vulnerability exists in the EditEventTypes.php file, which is only accessible to administrators. The EN_tyid POST ... | 7.2 | HIGH | β | 0 |
| CVE-2026-34724 Zammad is a web based open source helpdesk/customer support system. Prior to 7.0.1, a server-side template injection vulnerability which leads to RCE via AI Agent exists. Impact is limited to environ... | 7.2 | HIGH | β | 0 |
| CVE-2026-5464 The ExactMetrics β Google Analytics Dashboard for WordPress (Website Stats Plugin) plugin for WordPress is vulnerable to unauthorized arbitrary plugin installation and activation in all versions up to... | 7.2 | HIGH | β | 0 |
| CVE-2026-35476 InvenTree is an Open Source Inventory Management System. Prior to 1.2.7 and 1.3.0, a non-staff authenticated user can elevate their account to a staff level via a POST request against their user accou... | 7.2 | HIGH | β | 0 |
| CVE-2026-26943 Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.6, LTS2025 release version 8.3.1.0 through 8.3.1.20, LTS2024 release versions 7.13.1.0 through 7.13.1.60 contain an OS command injection vulne... | 7.2 | HIGH | β | 0 |
| CVE-2026-24506 Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.6, LTS2025 release version 8.3.1.0 through 8.3.1.20, LTS2024 release versions 7.13.1.0 through 7.13.1.60 contain an OS command injection vulne... | 7.2 | HIGH | β | 0 |
| CVE-2026-24505 Dell PowerProtect Data Domain, versions 8.5 through 8.6 contain an improper input validation vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability, ... | 7.2 | HIGH | β | 0 |
| CVE-2026-24504 Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.6, LTS2025 release version 8.3.1.0 through 8.3.1.20, LTS2024 release versions 7.13.1.0 through 7.13.1.60 contain an improper input validation ... | 7.2 | HIGH | β | 0 |
| CVE-2026-1343 IBM Verify Identity Access Container 11.0 through 11.0.2 and IBM Security Verify Access Container 10.0 through 10.0.9.1 and IBM Verify Identity Access 11.0 through 11.0.2 and IBM Security Verify Acces... | 7.2 | HIGH | β | 0 |
| CVE-2026-39971 Serendipity is a PHP-powered weblog engine. In versions 2.6-beta2 and below, the email sending functionality in include/functions.inc.php inserts $_SERVER['HTTP_HOST'] directly into the Message-ID SMT... | 7.2 | HIGH | β | 0 |
| CVE-2026-23774 Dell PowerProtect Data Domain with Data Domain Operating System (DD OS) of Feature Release versions 7.7.1.0 through 8.5, LTS2025 release version 8.3.1.0 through 8.3.1.10, LTS2024 release versions 7.13... | 7.2 | HIGH | β | 0 |
| CVE-2026-33881 Windmill is an open-source developer platform for internal code: APIs, background jobs, workflows and UIs. Workspace environment variable values are interpolated into JavaScript string literals withou... | 7.2 | HIGH | β | 0 |
| CVE-2026-37344 SourceCodester Vehicle Parking Area Management System v1.0 is vulnerable to SQL Injection in the file /parking/manage_location.php. | 7.2 | HIGH | β | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.