CVE Vulnerabilities
CVE vulnerability database enriched with CISA KEV and NVD data
| CVE ID | CVSS | Severity | KEV | Sightings |
|---|---|---|---|---|
| CVE-2025-15581 Orthanc versions before 1.12.10 are affected by an authorisation logic flaw in the application'sΒ HTTP Basic Authentication implementation. Successful exploitation could result in Privilege Escalatio... | N/A | NONE | β | 0 |
| CVE-2026-24745 InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability occurs in the upload Login Logo functions of Invoi... | 5.7 | MEDIUM | β | 0 |
| CVE-2026-25548 InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A critical Remote Code Execution (RCE) vulnerability exists in InvoicePlane 1.7.0 through a chained ... | 9.1 | CRITICAL | β | 0 |
| CVE-2026-25594 InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability exists in InvoicePlane 1.7.0 via the Family Name f... | 4.8 | MEDIUM | β | 0 |
| CVE-2026-25595 InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability exists in InvoicePlane 1.7.0 via the Invoice Numbe... | 4.8 | MEDIUM | β | 0 |
| CVE-2026-25596 InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability exists in InvoicePlane 1.7.0 via the Product Unit ... | 4.8 | MEDIUM | β | 0 |
| CVE-2026-26270 InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability exists in InvoicePlane (latest version) that allow... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-26281 InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A stored cross-site scripting (XSS) vulnerability in the Sumex invoice view allows an authenticated ... | 4.4 | MEDIUM | β | 0 |
| CVE-2026-25335 Missing Authorization vulnerability in Ays Pro Secure Copy Content Protection and Content Locking secure-copy-content-protection allows Exploiting Incorrectly Configured Access Control Security Levels... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-2676 A weakness has been identified in GoogTech sms-ssm up to e8534c766fd13f5f94c01dab475d75f286918a8d. Affected by this issue is the function preHandle of the file LoginInterceptor.java of the component A... | 6.3 | MEDIUM | β | 0 |
| CVE-2026-2682 A vulnerability has been found in Tsinghua Unigroup Electronic Archives System up to 3.2.210802(62532). Impacted is an unknown function of the file /mine/PublicReport/prinReport.html?token=java. Such ... | 6.3 | MEDIUM | β | 0 |
| CVE-2026-2683 A vulnerability was found in Tsinghua Unigroup Electronic Archives System 3.2.210802(62532). The affected element is an unknown function of the file /Using/Subject/downLoad.html. Performing a manipula... | 4.3 | MEDIUM | β | 0 |
| CVE-2025-15585 Fileflows versions before 25.05.2 are affected by an authenticated SQL injection vulnerability in the library-file search function. Successful exploitation requires the system to use MySQL as the unde... | N/A | NONE | β | 0 |
| CVE-2026-24126 Weblate is a web based localization tool. Prior to 5.16.0, the SSH management console did not validate the passed input while adding the SSH host key, which could lead to an argument injection to `ssh... | 6.6 | MEDIUM | β | 0 |
| CVE-2026-25926 Notepad++ is a free and open-source source code editor. An Unsafe Search Path vulnerability (CWE-426) exists in versions prior to 8.9.2 when launching Windows Explorer without an absolute executable p... | 7.3 | HIGH | β | 0 |
| CVE-2026-25336 Missing Authorization vulnerability in wpcoachify Coachify coachify allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Coachify: from n/a through <= 1.1.5. | 5.3 | MEDIUM | β | 0 |
| CVE-2025-12081 The ACF Photo Gallery Field plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the "acf_photo_gallery_edit_save" function in all versions up t... | 4.3 | MEDIUM | β | 0 |
| CVE-2025-12116 The Drift theme for WordPress is vulnerable to Stored Cross-Site Scripting via the post title in all versions up to, and including, 1.5.0 due to insufficient input sanitization and output escaping. Th... | 6.4 | MEDIUM | β | 0 |
| CVE-2025-12117 The Renden theme for WordPress is vulnerable to Stored Cross-Site Scripting via the post title in all versions up to, and including, 1.8.1 due to insufficient input sanitization and output escaping. T... | 6.4 | MEDIUM | β | 0 |
| CVE-2025-12172 The Mailchimp List Subscribe Form plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.0. This is due to missing or incorrect nonce validation on ... | 4.3 | MEDIUM | β | 0 |
| CVE-2025-12375 The Printful Integration for WooCommerce plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.2.11 via the advanced size chart REST API endpoint. T... | 6.4 | MEDIUM | β | 0 |
| CVE-2025-12884 The Advanced Ads β Ad Manager & AdSense plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 2.0.14. This is due to the plugin not properly verifying that a use... | 4.3 | MEDIUM | β | 0 |
| CVE-2025-12975 The CTX Feed β WooCommerce Product Feed Manager plugin for WordPress is vulnerable to unauthorized arbitrary plugin installation due to a missing capability check on the woo_feed_plugin_installing() f... | 7.2 | HIGH | β | 0 |
| CVE-2025-13048 The StatCounter β Free Real Time Visitor Stats plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the user's Nickname in all versions up to, and including, 2.1.0 due to insufficient... | 6.4 | MEDIUM | β | 0 |
| CVE-2025-13079 The Popup Builder β Create highly converting, mobile friendly marketing popups. plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.4.2. This is due to t... | 5.3 | MEDIUM | β | 0 |
| CVE-2025-13091 The Shopire theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the shopire_admin_install_plugin() function in all versions up to, and including... | 4.3 | MEDIUM | β | 0 |
| CVE-2025-13113 The Web Accessibility by accessiBe plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.11. This is due to the `accessibe_render_js_in_footer()`... | 5.3 | MEDIUM | β | 0 |
| CVE-2025-13413 The Country Blocker for AdSense plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing nonce validation on the CBFA_guardar_... | 4.3 | MEDIUM | β | 0 |
| CVE-2025-13438 The Page Title, Description & Open Graph Updater plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.02. This is due to missing nonce validation on... | 4.3 | MEDIUM | β | 0 |
| CVE-2025-13563 The Lizza LMS Pro plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.0.3. This is due to the 'lizza_lms_pro_register_user_front_end' function not restri... | 9.8 | CRITICAL | β | 0 |
| CVE-2025-13587 The Two Factor (2FA) Authentication via Email plugin for WordPress is vulnerable to Two-Factor Authentication Bypass in versions up to, and including, 1.9.8. This is because the SS88_2FAVE::wp_login()... | 6.5 | MEDIUM | β | 0 |
| CVE-2025-13603 The WP AUDIO GALLERY plugin for WordPress is vulnerable to Unauthorized Arbitrary File Read in all versions up to, and including, 2.0. This is due to insufficient capability checks and lack of nonce v... | 8.8 | HIGH | β | 0 |
| CVE-2025-13612 The Album and Image Gallery plus Lightbox plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `aigpl-gallery-album` shortcode in all versions up to, and including, 2.1.7... | 6.4 | MEDIUM | β | 0 |
| CVE-2025-13617 The Apollo13 Framework Extensions plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the βa13_alt_linkβ parameter in all versions up to, and including, 1.9.8 due to insufficient inp... | 6.4 | MEDIUM | β | 0 |
| CVE-2025-13732 The s2Member β Excellent for All Kinds of Memberships, Content Restriction Paywalls & Member Access Subscriptions plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 's2... | 6.4 | MEDIUM | β | 0 |
| CVE-2025-13738 The Easy Table of Contents plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `ez-toc` shortcode in all versions up to, and including, 2.0.78 due to insufficient input ... | 6.4 | MEDIUM | β | 0 |
| CVE-2025-13842 The Breadcrumb NavXT plugin for WordPress is vulnerable to authorization bypass through user-controlled key in versions up to and including 7.5.0. This is due to the Gutenberg block renderer trusting ... | 5.3 | MEDIUM | β | 0 |
| CVE-2025-13851 The Buyent Classified plugin for WordPress (bundled with Buyent theme) is vulnerable to privilege escalation via user registration in all versions up to, and including, 1.0.7. This is due to the plugi... | 9.8 | CRITICAL | β | 0 |
| CVE-2025-13864 The Breeze - WordPress Cache Plugin plugin for WordPress is vulnerable to unauthorized cache clearing in all versions up to, and including, 2.2.21. This is due to the REST API endpoint `/wp-json/breez... | 5.3 | MEDIUM | β | 0 |
| CVE-2025-13930 The Checkout Field Manager (Checkout Manager) for WooCommerce plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 7.8.5. This is due to the plugin not properly... | 5.3 | MEDIUM | β | 0 |
| CVE-2025-14427 The Shield Security: Blocks Bots, Protects Users, and Prevents Security Breaches plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `MfaEm... | 4.3 | MEDIUM | β | 0 |
| CVE-2025-14445 The Image Hotspot by DevVN plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'hotspot_content' custom field meta in all versions up to, and including, 1.2.9 due to insufficient... | 6.4 | MEDIUM | β | 0 |
| CVE-2025-14452 The WP Customer Reviews plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'wpcr3_fname' parameter in all versions up to, and including, 3.7.5 due to insufficient input sanit... | 7.2 | HIGH | β | 0 |
| CVE-2025-14851 The YaMaps for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `yamap` shortcode parameters in all versions up to, and including, 0.6.40 due to insufficient input s... | 6.4 | MEDIUM | β | 0 |
| CVE-2025-14864 The Virusdie - One-click website security plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.1.7. This is due to missing capability checks on ... | 4.3 | MEDIUM | β | 0 |
| CVE-2025-14983 The Advanced Custom Fields: Font Awesome Field plugin for WordPress is vulnerable to Cross-Site Scripting in all versions up to, and including, 5.0.1 due to insufficient input sanitization and output ... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-0561 The Shield Security plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'message' parameter in all versions up to, and including, 21.0.8 due to insufficient input sanitization... | 6.1 | MEDIUM | β | 0 |
| CVE-2026-0722 The Shield Security plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 21.0.8. This is due to the plugin allowing nonce verification to be bypassed ... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-0974 The Orderable β WordPress Restaurant Online Ordering System and Food Ordering Plugin plugin for WordPress is vulnerable to unauthorized plugin installation due to a missing capability check on the 'in... | 8.8 | HIGH | β | 0 |
| CVE-2026-1455 The Whatsiplus Scheduled Notification for Woocommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.1. This is due to missing nonce validat... | 4.3 | MEDIUM | β | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.