CVE Vulnerabilities
CVE vulnerability database enriched with CISA KEV and NVD data
| CVE ID | CVSS | Severity | KEV | Sightings |
|---|---|---|---|---|
| CVE-2026-34516 AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, a response with an excessive number of multipart headers may be allowed to use more memory than... | 7.5 | HIGH | β | 0 |
| CVE-2026-34520 AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, the C parser (the default for most installs) accepted null bytes and control characters in resp... | 9.1 | CRITICAL | β | 0 |
| CVE-2026-2924 The Gutenverse β Ultimate WordPress FSE Blocks Addons & Ecosystem plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'imageLoad' parameter in versions up to, and including, 3.4.... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-2949 The Xpro Addons β 140+ Widgets for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Icon Box widget in versions up to, and including, 1.4.24 due to insufficient inpu... | 6.4 | MEDIUM | β | 0 |
| CVE-2025-13368 The Xpro Addons β 140+ Widgets for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Pricing Widget's 'onClick Event' setting in all versions up to, and including, 1.... | 6.4 | MEDIUM | β | 0 |
| CVE-2025-15064 The Ultimate Member β User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the user descri... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-0552 The Simple Shopping Cart plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wpsc_display_product' shortcode in all versions up to, and including, 5.2.4 due to insuffic... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-0664 The Royal Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'button_text' parameter in all versions up to, and including, 1.7.1049 due to insufficient inpu... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-0737 The WP Shortcodes Plugin - Shortcodes Ultimate plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 7.4.7. This is due to insufficient input sanitiza... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-0738 The WP Shortcodes Plugin - Shortcodes Ultimate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the su_carousel shortcode in all versions up to, and including, 7.4.8. This is due ... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-2600 The ElementsKit Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'ekit_tab_title' parameter in the Simple Tab widget in all versions up to, and ... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-4896 The WCFM β Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and inclu... | 8.1 | HIGH | β | 0 |
| CVE-2026-2437 The WP Travel Engine β Tour Booking Plugin β Tour Operator Software plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wte_trip_tax' shortcode in all versions up to, a... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-2826 The Kadence Blocks β Page Builder Toolkit for Gutenberg Editor plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.6.3. This is due to the plugin not pro... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-3445 The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content β ProfilePress plugin for WordPress is vulnerable to unauthorized membership payment bypass i... | 7.1 | HIGH | β | 0 |
| CVE-2026-5425 The Widgets for Social Photo Feed plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'feed_data' parameter keys in all versions up to, and including, 1.7.9 due to insufficient i... | 7.2 | HIGH | β | 0 |
| CVE-2026-32335 Missing Authorization vulnerability in raratheme The Conference the-conference allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects The Conference: from n/a throu... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-32336 Missing Authorization vulnerability in raratheme Rara Business rara-business allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Rara Business: from n/a through ... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-32349 Server-Side Request Forgery (SSRF) vulnerability in Andy Fragen Embed PDF Viewer embed-pdf-viewer allows Server Side Request Forgery.This issue affects Embed PDF Viewer: from n/a through <= 2.4.7. | 4.9 | MEDIUM | β | 0 |
| CVE-2026-32350 Missing Authorization vulnerability in wpradiant Chocolate House chocolate-house allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Chocolate House: from n/a th... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-32375 Missing Authorization vulnerability in raratheme Travel Diaries travel-diaries allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Travel Diaries: from n/a throu... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-32376 Missing Authorization vulnerability in raratheme Kalon kalon allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Kalon: from n/a through <= 1.2.9. | 5.3 | MEDIUM | β | 0 |
| CVE-2026-32377 Missing Authorization vulnerability in raratheme Pranayama Yoga pranayama-yoga allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Pranayama Yoga: from n/a throu... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-32378 Missing Authorization vulnerability in raratheme Book Landing Page book-landing-page allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Book Landing Page: from ... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-32379 Missing Authorization vulnerability in raratheme Rara Academic rara-academic allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Rara Academic: from n/a through ... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-32380 Missing Authorization vulnerability in raratheme Numinous numinous allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Numinous: from n/a through <= 1.3.0. | 5.3 | MEDIUM | β | 0 |
| CVE-2026-32381 Missing Authorization vulnerability in raratheme App Landing Page app-landing-page allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects App Landing Page: from n/a... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-32382 Missing Authorization vulnerability in raratheme Digital Download digital-download allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Digital Download: from n/a... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-32383 Missing Authorization vulnerability in raratheme Ridhi ridhi allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Ridhi: from n/a through <= 1.1.2. | 5.3 | MEDIUM | β | 0 |
| CVE-2026-32396 Missing Authorization vulnerability in RadiusTheme Team tlp-team allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Team: from n/a through <= 5.0.13. | 5.3 | MEDIUM | β | 0 |
| CVE-2026-32397 Missing Authorization vulnerability in YMC Filter & Grids ymc-smart-filter allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Filter & Grids: from n/a through <... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-32421 Missing Authorization vulnerability in Agile Logix Post Timeline post-timeline allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Post Timeline: from n/a throug... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-32422 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in levelfourdevelopment WP EasyCart wp-easycart allows Blind SQL Injection.This issue affects WP Easy... | 8.5 | HIGH | β | 0 |
| CVE-2026-32434 Missing Authorization vulnerability in vowelweb VW Fitness vw-fitness allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects VW Fitness: from n/a through <= 4.3.4. | 5.3 | MEDIUM | β | 0 |
| CVE-2026-32435 Missing Authorization vulnerability in vowelweb VW Pet Shop vw-pet-shop allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects VW Pet Shop: from n/a through <= 1.4.... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-32436 Missing Authorization vulnerability in vowelweb VW Photography vw-photography allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects VW Photography: from n/a throug... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-32437 Missing Authorization vulnerability in vowelweb VW Portfolio vw-portfolio allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects VW Portfolio: from n/a through <= 1... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-32451 Missing Authorization vulnerability in ThemeFusion Fusion Builder fusion-builder allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Fusion Builder: from n/a thr... | 6.3 | MEDIUM | β | 0 |
| CVE-2026-32452 Missing Authorization vulnerability in ThemeFusion Fusion Builder fusion-builder allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Fusion Builder: from n/a thr... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-32453 Missing Authorization vulnerability in ThemeFusion Avada Core fusion-core allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Avada Core: from n/a through < 5.15... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-32454 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeFusion Avada Core fusion-core allows DOM-Based XSS.This issue affects Avada Core: from n/a th... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-32775 libexif through 0.6.25 has a flaw in decoding MakerNotes. If the exif_mnote_data_get_value function gets passed in a 0 size, the passed in-buffer would be overwritten due to an integer underflow. | 7.4 | HIGH | β | 0 |
| CVE-2026-24062 The "Privileged Helper" component of the Arturia Software Center (MacOS) does not perform sufficient client code signature validation when a client connects.Β This leads to an attacker being able to co... | 7.8 | HIGH | β | 0 |
| CVE-2025-62043 Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in WPSight WPCasa allows DOM-Based XSS.This issue affects WPCasa: from n/a through 1.4.1. | 6.5 | MEDIUM | β | 0 |
| CVE-2025-67618 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ArtstudioWorks Brookside allows Reflected XSS.This issue affects Brookside: from n/a through 1.4. | 7.1 | HIGH | β | 0 |
| CVE-2026-27046 Missing Authorization vulnerability in Kaira StoreCustomizer woocustomizer allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects StoreCustomizer: from n/a through ... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-32504 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in CreativeWS VintWood vintwood allows PHP Local File Inclusion.This issue affects... | 8.1 | HIGH | β | 0 |
| CVE-2026-32511 Deserialization of Untrusted Data vulnerability in Mikado-Themes StΓ₯l stal allows Object Injection.This issue affects StΓ₯l: from n/a through < 1.7. | 5.4 | MEDIUM | β | 0 |
| CVE-2026-32512 Deserialization of Untrusted Data vulnerability in Edge-Themes Pelicula pelicula-video-production-and-movie-theme allows Object Injection.This issue affects Pelicula: from n/a through < 1.10. | 9.8 | CRITICAL | β | 0 |
| CVE-2023-7343 HiSecOS web server versions 05.0.00 to 08.3.01 prior to 08.3.02 contains a privilege escalation vulnerability that allows authenticated users with operator or auditor roles to escalate privileges to t... | 7.8 | HIGH | β | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.