Vulnerabilites CVE
Base de donnees CVE enrichie avec CISA KEV et NVD
| CVE ID | CVSS | Severite | KEV | Observations |
|---|---|---|---|---|
| CVE-2026-1044 The Tennis Court Bookings plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.2.7 due to insufficient input sanitization and ou... | 4.4 | MEDIUM | — | 0 |
| CVE-2026-1047 The salavat counter Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'image_url' parameter in all versions up to, and including, 0.9.5 due to insufficient input sanitiz... | 4.4 | MEDIUM | — | 0 |
| CVE-2026-1373 The Easy Author Image plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'author_profile_picture_url' parameter in all versions up to, and including, 1.7 due to insufficient inp... | 6.4 | MEDIUM | — | 0 |
| CVE-2026-1405 The Slider Future plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'slider_future_handle_image_upload' function in all versions up to, and includ... | 9.8 | CRITICAL | — | 0 |
| CVE-2026-1646 The Advance Block Extend plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the TitleColor block attribute in the Latest Posts Gutenberg block in all versions up to, and including, ... | 6.4 | MEDIUM | — | 0 |
| CVE-2026-1994 The s2Member plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 260127. This is due to the plugin not properly validating a user's id... | 9.8 | CRITICAL | — | 0 |
| CVE-2026-24764 OpenClaw (formerly Clawdbot) is a personal AI assistant users run on their own devices. In versions 2026.2.2 and below, when the Slack integration is enabled, channel metadata (topic/description) can ... | 3.7 | LOW | — | 0 |
| CVE-2026-25120 Gogs is an open source self-hosted Git service. In versions 0.13.4 and below, the DeleteComment API does not verify that the comment belongs to the repository specified in the URL. This allows a repos... | 2.7 | LOW | — | 0 |
| CVE-2026-25229 Gogs is an open source self-hosted Git service. Versions 0.13.4 and below have a broken access control vulnerability which allows authenticated users with write access to any repository to modify labe... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-25232 Gogs is an open source self-hosted Git service. Versions 0.13.4 and below have an access control bypass vulnerability which allows any repository collaborator with Write permissions to delete protecte... | 8.8 | HIGH | — | 0 |
| CVE-2026-25242 Gogs is an open source self-hosted Git service. Versions 0.13.4 and below expose unauthenticated file upload endpoints by default. When the global RequireSigninView setting is disabled (default), any ... | 9.8 | CRITICAL | — | 0 |
| CVE-2026-25474 OpenClaw is a personal AI assistant. In versions 2026.1.30 and below, if channels.telegram.webhookSecret is not set when in Telegram webhook mode, OpenClaw may accept webhook HTTP requests without ver... | 7.5 | HIGH | — | 0 |
| CVE-2026-2282 The Slidorion plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0.2 due to insufficient input sanitization and output escapin... | 4.4 | MEDIUM | — | 0 |
| CVE-2026-2284 The News Element Elementor Blog Magazine plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.0.8. This is due to a missing capability check and nonce ve... | 5.4 | MEDIUM | — | 0 |
| CVE-2026-2502 The xmlrpc attacks blocker plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.0, via the 'X-Forwarded-For' HTTP header. This is due to the plugin tru... | 6.1 | MEDIUM | — | 0 |
| CVE-2026-2681 A flaw was found in the blst cryptographic library. This out-of-bounds stack write vulnerability, specifically in the blst_sha256_bcopy assembly routine, occurs due to a missing zero-length guard. A r... | 5.3 | MEDIUM | — | 0 |
| CVE-2026-2731 Path traversal and content injection in JobRunnerBackground.aspx in DynamicWeb 8 (all) and 9 (<9.19.7 and <9.20.3) allows unauthenticated attackers to execute code via simple web requests | N/A | NONE | — | 0 |
| CVE-2026-2711 A vulnerability has been found in zhutoutoutousan worldquant-miner up to 1.0.9. The impacted element is an unknown function of the file worldquant-miner-master/agent-dify-api/core/helper/ssrf_proxy.py... | 5.6 | MEDIUM | — | 0 |
| CVE-2026-2733 A flaw was identified in the Docker v2 authentication endpoint of Keycloak, where tokens continue to be issued even after a Docker registry client has been administratively disabled. This means that t... | 3.8 | LOW | — | 0 |
| CVE-2025-40697 Reflected Cross-Site Scripting (XSS) vulnerability in '/index.php' in Lewe WebMeasure, which allows remote attackers to execute arbitrary code through the 'page' parameter. This vulnerability can be e... | N/A | NONE | — | 0 |
| CVE-2025-41023 An authentication bypass vulnerability has been found in Thesamur's AutoGPT. This vulnerability allows an attacker to bypass authentication mechanisms. Once inside the web application, the attacker ca... | N/A | NONE | — | 0 |
| CVE-2026-22269 Dell PowerProtect Data Manager, version(s) prior to 19.22, contain(s) an Improper Verification of Source of a Communication Channel vulnerability in the REST API. A high privileged attacker with remot... | 4.7 | MEDIUM | — | 0 |
| CVE-2026-22333 Deserialization of Untrusted Data vulnerability in YITHEMES YITH WooCommerce Compare yith-woocommerce-compare allows Object Injection.This issue affects YITH WooCommerce Compare: from n/a through <= 3... | 7.2 | HIGH | — | 0 |
| CVE-2026-22422 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in wpeverest Everest Forms everest-forms allows Code Injection.This issue affects Everest Forms: from n/a th... | 5.3 | MEDIUM | — | 0 |
| CVE-2026-23542 Deserialization of Untrusted Data vulnerability in ThemeGoods Grand Restaurant grandrestaurant allows Object Injection.This issue affects Grand Restaurant: from n/a through <= 7.0.10. | 9.8 | CRITICAL | — | 0 |
| CVE-2026-25364 Missing Authorization vulnerability in BoldGrid Client Invoicing by Sprout Invoices sprout-invoices allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Client In... | 5.3 | MEDIUM | — | 0 |
| CVE-2026-25367 Missing Authorization vulnerability in NooTheme CitiLights noo-citilights allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects CitiLights: from n/a through < 3.7.... | 5.3 | MEDIUM | — | 0 |
| CVE-2026-25368 Missing Authorization vulnerability in codepeople Calculated Fields Form calculated-fields-form allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Calculated Fi... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-25372 Missing Authorization vulnerability in Kodezen LLC Academy LMS academy allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Academy LMS: from n/a through <= 3.5.3... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-25374 Missing Authorization vulnerability in raratheme Spa and Salon spa-and-salon allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Spa and Salon: from n/a through ... | 5.3 | MEDIUM | — | 0 |
| CVE-2026-25375 Missing Authorization vulnerability in WP Chill Image Photo Gallery Final Tiles Grid final-tiles-grid-gallery-lite allows Exploiting Incorrectly Configured Access Control Security Levels.This issue af... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-25378 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Nelio Software Nelio AB Testing nelio-ab-testing allows Blind SQL Injection.This issue affects Nel... | 7.6 | HIGH | — | 0 |
| CVE-2026-25384 Missing Authorization vulnerability in WP Lab WP-Lister Lite for eBay wp-lister-for-ebay allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP-Lister Lite for e... | 5.3 | MEDIUM | — | 0 |
| CVE-2026-25385 Server-Side Request Forgery (SSRF) vulnerability in KaizenCoders URL Shortify url-shortify allows Server Side Request Forgery.This issue affects URL Shortify: from n/a through <= 1.12.3. | 5.5 | MEDIUM | — | 0 |
| CVE-2026-25386 Missing Authorization vulnerability in Elementor Ally pojo-accessibility allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Ally: from n/a through <= 4.0.2. | 5.3 | MEDIUM | — | 0 |
| CVE-2025-69402 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX R&F rf allows PHP Local File Inclusion.This issue affects R&F: from n/... | 8.1 | HIGH | — | 0 |
| CVE-2026-25389 Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Metagauss EventPrime eventprime-event-calendar-management allows Retrieve Embedded Sensitive Data.This issue... | 5.3 | MEDIUM | — | 0 |
| CVE-2026-25391 Missing Authorization vulnerability in WP Grids WP Wand ai-content-generation allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Wand: from n/a through <= 1.... | 5.4 | MEDIUM | — | 0 |
| CVE-2026-25393 Missing Authorization vulnerability in sparklewpthemes Hello FSE hello-fse allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Hello FSE: from n/a through <= 1.0... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-25394 Missing Authorization vulnerability in sparklewpthemes Fitness FSE fitness-fse allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Fitness FSE: from n/a through ... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-25395 Missing Authorization vulnerability in ikreatethemes Business Roy business-roy allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Business Roy: from n/a through... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-25399 Missing Authorization vulnerability in CryoutCreations Serious Slider cryout-serious-slider allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Serious Slider: f... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-25402 Missing Authorization vulnerability in echoplugins Knowledge Base for Documentation, FAQs with AI Assistance echo-knowledge-base allows Exploiting Incorrectly Configured Access Control Security Levels... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-25404 Missing Authorization vulnerability in Automattic WP Job Manager wp-job-manager allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Job Manager: from n/a thro... | 5.3 | MEDIUM | — | 0 |
| CVE-2026-25407 Missing Authorization vulnerability in cookiebot Cookiebot cookiebot allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Cookiebot: from n/a through <= 4.6.4. | 4.3 | MEDIUM | — | 0 |
| CVE-2026-25408 Missing Authorization vulnerability in PluginRx Broken Link Notifier broken-link-notifier allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Broken Link Notifie... | 5.3 | MEDIUM | — | 0 |
| CVE-2026-25409 Missing Authorization vulnerability in crgeary JAMstack Deployments wp-jamstack-deployments allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects JAMstack Deployme... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-25410 Missing Authorization vulnerability in tstephenson WP-CORS wp-cors allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP-CORS: from n/a through <= 0.2.2. | 4.3 | MEDIUM | — | 0 |
| CVE-2026-25411 Cross-Site Request Forgery (CSRF) vulnerability in themastercut Revision Manager TMC revision-manager-tmc allows Cross Site Request Forgery.This issue affects Revision Manager TMC: from n/a through <=... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-25412 Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. | N/A | NONE | — | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.