Export limit exceeded: 363715 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (363715 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-10104 | 2 Nikhilgadhiya, Wordpress | 2 Product Video Gallery For Woocommerce, Wordpress | 2026-07-06 | 4.4 Medium |
| The Product Video Gallery for Woocommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via custom_thumbnail Parameter in all versions up to, and including, 1.5.1.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with shop manager-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2026-54430 | 1 Openidc | 1 Liboauth2 | 2026-07-06 | 5.8 Medium |
| liboauth2 is vulnerable to Server-Side Request Forgery in oauth2_jose_jwks_aws_alb_resolve() function. The AWS ALB verifier reads both signer and kid from the unverified JWT header. If signer matches the configured ARN, kid is appended to alb_base_url without URL encoding or path sanitization, and the HTTP GET is issued before signature verification. This allows an attacker to force the server to send a GET request to an attacker-chosen internal path. This issue was fixed in version 2.3.0 | ||||
| CVE-2026-54431 | 1 Openidc | 1 Liboauth2 | 2026-07-06 | 5.3 Medium |
| In liboauth2 the Demonstrating Proof-of-Possession (DPoP) verifier accepts a proof whose JSON Web Key (jwk) header contains private key material. RFC 9449 section 4.3 step 7 requires the verifier to reject such a proof but oauth2_token_verify() function returns success for a malformed DPoP proof that embeds the private Elliptic Curve (EC) key in the header. This issue was fixed in version 2.3.0 | ||||
| CVE-2026-11946 | 1 Open62541 | 1 Open62541 | 2026-07-06 | 7.5 High |
| An unauthenticated remote attacker can exhaust server memory via the GetEndpoints Discovery Service in open62541. The endpointUrl field of GetEndpointsRequest is not validated for length. An attacker can declare an arbitrarily large string (up to ~4.09 GB via the UInt32 length field) delivered across intermediate chunks without ever sending the final chunk. The server buffers all chunks in RAM indefinitely until the SecureChannel times out. The attack is pre-session and bypasses all encryption configurations. The issue affects open62541: from 1.4.0 through 1.4.16, from 1.5.0 through 1.5.4, master. | ||||
| CVE-2025-69132 | 2 Wordpress, Zozothemes | 2 Wordpress, Corpkit | 2026-07-06 | 6.5 Medium |
| Subscriber Sensitive Data Exposure in Corpkit <= 1.0.5 versions. | ||||
| CVE-2025-69134 | 2 Merkulove, Wordpress | 2 Openai Chatbot For Wordpress – Helper, Wordpress | 2026-07-06 | 7.5 High |
| Unauthenticated Arbitrary Content Deletion in OpenAI Chatbot for WordPress – Helper <= 1.1.4 versions. | ||||
| CVE-2025-69152 | 2 Themegoods, Wordpress | 2 Artale | Wedding Photography Wordpress, Wordpress | 2026-07-06 | 7.1 High |
| Unauthenticated Cross Site Scripting (XSS) in Artale | Wedding Photography WordPress <= 2.2.2 versions. | ||||
| CVE-2025-69153 | 2 Designthemes, Wordpress | 2 Trendy Travel, Wordpress | 2026-07-06 | 7.1 High |
| Unauthenticated Cross Site Scripting (XSS) in Trendy Travel <= 6.7 versions. | ||||
| CVE-2025-69154 | 2 Designthemes, Wordpress | 2 Spalab | Beauty Salon Wordpress Theme, Wordpress | 2026-07-06 | 7.1 High |
| Unauthenticated Cross Site Scripting (XSS) in SpaLab | Beauty Salon WordPress Theme <= 6.7 versions. | ||||
| CVE-2025-69155 | 2 Designthemes, Wordpress | 2 Fitness Zone Wordpress Theme, Wordpress | 2026-07-06 | 7.1 High |
| Unauthenticated Cross Site Scripting (XSS) in Fitness Zone WordPress Theme <= 5.7 versions. | ||||
| CVE-2025-69156 | 2 Design Themes, Wordpress | 2 Kids Zone - Children Wordpress Theme, Wordpress | 2026-07-06 | 7.1 High |
| Unauthenticated Cross Site Scripting (XSS) in Kids Zone - Children WordPress Theme <= 5.4 versions. | ||||
| CVE-2026-27402 | 2 Designthemes, Wordpress | 2 Kids Life | Children School Wordpress, Wordpress | 2026-07-06 | 7.1 High |
| Unauthenticated Cross Site Scripting (XSS) in Kids Life | Children School WordPress <= 5.2 versions. | ||||
| CVE-2026-27404 | 2 Designthemes, Wordpress | 2 Lms, Wordpress | 2026-07-06 | 7.1 High |
| Unauthenticated Cross Site Scripting (XSS) in LMS <= 9.7 versions. | ||||
| CVE-2026-27408 | 2 Imithemes, Wordpress | 2 Nativechurch, Wordpress | 2026-07-06 | 7.1 High |
| Unauthenticated Cross Site Scripting (XSS) in NativeChurch <= 4.8.8.2 versions. | ||||
| CVE-2026-27412 | 2 Stylemixthemes, Wordpress | 2 Pearl - Corporate Business, Wordpress | 2026-07-06 | 8.1 High |
| Unauthenticated Local File Inclusion in Pearl - Corporate Business <= 3.4.10 versions. | ||||
| CVE-2026-27414 | 2 Fuelthemes, Wordpress | 2 Werkstatt, Wordpress | 2026-07-06 | 8.8 High |
| Contributor PHP Object Injection in Werkstatt <= 4.8.3 versions. | ||||
| CVE-2026-27425 | 2 Themesuite, Wordpress | 2 Automotive Listings, Wordpress | 2026-07-06 | 7.1 High |
| Unauthenticated Cross Site Scripting (XSS) in Automotive Listings <= 18.6 versions. | ||||
| CVE-2026-27430 | 2 Tranmautritam, Wordpress | 2 Thefox, Wordpress | 2026-07-06 | 7.1 High |
| Unauthenticated Cross Site Scripting (XSS) in TheFox <= 3.9.76 versions. | ||||
| CVE-2026-39448 | 2 Coderpress, Wordpress | 2 Nowpayments For Woocommerce, Wordpress | 2026-07-06 | 7.5 High |
| Unauthenticated Broken Access Control in NOWPayments for WooCommerce <= 1.4.0 versions. | ||||
| CVE-2026-49779 | 2 Addify, Wordpress | 2 Tax Exempt For Woocommerce, Wordpress | 2026-07-06 | 6.5 Medium |
| Customer Path Traversal in Tax Exempt for WooCommerce <= 1.9.3 versions. | ||||