CVE Database

108042+ vulnerabilities with CVSS scores, EPSS exploit predictions, and CISA KEV status. Updated daily.

Filter: All CRITICAL HIGH MEDIUM LOW CISA KEV
Sort: Newest CVSS EPSS
CVE-2025-58902
8.1 HIGH

Unauthenticated Local File Inclusion in Lighthouse <= 1.2.12 versions.

Jul 2, 2026
CVE-2026-54431

In liboauth2 the Demonstrating Proof-of-Possession (DPoP) verifier accepts a proof whose JSON Web Key (jwk) header contains private key material. RFC 9449 section 4.3 step …

Jul 2, 2026
CVE-2026-54430

liboauth2 is vulnerable to Server-Side Request Forgery in oauth2_jose_jwks_aws_alb_resolve() function. The AWS ALB verifier reads both signer and kid from the unverified JWT header. If …

Jul 2, 2026
CVE-2026-9834
7.2 HIGH

The WP Database Backup – Unlimited Database & Files Backup by Backup for WP plugin for WordPress is vulnerable to OS Command Injection in all …

Jul 2, 2026
CVE-2026-9188
5.3 MEDIUM

The Appointment Bookings for Zoom GoogleMeet and more – Wappointment plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to …

Jul 2, 2026
CVE-2026-9145
6.5 MEDIUM

The Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress is vulnerable to Arbitrary File Copy via the create_entry_el() function in versions up …

Jul 2, 2026
CVE-2026-8482
4.3 MEDIUM

A vulnerability was discovered on StormShield Network Security 4.3.0 to 4.3.41 (included), 4.8.0 to 4.8.15 (included) , 5.0.0 to 5.0.5 (included) There is a possible …

Jul 2, 2026
CVE-2026-8441
7.5 HIGH

The WP Review Slider Pro plugin for WordPress is vulnerable to SQL Injection via the 'notinstring' parameter of the wprp_load_more_revs AJAX action in versions up …

Jul 2, 2026
CVE-2026-14336
8.2 HIGH

PIA's OIDC issuer allowlist for Jenkins tokens uses a bare string-prefix check (issuer.startswith(' https://ci.eclipse.org ') in is_issuer_known, pia/models.py:139) instead of validating the issuer as a …

Jul 2, 2026
CVE-2026-14029
6.5 MEDIUM

The Groundhogg — CRM, Newsletters, and Marketing Automation plugin for WordPress is vulnerable to generic SQL Injection via the 'select' parameter in all versions up …

Jul 2, 2026
CVE-2026-13459
5.3 MEDIUM

The JetFormBuilder — Dynamic Blocks Form Builder plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.6.3. This is …

Jul 2, 2026
CVE-2026-13369
7.5 HIGH

The Ninja Forms - File Uploads plugin for WordPress is vulnerable to Arbitrary File Read via the attach_files() function in versions up to, and including, …

Jul 2, 2026
CVE-2026-13252
6.4 MEDIUM

The RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator plugin for WordPress is vulnerable to Stored Cross-Site Scripting …

Jul 2, 2026
CVE-2026-13251
7.5 HIGH

The Perfmatters plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 2.6.4 via the 's' parameter. This makes it …

Jul 2, 2026
CVE-2026-12657
5.3 MEDIUM

The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, …

Jul 2, 2026
CVE-2026-12472
5.3 MEDIUM

The Kirki – Freeform Page Builder, Website Builder & Customizer plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, …

Jul 2, 2026
CVE-2026-12134
4.3 MEDIUM

The JoomSport – for Sports: Team & League, Football, Hockey & more plugin for WordPress is vulnerable to authorization bypass in all versions up to, …

Jul 2, 2026
CVE-2026-12122
5.3 MEDIUM

The Kirki – Freeform Page Builder, Website Builder & Customizer plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and …

Jul 2, 2026
CVE-2026-11896
5.3 MEDIUM

The My Calendar – Accessible Event Manager plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.7.14 …

Jul 2, 2026
CVE-2026-10104
4.4 MEDIUM

The Product Video Gallery for Woocommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via custom_thumbnail Parameter in all versions up to, and including, …

Jul 2, 2026
CVE-2026-9563
7.5 HIGH

In Eclipse Parsson published Maven Central artifacts before version 1.1.8, the JSON parser did not enforce a default maximum on the number of characters consumed …

Jul 2, 2026
CVE-2026-8147
8.1 HIGH

In MLflow versions prior to 3.14.0, when running with authentication enabled, the trace API endpoints lack proper authorization validators. This allows any authenticated user to …

Jul 2, 2026
CVE-2026-33592
7.5 HIGH

An unauthenticated remote attacker can exhaust server memory via the FindServers Discovery Service in open62541. The serverUris field of FindServersRequest is not validated for length …

Jul 2, 2026
CVE-2026-5821
8.1 HIGH

The Image Optimizer plugin for WordPress is vulnerable to arbitrary file deletion in versions up to and including 1.7.4. This is due to insufficient path …

Jul 2, 2026
CVE-2026-5348
5.3 MEDIUM

The Academy LMS – WordPress LMS Plugin for Complete eLearning Solution plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, …

Jul 2, 2026
CVE-2026-14249
7.5 HIGH

The Request a Quote plugin for WordPress is vulnerable to Code Injection in versions up to, and including, 2.5.5 via the emd_delete_file AJAX action. This …

Jul 2, 2026
CVE-2026-13704
6.4 MEDIUM

The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'sequoia[introduction][image]' parameter in all versions up …

Jul 2, 2026
CVE-2026-13357
4.9 MEDIUM

The Houzez Property Feed plugin for WordPress is vulnerable to SQL Injection via the 'orderby' parameter in all versions up to, and including, 2.5.46 due …

Jul 2, 2026
CVE-2026-11965
6.5 MEDIUM

The User Registration & Membership WordPress plugin before 5.2.0 does not enforce payment completion before activating a paid membership subscription, allowing unauthenticated users (after self-registering …

Jul 2, 2026
CVE-2026-11781
2.7 LOW

The Adminify WordPress plugin before 4.2.10 does not perform per-user read-capability checks on the results returned by one of its administration search features, allowing users …

Jul 2, 2026
CVE-2026-11600
4.3 MEDIUM

The Envo's Templates & Widgets for Elementor and WooCommerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing authorization check …

Jul 2, 2026
CVE-2026-11592
4.3 MEDIUM

The Email Subscribers & Newsletters – Email Marketing, Post Notifications & Newsletter Plugin for WordPress plugin for WordPress is vulnerable to authorization bypass in all …

Jul 2, 2026
CVE-2026-11578
2.7 LOW

The Fluent Forms WordPress plugin before 6.2.5 does not properly restrict the deletion of form submission entries to the forms a restricted Manager is authorized …

Jul 2, 2026
CVE-2026-10089
6.4 MEDIUM

The Insert Pages plugin for WordPress is vulnerable to Stored Cross-Site Scripting via post custom field keys (meta key names) in all versions up to, …

Jul 2, 2026
CVE-2026-10077
6.8 MEDIUM

The yootheme WordPress theme before 5.0.35 does not prevent its bundled front-end framework from treating certain HTML attributes, which are permitted by wp_kses_post(), as markup, …

Jul 2, 2026
CVE-2026-57278
8.3 HIGH

GeoWebPlayer (also called "Web Plugin" in the GV-VMS documentation and "WS Player" for VMS-Cloud) is an addon that can be installed with various GeoVision software …

Jul 2, 2026
CVE-2026-57277
8.3 HIGH

GeoWebPlayer (also called "Web Plugin" in the GV-VMS documentation and "WS Player" for VMS-Cloud) is an addon that can be installed with various GeoVision software …

Jul 2, 2026
CVE-2026-57276
8.3 HIGH

GeoWebPlayer (also called "Web Plugin" in the GV-VMS documentation and "WS Player" for VMS-Cloud) is an addon that can be installed with various GeoVision software …

Jul 2, 2026
CVE-2026-57275
8.3 HIGH

GeoWebPlayer (also called "Web Plugin" in the GV-VMS documentation and "WS Player" for VMS-Cloud) is an addon that can be installed with various GeoVision software …

Jul 2, 2026
CVE-2026-57274
8.3 HIGH

GeoWebPlayer (also called "Web Plugin" in the GV-VMS documentation and "WS Player" for VMS-Cloud) is an addon that can be installed with various GeoVision software …

Jul 2, 2026
CVE-2026-57273
8.3 HIGH

GeoWebPlayer (also called "Web Plugin" in the GV-VMS documentation and "WS Player" for VMS-Cloud) is an addon that can be installed with various GeoVision software …

Jul 2, 2026
CVE-2026-57272
8.3 HIGH

GeoWebPlayer (also called "Web Plugin" in the GV-VMS documentation and "WS Player" for VMS-Cloud) is an addon that can be installed with various GeoVision software …

Jul 2, 2026
CVE-2026-57271
8.3 HIGH

GeoWebPlayer (also called "Web Plugin" in the GV-VMS documentation and "WS Player" for VMS-Cloud) is an addon that can be installed with various GeoVision software …

Jul 2, 2026
CVE-2026-57270
8.3 HIGH

GeoWebPlayer (also called "Web Plugin" in the GV-VMS documentation and "WS Player" for VMS-Cloud) is an addon that can be installed with various GeoVision software …

Jul 2, 2026
CVE-2026-57269
8.3 HIGH

GeoWebPlayer (also called "Web Plugin" in the GV-VMS documentation and "WS Player" for VMS-Cloud) is an addon that can be installed with various GeoVision software …

Jul 2, 2026
CVE-2026-57268
8.3 HIGH

GeoWebPlayer (also called "Web Plugin" in the GV-VMS documentation and "WS Player" for VMS-Cloud) is an addon that can be installed with various GeoVision software …

Jul 2, 2026
CVE-2026-57267
8.3 HIGH

GeoWebPlayer (also called "Web Plugin" in the GV-VMS documentation and "WS Player" for VMS-Cloud) is an addon that can be installed with various GeoVision software …

Jul 2, 2026
CVE-2026-57266
8.3 HIGH

GeoWebPlayer (also called "Web Plugin" in the GV-VMS documentation and "WS Player" for VMS-Cloud) is an addon that can be installed with various GeoVision software …

Jul 2, 2026
CVE-2026-57265
8.3 HIGH

GeoWebPlayer (also called "Web Plugin" in the GV-VMS documentation and "WS Player" for VMS-Cloud) is an addon that can be installed with various GeoVision software …

Jul 2, 2026
CVE-2026-57264
8.3 HIGH

GeoWebPlayer (also called "Web Plugin" in the GV-VMS documentation and "WS Player" for VMS-Cloud) is an addon that can be installed with various GeoVision software …

Jul 2, 2026

Scan your infrastructure for known CVEs

Free website and port scanning — find vulnerabilities before attackers do.