CVE Database

109208+ vulnerabilities with CVSS scores, EPSS exploit predictions, and CISA KEV status. Updated daily.

Filter: All CRITICAL HIGH MEDIUM LOW CISA KEV
Sort: Newest CVSS EPSS
CVE-2026-42748
9.9 CRITICAL

Unrestricted Upload of File with Dangerous Type vulnerability in WPify WPify Woo Czech wpify-woo allows Upload a Web Shell to a Web Server.This issue affects …

May 27, 2026
CVE-2026-42747
9.3 CRITICAL

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in hassantafreshi Easy Form Builder easy-form-builder allows Blind SQL Injection.This issue affects …

May 27, 2026
CVE-2026-42746
7.3 HIGH

Insertion of Sensitive Information Into Sent Data vulnerability in ZAYTECH Smart Online Order for Clover clover-online-orders allows Retrieve Embedded Sensitive Data.This issue affects Smart Online …

May 27, 2026
CVE-2026-42745
7.3 HIGH

Authentication Bypass Using an Alternate Path or Channel vulnerability in ZAYTECH Smart Online Order for Clover clover-online-orders allows Authentication Bypass.This issue affects Smart Online Order …

May 27, 2026
CVE-2026-42744
6.5 MEDIUM

Improper Validation of Specified Quantity in Input vulnerability in Ads by WPQuads Ads by WPQuads quick-adsense-reloaded allows Manipulating Hidden Fields.This issue affects Ads by WPQuads: …

May 27, 2026
CVE-2026-42740
9.3 CRITICAL

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in tainacan Tainacan tainacan allows Blind SQL Injection.This issue affects Tainacan: from …

May 27, 2026
CVE-2026-42739
7.1 HIGH

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in IniLerm Advanced IP Blocker advanced-ip-blocker allows DOM-Based XSS.This issue affects Advanced IP Blocker: …

May 27, 2026
CVE-2026-42738
7.1 HIGH

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ZAYTECH Smart Online Order for Clover clover-online-orders allows Stored XSS.This issue affects Smart …

May 27, 2026
CVE-2026-42737
8.6 HIGH

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in e4jvikwp VikBooking Hotel Booking Engine & PMS vikbooking allows Path Traversal.This issue …

May 27, 2026
CVE-2026-42736
7.5 HIGH

Authorization Bypass Through User-Controlled Key vulnerability in wordplus BP Better Messages bp-better-messages allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects BP Better Messages: …

May 27, 2026
CVE-2026-42735
8.2 HIGH

Authentication Bypass Using an Alternate Path or Channel vulnerability in Iqonic Design KiviCare kivicare-clinic-management-system allows Password Recovery Exploitation.This issue affects KiviCare: from n/a through <= …

May 27, 2026
CVE-2026-42734
7.1 HIGH

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Dylan Kuhn Geo Mashup geo-mashup allows Reflected XSS.This issue affects Geo Mashup: from …

May 27, 2026
CVE-2026-42733
7.1 HIGH

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in RealMag777 WPCS currency-switcher allows DOM-Based XSS.This issue affects WPCS: from n/a through <= …

May 27, 2026
CVE-2026-42732
6.5 MEDIUM

Improper Validation of Specified Quantity in Input vulnerability in Ads by WPQuads Ads by WPQuads quick-adsense-reloaded allows Input Data Manipulation.This issue affects Ads by WPQuads: …

May 27, 2026
CVE-2026-42731
9.8 CRITICAL

Incorrect Privilege Assignment vulnerability in miniOrange miniorange otp verification miniorange-otp-verification allows Privilege Escalation.This issue affects miniorange otp verification: from n/a through <= 5.4.9.

May 27, 2026
CVE-2026-42730
8.5 HIGH

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Stylemix MasterStudy LMS masterstudy-lms-learning-management-system allows Blind SQL Injection.This issue affects MasterStudy …

May 27, 2026
CVE-2026-42729
7.1 HIGH

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Property Hive PropertyHive propertyhive allows DOM-Based XSS.This issue affects PropertyHive: from n/a through …

May 27, 2026
CVE-2026-42728
7.1 HIGH

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in HT Plugins HT Contact Form 7 ht-contactform allows Stored XSS.This issue affects HT …

May 27, 2026
CVE-2026-42727
9.3 CRITICAL

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in RealMag777 Active Products Tables for WooCommerce profit-products-tables-for-woocommerce allows Blind SQL Injection.This …

May 27, 2026
CVE-2026-42726
6.5 MEDIUM

Missing Authorization vulnerability in Strategy11 Team AWP Classifieds another-wordpress-classifieds-plugin allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects AWP Classifieds: from n/a through <= …

May 27, 2026
CVE-2026-42725
6.5 MEDIUM

Authorization Bypass Through User-Controlled Key vulnerability in WP Wham Checkout Files Upload for WooCommerce checkout-files-upload-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects …

May 27, 2026
CVE-2026-3349
6.1 MEDIUM

The MinhNhut Link Gateway plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'url' parameter on the redirect page in all versions up …

May 27, 2026
CVE-2026-3348
4.4 MEDIUM

The MinhNhut Link Gateway plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's settings (Description, Title, and other fields) in all versions …

May 27, 2026
CVE-2026-3012
8.0 HIGH

A flaw was found in Samba’s certificate auto-enrollment Group Policy handling. When certificate auto-enrollment is enabled, Samba may retrieve a CA certificate over an unencrypted …

May 27, 2026
CVE-2026-2288
4.8 MEDIUM

The myLinksDump plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'link_title' parameter in all versions up to, and including, 1.6 due to …

May 27, 2026
CVE-2026-2280
4.8 MEDIUM

The rexCrawler plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0.15 due to insufficient …

May 27, 2026
CVE-2025-0898
6.5 MEDIUM

The Xpro Elementor Addons - Pro plugin for WordPress is vulnerable to Arbitrary File Reading in all versions up to, and including, 1.4.7 via the …

May 27, 2026
CVE-2026-8054

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in the Publish Audit API endpoints (/api/auditPublishing/get and /api/auditPublishing/getAll) in dotCMS Core 25.11.04-1 …

May 27, 2026
CVE-2026-49002
9.1 CRITICAL

Access control failure means that an application does not effectively check user access permissions, so that unauthorized users can access system data beyond their permissions, …

May 27, 2026
CVE-2026-48968
6.5 MEDIUM

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Averta Master Slider allows DOM-Based XSS. This issue affects Master Slider: from n/a …

May 27, 2026
CVE-2026-48877
6.5 MEDIUM

Insertion of Sensitive Information Into Sent Data vulnerability in Tom GenerateBlocks allows Retrieve Embedded Sensitive Data. This issue affects GenerateBlocks: from n/a through 2.1.0.

May 27, 2026
CVE-2026-40852
7.2 HIGH

A highly authenticated attacker can alter the config generator injecting a payload into future created configurations. The device is not correctly checking this configuration value …

May 27, 2026
CVE-2026-40851
8.4 HIGH

A local attacker can perform a confusion attack on the cfgparser via a specially crafted file on an USB stick leading to code execution. This …

May 27, 2026
CVE-2026-40850
7.5 HIGH

An unauthenticated remote attacker can exploit an unauthenticated SQL Injection vulnerability in the getAccountData function due to improper neutralization of special elements in a SQL …

May 27, 2026
CVE-2026-40849
6.5 MEDIUM

An low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the user_alarmprofile view due to improper neutralization of special elements in a …

May 27, 2026
CVE-2026-40848
6.5 MEDIUM

An low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the tag view due to improper neutralization of special elements in a …

May 27, 2026
CVE-2026-40847
6.5 MEDIUM

An low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the system_tag view due to improper neutralization of special elements in a …

May 27, 2026
CVE-2026-40846
6.5 MEDIUM

An low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the system view due to improper neutralization of special elements in a …

May 27, 2026
CVE-2026-40845
6.5 MEDIUM

An low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the devices_configuration view due to improper neutralization of special elements in a …

May 27, 2026
CVE-2026-40844
6.5 MEDIUM

An low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the dashboard view due to improper neutralization of special elements in a …

May 27, 2026
CVE-2026-40843
6.5 MEDIUM

An low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the alarming view due to improper neutralization of special elements in a …

May 27, 2026
CVE-2026-40842
6.5 MEDIUM

An low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the getWidgetTags function due to improper neutralization of special elements in a …

May 27, 2026
CVE-2026-40841
6.5 MEDIUM

An low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the getProjectTags function due to improper neutralization of special elements in a …

May 27, 2026
CVE-2026-40840
6.5 MEDIUM

An low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the VerifyCreateLicences function due to improper neutralization of special elements in a …

May 27, 2026
CVE-2026-40839
6.5 MEDIUM

An low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the getComponentScalings function due to improper neutralization of special elements in a …

May 27, 2026
CVE-2026-40838
6.5 MEDIUM

An low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the getDeviceScalings function due to improper neutralization of special elements in a …

May 27, 2026
CVE-2026-40837
6.5 MEDIUM

An low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the getProjectScalings function due to improper neutralization of special elements in a …

May 27, 2026
CVE-2026-40836
7.1 HIGH

An low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the inmessage model due to improper neutralization of special elements in a …

May 27, 2026
CVE-2026-40835
6.5 MEDIUM

An low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the saveObjectFromData function due to improper neutralization of special elements in a …

May 27, 2026
CVE-2026-40834
7.1 HIGH

An low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the dash_layout.php files saveDashboardLayout function due to improper neutralization of special elements …

May 27, 2026

Scan your infrastructure for known CVEs

Free website and port scanning — find vulnerabilities before attackers do.