36304+ vulnerabilities with CVSS scores, EPSS exploit predictions, and CISA KEV status. Updated daily.
Author PHP Object Injection in ShortPixel Image Optimizer <= 6.4.3 versions.
Shop manager Privilege Escalation in WooCommerce Cart Abandonment Recovery < 2.1.0 versions.
Unauthenticated Cross Site Scripting (XSS) in ManageWP Worker <= 4.9.31 versions.
Subscriber Broken Authentication in FunnelKit Automations <= 3.7.3 versions.
Unauthenticated Cross Site Scripting (XSS) in Contact Form to Any API <= 3.0.3 versions.
Unauthenticated Cross Site Scripting (XSS) in Simply Schedule Appointments <= 1.6.10.6 versions.
Unauthenticated Cross Site Scripting (XSS) in CformsII <= 15.1.3 versions.
Shop manager PHP Object Injection in CTX Feed <= 6.6.26 versions.
Unauthenticated Cross Site Scripting (XSS) in WooCommerce Product Table Lite <= 4.6.3 versions.
Unauthenticated Cross Site Scripting (XSS) in GiveWP <= 4.14.2 versions.
Unauthenticated Broken Access Control in Event Tickets Manager for WooCommerce <= 1.5.3 versions.
Unauthenticated Sensitive Data Exposure in IDPay Payment Gateway for Woocommerce <= 2.2.5 versions.
Unauthenticated Broken Access Control in Simple Membership <= 4.7.1 versions.
Editor Privilege Escalation in AI Engine <= 3.4.9 versions.
Unauthenticated Deserialization of untrusted data in Paid Videochat Turnkey Site <= 7.3.23 versions.
Unauthenticated Bypass Vulnerability in WpTravelly <= 2.1.7 versions.
Unauthenticated Broken Access Control in User Registration <= 5.1.2 versions.
Contributor SQL Injection in PowerPress Podcasting <= 11.15.10 versions.
Unauthenticated Cross Site Scripting (XSS) in Redirection for Contact Form 7 <= 3.2.8 versions.
Unauthenticated Cross Site Scripting (XSS) in Eli's WordCents adSense Widget with Analytics <= 1.3.03.27 versions.
Unauthenticated Cross Site Scripting (XSS) in Okay Toolkit <= 2.3 versions.
Unauthenticated Cross Site Scripting (XSS) in iRobots.txt SEO <= 1.1.2 versions.
Custom role Insecure Direct Object References (IDOR) in Projectopia <= 5.1.25.2 versions.
A flaw was found in GStreamer's WavPack audio decoder in gst-plugins-good. When processing a specially crafted WavPack file, an integer overflow in the buffer size …
A flaw was found in GStreamer's RealMedia demuxer in the gst-plugins-ugly package. When processing a RealMedia file containing a specially crafted FILEINFO metadata section, the …
A vulnerability was found in the GStreamer RealMedia demuxer (gst-plugins-ugly). When processing a RealMedia (.rm) file, the demuxer parses MDPR (media properties) chunks to configure …
A signed integer overflow vulnerability was found in GStreamer's VMnc decoder. A crafted VMnc stream with large cursor dimensions can overflow signed integer payload-size arithmetic, …
A heap buffer overflow vulnerability was found in GStreamer's librfb (RFB/VNC client). The rectangle bounds check incorrectly validates area rather than individual dimensions, allowing a …
An out-of-bounds read vulnerability was found in the VA JPEG decoder in GStreamer's gst-plugins-bad. The JPEG parser reads a segment length value from the bitstream …
Incorrect access control in the /admin/api/config component of Filestash v0.4.0 allows attackers to escalate privileges via sending a crafted request.
An input handling flaw in the HTTP refresh token process of LLDAP v0.6.2 allows attackers to cause a Denial of Service (DoS) via sending a …
An authenticated Server-Side Request Forgery (SSRF) in the custom scraper subsystem component of Benjamin Jonard Koillection v1.8.0 allows attackers to scan internal resources via supplying …
Incorrect access control in the share-based read endpoints of Sismics Docs (Teedy) v1.11 allow unauthorized attackers to access sensitive endpoints via a crafted request.
Incorrect access control in statping-ng v0.93.0 allows attackers to escalate privileges to Administrator and access sensitive components.
An issue in the /api/v0/pastes endpoint of anna-is-cute paste v0.1.1 allows attackers to cause a Denial of Service (DoS) via a crafted POST request.
Incorrect access control in the impworks Bonsai v6.0 allows authenticated attackers with Editor privileges to escalate privileges to Administrator and execute unauthorized account, password, and …
An issue in the uploadPostHandler component of Andrei Marcu linx-server v2.3.8 allows attackers to cause a Denial of Service (DoS) via a crafted POST request.
An issue in the attachment handling component of Feuerhamster MailForm v1.1.0 allows attackers to cause a Denial of Service (DoS) via a crafted request.
An issue in Zhoros SuperBin v1.0.0 allows attackers to execute a directory traversal via supplying files with names containing traversal characters.
Incorrect access control in the /{form}/webhooks/{webhook} endpoint of Deck9 Input v2.0.1 allows authenticated attackers to arbitrarily modify or delete another tenant's webhook via a crafted …
An OS command injection vulnerability in the /manage/features/media component of kanishka-linux Reminiscence v0.3.0 allows attackers to execute arbitrary commands via supplying a crafted input.
An information disclosure vulnerability in the configuration endpoint of Ben Busby whoogle-search v1.2.3 allows attackers to obtain sensitive information via a crafted GET request.
Discuz! X5.0 releases 20260320 through 20260610 contain a local file inclusion vulnerability that allows authenticated administrators to execute arbitrary code by importing a specially crafted …
In Spring AI Vector Stores, special characters could be used to force the execution of arbitrary queries in Elasticsearch, OpenSearch, and GemFire VectorDB. Affected components: …
In OCaml-TLS before 2.1.0, the server implementation does insufficient checks of the certificate provided by the client (when doing client authentication), which allows impersonation with …
In Spring Cloud Sleuth, it is possible for a user to provide specially crafted calls that may cause a denial-of-service (DoS) condition. The application is …
An issue in Iru, Inc Kandji Agent before v.4.7.5(5374) allows a local attacker to escalate privileges via a client validation gap to invoke restricted agent …
An issue in Observeinc's Observe v.2026-01-28 and before allows a remote attacker to obtain sensitive information via the CSV Log export component.
A Time-Based Blind SQL Injection vulnerability in the alias_management module of OpenSIPS Control Panel (opensips-cp) prior to version 9.3.3 allows authenticated attackers to execute arbitrary …
An issue in Microvirt MEmu Android Emulator 9.2.7.0 allows a local attacker to escalate privileges via the MemuService.exe component.
Free website and port scanning — find vulnerabilities before attackers do.