CVE Database

108224+ vulnerabilities with CVSS scores, EPSS exploit predictions, and CISA KEV status. Updated daily.

Filter: All CRITICAL HIGH MEDIUM LOW CISA KEV
Sort: Newest CVSS EPSS
CVE-2026-48943
6.5 MEDIUM

K2 ≤ 2.24 contains a mass-assignment defect in the K2 system user plugin `plg_user_k2`. A Registered Joomla user, by including the field `K2UserForm=1` in a …

Jun 25, 2026
CVE-2026-48942
6.1 MEDIUM

K2 ≤ 2.26 renders the `#__k2_users.image` column directly into HTML `src` attributes via two distinct templates, in both cases without HTML escaping.

Jun 25, 2026
CVE-2026-48941
6.5 MEDIUM

The K2 frontend `item.checkin` task accepts an unauthenticated `sigProFolder` query parameter and uses it directly to address a `JFolder::delete()` call under `/media/k2/galleries/`

Jun 25, 2026
CVE-2026-48940
3.4 LOW

A Joomla user with K2 "create item" rights (Author tier by default) can submit an article whose `embedVideo` POST field contains a raw `<script>` tag; …

Jun 25, 2026
CVE-2026-12844
7.5 HIGH

List::SomeUtils::XS versions before 0.59 for Perl have a heap buffer overflow in the pairwise function. pairwise() collects the values returned by the block into a …

Jun 25, 2026
CVE-2026-6432

Improper bounds validation in EmberZNet SDK versions 9.0.2 and earlier may result in crashes or dynamic memory leakage.

Jun 25, 2026
CVE-2026-57588
3.3 LOW

A SQL injection vulnerability in Nessus allows an attacker to craft a malicious scan result file that, when imported by a privileged user, injects malicious …

Jun 25, 2026
CVE-2026-57587
5.3 MEDIUM

A SQL injection vulnerability in Nessus allows a remote, unauthenticated attacker who controls reverse DNS records for a scanned host to inject malicious SQL into …

Jun 25, 2026
CVE-2026-57536

Our payment integration with Mollie did not properly validate payment status responses. An attacker could use a successful payment status response from one payment and …

Jun 25, 2026
CVE-2026-57535

Content injected to PDF rendering contexts could, in many places, include HTML content including <img> tags. If the src attribute of these images pointed to …

Jun 25, 2026
CVE-2026-57534

Malicious HTML content could be injected into the content of a page in the pretix-pages plugin.

Jun 25, 2026
CVE-2026-57533

Malicious HTML content could be injected into the page pretix shows when redirection to an untrusted page occurs. Since this page has a Content-Security-Policy, this …

Jun 25, 2026
CVE-2026-57532

Malicious HTML content contained in the layout specification of a PDF ticket or badge layout was executed when the PDF editor is opened in the …

Jun 25, 2026
CVE-2026-57437
5.3 MEDIUM

Nokogiri is an open source XML and HTML library for the Ruby programming language. Prior to 1.19.4, Nokogiri::XML::XPathContext did not keep its source document alive …

Jun 25, 2026
CVE-2026-57436
5.3 MEDIUM

Nokogiri is an open source XML and HTML library for the Ruby programming language. Prior to 1.19.4, Nokogiri::XML::Document#root= validated only that the new root was …

Jun 25, 2026
CVE-2026-57435
7.5 HIGH

Nokogiri is an open source XML and HTML library for the Ruby programming language. Prior to 1.19.4, Nokogiri’s CRuby native extension could leave a Ruby …

Jun 25, 2026
CVE-2026-57434
7.5 HIGH

Nokogiri is an open source XML and HTML library for the Ruby programming language. Prior to 1.19.4, Nokogiri contains a bug when calling certain methods …

Jun 25, 2026
CVE-2026-57236
8.2 HIGH

Nokogiri is an open source XML and HTML library for the Ruby programming language. Prior to 1.19.4, calling Document#encoding= with an invalid encoding (e.g., a …

Jun 25, 2026
CVE-2026-57235
8.2 HIGH

Nokogiri is an open source XML and HTML library for the Ruby programming language. Prior to 1.19.4, Nokogiri::XML::NodeSet#[] (and its alias #slice) checked the requested …

Jun 25, 2026
CVE-2026-57234
2.6 LOW

Nokogiri is an open source XML and HTML library for the Ruby programming language. Prior to 1.19.4, the NONET parse option, which Nokogiri turns on …

Jun 25, 2026
CVE-2026-49319
6.5 MEDIUM

Remote Keyless Entry System (RKES), using the 433 MHz key fob bearing FCC ID CWTR53R0 manufactured by ALPS ALPINE CO., LTD., is vulnerable to a …

Jun 25, 2026
CVE-2026-46735
7.8 HIGH

Dell Display and Peripheral Manager (DDPM Mac), versions prior to 2.3, contain an Improper Neutralization of Special Elements used in an OS Command ('OS Command …

Jun 25, 2026
CVE-2026-13314

Malicious HTML content could be injected into the content rendered by the pretix-digital plugin.

Jun 25, 2026
CVE-2026-13225

Malicious HTML content could be injected into the email address of an order, which pretix showed without sanitization on the confirmation page for individual tickets …

Jun 25, 2026
CVE-2026-13223

Our payment integration with Computop-based payment methods did not properly validate payment status responses. An attacker could use a successful payment status response from one …

Jun 25, 2026
CVE-2026-13222

Our payment integration with Oppwa-based payment methods did not properly validate payment status responses. An attacker could use a successful payment status response from one …

Jun 25, 2026
CVE-2026-57619
6.5 MEDIUM

Contributor Sensitive Data Exposure in Elementor Website Builder <= 4.1.3 versions.

Jun 25, 2026
CVE-2026-57429
6.5 MEDIUM

Contributor Broken Access Control in Slim SEO <= 4.6.2 versions.

Jun 25, 2026
CVE-2026-56122
7.5 HIGH

Winstone Servlet Engine through 0.9.10 contains a path traversal vulnerability that allows unauthenticated attackers to read arbitrary files by sending HTTP GET requests with dot-dot-slash …

Jun 25, 2026
CVE-2026-56071
7.1 HIGH

Unauthenticated Cross Site Scripting (XSS) in Forminator <= 1.53.1 versions.

Jun 25, 2026
CVE-2026-56054
7.7 HIGH

Subscriber Arbitrary File Deletion in JS Help Desk <= 3.1.1 versions.

Jun 25, 2026
CVE-2026-56053
8.8 HIGH

Subscriber PHP Object Injection in EventPrime <= 4.3.4.1 versions.

Jun 25, 2026
CVE-2026-56051
7.1 HIGH

Unauthenticated Cross Site Scripting (XSS) in TablePress <= 3.3.1 versions.

Jun 25, 2026
CVE-2026-56050
6.5 MEDIUM

Improper Access Control vulnerability in Themeisle PPOM for WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects PPOM for WooCommerce: from n/a …

Jun 25, 2026
CVE-2026-56049
8.5 HIGH

Contributor Remote Code Execution (RCE) in Post Snippets <= 4.0.19 versions.

Jun 25, 2026
CVE-2026-56042
7.1 HIGH

Customer Cross Site Scripting (XSS) in Advanced Order Export For WooCommerce <= 4.0.9 versions.

Jun 25, 2026
CVE-2026-56023
5.4 MEDIUM

Customer Broken Access Control in UPI QR Code Payment Gateway for WooCommerce <= 1.6.2 versions.

Jun 25, 2026
CVE-2026-56014
7.1 HIGH

Unauthenticated Cross Site Scripting (XSS) in Master Slider <= 3.11.2 versions.

Jun 25, 2026
CVE-2026-56013
6.5 MEDIUM

Unauthenticated Insecure Direct Object References (IDOR) in License Manager for WooCommerce <= 3.0.15 versions.

Jun 25, 2026
CVE-2026-56006
7.1 HIGH

Unauthenticated Cross Site Scripting (XSS) in H5P <= 1.17.6 versions.

Jun 25, 2026
CVE-2026-56005
7.1 HIGH

Subscriber Cross Site Scripting (XSS) in WP Activity Log <= 5.6.3.1 versions.

Jun 25, 2026
CVE-2026-54849
9.3 CRITICAL

Unauthenticated SQL Injection in Premmerce Wishlist for WooCommerce <= 1.1.11 versions.

Jun 25, 2026
CVE-2026-54848
8.3 HIGH

Insertion of Sensitive Information Into Sent Data vulnerability in Saad Iqbal APIExperts Square for WooCommerce allows Retrieve Embedded Sensitive Data. This issue affects APIExperts Square …

Jun 25, 2026
CVE-2026-54845
8.1 HIGH

Unauthenticated Local File Inclusion in MDTF <= 1.3.8 versions.

Jun 25, 2026
CVE-2026-54844
7.5 HIGH

Unauthenticated Broken Access Control in CheckView Automated Testing <= 2.1.0 versions.

Jun 25, 2026
CVE-2026-54843
9.3 CRITICAL

Unauthenticated SQL Injection in MDTF <= 1.3.7 versions.

Jun 25, 2026
CVE-2026-54842
8.1 HIGH

Missing Authorization vulnerability in Royal Plugins Royal MCP allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Royal MCP: from n/a through 1.4.25.

Jun 25, 2026
CVE-2026-54841
7.5 HIGH

Unauthenticated Sensitive Data Exposure in Vitepos <= 3.4.2 versions.

Jun 25, 2026
CVE-2026-54838
8.5 HIGH

Subscriber SQL Injection in WC Vendors Marketplace <= 2.6.8 versions.

Jun 25, 2026
CVE-2026-54836
9.3 CRITICAL

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in YMC Filter allows SQL Injection. This issue affects YMC Filter: from …

Jun 25, 2026

Scan your infrastructure for known CVEs

Free website and port scanning — find vulnerabilities before attackers do.