Vulnerabilidades CVE
Base de datos de vulnerabilidades CVE enriquecida con datos de CISA KEV y NVD
| CVE ID | CVSS | Severidad | KEV | Avistamientos |
|---|---|---|---|---|
| CVE-2026-2717 The HTTP Headers plugin for WordPress is vulnerable to CRLF Injection in all versions up to, and including, 1.19.2. This is due to insufficient sanitization of custom header name and value fields befo... | 5.5 | MEDIUM | β | 0 |
| CVE-2026-2719 The Private WP suite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Exceptions' setting in all versions up to, and including, 0.4.1. This is due to insufficient input sanit... | 4.4 | MEDIUM | β | 0 |
| CVE-2026-3362 The Short Comment Filter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Minimum Count' settings field in all versions up to and including 2.2. This is due to insufficient i... | 4.4 | MEDIUM | β | 0 |
| CVE-2026-4074 The Quran Live Multilanguage plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'cheikh' and 'lang' shortcode attributes in all versions up to, and including, 1.0.3. This is due... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-4082 The ER Swiffy Insert plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the [swiffy] shortcode in all versions up to and including 1.0.0. This is due to insufficient input sanitizat... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-4085 The Easy Social Photos Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wrapper_class' shortcode attribute of the 'my-instagram-feed' shortcode in all versions up to,... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-4088 The Switch CTA Box plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wppw_cta_box' shortcode in all versions up to, and including, 1.1. This is due to insufficient input sanit... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-4089 The Twittee Text Tweet plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' shortcode attribute in all versions up to and including 1.0.8. This is due to insufficient input s... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-4090 The Inquiry Cart plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.4.2. This is due to missing nonce verification in the rd_ic_settings_page func... | 6.1 | MEDIUM | β | 0 |
| CVE-2026-4117 The CalJ plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.5. This is due to a missing capability check in the CalJSettingsPage class constructor, whi... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-4119 The Create DB Tables plugin for WordPress is vulnerable to authorization bypass in all versions up to and including 1.2.1. The plugin registers admin_post action hooks for creating tables (admin_post_... | 9.1 | CRITICAL | β | 0 |
| CVE-2026-4121 The Kcaptcha plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 1.0.1. This is due to missing nonce validation in the plugin's settings page handler (... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-4125 The WPMK Block plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'class' shortcode attribute in all versions up to and including 1.0.1. This is due to insufficient input saniti... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-4126 The Table Manager plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0.0 via the 'table_manager' shortcode. The shortcode handler `tablemanage... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-4128 The TP Restore Categories And Taxonomies plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.0.1. The delete_term() function, which handles the 'tpmcatt... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-4131 The WP Responsive Popup + Optin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 1.4. This is due to the settings form on the admin page (wpo_admin_... | 6.1 | MEDIUM | β | 0 |
| CVE-2026-4132 The HTTP Headers plugin for WordPress is vulnerable to External Control of File Name or Path leading to Remote Code Execution in all versions up to and including 1.19.2. This is due to insufficient va... | 7.2 | HIGH | β | 0 |
| CVE-2026-4133 The TextP2P Texting Widget plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 1.7. This is due to missing nonce validation in the imTextP2POptionPage(... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-4139 The mCatFilter plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 0.5.2. This is due to the complete absence of nonce verification and capability chec... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-4140 The Ni WooCommerce Order Export plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 3.1.6. This is due to missing nonce validation in the ni_order_expo... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-4142 The Sentence To SEO (keywords, description and tags) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Permanent keywords' field in all versions up to and including 1.0. This ... | 4.4 | MEDIUM | β | 0 |
| CVE-2026-4279 The Bread & Butter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'breadbutter-customevent-button' shortcode in all versions up to, and including, 8.2.0.25. This is due to i... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-4280 The Breaking News WP plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.3. This is due to the brnwp_ajax_form AJAX endpoint lacking both authorization c... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-4353 The CI HUB Connector plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' attribute of the `cihub_metadata` shortcode in all versions up to, and including, 1.2.106 due to ins... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-5748 The Text Snippets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `ts` shortcode in all versions up to, and including, 0.0.1 due to insufficient input sanitization a... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-5767 The SlideShowPro SC plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `slideShowProSC` shortcode in all versions up to, and including, 1.0.2 due to insufficient input ... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-5820 The Zypento Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Table of Contents block in all versions up to, and including, 1.0.6. This is due to the front-end TOC rende... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-6041 The Buzz Comments plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Custom Buzz Avatar' (buzz_comments_avatar_image) setting in all versions up to, and including, 0.9.4. This ... | 4.4 | MEDIUM | β | 0 |
| CVE-2026-6235 The Sendmachine for WordPress plugin for WordPress is vulnerable to authorization bypass via the 'manage_admin_requests' function in all versions up to, and including, 1.0.20. This is due to the plugi... | 9.8 | CRITICAL | β | 0 |
| CVE-2026-6246 The Simple Random Posts Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'container_right_width' attribute of the 'simple_random_posts' shortcode in all versions up ... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-6294 The Google PageRank Display plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to and including 1.4. This is due to missing nonce validation in the gpdisplay_option() func... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-6396 The Fast & Fancy Filter β 3F plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to and including 1.2.2. This is due to missing nonce verification in the saveFields() funct... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-1395 The Gutentools plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Post Slider block's block_id attribute in all versions up to, and including, 1.1.3. This is due to insufficient... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-1913 The Gallagher Website Design plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's login_link shortcode in all versions up to, and including, 2.6.4 due to insufficient inp... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-1930 The Emailchef plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the page_options_ajax_disconnect() function in all versions up to, and includ... | 4.3 | MEDIUM | β | 0 |
| CVE-2025-58922 Cross-Site Request Forgery (CSRF) vulnerability in ThemeFusion Avada allows Cross Site Request Forgery.This issue affects Avada: from n/a before 7.13.2. | 4.3 | MEDIUM | β | 0 |
| CVE-2026-3673 An authenticated attacker can store a crafted tag value in _user_tags and trigger JavaScript execution when a victim opens the list/report view where tags are rendered. The vulnerable renderer interpo... | N/A | NONE | β | 0 |
| CVE-2026-5774 Improper synchronization of the userTokens map in the API server in Canonical JujuΒ 4.0.5,Β 3.6.20, and 2.9.56 may allow an authenticated user to possibly cause a denial of service on the server or poss... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-25125 October is a Content Management System (CMS) and web platform. Versions prior to 3.7.14 and 4.1.10 contain a server-side information disclosure vulnerability in the INI settings parser. Because PHP's ... | 4.9 | MEDIUM | β | 0 |
| CVE-2026-24176 NVIDIA KAI Scheduler contains a vulnerability where an attacker could cause improper authorization through cross-namespace pod references. A successful exploit of this vulnerability might lead to data... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-24177 NVIDIA KAI Scheduler contains a vulnerability where an attacker could access API endpoints without authorization. A successful exploit of this vulnerability might lead to information disclosure. | 7.7 | HIGH | β | 0 |
| CVE-2026-24189 NVIDIA CUDA-Q contains a vulnerability in an endpoint, where an unauthenticated attacker could cause an out-of-bounds read by sending a maliciously crafted request. A successful exploit of this vulner... | 8.2 | HIGH | β | 0 |
| CVE-2026-25542 Tekton Pipelines project provides k8s-style resources for declaring CI/CD-style pipelines. From 0.43.0 to 1.11.0, trusted resources verification policies match a resource source string (refSource.URI)... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-26274 October is a Content Management System (CMS) and web platform. Prior to 3.7.14 and 4.1.10, a vulnerability was identified in the Twig sandbox security policy that allowed database write operations whe... | 6.6 | MEDIUM | β | 0 |
| CVE-2026-27937 October is a Content Management System (CMS) and web platform. Prior to 3.7.16 and 4.1.16, a reflected Cross-Site Scripting (XSS) vulnerability was identified in the backend DataTable widget where a q... | 3.1 | LOW | β | 0 |
| CVE-2026-29179 October is a Content Management System (CMS) and web platform. Prior to 3.7.16 and 4.1.16, fine-grained sub-permission checks for asset and blueprint file operations were not enforced in the CMS and T... | 3.3 | LOW | β | 0 |
| CVE-2026-35451 Twenty is an open source CRM. Prior to 1.20.6, a Stored Cross-Site Scripting (XSS) vulnerability exists in the BlockNote editor component. Due to a lack of protocol validation in the FileBlock compone... | 5.7 | MEDIUM | β | 0 |
| CVE-2026-38835 Tenda W30E V2.0 V16.01.0.21 was found to contain a command injection vulnerability in the formSetUSBPartitionUmount function via the usbPartitionName parameter. This vulnerability allows attackers to ... | 9.8 | CRITICAL | β | 0 |
| CVE-2026-40050 CrowdStrike has released security updates to address a critical unauthenticated path traversal vulnerability (CVE-2026-40050) in LogScale. This vulnerability only requires mitigation by customers that... | 9.8 | CRITICAL | β | 0 |
| CVE-2023-7343 HiSecOS web server versions 05.0.00 to 08.3.01 prior to 08.3.02 contains a privilege escalation vulnerability that allows authenticated users with operator or auditor roles to escalate privileges to t... | 7.8 | HIGH | β | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.