Export limit exceeded: 326334 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (326334 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-0913 | 1 Wordpress | 1 Wordpress | 2026-01-16 | 6.4 Medium |
| The User Submitted Posts – Enable Users to Submit Posts from the Front End plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'usp_access' shortcode in all versions up to, and including, 20260110 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2026-0916 | 1 Wordpress | 1 Wordpress | 2026-01-16 | 6.4 Medium |
| The Related Posts by Taxonomy plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'related_posts_by_tax' shortcode in all versions up to, and including, 2.7.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2026-0942 | 3 Linknacional, Woocommerce, Wordpress | 3 Rede Itau For Woocommerce, Woocommerce, Wordpress | 2026-01-16 | 5.3 Medium |
| The Rede Itaú for WooCommerce — Payment PIX, Credit Card and Debit plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the clearOrderLogs() function in all versions up to, and including, 5.1.2. This makes it possible for unauthenticated attackers to delete the Rede Order Logs metadata from all WooCommerce orders. | ||||
| CVE-2026-1000 | 3 Mailerlite, Woocommerce, Wordpress | 3 Mailerlite, Woocommerce, Wordpress | 2026-01-16 | 6.5 Medium |
| The MailerLite - WooCommerce integration plugin for WordPress is vulnerable to unauthorized data modification and deletion in all versions up to, and including, 3.1.3. This is due to missing capability checks on the resetIntegration() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to reset the plugin's integration settings, delete all plugin options, and drop the plugin's database tables (woo_mailerlite_carts and woo_mailerlite_jobs), resulting in complete loss of plugin data including customer abandoned cart information and sync job history. | ||||
| CVE-2026-1004 | 2 Wordpress, Wpdevteam | 2 Wordpress, Essential Addons For Elementor | 2026-01-16 | 5.3 Medium |
| The Essential Addons for Elementor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to and including 6.5.5 via the 'eael_product_quickview_popup' function. This makes it possible for unauthenticated attackers to retrieve WooCommerce product information for products with draft, pending, or private status, which should normally be restricted. | ||||
| CVE-2026-20759 | 1 Toa Corporation | 1 Trifora 3 Series | 2026-01-16 | N/A |
| OS Command Injection vulnerability exists in multiple Network Cameras TRIFORA 3 series provided by TOA Corporation, which may allow a logged-in user with the low("monitoring user") or higher privilege to execute an arbitrary OS command. | ||||
| CVE-2026-20894 | 1 Toa Corporation | 1 Trifora 3 Series | 2026-01-16 | N/A |
| Cross-site scripting vulnerability exists in multiple Network Cameras TRIFORA 3 series provided by TOA Corporation. If an attacking administrator configures the affected product with some malicious input, an arbitrary script may be executed on the web browser of a victim administrator who accesses the setting screen. | ||||
| CVE-2025-58754 | 1 Axios | 1 Axios | 2026-01-16 | 7.5 High |
| Axios is a promise based HTTP client for the browser and Node.js. When Axios starting in version 0.28.0 and prior to versions 0.30.2 and 1.12.0 runs on Node.js and is given a URL with the `data:` scheme, it does not perform HTTP. Instead, its Node http adapter decodes the entire payload into memory (`Buffer`/`Blob`) and returns a synthetic 200 response. This path ignores `maxContentLength` / `maxBodyLength` (which only protect HTTP responses), so an attacker can supply a very large `data:` URI and cause the process to allocate unbounded memory and crash (DoS), even if the caller requested `responseType: 'stream'`. Versions 0.30.2 and 1.12.0 contain a patch for the issue. | ||||
| CVE-2025-1029 | 1 Utarit | 1 Soliclub | 2026-01-16 | 7.5 High |
| Use of Hard-coded Credentials vulnerability in Utarit Information Services Inc. SoliClub allows Read Sensitive Constants Within an Executable.This issue affects SoliClub: from 5.2.4 before 5.3.7. | ||||
| CVE-2025-1030 | 1 Utarit | 1 Soliclub | 2026-01-16 | 7.5 High |
| Exposure of Private Personal Information to an Unauthorized Actor vulnerability in Utarit Informatics Services Inc. SoliClub allows Query System for Information.This issue affects SoliClub: from 5.2.4 before 5.3.7. | ||||
| CVE-2025-1031 | 1 Utarit | 1 Soliclub | 2026-01-16 | 7.5 High |
| Authorization Bypass Through User-Controlled Key vulnerability in Utarit Informatics Services Inc. SoliClub allows Functionality Misuse.This issue affects SoliClub: from 5.2.4 before 5.3.7. | ||||
| CVE-2025-7047 | 1 Utarit | 1 Soliclub | 2026-01-16 | 4.3 Medium |
| Missing Authorization vulnerability in Utarit Informatics Services Inc. SoliClub allows Privilege Abuse.This issue affects SoliClub: before 5.3.7. | ||||
| CVE-2025-7358 | 1 Utarit | 1 Soliclub | 2026-01-16 | 7.5 High |
| Use of Hard-coded Credentials vulnerability in Utarit Informatics Services Inc. SoliClub allows Authentication Abuse.This issue affects SoliClub: before 5.3.7. | ||||
| CVE-2025-7404 | 2 Gelbphoenix, Janeczku | 2 Autocaliweb, Calibre-web | 2026-01-16 | 9.8 Critical |
| Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Calibre Web, Autocaliweb allows Blind OS Command Injection.This issue affects Calibre Web: 0.6.24 (Nicolette); Autocaliweb: from 0.7.0 before 0.7.1. | ||||
| CVE-2025-43023 | 2 Hp, Linux | 5 Hp, Linux Imaging And Printing, Linux Imaging And Printing Project and 2 more | 2026-01-16 | 9.1 Critical |
| A potential security vulnerability has been identified in the HP Linux Imaging and Printing Software documentation. This potential vulnerability is due to the use of a weak code signing key, Digital Signature Algorithm (DSA). | ||||
| CVE-2025-68637 | 1 Apache | 1 Uniffle | 2026-01-16 | 9.1 Critical |
| The Uniffle HTTP client is configured to trust all SSL certificates and disables hostname verification by default. This insecure configuration exposes all REST API communication between the Uniffle CLI/client and the Uniffle Coordinator service to potential Man-in-the-Middle (MITM) attacks. This issue affects all versions from before 0.10.0. Users are recommended to upgrade to version 0.10.0, which fixes the issue. | ||||
| CVE-2025-68493 | 1 Apache | 1 Struts | 2026-01-16 | 8.1 High |
| Missing XML Validation vulnerability in Apache Struts, Apache Struts. This issue affects Apache Struts: from 2.0.0 before 2.2.1; Apache Struts: from 2.2.1 through 6.1.0. Users are recommended to upgrade to version 6.1.1, which fixes the issue. | ||||
| CVE-2025-66169 | 1 Apache | 1 Camel | 2026-01-16 | 5.3 Medium |
| Cypher Injection vulnerability in Apache Camel camel-neo4j component. This issue affects Apache Camel: from 4.10.0 before 4.10.8, from 4.14.0 before 4.14.3, from 4.15.0 before 4.17.0 Users are recommended to upgrade to version 4.10.8 for 4.10.x LTS and 4.14.3 for 4.14.x LTS and 4.17.0. | ||||
| CVE-2025-39400 | 1 Wpeverest | 2 User Registration, User Registration \& Membership | 2026-01-16 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpeverest User Registration allows Reflected XSS. This issue affects User Registration: from n/a through n/a. | ||||
| CVE-2024-3677 | 2 Tinyweb, Wordpress | 2 Ultimate 410 Gone Status Code, Wordpress | 2026-01-16 | 6.4 Medium |
| The Ultimate 410 Gone Status Code plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 410 entries in all versions up to, and including, 1.1.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Please note TinyWeb as a separate Web Browser is not affected, and only shares a name with the author of this plugin. | ||||