Export limit exceeded: 362446 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.

Export limit exceeded: 47000 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.

Search

Search Results (47000 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2025-68851 2 Arrayhq, Wordpress 2 Okay Toolkit, Wordpress 2026-06-23 7.1 High
Unauthenticated Cross Site Scripting (XSS) in Okay Toolkit <= 2.3 versions.
CVE-2025-68872 2 Eli, Wordpress 2 Eli's Wordcents Adsense Widget With Analytics, Wordpress 2026-06-23 7.1 High
Unauthenticated Cross Site Scripting (XSS) in Eli&#039;s WordCents adSense Widget with Analytics <= 1.3.03.27 versions.
CVE-2026-39507 2 Themeisle, Wordpress 2 Social Slider Feed, Wordpress 2026-06-23 7.1 High
Unauthenticated Cross Site Scripting (XSS) in Social Slider Feed <= 2.3.2 versions.
CVE-2026-39540 2 Amit Mittal, Wordpress 2 Shipment Tracker For Woocommerce, Wordpress 2026-06-23 6.5 Medium
Subscriber Cross Site Scripting (XSS) in Shipment Tracker for Woocommerce <= 1.5.3.2 versions.
CVE-2026-42649 2 Archetyped, Wordpress 2 Favicon Rotator, Wordpress 2026-06-23 7.1 High
Unauthenticated Cross Site Scripting (XSS) in Favicon Rotator <= 1.2.11 versions.
CVE-2026-42650 2 Ruben Garcia, Wordpress 2 Automatorwp, Wordpress 2026-06-23 7.2 High
Unauthenticated Cross Site Scripting (XSS) in AutomatorWP <= 5.6.7 versions.
CVE-2026-42656 2 Wasiliy Strecker, Wordpress 2 Contest Gallery, Wordpress 2026-06-23 6.5 Medium
Subscriber Cross Site Scripting (XSS) in Contest Gallery <= 28.1.6 versions.
CVE-2026-48871 2 Takashi Kitajima, Wordpress 2 Mw Wp Form, Wordpress 2026-06-23 7.1 High
Unauthenticated Cross Site Scripting (XSS) in MW WP Form <= 5.1.3 versions.
CVE-2026-48876 2 Web Guy, Wordpress 2 Stop Spammers, Wordpress 2026-06-23 7.1 High
Unauthenticated Cross Site Scripting (XSS) in Stop Spammers <= 2026.3 versions.
CVE-2026-48966 2 Funnelkit, Wordpress 2 Funnel Builder By Funnelkit, Wordpress 2026-06-23 7.1 High
Unauthenticated Cross Site Scripting (XSS) in Funnel Builder by FunnelKit <= 3.15.0.2 versions.
CVE-2026-52702 2 Wordpress, Wp-buy 2 Wordpress, Seo Redirection 2026-06-23 7.1 High
Unauthenticated Cross Site Scripting (XSS) in SEO Redirection <= 9.17 versions.
CVE-2026-48157 1 Slimphp 1 Slim 2026-06-23 6.1 Medium
Slim is a PHP micro framework that enables users to write simple web applications and APIs. In versions 4.4.0 through 4.15, if an application uses HttpException::setTitle() and/or setDescription() to include untrusted/request-derived data in the error title or description (e.g. "No products found matching '{$query}'."), an attacker could inject arbitrary HTML/JavaScript that executes in the victim's browser when they encounter an HTML error page generated by Slim. The vulnerability is present even with displayErrorDetails = false as the unescaped title and description are rendered on this error path. Built-in exceptions (HttpNotFoundException, HttpBadRequestException, etc.) ship plain-text defaults, so a vanilla Slim app with no user code is not exploitable. Only applications that feed untrusted data into setTitle() and/or setDescription() are affected. The issue has been fixed in 4.15.2. If developers are unable to immediately update their applications, they can work around this issue by avoiding passing untrusted/request-derived data into HttpException::setTitle() and setDescription() and using static, plain-text error copy instead. They should also register a custom error renderer (an ErrorRendererInterface implementation, or a subclass of HtmlErrorRenderer that escapes the title and description) for the HTML media type.
CVE-2026-10093 2 Deepakkite, Wordpress 2 Secure Client Portal And Private File Sharing Plugin – User Private Files, Wordpress 2026-06-23 6.4 Medium
The File Sharing & Download Manager – User Private Files plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'fldr_ttl' parameter in all versions up to, and including, 2.1.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2026-39437 2 Wordpress, Wpfactory 2 Wordpress, Min Max Step Quantity Limits Manager For Woocommerce 2026-06-23 7.1 High
Unauthenticated Cross Site Scripting (XSS) in Min Max Step Quantity Limits Manager for WooCommerce <= 5.2.2 versions.
CVE-2026-54191 2 Pods Framework, Wordpress 2 Pods, Wordpress 2026-06-23 7.1 High
Unauthenticated Cross Site Scripting (XSS) in Pods <= 3.3.8 versions.
CVE-2026-12425 1 Powerschool 1 Employee Access Center 2026-06-23 N/A
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in PowerSchool Employee Access Center allows Cross-Site Scripting (XSS). This issue affects Employee Access Center: 23.10. It is possible to add in javascript code after the login URL and have it be eval()'d in the page and execute in the context of the user.
CVE-2026-48294 1 Adobe 1 Adobe Acrobat Pdf Extension (chrome) 2026-06-23 7.4 High
Adobe Acrobat PDF Extension (Chrome) versions 26.5.2.2 and earlier are affected by a UXSS-class cross-origin data disclosure vulnerability. An attacker could exploit this vulnerability to gain access to data regarding the victim's session. Exploitation of this issue requires user interaction in that a victim must visit a maliciously crafted URL or interact with a compromised web page. Scope is changed.
CVE-2025-69104 2 Jkdevstudio, Wordpress 2 Qreatix, Wordpress 2026-06-23 7.1 High
Unauthenticated Cross Site Scripting (XSS) in Qreatix <= 1.9.4 versions.
CVE-2026-56265 1 Crawl4ai 1 Crawl4ai 2026-06-23 9.8 Critical
Crawl4AI before 0.8.7 contains an authentication bypass vulnerability due to a hardcoded default JWT signing key in the Docker API server. Attackers who know the default key can forge valid authentication tokens for any user, bypassing authentication and gaining full access to protected functionality.
CVE-2026-11746 1 Ly Corporation 1 Central Dogma 2026-06-23 N/A
A vulnerability has been identified in centraldogma-server versions prior to 0.84.0, where enabling ZooKeeper replication without setting replication.secret causes the server to silently fall back to a hard-coded, publicly known secret. This default credential authenticates the embedded ZooKeeper ensemble, allowing an attacker with network access to read the full replication log or join the quorum and execute arbitrary replicated commands across the cluster.