CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST - in English

CISA KEV catalog updated: (v2026.07.10)

CVE-2026-54826
High

The SupportCandy plugin version 3.4.6 and earlier contains an Insecure Direct Object References (IDOR) vulnerability for subscribers. This allows unauthorized access to other users' data.

CVE-2026-54825
Critical

The wpDataTables plugin in versions 7.4 and earlier contains an unauthenticated SQL injection vulnerability. An attacker can remotely execute arbitrary SQL queries, leading to unauthorized database access.

CVE-2026-54824
High

The Ads by WPQuads plugin version 3.0.3 and earlier allows unauthenticated attackers to access sensitive data. This vulnerability is due to missing access controls on data stored by the plugin.

CVE-2026-54820
Critical

SQL Injection vulnerability in JetBooking plugin versions up to 4.0.4.1 allows an unauthenticated attacker to inject malicious SQL code into database queries.

CVE-2026-52701
Medium

The User Registration plugin version 5.2.2 and earlier contains an unauthenticated broken access control vulnerability. An attacker without authentication can exploit this flaw to perform unauthorized actions.

CVE-2026-4339
Medium

A vulnerability in the Mattermost Agents plugin MCP server allows an attacker with access to the MCP server in stdio mode to perform server-side request forgery (SSRF) by supplying internal URLs as file attachments in post creation requests. Affected versions are 10.11.x <= 10.11.18, 11.6.x <= 11.6.3, and 11.5.x <= 11.5.6.

CVE-2026-45257
High

A vulnerability in the KTLS receive path decrypts data in place, allowing a local unprivileged user who can read a file to overwrite its contents by sending it over a loopback connection with KTLS receive enabled.

CVE-2026-45256
Medium

A vulnerability in the thr_kill2(2) function of FreeBSD allows sending a signal to any process without checking permissions. The missing verification of the p_cansignal() result enables an unprivileged user to send signals to processes owned by other users or root, as well as across jail boundaries.

CVE-2026-3472
Low

A vulnerability in Mattermost allows an authenticated attacker to exfiltrate data by injecting Markdown image syntax into AI bot tool result posts. Markdown image rendering restrictions are not properly applied to AI bot tool result posts, enabling data leakage to an attacker-controlled server when rendered by a victim's client.

CVE-2026-30041
High

An integer overflow in the PSD parser component of FastStone Image Viewer v8.3 allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via supplying a crafted PSD file.

CVE-2026-30040
Medium

A heap overflow in the FSViewer.exe process of FastStone Image Viewer v8.3 allows attackers to execute arbitrary code in the context of the current process via supplying a crafted JPEG 2000 (JP2) file.

CVE-2026-24547
Medium

The vulnerability in SiteGround Email Marketing plugin versions up to 1.7.5 allows unauthenticated attackers to bypass access control. Lack of required authentication enables unauthorized operations on plugin resources.

CVE-2025-68075
Medium

The BNE Testimonials plugin version 2.0.8 and earlier contains a Cross Site Scripting (XSS) vulnerability from contributors. This allows injection of malicious JavaScript code by content authors.

CVE-2025-68074
Medium

Cross Site Scripting (XSS) vulnerability in Image Carousel plugin versions up to 1.0.0.41 allows an attacker to inject malicious JavaScript code into the page. The flaw is due to insufficient input sanitization.

CVE-2025-68064
High

Local File Inclusion (LFI) vulnerability in Goya Core plugin versions prior to 1.0.9.4 allows a contributor to read arbitrary files on the server.

CVE-2025-68063
High

The Splash - Sport Club WordPress Theme for Basketball, Football, Hockey versions 4.4.3 and earlier contains a Local File Inclusion (LFI) vulnerability exploitable by contributors. This allows an attacker with contributor privileges to read sensitive files on the server.

CVE-2025-68052
High

The vulnerability allows an unauthenticated Cross-Site Request Forgery (CSRF) attack in Eagle Booking versions up to 1.3.4.3. An attacker can trick an administrator into performing unintended actions, such as changing settings or adding new users.

CVE-2025-66123
Medium

An Insecure Direct Object References (IDOR) vulnerability in BookPro version 1.1.0 and earlier allows an unauthenticated attacker to access resources they should not have permission to. The issue stems from a lack of authorization checks when directly referencing objects.

CVE-2025-64637
Medium

In Auros Core versions up to and including 5.3.1, there is an unauthenticated content injection vulnerability. An attacker without authentication can modify application content.

CVE-2025-64636
Medium

The Donation Thermometer plugin versions up to 2.2.7 contain an unauthenticated broken access control vulnerability. An attacker without authentication can gain unauthorized access to plugin functions.

PreviousPage 168 of 4563Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS