CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST - in English

CISA KEV catalog updated: (v2026.07.14)

CVE-2026-12094
Medium

The Advanced Contact Form 7 - Compact DB plugin for WordPress is vulnerable to unauthorized deletion of data due to a missing capability check on the cf7cdb_ajax_delete_user() function in versions up to and including 1.0.0. The function does not perform nonce verification, capability checks, or ownership checks before deleting data from the wp_cf7cdb_data table.

CVE-2026-11997
Medium

The Bulk SEO Image plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to and including 1.1. This is due to missing or incorrect nonce validation on the plugin's settings page, allowing unauthenticated attackers to bulk-overwrite image ALT-text metadata.

CVE-2026-11370
Medium

The WP Meta SEO plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to and including 4.5.18 via the 'new_link' parameter. This allows authenticated attackers with contributor-level access or higher to make arbitrary HTTP requests from the application, potentially querying and modifying information from internal services.

CVE-2026-10753
Low

The Site Kit by Google WordPress plugin before version 1.176.0 does not properly restrict a REST API write endpoint to administrators, allowing lower-privileged users (such as Editors) to modify a site-wide setting that should only be modifiable by administrators.

CVE-2026-10749
High

The Post Duplicator WordPress plugin before version 3.0.15 does not safely handle custom meta-data during post duplication, allowing attacker-supplied serialized values to be stored without the WordPress meta API's double-serialization protection.

CVE-2026-10735
High

WordPress plugins such as Shapedsmart-post-show-pro, Real Testimonials Pro, and Product Slider for WooCommerce before specified versions contained malicious code. They were distributed through the vendor's compromised update server, allowing unauthenticated attackers to deploy a second-stage attack.

CVE-2026-10552
Medium

The Blue Captcha plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to and including 2.0.1. The issue arises from missing or incorrect nonce validation on the main admin panel and on subpages, allowing unauthenticated attackers to perform destructive operations.

CVE-2026-10531
Medium

The AI Share & Summarize WordPress plugin before version 2.0.4 does not sanitize and escape some shortcode attributes before outputting them on a page, allowing users with Contributor role and above to perform Stored Cross-Site Scripting attacks.

CVE-2026-10092
High

The Cincopa plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via cincopa shortcode in post comments in all versions up to and including 1.163 due to insufficient input sanitization and output escaping.

CVE-2026-10091
High

The Email JavaScript Cloak plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via the 'email' shortcode in all versions up to and including 1.03 due to insufficient input sanitization and output escaping. This allows authenticated attackers with contributor-level access and above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2026-9539
Medium

An out-of-bounds heap read and integer underflow in TCP urgent data handling in libslirp versions before v4.9.2 allows a privileged guest VM attacker to leak sensitive host-process heap memory.

CVE-2026-12851
CriticalEPSS 74%

Multiple OS command injection vulnerabilities exist in the libNetSetObj.so functionality of GeoVision GV-I/O Box 4E 2.09. A specially crafted network packet can lead to command execution.

CVE-2026-12850
CriticalEPSS 75%

Multiple OS command injection vulnerabilities exist in the libNetSetObj.so functionality of GeoVision GV-I/O Box 4E 2.09. A specially crafted network packet can lead to command execution.

CVE-2026-12849
CriticalEPSS 74%

Multiple OS command injection vulnerabilities exist in the libNetSetObj.so functionality of GeoVision GV-I/O Box 4E 2.09. A specially crafted network packet can lead to command execution.

CVE-2026-12848
Critical

The GV-I/O Box 4E is a smart embedded device that supports communication over Ethernet and RS-485. The DVRSearch service, running by default on port 10001, is vulnerable to a stack overflow that can be exploited by an attacker to execute malicious code.

CVE-2026-12847
Critical

The GV-I/O Box 4E is a smart embedded device that is vulnerable to stack overflow due to improper handling of UDP messages. An attacker can send a specially crafted message, leading to potential buffer overflow.

CVE-2026-12846
Critical

The GV-I/O Box 4E is an embedded smart device that is vulnerable to stack overflow due to improper handling of UDP messages. An attacker can send a specially crafted message, potentially leading to unauthorized access or device failure.

CVE-2026-12488
Medium

A memory corruption vulnerability exists in the GV-Cloud functionality of GeoVision GV-VMS V20 20.0.2. A specially crafted network request can lead to a denial of service.

CVE-2026-12486
CriticalEPSS 75%

Multiple OS command injection vulnerabilities exist in the libNetSetObj.so functionality of GeoVision GV-I/O Box 4E 2.09. A specially crafted network packet can lead to command execution.

CVE-2026-12485
Critical

GV-I/O Box 4E is a smart embedded device that supports communication over Ethernet and RS-485. The DVRSearch service, running by default on this device, is vulnerable to a stack overflow that can be exploited by an attacker to execute malicious code.

PreviousPage 243 of 4580Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS