CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST — in English

CISA KEV catalog updated: (v2026.07.01)

CVE-2026-40749
Critical

In Charity Zone versions <= 1.1.1, there is a vulnerability that allows subscribers to upload arbitrary files.

CVE-2026-40748
Critical

In Kids Gift Shop versions <= 0.5.4, there is a vulnerability allowing arbitrary file uploads by subscribers.

CVE-2026-40747
Critical

In Ecommerce Zone versions <= 0.9.7, there is a vulnerability that allows subscribers to upload arbitrary files.

CVE-2026-40746
Critical

In Restaurant Zone versions <= 0.7.8, there is a vulnerability allowing arbitrary file uploads by subscribers.

CVE-2026-40725
Critical

There is an unauthenticated PHP Object Injection vulnerability in WooCommerce Product Filters versions below 2.0.6.

CVE-2026-39596
Critical

There is an unauthenticated SQL injection vulnerability in Blocksy Companion Pro versions below 2.1.29.

CVE-2026-39589
Critical

In Webenvo versions <= 0.0.6, there is a vulnerability that allows subscribers to upload arbitrary files.

CVE-2026-39529
Critical

There is an unauthenticated PHP Object Injection vulnerability in Elementra versions <= 1.0.9.

CVE-2026-39438
Critical

Unauthenticated SQL Injection exists in ListingPro versions <= 2.9.10.

CVE-2026-32967
Critical

Incorrect Authorization vulnerability of `/v2` experimental interface in Apache DolphinScheduler. This issue affects versions before 3.4.2.

CVE-2026-32966
Critical

Missing authorization check in DataSource API leads to arbitrary data source metadata disclosure in Apache DolphinScheduler.

CVE-2026-27429
Critical

Nifty versions up to 1.4.1 are vulnerable to unauthenticated PHP object injection.

CVE-2026-27395
Critical

In Support Board versions below 3.8.9, there is a vulnerability that allows unauthenticated privilege escalation.

CVE-2026-27041
Critical

The Elementor (Premium) plugin versions up to 2.0.6 contain a vulnerability that allows unauthorized file uploads by users with appropriate permissions.

CVE-2026-25470
Critical

The ACPT (Pro) - Custom Post Types Plugin for WordPress has a vulnerability due to improper control of code generation, allowing for remote code injection.

CVE-2026-25446
Critical

In WishList Member X versions up to 3.29.0, there is a vulnerability that allows subscribers to upload arbitrary files.

CVE-2026-24611
Critical

Versions of MetForm Pro <= 3.9.1 have an unauthenticated broken access control vulnerability that may allow attackers to access resources they should not have access to.

CVE-2026-22340
Critical

There is an unauthenticated SQL injection vulnerability in WPJobster versions up to 6.3.5.

CVE-2026-22332
Critical

There is an unauthenticated SQL injection vulnerability in Tutor LMS Pro versions up to 3.9.6.

CVE-2026-22327
Critical

In Restaurt versions <= 1.0.4, there is a vulnerability that allows subscribers to upload arbitrary files.

PreviousPage 27 of 554Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS