CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST — in English

CISA KEV catalog updated: (v2026.07.01)

CVE-2026-41123
Medium

Dell PowerProtect Data Domain versions 7.7.1.0 through 8.6, LTS2026 release 8.6.1.0 through 8.6.1.10, LTS2025 release 8.3.1.0 through 8.3.1.30, and LTS2024 release 7.13.1.0 through 7.13.1.70 contain an improper access control vulnerability in RBAC. A low privileged attacker with remote access could exploit this vulnerability to tamper with information.

CVE-2026-26355
Medium

Dell PowerProtect Data Domain in multiple versions contains an OS command injection vulnerability. A high privileged attacker with remote access could exploit this flaw to execute arbitrary commands.

CVE-2026-5137
Medium

The RTMKit (rometheme-for-elementor) plugin for WordPress up to version 2.0.7 is vulnerable to Local File Inclusion (LFI). This is due to insufficient path validation on the 'template' parameter in the render_templates AJAX endpoint, which is used directly in a require/include statement without sanitization.

CVE-2026-4322
Medium

The Destekz plugin from Raera - Ankara Web Design and Digital Advertising Agency contains a reflected XSS vulnerability due to improper input neutralization during page generation. This affects versions up to 02062026, and the product is no longer supported by the vendor.

CVE-2026-9756
Medium

The GenerateBlocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Headline Block 'linkMetaFieldType' Dynamic Link Attribute in versions up to and including 2.2.1 due to insufficient input sanitization and output escaping.

CVE-2026-4804
Medium

The Zakra theme for WordPress up to version 4.2.0 is vulnerable to Stored Cross-Site Scripting. The lack of sanitization for post meta fields (zakra_menu_item_color, zakra_menu_item_hover_color, zakra_menu_item_active_color) via the REST API allows authenticated attackers with Contributor-level access or higher to inject arbitrary scripts that execute when users visit the affected page.

CVE-2026-35159
Medium

Dell Client Platform BIOS contains an authentication bypass by primary weakness vulnerability. An unauthenticated attacker with physical access could potentially exploit this flaw, leading to information disclosure.

CVE-2026-11900
Medium

The Ad Inserter – Ad Manager & AdSense Ads plugin for WordPress up to version 2.8.16 is vulnerable to Insecure Direct Object Reference (IDOR) via the 'data' attribute of the [adinserter] shortcode. The replace_ai_tags() function processes a {reusable-block-N} tag pattern that calls get_post_field('post_content', N) without verifying user capabilities with current_user_can('read_post'), without restricting the post type to 'wp_block', and without checking the post status. This allows authenticated attackers with Contributor-level access and above to read the full content of arbitrary posts, including Private, Draft, Pending, Trashed, and password-protected posts owned by other users, by placing the shortcode in a post they own and previewing it.

CVE-2026-11778
Medium

The CURCY – Multi Currency for WooCommerce plugin for WordPress up to version 2.2.14 is vulnerable to arbitrary shortcode execution by unauthenticated attackers. This is due to insufficient validation before passing a value to the do_shortcode function.

CVE-2026-11398
Medium

The LatePoint plugin for WordPress, up to version 5.6.1, has an authorization bypass vulnerability. Unauthenticated attackers can modify personally identifiable information (first name, last name, phone number, and notes) of any existing customer record, including administrator accounts, by submitting the booking form with a known email address. Exploitation requires guest bookings to be enabled.

CVE-2026-9230
Medium

The Quiz and Survey Master (QSM) plugin for WordPress up to version 11.1.4 is vulnerable to authorization bypass. Authenticated attackers with contributor-level access or higher can modify quizzes they do not own, overwrite result pages, and redirect notification emails to attacker-controlled addresses.

CVE-2026-8804
Medium

Puppet resource_api (shipped with Puppet Core 8.x and Puppet Enterprise 2023.8.x and 2025.x) fails to preserve the sensitive flag on parameters defined via the resource-api, causing values such as passwords to be stored in cleartext in the agent's local transaction state cache.

CVE-2026-8351
Medium

The RTMKit plugin for WordPress up to version 2.0.7 is vulnerable to Stored Cross-Site Scripting in the Advanced Heading widget due to insufficient output escaping of the 'Background Text' parameter. Authenticated attackers with contributor-level access or higher can inject arbitrary scripts that execute when users visit the page.

CVE-2026-47898
Medium

Apache Lucene.Net (the Lucene.Net.Analysis.Common library) contains an XML External Entity (XXE) vulnerability. Affected versions range from 4.8.0-beta00005 up to 4.8.0-beta00017.

CVE-2026-9626
Medium

The JSON API User plugin for WordPress up to version 4.1.0 is vulnerable to Stored Cross-Site Scripting via the 'content' parameter of the post_comment API endpoint. The post_comment() function lacks proper input sanitization, allowing authenticated attackers with subscriber-level access or higher to inject arbitrary web scripts.

CVE-2026-9180
Medium

The MotoPress Appointment Booking plugin for WordPress up to version 2.4.4 contains an authorization bypass vulnerability via a user-controlled key. Unauthenticated attackers can overwrite customer data (name, email, phone number) in non-confirmed bookings by exploiting a publicly accessible REST endpoint.

CVE-2026-8892
Medium

The CM Business Directory plugin for WordPress up to version 1.5.7 is vulnerable to Stored Cross-Site Scripting via Business Address Meta Fields due to insufficient input sanitization and output escaping. Authenticated attackers with contributor-level access or higher can inject arbitrary web scripts that execute when users visit affected pages.

CVE-2026-8489
Medium

The Ultimate Member plugin for WordPress is vulnerable to stored XSS via the 'about_me' parameter in versions up to and including 2.11.4 due to insufficient input sanitization and output escaping.

CVE-2026-12557
Medium

The Ninja Forms - File Uploads plugin for WordPress up to version 3.3.29 inclusive contains an authorization bypass vulnerability. Unauthenticated attackers can read all debug log entries stored in the wp_nf3_log table or permanently delete all rows from that table.

CVE-2026-11397
Medium

The WP Import Export Lite plugin for WordPress is vulnerable to Server-Side Request Forgery (SSRF) in all versions up to and including 3.9.30 via the wpie_import_upload_file_from_url AJAX action. After wp_safe_remote_get() fails (blocking private IPs), the plugin falls back to GuzzleHttp\Client::request() without SSRF protection and with TLS verification disabled. This allows authenticated attackers with administrator access to make requests to arbitrary locations, including internal services like the cloud metadata endpoint.


Vulnerability data from NVD (NIST) · CISA KEV · EPSS