CVE search

363,051 results
CVE-2026-53903 | MEDIUM | Insecure Direct Object Reference in MCO | EPSS
CVE-2026-53902 | HIGH | Privilege Escalation in MCO | EPSS
CVE-2026-14181 | HIGH | @fastify/middie standalone engine vulnerable to Denial of Service via malformed percent-encoded paths | EPSS
CVE-2026-14198 | CRITICAL | @fastify/middie vulnerable to authorization bypass via encoded slash in path parameter values | EPSS
CVE-2026-13323 | MEDIUM | In Open VSX Registry before 1.0.2, the /vscode/unpkg/ endpoint serves user-supplied HTML files with Content-Type: text/html and without a Co | EPSS
CVE-2026-12142 | HIGH | NEX-Forms <= 9.2.2 - Unauthenticated Stored Cross-Site Scripting via '_name[]' Array Parameter | EPSS
CVE-2026-13228 | HIGH | LatePoint <= 5.6.3 - Authenticated (Custom+) Privilege Escalation to Administrator via 'order[customer_id]' Parameter | EPSS
CVE-2026-10095 | MEDIUM | WP Photo Album Plus <= 9.1.13.005 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'subtext' Shortcode Attribute | EPSS
CVE-2026-14258 | MEDIUM | Dhcpcd: dhcpcd infinite loop and out-of-bounds read via zero-length ipv6 nd option in router advertisement handling | EPSS
CVE-2026-27435 | MEDIUM | WordPress Woffice theme < 5.4.33 - Broken Access Control vulnerability | EPSS 0.2%
CVE-2026-12754 | MEDIUM | VikBooking Hotel Booking Engine & PMS <= 1.8.12 - Reflected Cross-Site Scripting via 'layoutstyle' Parameter | EPSS 0.3%
CVE-2026-13454 | MEDIUM | MotoPress Appointment Booking <= 2.4.5 - Authenticated (Staff+) SQL Injection via 's' Parameter | EPSS 0.4%
CVE-2026-10538 | HIGH | Improper deserialization handling in Control-M Components | EPSS 0.2%
CVE-2026-10539 | CRITICAL | Unauthenticated command injection in Control-M/Server communication command | EPSS 0.2%
CVE-2026-12158 | HIGH | RegistrationMagic <= 6.0.9.1 - Cross-Site Request Forgery to Privilege Escalation via 'rmc_assign_user_role_action' Parameter | EPSS 0.2%
CVE-2026-13733 | MEDIUM | Download Manager <= 3.3.60 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'no_data_msg' Shortcode Attribute | EPSS 0.2%
CVE-2026-11387 | CRITICAL | SMS Alert <= 3.9.5 - Unauthenticated Privilege Escalation via Arbitrary Password Reset | EPSS 0.4%
CVE-2026-12408 | MEDIUM | Slim SEO <= 4.9.8 - Authenticated (Contributor+) Insufficient Authorization to Private Content Disclosure via 'object.ID' Parameter | EPSS 0.3%
CVE-2026-10096 | MEDIUM | Qi Blocks <= 1.4.9 - Insecure Direct Object Reference to Authenticated (Author+) Arbitrary Style Modification via 'page_id' Parameter | EPSS 0.2%
CVE-2026-12435 | MEDIUM | Motors <= 1.4.111 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Meta Modification via 'stm_mark_as_sold_car' Parameter | EPSS 0.2%