Search

Search Results (363089 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2026-14074 1 Google 1 Chrome 2026-07-02 6.5 Medium
Side-channel information leakage in WebAuthentication in Google Chrome on iOS prior to 150.0.7871.47 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)
CVE-2026-14076 1 Google 1 Chrome 2026-07-02 4.3 Medium
Insufficient policy enforcement in Network in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to bypass content security policy via a crafted HTML page. (Chromium security severity: Low)
CVE-2026-57348 2 Cozmoslabs, Wordpress 2 Paid Member Subscriptions, Wordpress 2026-07-02 7.2 High
Unauthenticated Server Side Request Forgery (SSRF) in Paid Member Subscriptions <= 3.0.4 versions.
CVE-2026-13953 1 Google 1 Chrome 2026-07-02 6.5 Medium
Inappropriate implementation in SplitView in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Medium)
CVE-2026-49779 2026-07-02 6.5 Medium
Customer Path Traversal in Tax Exempt for WooCommerce <= 1.9.3 versions.
CVE-2026-56379 1 Imagemagick 1 Imagemagick 2026-07-02 8.1 High
ImageMagick before 7.1.2-15 and 6.9.13-40 contains a command injection vulnerability in the SVG decoder that allows attackers to inject arbitrary MVG drawing commands. Attackers can craft malicious SVG files with injected Magick Vector Graphics commands that execute during rendering.
CVE-2026-56371 1 Imagemagick 1 Imagemagick 2026-07-02 5.3 Medium
ImageMagick before 7.1.2-15 and 6.9.13-40 contains a memory leak in coders/txt.c when processing TXT files with texture attributes: the texture object allocated via ReadImage is not released when GetTypeMetrics fails, leaking memory each time a crafted TXT file with a texture attribute is processed.
CVE-2026-58451 1 Horde 1 Imp 2026-07-02 6.5 Medium
Horde IMP before 7.0.1 contains a path traversal vulnerability in lib/Compose.php that allows authenticated attackers to read arbitrary files from the server filesystem by embedding traversal sequences after a CKEditor path prefix in img src URLs. Attackers can bypass the stripos() prefix validation by appending sequences such as traversal segments after the matching prefix, causing file_get_contents() to read sensitive files whose contents are then exfiltrated as MIME parts in outgoing email; unauthenticated exploitation is also achievable via CSRF against an active authenticated session.
CVE-2026-14133 1 Google 1 Chrome 2026-07-02 4.3 Medium
Race in History Embeddings in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)
CVE-2026-12122 2 Themeum, Wordpress 2 Kirki – Freeform Page Builder, Website Builder & Customizer, Wordpress 2026-07-02 5.3 Medium
The Kirki – Freeform Page Builder, Website Builder & Customizer plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 6.0.11 via the get_single_symbol. This makes it possible for unauthenticated attackers to extract the full builder metadata and rendered HTML of any kirki_symbol post — including unpublished drafts — by supplying a sequential WordPress post ID.
CVE-2026-27419 2 Wordpress, Zozothemes 2 Wordpress, Zegen 2026-07-02 9.9 Critical
Subscriber Arbitrary File Upload in Zegen <= 1.1.9 versions.
CVE-2026-57764 2026-07-02 6.5 Medium
Contributor Cross Site Scripting (XSS) in Surbma | Yoast SEO Breadcrumb Shortcode <= 1.2 versions.
CVE-2026-57686 2026-07-02 7.1 High
Unauthenticated Cross Site Scripting (XSS) in WowAddons <= 1.6.14 versions.
CVE-2026-57757 2026-07-02 7.1 High
Unauthenticated Cross Site Request Forgery (CSRF) in pCloud WP Backup <= 2.0.2 versions.
CVE-2026-13937 1 Google 1 Chrome 2026-07-02 6.5 Medium
Insufficient policy enforcement in Passwords in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)
CVE-2026-57751 2026-07-02 8.1 High
Unauthenticated Cross Site Request Forgery (CSRF) in Heateor Social Login <= 1.1.39 versions.
CVE-2026-4767 2026-07-02 9.8 Critical
Missing authentication for critical function vulnerability in TR7 Cyber ​​Defense Inc. WAF-ASP allows Authentication Abuse. This issue affects WAF-ASP: from v1.0.324.900 before v1.4.0.117.
CVE-2026-57680 2 Themeum, Wordpress 2 Kirki, Wordpress 2026-07-02 6.5 Medium
Unauthenticated Insecure Direct Object References (IDOR) in Kirki <= 6.0.11 versions.
CVE-2026-57678 2 Themepunch, Wordpress 2 Slider Revolution, Wordpress 2026-07-02 7.1 High
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemePunch Slider Revolution allows Reflected XSS. This issue affects Slider Revolution: from 7.0.0 through 7.0.16.
CVE-2026-58172 1 Threemammals 1 Ocelot 2026-07-02 9.1 Critical
Ocelot through 24.1.0, fixed in commit f156fd4, contains a security control bypass vulnerability that allows denied clients to circumvent IP-based access restrictions by sending WebSocket upgrade requests. The WebSocket upgrade pipeline branch configured via MapWhen in OcelotPipelineExtensions.cs omits SecurityMiddleware, causing requests from blocked IP addresses to be proxied to downstream services without enforcement of the configured allow/block list.