|
2461
|
7.5 |
HIGH
Network
|
-
|
-
|
WordPress Plugin WP with Spritz 1.0 contains a remote file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by injecting file paths into the url parameter. Attack…
|
CWE-98
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
|
CVE-2018-25329
|
2026-05-19 02:05 |
2026-05-17 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2462
|
9.8 |
CRITICAL
Network
|
-
|
-
|
WordPress Plugin Peugeot Music 1.0 contains an arbitrary file upload vulnerability that allows unauthenticated attackers to upload malicious files by sending POST requests to the upload.php endpoint.…
|
CWE-306
Missing Authentication for Critical Function
|
CVE-2018-25335
|
2026-05-19 02:05 |
2026-05-17 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2463
|
5.4 |
MEDIUM
Network
|
-
|
-
|
The Feeds for YouTube (YouTube video, channel, and gallery plugin) WordPress plugin before 2.6.4 is vulnerable to unauthorized modification of the Feeds for YouTube (YouTube video, channel, and galle…
|
CWE-862
Missing Authorization
|
CVE-2026-1631
|
2026-05-19 02:05 |
2026-05-18 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2464
|
8.8 |
HIGH
Network
|
-
|
-
|
The Autoptimize WordPress plugin before 3.1.15, Clearfy Cache WordPress plugin before 2.4.2, Speed Optimizer WordPress plugin before 7.7.9 are vulnerable to unauthenticated Stored Cross-Site Script…
|
CWE-79
Cross-site Scripting
|
CVE-2026-3220
|
2026-05-19 02:05 |
2026-05-18 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2465
|
8.6 |
HIGH
Network
|
-
|
-
|
The WP Photo Album Plus WordPress plugin before 9.1.11.001 does not properly sanitize and escape a parameter before using it in a SQL query, allowing unauthenticated users to perform SQL injection at…
|
CWE-89
SQL Injection
|
CVE-2026-6379
|
2026-05-19 02:05 |
2026-05-18 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2466
|
7.5 |
HIGH
Network
|
-
|
-
|
The WP Maps WordPress plugin before 4.9.3 does not properly sanitize a parameter before using it in a file path, allowing authenticated users to perform Local File Inclusion attacks.
|
CWE-22
Path Traversal
|
CVE-2026-6381
|
2026-05-19 02:05 |
2026-05-18 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2467
|
7.1 |
HIGH
Network
|
-
|
-
|
The Ajax Load More WordPress plugin before 7.8.4 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used again…
|
CWE-79
Cross-site Scripting
|
CVE-2026-6495
|
2026-05-19 02:05 |
2026-05-18 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2468
|
8.1 |
HIGH
Network
|
dani-garcia
|
vaultwarden
|
Vaultwarden is a Bitwarden-compatible server written in Rust. Prior to 1.35.5, refresh tokens are not invalidated when the user's security_stamp is rotated by some security-sensitive operations (pass…
|
CWE-613
Insufficient Session Expiration
|
CVE-2026-43911
|
2026-05-19 01:58 |
2026-05-12 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2469
|
6.1 |
MEDIUM
Network
|
gofiber
|
fiber
|
Fiber is a web framework for Go. Prior to 2.52.12 and 3.1.0, Cross-Site Scripting vulnerability in Go Fiber allows a remote attacker to inject arbitrary HTML/JavaScript by supplying Accept: text/html…
|
CWE-79
Cross-site Scripting
|
CVE-2026-42554
|
2026-05-19 01:50 |
2026-05-12 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2470
|
5.3 |
MEDIUM
Network
|
-
|
-
|
Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2026-39608. Reason: This candidate is a reservation duplicate of CVE-2026-39608. Notes: All CVE users should reference …
|
-
|
CVE-2026-4663
|
2026-05-19 01:16 |
2026-05-12 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
