|
1721
|
9.8 |
CRITICAL
Network
|
-
|
-
|
WordPress Plugin Peugeot Music 1.0 contains an arbitrary file upload vulnerability that allows unauthenticated attackers to upload malicious files by sending POST requests to the upload.php endpoint.…
|
CWE-306
Missing Authentication for Critical Function
|
CVE-2018-25335
|
2026-05-19 02:05 |
2026-05-17 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1722
|
5.4 |
MEDIUM
Network
|
-
|
-
|
The Feeds for YouTube (YouTube video, channel, and gallery plugin) WordPress plugin before 2.6.4 is vulnerable to unauthorized modification of the Feeds for YouTube (YouTube video, channel, and galle…
|
CWE-862
Missing Authorization
|
CVE-2026-1631
|
2026-05-19 02:05 |
2026-05-18 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1723
|
8.8 |
HIGH
Network
|
-
|
-
|
The Autoptimize WordPress plugin before 3.1.15, Clearfy Cache WordPress plugin before 2.4.2, Speed Optimizer WordPress plugin before 7.7.9 are vulnerable to unauthenticated Stored Cross-Site Script…
|
CWE-79
Cross-site Scripting
|
CVE-2026-3220
|
2026-05-19 02:05 |
2026-05-18 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1724
|
8.6 |
HIGH
Network
|
-
|
-
|
The WP Photo Album Plus WordPress plugin before 9.1.11.001 does not properly sanitize and escape a parameter before using it in a SQL query, allowing unauthenticated users to perform SQL injection at…
|
CWE-89
SQL Injection
|
CVE-2026-6379
|
2026-05-19 02:05 |
2026-05-18 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1725
|
7.5 |
HIGH
Network
|
-
|
-
|
The WP Maps WordPress plugin before 4.9.3 does not properly sanitize a parameter before using it in a file path, allowing authenticated users to perform Local File Inclusion attacks.
|
CWE-22
Path Traversal
|
CVE-2026-6381
|
2026-05-19 02:05 |
2026-05-18 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1726
|
7.1 |
HIGH
Network
|
-
|
-
|
The Ajax Load More WordPress plugin before 7.8.4 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used again…
|
CWE-79
Cross-site Scripting
|
CVE-2026-6495
|
2026-05-19 02:05 |
2026-05-18 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1727
|
8.1 |
HIGH
Network
|
dani-garcia
|
vaultwarden
|
Vaultwarden is a Bitwarden-compatible server written in Rust. Prior to 1.35.5, refresh tokens are not invalidated when the user's security_stamp is rotated by some security-sensitive operations (pass…
|
CWE-613
Insufficient Session Expiration
|
CVE-2026-43911
|
2026-05-19 01:58 |
2026-05-12 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1728
|
6.1 |
MEDIUM
Network
|
gofiber
|
fiber
|
Fiber is a web framework for Go. Prior to 2.52.12 and 3.1.0, Cross-Site Scripting vulnerability in Go Fiber allows a remote attacker to inject arbitrary HTML/JavaScript by supplying Accept: text/html…
|
CWE-79
Cross-site Scripting
|
CVE-2026-42554
|
2026-05-19 01:50 |
2026-05-12 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1729
|
5.3 |
MEDIUM
Network
|
-
|
-
|
Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2026-39608. Reason: This candidate is a reservation duplicate of CVE-2026-39608. Notes: All CVE users should reference …
|
-
|
CVE-2026-4663
|
2026-05-19 01:16 |
2026-05-12 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1730
|
6.1 |
MEDIUM
Network
|
-
|
-
|
fast-xml-builder builds XML from JSON. Prior to 1.1.7, when an input data has quotes in attribute values but process entities is not enabled, it breaks the attribute value into multiple attributes. T…
|
CWE-91
Blind XPath Injection
|
CVE-2026-44665
|
2026-05-19 01:16 |
2026-05-14 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
