| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-8024 | 0.00 | — | 0.01 | Jun 18, 2026 | A remote, unauthenticated attacker may exploit a deserialization of untrusted data vulnerability in ibaPDA or ibaDatCoordinator to gain full access to the affected systems. | |||
| CVE-2026-8811 | 0.00 | — | 0.00 | Jun 18, 2026 | SEPPmail versions before 15.0.5 allow improper handling of attachment filenames during encrypted PDF generation. An attacker can exploit this to create new files outside the intended directory, potentially placing files in web-accessible locations. | |||
| CVE-2026-50643 | — | 0.00 | — | 0.00 | Jun 18, 2026 | 8cc is vulnerable to an Out‑of‑Bounds Read due to improper handling of #line directives and GNU linemarkers. The compiler accepts attacker-controlled filename and line number metadata and later uses it without validation when accessing source line arrays. By supplying… | ||
| CVE-2025-10560 | 0.00 | — | 0.00 | Jun 18, 2026 | Worksnaps before version 1.6.20260201 contains hardcoded cloud credentials and related secret material in the Worksnaps client application binaries. The exposed credentials included AWS access keys, S3 bucket names, and related cloud access information. The originally exposed… | |||
| CVE-2026-2021 | 0.00 | — | 0.00 | Jun 18, 2026 | The Slideshow Gallery LITE plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'alwaysauto' shortcode attribute in all versions up to, and including, 1.8.5. This is due to insufficient input sanitization and output escaping on user-supplied attributes. This… | |||
| CVE-2026-8039 | 0.00 | — | 0.00 | Jun 18, 2026 | The Fancy Testimonials plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'author' shortcode attribute in the 'testimonial' shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it… | |||
| CVE-2026-12111 | 0.00 | — | 0.00 | Jun 18, 2026 | The Appointment Booking Calendar plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 1.4.01. This is due to insufficient authorization and missing per-calendar ownership checks in the cpabc_appointments_calendar_load2()… | |||
| CVE-2026-11395 | 0.00 | — | 0.00 | Jun 18, 2026 | The CF7 to Webhook plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.0.0 via the pull_the_trigger. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web… | |||
| CVE-2026-12098 | 0.00 | — | 0.00 | Jun 18, 2026 | The PowerPress Podcasting plugin by Blubrry plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'embed' Episode Meta Field in all versions up to, and including, 11.16.8 due to insufficient input sanitization and output escaping. This makes it possible for… | |||
| CVE-2026-12137 | 0.00 | — | 0.00 | Jun 18, 2026 | The SysBasics Customize My Account for WooCommerce – Dashboard, Endpoints, Avatar & Menu Manager plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'tab' parameter in all versions up to, and including, 4.3.6 due to insufficient input sanitization and… | |||
| CVE-2026-12102 | 0.00 | — | 0.00 | Jun 18, 2026 | The UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WP plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.2.63 via the 'user_id' parameter due to missing validation on a… | |||
| CVE-2026-12136 | 0.00 | — | 0.00 | Jun 18, 2026 | The Customize My Account For Woocommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'sysbasics_user_avatar' shortcode in versions up to, and including, 4.3.6. This is due to insufficient input sanitization and output escaping on user supplied… | |||
| CVE-2026-55746 | 0.00 | — | 0.00 | Jun 18, 2026 | Cotonti 1.0.0 (master branch, commit f43f1fc3) is vulnerable to stored Cross-Site Scripting in the Personal File Storage (PFS) module. A folder title (pff_title) is imported with the 'TXT' filter, which does not strip or encode HTML (the tag check in cot_import is disabled), so… | |||
| CVE-2026-28573 | — | 0.00 | — | 0.00 | Jun 18, 2026 | In AndroidManifest.xml, there is a possible persistent denial of service due to a missing permission check. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. | ||
| CVE-2026-55745 | 0.00 | — | 0.00 | Jun 18, 2026 | Cotonti 1.0.0 (master branch, commit f43f1fc3) is vulnerable to Cross-Site Request Forgery in the Personal File Storage (PFS) module. In modules/pfs/inc/pfs.editfolder.php, the folder update action ('a=update') updates folder metadata (title, description, public/gallery flags)… | |||
| CVE-2026-55744 | 0.00 | — | 0.00 | Jun 18, 2026 | Cotonti 1.0.0 (master branch, commit f43f1fc3) is vulnerable to Cross-Site Request Forgery in the Personal File Storage (PFS) module. In modules/pfs/inc/pfs.main.php, the file upload action ('a=upload') processes uploaded files without calling cot_check_xg() to validate the… | |||
| CVE-2026-55742 | 0.00 | — | 0.00 | Jun 18, 2026 | Cotonti 1.0.0 (master branch, commit f43f1fc3) is vulnerable to Cross-Site Request Forgery in the administration rights handler. In system/admin/admin.rights.php, the rights update action ('a=update') modifies group access rights (including via cot_auth_add_group) without… | |||
| CVE-2026-55741 | 0.00 | — | 0.00 | Jun 18, 2026 | Cotonti 1.0.0 (master branch, commit f43f1fc3) is vulnerable to Cross-Site Request Forgery in the administration configuration handler. In system/admin/admin.config.php, the configuration update action ('a=update') processes POST data via cot_config_update_options() without… | |||
| CVE-2026-9815 | 0.00 | — | 0.00 | Jun 18, 2026 | The MagicForm WordPress plugin through 0.1.3 does not properly validate the type of files uploaded through an unauthenticated AJAX action when a form's per-field extension allowlist is left empty, allowing unauthenticated attackers to upload PHP files and execute arbitrary code… | |||
| CVE-2026-12390 | hig | 0.51 | 7.8 | 0.00 | Jun 18, 2026 | In AzeoTech DAQFactory versions 21.1 and prior, a Type Confusion vulnerability can be exploited by an attacker using specially crafted .ctl files which can result in code execution. | ||
| CVE-2026-12921 | hig | 0.51 | 7.8 | 0.00 | Jun 18, 2026 | In AzeoTech DAQFactory versions 21.1 and prior, a Use After Free vulnerability can be exploited by an attacker using specially crafted .ctl files which can result in code execution. | ||
| CVE-2026-40624 | cri | 0.64 | 9.8 | 0.01 | Jun 18, 2026 | Improper input validation in AVer PTC500S, PTC115, PTC500+, and PTC115+ cameras may allow a remote, unauthenticated attacker to achieve arbitrary code execution via a specially crafted web request. | ||
| CVE-2026-55740 | 0.00 | — | 0.00 | Jun 18, 2026 | Nur-Alam39 bus-ticket (no released versions; latest commit 459cabdbeb99c00225b26e46e3c2c30ae1de7bad) contains an unauthenticated SQL injection vulnerability in bus_info.php. The busid parameter received via HTTP POST is concatenated directly into a MySQL query (select * from… | |||
| CVE-2026-11358 | 0.00 | — | 0.00 | Jun 18, 2026 | The Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.0.6 due to insufficient input sanitization and output escaping.… | |||
| CVE-2026-11402 | 0.00 | — | 0.00 | Jun 18, 2026 | The Services Section Block – Showcase Service Details in Grid or Columns plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'link' Block Attribute in all versions up to, and including, 1.4.4 due to insufficient input sanitization and output escaping. This… | |||
| CVE-2026-11784 | 0.00 | — | 0.00 | Jun 18, 2026 | The Optimole – Optimize Images | Convert WebP & AVIF | CDN & Lazy Load | Image Optimization plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.2.6. This is due to missing or incorrect nonce validation on the replace_file… | |||
| CVE-2026-12093 | 0.00 | — | 0.00 | Jun 18, 2026 | The Simple Membership plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.7.5. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to… | |||
| CVE-2026-10736 | 0.00 | — | 0.00 | Jun 18, 2026 | The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to generic SQL Injection via the 'data' parameter in all versions up to, and including, 3.9.11 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation… | |||
| CVE-2026-10623 | 0.00 | — | 0.00 | Jun 18, 2026 | The PressPrimer Quiz – AI Quiz Maker, Exam Builder & LMS Assessment Plugin plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.3.0 via the 'rule_id' parameter due to missing validation on a user controlled key. This… | |||
| CVE-2026-11360 | 0.00 | — | 0.00 | Jun 18, 2026 | The Advanced Order Export For WooCommerce plugin for WordPress is vulnerable to generic SQL Injection via the 'sort_direction' parameter in all versions up to, and including, 4.0.10 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on… | |||
| CVE-2026-11357 | 0.00 | — | 0.00 | Jun 18, 2026 | The Kadence Blocks — Page Builder Toolkit for Gutenberg Editor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.7.5 via the editor_assets_variables. This makes it possible for authenticated attackers, with… | |||
| CVE-2026-11776 | 0.00 | — | 0.00 | Jun 18, 2026 | The Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder plugin for WordPress is vulnerable to generic SQL Injection via the 'groupids' parameter in all versions up to, and including, 1.15.43 due to insufficient escaping on the user supplied parameter and… | |||
| CVE-2026-10029 | 0.00 | — | 0.00 | Jun 18, 2026 | The Event Koi Lite – Events Calendar, Event Management, RSVP, and Tickets plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.3.13.1 via the get_events. This makes it possible for unauthenticated attackers to extract… | |||
| CVE-2026-9860 | 0.00 | — | 0.01 | Jun 18, 2026 | The Offload, AI & Optimize with Cloudflare Images plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.10.2 via the 'account-id' parameter parameter. This is due to insufficient privilege enforcement on the cf_images_do_setup AJAX… | |||
| CVE-2026-12120 | 0.00 | — | 0.00 | Jun 18, 2026 | The FireBox Popups – Increase Sales and Grow Your Email List plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.1.7 via the 'form_id' parameter. This makes it possible for unauthenticated attackers to extract download a… | |||
| CVE-2026-11777 | 0.00 | — | 0.00 | Jun 18, 2026 | The Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder plugin for WordPress is vulnerable to generic SQL Injection via the 'name' parameter in all versions up to, and including, 1.15.43 due to insufficient escaping on the user supplied parameter and lack of… | |||
| CVE-2026-9199 | 0.00 | — | 0.00 | Jun 18, 2026 | The Equalize Digital Accessibility Checker – WCAG, ADA, EAA and Section 508 compliance plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.42.1. This is due to the plugin not properly verifying that a user is authorized to perform… | |||
| CVE-2026-12407 | 0.00 | — | 0.00 | Jun 18, 2026 | The E2Pdf – Export Pdf Tool for WordPress plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 1.32.26. This is due to the screen_action() function lacking a dedicated capability check and nonce verification — when invoked via the… | |||
| CVE-2026-10023 | 0.00 | — | 0.00 | Jun 18, 2026 | The Dokan: AI Powered WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.0.3 via the change_order_status, add_order_note,… | |||
| CVE-2026-12535 | — | 0.00 | — | 0.00 | Jun 18, 2026 | Mentioned in Drupal. See https://www.drupal.org/security for vendor details. | ||
| CVE-2026-55809 | — | 0.00 | — | 0.00 | Jun 18, 2026 | Mentioned in Drupal. See https://www.drupal.org/security for vendor details. | ||
| CVE-2026-55810 | — | 0.00 | — | 0.00 | Jun 18, 2026 | Mentioned in Drupal. See https://www.drupal.org/security for vendor details. | ||
| CVE-2026-55803 | — | 0.00 | — | 0.00 | Jun 18, 2026 | Mentioned in Drupal. See https://www.drupal.org/security for vendor details. | ||
| CVE-2026-55804 | — | 0.00 | — | 0.00 | Jun 18, 2026 | Mentioned in Drupal. See https://www.drupal.org/security for vendor details. | ||
| CVE-2026-55806 | — | 0.00 | — | 0.00 | Jun 18, 2026 | Mentioned in Drupal. See https://www.drupal.org/security for vendor details. | ||
| CVE-2026-55807 | 0.00 | — | 0.00 | Jun 18, 2026 | Mentioned in Drupal. See https://www.drupal.org/security for vendor details. | |||
| CVE-2026-55808 | — | 0.00 | — | 0.00 | Jun 18, 2026 | Mentioned in Drupal. See https://www.drupal.org/security for vendor details. | ||
| CVE-2026-12569 | 0.12 | — | 0.01 | KEV | Jun 18, 2026 | A critical remote code execution (RCE) vulnerability has been reported in PTC Windchill PDMlink and PTC FlexPLM. The vulnerability may be exploited through the deserialization of untrusted data. * This advisory also applies to all CPS versions * The identified… | ||
| CVE-2026-38714 | 0.00 | — | 0.01 | Jun 18, 2026 | InHand Networks IR912 V1.0.0.r20042 and IR915 V1.0.0.r20042 (including earlier versions) were discovered to contain a command injection vulnerability in the Python configuration function. This vulnerability allows remote attackers to execute arbitrary commands as root via a… | |||
| CVE-2026-38715 | 0.00 | — | 0.01 | Jun 18, 2026 | InHand Networks IR912 V1.0.0.r20042 and IR915 V1.0.0.r20042 (including earlier versions) were discovered to contain a command injection vulnerability in the log viewing function. This vulnerability allows remote attackers to execute arbitrary commands as root via a crafted input. |
- CVE-2026-8024Jun 18, 2026risk 0.00cvss —epss 0.01
A remote, unauthenticated attacker may exploit a deserialization of untrusted data vulnerability in ibaPDA or ibaDatCoordinator to gain full access to the affected systems.
- CVE-2026-8811Jun 18, 2026risk 0.00cvss —epss 0.00
SEPPmail versions before 15.0.5 allow improper handling of attachment filenames during encrypted PDF generation. An attacker can exploit this to create new files outside the intended directory, potentially placing files in web-accessible locations.
- CVE-2026-50643Jun 18, 2026risk 0.00cvss —epss 0.00
8cc is vulnerable to an Out‑of‑Bounds Read due to improper handling of #line directives and GNU linemarkers. The compiler accepts attacker-controlled filename and line number metadata and later uses it without validation when accessing source line arrays. By supplying…
- CVE-2025-10560Jun 18, 2026risk 0.00cvss —epss 0.00
Worksnaps before version 1.6.20260201 contains hardcoded cloud credentials and related secret material in the Worksnaps client application binaries. The exposed credentials included AWS access keys, S3 bucket names, and related cloud access information. The originally exposed…
- CVE-2026-2021Jun 18, 2026risk 0.00cvss —epss 0.00
The Slideshow Gallery LITE plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'alwaysauto' shortcode attribute in all versions up to, and including, 1.8.5. This is due to insufficient input sanitization and output escaping on user-supplied attributes. This…
- CVE-2026-8039Jun 18, 2026risk 0.00cvss —epss 0.00
The Fancy Testimonials plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'author' shortcode attribute in the 'testimonial' shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it…
- CVE-2026-12111Jun 18, 2026risk 0.00cvss —epss 0.00
The Appointment Booking Calendar plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 1.4.01. This is due to insufficient authorization and missing per-calendar ownership checks in the cpabc_appointments_calendar_load2()…
- CVE-2026-11395Jun 18, 2026risk 0.00cvss —epss 0.00
The CF7 to Webhook plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.0.0 via the pull_the_trigger. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web…
- CVE-2026-12098Jun 18, 2026risk 0.00cvss —epss 0.00
The PowerPress Podcasting plugin by Blubrry plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'embed' Episode Meta Field in all versions up to, and including, 11.16.8 due to insufficient input sanitization and output escaping. This makes it possible for…
- CVE-2026-12137Jun 18, 2026risk 0.00cvss —epss 0.00
The SysBasics Customize My Account for WooCommerce – Dashboard, Endpoints, Avatar & Menu Manager plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'tab' parameter in all versions up to, and including, 4.3.6 due to insufficient input sanitization and…
- CVE-2026-12102Jun 18, 2026risk 0.00cvss —epss 0.00
The UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WP plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.2.63 via the 'user_id' parameter due to missing validation on a…
- CVE-2026-12136Jun 18, 2026risk 0.00cvss —epss 0.00
The Customize My Account For Woocommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'sysbasics_user_avatar' shortcode in versions up to, and including, 4.3.6. This is due to insufficient input sanitization and output escaping on user supplied…
- CVE-2026-55746Jun 18, 2026risk 0.00cvss —epss 0.00
Cotonti 1.0.0 (master branch, commit f43f1fc3) is vulnerable to stored Cross-Site Scripting in the Personal File Storage (PFS) module. A folder title (pff_title) is imported with the 'TXT' filter, which does not strip or encode HTML (the tag check in cot_import is disabled), so…
- CVE-2026-28573Jun 18, 2026risk 0.00cvss —epss 0.00
In AndroidManifest.xml, there is a possible persistent denial of service due to a missing permission check. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.
- CVE-2026-55745Jun 18, 2026risk 0.00cvss —epss 0.00
Cotonti 1.0.0 (master branch, commit f43f1fc3) is vulnerable to Cross-Site Request Forgery in the Personal File Storage (PFS) module. In modules/pfs/inc/pfs.editfolder.php, the folder update action ('a=update') updates folder metadata (title, description, public/gallery flags)…
- CVE-2026-55744Jun 18, 2026risk 0.00cvss —epss 0.00
Cotonti 1.0.0 (master branch, commit f43f1fc3) is vulnerable to Cross-Site Request Forgery in the Personal File Storage (PFS) module. In modules/pfs/inc/pfs.main.php, the file upload action ('a=upload') processes uploaded files without calling cot_check_xg() to validate the…
- CVE-2026-55742Jun 18, 2026risk 0.00cvss —epss 0.00
Cotonti 1.0.0 (master branch, commit f43f1fc3) is vulnerable to Cross-Site Request Forgery in the administration rights handler. In system/admin/admin.rights.php, the rights update action ('a=update') modifies group access rights (including via cot_auth_add_group) without…
- CVE-2026-55741Jun 18, 2026risk 0.00cvss —epss 0.00
Cotonti 1.0.0 (master branch, commit f43f1fc3) is vulnerable to Cross-Site Request Forgery in the administration configuration handler. In system/admin/admin.config.php, the configuration update action ('a=update') processes POST data via cot_config_update_options() without…
- CVE-2026-9815Jun 18, 2026risk 0.00cvss —epss 0.00
The MagicForm WordPress plugin through 0.1.3 does not properly validate the type of files uploaded through an unauthenticated AJAX action when a form's per-field extension allowlist is left empty, allowing unauthenticated attackers to upload PHP files and execute arbitrary code…
- risk 0.51cvss 7.8epss 0.00
In AzeoTech DAQFactory versions 21.1 and prior, a Type Confusion vulnerability can be exploited by an attacker using specially crafted .ctl files which can result in code execution.
- risk 0.51cvss 7.8epss 0.00
In AzeoTech DAQFactory versions 21.1 and prior, a Use After Free vulnerability can be exploited by an attacker using specially crafted .ctl files which can result in code execution.
- risk 0.64cvss 9.8epss 0.01
Improper input validation in AVer PTC500S, PTC115, PTC500+, and PTC115+ cameras may allow a remote, unauthenticated attacker to achieve arbitrary code execution via a specially crafted web request.
- CVE-2026-55740Jun 18, 2026risk 0.00cvss —epss 0.00
Nur-Alam39 bus-ticket (no released versions; latest commit 459cabdbeb99c00225b26e46e3c2c30ae1de7bad) contains an unauthenticated SQL injection vulnerability in bus_info.php. The busid parameter received via HTTP POST is concatenated directly into a MySQL query (select * from…
- CVE-2026-11358Jun 18, 2026risk 0.00cvss —epss 0.00
The Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.0.6 due to insufficient input sanitization and output escaping.…
- CVE-2026-11402Jun 18, 2026risk 0.00cvss —epss 0.00
The Services Section Block – Showcase Service Details in Grid or Columns plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'link' Block Attribute in all versions up to, and including, 1.4.4 due to insufficient input sanitization and output escaping. This…
- CVE-2026-11784Jun 18, 2026risk 0.00cvss —epss 0.00
The Optimole – Optimize Images | Convert WebP & AVIF | CDN & Lazy Load | Image Optimization plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.2.6. This is due to missing or incorrect nonce validation on the replace_file…
- CVE-2026-12093Jun 18, 2026risk 0.00cvss —epss 0.00
The Simple Membership plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.7.5. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to…
- CVE-2026-10736Jun 18, 2026risk 0.00cvss —epss 0.00
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to generic SQL Injection via the 'data' parameter in all versions up to, and including, 3.9.11 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation…
- CVE-2026-10623Jun 18, 2026risk 0.00cvss —epss 0.00
The PressPrimer Quiz – AI Quiz Maker, Exam Builder & LMS Assessment Plugin plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.3.0 via the 'rule_id' parameter due to missing validation on a user controlled key. This…
- CVE-2026-11360Jun 18, 2026risk 0.00cvss —epss 0.00
The Advanced Order Export For WooCommerce plugin for WordPress is vulnerable to generic SQL Injection via the 'sort_direction' parameter in all versions up to, and including, 4.0.10 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on…
- CVE-2026-11357Jun 18, 2026risk 0.00cvss —epss 0.00
The Kadence Blocks — Page Builder Toolkit for Gutenberg Editor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.7.5 via the editor_assets_variables. This makes it possible for authenticated attackers, with…
- CVE-2026-11776Jun 18, 2026risk 0.00cvss —epss 0.00
The Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder plugin for WordPress is vulnerable to generic SQL Injection via the 'groupids' parameter in all versions up to, and including, 1.15.43 due to insufficient escaping on the user supplied parameter and…
- CVE-2026-10029Jun 18, 2026risk 0.00cvss —epss 0.00
The Event Koi Lite – Events Calendar, Event Management, RSVP, and Tickets plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.3.13.1 via the get_events. This makes it possible for unauthenticated attackers to extract…
- CVE-2026-9860Jun 18, 2026risk 0.00cvss —epss 0.01
The Offload, AI & Optimize with Cloudflare Images plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.10.2 via the 'account-id' parameter parameter. This is due to insufficient privilege enforcement on the cf_images_do_setup AJAX…
- CVE-2026-12120Jun 18, 2026risk 0.00cvss —epss 0.00
The FireBox Popups – Increase Sales and Grow Your Email List plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.1.7 via the 'form_id' parameter. This makes it possible for unauthenticated attackers to extract download a…
- CVE-2026-11777Jun 18, 2026risk 0.00cvss —epss 0.00
The Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder plugin for WordPress is vulnerable to generic SQL Injection via the 'name' parameter in all versions up to, and including, 1.15.43 due to insufficient escaping on the user supplied parameter and lack of…
- CVE-2026-9199Jun 18, 2026risk 0.00cvss —epss 0.00
The Equalize Digital Accessibility Checker – WCAG, ADA, EAA and Section 508 compliance plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.42.1. This is due to the plugin not properly verifying that a user is authorized to perform…
- CVE-2026-12407Jun 18, 2026risk 0.00cvss —epss 0.00
The E2Pdf – Export Pdf Tool for WordPress plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 1.32.26. This is due to the screen_action() function lacking a dedicated capability check and nonce verification — when invoked via the…
- CVE-2026-10023Jun 18, 2026risk 0.00cvss —epss 0.00
The Dokan: AI Powered WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.0.3 via the change_order_status, add_order_note,…
- CVE-2026-12535Jun 18, 2026risk 0.00cvss —epss 0.00
Mentioned in Drupal. See https://www.drupal.org/security for vendor details.
- CVE-2026-55809Jun 18, 2026risk 0.00cvss —epss 0.00
Mentioned in Drupal. See https://www.drupal.org/security for vendor details.
- CVE-2026-55810Jun 18, 2026risk 0.00cvss —epss 0.00
Mentioned in Drupal. See https://www.drupal.org/security for vendor details.
- CVE-2026-55803Jun 18, 2026risk 0.00cvss —epss 0.00
Mentioned in Drupal. See https://www.drupal.org/security for vendor details.
- CVE-2026-55804Jun 18, 2026risk 0.00cvss —epss 0.00
Mentioned in Drupal. See https://www.drupal.org/security for vendor details.
- CVE-2026-55806Jun 18, 2026risk 0.00cvss —epss 0.00
Mentioned in Drupal. See https://www.drupal.org/security for vendor details.
- CVE-2026-55807Jun 18, 2026risk 0.00cvss —epss 0.00
Mentioned in Drupal. See https://www.drupal.org/security for vendor details.
- CVE-2026-55808Jun 18, 2026risk 0.00cvss —epss 0.00
Mentioned in Drupal. See https://www.drupal.org/security for vendor details.
- risk 0.12cvss —epss 0.01
A critical remote code execution (RCE) vulnerability has been reported in PTC Windchill PDMlink and PTC FlexPLM. The vulnerability may be exploited through the deserialization of untrusted data. * This advisory also applies to all CPS versions * The identified…
- CVE-2026-38714Jun 18, 2026risk 0.00cvss —epss 0.01
InHand Networks IR912 V1.0.0.r20042 and IR915 V1.0.0.r20042 (including earlier versions) were discovered to contain a command injection vulnerability in the Python configuration function. This vulnerability allows remote attackers to execute arbitrary commands as root via a…
- CVE-2026-38715Jun 18, 2026risk 0.00cvss —epss 0.01
InHand Networks IR912 V1.0.0.r20042 and IR915 V1.0.0.r20042 (including earlier versions) were discovered to contain a command injection vulnerability in the log viewing function. This vulnerability allows remote attackers to execute arbitrary commands as root via a crafted input.