VYPR

CVEs

38,009 total · page 7 of 761

  • CVE-2026-39481 · High · Jun 15, 2026
    risk 0.47 · cvss 7.2 · epss 0.00

    PHP Object Injection (Author role required) in Modula Image Gallery, versions <= 2.14.18.

  • CVE-2026-39480 · High · Jun 15, 2026
    risk 0.49 · cvss 7.5 · epss 0.00

    Unauthenticated Sensitive Data Exposure in Backup Migration, versions <= 2.1.1.

  • CVE-2026-39478 · High · Jun 15, 2026
    risk 0.57 · cvss 8.8 · epss 0.00

    PHP Object Injection (Contributor role required) in Anti-Malware Security and Brute-Force Firewall, versions <= 4.23.87.

  • CVE-2026-39474 · High · Jun 15, 2026
    risk 0.50 · cvss 8.8 · epss 0.00

    PHP Object Injection (Contributor role required) in Post Duplicator, versions <= 3.0.10.

  • CVE-2026-39472 · High · Jun 15, 2026
    risk 0.47 · cvss 7.2 · epss 0.00

    PHP Object Injection (Shop manager role required) in WooCommerce PDF Invoices & Packing Slips, versions < 5.9.0.

  • CVE-2026-39471 · High · Jun 15, 2026
    risk 0.47 · cvss 7.2 · epss 0.00

    PHP Object Injection (Author role required) in ShortPixel Image Optimizer, versions <= 6.4.3.

  • CVE-2026-39470 · High · Jun 15, 2026
    risk 0.47 · cvss 7.2 · epss 0.00

    Privilege Escalation (Shop manager role required) in WooCommerce Cart Abandonment Recovery, versions < 2.1.0.

  • CVE-2026-39463 · High · Jun 15, 2026
    risk 0.46 · cvss 7.1 · epss 0.00

    Unauthenticated Cross Site Scripting (XSS) in ManageWP Worker, versions <= 4.9.31.

  • CVE-2026-39450 · High · Jun 15, 2026
    risk 0.46 · cvss 7.1 · epss 0.00

    Broken Authentication (Subscriber role required) in FunnelKit Automations, versions <= 3.7.3.

  • CVE-2026-39449 · High · Jun 15, 2026
    risk 0.46 · cvss 7.1 · epss 0.00

    Unauthenticated Cross Site Scripting (XSS) in Contact Form to Any API, versions <= 3.0.3.

  • CVE-2026-39447 · High · Jun 15, 2026
    risk 0.39 · cvss 7.1 · epss 0.00

    Unauthenticated Cross Site Scripting (XSS) in Simply Schedule Appointments, versions <= 1.6.10.6.

  • CVE-2026-39435 · High · Jun 15, 2026
    risk 0.46 · cvss 7.1 · epss 0.00

    Unauthenticated Cross Site Scripting (XSS) in CformsII, versions <= 15.1.3.

  • CVE-2026-39434 · High · Jun 15, 2026
    risk 0.47 · cvss 7.2 · epss 0.00

    PHP Object Injection (Shop manager role required) in CTX Feed, versions <= 6.6.26.

  • CVE-2026-34902 · High · Jun 15, 2026
    risk 0.46 · cvss 7.1 · epss 0.00

    Unauthenticated Cross Site Scripting (XSS) in WooCommerce Product Table Lite, versions <= 4.6.3.

  • CVE-2026-34900 · High · Jun 15, 2026
    risk 0.46 · cvss 7.1 · epss 0.00

    Unauthenticated Cross Site Scripting (XSS) in GiveWP, versions <= 4.14.2.

  • CVE-2026-34898 · High · Jun 15, 2026
    risk 0.49 · cvss 7.5 · epss 0.00

    Unauthenticated Broken Access Control in Event Tickets Manager for WooCommerce, versions <= 1.5.3.

  • CVE-2026-34891 · High · Jun 15, 2026
    risk 0.49 · cvss 7.5 · epss 0.00

    Unauthenticated Sensitive Data Exposure in IDPay Payment Gateway for Woocommerce, versions <= 2.2.5.

  • CVE-2026-34886 · High · Jun 15, 2026
    risk 0.49 · cvss 7.5 · epss 0.00

    Unauthenticated Broken Access Control in Simple Membership, versions <= 4.7.1.

  • CVE-2026-27407 · High · Jun 15, 2026
    risk 0.47 · cvss 7.2 · epss 0.00

    Privilege Escalation (Editor role required) in AI Engine, versions <= 3.4.9.

  • CVE-2026-27333 · High · Jun 15, 2026
    risk 0.53 · cvss 8.1 · epss 0.00

    Unauthenticated Deserialization of untrusted data in Paid Videochat Turnkey Site, versions <= 7.3.23.

  • CVE-2026-27089 · High · Jun 15, 2026
    risk 0.49 · cvss 7.5 · epss 0.00

    Unauthenticated Bypass Vulnerability in WpTravelly, versions <= 2.1.7.

  • CVE-2026-25425 · High · Jun 15, 2026
    risk 0.49 · cvss 7.5 · epss 0.00

    Unauthenticated Broken Access Control in User Registration, versions <= 5.1.2.

  • CVE-2026-24637 · High · Jun 15, 2026
    risk 0.55 · cvss 8.5 · epss 0.00

    SQL Injection (Contributor role required) in PowerPress Podcasting, versions <= 11.15.10.

  • CVE-2026-23970 · High · Jun 15, 2026
    risk 0.46 · cvss 7.1 · epss 0.00

    Unauthenticated Cross Site Scripting (XSS) in Redirection for Contact Form 7, versions <= 3.2.8.

  • CVE-2025-68872 · High · Jun 15, 2026
    risk 0.46 · cvss 7.1 · epss 0.00

    Unauthenticated Cross Site Scripting (XSS) in Eli's WordCents adSense Widget with Analytics, versions <= 1.3.03.27.

  • CVE-2025-68851 · High · Jun 15, 2026
    risk 0.46 · cvss 7.1 · epss 0.00

    Unauthenticated Cross Site Scripting (XSS) in Okay Toolkit, versions <= 2.3.

  • CVE-2025-68840 · High · Jun 15, 2026
    risk 0.46 · cvss 7.1 · epss 0.00

    Unauthenticated Cross Site Scripting (XSS) in iRobots.txt SEO, versions <= 1.1.2.

  • CVE-2025-59133 · High · Jun 15, 2026
    risk 0.49 · cvss 7.5 · epss 0.00

    Insecure Direct Object Reference (IDOR), custom role required, in Projectopia, versions <= 5.1.25.2.

  • CVE-2026-54283 · High · Jun 15, 2026
    risk 0.38 · cvss n/a · epss 0.00

    Summary: `request.form()` accepts `max_fields` and `max_part_size` to bound resource consumption while parsing form data. These limits are enforced for `multipart/form-data`, but silently ignored for `application/x-www-form-urlencoded`. An unauthenticated attacker can…

  • CVE-2026-54281 · High · Jun 15, 2026
    risk 0.38 · cvss n/a · epss 0.00

    Impact: An authentication bypass vulnerability exists in `@nestjs/platform-fastify` (confirmed on version `11.1.24`, the latest available release at time of report). When middleware is registered through NestJS's `MiddlewareConsumer.forRoutes()` API on the Fastify adapter,…

  • CVE-2026-53539 · High · Jun 15, 2026
    risk 0.38 · cvss n/a · epss 0.00

    Summary: When parsing `application/x-www-form-urlencoded` bodies, `QuerystringParser` located the field separator with a two step lookup: it first scanned the entire remaining buffer for `&`, and only when no `&` existed anywhere ahead did it fall back to scanning for `;`.…
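The two urlencoded-body entries above (CVE-2026-54283, limits enforced only for multipart; CVE-2026-53539, a separator lookup that rescans the remaining buffer) describe the same parsing stage. The following is an added example, not code from Starlette, python-multipart or any other project named on this page: a bounded `application/x-www-form-urlencoded` parser that applies `max_fields` and `max_part_size` to this content type too, and finds the next separator with one forward search that treats `&` and `;` alike, so a body full of `;` cannot force a full rescan per field. All function and class names are hypothetical.

```python
# Added example (hypothetical names), not code from any project on this page.
import re
from urllib.parse import unquote_to_bytes

# One pattern for both separators: the nearest of '&' or ';' from the
# current position, found in a single pass rather than "all of the rest
# for '&', then all of the rest for ';'".
SEPARATOR = re.compile(rb"[&;]")


class FormLimitExceeded(ValueError):
    """Raised when a request body exceeds a configured form limit."""


def _decode(part: bytes) -> str:
    # '+' means space in this content type; percent-escapes decode to UTF-8.
    return unquote_to_bytes(part.replace(b"+", b" ")).decode("utf-8", "replace")


def parse_urlencoded(body: bytes, *, max_fields: int = 1000,
                     max_part_size: int = 1024 * 1024) -> list:
    """Parse a urlencoded body into (name, value) pairs under hard limits."""
    fields = []
    pos, n = 0, len(body)
    while pos < n:
        m = SEPARATOR.search(body, pos)
        end = m.start() if m else n
        # Bound the size of a single field before decoding it.
        if end - pos > max_part_size:
            raise FormLimitExceeded(
                f"field longer than max_part_size={max_part_size}")
        pair = body[pos:end]
        pos = end + 1
        if not pair:
            continue  # tolerate empty segments such as "a=1&&b=2"
        # Bound the number of fields before storing another one.
        if len(fields) >= max_fields:
            raise FormLimitExceeded(f"more than max_fields={max_fields} fields")
        name, _, value = pair.partition(b"=")
        fields.append((_decode(name), _decode(value)))
    return fields


def check_form_limits(body: bytes, **limits) -> str:
    """Return 'ok' or the limit violation text (what a 413 handler would log)."""
    try:
        parse_urlencoded(body, **limits)
    except FormLimitExceeded as exc:
        return str(exc)
    return "ok"
```

Because every byte is visited once by `SEPARATOR.search`, parsing stays linear in the body size whichever separator the client uses; the per-field size check runs before decoding, so an oversized field is rejected without first being unquoted.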

  • CVE-2026-49853 · High · Jun 15, 2026
    risk 0.38 · cvss n/a · epss n/a

    Summary: When SimpleAsyncHTTPClient follows a 3xx redirect, it shallow-copies the original HTTPRequest, rewrites the URL, decrements max_redirects, and removes only the Host header. It does not clear Authorization, auth_username, auth_password, or auth_mode when the redirect…
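The redirect logic described in the entry above (copy the request, rewrite the URL, decrement max_redirects, drop Host) is the right shape; what is missing is an origin comparison before the credentials are carried along. The block below is an added example and not Tornado's code: the `Request` fields mirror the names the advisory lists (Authorization header, auth_username, auth_password, auth_mode, max_redirects), the class and function names are hypothetical, and the sample request is constructed for the example.

```python
# Added example (hypothetical names), not Tornado's SimpleAsyncHTTPClient.
from dataclasses import dataclass, field, replace
from typing import Dict, Optional, Tuple
from urllib.parse import urljoin, urlsplit


@dataclass
class Request:
    url: str
    headers: Dict[str, str] = field(default_factory=dict)
    auth_username: Optional[str] = None
    auth_password: Optional[str] = None
    auth_mode: Optional[str] = None
    max_redirects: int = 5


def origin(url: str) -> Tuple[str, str, int]:
    """(scheme, host, port) with the default port filled in, lower-cased."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    port = parts.port or (443 if scheme == "https" else 80)
    return scheme, (parts.hostname or "").lower(), port


def follow_redirect(req: Request, location: str) -> Request:
    """Build the request for a 3xx Location. Host is always dropped; the
    Authorization header and the auth_* fields are dropped whenever the
    origin changes (different scheme, host or port, so an https->http
    downgrade counts as a change too)."""
    if req.max_redirects <= 0:
        raise ValueError("too many redirects")
    target = urljoin(req.url, location)          # Location may be relative
    headers = {k: v for k, v in req.headers.items() if k.lower() != "host"}
    nxt = replace(req, url=target, headers=headers,
                  max_redirects=req.max_redirects - 1)
    if origin(target) != origin(req.url):
        nxt.headers = {k: v for k, v in headers.items()
                       if k.lower() != "authorization"}
        nxt.auth_username = nxt.auth_password = nxt.auth_mode = None
    return nxt


def carries_credentials(req: Request) -> bool:
    """True if anything in the request would authenticate it to the server."""
    return (any(k.lower() == "authorization" for k in req.headers)
            or req.auth_username is not None
            or req.auth_password is not None)


# Constructed sample request; the host and token are placeholders.
SAMPLE = Request("https://api.example.test/v1/me",
                 headers={"Host": "api.example.test",
                          "Authorization": "Bearer t0k3n",
                          "Accept": "application/json"},
                 auth_username="alice", auth_password="s3cret", auth_mode="basic")
```

A same-origin redirect (`/v2/me`) keeps the credentials and only loses Host; a redirect to another host, or to plain http on the same host, leaves the client with no Authorization header and no auth_* fields to re-send.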

  • CVE-2026-49855 · High · Jun 15, 2026
    risk 0.38 · cvss n/a · epss n/a

    Tornado's gzip decompression routines work in limited-size chunks, but have no overall limit for the total size of decompressed chunks that they will accumulate (There has always been a limit for the total *compressed* size). This allows a malicious server to consume effectively…
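Chunked decompression only bounds memory if the chunks are counted against a budget for the decompressed total, which is the gap the entry above describes. The block below is an added example, not Tornado's code: it uses the standard-library `zlib.decompressobj` with its `max_length` argument and `unconsumed_tail`, checks a ceiling on the accumulated output before keeping each chunk, and builds a small constructed "bomb" to show the ceiling tripping. Function names are hypothetical.

```python
# Added example (hypothetical names), not Tornado's gzip handling.
import gzip
import zlib


class DecompressionLimitExceeded(ValueError):
    """Decompressed output would exceed the configured budget."""


def gunzip_bounded(compressed: bytes, *, max_output: int,
                   chunk: int = 64 * 1024) -> bytes:
    """Inflate a gzip stream, refusing to produce more than max_output bytes.
    decompress(data, chunk) returns at most `chunk` bytes and parks the
    rest of the input in unconsumed_tail, so the budget is checked before
    any chunk is retained."""
    d = zlib.decompressobj(16 + zlib.MAX_WBITS)   # 16+: expect a gzip wrapper
    out = bytearray()
    data = compressed
    while not d.eof:
        piece = d.decompress(data, chunk)          # <= chunk bytes of output
        if len(out) + len(piece) > max_output:
            raise DecompressionLimitExceeded(
                f"output exceeds {max_output} bytes after {len(out)} bytes")
        out += piece
        data = d.unconsumed_tail                  # input not yet inflated
        if not piece and not data:
            break                                  # truncated stream: give up
    return bytes(out)


def decompression_within_budget(compressed: bytes, max_output: int) -> bool:
    """Convenience wrapper: True if the stream inflates within the budget."""
    try:
        gunzip_bounded(compressed, max_output=max_output)
    except DecompressionLimitExceeded:
        return False
    return True


def roundtrip(plain: bytes, max_output: int) -> bytes:
    """Compress then bounded-decompress (happy-path check)."""
    return gunzip_bounded(gzip.compress(plain), max_output=max_output)


def sample_bomb(plain_size: int = 8 << 20) -> bytes:
    """Constructed sample: a few KB of gzip that inflates to plain_size zero bytes."""
    return gzip.compress(b"\0" * plain_size)
```

The compressed size of the sample is under 64 KB, so a limit on the compressed input alone would admit it; the output budget is what stops the 8 MB inflation at the first chunk that would cross the line.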

  • CVE-2026-53705 · High · Jun 15, 2026
    risk 0.49 · cvss 7.6 · epss 0.00

    A flaw was found in GStreamer's WavPack audio decoder in gst-plugins-good. When processing a specially crafted WavPack file, an integer overflow in the buffer size calculation (4 * block_samples * channels) in gst_wavpack_dec_handle_frame() causes a very small heap allocation.…

  • CVE-2026-53704 · High · Jun 15, 2026
    risk 0.46 · cvss 7.1 · epss 0.00

    A flaw was found in GStreamer's RealMedia demuxer in the gst-plugins-ugly package. When processing a RealMedia file containing a specially crafted FILEINFO metadata section, the demuxer parses variable-name and variable-value pairs using re_skip_pascal_string() without…

  • CVE-2026-53703 · High · Jun 15, 2026
    risk 0.46 · cvss 7.1 · epss 0.00

    A vulnerability was found in the GStreamer RealMedia demuxer (gst-plugins-ugly). When processing a RealMedia (.rm) file, the demuxer parses MDPR (media properties) chunks to configure audio streams. For audio stream header versions 4 and 5, the parser reads fields such as codec…

  • CVE-2026-52722 · High · Jun 15, 2026
    risk 0.46 · cvss 7.1 · epss 0.00

    A signed integer overflow vulnerability was found in GStreamer's VMnc decoder. A crafted VMnc stream with large cursor dimensions can overflow signed integer payload-size arithmetic, bypassing a length check and leading to out-of-bounds reads. A remote attacker could trick a…

  • CVE-2026-52720 · High · Jun 15, 2026
    risk 0.57 · cvss 8.8 · epss 0.00

    A heap buffer overflow vulnerability was found in GStreamer's librfb (RFB/VNC client). The rectangle bounds check incorrectly validates area rather than individual dimensions, allowing a malicious VNC server to send a rectangle that extends beyond the framebuffer. A remote…
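Two of the GStreamer entries above describe size checks that look plausible but do not bound what they need to: CVE-2026-52720, where a rectangle is validated by area rather than by each edge, and CVE-2026-53705, where `4 * block_samples * channels` wraps in 32-bit arithmetic before the allocation is made. The block below is an added example modelled on those two descriptions and is not GStreamer's code; Python integers do not wrap, so the wrapped product is modelled with a 32-bit mask, and all field and function names are hypothetical.

```python
# Added example (hypothetical names), not GStreamer's librfb or WavPack code.
U32_MAX = 0xFFFFFFFF


def rect_fits_by_area(x, y, w, h, fb_w, fb_h):
    """The flawed style of check: compares areas, so a small rectangle placed
    near the right or bottom edge still 'fits' while running past it."""
    return w * h <= fb_w * fb_h


def rect_fits(x, y, w, h, fb_w, fb_h):
    """Bound each edge separately. Written as w <= fb_w - x rather than
    x + w <= fb_w so that, ported to C, the sum cannot overflow first."""
    return (0 <= x <= fb_w and 0 <= y <= fb_h
            and 0 <= w <= fb_w - x and 0 <= h <= fb_h - y)


def wavpack_buffer_size_u32(block_samples, channels):
    """Models C unsigned 32-bit arithmetic: the wrapped product a decoder
    would hand to the allocator when it multiplies first and checks later."""
    return (4 * block_samples * channels) & U32_MAX


def wavpack_buffer_size_checked(block_samples, channels, limit=U32_MAX):
    """Test the bound by division before multiplying, so no intermediate can
    overflow. Returns the size, or None when the header must be rejected.
    A real decoder would use a far smaller `limit` than U32_MAX."""
    if channels <= 0 or block_samples <= 0:
        return None
    if block_samples > limit // (4 * channels):
        return None
    return 4 * block_samples * channels
```

For a 640x480 framebuffer, a 300x100 rectangle at x=600 has area 30000 (well under 307200) and passes the area check while ending at column 900; the per-edge check rejects it. For the size computation, block_samples=0x20000001 with two channels gives a true product of 0x100000008, which a 32-bit multiply reduces to 8 bytes, while the division-first check refuses the header.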

  • CVE-2026-52719 · High · Jun 15, 2026
    risk 0.46 · cvss 7.1 · epss 0.00

    An out-of-bounds read vulnerability was found in the VA JPEG decoder in GStreamer's gst-plugins-bad. The JPEG parser reads a segment length value from the bitstream without validating it against available data. A remote attacker could trick a user into opening a specially…

  • CVE-2026-50891 · High · Jun 15, 2026
    risk 0.53 · cvss 8.1 · epss 0.00

    Incorrect access control in the /admin/api/config component of Filestash v0.4.0 allows attackers to escalate privileges by sending a crafted request.

  • CVE-2026-50889 · High · Jun 15, 2026
    risk 0.49 · cvss 7.5 · epss 0.00

    An input handling flaw in the HTTP refresh token process of LLDAP v0.6.2 allows attackers to cause a Denial of Service (DoS) by sending a crafted refresh-token header.

  • CVE-2026-50888 · High · Jun 15, 2026
    risk 0.53 · cvss 8.1 · epss 0.00

    An authenticated Server-Side Request Forgery (SSRF) in the custom scraper subsystem component of Benjamin Jonard Koillection v1.8.0 allows attackers to scan internal resources by supplying a crafted URL.

  • CVE-2026-50885 · High · Jun 15, 2026
    risk 0.49 · cvss 7.5 · epss 0.00

    Incorrect access control in the share-based read endpoints of Sismics Docs (Teedy) v1.11 allows unauthorized attackers to access sensitive endpoints via a crafted request.

  • CVE-2026-50884 · High · Jun 15, 2026
    risk 0.57 · cvss 8.8 · epss 0.00

    Incorrect access control in statping-ng v0.93.0 allows attackers to escalate privileges to Administrator and access sensitive components.

  • CVE-2026-50882 · High · Jun 15, 2026
    risk 0.49 · cvss 7.5 · epss 0.00

    An issue in the /api/v0/pastes endpoint of anna-is-cute paste v0.1.1 allows attackers to cause a Denial of Service (DoS) via a crafted POST request.

  • CVE-2026-50881 · High · Jun 15, 2026
    risk 0.53 · cvss 8.1 · epss 0.00

    Incorrect access control in impworks Bonsai v6.0 allows authenticated attackers with Editor privileges to escalate privileges to Administrator and make unauthorized account, password, and configuration changes.

  • CVE-2026-50879 · High · Jun 15, 2026
    risk 0.49 · cvss 7.5 · epss 0.00

    An issue in the uploadPostHandler component of Andrei Marcu linx-server v2.3.8 allows attackers to cause a Denial of Service (DoS) via a crafted POST request.

  • CVE-2026-50878 · High · Jun 15, 2026
    risk 0.49 · cvss 7.5 · epss 0.00

    An issue in the attachment handling component of Feuerhamster MailForm v1.1.0 allows attackers to cause a Denial of Service (DoS) via a crafted request.

  • CVE-2026-50877 · High · Jun 15, 2026
    risk 0.49 · cvss 7.5 · epss 0.01

    An issue in Zhoros SuperBin v1.0.0 allows attackers to perform directory traversal by supplying file names containing traversal sequences.

  • CVE-2026-50875 · High · Jun 15, 2026
    risk 0.53 · cvss 8.1 · epss 0.00

    Incorrect access control in the /{form}/webhooks/{webhook} endpoint of Deck9 Input v2.0.1 allows authenticated attackers to arbitrarily modify or delete another tenant's webhook via a crafted request.