| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-48876 | Hig | 0.46 | 7.1 | 0.00 | Jun 15, 2026 | Unauthenticated Cross Site Scripting (XSS) in Stop Spammers <= 2026.3 versions. | ||
| CVE-2026-48874 | Hig | 0.55 | 8.5 | 0.00 | Jun 15, 2026 | Subscriber SQL Injection in GamiPress <= 7.8.7 versions. | ||
| CVE-2026-48873 | Hig | 0.49 | 7.5 | 0.00 | Jun 15, 2026 | Unauthenticated Broken Access Control in Montonio for WooCommerce <= 10.1.2 versions. | ||
| CVE-2026-48872 | Hig | 0.49 | 7.5 | 0.00 | Jun 15, 2026 | Unauthenticated Sensitive Data Exposure in EmbedPress <= 4.5.2 versions. | ||
| CVE-2026-48871 | Hig | 0.46 | 7.1 | 0.00 | Jun 15, 2026 | Unauthenticated Cross Site Scripting (XSS) in MW WP Form <= 5.1.3 versions. | ||
| CVE-2026-48870 | Med | 0.42 | 6.5 | 0.00 | Jun 15, 2026 | Subscriber Cross Site Scripting (XSS) in King Addons for Elementor <= 51.1.62 versions. | ||
| CVE-2026-48868 | Hig | 0.49 | 7.5 | 0.00 | Jun 15, 2026 | Unauthenticated Insecure Direct Object References (IDOR) in Simple Shopping Cart <= 5.2.9 versions. | ||
| CVE-2026-48867 | Hig | 0.46 | 7.1 | 0.00 | Jun 15, 2026 | Unauthenticated Cross Site Scripting (XSS) in Quiz And Survey Master <= 11.1.2 versions. | ||
| CVE-2026-48838 | Hig | 0.46 | 7.1 | 0.00 | Jun 15, 2026 | Unauthenticated Cross Site Scripting (XSS) in Post SMTP <= 3.6.2 versions. | ||
| CVE-2026-48836 | Cri | 0.65 | 10.0 | 0.01 | Jun 15, 2026 | Unauthenticated Remote Code Execution (RCE) in Easy Invoice <= 2.1.19 versions. | ||
| CVE-2026-48835 | Hig | 0.49 | 7.5 | 0.00 | Jun 15, 2026 | Unauthenticated Broken Access Control in Contact Form by WPForms <= 1.10.0.4 versions. | ||
| CVE-2026-48709 | Low | 0.17 | 3.7 | 0.00 | Jun 15, 2026 | OliveTin gives access to predefined shell commands from a web interface. In versions 3000.0.0 and prior, The ValidateArgumentType RPC endpoint in service/internal/api/api.go does not perform any authentication or authorization checks. Unlike all other data-returning API… | ||
| CVE-2026-48708 | Hig | 0.42 | 7.5 | 0.00 | Jun 15, 2026 | OliveTin gives access to predefined shell commands from a web interface. In versions 3000.0.0 and prior, the template engine uses a single shared text/template.Template instance (tpl package-level variable in service/internal/tpl/templates.go) across all goroutines. Every action… | ||
| CVE-2026-48518 | Med | 0.21 | 4.3 | 0.00 | Jun 15, 2026 | MultiJuicer is used to run separate Juice Shop instances on a central kubernetes cluster without the need for local instances. In versions 8.0.0 through 10.0.0, the team join endpoint (POST /multi-juicer/api/teams/{team}/join) accepted requests with any Content-Type, including… | ||
| CVE-2026-48124 | Hig | 0.55 | — | 0.00 | Jun 15, 2026 | Cursor is a code editor built for programming with AI. In versions prior to 3.0.0, the Cursor Desktop could execute workspace-defined Claude hook commands from .claude/settings.local.json without dedicated user approval. A malicious workspace or agent-created file could… | ||
| CVE-2026-47825 | Hig | 0.56 | 8.6 | 0.00 | Jun 15, 2026 | Spring Cloud Gateway Server forwards the X-Forwarded-For and Forwarded headers from untrusted proxies in certain configuration scenarios. This affects both the WebMVC and WebFlux Gateway Servers. Affected versions: Spring Cloud Gateway 3.1.x (fix 3.1.13). Spring Cloud Gateway… | ||
| CVE-2026-47261 | Hig | 0.42 | 7.5 | 0.00 | Jun 15, 2026 | Wasmtime is a runtime for WebAssembly. In versions prior to 24.0.9, 36.0.10, and 44.0.2, when a filesystem preopen is given DirPerms::all() and FilePerms::READ without FilePerms::WRITE, this access control mechanism can be bypassed via the wasip2 descriptor.open-at or wasip1… | ||
| CVE-2026-45441 | Hig | 0.49 | 7.5 | 0.00 | Jun 15, 2026 | Unauthenticated Other Vulnerability Type in WpEvently <= 5.3.3 versions. | ||
| CVE-2026-45439 | Cri | 0.60 | 9.3 | 0.00 | Jun 15, 2026 | Unauthenticated SQL Injection in Realtyna Organic IDX plugin <= 5.1.0 versions. | ||
| CVE-2026-45437 | Hig | 0.46 | 7.1 | 0.00 | Jun 15, 2026 | Unauthenticated Cross Site Scripting (XSS) in Product Filter Widget for Elementor <= 1.0.6 versions. | ||
| CVE-2026-42775 | Hig | 0.46 | 7.1 | 0.00 | Jun 15, 2026 | Unauthenticated Cross Site Scripting (XSS) in AutomatorWP <= 5.7.2 versions. | ||
| CVE-2026-42752 | Med | 0.42 | 6.5 | 0.00 | Jun 15, 2026 | Unauthenticated Bypass Vulnerability in Stripe Payments <= 2.0.98 versions. | ||
| CVE-2026-42743 | Med | 0.42 | 6.5 | 0.00 | Jun 15, 2026 | Unauthenticated Broken Authentication in Masteriyo - LMS <= 2.1.8 versions. | ||
| CVE-2026-42688 | Med | 0.42 | 6.5 | 0.00 | Jun 15, 2026 | Subscriber Cross Site Scripting (XSS) in Modula Image Gallery <= 2.14.23 versions. | ||
| CVE-2026-42687 | Hig | 0.53 | 8.1 | 0.00 | Jun 15, 2026 | Unauthenticated PHP Object Injection in EventPrime <= 4.3.2.1 versions. | ||
| CVE-2026-42686 | Hig | 0.46 | 7.1 | 0.00 | Jun 15, 2026 | Subscriber Cross Site Scripting (XSS) in EventPrime <= 4.3.2.1 versions. | ||
| CVE-2026-42668 | Hig | 0.49 | 7.5 | 0.00 | Jun 15, 2026 | Unauthenticated Broken Authentication in Email Marketing for WooCommerce by Omnisend <= 1.18.0 versions. | ||
| CVE-2026-42667 | Hig | 0.49 | 7.5 | 0.00 | Jun 15, 2026 | Unauthenticated Sensitive Data Exposure in Bookly <= 27.4 versions. | ||
| CVE-2026-42666 | Hig | 0.49 | 7.5 | 0.00 | Jun 15, 2026 | Unauthenticated Broken Access Control in Salon booking system <= 10.30.25 versions. | ||
| CVE-2026-42665 | Cri | 0.60 | 9.3 | 0.00 | Jun 15, 2026 | Unauthenticated SQL Injection in WP Data Access <= 5.5.70 versions. | ||
| CVE-2026-42664 | Hig | 0.53 | 8.2 | 0.00 | Jun 15, 2026 | Unauthenticated Broken Access Control in AI Product Search for WooCommerce – Motive Commerce Search <= 1.38.2 versions. | ||
| CVE-2026-42663 | Med | 0.42 | 6.5 | 0.00 | Jun 15, 2026 | Unauthenticated Cross Site Scripting (XSS) in Simple Membership <= 4.7.2 versions. | ||
| CVE-2026-42662 | Med | 0.42 | 6.5 | 0.00 | Jun 15, 2026 | Unauthenticated Bypass Vulnerability in Event Tickets <= 5.27.5 versions. | ||
| CVE-2026-42661 | Hig | 0.57 | 8.8 | 0.00 | Jun 15, 2026 | Custom role Path Traversal in WP Customer Area <= 8.3.4 versions. | ||
| CVE-2026-42660 | Med | 0.42 | 6.5 | 0.00 | Jun 15, 2026 | Subscriber Sensitive Data Exposure in Contest Gallery <= 28.1.7 versions. | ||
| CVE-2026-42659 | Med | 0.42 | 6.5 | 0.00 | Jun 15, 2026 | Subscriber Broken Access Control in Advanced Form Integration <= 1.126.12 versions. | ||
| CVE-2026-42658 | Hig | 0.46 | 7.1 | 0.00 | Jun 15, 2026 | Unauthenticated Cross Site Scripting (XSS) in Classified Listing <= 5.3.8 versions. | ||
| CVE-2026-42657 | Med | 0.34 | 5.3 | 0.00 | Jun 15, 2026 | Unauthenticated Other Vulnerability Type in Contest Gallery <= 28.1.7 versions. | ||
| CVE-2026-42656 | Med | 0.42 | 6.5 | 0.00 | Jun 15, 2026 | Subscriber Cross Site Scripting (XSS) in Contest Gallery <= 28.1.6 versions. | ||
| CVE-2026-42655 | Med | 0.38 | 5.9 | 0.00 | Jun 15, 2026 | Unauthenticated Bypass Vulnerability in Best Payments Plugin for WP <= 4.6.19 versions. | ||
| CVE-2026-42651 | Med | 0.41 | 6.3 | 0.00 | Jun 15, 2026 | Subscriber Broken Access Control in Classified Listing <= 5.3.9 versions. | ||
| CVE-2026-42650 | Hig | 0.47 | 7.2 | 0.00 | Jun 15, 2026 | Unauthenticated Cross Site Scripting (XSS) in AutomatorWP <= 5.6.7 versions. | ||
| CVE-2026-42649 | Hig | 0.46 | 7.1 | 0.00 | Jun 15, 2026 | Unauthenticated Cross Site Scripting (XSS) in Favicon Rotator <= 1.2.11 versions. | ||
| CVE-2026-42640 | Med | 0.42 | 6.5 | 0.00 | Jun 15, 2026 | Unauthenticated Broken Access Control in Classified Listing <= 5.3.8 versions. | ||
| CVE-2026-42639 | Cri | 0.60 | 9.3 | 0.00 | Jun 15, 2026 | Unauthenticated SQL Injection in GD Rating System <= 3.6.2 versions. | ||
| CVE-2026-42411 | Hig | 0.53 | 8.1 | 0.00 | Jun 15, 2026 | Unauthenticated Broken Authentication in CloudSecure WP Security <= 1.4.7 versions. | ||
| CVE-2026-42386 | Cri | 0.60 | 9.3 | 0.00 | Jun 15, 2026 | Unauthenticated SQL Injection in Order Delivery Date for WooCommerce <= 4.5.1 versions. | ||
| CVE-2026-42384 | Hig | 0.42 | 7.5 | 0.00 | Jun 15, 2026 | Unauthenticated Sensitive Data Exposure in Simply Schedule Appointments < 1.6.11.2 versions. | ||
| CVE-2026-42381 | Cri | 0.60 | 9.3 | 0.00 | Jun 15, 2026 | Unauthenticated SQL Injection in Funnel Builder by FunnelKit <= 3.15.0.1 versions. | ||
| CVE-2026-42378 | Med | 0.42 | 6.5 | 0.00 | Jun 15, 2026 | Subscriber Broken Authentication in WP Full Stripe Free <= 8.4.1 versions. |
- risk 0.46cvss 7.1epss 0.00
Unauthenticated Cross Site Scripting (XSS) in Stop Spammers <= 2026.3 versions.
- risk 0.55cvss 8.5epss 0.00
Subscriber SQL Injection in GamiPress <= 7.8.7 versions.
- risk 0.49cvss 7.5epss 0.00
Unauthenticated Broken Access Control in Montonio for WooCommerce <= 10.1.2 versions.
- risk 0.49cvss 7.5epss 0.00
Unauthenticated Sensitive Data Exposure in EmbedPress <= 4.5.2 versions.
- risk 0.46cvss 7.1epss 0.00
Unauthenticated Cross Site Scripting (XSS) in MW WP Form <= 5.1.3 versions.
- risk 0.42cvss 6.5epss 0.00
Subscriber Cross Site Scripting (XSS) in King Addons for Elementor <= 51.1.62 versions.
- risk 0.49cvss 7.5epss 0.00
Unauthenticated Insecure Direct Object References (IDOR) in Simple Shopping Cart <= 5.2.9 versions.
- risk 0.46cvss 7.1epss 0.00
Unauthenticated Cross Site Scripting (XSS) in Quiz And Survey Master <= 11.1.2 versions.
- risk 0.46cvss 7.1epss 0.00
Unauthenticated Cross Site Scripting (XSS) in Post SMTP <= 3.6.2 versions.
- risk 0.65cvss 10.0epss 0.01
Unauthenticated Remote Code Execution (RCE) in Easy Invoice <= 2.1.19 versions.
- risk 0.49cvss 7.5epss 0.00
Unauthenticated Broken Access Control in Contact Form by WPForms <= 1.10.0.4 versions.
- risk 0.17cvss 3.7epss 0.00
OliveTin gives access to predefined shell commands from a web interface. In versions 3000.0.0 and prior, The ValidateArgumentType RPC endpoint in service/internal/api/api.go does not perform any authentication or authorization checks. Unlike all other data-returning API…
- risk 0.42cvss 7.5epss 0.00
OliveTin gives access to predefined shell commands from a web interface. In versions 3000.0.0 and prior, the template engine uses a single shared text/template.Template instance (tpl package-level variable in service/internal/tpl/templates.go) across all goroutines. Every action…
- risk 0.21cvss 4.3epss 0.00
MultiJuicer is used to run separate Juice Shop instances on a central kubernetes cluster without the need for local instances. In versions 8.0.0 through 10.0.0, the team join endpoint (POST /multi-juicer/api/teams/{team}/join) accepted requests with any Content-Type, including…
- risk 0.55cvss —epss 0.00
Cursor is a code editor built for programming with AI. In versions prior to 3.0.0, the Cursor Desktop could execute workspace-defined Claude hook commands from .claude/settings.local.json without dedicated user approval. A malicious workspace or agent-created file could…
- risk 0.56cvss 8.6epss 0.00
Spring Cloud Gateway Server forwards the X-Forwarded-For and Forwarded headers from untrusted proxies in certain configuration scenarios. This affects both the WebMVC and WebFlux Gateway Servers. Affected versions: Spring Cloud Gateway 3.1.x (fix 3.1.13). Spring Cloud Gateway…
- risk 0.42cvss 7.5epss 0.00
Wasmtime is a runtime for WebAssembly. In versions prior to 24.0.9, 36.0.10, and 44.0.2, when a filesystem preopen is given DirPerms::all() and FilePerms::READ without FilePerms::WRITE, this access control mechanism can be bypassed via the wasip2 descriptor.open-at or wasip1…
- risk 0.49cvss 7.5epss 0.00
Unauthenticated Other Vulnerability Type in WpEvently <= 5.3.3 versions.
- risk 0.60cvss 9.3epss 0.00
Unauthenticated SQL Injection in Realtyna Organic IDX plugin <= 5.1.0 versions.
- risk 0.46cvss 7.1epss 0.00
Unauthenticated Cross Site Scripting (XSS) in Product Filter Widget for Elementor <= 1.0.6 versions.
- risk 0.46cvss 7.1epss 0.00
Unauthenticated Cross Site Scripting (XSS) in AutomatorWP <= 5.7.2 versions.
- risk 0.42cvss 6.5epss 0.00
Unauthenticated Bypass Vulnerability in Stripe Payments <= 2.0.98 versions.
- risk 0.42cvss 6.5epss 0.00
Unauthenticated Broken Authentication in Masteriyo - LMS <= 2.1.8 versions.
- risk 0.42cvss 6.5epss 0.00
Subscriber Cross Site Scripting (XSS) in Modula Image Gallery <= 2.14.23 versions.
- risk 0.53cvss 8.1epss 0.00
Unauthenticated PHP Object Injection in EventPrime <= 4.3.2.1 versions.
- risk 0.46cvss 7.1epss 0.00
Subscriber Cross Site Scripting (XSS) in EventPrime <= 4.3.2.1 versions.
- risk 0.49cvss 7.5epss 0.00
Unauthenticated Broken Authentication in Email Marketing for WooCommerce by Omnisend <= 1.18.0 versions.
- risk 0.49cvss 7.5epss 0.00
Unauthenticated Sensitive Data Exposure in Bookly <= 27.4 versions.
- risk 0.49cvss 7.5epss 0.00
Unauthenticated Broken Access Control in Salon booking system <= 10.30.25 versions.
- risk 0.60cvss 9.3epss 0.00
Unauthenticated SQL Injection in WP Data Access <= 5.5.70 versions.
- risk 0.53cvss 8.2epss 0.00
Unauthenticated Broken Access Control in AI Product Search for WooCommerce – Motive Commerce Search <= 1.38.2 versions.
- risk 0.42cvss 6.5epss 0.00
Unauthenticated Cross Site Scripting (XSS) in Simple Membership <= 4.7.2 versions.
- risk 0.42cvss 6.5epss 0.00
Unauthenticated Bypass Vulnerability in Event Tickets <= 5.27.5 versions.
- risk 0.57cvss 8.8epss 0.00
Custom role Path Traversal in WP Customer Area <= 8.3.4 versions.
- risk 0.42cvss 6.5epss 0.00
Subscriber Sensitive Data Exposure in Contest Gallery <= 28.1.7 versions.
- risk 0.42cvss 6.5epss 0.00
Subscriber Broken Access Control in Advanced Form Integration <= 1.126.12 versions.
- risk 0.46cvss 7.1epss 0.00
Unauthenticated Cross Site Scripting (XSS) in Classified Listing <= 5.3.8 versions.
- risk 0.34cvss 5.3epss 0.00
Unauthenticated Other Vulnerability Type in Contest Gallery <= 28.1.7 versions.
- risk 0.42cvss 6.5epss 0.00
Subscriber Cross Site Scripting (XSS) in Contest Gallery <= 28.1.6 versions.
- risk 0.38cvss 5.9epss 0.00
Unauthenticated Bypass Vulnerability in Best Payments Plugin for WP <= 4.6.19 versions.
- risk 0.41cvss 6.3epss 0.00
Subscriber Broken Access Control in Classified Listing <= 5.3.9 versions.
- risk 0.47cvss 7.2epss 0.00
Unauthenticated Cross Site Scripting (XSS) in AutomatorWP <= 5.6.7 versions.
- risk 0.46cvss 7.1epss 0.00
Unauthenticated Cross Site Scripting (XSS) in Favicon Rotator <= 1.2.11 versions.
- risk 0.42cvss 6.5epss 0.00
Unauthenticated Broken Access Control in Classified Listing <= 5.3.8 versions.
- risk 0.60cvss 9.3epss 0.00
Unauthenticated SQL Injection in GD Rating System <= 3.6.2 versions.
- risk 0.53cvss 8.1epss 0.00
Unauthenticated Broken Authentication in CloudSecure WP Security <= 1.4.7 versions.
- risk 0.60cvss 9.3epss 0.00
Unauthenticated SQL Injection in Order Delivery Date for WooCommerce <= 4.5.1 versions.
- risk 0.42cvss 7.5epss 0.00
Unauthenticated Sensitive Data Exposure in Simply Schedule Appointments < 1.6.11.2 versions.
- risk 0.60cvss 9.3epss 0.00
Unauthenticated SQL Injection in Funnel Builder by FunnelKit <= 3.15.0.1 versions.
- risk 0.42cvss 6.5epss 0.00
Subscriber Broken Authentication in WP Full Stripe Free <= 8.4.1 versions.