Total
336347 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2026-2295 | | | 2026-02-11 | N/A | 5.3 MEDIUM | The WPZOOM Addons for Elementor – Starter Templates & Widgets plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'ajax_post_grid_load_more' function in all versions up to, and including, 1.3.2. This makes it possible for unauthenticated attackers to retrieve protected (draft, future, pending) post titles and excerpts that should not be accessible to unauthenticated users. |
| CVE-2026-1885 | | | 2026-02-11 | N/A | 6.4 MEDIUM | The Slideshow Wp plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'sswpid' attribute of the 'sswp-slide' shortcode in all versions up to, and including, 1.1. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
| CVE-2025-52541 | | | 2026-02-11 | N/A | 7.3 HIGH | A DLL hijacking vulnerability in Vivado could allow a local attacker to achieve privilege escalation, potentially resulting in arbitrary code execution. |
| CVE-2018-25157 | | | 2026-02-11 | N/A | 6.4 MEDIUM | Phraseanet 4.0.3 contains a stored cross-site scripting vulnerability that allows authenticated users to inject malicious scripts through crafted file names during document uploads. Attackers can upload files with embedded SVG scripts that execute in the browser, potentially stealing cookies or redirecting users when the file is viewed. |
| CVE-2025-15440 | | | 2026-02-11 | N/A | 7.2 HIGH | The iONE360 configurator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Contact Form Parameters in all versions up to, and including, 2.0.57 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
| CVE-2025-8025 | | | 2026-02-11 | N/A | 9.8 CRITICAL | Missing Authentication for Critical Function, Improper Access Control vulnerability in Dinosoft Business Solutions Dinosoft ERP allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Dinosoft ERP: from < 3.0.1 through 11022026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. |
| CVE-2026-0724 | | | 2026-02-11 | N/A | 4.4 MEDIUM | The WPlyr Media Block plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the '_wplyr_accent_color' parameter in all versions up to, and including, 1.3.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
| CVE-2025-13648 | | | 2026-02-11 | N/A | N/A | An attacker with access to the web application ZeusWeb of the provider Microcom (in this case, registration is required) who has the vulnerable software could introduce arbitrary JavaScript by injecting an XSS payload into the ‘Name’ and ‘Surname’ parameters within the ‘My Account’ section at the URL: https://zeus.microcom.es:4040/administracion-estaciones.html resulting in a stored XSS. This issue affects ZeusWeb: 6.1.31. |
| CVE-2026-1215 | | | 2026-02-11 | N/A | 4.3 MEDIUM | The MMA Call Tracking plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.3.15. This is due to missing nonce validation when saving plugin configuration on the `mma_call_tracking_menu` admin page. This makes it possible for unauthenticated attackers to modify call tracking configuration settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. |
| CVE-2026-1827 | | | 2026-02-11 | N/A | 6.4 MEDIUM | The Flask Micro code-editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's codeflask shortcode in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
| CVE-2024-36316 | | | 2026-02-11 | N/A | 5.5 MEDIUM | The integer overflow vulnerability within AMD Graphics driver could allow an attacker to bypass size checks, potentially resulting in a denial of service. |
| CVE-2025-13650 | | | 2026-02-11 | N/A | N/A | An attacker with access to the web application ZeusWeb of the provider Microcom (in this case, registration is not necessary, but the action must be performed) who has the vulnerable software could introduce arbitrary JavaScript by injecting an XSS payload into the ‘Surname’ parameter of the ‘Create Account’ operation at the URL: https://zeus.microcom.es:4040/index.html?zeus6=true. This issue affects ZeusWeb: 6.1.31. |
| CVE-2025-48518 | | | 2026-02-11 | N/A | N/A | Improper input validation in AMD Graphics Driver could allow a local attacker to write out of bounds, potentially resulting in loss of integrity or denial of service. |
| CVE-2026-1833 | | | 2026-02-11 | N/A | 5.3 MEDIUM | The WaMate Confirm – Order Confirmation plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 2.0.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to block and unblock phone numbers, which should be restricted to administrators. |
| CVE-2026-1226 | | | 2026-02-11 | N/A | N/A | CWE-94: Improper Control of Generation of Code vulnerability exists that could cause execution of untrusted or unintended code within the application when maliciously crafted design content is processed through a TGML graphics file. |
| CVE-2026-0910 | | | 2026-02-11 | N/A | 8.8 HIGH | The wpForo Forum plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.4.13 via deserialization of untrusted input in the 'wpforo_display_array_data' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the si ... |
| CVE-2025-13649 | | | 2026-02-11 | N/A | N/A | An attacker with access to the web application ZeusWeb of the provider Microcom (in this case, registration is not necessary, but the action must be performed) who has the vulnerable software could introduce arbitrary JavaScript by injecting an XSS payload into the ‘Email’ parameters within the ‘Recover password’ section at the URL: https://zeus.microcom.es:4040/index.html?zeus6=true. This issue affects ZeusWeb: 6.1.31. |
| CVE-2026-1804 | | | 2026-02-11 | N/A | 6.4 MEDIUM | The WDES Responsive Popup plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wdes-popup-title' shortcode in all versions up to, and including, 1.3.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
| CVE-2025-15096 | | | 2026-02-11 | N/A | 8.8 HIGH | The 'Videospirecore Theme Plugin' plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.0.6. This is due to the plugin not properly validating a user's identity prior to updating their details like email. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change arbitrary user's email addresses, including administrators, and leverage that to reset the user's password and gain access to t ... |
| CVE-2025-9986 | | | 2026-02-11 | N/A | 8.2 HIGH | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Vadi Corporate Information Systems Ltd. Co. DIGIKENT allows Excavation. This issue affects DIGIKENT: through 13092025. |
| CVE-2025-14541 | | | 2026-02-11 | N/A | 7.2 HIGH | The Lucky Wheel Giveaway plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.0.22 via the conditional_tags parameter. This is due to the plugin using PHP's eval() function on user-controlled input without proper validation or sanitization. This makes it possible for authenticated attackers, with Administrator-level access and above, to execute code on the server. |
| CVE-2026-1821 | | | 2026-02-11 | N/A | 6.4 MEDIUM | The Microtango plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'restkey' parameter of the mt_reservation shortcode in all versions up to, and including, 0.9.29 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
| CVE-2026-1853 | | | 2026-02-11 | N/A | 6.4 MEDIUM | The BuddyHolis ListSearch plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'listsearch' shortcode in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
| CVE-2026-21533 | 1 Microsoft | 13 Windows 10 1607, Windows 10 1809, Windows 10 21h2 and 10 more | 2026-02-11 | N/A | 7.8 HIGH | Improper privilege management in Windows Remote Desktop allows an authorized attacker to elevate privileges locally. |
| CVE-2025-52628 | 1 Hcltech | 1 Aion | 2026-02-11 | N/A | 4.6 MEDIUM | HCL AION is affected by a Cookie with Insecure, Improper, or Missing SameSite vulnerability. This can allow cookies to be sent in cross-site requests, potentially increasing exposure to cross-site request forgery and related security risks. This issue affects AION: 2.0. |
| CVE-2026-1774 | | | 2026-02-11 | N/A | 9.8 CRITICAL | CASL Ability, versions 2.4.0 through 6.7.4, contains a prototype pollution vulnerability. |
| CVE-2025-63386 | 1 Langgenius | 1 Dify | 2026-02-11 | N/A | 9.1 CRITICAL | A Cross-Origin Resource Sharing (CORS) misconfiguration vulnerability exists in Dify v1.9.1 in the /console/api/setup endpoint. The endpoint implements an insecure CORS policy that reflects any Origin header and enables Access-Control-Allow-Credentials: true, permitting arbitrary external domains to make authenticated requests. NOTE: the Supplier disputes this because the endpoint configuration is intentional to support bootstrap. |
| CVE-2025-52631 | 1 Hcltech | 1 Aion | 2026-02-11 | N/A | 3.7 LOW | HCL AION is affected by a Missing or Insecure HTTP Strict-Transport-Security (HSTS) Header vulnerability. This can allow insecure connections, potentially exposing the application to man-in-the-middle and protocol downgrade attacks. This issue affects AION: 2.0. |
| CVE-2025-52633 | 1 Hcltech | 1 Aion | 2026-02-11 | N/A | 3.1 LOW | HCL AION is affected by a Permanent Cookie Containing Sensitive Session Information vulnerability. Storing sensitive session data in persistent cookies may increase the risk of unauthorized access if the cookies are intercepted or compromised. This issue affects AION: 2.0. |
| CVE-2025-21427 | 1 Qualcomm | 358 205 Mobile, 205 Mobile Firmware, 215 Mobile and 355 more | 2026-02-11 | N/A | 8.2 HIGH | Information disclosure while decoding this RTP packet Payload when UE receives the RTP packet from the network. |
| CVE-2025-6830 | | | 2026-02-11 | N/A | 9.8 CRITICAL | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Xpoda Türkiye Information Technology Inc. Password Module allows SQL Injection. This issue affects Password Module: through 11022026. |
| CVE-2025-25207 | | | 2026-02-11 | N/A | 5.7 MEDIUM | The Authorino service in the Red Hat Connectivity Link is the authorization service for zero trust API security. Authorino allows the users with developer persona to add callbacks to be executed to HTTP endpoints once the authorization process is completed. It was found that an attacker with developer persona access can add a large number of those callbacks to be executed by Authorino and as the authentication policy is enforced by a single instance of the service, this leads to a Denial of Serv ... |
| CVE-2025-0875 | | | 2026-02-11 | N/A | 6.5 MEDIUM | Authorization Bypass Through User-Controlled Key vulnerability in PROLIZ Computer Software Hardware Service Trade Ltd. Co. OBS (Student Affairs Information System) allows Parameter Injection. This issue affects OBS (Student Affairs Information System): before v26.0328. |
| CVE-2026-26044 | | | 2026-02-11 | N/A | N/A | Rejected reason: Not used |
| CVE-2026-26043 | | | 2026-02-11 | N/A | N/A | Rejected reason: Not used |
| CVE-2026-26042 | | | 2026-02-11 | N/A | N/A | Rejected reason: Not used |
| CVE-2026-26041 | | | 2026-02-11 | N/A | N/A | Rejected reason: Not used |
| CVE-2026-26040 | | | 2026-02-11 | N/A | N/A | Rejected reason: Not used |
| CVE-2026-26039 | | | 2026-02-11 | N/A | N/A | Rejected reason: Not used |
| CVE-2026-26038 | | | 2026-02-11 | N/A | N/A | Rejected reason: Not used |