CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST - in English

CISA KEV catalog updated: (v2026.07.10)

CVE-2026-8910
Medium

The WP Emoticon Rating plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 1.0.1. This is due to missing or incorrect nonce validation on a function.

CVE-2026-8909
Medium

The WpMobi plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to and including 0.0.3. The issue arises from missing or incorrect nonce validation in the handleSaveGeneralSettings function, allowing unauthenticated attackers to modify the plugin's General Settings.

CVE-2026-8907
Medium

The WP-Ultimate-Map plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to and including 1.1. The issue is due to missing nonce validation in the process_init() function, which allows saving plugin settings based solely on the presence of a save-setting POST parameter.

CVE-2026-8904
Medium

The FastPicker plugin, an order management system for WooCommerce, is vulnerable to Cross-Site Request Forgery (CSRF) in versions up to 1.0.2. The issue arises from missing or incorrect nonce validation in the settingsPage function, allowing unauthenticated attackers to modify plugin settings.

CVE-2026-8902
Medium

The AJAX Report Comments plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 2.0.4. This is due to missing or incorrect nonce validation on the rc_options_page function.

CVE-2026-8895
Medium

The kk blog card plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via the 'blog-card' shortcode in all versions up to and including 1.3. This is due to insufficient input sanitization and output escaping on the shortcode's 'href' and 'type' attributes.

CVE-2026-8883
Medium

The Global Body Mass Index Calculator plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via the 'gbmicalc' shortcode in versions up to and including 1.2. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes.

CVE-2026-8882
Medium

The WP ApplicantStack Jobs Display plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via Shortcode Attributes in all versions up to and including 1.1.1 due to insufficient input sanitization and output escaping.

CVE-2026-8880
Medium

The RomanCart Ecommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via the 'blclass' attribute and other attributes of the romancart_button shortcode in versions up to and including 2.0.8. This is due to insufficient input sanitization and output escaping in the romancart_button_shortcode() function.

CVE-2026-8841
Medium

The Extra Settings for RocketChat plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via the 'title' attribute of the 'rocketchat' shortcode in versions up to and including 0.1. This is due to insufficient input sanitization and output escaping in the rxstg_shortcode() function.

CVE-2026-8499
Medium

The Helpfulcrowd Product Reviews plugin for WordPress is vulnerable to Authorization Bypass via PHP Type Juggling in versions up to and including 1.2.9. The `helpfulcrowd_validate_token()` function uses a loose comparison operator, allowing unauthenticated users to modify plugin settings.

CVE-2026-7662
Medium

The ePaperFlip Publisher plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via the 'publicationid' attribute of the `epaperflip_embed` shortcode in all versions up to and including 1. This is due to insufficient input sanitization and output escaping on the shortcode attribute, allowing for the injection of web scripts.

CVE-2026-41980
Medium

There is a permission control vulnerability in the file preview module. Successful exploitation of this vulnerability may affect service confidentiality.

CVE-2026-41979
Medium

There is a permission control vulnerability in the print module. Successful exploitation of this vulnerability may affect integrity and confidentiality.

CVE-2026-41978
Medium

There is a permission control vulnerability in the clone module. Successful exploitation of this vulnerability may affect service confidentiality.

CVE-2026-41975
Medium

There is a permission management vulnerability in the network management module. Successful exploitation of this vulnerability may affect service integrity.

CVE-2026-41854
Medium

The vulnerability in Spring Framework is caused by incorrect host parsing in UriComponentsBuilder. Applications using this component to parse and validate externally provided URLs may be exposed to an SSRF (Server-Side Request Forgery) attack.

CVE-2026-41853
Medium

Vulnerability in Spring MVC and WebFlux allows Multipart request smuggling attacks. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48.

CVE-2026-41851
Medium

Applications that accept user-supplied SpEL expressions may be vulnerable to a DoS attack if expression evaluation triggers unbounded cache growth.

CVE-2026-41847
Medium

Spring WebFlux applications may be vulnerable to a security bypass when using the Kotlin Router DSL.

PreviousPage 155 of 560Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS