CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST — in English

CISA KEV catalog updated: (v2026.07.01)

CVE-2026-11600
Medium

The Envo's Templates & Widgets for Elementor and WooCommerce plugin up to version 1.4.26 lacks authorization in the Envo Tabs widget, allowing authenticated attackers with Author-level access to disclose private Elementor content. By supplying a private template ID in the widget, an attacker can make that content visible to anonymous visitors.

CVE-2026-11592
Medium

The Email Subscribers & Newsletters plugin for WordPress up to version 5.9.27 is vulnerable to authorization bypass. Authenticated attackers with contributor-level access or higher can overwrite mail settings, create audience lists, insert contacts, create and overwrite newsletters, add workflows, and send mass emails to arbitrary recipients.

CVE-2026-10089
Medium

The Insert Pages plugin for WordPress is vulnerable to Stored Cross-Site Scripting via post custom field keys (meta key names) in all versions up to and including 3.11.4. This is due to insufficient output escaping of the custom field key ($key) in the the_meta() function, while the field value is properly sanitized. Authenticated attackers with author-level access or above can inject arbitrary web scripts that execute when a user views an injected page.

CVE-2026-10077
Medium

The yootheme WordPress theme before version 5.0.35 does not prevent its bundled front-end framework from treating certain HTML attributes, which are permitted by wp_kses_post(), as markup. This allows users with the Author role to perform Stored Cross-Site Scripting attacks that execute in the browser of any user viewing the affected post.

CVE-2026-55792
Medium

A vulnerability in Craft CMS allows users with system email template editing permissions to read server files, including the .env file containing passwords and API keys. An attacker can escalate to full admin account takeover by forging session tokens.

CVE-2026-55791
Medium

Craft CMS versions 4.0.0-RC1 through 4.18.0 and 5.0.0-RC1 through 5.10.0 are vulnerable to SSRF and arbitrary JavaScript injection via the /actions/app/resource-js endpoint. An attacker can poison the Host or X-Forwarded-Host header to bypass URL validation and force the Guzzle client to fetch a malicious payload from an external server.

CVE-2026-50280
Medium

In Craft CMS versions 5.0.0-RC1 through 5.9.20, a vulnerability exists due to improper authorization in the EntriesController::actionMoveToSection() endpoint. An authenticated low-privileged user can move an entry to a section where they have only read access without the required write permissions, breaking the section-level authorization model.

CVE-2026-50283
Medium

Craft CMS has an authorization issue in AssetsController::actionReplaceFile that allows an authenticated user to delete a source asset without source delete permission. Affected versions are 5.0.0-RC1 through 5.9.20 and 4.0.0-RC1 through 4.17.13.

CVE-2026-14440
Medium

A vulnerability in Cloudflare Universal SSL allows bypassing strict CAA records with accounturi or validationmethods parameters (RFC 8657) during TLS certificate issuance. The auto-managed CAA RRset overrides customer configuration, potentially enabling an attacker to obtain a trusted certificate for the victim's domain.

CVE-2026-14421
Medium

An uninitialized use vulnerability in the Dawn component of Google Chrome on ChromeOS prior to version 150.0.7871.46 allows a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page.

CVE-2026-14418
Medium

An uninitialized use vulnerability in the ANGLE component of Google Chrome prior to 150.0.7871.46 allows a remote attacker to leak cross-origin data via a crafted HTML page. The issue is rated as High severity by Chromium security.

CVE-2026-14414
Medium

Insufficient validation of untrusted input in Skia in Google Chrome prior to 150.0.7871.46 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page.

CVE-2026-14410
Medium

An inappropriate implementation in the Skia library in Google Chrome prior to 150.0.7871.46 allowed a remote attacker who had compromised the renderer process to perform UI spoofing via a crafted HTML page. The issue is rated as low severity.

CVE-2026-14408
Medium

An uninitialized use vulnerability in the Dawn component of Google Chrome prior to version 150.0.7871.46 allows a remote attacker to read potentially sensitive information from process memory via a crafted HTML page.

CVE-2026-14406
Medium

An out-of-bounds read vulnerability in V8 in Google Chrome prior to 150.0.7871.46 allowed an attacker who convinced a user to install a malicious extension to potentially leak sensitive information from process memory.

CVE-2026-14404
Medium

An inappropriate implementation in PDFium in Google Chrome prior to 150.0.7871.46 allowed a remote attacker to perform UI spoofing via a crafted PDF file. The issue is rated as medium severity.

CVE-2026-14402
Medium

An uninitialized use vulnerability in the ANGLE component of Google Chrome on Windows prior to version 150.0.7871.46 allows a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page.

CVE-2026-14399
Medium

An uninitialized use vulnerability in the Dawn component in Google Chrome prior to version 150.0.7871.46 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page.

CVE-2026-14396
Medium

An out-of-bounds read vulnerability in the ANGLE component of Google Chrome prior to version 150.0.7871.46 allowed a remote attacker to leak cross-origin data via a crafted HTML page.

CVE-2026-14391
Medium

An integer overflow in ANGLE in Google Chrome on Windows prior to 150.0.7871.46 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page.


Vulnerability data from NVD (NIST) · CISA KEV · EPSS