Vulnerabilities (CVE)

Total 362682 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2026-56049 2026-06-25 N/A 8.5 HIGH
Contributor Remote Code Execution (RCE) in Post Snippets <= 4.0.19 versions.
CVE-2026-56006 2026-06-25 N/A 7.1 HIGH
Unauthenticated Cross Site Scripting (XSS) in H5P <= 1.17.6 versions.
CVE-2026-56005 2026-06-25 N/A 7.1 HIGH
Subscriber Cross Site Scripting (XSS) in WP Activity Log <= 5.6.3.1 versions.
CVE-2026-55570 2026-06-25 N/A 9.0 CRITICAL
SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, it does not escape the untrusted fields (name, version, author, description) when they are serialized into the data-obj HTML attribute of each marketplace card. Because the attribute is single-quoted and the value is produced with JSON.stringify() (which does not escape ', <, or >), a package whose name contains a single quote breaks out of the attribute and injects arbitrary HTML. In the desktop client the main BrowserWindow runs with nodeIntegration: true, contextIsolation: false, so the injected markup escalates from DOM XSS to arbitrary OS command execution. This is the same root cause and same impact as the original advisory, reached through a sibling sink the patch did not cover. This vulnerability is fixed in 3.7.0.
CVE-2026-54848 2026-06-25 N/A 8.3 HIGH
Insertion of Sensitive Information Into Sent Data vulnerability in Saad Iqbal APIExperts Square for WooCommerce allows Retrieve Embedded Sensitive Data. This issue affects APIExperts Square for WooCommerce: from n/a through 4.7.3.
CVE-2026-54843 2026-06-25 N/A 9.3 CRITICAL
Unauthenticated SQL Injection in MDTF <= 1.3.7 versions.
CVE-2026-54842 2026-06-25 N/A 8.1 HIGH
Missing Authorization vulnerability in Royal Plugins Royal MCP allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Royal MCP: from n/a through 1.4.25.
CVE-2026-54829 2026-06-25 N/A 7.5 HIGH
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Jacob N. Breetvelt WP Photo Album Plus allows Blind SQL Injection. This issue affects WP Photo Album Plus: from n/a through 9.1.13.005.
CVE-2026-54828 2026-06-25 N/A 7.5 HIGH
Unauthenticated Broken Access Control in Motors <= 1.4.109 versions.
CVE-2026-54069 2026-06-25 N/A N/A
SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, SiYuan Note's kernel HTTP server unconditionally trusts all chrome-extension:// origins, granting RoleAdministrator access to every installed browser extension without any authentication. Combined with the default empty AccessAuthCode on desktop installs, any Chrome/Chromium extension -- including a compromised legitimate extension via supply chain attack -- can make fully authenticated admin API calls to the SiYuan kernel at 127.0.0.1:6806, enabling data exfiltration, stored XSS injection, and configuration tampering. This vulnerability is fixed in 3.7.0.
CVE-2026-2815 2026-06-25 N/A N/A
Incorrect use of the PUF key for user key generation in EFR32xG27 results in predictable keys
CVE-2026-13035 2 Apple, Google 2 Macos, Chrome 2026-06-25 N/A 8.8 HIGH
Use after free in Bluetooth in Google Chrome on Mac prior to 149.0.7827.197 allowed a remote attacker to execute arbitrary code via a malicious peripheral. (Chromium security severity: High)
CVE-2026-13036 4 Apple, Google, Linux and 1 more 4 Macos, Chrome, Linux Kernel and 1 more 2026-06-25 N/A 8.8 HIGH
Use after free in Blink in Google Chrome prior to 149.0.7827.197 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
CVE-2026-13037 1 Google 2 Android, Chrome 2026-06-25 N/A 7.8 HIGH
Use after free in WebView in Google Chrome on Android prior to 149.0.7827.197 allowed a local attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
CVE-2026-13038 2 Google, Microsoft 2 Chrome, Windows 2026-06-25 N/A 8.8 HIGH
Use after free in Autofill in Google Chrome on Windows prior to 149.0.7827.197 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: Critical)
CVE-2026-39897 1 Cacti 1 Cacti 2026-06-25 N/A 6.1 MEDIUM
Cacti is an open source performance and fault management framework. Versions 1.2.30 and below contain a Reflected XSS vulnerability in the html_auth_footer. This issue has been fixed in version 1.2.31.
CVE-2026-39900 1 Cacti 1 Cacti 2026-06-25 N/A 6.1 MEDIUM
Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior are vulnerable to Reflected XSS via tab parameter in the auth_profile.php JavaScript context. This issue has been fixed in version 1.2.31.
CVE-2026-48137 1 Ni 2 Instrumentstudio, Ni Grpc Device Server 2026-06-25 N/A 9.1 CRITICAL
There is an untrusted pointer dereference vulnerability in the NI grpc-device sideband streaming API that may allow an attacker to cause an arbitrary memory dereference, potentially resulting in remote code execution. Successful exploitation requires an attacker to supply a specially crafted Moniker protobuf message. This affects NI grpc-device 2.17.0 and prior versions.
CVE-2026-48138 1 Ni 2 Instrumentstudio, Ni Grpc Device Server 2026-06-25 N/A 7.5 HIGH
There is an out-of-bounds read vulnerability in the NI grpc-device streaming API due to a missing bounds check that may result in a denial of service. Successful exploitation requires an attacker to supply a specially crafted write request. This affects NI grpc-device 2.17.0 and prior versions.
CVE-2026-48139 1 Ni 2 Instrumentstudio, Ni Grpc Device Server 2026-06-25 N/A 7.5 HIGH
There is a NULL pointer dereference vulnerability in NI grpc-device in the data moniker service that may allow an attacker to cause a denial of service by triggering a crash. Successful exploitation requires an attacker to provide an unknown value to the data moniker service. This affects NI grpc-device 2.17.0 and prior versions.