Total
358423 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-1047 | 2026-06-17 | N/A | 4.4 MEDIUM | ||
| The salavat counter Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'image_url' parameter in all versions up to, and including, 0.9.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2026-1046 | 1 Mattermost | 1 Mattermost Desktop | 2026-06-17 | N/A | 7.6 HIGH |
| Mattermost Desktop App versions <=6.0 6.2.0 5.2.13.0 fail to validate help links which allows a malicious Mattermost server to execute arbitrary executables on a user’s system via the user clicking on certain items in the Help menu Mattermost Advisory ID: MMSA-2026-00577 | |||||
| CVE-2026-1045 | 2026-06-17 | N/A | 4.4 MEDIUM | ||
| The Viet contact plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.3.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | |||||
| CVE-2026-1044 | 2026-06-17 | N/A | 4.4 MEDIUM | ||
| The Tennis Court Bookings plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.2.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | |||||
| CVE-2026-1043 | 2026-06-17 | N/A | 4.4 MEDIUM | ||
| The PostmarkApp Email Integrator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin settings in versions up to, and including, 2.4. This is due to insufficient input sanitization and output escaping on the pma_api_key and pma_sender_address parameters. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the settings page. | |||||
| CVE-2026-1042 | 2026-06-17 | N/A | 4.4 MEDIUM | ||
| The WP Hello Bar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'digit_one' and 'digit_two' parameters in all versions up to, and including, 1.02 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2026-1036 | 2026-06-17 | N/A | 5.3 MEDIUM | ||
| The Photo Gallery by 10Web – Mobile-Friendly Image Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the delete_comment() function in all versions up to, and including, 1.8.36. This makes it possible for unauthenticated attackers to delete arbitrary image comments. Note: comments functionality is only available in the Pro version of the plugin. | |||||
| CVE-2026-1035 | 2026-06-17 | N/A | 3.1 LOW | ||
| A flaw was found in the Keycloak server during refresh token processing, specifically in the TokenManager class responsible for enforcing refresh token reuse policies. When strict refresh token rotation is enabled, the validation and update of refresh token usage are not performed atomically. This allows concurrent refresh requests to bypass single-use enforcement and issue multiple access tokens from the same refresh token. As a result, Keycloak’s refresh token rotation hardening can be undermined. | |||||
| CVE-2026-1023 | 1 Gotac | 1 Statistics Database System | 2026-06-17 | N/A | 7.5 HIGH |
| Statistics Database System developed by Gotac has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to directly exploit a specific functionality to query database contents. | |||||
| CVE-2026-1022 | 1 Gotac | 1 Statistics Database System | 2026-06-17 | N/A | 7.5 HIGH |
| Statistics Database System developed by Gotac has an Arbitrary File Read vulnerability, allowing unauthenticated remote attackers to exploit Relative Path Traversal to download arbitrary system files. | |||||
| CVE-2026-1021 | 1 Gotac | 1 Police Statistics Database System | 2026-06-17 | N/A | 9.8 CRITICAL |
| Police Statistics Database System developed by Gotac has an Arbitrary File Upload vulnerability, allowing unauthenticated remote attacker to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server. | |||||
| CVE-2026-1020 | 1 Gotac | 1 Police Statistics Database System | 2026-06-17 | N/A | 5.3 MEDIUM |
| Police Statistics Database System developed by Gotac has a Absolute Path Traversal vulnerability, allowing unauthenticated remote attackers to enumerate the system file directory. | |||||
| CVE-2026-1019 | 1 Gotac | 1 Police Statistics Database System | 2026-06-17 | N/A | 9.8 CRITICAL |
| Police Statistics Database System developed by Gotac has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to read, modify, and delete database contents by using a specific functionality. | |||||
| CVE-2026-1018 | 1 Gotac | 1 Police Statistics Database System | 2026-06-17 | N/A | 7.5 HIGH |
| Police Statistics Database System developed by Gotac has an Arbitrary File Read vulnerability, allowing Unauthenticated remote attacker to exploit Absolute Path Traversal to download arbitrary system files. | |||||
| CVE-2026-1011 | 1 Altium | 1 Altium Live | 2026-06-17 | N/A | 6.1 MEDIUM |
| A stored cross-site scripting (XSS) vulnerability exists in the Altium Support Center AddComment endpoint due to missing server-side input sanitization. Although the client interface applies HTML escaping, the backend accepts and stores arbitrary HTML and JavaScript supplied via modified POST requests. The injected content is rendered verbatim when support cases are viewed by other users, including support staff with elevated privileges, allowing execution of arbitrary JavaScript in the victim’s browser context. | |||||
| CVE-2026-1010 | 1 Altium | 1 On-prem Enterprise Server | 2026-06-17 | N/A | 8.0 HIGH |
| A stored cross-site scripting (XSS) vulnerability exists in the Altium Workflow Engine due to missing server-side input sanitization in workflow form submission APIs. A regular authenticated user can inject arbitrary JavaScript into workflow data. When an administrator views the affected workflow, the injected payload executes in the administrator’s browser context, allowing privilege escalation, including creation of new administrator accounts, session token theft, and execution of administrative actions. | |||||
| CVE-2026-1009 | 1 Altium | 1 Altium Live | 2026-06-17 | N/A | 9.0 CRITICAL |
| A stored cross-site scripting (XSS) vulnerability exists in the Altium Forum due to missing server-side input sanitization in forum post content. An authenticated attacker can inject arbitrary JavaScript into forum posts, which is stored and executed when other users view the affected post. Successful exploitation allows the attacker’s payload to execute in the context of the victim’s authenticated Altium 365 session, enabling unauthorized access to workspace data, including design files and workspace settings. Exploitation requires user interaction to view a malicious forum post. | |||||
| CVE-2026-1008 | 1 Altium | 1 Altium Live | 2026-06-17 | N/A | 7.6 HIGH |
| A stored cross-site scripting (XSS) vulnerability exists in the user profile text fields of Altium 365. Insufficient server-side input sanitization allows authenticated users to inject arbitrary HTML and JavaScript payloads using whitespace-based attribute parsing bypass techniques. The injected payload is persisted and executed when other users view the affected profile page, potentially allowing session token theft, phishing attacks, or malicious redirects. Exploitation requires an authenticated account and user interaction to view the crafted profile. | |||||
| CVE-2026-1007 | 1 Devolutions | 1 Devolutions Server | 2026-06-17 | N/A | 7.6 HIGH |
| Incorrect Authorization vulnerability in virtual gateway component in Devolutions Server allows attackers to bypass deny IP rules.This issue affects Server: from 2025.3.1 through 2025.3.12. | |||||
| CVE-2026-1004 | 2026-06-17 | N/A | 5.3 MEDIUM | ||
| The Essential Addons for Elementor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to and including 6.5.5 via the 'eael_product_quickview_popup' function. This makes it possible for unauthenticated attackers to retrieve WooCommerce product information for products with draft, pending, or private status, which should normally be restricted. | |||||