Total: 360908 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-48721 | | | 2026-06-25 | N/A | 8.6 HIGH |
| Warp is an agentic development environment. From 0.2025.10.08.08.12.stable_00 until 0.2026.05.06.15.42.stable_01, Warp contains a command execution permission-check bypass in the default unsandboxed CLI agent profile. The CLI profile is non-interactive and relies on a command denylist as a safety boundary for commands that should require confirmation. Because command strings were checked before canonicalizing leading environment-variable assignments, an attacker who can influence the agent's command output may cause denylisted commands to be treated as non-denylisted. This vulnerability is fixed in 0.2026.05.06.15.42.stable_01. | |||||
| CVE-2026-56051 | | | 2026-06-25 | N/A | 7.1 HIGH |
| Unauthenticated Cross Site Scripting (XSS) in TablePress <= 3.3.1 versions. | |||||
| CVE-2026-54845 | | | 2026-06-25 | N/A | 8.1 HIGH |
| Unauthenticated Local File Inclusion in MDTF <= 1.3.8 versions. | |||||
| CVE-2026-54830 | | | 2026-06-25 | N/A | 7.5 HIGH |
| Unauthenticated Broken Access Control in Five Star Restaurant Reservations <= 2.7.19 versions. | |||||
| CVE-2026-54699 | | | 2026-06-25 | N/A | 7.7 HIGH |
| Warp is an agentic development environment. From 0.2024.03.12.08.02.stable_01 until 0.2026.05.06.15.42.stable_01, Warp contains an OS command injection vulnerability in the WSL URL-opening fallback. When Warp is running under WSL and cannot open a URL through wslview, it falls back to a Windows command processor path. A URL controlled through terminal output can reach that fallback when the user opens the link. This vulnerability is fixed in 0.2026.05.06.15.42.stable_01. | |||||
| CVE-2026-54823 | | | 2026-06-25 | N/A | 9.9 CRITICAL |
| Contributor Remote Code Execution (RCE) in Widget Options <= 4.2.3 versions. | |||||
| CVE-2026-48703 | | | 2026-06-25 | N/A | 7.8 HIGH |
| Warp is an agentic development environment. From 0.2025.04.09.08.11.stable_00 until 0.2026.05.06.15.42.stable_01, Warp contains a command execution policy bypass in Agent code search tools. The affected Grep and FileGlob actions are authorized as read/search operations, but their implementations build shell command strings from Agent-controlled inputs (search text, paths, glob patterns) and execute them in the active terminal session. This vulnerability is fixed in 0.2026.05.06.15.42.stable_01. | |||||
| CVE-2026-48731 | | | 2026-06-25 | N/A | 7.8 HIGH |
| Warp is an agentic development environment. From 0.2024.02.20.08.01.stable_01 until 0.2026.05.06.15.42.stable_01, Warp contains a command injection issue in the Linux external editor launcher. Warp expanded freedesktop .desktop Exec templates for affected editor integrations and executed the expanded command through a shell. A user who opens an attacker-controlled local file path through an affected external editor or system-default editor route can cause shell syntax embedded in that path to execute as the local user. This vulnerability is fixed in 0.2026.05.06.15.42.stable_01. | |||||
| CVE-2026-56013 | | | 2026-06-25 | N/A | 6.5 MEDIUM |
| Unauthenticated Insecure Direct Object References (IDOR) in License Manager for WooCommerce <= 3.0.15 versions. | |||||
| CVE-2026-54841 | | | 2026-06-25 | N/A | 7.5 HIGH |
| Unauthenticated Sensitive Data Exposure in Vitepos <= 3.4.2 versions. | |||||
| CVE-2026-54838 | | | 2026-06-25 | N/A | 8.5 HIGH |
| Subscriber SQL Injection in WC Vendors Marketplace <= 2.6.8 versions. | |||||
| CVE-2026-27366 | | | 2026-06-25 | N/A | 7.5 HIGH |
| Unauthenticated Broken Access Control in MainWP Child <= 6.1.1 versions. | |||||
| CVE-2026-48704 | | | 2026-06-25 | N/A | 8.8 HIGH |
| Warp is an agentic development environment. From 0.2023.10.24.08.03.stable_00 until 0.2026.05.06.15.42.stable_01, Warp may open executable local files through the operating system default file handler. A malicious Markdown document or project can contain a local-file link that appears as normal rendered content. If a user opens the Markdown in Warp and clicks the link, affected builds may route the resolved local file to a platform file opener instead of limiting the action to safe viewer/editor targets. This vulnerability is fixed in 0.2026.05.06.15.42.stable_01. | |||||
| CVE-2026-54849 | | | 2026-06-25 | N/A | 9.3 CRITICAL |
| Unauthenticated SQL Injection in Premmerce Wishlist for WooCommerce <= 1.1.11 versions. | |||||
| CVE-2026-54821 | | | 2026-06-25 | N/A | 7.4 HIGH |
| Subscriber Sensitive Data Exposure in Visual Link Preview <= 2.3.1 versions. | |||||
| CVE-2026-56053 | | | 2026-06-25 | N/A | 8.8 HIGH |
| Subscriber PHP Object Injection in EventPrime <= 4.3.4.1 versions. | |||||
| CVE-2026-48719 | | | 2026-06-25 | N/A | 8.0 HIGH |
| Warp is an agentic development environment. From 0.2025.08.06.08.12.stable_00 until 0.2026.05.06.15.42.stable_01, Warp contains a command injection in the prompt branch selector. A user who can publish a branch to a Git repository opened in Warp can cause a crafted branch name to be interpreted by the victim's shell if the victim selects that branch from the UI. This vulnerability is fixed in 0.2026.05.06.15.42.stable_01. | |||||
| CVE-2026-48725 | | | 2026-06-25 | N/A | 8.1 HIGH |
| Warp is an agentic development environment. From 0.2021.04.25.23.05.stable_00 until 0.2026.05.06.15.42.stable_01, Warp allows terminal output to request access to the local system clipboard. A malicious remote host, remote program, or other attacker-controlled terminal output source can trigger clipboard reads or writes without a separate confirmation step. This crosses the trust boundary between untrusted terminal output and the user's local desktop clipboard. This vulnerability is fixed in 0.2026.05.06.15.42.stable_01. | |||||
| CVE-2026-54844 | | | 2026-06-25 | N/A | 7.5 HIGH |
| Unauthenticated Broken Access Control in CheckView Automated Testing <= 2.1.0 versions. | |||||
| CVE-2026-56014 | | | 2026-06-25 | N/A | 7.1 HIGH |
| Unauthenticated Cross Site Scripting (XSS) in Master Slider <= 3.11.2 versions. | |||||
