Common Vulnerabilities and Exposures (CVE)

CVE-2026-0867

Feb 5, 2026 06:47:42 UTC

The Essential Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's ew-author, ew-archive, ew-category, ew-page, and ew-menu shortcodes in all versions up to, and including, 3.0 due to insufficient input...

CVE-2026-1246

Feb 5, 2026 06:47:41 UTC

The ShortPixel Image Optimizer plugin for WordPress is vulnerable to Arbitrary File Read via path traversal in the 'loadFile' parameter in all versions up to, and including, 6.4.2 due to insufficient path validation and sanitization in the ...

CVE-2026-1953

Feb 5, 2026 06:34:25 UTC

Nukegraphic CMS v3.1.2 contains a stored cross-site scripting (XSS) vulnerability in the user profile edit functionality at /ngc-cms/user-edit-profile.php. The application fails to properly sanitize user input in the name field before stori...

CVE-2026-25616

Feb 5, 2026 06:19:50 UTC

Blesta 3.x through 5.x before 5.13.3 mishandles input validation, aka CORE-5665.

CVE-2026-25615

Feb 5, 2026 06:19:48 UTC

Blesta 3.x through 5.x before 5.13.3 allows object injection, aka CORE-5668.

CVE-2026-25614

Feb 5, 2026 06:19:47 UTC

Blesta 3.x through 5.x before 5.13.3 allows object injection, aka CORE-5680.

CVE-2025-41717

Feb 5, 2026 06:19:46 UTC

An unauthenticated remote attacker can trick a high privileged user into uploading a malicious payload via the config-upload endpoint, leading to code injection as root. This results in a total loss of confidentiality, availability and inte...

CVE-2026-1642

Feb 5, 2026 05:25:39 UTC

A vulnerability exists in NGINX OSS and NGINX Plus when configured to proxy to upstream Transport Layer Security (TLS) servers. An attacker with a man-in-the-middle (MITM) position on the upstream server side—along with conditions beyond th...

CVE-2025-15080

Feb 5, 2026 05:16:53 UTC

Improper Validation of Specified Quantity in Input vulnerability in Mitsubishi Electric MELSEC iQ-R Series R08PCPU, R16PCPU, R32PCPU, and R120PCPU allows an unauthenticated attacker to read device data or part of a control program from the ...

CVE-2026-0660

Feb 5, 2026 04:55:18 UTC

A maliciously crafted GIF file, when parsed through Autodesk 3ds Max, can cause a Stack-Based Buffer Overflow vulnerability. A malicious actor can leverage this vulnerability to execute arbitrary code in the context of the current process.

CVE-2026-0536

Feb 5, 2026 04:55:17 UTC

A maliciously crafted GIF file, when parsed through Autodesk 3ds Max, can cause a Stack-Based Buffer Overflow vulnerability. A malicious actor can leverage this vulnerability to execute arbitrary code in the context of the current process.

CVE-2026-20098

Feb 5, 2026 04:55:17 UTC

A vulnerability in the Certificate Management feature of Cisco Meeting Management could allow an authenticated, remote attacker to upload arbitrary files, execute arbitrary commands, and elevate privileges to root on an affected system. ...

CVE-2026-20983

Feb 5, 2026 04:55:16 UTC

Improper export of Android application components in Samsung Dialer prior to SMR Feb-2026 Release 1 allows local attackers to launch arbitrary activity with Samsung Dialer privilege.

CVE-2025-15556

Feb 5, 2026 04:55:15 UTC

Notepad++ versions prior to 8.8.9, when using the WinGUp updater, contain an update integrity verification vulnerability where downloaded update metadata and installers are not cryptographically verified. An attacker able to intercept or re...

CVE-2025-14740

Feb 5, 2026 04:55:14 UTC

Docker Desktop for Windows contains multiple incorrect permission assignment vulnerabilities in the installer's handling of the C:\ProgramData\DockerDesktop directory. The installer creates this directory without proper ownership verificati...