Common Vulnerabilities and Exposures (CVE)

CVE-2026-22100

Jul 13, 2026 14:26:13 UTC

The OCPP DataTransfer message `ReserveLogin` is vulnerable to command injection. By manipulating the data value, arbitrary OS commands can be executed as root.

CVE-2026-13116

Jul 13, 2026 14:25:51 UTC

The PDF Invoices & Packing Slips for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.14.0 via the generate_document_shortcode due to missing validation on a user con...

CVE-2026-7559

Jul 13, 2026 14:25:12 UTC

The Affilia – Affiliate Program & Referral Tracking for WordPress plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 3.3.3. This is due to the plugin not properly verifying that a user is authori...

CVE-2026-22096

Jul 13, 2026 14:25:02 UTC

The webserver running on port 8090 does not require authentication. This allows for sensitive information leakage such as configured passwords, or uploading files through different endpoints.

CVE-2026-56238

Jul 13, 2026 14:23:57 UTC

Capgo before 12.128.2 contains an information disclosure vulnerability in the Supabase PostgREST global_stats endpoint that allows unauthenticated attackers to read sensitive financial and operational metrics using only the public apikey. R...

CVE-2026-22102

Jul 13, 2026 14:23:55 UTC

A POST request sent to a specific webserver endpoint can be used to write to arbitrary file locations. The endpoint accepts the filename parameter in the Content-Disposition header without verification. This can be used to cause a denial of...

CVE-2026-57739

Jul 13, 2026 14:23:53 UTC

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in AcyMailing Newsletter Team AcyMailing SMTP Newsletter acymailing allows Blind SQL Injection.This issue affects AcyMailing SMTP Newsletter:...

CVE-2026-22099

Jul 13, 2026 14:22:50 UTC

The charging station does not require authentication for Bluetooth commands to perform actions. The functionality exposed includes sensitive information leakage, triggering reboots, or pushing a firmware update URL.

CVE-2026-22097

Jul 13, 2026 14:22:07 UTC

The firmware update mechanism does not include cryptographic signature validation. This allows anyone with access to the firmware update capability to upload arbitrary files which can then lead to arbitrary code execution.

CVE-2026-22098

Jul 13, 2026 14:21:22 UTC

Various sensitive information such as passwords and charging card UIDs are written to log files.

CVE-2026-56281

Jul 13, 2026 14:21:17 UTC

Capgo before 12.128.2 contains a sql injection vulnerability in the POST /private/admin_stats endpoint where the limit parameter is destructured from unvalidated request body and interpolated directly into Cloudflare Analytics Engine SQL qu...

CVE-2026-57814

Jul 13, 2026 14:20:16 UTC

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPMU DEV - Your All-in-One WordPress Platform Forminator forminator allows DOM-Based XSS.This issue affects Forminator: from n/a through <...

CVE-2026-59521

Jul 13, 2026 14:20:03 UTC

Deserialization of Untrusted Data vulnerability in ShapedPlugin LLC Real Testimonials testimonial-free allows Object Injection.This issue affects Real Testimonials: from n/a through <= 3.1.15.

CVE-2026-61968

Jul 13, 2026 14:19:50 UTC

Missing Authorization vulnerability in Saad Iqbal myCred mycred allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects myCred: from n/a through <= 3.1.2.

CVE-2026-61983

Jul 13, 2026 14:19:36 UTC

Missing Authorization vulnerability in andy_moyle Church Admin church-admin allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Church Admin: from n/a through <= 5.0.30.