Common Vulnerabilities and Exposures (CVE)

CVE-2025-66076

Jul 2, 2026 14:52:09 UTC

Unauthenticated Broken Access Control in Woostify Sites Library <= 1.6.2 versions.

CVE-2026-5348

Jul 2, 2026 14:52:06 UTC

The Academy LMS – WordPress LMS Plugin for Complete eLearning Solution plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 3.8.1. This is due to the '/topics' REST API endpoint being regi...

CVE-2026-27404

Jul 2, 2026 14:51:33 UTC

Unauthenticated Cross Site Scripting (XSS) in LMS <= 9.7 versions.

CVE-2026-10089

Jul 2, 2026 14:50:23 UTC

The Insert Pages plugin for WordPress is vulnerable to Stored Cross-Site Scripting via post custom field keys (meta key names) in all versions up to, and including, 3.11.4. This is due to insufficient output escaping in the the_meta() funct...

CVE-2026-55792

Jul 2, 2026 14:49:11 UTC

Craft CMS is a content management system (CMS). In versions starting from 4.0.0-RC1 and prior to 4.18.0, and 5.0.0-RC1 and above, prior to 5.10.0, the dataUrl() Twig function is included in Craft’s Twig sandbox allowlist, allowing any contr...

CVE-2026-44832

Jul 2, 2026 14:48:03 UTC

Snipe-IT is an IT asset/license management system. Prior to 8.4.1, an authenticated user with only users.edit permission can escalate their own privileges to admin by sending a PATCH request to /api/v1/users/{id} with permissions[admin]=1....

CVE-2026-50283

Jul 2, 2026 14:47:28 UTC

Craft CMS is a content management system (CMS). Versions 5.0.0-RC1 through 5.9.20, and 4.0.0-RC1 through 4.17.13 contain an authorization issue in the AssetsController::actionReplaceFile that can delete a source asset without source delete ...

CVE-2026-27426

Jul 2, 2026 14:46:13 UTC

Unauthenticated Cross Site Scripting (XSS) in Automotive Car Dealership Business <= 13.3.3 versions.

CVE-2026-5263

Jul 2, 2026 14:45:49 UTC

URI nameConstraints from constrained intermediate CAs are parsed but not enforced during certificate chain verification in wolfcrypt/src/asn.c. A compromised or malicious sub-CA could issue leaf certificates with URI SAN entries that violat...

CVE-2025-69153

Jul 2, 2026 14:44:40 UTC

Unauthenticated Cross Site Scripting (XSS) in Trendy Travel <= 6.7 versions.

CVE-2026-54261

Jul 2, 2026 14:42:46 UTC

Wagtail is an open source content management system built on Django. In versions prior to 7.0.8, 7.3.3 and 7.4.2, due to a missing permission check on the image preview endpoint, a user with access to the Wagtail admin can preview any image...

CVE-2026-54756

Jul 2, 2026 14:41:32 UTC

Jodit Editor is a WYSIWYG editor written in pure TypeScript with file and image editing capabilities. In versions prior to 4.12.18, Jodit.configure(options) — and the internal ConfigMerge / ConfigProto helpers — merged user-supplied options...

CVE-2026-36911

Jul 2, 2026 14:40:28 UTC

A division-by-zero vulnerability in the CStreamSwitcherOutputPin::DecideBufferSize function of Aleksoid1978 MPC-BE before commit 4341cb3 allows attackers to cause a Denial of Service (DoS) via a crafted MP4 file.

CVE-2026-55688

Jul 2, 2026 14:39:00 UTC

The AsyncHttpClient (AHC) library allows Java applications to easily execute HTTP requests and asynchronously process HTTP responses. In versions from 2.0.0 prior to 2.16.0 and from 3.0.0.Beta1 prior to 3.0.11, ThreadSafeCookieStore stored ...

CVE-2026-36910

Jul 2, 2026 14:38:37 UTC

An access violation in the BaseSplitterFile::Read function of Aleksoid1978 MPC-BE before commit 4341cb3 allows attackers to cause a Denial of Service (DoS) via a crafted MP4 file.