Search Results (8784 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2026-40758 2 Elated-themes, Wordpress 2 Léonie, Wordpress 2026-06-26 8.1 High
Unauthenticated PHP Object Injection in Léonie <= 1.2.1 versions.
CVE-2026-40759 2 Mikado-themes, Wordpress 2 Esmée, Wordpress 2026-06-26 8.1 High
Unauthenticated PHP Object Injection in Esmée <= 1.4 versions.
CVE-2026-40735 2 Edge-themes, Wordpress 2 Reina, Wordpress 2026-06-26 8.1 High
Unauthenticated PHP Object Injection in Reina <= 2.1 versions.
CVE-2025-69111 2 Themerex, Wordpress 2 Reisen, Wordpress 2026-06-26 9.8 Critical
Unauthenticated PHP Object Injection in Reisen <= 1.4.1 versions.
CVE-2025-69127 2 Themerex, Wordpress 2 Plumbing, Wordpress 2026-06-26 9.8 Critical
Unauthenticated PHP Object Injection in Plumbing <= 1.6 versions.
CVE-2026-39556 2 Elated-themes, Wordpress 2 Konsept, Wordpress 2026-06-26 8.1 High
Unauthenticated PHP Object Injection in Konsept <= 1.9 versions.
CVE-2026-39560 2 Select-themes, Wordpress 2 Hiroshi, Wordpress 2026-06-26 8.1 High
Unauthenticated PHP Object Injection in Hiroshi <= 1.5.1 versions.
CVE-2026-39576 2 Elated-themes, Wordpress 2 Singlemalt, Wordpress 2026-06-26 8.1 High
Unauthenticated PHP Object Injection in SingleMalt <= 1.5 versions.
CVE-2026-40733 2 Mikado-themes, Wordpress 2 Shiftup, Wordpress 2026-06-26 8.1 High
Unauthenticated PHP Object Injection in ShiftUp <= 1.3 versions.
CVE-2026-40756 2 Mikado-themes, Wordpress 2 Zoya, Wordpress 2026-06-26 8.1 High
Unauthenticated PHP Object Injection in Zoya <= 1.4 versions.
CVE-2026-40757 2 Mikado-themes, Wordpress 2 Château, Wordpress 2026-06-26 8.1 High
Unauthenticated PHP Object Injection in Château <= 1.2.1 versions.
CVE-2026-23879 1 Miurahr 1 Py7zr 2026-06-26 8 High
py7zr is a Python-based library and utility to support 7zip archive compression, decompression, encryption and decryption. Versions 1.1.2 and below contain an an arbitrary file write vulnerability, which allows symbolic links to be recreated outside the destination directory via crafted malicious symbolic link chains. When using extractall to extract an archive, the library restores these symbolic links, linking them to arbitrary directories on the host file system. During extraction, the program only checks the link arcname within the destination directory, but ignores the combined symlink path resolution. Attackers can exploit this vulnerability by constructing malicious archives, thereby bypassing the directory boundary restrictions implemented by the extractor. Subsequent extraction of regular files through these symbolic links can result in arbitrary file writes. This vulnerability may lead to remote code execution, privilege escalation, data corruption, or denial of service. This issue has been fixed in version 1.1.3.
CVE-2026-53766 1 Chromedevtools 1 Chrome-devtools-mcp 2026-06-26 6.1 Medium
Chrome DevTools for agents (chrome-devtools-mcp) lets your coding agent control and inspect a live Chrome browser. From 0.24.0 until 1.1.0, McpContext.validatePath() enforces workspace roots by checking whether path.resolve(filePath) textually falls under one of the configured root paths. path.resolve() does not canonicalize symbolic links. As a result, a symlink inside a configured workspace root can point to a file outside that root, pass validation, and then be followed by downstream file read/write operations. This bypass applies even when the MCP client correctly declares the roots capability with a non-empty list. It is separate from the documented legacy behavior where missing roots capability allows all paths. The practical impact is a workspace-boundary bypass. In the write direction, filePath-writing tools can overwrite out-of-root files through an in-root symlink. In the read direction, upload_file can read through the symlink and send the file to the currently selected web page. This vulnerability is fixed in 1.1.0.
CVE-2026-10043 1 Mosaicml 1 Composer 2026-06-26 N/A
MosaicML Composer Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of MosaicML Composer. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of checkpoints. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-27990.
CVE-2026-9650 1 Schneider Electric 2 Easylogic T150 (formerly Saitel Dr) Remote Terminal Unit & Controller, Saitel Dp Remote Terminal Unit & Controller 2026-06-26 N/A
CWE-522 Insufficiently Protected Credentials vulnerability that could cause unauthorized access and exposure of sensitive information when unauthenticated attacker accesses credentials stored within firmware or system files. With this credential an attacker could subsequently compromise the device if they have physical access to the device.
CVE-2026-9691 2 Crm Perks, Wordpress 2 Integration For Mailchimp And Contact Form 7, Wpforms, Elementor, Ninja Forms, Wordpress 2026-06-26 9.8 Critical
Unauthenticated PHP Object Injection in Integration for ActiveCampaign and Contact Form 7, WPForms, Elementor, Ninja Forms <= 1.1.1 versions.
CVE-2026-27053 2 Videowhisper, Wordpress 2 Broadcast Live Video, Wordpress 2026-06-26 9.8 Critical
Unauthenticated PHP Object Injection in Broadcast Live Video < 7.1.3 versions.
CVE-2026-39532 2 Stiofansisland, Wordpress 2 Events Calendar For Geodirectory, Wordpress 2026-06-26 8.8 High
Contributor PHP Object Injection in Events Calendar for GeoDirectory <= 2.3.25 versions.
CVE-2026-42687 2 Theeventprime, Wordpress 2 Eventprime, Wordpress 2026-06-26 8.1 High
Unauthenticated PHP Object Injection in EventPrime <= 4.3.2.1 versions.
CVE-2026-49104 2 Crm Perks, Wordpress 2 Integration For Mailchimp And Contact Form 7, Wpforms, Elementor, Ninja Forms, Wordpress 2026-06-26 9.8 Critical
Unauthenticated PHP Object Injection in Integration for Keap/infusionsoft and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms <= 1.2.1 versions.