4.3
CVE-2026-0658 - Five Star Restaurant Reservations < 2.7.9 - Arbitrary Bookings Deletion via CSRF
The Five Star Restaurant Reservations WordPress plugin before 2.7.9 does not have CSRF checks in some bulk actions, which could allow attackers to make logged in admins perform unwanted actions, such as deleting bookings via CSRF attacks.
7.1
CVE-2025-15396 - Library Viewer < 3.2.0 - Reflected Cross-Site Scripting
The Library Viewer WordPress plugin before 3.2.0 does not sanitise and escape some parameters before outputting them back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
9.8
CVE-2025-15030 - User Profile Builder < 3.15.2 - Unauthenticated Arbitrary Password Reset
The User Profile Builder WordPress plugin before 3.15.2 does not have a proper password reset process, allowing a few unauthenticated requests to reset the password of any user by knowing their username, such as administrator ones, and therefore gain access to their account
5.3
CVE-2026-1746 - JeecgBoot Online Report API loadDictItemByKeyword sql injection
A vulnerability was identified in JeecgBoot 3.9.0. This vulnerability affects unknown code of the file /JeecgBoot/sys/api/loadDictItemByKeyword of the component Online Report API. Such manipulation of the argument keyword leads to sql injection. The attack can be executed remotely. The exploit is pβ¦
5.3
CVE-2026-1745 - SourceCodester Medical Certificate Generator App cross-site request forgery
A vulnerability was determined in SourceCodester Medical Certificate Generator App 1.0. This affects an unknown part. This manipulation causes cross-site request forgery. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized.
9.8
CVE-2026-25202 - Hardcoded Database Credentials in MagicINFO 9 Server Allow Remote Administrative Access
The database account and password are hardcoded, allowing login with the account to manipulate the database in MagicInfo9 Server.This issue affects MagicINFO 9 Server: less than 21.1090.1.
8.8
CVE-2026-25201 -
An unauthenticated user can upload arbitrary files to execute remote code, leading to privilege escalation in MagicInfo9 Server. This issue affects MagicINFO 9 Server: less than 21.1090.1.
9.8
CVE-2026-25200 - Stored XSS via Unrestricted HTML Upload in Samsung MagicINFO 9 Server
A vulnerability in MagicInfo9 Server allows authorized users to upload HTML files without authentication, leading to Stored XSS, which can result in account takeover This issue affects MagicINFO 9 Server: less than 21.1090.1.
8.7
CVE-2026-24788 - OS Command Injection in RaspAP raspapβwebgui Allowing Remote Execution
RaspAP raspap-webgui versions prior to 3.3.6 contain an OS command injection vulnerability. If exploited, an arbitrary OS command may be executed by a user who can log in to the product.
4.8
CVE-2026-1744 - D-Link DSL-6641K sp_pppoe_user.js doSubmitPPP cross site scripting
A vulnerability was found in D-Link DSL-6641K N8.TR069.20131126. Affected by this issue is the function doSubmitPPP of the file sp_pppoe_user.js. The manipulation of the argument Username results in cross site scripting. The attack may be launched remotely. The exploit has been made public and coulβ¦