We get it — your site sits on a stack everyone else is trying to break. WebVuln™ is a working index of known web vulnerabilities for those platforms.
Total CVEs: 4140
Stacks with data: 16
High / critical: 1851
Newest published: 2026-05-14
| CVE | Stack | Summary | Severity | CVSS | Published | Detail |
|---|---|---|---|---|---|---|
| CVE-2026-7648 | WordPress | The LearnPress – WordPress LMS Plugin for Create and Sell Online Courses plugin for WordPress is vulnerable to payment bypass through user-… | MEDIUM | 4.3 | Details | |
| CVE-2026-7525 | WordPress | The My Calendar – Accessible Event Manager plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including,… | MEDIUM | 4.3 | Details | |
| CVE-2026-5361 | WordPress | The Envira Gallery Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the REST API in versions up to and including … | MEDIUM | 6.4 | Details | |
| CVE-2026-5361 | Express | The Envira Gallery Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the REST API in versions up to and including … | MEDIUM | 6.4 | Details | |
| CVE-2026-5486 | WordPress | The Unlimited Elements for Elementor plugin for WordPress is vulnerable to SQL Injection via the 'data[filter_search]' parameter in the get… | MEDIUM | 6.5 | Details | |
| CVE-2026-44437 | Angular | The Angular SSR is a server-side rendering tool for Angular applications. From 19.0.0-next.0 to before 19.2.25, 20.3.25, 21.2.9, and 22.0.0… | — | — | Details | |
| CVE-2026-45228 | Vue.js | Quark Drive before 0.8.5 contains a stored cross-site scripting vulnerability in the System Configuration page where the template renders p… | MEDIUM | 5.4 | Details | |
| CVE-2026-45053 | PHP | CubeCart is an ecommerce software solution. Prior to 6.7.0, an Authenticated Arbitrary File Upload vulnerability exists in the REST API Fil… | CRITICAL | 9.1 | Details | |
| CVE-2026-44377 | PHP | CubeCart is an ecommerce software solution. Prior to 6.7.0, an Authenticated Server-Side Template Injection (SSTI) vulnerability exists in … | CRITICAL | 9.1 | Details | |
| CVE-2026-42304 | React | Twisted is an event-based framework for internet applications, supporting Python 3.6+. Prior to 26.4.0rc2, the twisted.names module is vuln… | HIGH | 7.5 | Details | |
| CVE-2026-21821 | jQuery | The HCL BigFix SCM Reporting site contains an outdated and unsupported version of the jQuery 1.x library. Since jQuery 1.x has reached end-… | HIGH | 8.3 | Details | |
| CVE-2026-42552 | PHP | Flight is an extensible micro-framework for PHP. Prior to 3.18.1, the default error handler Engine::_error() writes the full exception mess… | HIGH | 7.5 | Details | |
| CVE-2026-42551 | PHP | Flight is an extensible micro-framework for PHP. Prior to 3.18.1, Request::getMethod() unconditionally honors the X-HTTP-Method-Override he… | HIGH | 7.5 | Details | |
| CVE-2026-42550 | PHP | Flight is an extensible micro-framework for PHP. Prior to 3.18.1, SimplePdo::insert(), SimplePdo::update(), and SimplePdo::delete() build S… | HIGH | 8.8 | Details | |
| CVE-2026-42549 | PHP | Flight is an extensible micro-framework for PHP. Prior to 3.18.1, the make:controller CLI command calls mkdir(..., recursive: true) on a pa… | MEDIUM | 4.4 | Details | |
| CVE-2026-42548 | PHP | Flight is an extensible micro-framework for PHP. Prior to 3.18.1, Flight::jsonp() concatenates the ?jsonp= query parameter directly into an… | — | — | Details | |
| CVE-2026-33380 | Express | A vulnerability in SQL Expressions allows an authenticated attacker to read arbitrary files from the Grafana server's filesystem. Only inst… | MEDIUM | 6.3 | Details | |
| CVE-2026-42582 | Express | Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final, when decoding header blocks, the non-Huffman b… | HIGH | 7.5 | Details | |
| CVE-2026-45411 | Node.js | vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.3, it is possible to catch a host exception using the yield* expression inside … | CRITICAL | 9.8 | Details | |
| CVE-2026-45411 | Express | vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.3, it is possible to catch a host exception using the yield* expression inside … | CRITICAL | 9.8 | Details | |
WebVuln™ lists NVD records that match our curated web-stack keywords — not personalized security advice. For your own site, run WebCheck™.