We get it — your site sits on a stack everyone else is trying to break. WebVuln™ is a working index of known web vulnerabilities for those platforms.
Total CVEs: 4058
Stacks with data: 16
High / critical: 1809
Newest published: 2026-05-12

| CVE | Stack | Summary | Severity | CVSS | Published | Detail |
|---|---|---|---|---|---|---|
| CVE-2026-5371 | WordPress | The MonsterInsights – Google Analytics Dashboard for WordPress (Website Stats Made Easy) plugin for WordPress is vulnerable to unauthorized… | HIGH | 7.1 | | Details |
| CVE-2026-41901 | Express | Thymeleaf is a server-side Java template engine for web and standalone environments. Prior to 3.1.5.RELEASE, a security bypass vulnerabilit… | CRITICAL | 9 | | Details |
| CVE-2026-1250 | WordPress | The Court Reservation – Manage Your Court Bookings Online plugin for WordPress is vulnerable to generic SQL Injection via the ‘id’ paramete… | HIGH | 7.5 | | Details |
| CVE-2025-15463 | WordPress | The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and inc… | MEDIUM | 6.5 | | Details |
| CVE-2026-44306 | Laravel | Statamic is a Laravel and Git powered content management system (CMS). Prior to 5.73.21 and 6.15.0, responses from the forgot password form… | MEDIUM | 5.3 | | Details |
| CVE-2026-44262 | PHP | Scramble generates API documentation for Laravel project. From 0.13.2 to before 0.13.22, when documentation endpoints are publicly accessib… | CRITICAL | 9.4 | | Details |
| CVE-2026-44262 | Laravel | Scramble generates API documentation for Laravel project. From 0.13.2 to before 0.13.22, when documentation endpoints are publicly accessib… | CRITICAL | 9.4 | | Details |
| CVE-2026-44015 | nginx | Nginx UI is a web user interface for the Nginx web server. In 2.3.4 and earlier, an authenticated user can perform Server-Side Request Forg… | HIGH | 8.5 | | Details |
| CVE-2026-42268 | nginx | ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. From 3.0.0 to before 3.0.15,… | — | — | | Details |
| CVE-2026-42196 | Django | django-s3file is a lightweight file upload input for Django and Amazon S3. Prior to 7.0.2, S3FileMiddleware is vulnerable to relative path … | — | — | | Details |
| CVE-2026-40902 | PHP | PhpSpreadsheet is a pure PHP library for reading and writing spreadsheet files. Prior to 1.30.4, 2.1.16, 2.4.5, 3.10.5, and 5.7.0, the XLSX… | HIGH | 7.5 | | Details |
| CVE-2026-40863 | PHP | PhpSpreadsheet is a pure PHP library for reading and writing spreadsheet files. Prior to 1.30.4, 2.1.16, 2.4.5, 3.10.5, and 5.7.0, the Spre… | HIGH | 7.5 | | Details |
| CVE-2026-44240 | Node.js | basic-ftp is an FTP client for Node.js. Prior to 5.3.1, basic-ftp is vulnerable to client-side denial of service when parsing FTP control-c… | HIGH | 7.5 | | Details |
| CVE-2026-44232 | Node.js | DSSRF is a Node.js library that provides a wide range of utilities and advanced SSRF defense checks. Prior to 1.3.0, every IPv6 category by… | — | — | | Details |
| CVE-2026-44224 | Node.js | Wiki.js is an open source wiki app built on Node.js. Prior to 2.5.313, the users.update GraphQL mutation accepts an arbitrary groups array … | — | — | | Details |
| CVE-2026-44217 | Node.js | sse-channel is an SSE-implementation which can be used to any node.js http request/response stream. Prior to 4.0.1, implementations that al… | — | — | | Details |
| CVE-2026-8430 | nginx | SPIP versions prior to 4.4.14 contain a remote code execution vulnerability in the public space that is limited to certain nginx configurat… | HIGH | 8.1 | | Details |
| CVE-2026-44167 | PHP | phpseclib is a PHP secure communications library. Prior to 1.0.29, 2.0.54, and 3.0.52, anyone loading untrusted ASN1 files (eg. X509 certif… | HIGH | 7.5 | | Details |
| CVE-2026-43929 | Node.js | ssrfcheck is a library that checks if a string contains a potential SSRF attack. In 1.3.0 and earlier, ssrfcheck fails to block Server-Side… | HIGH | 8.2 | | Details |
| CVE-2026-43892 | jQuery | AntSword is a cross-platform website management toolkit. Prior to 2.1.16, incomplete noxss() sanitization leads to 1-click RCE via jquery.t… | HIGH | 8.8 | | Details |

WebVuln™ lists NVD records that match our curated web-stack keywords — not personalized security advice. For your own site, run WebCheck™.