Medium Severity CVEs Medium

3,831 documented vulnerabilities classified as medium severity.

Other levels: Critical High Low
2026
2,884
2025
721
2024
54
2023
41
2022
35
2021
20
2020
14
2019
21

Top Affected Vendors (Medium Severity)

Linux 150 Openclaw 63 Apache 52 Google 46 Wireshark 39 Microsoft 31 Oracle 27 Mozilla 22 Ibm 21 Kentico 20 Redhat 19 Wwbn 17 Open5Gs 17 Apple 15 Gitlab 15

All Medium CVEs

Recent Highest Score Oldest
CVE-2026-45498
4.0 medium

Microsoft Defender Denial of Service Vulnerability

Microsoft Defender Antimalware Platform May 20, 2026
CVE-2026-45443
5.0 medium

Missing Authorization vulnerability in ADD-ONS.ORG PDF for Elementor Forms + Drag And Drop Template Builder allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects PDF for Elementor Forms + Drag And Drop Template Builder: from n/a through 5.5.1.

May 20, 2026
CVE-2026-3592
5.3 medium

BIND resolvers are vulnerable to an amplified resource consumption/exhaustion attack. If a victim resolver makes a query to a specially crafted zone, the resolver will consume disproportionate resources. This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.48, 9.20.0 throu

Isc Bind May 20, 2026
CVE-2026-27424
4.3 medium

Missing Authorization vulnerability in WP Chill Image Photo Gallery Final Tiles Grid allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Image Photo Gallery Final Tiles Grid: from n/a through 3.6.11.

May 20, 2026
CVE-2026-27405
6.5 medium

Missing Authorization vulnerability in Magepeople inc. WpBookingly allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WpBookingly: from n/a through 1.2.9.

May 20, 2026
CVE-2026-24573
6.5 medium

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themeisle Visualizer allows Stored XSS. This issue affects Visualizer: from n/a before 4.0.0.

May 20, 2026
CVE-2025-31973
4.0 medium

HCL BigFix Service Management (SM) is susceptible to a Configuration – 'Insecure Use of Base Image Version'. Using outdated or insecure base images may introduce known vulnerabilities, potentially increasing the risk of exploitation in the application environment.

Hcltech Bigfix Service Management May 20, 2026
CVE-2026-25602
4.4 medium

Insufficient Verification of Data Authenticity vulnerability in Mesalvo Meona Client Launcher Component, Mesalvo Meona Server Component makes it possible to send messages to any email address. This issue affects Meona Client Launcher Component: through 19.06.2020 15:11:49; Meona Server Component: th

May 20, 2026
CVE-2026-0857
6.0 medium

Cleartext Storage of Sensitive Information in Memory vulnerability in Mesalvo Meona Client Launcher Component, Mesalvo Meona Server Component. This issue affects Meona Client Launcher Component: through 19.06.2020 15:11:49; Meona Server Component: through 2025.04 5+323020.

May 20, 2026
CVE-2026-6728
5.3 medium

The Slider Revolution plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 7.0.9 via the 'get_stream_data()' function. This makes it possible for unauthenticated attackers to extract sensitive data including published password-protected post, page, a

May 20, 2026
CVE-2026-44608
5.9 medium

NLnet Labs Unbound 1.14.0 up to and including version 1.25.0 has a locking inconsistency vulnerability that when certain conditions are met (multi-threaded, RPZ XFR reload, RPZ zone with 'rpz-nsip'/'rpz-nsdname' triggers) it could result in heap use-after-free and eventual crash. An adversary can ex

Nlnetlabs Unbound May 20, 2026
CVE-2026-44390
5.3 medium

NLnet Labs Unbound up to and including version 1.25.0 has a vulnerability when handling replies with very large RRsets that Unbound needs to perform name compression for. Malicious upstream responses with very large RRsets with records that don't share a suffix above the root can cause Unbound to sp

Nlnetlabs Unbound May 20, 2026
CVE-2026-42923
5.3 medium

NLnet Labs Unbound up to and including version 1.25.0 has a vulnerability in the DNSSEC validator where the code path to consult the negative cache for DS records does not take into account the limit on NSEC3 hash calculations introduced in 1.19.1. This leads to degradation of service during the att

Nlnetlabs Unbound May 20, 2026
CVE-2026-42534
5.3 medium

NLnet Labs Unbound up to and including version 1.25.0 has a vulnerability in the jostle logic that could defeat its purpose and degrade resolution performance. Retransmits of the same query could renew the age of slow running queries and not allow the jostle logic to see them as aged and potential t

Nlnetlabs Unbound May 20, 2026
CVE-2026-35070
6.4 medium

Dell SmartFabric Storage Software, versions prior to 1.4.5, contains an Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability. A high privileged attacker with local access could potentially exploit this vulnerability, leading to Filesystem access for attac

May 20, 2026
CVE-2026-32792
5.3 medium

NLnet Labs Unbound 1.6.2 up to and including version 1.25.0 has a denial of service vulnerability when compiled with DNSCrypt support ('--enable-dnscrypt'). A bad DNSCrypt query could underflow Unbound's DNSCrypt packet reading procedure that may lead to heap overflow. A malicious actor can exploit

Nlnetlabs Unbound May 20, 2026
CVE-2026-6405
4.3 medium

The Anomify AI – Anomaly Detection and Alerting plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) leading to Stored Cross-Site Scripting (XSS) in versions up to and including 0.3.6. This is due to missing nonce verification on the settings page handler and insufficient output e

May 20, 2026
CVE-2026-7385
5.8 medium

The Decent Comments WordPress plugin before 3.0.2 does not restrict access to comment author email addresses and post author email addresses via its REST API endpoint, allowing unauthenticated attackers to enumerate registered user email addresses.

May 20, 2026
CVE-2026-6566
4.3 medium

The Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to and including 4.2.0. This is due to insufficient object-level authorization in the image deletion REST flow where the permission callback for DEL

May 20, 2026
CVE-2026-5776
6.1 medium

The Email Encoder WordPress plugin before 2.4.7 does not escape email addresses retrieved via user input, allowing unauthenticated attackers to perform Stored XSS attacks

May 20, 2026
CVE-2026-44392
4.3 medium

Missing authorization vulnerability exists in Movable Type. Under certain conditions, when a user without administrator privileges signs in to the product, unintended update processing may be executed.

May 20, 2026
CVE-2026-2955
6.4 medium

The AI Chatbot & Workflow Automation by AIWU plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'X-Forwarded-For' header in versions up to, and including, 1.4.14 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to

May 20, 2026
CVE-2026-9056
5.4 medium

A stored cross-site scripting vulnerability has been found in the Talend Administration Center. An attacker with permission to manage servers can store a XSS payload that can be triggered by a different user.

May 20, 2026
CVE-2026-5075
4.3 medium

The All in One SEO plugin for WordPress is vulnerable to Sensitive Information Exposure via 'internalOptions' localized script data in versions up to, and including, 4.9.7 due to sensitive internal option data being passed to wp_localize_script() in post editor contexts without effective masking for

May 20, 2026