Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
7.2 HIGH
CVE-2026-57857 — Flow Payment Plugin for WordPress Reflected Cross-Site Scripting via error_message Parame…

The Flow Payment plugin for WordPress (flow.cl) version 3.0.8 is vulnerable to reflected cross-site scripting on the WooCommerce checkout page. When the plugin handles an order cancellation, the erro…

Remote | Cross-Site Scripting
Jul 18, 2026 Jul 18, 2026
Jul 18, 2026
Jul 18, 2026
4.0 MEDIUM
CVE-2026-16155 — SourceCodester Class and Exam Timetabling System schoolyr.php cross site scripting

A vulnerability was identified in SourceCodester Class and Exam Timetabling System 1.0. Affected by this issue is some unknown functionality of the file /schoolyr.php. The manipulation of the argumen…

class_and_exam_timetabling_system | Remote | Cross-Site Scripting
Jul 18, 2026 Jul 18, 2026
Jul 18, 2026
Jul 18, 2026
7.5 HIGH
CVE-2026-16154 — SourceCodester Class and Exam Timetabling System edit_room1.php sql injection

A vulnerability was determined in SourceCodester Class and Exam Timetabling System 1.0/1.php. Affected by this vulnerability is an unknown functionality of the file /edit_room1.php. Executing a manip…

class_and_exam_timetabling_system | Remote | Injection
Jul 18, 2026 Jul 18, 2026
Jul 18, 2026
Jul 18, 2026
7.5 HIGH
CVE-2026-16152 — SourceCodester Class and Exam Timetabling System edit_rooma.php sql injection

A vulnerability was found in SourceCodester Class and Exam Timetabling System 1.0. Affected is an unknown function of the file /edit_rooma.php. Performing a manipulation of the argument ID results in…

class_and_exam_timetabling_system | Remote | Injection
Jul 18, 2026 Jul 18, 2026
Jul 18, 2026
Jul 18, 2026
8.7 HIGH
CVE-2026-12228 — Stored XSS in Direct Messages via Prompt Sharing in parisneo/lollms

A stored cross-site scripting (XSS) vulnerability exists in the `POST /api/prompts/share` endpoint of parisneo/lollms (latest version). The endpoint stores attacker-controlled `prompt_content` into `…

Remote | Cross-Site Scripting
Jul 18, 2026 Jul 18, 2026
Jul 18, 2026
Jul 18, 2026
0.0 NA
CVE-2026-16194 — zhayujie CowAgent web_fetch.py WebFetch.execute server-side request forgery

A vulnerability was determined in zhayujie CowAgent up to 2.1.1. This affects the function WebFetch.execute of the file agent/tools/web_fetch/web_fetch.py. Executing a manipulation of the argument ur…

cowagent | Server-Side Request Forgery
Jul 18, 2026 Jul 18, 2026
Jul 18, 2026
Jul 18, 2026
0.0 NA
CVE-2026-16156 — SourceCodester Class and Exam Timetabling System forexam.php cross site scripting

A security flaw has been discovered in SourceCodester Class and Exam Timetabling System 1.0. This affects an unknown part of the file /forexam.php. The manipulation of the argument day results in cro…

class_and_exam_timetabling_system | Cross-Site Scripting
Jul 18, 2026 Jul 18, 2026
Jul 18, 2026
Jul 18, 2026
6.8 MEDIUM
CVE-2026-57848 — Stoat for Android Internal File Disclosure via Exported ShareTargetActivity URI Validation

Stoat for Android exports the chat.stoat.activities.ShareTargetActivity component (reachable to any process on the device via the android.intent.action.SEND intent) and accepts the file to share as a…

| Information Disclosure
Jul 18, 2026 Jul 18, 2026
Jul 18, 2026
Jul 18, 2026
7.7 HIGH
CVE-2026-53994 — ProFTPD mod_sftp Heap Buffer Overflow via Unsigned Integer Underflow and Size Truncation

ProFTPD mod_sftp contains a heap-based buffer overflow reachable by an authenticated SFTP user. The fxp_packet_read() function accepts the attacker-supplied 32-bit big-endian SFTP packet length witho…

Remote | Memory Corruption
Jul 18, 2026 Jul 18, 2026
Jul 18, 2026
Jul 18, 2026
6.5 MEDIUM
CVE-2026-16151 — CartoDB carto-api-client filters.ts addFilter prototype pollution

A vulnerability has been found in CartoDB carto-api-client 0.5.29. This impacts the function addFilter of the file src/filters.ts. Such manipulation of the argument column leads to improperly control…

Remote | Misconfiguration
Jul 18, 2026 Jul 18, 2026
Jul 18, 2026
Jul 18, 2026
6.5 MEDIUM
CVE-2026-16150 — RobinHerbots Inputmask Internal Deep Merge Helper extend.js extendAliases prototype pollu…

A vulnerability was found in RobinHerbots Inputmask up to 5.0.9. Affected by this issue is the function extendDefaults/extendDefinitions/extendAliases in the library lib/dependencyLibs/extend.js of t…

Remote | Misconfiguration
Jul 18, 2026 Jul 18, 2026
Jul 18, 2026
Jul 18, 2026
5.1 MEDIUM
CVE-2026-16133 — LiuMengxuan04 MiniCode mcp.ts child_process.spawn command injection

A flaw has been found in LiuMengxuan04 MiniCode 0.1.0. Affected by this vulnerability is the function child_process.spawn of the file mcp.ts. Executing a manipulation can lead to command injection. T…

Remote | Injection
Jul 18, 2026 Jul 18, 2026
Jul 18, 2026
Jul 18, 2026
6.5 MEDIUM
CVE-2026-16131 — itsourcecode Hospital Management System prescriptionrecord.php sql injection

A weakness has been identified in itsourcecode Hospital Management System 1.0. This affects an unknown function of the file /prescriptionrecord.php. This manipulation of the argument delid causes sql…

hospital_management_system | Remote | Injection
Jul 18, 2026 Jul 18, 2026
Jul 18, 2026
Jul 18, 2026
4.4 MEDIUM
CVE-2026-16130 — nearai ironclaw write_file path_utils.rs validate_path link following

A vulnerability was identified in nearai ironclaw up to 0.29.1. The affected element is the function validate_path of the file src/tools/builtin/path_utils.rs of the component write_file. The manipul…

| Path Traversal
Jul 18, 2026 Jul 18, 2026
Jul 18, 2026
Jul 18, 2026
5.3 MEDIUM
CVE-2026-16129 — princezuda SafestClaw Built-in Web shell.py ShellAction._validate_command incomplete blac…

A vulnerability has been found in princezuda SafestClaw up to 4.2.4. This vulnerability affects the function ShellAction._validate_command of the file src/safestclaw/actions/shell.py of the component…

| Injection
Jul 18, 2026 Jul 18, 2026
Jul 18, 2026
Jul 18, 2026
7.5 HIGH
CVE-2026-16128 — zevorn rt-claw http_request swarm.c receiver_thread server-side request forgery

A security flaw has been discovered in zevorn rt-claw up to 0.2.0. This impacts the function receiver_thread of the file claw/services/swarm/swarm.c of the component http_request. Performing a manipu…

Remote | Server-Side Request Forgery
Jul 18, 2026 Jul 18, 2026
Jul 18, 2026
Jul 18, 2026
7.5 HIGH
CVE-2026-16127 — zevorn rt-claw http_request tool_net.c claw_net_post server-side request forgery

A vulnerability was identified in zevorn rt-claw up to 0.2.0. This affects the function claw_net_get/claw_net_post of the file claw/tools/tool_net.c of the component http_request. Such manipulation o…

Remote | Server-Side Request Forgery
Jul 18, 2026 Jul 18, 2026
Jul 18, 2026
Jul 18, 2026
7.5 HIGH
CVE-2026-16126 — zevorn rt-claw Swarm RPC Receiver swarm.c handle_rpc_request authorization

A vulnerability was determined in zevorn rt-claw up to 0.2.0. The impacted element is the function handle_rpc_request of the file claw/services/swarm/swarm.c of the component Swarm RPC Receiver. This…

Remote | Authorization
Jul 18, 2026 Jul 18, 2026
Jul 18, 2026
Jul 18, 2026
7.5 HIGH
CVE-2026-16125 — zevorn rt-claw http_request net.c claw_net_post server-side request forgery

A vulnerability was found in zevorn rt-claw up to 0.2.0. The affected element is the function claw_net_get/claw_net_post of the file claw/services/tools/net.c of the component http_request. The manip…

Remote | Server-Side Request Forgery
Jul 18, 2026 Jul 18, 2026
Jul 18, 2026
Jul 18, 2026
6.5 MEDIUM
CVE-2026-16124 — nextlevelbuilder GoClaw web_fetch web_shared.go isPrivateIP server-side request forgery

A security vulnerability has been detected in nextlevelbuilder GoClaw up to 3.15.0-beta.32. This affects the function CheckSSRF/isPrivateIP of the file internal/tools/web_shared.go of the component w…

goclaw | Remote | Server-Side Request Forgery
Jul 18, 2026 Jul 18, 2026
Jul 18, 2026
Jul 18, 2026
Showing 20 of 7794 Results