Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
CVE Intelligence

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

All Critical Actively Exploited Remotely Exploitable
Last Updated Published CVSS Score
Score
Vulnerability
Published
9.0 HIGH
CVE-2026-12174 — D-Link DCS-935L HTTP rhea snprintf format string

A security vulnerability has been detected in D-Link DCS-935L 1.10.01. This issue affects the function snprintf of the file /web/cgi-bin/greece/rhea of the component HTTP Handler. Such manipulation o…

Remote | Injection
Jun 13, 2026 Jun 13, 2026
Jun 13, 2026
Jun 13, 2026
9.8 CRITICAL
CVE-2026-12183 — Nefteprodukttekhnika BUK TS-G Improper Authentication

Nefteprodukttekhnika BUK TS-G Gas Station Automation System 2.9.1 through 2.10.2 on Linux contains an Improper Authentication vulnerability (CWE-287) in the system configuration module. The /php/ajax…

Remote | Authentication
Jun 13, 2026 Jun 13, 2026
Jun 13, 2026
Jun 13, 2026
7.6 HIGH
CVE-2026-6428 — Koha SQL Injection

SQL Injection in reports/catalogue_out.pl in Koha Community Koha through 22.11.37, 23.x, 24.x before 24.11.16, 25.05.x before 25.05.11, 25.11.x before 25.11.05, 26.05.x before 26.05.01, and 26.11.x b…

Remote | Injection
Jun 13, 2026 Jun 13, 2026
Jun 13, 2026
Jun 13, 2026
7.2 HIGH
CVE-2026-5513 — Online Scheduling and Appointment Booking System – Bookly <= 27.2 - Unauthenticated Store…

The Online Scheduling and Appointment Booking System – Bookly plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'bookly-customer-full-name' cookie in versions up to, and inclu…

Remote | Cross-Site Scripting
Jun 13, 2026 Jun 13, 2026
Jun 13, 2026
Jun 13, 2026
4.3 MEDIUM
CVE-2026-1291 — Meow Gallery <= 5.4.4 - Missing Authorization to Authenticated (Author+) Shortcode creati…

The Meow Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the REST API endpoint /wp-json/meow-gallery/v1/save_shortcode in all vers…

Remote | Authorization
Jun 13, 2026 Jun 13, 2026
Jun 13, 2026
Jun 13, 2026
9.4 CRITICAL
CVE-2026-11624 — Model Context Protocol DNS Rebinding Vulnerability

The Model Context Protocol has a security warning advising servers to validate the "Origin" header on all incoming connections to prevent DNS rebinding attacks. Prior to the v0.25.0 release, users ha…

Remote | Misconfiguration
Jun 13, 2026 Jun 13, 2026
Jun 13, 2026
Jun 13, 2026
6.4 MEDIUM
CVE-2026-9629 — Canvas <= 2.5.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'tag' Bloc…

The Canvas plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'tag' parameter in all versions up to, and including, 2.5.2 due to insufficient input sanitization and output esca…

Remote | Cross-Site Scripting
Jun 13, 2026 Jun 13, 2026
Jun 13, 2026
Jun 13, 2026
6.4 MEDIUM
CVE-2026-3297 — Page Builder: Pagelayer – Drag and Drop website builder <= 2.0.9 - Authenticated (Contrib…

The Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Anchor block in versions up to, and including, 2.0.9 due to insuf…

pagelayer | Remote | Cross-Site Scripting
Jun 13, 2026 Jun 13, 2026
Jun 13, 2026
Jun 13, 2026
4.3 MEDIUM
CVE-2026-2470 — Pagelayer <= 2.0.9 - Incorrect Authorization to Authenticated (Contributor+) Mail Relay C…

The Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress is vulnerable to Incorrect Authorization in all versions up to, and including, 2.0.9. This is due to the pagelayer_sav…

pagelayer | Remote | Authorization
Jun 13, 2026 Jun 13, 2026
Jun 13, 2026
Jun 13, 2026
6.4 MEDIUM
CVE-2026-9134 — Photo Gallery by FooGallery : Responsive Image Gallery, Masonry Gallery & Carousel <= 3.1…

The FooGallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'custom_attribute_key' shortcode parameter in versions up to, and including, 3.1.31 This is due to an incomple…

Remote | Cross-Site Scripting
Jun 13, 2026 Jun 13, 2026
Jun 13, 2026
Jun 13, 2026
7.2 HIGH
CVE-2026-9109 — GPTranslate <= 2.31 - Unauthenticated Stored Cross-Site Scripting via REST API Translatio…

The GPTranslate – Multilingual AI Translation for WordPress: Automatically Translate Websites plugin for WordPress is vulnerable to Stored Cross-Site Scripting via REST API Translation Storage in all…

Remote | Cross-Site Scripting
Jun 13, 2026 Jun 13, 2026
Jun 13, 2026
Jun 13, 2026
0.0 NA
CVE-2026-9062 — Agile Store Locator < 1.6.9 - Admin+ Arbitrary File Read via Path Traversal

The Store Locator WordPress plugin before 1.6.9 does not validate a parameter before using it in a file path, allowing high-privileged users such as administrators to read arbitrary `.php` files from…

store_locator | Path Traversal
Jun 13, 2026 Jun 13, 2026
Jun 13, 2026
Jun 13, 2026
0.0 NA
CVE-2026-9061 — Agile Store Locator < 1.6.9 - Admin+ Stored XSS via logo_name

The Store Locator WordPress plugin before 1.6.9 does not sanitize and escape store logo metadata before storing it and outputting it on the Store Locator WordPress plugin before 1.6.9 admin page, all…

store_locator | Cross-Site Scripting
Jun 13, 2026 Jun 13, 2026
Jun 13, 2026
Jun 13, 2026
6.4 MEDIUM
CVE-2026-11769 — Operator - Namespaced User Path Traversal

We have released version 5.24.0 of the Grafana Operator. This patch includes a CRITICAL severity security fix for a path traversal/privilege escalation vulnerability in the Grafana Operator. ### S…

Remote | Path Traversal
Jun 13, 2026 Jun 13, 2026
Jun 13, 2026
Jun 13, 2026
7.5 HIGH
CVE-2026-9848 — WP Ticket <= 6.0.4 - Unauthenticated SQL Injection via WordPress Search 's' Parameter

The WP Ticket plugin for WordPress is vulnerable to SQL Injection via the WordPress search query parameter (`s`) in versions up to, and including, 6.0.4 The plugin hooks WordPress's `posts_request` f…

Remote | Injection
Jun 13, 2026 Jun 13, 2026
Jun 13, 2026
Jun 13, 2026
5.5 MEDIUM
CVE-2026-54231 — Abrt: unsanitized systemd journal content written to dump directory files enables content…

A content injection vulnerability was found in the ABRT post-create event handler scripts in libreport. The event script queries the systemd journal for log entries matching the crashed process and w…

enterprise_linux enterprise_linux | Injection
Jun 13, 2026 Jun 13, 2026
Jun 13, 2026
Jun 13, 2026
7.0 HIGH
CVE-2026-54230 — Abrt: event handler scripts follow symlinks when writing output files, allowing arbitrary…

A symlink following vulnerability was found in the ABRT post-create event handler scripts in libreport. Event scripts write output files using shell redirections without the O_NOFOLLOW flag. If the t…

enterprise_linux enterprise_linux | Path Traversal
Jun 13, 2026 Jun 13, 2026
Jun 13, 2026
Jun 13, 2026
7.0 HIGH
CVE-2026-54229 — Abrt: chownproblemdir succeeds during active post-create event processing due to inadequa…

A race condition was found in the abrt-dbus D-Bus service's ChownProblemDir method. ChownProblemDir opens the dump directory with DD_OPEN_READONLY and calls dd_chown to change ownership of all files …

enterprise_linux enterprise_linux | Race Condition
Jun 13, 2026 Jun 13, 2026
Jun 13, 2026
Jun 13, 2026
7.8 HIGH
CVE-2026-54228 — Abrt: toctou race condition in abrt-dbus setelement allows arbitrary file writes to dump …

A time-of-check time-of-use (TOCTOU) race condition was found in the abrt-dbus D-Bus service's SetElement method. Between dump directory creation and post-create event execution, any local user can c…

enterprise_linux enterprise_linux | Race Condition
Jun 13, 2026 Jun 13, 2026
Jun 13, 2026
Jun 13, 2026
4.9 MEDIUM
CVE-2026-12089 — WS Optimize – All-in-One Speed Booster & Cache Tools <= 3.3.19 - Authenticated (Editor+) …

The LWS Optimize – All-in-One Speed Booster & Cache Tools plugin for WordPress is vulnerable to Arbitrary File Read in versions up to, and including, 3.3.19. This is due to the combine_current_css() …

Remote | Path Traversal
Jun 13, 2026 Jun 13, 2026
Jun 13, 2026
Jun 13, 2026
Showing 20 of 6716 Results