Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
0.0 NA
CVE-2026-21729 — Loki detected_fields query limits results in unbounded memory allocation

Loki queries with large limits can cause large memory allocations which can impact the availability of the service, depending on its deployment strategy.

loki | Denial of Service
Jul 16, 2026 Jul 16, 2026
Jul 16, 2026
Jul 16, 2026
0.0 NA
CVE-2026-15652 — Easy Accordion <= 3.1.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'a…

The Easy Accordion – AI-Powered FAQ & Accordion Blocks, Product FAQ plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'align' Block Attribute in all versions up to, and including,…

| Cross-Site Scripting
Jul 16, 2026 Jul 16, 2026
Jul 16, 2026
Jul 16, 2026
0.0 NA
CVE-2026-12941 — MultiVendorX <= 5.0.9 - Authenticated (Store Owner+) SQL Injection via 'order_by' Paramet…

The MultiVendorX – WooCommerce Multivendor Marketplace AI Powered Solutions plugin for WordPress is vulnerable to generic SQL Injection via the 'order_by' parameter in all versions up to, and includi…

| Injection
Jul 16, 2026 Jul 16, 2026
Jul 16, 2026
Jul 16, 2026
0.0 NA
CVE-2026-14987 — GiveWP <= 4.16.3 - Authenticated (Give Worker+) Stored Cross-Site Scripting via 'twitter_…

The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'twitter_message' Sequoia Template Setting in all versions up to, and inclu…

| Cross-Site Scripting
Jul 16, 2026 Jul 16, 2026
Jul 16, 2026
Jul 16, 2026
0.0 NA
CVE-2026-12409 — Landing Page Builder <= 1.5.3.6 - Cross-Site Request Forgery to ulpb_admin_data AJAX Acti…

The Landing Page Builder – Coming Soon page, Maintenance Mode, Lead Page, WordPress Landing Pages plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including…

| Cross-Site Request Forgery
Jul 16, 2026 Jul 16, 2026
Jul 16, 2026
Jul 16, 2026
0.0 NA
CVE-2026-12753 — Advance Product Search- Voice & Ajax Search for WooCommerce <= 1.4.4 - Unauthenticated SQ…

The Advance Product Search- Voice & Ajax Search for WooCommerce plugin for WordPress is vulnerable to generic SQL Injection via the 's' and 'match' parameter in all versions up to, and including, 1.4…

| Injection
Jul 16, 2026 Jul 16, 2026
Jul 16, 2026
Jul 16, 2026
0.0 NA
CVE-2026-12434 — List category posts <= 0.95.0 - Missing Authorization to Authenticated (Contributor+) Sen…

The List category posts plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 0.95.0 via the sanitize_status. This makes it possible for authentic…

| Information Disclosure
Jul 16, 2026 Jul 16, 2026
Jul 16, 2026
Jul 16, 2026
0.0 NA
CVE-2026-15336 — Catch Themes Demo Import <= 3.3 - Missing Authorization to Authenticated (Subscriber+) Si…

The Catch Themes Demo Import plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 3.3. This is due to the catch_themes_demo_import_activate_plugin() function,…

catch_themes_demo_import | Authorization
Jul 16, 2026 Jul 16, 2026
Jul 16, 2026
Jul 16, 2026
0.0 NA
CVE-2026-13005 — MxChat <= 3.2.10 - Authenticated (Admin+) Stored Cross-Site Scripting via 'intro_message'…

The MxChat – AI Chatbot & Content Generation for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.2.10 due to ins…

| Cross-Site Scripting
Jul 16, 2026 Jul 16, 2026
Jul 16, 2026
Jul 16, 2026
7.5 HIGH
CVE-2026-48863 — Libsolv: stack-based buffer overflow in libsolv eddsa pgp signature verification allows d…

A flaw was found in libsolv. A stack-based buffer overflow vulnerability exists in the PGP verification component due to incorrect length handling when copying EdDSA 's' MPI into a stack buffer. A re…

Jul 16, 2026 Jul 16, 2026
Jul 16, 2026
Jul 16, 2026
7.8 HIGH
CVE-2026-3842 — Qemu-kvm: hyperv/syndbg: missing mapped-length guard after cpu_physical_memory_map causes…

A flaw was found in QEMU. This vulnerability allows a local attacker within a guest virtual machine to write data beyond its allocated memory. This occurs when cpu_physical_memory_map() returns a sho…

Jul 16, 2026 Jul 16, 2026
Jul 16, 2026
Jul 16, 2026
7.5 HIGH
CVE-2026-23538 — Feast: resource exhaustion via websocket endpoint

A vulnerability was identified in the Feast Feature Server's `/ws/chat` endpoint that allows remote attackers to establish persistent WebSocket connections without any authentication. By opening a la…

openshift_ai | Remote | Authentication
Jul 16, 2026 Jul 16, 2026
Jul 16, 2026
Jul 16, 2026
8.1 HIGH
CVE-2026-1609 — Org.keycloak/keycloak-quarkus-server: keycloak: unauthorized access via jwt authorization…

A flaw was found in Keycloak. When the JSON Web Token (JWT) authorization grant preview feature is enabled and a user account is disabled, Keycloak fails to validate the user’s disabled status during…

jboss_enterprise_application_platform | Remote | Authentication
Jul 16, 2026 Jul 16, 2026
Jul 16, 2026
Jul 16, 2026
6.5 MEDIUM
CVE-2026-15909 — RafyMrX TOKO-ONLINE-ROTI add.php authorization

A vulnerability has been found in RafyMrX TOKO-ONLINE-ROTI up to ddfe1cd587be0a0b5135d8b6e85cce2ec3aece99. Affected is an unknown function of the file proses/add.php. The manipulation of the argument…

toko-online-roti | Remote | Authorization
Jul 16, 2026 Jul 16, 2026
Jul 16, 2026
Jul 16, 2026
7.5 HIGH
CVE-2026-15907 — H3C SecPath F1000-C8300 g=log_fw_nbc_mail_jsondata sql injection

A flaw has been found in H3C SecPath F1000-C8300 up to 20260522. This impacts an unknown function of the file /webui/?g=log_fw_nbc_mail_jsondata. Executing a manipulation of the argument subject can …

Remote | Injection
Jul 16, 2026 Jul 16, 2026
Jul 16, 2026
Jul 16, 2026
7.1 HIGH
CVE-2026-63175 — Cross-Capture Session Data Leakage Due to Shared Mutable State in Looklyloo - PlaywrightC…

PlaywrightCapture stored capture-specific configuration and runtime data as mutable class-level variables rather than instance-level variables. Consequently, multiple Capture objects running within t…

Remote | Information Disclosure
Jul 15, 2026 Jul 15, 2026
Jul 15, 2026
Jul 15, 2026
5.8 MEDIUM
CVE-2026-62314 — Anubis: Policy bypass via client controlled X-Original-URI header

Anubis is a Web AI Firewall Utility that challenges users' connections in order to protect upstream resources from scraper bots. From 1.22.0 until 1.26.0-pre1, lib/policy/checker.go PathChecker.Check…

Remote | Path Traversal
Jul 15, 2026 Jul 15, 2026
Jul 15, 2026
Jul 15, 2026
9.8 CRITICAL
CVE-2026-55652 — Wekan: Header-login IP allowlist bypass via X-Forwarded-For spoofing in Wekan allows unau…

Wekan is open source kanban built with Meteor. Prior to 9.46, header-login with HEADER_LOGIN_TRUSTED_IPS uses getRequestIp() in server/lib/headerLoginAuth.js to trust the client-supplied X-Forwarded-…

Remote | Authentication
Jul 15, 2026 Jul 15, 2026
Jul 15, 2026
Jul 15, 2026
8.8 HIGH
CVE-2026-55576 — MaaAssistantArknights: PR-title expression injection in release-preparation.yml

MaaAssistantArknights is a one-click tool for daily Arknights tasks. In the current dev-v2 workflow, .github/workflows/release-preparation.yml inlined attacker-controlled github.event.pull_request.ti…

Remote | Injection
Jul 15, 2026 Jul 15, 2026
Jul 15, 2026
Jul 15, 2026
9.3 CRITICAL
CVE-2026-55445 — Qinglong: Incomplete fix for CVE-2026-3965: Improper Authentication

Qinglong is a timed task management platform supporting Python3, JavaScript, Shell, and Typescript. Prior to 2.20.1, the init guard middleware in back/loaders/express.ts checks /api/user/init but not…

Remote | Authentication
Jul 15, 2026 Jul 15, 2026
Jul 15, 2026
Jul 15, 2026
Showing 20 of 8258 Results