Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
6.5 MEDIUM
CVE-2026-56460 — HCL DevOps Deploy / HCL Launch is susceptible to an Insertion of Sensitive Information In…

HCL DevOps Deploy / HCL Launch could disclose sensitive configurations and secrets to authenticated users in API responses that could be used in further attacks against the system.

Remote | Information Disclosure
Jul 09, 2026 Jul 09, 2026
Jul 09, 2026
Jul 09, 2026
9.3 CRITICAL
CVE-2026-2342 — XSS in Oceanicsoft's ValeApp

Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in OceanicSoft Informatics Systems Ltd. ValeApp allows Stored XSS. This issue affects ValeApp: thro…

Remote
Jul 09, 2026 Jul 09, 2026
Jul 09, 2026
Jul 09, 2026
7.5 HIGH
CVE-2026-1989 — IDOR in PAVO Inc.'s PAVO Pay

Authorization bypass through User-Controlled key vulnerability in PAVO Financial Technology Solutions Inc. PAVO Pay allows Exploitation of Trusted Identifiers. This issue affects PAVO Pay: through 0…

Remote | Authorization
Jul 09, 2026 Jul 09, 2026
Jul 09, 2026
Jul 09, 2026
5.4 MEDIUM
CVE-2026-56458 — HCL DevOps Deploy is susceptible to a Permissive Cross-domain Security Policy with Untrus…

HCL DevOps Deploy uses Cross-Origin Resource Sharing (CORS) which could allow an attacker to carry out privileged actions and retrieve sensitive information as the domain name is not being limited to…

Remote | Misconfiguration
Jul 09, 2026 Jul 09, 2026
Jul 09, 2026
Jul 09, 2026
6.5 MEDIUM
CVE-2026-1365 — Information Disclosure in Sayax's OSOS

Insertion of sensitive information into sent data vulnerability in Sayax Energy Technologies Inc. OSOS allows Authentication Bypass. This issue affects OSOS: through 09072026. NOTE: The vendor was c…

Remote | Authentication
Jul 09, 2026 Jul 09, 2026
Jul 09, 2026
Jul 09, 2026
0.0 NA
CVE-2026-12433 — Hydra Booking <= 1.2.1 - Authenticated (Custom+) Insecure Direct Object Reference to Sens…

The Hydra Booking – Appointment Scheduling & Booking Calendar plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 1.2.1 via the /wp-json/hydra-boo…

| Authorization
Jul 09, 2026 Jul 09, 2026
Jul 09, 2026
Jul 09, 2026
0.0 NA
CVE-2026-15158 — Blocksy Companion <= 2.1.46 - Unauthenticated Arbitrary File Upload via 'blc-review-image…

The Blocksy Companion plugin for WordPress is vulnerable to Arbitrary File Upload in all versions up to, and including, 2.1.46 via the save_attachments function. This is due to the Custom Fonts exten…

| Authentication
Jul 09, 2026 Jul 09, 2026
Jul 09, 2026
Jul 09, 2026
9.8 CRITICAL
CVE-2026-5955 — SQLi in Inrove Software's BiEticaret

Improper neutralization of special elements used in an SQL command ('SQL injection') vulnerability in Inrove Software and Internet Services BiEticaret allows SQL Injection. This issue affects BiEtic…

Remote | Injection
Jul 09, 2026 Jul 09, 2026
Jul 09, 2026
Jul 09, 2026
6.2 MEDIUM
CVE-2026-56459 — HCL DevOps Deploy / HCL Launch is susceptible to sensitive information disclosure

HCL DevOps Deploy / HCL Launch is susceptible to sensitive information disclosure.  The application stores potentially sensitive information in log files that could be read by a local user.

| Information Disclosure
Jul 09, 2026 Jul 09, 2026
Jul 09, 2026
Jul 09, 2026
6.1 MEDIUM
CVE-2026-5793 — XSS in Inrove Software's BiEticaret

Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Inrove Software and Internet Services BiEticaret allows Reflected XSS. This issue affects BiEtic…

Remote | Cross-Site Scripting
Jul 09, 2026 Jul 09, 2026
Jul 09, 2026
Jul 09, 2026
6.5 MEDIUM
CVE-2026-8996 — Backup and Staging by WP Time Capsule <= 1.22.26 - Missing Authorization to Authenticated…

The Backup and Staging by WP Time Capsule plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.22.26 via the download_recent_decrypted_file_wpt…

backup_and_staging_by_wp_time_capsule | Remote | Information Disclosure
Jul 09, 2026 Jul 09, 2026
Jul 09, 2026
Jul 09, 2026
7.2 HIGH
CVE-2026-8848 — Popup Maker – Boost Sales, Conversions, Optins, Subscribers with the Ultimate WP Popup Bu…

The Popup Maker – Boost Sales, Conversions, Optins, Subscribers with the Ultimate WP Popup Builder plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.2…

Remote | Authorization
Jul 09, 2026 Jul 09, 2026
Jul 09, 2026
Jul 09, 2026
5.3 MEDIUM
CVE-2026-7558 — Age Verification & Identity Verification by Token of Trust <= 4.0.2 - Missing Authorizati…

The Age Verification & Identity Verification by Token of Trust plugin for WordPress is vulnerable to unauthorized access in all versions up to and including 4.0.2. This is due to the handle_export_ta…

Remote | Information Disclosure
Jul 09, 2026 Jul 09, 2026
Jul 09, 2026
Jul 09, 2026
6.4 MEDIUM
CVE-2026-6910 — Bookero.pl <= 2.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcod…

The Bookero.pl – system rezerwacji online plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `bookero_products` shortcode's `hide_products` (and `filter_products`) attributes i…

Remote | Cross-Site Scripting
Jul 09, 2026 Jul 09, 2026
Jul 09, 2026
Jul 09, 2026
3.8 LOW
CVE-2026-59269 — Privilege Escalation via Active Directory LDAP injection in Pinniped Supervisor can be ex…

A user authenticating to Kubernetes clusters via the Pinniped Supervisor could potentially gain elevated permissions in the clusters, only if all the following conditions were true: the Pinniped Supe…

pinniped | Remote | Authorization
Jul 09, 2026 Jul 09, 2026
Jul 09, 2026
Jul 09, 2026
0.0 NA
CVE-2026-57111 — Apache Helix REST: Permissive CORS Configuration in REST API Allows Unrestricted Cross-Or…

Permissive Cross-Origin Resource Sharing (CORS) in the REST API (helix-rest, org.apache.helix.rest.server.filters.CORSFilter) in Apache Helix through 2.0.0 on all platforms allows a remote attacker c…

| Misconfiguration
Jul 09, 2026 Jul 09, 2026
Jul 09, 2026
Jul 09, 2026
6.4 MEDIUM
CVE-2026-4653 — Block, Suspend, Report for BuddyPress <= 3.6.4 - Authenticated (Subscriber+) Stored Cross…

The Block, Suspend, Report for BuddyPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'link' parameter in versions up to and including 3.6.4. This is due to insufficient…

Remote | Cross-Site Scripting
Jul 09, 2026 Jul 09, 2026
Jul 09, 2026
Jul 09, 2026
8.1 HIGH
CVE-2026-33390 — Incorrect privilege assignment for Arc sensors in Guardian/CMC before 26.2.0

An Incorrect Privilege Assignment vulnerability was discovered in the synchronization functionality due to Arc sensors receiving CLI permissions. An authenticated user with limited privileges can pus…

cmc guardian cmc guardian | Remote | Authorization
Jul 09, 2026 Jul 09, 2026
Jul 09, 2026
Jul 09, 2026
8.3 HIGH
CVE-2026-31985 — Disabled and non-configurable TLS certificate validation in n2os-tui when connecting the …

When the upstream Guardian or CMC was configured in the Remote Collector via n2os-tui, the generated configuration disabled TLS certificate verification, and no option was provided to enable it. A ma…

Remote | Misconfiguration
Jul 09, 2026 Jul 09, 2026
Jul 09, 2026
Jul 09, 2026
8.7 HIGH
CVE-2026-31984 — DoS through oversized audit log entries in Guardian/CMC before 26.2.0

A denial-of-service vulnerability caused by unbounded resource allocation was discovered in the audit logging functionality, due to a missing size limit on input recorded into audit entries. An unaut…

cmc guardian cmc guardian | Remote | Denial of Service
Jul 09, 2026 Jul 09, 2026
Jul 09, 2026
Jul 09, 2026
Showing 20 of 7703 Results