Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
5.3 MEDIUM
CVE-2026-12097 — User Management <= 1.2 - Missing Authorization to Unauthenticated Plugin Settings Modific…

The User Management plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.2. This is due to the plugin not properly verifying that a user is authorized to…

Remote | Authorization
Jul 08, 2026 Jul 08, 2026
Jul 08, 2026
Jul 08, 2026
4.4 MEDIUM
CVE-2026-12041 — Chatra Live Chat + ChatBot + Cart Saver <= 1.0.12 - Authenticated (Administrator+) Stored…

The Chatra Live Chat + ChatBot + Cart Saver plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0.12 due to insufficient input…

Remote | Cross-Site Scripting
Jul 08, 2026 Jul 08, 2026
Jul 08, 2026
Jul 08, 2026
6.1 MEDIUM
CVE-2026-11798 — Social Share, Social Login and Social Comments Plugin <= 7.14.5 - Reflected Cross-Site Sc…

The Social Share, Social Login and Social Comments Plugin – Super Socializer plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'heateor_mastodon_share' parameter in all ver…

Remote | Cross-Site Scripting
Jul 08, 2026 Jul 08, 2026
Jul 08, 2026
Jul 08, 2026
6.4 MEDIUM
CVE-2026-10570 — Sympl Repeater for ACF and Elementor <= 2.3 - Authenticated (Author+) Stored Cross-Site S…

The Sympl Repeater for ACF and Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via ACF repeater field values in all versions up to, and including, 2.3. This is due to insu…

Remote | Cross-Site Scripting
Jul 08, 2026 Jul 08, 2026
Jul 08, 2026
Jul 08, 2026
7.5 HIGH
CVE-2026-9842 — Backstage <= 1.4.2 - Unauthenticated Privilege Escalation via Permissive Demo Role Capabi…

The Backstage - Customizer Demo Access plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.4.2. This is due to the plugin assigning the `manage_options`…

Remote | Authorization
Jul 08, 2026 Jul 08, 2026
Jul 08, 2026
Jul 08, 2026
9.8 CRITICAL
CVE-2026-9701 — Eventer <= 4.4.2 - Insecure Password Reset Mechanism to Unauthenticated Privilege Escalat…

The Eventer plugin for WordPress is vulnerable to an insecure password reset mechanism in all versions up to, and including, 4.4.2. The plugin stores a plaintext copy of the password reset key in the…

Remote | Authentication
Jul 08, 2026 Jul 08, 2026
Jul 08, 2026
Jul 08, 2026
9.1 CRITICAL
CVE-2026-14487 — Simple Coherent Form <= 2.4.13 - Unauthenticated Arbitrary File Deletion via 'id' Paramet…

The Simple Coherent Form plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the removeUploadDir function in all versions up to, and including, 2…

Remote | Path Traversal
Jul 08, 2026 Jul 08, 2026
Jul 08, 2026
Jul 08, 2026
8.8 HIGH
CVE-2026-14482 — 多说社会化评论框 <= 1.2 - Unauthenticated Privilege Escalation via api.php 'option'/'value' Param…

The 多说社会化评论框 plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.2. The vulnerability exists due to a missing capability and nonce check on a directly w…

Remote | Authorization
Jul 08, 2026 Jul 08, 2026
Jul 08, 2026
Jul 08, 2026
7.5 HIGH
CVE-2026-14244 — Jssor Slider by jssor.com <= 3.1.24 - Unauthenticated Arbitrary File Read via 'url' Param…

The Jssor Slider by jssor.com plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 3.1.24 via the 'url' parameter parameter. This makes it possible for unau…

Remote | Path Traversal
Jul 08, 2026 Jul 08, 2026
Jul 08, 2026
Jul 08, 2026
8.8 HIGH
CVE-2026-14158 — Widget Logic Visual <= 1.52 - Authenticated (Subscriber+) Remote Code Execution via 'nwlv…

The Widget Logic Visual plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.52 via the widget_logic_visual_check_visibility function. This is due to mi…

Remote | Injection
Jul 08, 2026 Jul 08, 2026
Jul 08, 2026
Jul 08, 2026
7.7 HIGH
CVE-2026-60002 — OpenSSH Client Use-After-Free Vulnerability

ssh in OpenSSH before 10.4 can have a use-after-free when a server changes its host key during a key re-exchange. (This outcome occurs only on the client side.)

openssh | Remote | Memory Corruption
Jul 08, 2026 Jul 08, 2026
Jul 08, 2026
Jul 08, 2026
6.5 MEDIUM
CVE-2026-60001 — OpenSSH Authentication Delay Bypass

sshd in OpenSSH before 10.4 does not always honor the minimum authentication delay.

openssh | Remote | Authentication
Jul 08, 2026 Jul 08, 2026
Jul 08, 2026
Jul 08, 2026
3.7 LOW
CVE-2026-60000 — OpenSSH GSSAPIAuthentication Denial of Service

sshd in OpenSSH before 10.4 allows remote attackers to cause a denial of service (resource consumption from excessive authentication attempts) because MaxAuthTries was mishandled for GSSAPIAuthentica…

openssh | Remote | Authentication
Jul 08, 2026 Jul 08, 2026
Jul 08, 2026
Jul 08, 2026
5.9 MEDIUM
CVE-2026-59999 — OpenSSH sshd Security Policy Bypass

In sshd in OpenSSH before 10.4, DisableForwarding=yes was supposed to take precedence over PermitTunnel=yes, but did not.

openssh | Remote | Misconfiguration
Jul 08, 2026 Jul 08, 2026
Jul 08, 2026
Jul 08, 2026
4.8 MEDIUM
CVE-2026-59998 — OpenSSH GSSAPI Authentication Security Bypass

sshd in OpenSSH before 10.4 has an undocumented security-relevant behavior: GSSAPIStrictAcceptorCheck has no value if the server is in Windows Active Directory.

openssh | Remote | Misconfiguration
Jul 08, 2026 Jul 08, 2026
Jul 08, 2026
Jul 08, 2026
4.2 MEDIUM
CVE-2026-59997 — OpenSSH internal-sftp Argument Parsing Vulnerability

internal-sftp in sshd in OpenSSH before 10.4 recognizes only the first 9 command-line arguments, which can be important if a later command-line argument would have helped to ensure the intended secur…

openssh | Remote | Misconfiguration
Jul 08, 2026 Jul 08, 2026
Jul 08, 2026
Jul 08, 2026
4.2 MEDIUM
CVE-2026-59996 — OpenSSH SCP Directory Traversal Vulnerability

scp in OpenSSH before 10.4 may place a file in the parent directory of an intended directory when the copy occurs between two remote destinations.

openssh | Remote | Path Traversal
Jul 08, 2026 Jul 08, 2026
Jul 08, 2026
Jul 08, 2026
4.2 MEDIUM
CVE-2026-59995 — OpenSSH SFTP Path Traversal Vulnerability

sftp in OpenSSH before 10.4 does not properly constrain the location of downloaded files when "sftp server:/path ." is used with an attacker-controlled server.

openssh | Remote | Path Traversal
Jul 08, 2026 Jul 08, 2026
Jul 08, 2026
Jul 08, 2026
9.9 CRITICAL
CVE-2026-56843 — WebPros Plesk XML-RPC API Incorrect Authorization Vulnerability

Incorrect authorization in the XML-RPC API of WebPros Plesk before 18.0.78.4 allows a low-privileged authenticated customer to look up domains they do not own, because ownership is enforced only for …

Remote | Authorization
Jul 08, 2026 Jul 08, 2026
Jul 08, 2026
Jul 08, 2026
5.8 MEDIUM
CVE-2026-55438 — Coder's workspace app CORS origin check can be bypassed via UUID-based subdomain spoofing

Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.17, 2.32.7, 2.33.8, and 2.34.2, Coder's subdomain-based workspace app proxy allowed the s…

coder | Remote | Authorization
Jul 08, 2026 Jul 08, 2026
Jul 08, 2026
Jul 08, 2026
Showing 20 of 7711 Results