Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score | Vulnerability | Published
9.0 CRITICAL
CVE-2026-40487 — Postiz Has Unrestricted File Upload via MIME Type Spoofing that Leads to Stored XSS

Postiz is an AI social media scheduling tool. Prior to version 2.21.6, a file upload validation bypass allows any authenticated user to upload arbitrary HTML, SVG, or other executable file types to t…

postiz | Remote | Cross-Site Scripting
Apr 18, 2026 Apr 23, 2026
8.8 HIGH
CVE-2026-35582 — Emissary has an OS Command Injection via Unvalidated IN_FILE_ENDING / OUT_FILE_ENDING in …

Emissary is a P2P based data-driven workflow engine. In versions 8.42.0 and below, Executrix.getCommand() is vulnerable to OS command injection because it interpolates temporary file paths into a /b…

emissary | Injection
Apr 18, 2026 Apr 24, 2026
6.1 MEDIUM
CVE-2026-1838 — Hostel <= 1.1.6 - Reflected Cross-Site Scripting via 'shortcode_id' Parameter

The Hostel plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'shortcode_id' parameter in all versions up to, and including, 1.1.6 due to insufficient input sanitization and…

hostel | Remote | Cross-Site Scripting
Apr 18, 2026 Apr 22, 2026
6.4 MEDIUM
CVE-2026-1559 — Youzify <= 1.3.6 - Authenticated (Subscriber+) Stored Cross-Site Scripting via 'checkin_p…

The Youzify plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'checkin_place_id' parameter in all versions up to, and including, 1.3.6 due to insufficient input sanitization a…

youzify | Remote | Cross-Site Scripting
Apr 18, 2026 Apr 22, 2026
Showing 20 of 6144 Results