Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
4.9 MEDIUM
CVE-2026-14342 — Mail Mint <= 1.24.2 - Authenticated (Administrator+) SQL Injection via 'contact_ids' Para…

The Mail Mint – Email Marketing, Newsletter, Email Automation & WooCommerce Emails plugin for WordPress is vulnerable to time-based SQL Injection via the 'contact_ids' parameter in all versions up to…

Remote | Injection
Jul 09, 2026 Jul 09, 2026
Jul 09, 2026
Jul 09, 2026
9.8 CRITICAL
CVE-2026-14245 — miniOrange OTP Login, Verification and SMS Notifications <= 5.5.1 - Authentication Bypass…

The miniOrange OTP Login, Verification and SMS Notifications plugin for WordPress is vulnerable to Authentication Bypass leading to Administrator Account Takeover in all versions up to, and including…

Remote | Authentication
Jul 09, 2026 Jul 09, 2026
Jul 09, 2026
Jul 09, 2026
6.4 MEDIUM
CVE-2026-13771 — Customer Reviews for WooCommerce <= 5.113.0 - Authenticated (Contributor+) Stored Cross-S…

The Customer Reviews for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'color' Shortcode Attribute in all versions up to, and including, 5.113.0 due to insufficien…

Remote | Cross-Site Scripting
Jul 09, 2026 Jul 09, 2026
Jul 09, 2026
Jul 09, 2026
5.3 MEDIUM
CVE-2026-13450 — GamiPress <= 7.9.4 - Insecure Direct Object Reference to Unauthenticated Sensitive Inform…

The GamiPress – Gamification plugin to reward points, achievements, badges & ranks in WordPress plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and inclu…

Remote | Authorization
Jul 09, 2026 Jul 09, 2026
Jul 09, 2026
Jul 09, 2026
6.1 MEDIUM
CVE-2026-13334 — Mang Board WP <= 2.3.4 - Reflected Cross-Site Scripting via 'stag' Parameter

The Mang Board WP plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'stag' parameter in all versions up to, and including, 2.3.4 due to insufficient input sanitization and …

Remote | Cross-Site Scripting
Jul 09, 2026 Jul 09, 2026
Jul 09, 2026
Jul 09, 2026
6.4 MEDIUM
CVE-2026-13253 — Post Grid Gutenberg Blocks for News, Magazines, Blog Websites <= 5.0.31 - Authenticated (…

The Ultimate Post plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'moreResultsText' block attribute of the ultimate-post/advanced-search block in versions up to and includin…

Remote | Cross-Site Scripting
Jul 09, 2026 Jul 09, 2026
Jul 09, 2026
Jul 09, 2026
6.6 MEDIUM
CVE-2026-13080 — WPFunnels <= 3.12.7 - Authenticated (Administrator+) Local File Inclusion via 'logKey' Pa…

The WPFunnels – Funnel Builder for WooCommerce with Checkout & One Click Upsell plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.12.7 via the 'logKey…

Remote | Path Traversal
Jul 09, 2026 Jul 09, 2026
Jul 09, 2026
Jul 09, 2026
6.5 MEDIUM
CVE-2026-13011 — ERP: Complete HR, Accounting & CRM Suite with Recruitment and WooCommerce CRM Support <= …

The ERP: Complete HR, Accounting & CRM Suite with Recruitment and WooCommerce CRM Support plugin for WordPress is vulnerable to generic SQL Injection via the 'orderby' parameter in all versions up to…

Remote | Injection
Jul 09, 2026 Jul 09, 2026
Jul 09, 2026
Jul 09, 2026
5.3 MEDIUM
CVE-2026-12418 — User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Re…

The User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, a…

Remote | Authorization
Jul 09, 2026 Jul 09, 2026
Jul 09, 2026
Jul 09, 2026
5.3 MEDIUM
CVE-2026-12406 — User Frontend <= 4.3.7 - Missing Authorization to Unauthenticated Arbitrary Attachment De…

The User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including…

Remote | Authorization
Jul 09, 2026 Jul 09, 2026
Jul 09, 2026
Jul 09, 2026
6.4 MEDIUM
CVE-2026-12170 — AcyMailing <= 10.10.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'ali…

The AcyMailing – An Ultimate Newsletter Plugin and Marketing Automation Solution for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'alignment' attribute in all v…

Remote | Cross-Site Scripting
Jul 09, 2026 Jul 09, 2026
Jul 09, 2026
Jul 09, 2026
4.3 MEDIUM
CVE-2026-11359 — Memberships and User Profiles for WooCommerce <= 3.4 - Missing Authorization to Authentic…

The Memberships and User Profiles for WooCommerce – ProfileGrid WooCommerce Integration plugin for WordPress is vulnerable to unauthorized plugin installation and activation in versions up to, and in…

Remote | Authorization
Jul 09, 2026 Jul 09, 2026
Jul 09, 2026
Jul 09, 2026
9.3 CRITICAL
CVE-2026-47840 — LDAP StartTLS unconditionally disables hostname verification

A network attacker positioned between UAA and its LDAP directory can impersonate the directory using any certificate from any trusted CA, then harvest the LDAP bind password and every end-user passwo…

cf-deployment | Remote | Authentication
Jul 09, 2026 Jul 09, 2026
Jul 09, 2026
Jul 09, 2026
7.7 HIGH
CVE-2026-47831 — Cryptographically Weak Password Generation in bosh-windows-stemcell-builder Allows Remote…

Use of a cryptographically weak random number generator in the GenerateRandomPassword function in bosh-windows-stemcell-builder allows a remote attacker to brute-force the resulting SSH login via TCP…

| Cryptography
Jul 09, 2026 Jul 09, 2026
Jul 09, 2026
Jul 09, 2026
8.8 HIGH
CVE-2026-47830 — Incorrect Permission Assignment Allows Local Privilege Escalation to SYSTEM via Executabl…

Incorrect Permission Assignment in BOSH.Utils.psm1 in BOSH-Ecosystem bosh-windows-stemcell-builder allows low-privilege authenticated users to overwrite C:\bosh\service_wrapper.exe or C:\bosh\bosh-ag…

| Authorization
Jul 09, 2026 Jul 09, 2026
Jul 09, 2026
Jul 09, 2026
8.3 HIGH
CVE-2026-47829 — Argument Injection in BOSH CLI Allows Local Command Execution on Operator Workstations vi…

Argument Injection in bosh-cli allows a compromised BOSH Director to inject arbitrary OpenSSH options into the locally-spawned ssh process when an operator runs bosh ssh -c, bosh logs -f, or other no…

Remote | Injection
Jul 09, 2026 Jul 09, 2026
Jul 09, 2026
Jul 09, 2026
8.9 HIGH
CVE-2026-47828 — Missing TLS Certificate Verification in BOSH CLI Allows Root Code Execution via Man-in-th…

During bosh create-env and bosh delete-env, the CLI uploads compiled CPI packages and rendered job templates to the new VM's DAV blobstore over HTTPS without verifying the server certificate, even th…

| Misconfiguration
Jul 09, 2026 Jul 09, 2026
Jul 09, 2026
Jul 09, 2026
8.8 HIGH
CVE-2026-47826 — blobs.yaml Path Traversal Allows File Writes

The blobs.yml path key traversal vulnerability in the BOSH CLI tool allows an attacker to write arbitrary files and exfiltrate sensitive information. Affected versions: BOSH CLI tool versions prior t…

Remote | Path Traversal
Jul 09, 2026 Jul 09, 2026
Jul 09, 2026
Jul 09, 2026
0.0 NA
CVE-2026-12517 — Fediverse Embeds < 1.5.8 - Unauthenticated SSRF via Site Info Endpoint

The Fediverse Embeds WordPress plugin before 1.5.8 does not validate the destination of the server-side request performed by an unauthenticated site-info endpoint before fetching it, allowing anonymo…

| Server-Side Request Forgery
Jul 09, 2026 Jul 09, 2026
Jul 09, 2026
Jul 09, 2026
0.0 NA
CVE-2026-12516 — Fediverse Embeds < 1.5.8 - Unauthenticated SSRF via Media Proxy

The Fediverse Embeds WordPress plugin before 1.5.8 does not validate the destination of the server-side request performed by an unauthenticated media-proxying endpoint, allowing anonymous users to ma…

| Server-Side Request Forgery
Jul 09, 2026 Jul 09, 2026
Jul 09, 2026
Jul 09, 2026
Showing 20 of 7690 Results