Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

All Critical Actively Exploited Remotely Exploitable
Last Updated Published CVSS Score
Score
Vulnerability
Published
7.7 HIGH
CVE-2026-30824 — Flowise: Missing Authentication on NVIDIA NIM Endpoints

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.0.13, the NVIDIA NIM router (/api/v1/nvidia-nim/*) is whitelisted in the global authenticat…

flowise | Remote | Authentication
Mar 07, 2026 Mar 07, 2026
Mar 07, 2026
Mar 07, 2026
8.8 HIGH
CVE-2026-30823 — Flowise: IDOR leading to Account Takeover and Enterprise Feature Bypass via SSO Configura…

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.0.13, there is an IDOR vulnerability, leading to account takeover and enterprise feature by…

flowise | Remote | Authorization
Mar 07, 2026 Mar 07, 2026
Mar 07, 2026
Mar 07, 2026
5.3 MEDIUM
CVE-2026-27797 — Homarr: Unauthenticated SSRF in rssFeed.ts

Homarr is an open-source dashboard. Prior to version 1.54.0, an unauthenticated Server-Side Request Forgery (SSRF) vulnerability allows a remote attacker to force the Homarr server to perform arbitra…

homarr | Remote | Server-Side Request Forgery
Mar 07, 2026 Mar 07, 2026
Mar 07, 2026
Mar 07, 2026
5.3 MEDIUM
CVE-2026-27796 — Homarr: Unauthenticated Information Disclosure (Integration Metadata Leak)

Homarr is an open-source dashboard. Prior to version 1.54.0, the integration.all tRPC endpoint in Homarr is exposed as a publicProcedure, allowing unauthenticated users to retrieve a complete list of…

homarr | Remote | Information Disclosure
Mar 07, 2026 Mar 07, 2026
Mar 07, 2026
Mar 07, 2026
8.8 HIGH
CVE-2025-8899 — Paid Videochat Turnkey Site – HTML5 PPV Live Webcams <= 7.3.20 - Authenticated (Author+) …

The Paid Videochat Turnkey Site – HTML5 PPV Live Webcams plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 7.3.20. This is due to videowhisper_register_…

Remote | Authorization
Mar 07, 2026 Mar 07, 2026
Mar 07, 2026
Mar 07, 2026
7.7 HIGH
CVE-2026-30822 — Flowise: Mass Assignment in `/api/v1/leads` Endpoint

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.0.13, unauthenticated users can inject arbitrary values into internal database fields when …

flowise | Remote | Injection
Mar 07, 2026 Mar 07, 2026
Mar 07, 2026
Mar 07, 2026
8.2 HIGH
CVE-2026-30821 — Flowise: Arbitrary File Upload via MIME Spoofing

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.0.13, the /api/v1/attachments/:chatflowId/:chatId endpoint is listed in WHITELIST_URLS, all…

flowise | Remote | Authentication
Mar 07, 2026 Mar 07, 2026
Mar 07, 2026
Mar 07, 2026
8.7 HIGH
CVE-2026-30820 — Flowise Authorization Bypass via Spoofed x-request-from Header

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.0.13, Flowise trusts any HTTP client that sets the header x-request-from: internal, allowin…

flowise | Remote | Authentication
Mar 07, 2026 Mar 07, 2026
Mar 07, 2026
Mar 07, 2026
5.9 MEDIUM
CVE-2026-30247 — WeKnora: SSRF via Redirection

WeKnora is an LLM-powered framework designed for deep document understanding and semantic retrieval. Prior to version 0.2.12, the application's "Import document via URL" feature is vulnerable to Serv…

weknora | Remote | Server-Side Request Forgery
Mar 07, 2026 Mar 07, 2026
Mar 07, 2026
Mar 07, 2026
7.2 HIGH
CVE-2026-3352 — Easy PHP Settings <= 1.0.4 - Authenticated (Administrator+) PHP Code Injection via 'wp_me…

The Easy PHP Settings plugin for WordPress is vulnerable to PHP Code Injection in all versions up to, and including, 1.0.4 via the `update_wp_memory_constants()` method. This is due to insufficient i…

Remote | Injection
Mar 07, 2026 Mar 07, 2026
Mar 07, 2026
Mar 07, 2026
4.8 MEDIUM
CVE-2026-2722 — Stock Ticker <= 3.26.1 - Authenticated (Administrator+) Stored Cross-Site Scripting via T…

The Stock Ticker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.26.1 due to insufficient input sanitization and output es…

stock_ticker | Remote | Cross-Site Scripting
Mar 07, 2026 Mar 07, 2026
Mar 07, 2026
Mar 07, 2026
4.8 MEDIUM
CVE-2026-2721 — MailArchiver <= 4.4.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via Se…

The MailArchiver plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 4.4.0 due to insufficient input sanitization and output esc…

mailarchiver | Remote | Cross-Site Scripting
Mar 07, 2026 Mar 07, 2026
Mar 07, 2026
Mar 07, 2026
4.3 MEDIUM
CVE-2026-2494 — ProfileGrid <= 5.9.8.2 - Cross-Site Request Forgery to Group Membership Request Approval/…

The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.9.8.2. This is due to missing nonce va…

profilegrid | Remote | Cross-Site Request Forgery
Mar 07, 2026 Mar 07, 2026
Mar 07, 2026
Mar 07, 2026
4.3 MEDIUM
CVE-2026-2488 — ProfileGrid <= 5.9.8.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary M…

The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to unauthorized message deletion due to a missing capability check on the pg_delete_msg() function in all ve…

profilegrid | Remote | Authorization
Mar 07, 2026 Mar 07, 2026
Mar 07, 2026
Mar 07, 2026
6.1 MEDIUM
CVE-2026-2431 — CM Custom Reports <= 1.2.7 - Reflected Cross-Site Scripting via 'date_from' and 'date_to'…

The CM Custom Reports plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'date_from' and 'date_to' parameters in all versions up to, and including, 1.2.7 due to insufficient…

Remote | Cross-Site Scripting
Mar 07, 2026 Mar 07, 2026
Mar 07, 2026
Mar 07, 2026
4.9 MEDIUM
CVE-2026-2429 — Community Events <= 1.5.8 - Authenticated (Administrator+) SQL Injection via 'ce_venue_na…

The Community Events plugin for WordPress is vulnerable to SQL Injection via the 'ce_venue_name' CSV field in the `on_save_changes_venues` function in all versions up to, and including, 1.5.8. This i…

Remote | Injection
Mar 07, 2026 Mar 07, 2026
Mar 07, 2026
Mar 07, 2026
7.5 HIGH
CVE-2026-2020 — JS Archive List <= 6.1.7 - Authenticated (Contributor+) PHP Object Injection via 'include…

The JS Archive List plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 6.1.7 via the 'included' shortcode attribute. This is due to the deserialization o…

Remote | Injection
Mar 07, 2026 Mar 07, 2026
Mar 07, 2026
Mar 07, 2026
6.4 MEDIUM
CVE-2026-1902 — Hammas Calendar <= 1.5.11 - Authenticated (Contributor+) Stored Cross-Site Scripting via …

The Hammas Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'apix' parameter in the 'hp-calendar-manage-redirect' shortcode in all versions up to, and including, 1.5…

Remote | Cross-Site Scripting
Mar 07, 2026 Mar 07, 2026
Mar 07, 2026
Mar 07, 2026
5.3 MEDIUM
CVE-2026-1650 — MDJM Event Management <= 1.7.8.1 - Missing Authorization to Unauthenticated Arbitrary Cus…

The MDJM Event Management plugin for WordPress is vulnerable to unauthorized data modification due to a missing capability check on the 'custom_fields_controller' function in all versions up to, and …

Remote | Authorization
Mar 07, 2026 Mar 07, 2026
Mar 07, 2026
Mar 07, 2026
7.5 HIGH
CVE-2025-14353 — ZIP Code Based Content Protection <= 1.0.2 - Unauthenticated SQL Injection via 'zipcode' …

The ZIP Code Based Content Protection plugin for WordPress is vulnerable to SQL Injection in all versions up to, and including, 1.0.2 via the 'zipcode' parameter. This is due to insufficient escaping…

Remote | Injection
Mar 07, 2026 Mar 07, 2026
Mar 07, 2026
Mar 07, 2026
Showing 20 of 5092 Results