Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

All Critical Actively Exploited Remotely Exploitable
Last Updated Published CVSS Score
Score
Vulnerability
Published
5.5 MEDIUM
CVE-2026-28561 — wpForo Forum 2.4.14 Stored XSS via Unescaped Forum Description in Templates

wpForo Forum 2.4.14 contains a stored cross-site scripting vulnerability that allows administrators to inject persistent JavaScript via forum description fields echoed without output escaping across …

wpforo_forum | Remote | Cross-Site Scripting
Feb 28, 2026 Mar 05, 2026
Feb 28, 2026
Mar 05, 2026
5.5 MEDIUM
CVE-2026-28560 — wpForo Forum 2.4.14 Stored XSS via Unsafe JSON Encoding in Inline Script

wpForo Forum 2.4.14 contains a stored cross-site scripting vulnerability that allows script injection via forum URL data output into an inline script block using json_encode without the JSON_HEX_TAG …

wpforo_forum | Remote | Cross-Site Scripting
Feb 28, 2026 Mar 04, 2026
Feb 28, 2026
Mar 04, 2026
6.9 MEDIUM
CVE-2026-28559 — wpForo Forum 2.4.14 Information Disclosure via Global RSS Feed

wpForo Forum 2.4.14 contains an information disclosure vulnerability that allows unauthenticated users to retrieve private and unapproved forum topics via the global RSS feed endpoint. Attackers requ…

wpforo_forum | Remote | Information Disclosure
Feb 28, 2026 Mar 04, 2026
Feb 28, 2026
Mar 04, 2026
6.4 MEDIUM
CVE-2026-28558 — wpForo Forum 2.4.14 Stored XSS via SVG Avatar File Upload

wpForo Forum 2.4.14 contains a stored cross-site scripting vulnerability that allows authenticated subscribers to upload SVG files as profile avatars through the avatar upload functionality. Attacker…

wpforo_forum | Remote | Cross-Site Scripting
Feb 28, 2026 Mar 04, 2026
Feb 28, 2026
Mar 04, 2026
7.1 HIGH
CVE-2026-28557 — wpForo Forum 2.4.14 Privilege Escalation via Role Synchronization Handler

wpForo Forum 2.4.14 contains a missing capability check vulnerability that allows authenticated users to trigger bulk wpForo usergroup reassignment via the wpforo_synch_roles AJAX handler. Attackers …

wpforo_forum | Remote | Authorization
Feb 28, 2026 Mar 04, 2026
Feb 28, 2026
Mar 04, 2026
5.4 MEDIUM
CVE-2026-28556 — wpForo Forum 2.4.14 Missing Authorization via Topic Management Form Handlers

wpForo Forum 2.4.14 contains a missing authorization vulnerability that allows authenticated subscribers to move, merge, or split any forum topic via the topic_move, topic_merge, and topic_split form…

wpforo_forum | Remote | Authorization
Feb 28, 2026 Mar 04, 2026
Feb 28, 2026
Mar 04, 2026
5.3 MEDIUM
CVE-2026-28555 — wpForo Forum 2.4.14 Missing Authorization via Topic Close AJAX Handler

wpForo Forum 2.4.14 contains a missing authorization vulnerability that allows authenticated subscribers to close or reopen any forum topic via the wpforo_close_ajax handler. Attackers submit a valid…

wpforo_forum | Remote | Authorization
Feb 28, 2026 Mar 04, 2026
Feb 28, 2026
Mar 04, 2026
5.3 MEDIUM
CVE-2026-28554 — wpForo Forum 2.4.14 Missing Authorization via Post Approval AJAX Handler

wpForo Forum 2.4.14 contains a missing authorization vulnerability that allows authenticated subscribers to approve or unapprove any forum post via the wpforo_approve_ajax AJAX handler. Attackers exp…

wpforo_forum | Remote | Authorization
Feb 28, 2026 Mar 05, 2026
Feb 28, 2026
Mar 05, 2026
9.3 CRITICAL
CVE-2026-3010 — TimePictra Stored Cross-Site Scripting

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Microchip TimePictra allows Query System for Information.This issue affects TimePictra: fr…

Remote | Cross-Site Scripting
Feb 28, 2026 Mar 02, 2026
Feb 28, 2026
Mar 02, 2026
9.3 CRITICAL
CVE-2026-2844 — TimePictra Authentication Bypass Vulnerability

Missing Authentication for Critical Function vulnerability in Microchip TimePictra allows Configuration/Environment Manipulation.This issue affects TimePictra: from 11.0 through 11.3 SP2.

Remote | Authentication
Feb 28, 2026 Mar 02, 2026
Feb 28, 2026
Mar 02, 2026
7.5 HIGH
CVE-2025-13673 — Tutor LMS <= 3.9.6 - Unauthenticated SQL Injection via coupon_code

The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to SQL Injection via the 'coupon_code' parameter in all versions up to, and including, 3.9.6 due to insufficien…

tutor_lms | Remote | Injection
Feb 28, 2026 Mar 02, 2026
Feb 28, 2026
Mar 02, 2026
7.5 HIGH
CVE-2026-2471 — WP Mail Logging <= 1.15.0 - Unauthenticated PHP Object Injection via Email Log Message Fi…

The WP Mail Logging plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.15.0 via deserialization of untrusted input from the email log message field. Th…

wp_mail_logging | Remote | Injection
Feb 28, 2026 Mar 02, 2026
Feb 28, 2026
Mar 02, 2026
6.5 MEDIUM
CVE-2026-1542 — Super Stage WP <= 1.0.1 - Unauthenticated PHP Object Injection

The Super Stage WP WordPress plugin through 1.0.1 unserializes user input via REQUEST, which could allow unauthenticated users to perform PHP Object Injection when a suitable gadget is present on the…

Remote | Injection
Feb 28, 2026 Mar 02, 2026
Feb 28, 2026
Mar 02, 2026
9.3 CRITICAL
CVE-2026-28517 — openDCIM <= 23.04 OS Command Injection via dot Configuration Parameter

openDCIM version 23.04, through commit 4467e9c4, contains an OS command injection vulnerability in report_network_map.php. The application retrieves the 'dot' configuration parameter from the databas…

Remote | Injection
Feb 27, 2026 Mar 02, 2026
Feb 27, 2026
Mar 02, 2026
9.3 CRITICAL
CVE-2026-28516 — openDCIM <= 23.04 SQL Injection in Config::UpdateParameter

openDCIM version 23.04, through commit 4467e9c4, contains a SQL injection vulnerability in Config::UpdateParameter. The install.php and container-install.php handlers pass user-supplied input directl…

Remote | Injection
Feb 27, 2026 Mar 02, 2026
Feb 27, 2026
Mar 02, 2026
9.3 CRITICAL
CVE-2026-28515 — openDCIM <= 23.04 Missing Authorization in install.php

openDCIM version 23.04, through commit 4467e9c4, contains a missing authorization vulnerability in install.php and container-install.php. The installer and upgrade handler expose LDAP configuration f…

Remote | Authorization
Feb 27, 2026 Mar 02, 2026
Feb 27, 2026
Mar 02, 2026
8.7 HIGH
CVE-2026-28426 — Statamic vulnerable to privilege escalation via stored cross-site scripting

Statmatic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.11 and 6.4.0, stored XSS vulnerability in svg and icon related components allow authenticated users with…

statamic | Remote | Cross-Site Scripting
Feb 27, 2026 Mar 05, 2026
Feb 27, 2026
Mar 05, 2026
8.0 HIGH
CVE-2026-28425 — Statamic vulnerable to remote code execution via Antlers-enabled control panel inputs

Statmatic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.11 and 6.4.0, an authenticated control panel user with access to Antlers-enabled inputs may be able to a…

statamic | Remote | Injection
Feb 27, 2026 Mar 05, 2026
Feb 27, 2026
Mar 05, 2026
6.5 MEDIUM
CVE-2026-28424 — Statamic's missing authorization allows access to email addresses

Statmatic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.11 and 6.4.0, user email addresses were included in responses from the user fieldtype’s data endpoint fo…

statamic | Remote | Information Disclosure
Feb 27, 2026 Mar 05, 2026
Feb 27, 2026
Mar 05, 2026
8.6 HIGH
CVE-2026-28423 — Statamic Vulnerable to Server-Side Request Forgery via Glide

Statmatic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.11 and 6.4.0, when Glide image manipulation is used in insecure mode (which is not the default), the ima…

statamic | Remote | Server-Side Request Forgery
Feb 27, 2026 Mar 05, 2026
Feb 27, 2026
Mar 05, 2026
Showing 20 of 5067 Results