Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

All Critical Actively Exploited Remotely Exploitable
Last Updated Published CVSS Score
Score
Vulnerability
Published
7.8 HIGH
CVE-2025-33241 — NVIDIA NeMo Framework Remote Code Execution Vulnerability

NVIDIA NeMo Framework contains a vulnerability where an attacker could cause remote code execution by loading a maliciously crafted file. A successful exploit of this vulnerability might lead to code…

nemo | Injection
Feb 18, 2026 Feb 20, 2026
Feb 18, 2026
Feb 20, 2026
7.8 HIGH
CVE-2025-33240 — NVIDIA Megatron Bridge Code Injection Vulnerability

NVIDIA Megatron Bridge contains a vulnerability in a data shuffling tutorial, where malicious input could cause a code injection. A successful exploit of this vulnerability might lead to code executi…

megatron-bridge | Injection
Feb 18, 2026 Feb 26, 2026
Feb 18, 2026
Feb 26, 2026
7.8 HIGH
CVE-2025-33239 — NVIDIA Megatron Bridge Code Injection Vulnerability

NVIDIA Megatron Bridge contains a vulnerability in a data merging tutorial, where malicious input could cause a code injection. A successful exploit of this vulnerability might lead to code execution…

megatron-bridge | Injection
Feb 18, 2026 Feb 26, 2026
Feb 18, 2026
Feb 26, 2026
7.8 HIGH
CVE-2025-33236 — NVIDIA NeMo Framework Code Injection Vulnerability

NVIDIA NeMo Framework contains a vulnerability where malicious data created by an attacker could cause code injection. A successful exploit of this vulnerability might lead to code execution, escalat…

nemo | Injection
Feb 18, 2026 Feb 20, 2026
Feb 18, 2026
Feb 20, 2026
7.3 HIGH
CVE-2025-14340 — Admin Account Takeover via malicious URL payload

Cross-site scripting in REST Management Interface in Payara Server <4.1.2.191.54, <5.83.0, <6.34.0, <7.2026.1 allows an attacker to mislead the administrator to change the admin password via URL Payl…

Remote | Cross-Site Scripting
Feb 18, 2026 Feb 18, 2026
Feb 18, 2026
Feb 18, 2026
4.3 MEDIUM
CVE-2026-2386 — The Plus Addons for Elementor – Addons for Elementor, Page Templates, Widgets, Mega Menu,…

The The Plus Addons for Elementor – Addons for Elementor, Page Templates, Widgets, Mega Menu, WooCommerce plugin for WordPress is vulnerable to Incorrect Authorization in all versions up to, and incl…

Remote | Authorization
Feb 18, 2026 Feb 18, 2026
Feb 18, 2026
Feb 18, 2026
3.7 LOW
CVE-2026-1582 — WP All Export <= 1.4.14 - Unauthenticated Sensitive Information Exposure via PHP Type Jug…

The WP All Export plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.4.14 via the export download endpoint. This is due to a PHP type jugglin…

Remote | Authentication
Feb 18, 2026 Feb 18, 2026
Feb 18, 2026
Feb 18, 2026
6.5 MEDIUM
CVE-2026-1317 — WP Import – Ultimate CSV XML Importer for WordPress <= 7.37 - Authenticated (Subscriber+)…

The WP Import – Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to SQL Injection in all versions up to, and including, 7.37. This is due to insufficient escaping on the `fi…

Remote | Injection
Feb 18, 2026 Feb 18, 2026
Feb 18, 2026
Feb 18, 2026
4.9 MEDIUM
CVE-2025-8781 — Bookster – WordPress Appointment Booking Plugin <= 2.1.1 - Authenticated (Administrator+)…

The Bookster – WordPress Appointment Booking Plugin plugin for WordPress is vulnerable to SQL Injection via the ‘raw’ parameter in all versions up to, and including, 2.1.1 due to insufficient escapin…

bookster | Remote | Injection
Feb 18, 2026 Feb 18, 2026
Feb 18, 2026
Feb 18, 2026
5.3 MEDIUM
CVE-2025-7630 — OTP Password Brute Forcing in DorukNet's Wispotter

Improper Restriction of Excessive Authentication Attempts, Improper Authentication vulnerability in Doruk Communication and Automation Industry and Trade Inc. Wispotter allows Password Brute Forcing,…

Remote | Authentication
Feb 18, 2026 Feb 18, 2026
Feb 18, 2026
Feb 18, 2026
6.5 MEDIUM
CVE-2025-14799 — Brevo - Email, SMS, Web Push, Chat, and more. <= 3.3.0 - Unauthenticated Authorization By…

The Brevo - Email, SMS, Web Push, Chat, and more. plugin for WordPress is vulnerable to authorization bypass due to type juggling in all versions up to, and including, 3.3.0. This is due to the use o…

Remote | Authorization
Feb 18, 2026 Feb 18, 2026
Feb 18, 2026
Feb 18, 2026
7.8 HIGH
CVE-2026-2653 — admesh normals.c stl_check_normal_vector heap-based overflow

A security flaw has been discovered in admesh up to 0.98.5. This issue affects the function stl_check_normal_vector of the file src/normals.c. Performing a manipulation results in heap-based buffer o…

admesh | Memory Corruption
Feb 18, 2026 Feb 20, 2026
Feb 18, 2026
Feb 20, 2026
6.5 MEDIUM
CVE-2026-2426 — WP-DownloadManager <= 1.69 - Authenticated (Administrator+) Path Traversal to Arbitrary F…

The WP-DownloadManager plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.69 via the 'file' parameter in the file deletion functionality. This is due to insu…

wp-downloadmanager | Remote | Path Traversal
Feb 18, 2026 Feb 18, 2026
Feb 18, 2026
Feb 18, 2026
6.5 MEDIUM
CVE-2026-1942 — Blog2Social: Social Media Auto Post & Scheduler <= 8.7.4 - Missing Authorization to Authe…

The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the b2s_curation_draft AJAX action in …

blog2social | Remote | Authorization
Feb 18, 2026 Feb 18, 2026
Feb 18, 2026
Feb 18, 2026
5.3 MEDIUM
CVE-2025-14444 — RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login…

The RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login plugin for WordPress is vulnerable to payment bypass due to insufficient verification of data authenticit…

registrationmagic | Remote | Authentication
Feb 18, 2026 Feb 18, 2026
Feb 18, 2026
Feb 18, 2026
5.3 MEDIUM
CVE-2026-2126 — User Submitted Posts <= 20260113 - Incorrect Authorization to Unauthenticated Category Re…

The User Submitted Posts – Enable Users to Submit Posts from the Front End plugin for WordPress is vulnerable to Incorrect Authorization in all versions up to, and including, 20260113. This is due to…

user_submitted_posts | Remote | Authorization
Feb 18, 2026 Feb 18, 2026
Feb 18, 2026
Feb 18, 2026
4.4 MEDIUM
CVE-2025-13727 — Video Share VOD <= 2.7.11 - Authenticated (Editor+) Stored Cross-Site Scripting via Custo…

The Video Share VOD – Turnkey Video Site Builder Script plugin for WordPress is vulnerable to Stored Cross-Site Scripting via plugin settings in all versions up to, and including, 2.7.11 due to insuf…

Remote | Cross-Site Scripting
Feb 18, 2026 Feb 18, 2026
Feb 18, 2026
Feb 18, 2026
6.4 MEDIUM
CVE-2025-11185 — Complianz | GDPR/CCPA Cookie Consent <= 7.4.3 - Authenticated (Contributor+) Stored Cross…

The Complianz – GDPR/CCPA Cookie Consent plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's cmplz-accept-link shortcode in all versions up to, and including, 7.4.3 due…

Remote | Cross-Site Scripting
Feb 18, 2026 Feb 18, 2026
Feb 18, 2026
Feb 18, 2026
7.5 HIGH
CVE-2026-2495 — WPNakama <= 0.6.5 - Unauthenticated SQL Injection via 'order' REST API Parameter

The WPNakama – Team and multi-Client Collaboration, Editorial and Project Management plugin for WordPress is vulnerable to SQL Injection via the 'order' parameter of the '/wp-json/WPNakama/v1/boards'…

Remote | Injection
Feb 18, 2026 Feb 18, 2026
Feb 18, 2026
Feb 18, 2026
5.4 MEDIUM
CVE-2026-2127 — SiteOrigin Widgets Bundle <= 1.70.4 - Missing Authorization to Authenticated (Subscriber+…

The SiteOrigin Widgets Bundle plugin for WordPress is vulnerable to unauthorized arbitrary shortcode execution in all versions up to, and including, 1.70.4. This is due to a missing capability check …

siteorigin_widgets_bundle | Remote | Authorization
Feb 18, 2026 Feb 18, 2026
Feb 18, 2026
Feb 18, 2026
Showing 20 of 5035 Results