Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

All Critical Actively Exploited Remotely Exploitable
Last Updated Published CVSS Score
Score
Vulnerability
Published
4.8 MEDIUM
CVE-2026-2721 — MailArchiver <= 4.4.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via Se…

The MailArchiver plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 4.4.0 due to insufficient input sanitization and output esc…

Remote | Cross-Site Scripting
Mar 07, 2026 Mar 07, 2026
Mar 07, 2026
Mar 07, 2026
4.3 MEDIUM
CVE-2026-2494 — ProfileGrid <= 5.9.8.2 - Cross-Site Request Forgery to Group Membership Request Approval/…

The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.9.8.2. This is due to missing nonce va…

Remote | Cross-Site Request Forgery
Mar 07, 2026 Mar 07, 2026
Mar 07, 2026
Mar 07, 2026
4.3 MEDIUM
CVE-2026-2488 — ProfileGrid <= 5.9.8.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary M…

The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to unauthorized message deletion due to a missing capability check on the pg_delete_msg() function in all ve…

Remote | Authorization
Mar 07, 2026 Mar 07, 2026
Mar 07, 2026
Mar 07, 2026
6.1 MEDIUM
CVE-2026-2431 — CM Custom Reports <= 1.2.7 - Reflected Cross-Site Scripting via 'date_from' and 'date_to'…

The CM Custom Reports plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'date_from' and 'date_to' parameters in all versions up to, and including, 1.2.7 due to insufficient…

Remote | Cross-Site Scripting
Mar 07, 2026 Mar 07, 2026
Mar 07, 2026
Mar 07, 2026
4.9 MEDIUM
CVE-2026-2429 — Community Events <= 1.5.8 - Authenticated (Administrator+) SQL Injection via 'ce_venue_na…

The Community Events plugin for WordPress is vulnerable to SQL Injection via the 'ce_venue_name' CSV field in the `on_save_changes_venues` function in all versions up to, and including, 1.5.8. This i…

Remote | Injection
Mar 07, 2026 Mar 07, 2026
Mar 07, 2026
Mar 07, 2026
7.5 HIGH
CVE-2026-2020 — JS Archive List <= 6.1.7 - Authenticated (Contributor+) PHP Object Injection via 'include…

The JS Archive List plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 6.1.7 via the 'included' shortcode attribute. This is due to the deserialization o…

Remote | Injection
Mar 07, 2026 Mar 07, 2026
Mar 07, 2026
Mar 07, 2026
6.4 MEDIUM
CVE-2026-1902 — Hammas Calendar <= 1.5.11 - Authenticated (Contributor+) Stored Cross-Site Scripting via …

The Hammas Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'apix' parameter in the 'hp-calendar-manage-redirect' shortcode in all versions up to, and including, 1.5…

Remote | Cross-Site Scripting
Mar 07, 2026 Mar 07, 2026
Mar 07, 2026
Mar 07, 2026
5.3 MEDIUM
CVE-2026-1650 — MDJM Event Management <= 1.7.8.1 - Missing Authorization to Unauthenticated Arbitrary Cus…

The MDJM Event Management plugin for WordPress is vulnerable to unauthorized data modification due to a missing capability check on the 'custom_fields_controller' function in all versions up to, and …

Remote | Authorization
Mar 07, 2026 Mar 07, 2026
Mar 07, 2026
Mar 07, 2026
7.5 HIGH
CVE-2025-14353 — ZIP Code Based Content Protection <= 1.0.2 - Unauthenticated SQL Injection via 'zipcode' …

The ZIP Code Based Content Protection plugin for WordPress is vulnerable to SQL Injection in all versions up to, and including, 1.0.2 via the 'zipcode' parameter. This is due to insufficient escaping…

Remote | Injection
Mar 07, 2026 Mar 07, 2026
Mar 07, 2026
Mar 07, 2026
5.1 MEDIUM
CVE-2026-25073 — XikeStor SKS8310-8X Stored XSS via System Name

XikeStor SKS8310-8X Network Switch firmware versions 1.04.B07 and prior contain a stored cross-site scripting vulnerability that allows authenticated attackers to inject arbitrary script content thro…

Remote | Cross-Site Scripting
Mar 07, 2026 Mar 07, 2026
Mar 07, 2026
Mar 07, 2026
8.6 HIGH
CVE-2026-25072 — XikeStor SKS8310-8X Predictable Session Identifiers

XikeStor SKS8310-8X Network Switch firmware versions 1.04.B07 and prior contain a predictable session identifier vulnerability in the /goform/SetLogin endpoint that allows remote attackers to hijack …

Remote | Authentication
Mar 07, 2026 Mar 07, 2026
Mar 07, 2026
Mar 07, 2026
8.7 HIGH
CVE-2026-25071 — XikeStor SKS8310-8X switch_config.src Missing Authentication

XikeStor SKS8310-8X Network Switch firmware versions 1.04.B07 and prior contain a missing authentication vulnerability in the /switch_config.src endpoint that allows unauthenticated remote attackers …

Remote | Authentication
Mar 07, 2026 Mar 07, 2026
Mar 07, 2026
Mar 07, 2026
9.3 CRITICAL
CVE-2026-25070 — XikeStor SKS8310-8X PingTestSet Command Injection

XikeStor SKS8310-8X Network Switch firmware versions 1.04.B07 and prior contain an OS command injection vulnerability in the /goform/PingTestSet endpoint that allows unauthenticated remote attackers …

Remote | Injection
Mar 07, 2026 Mar 07, 2026
Mar 07, 2026
Mar 07, 2026
5.3 MEDIUM
CVE-2026-2371 — Greenshift <= 12.8.3 - Missing Authorization to Unauthenticated Private Reusable Block Di…

The Greenshift – animation and page builder blocks plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 12.8.3. This is due to missing authoriz…

greenshift_-_animation_and_page_builder_blocks | Remote | Authorization
Mar 07, 2026 Mar 07, 2026
Mar 07, 2026
Mar 07, 2026
4.3 MEDIUM
CVE-2026-1981 — Winston AI <= 0.0.3 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plug…

The HUMN-1 AI Website Scanner & Human Certification by Winston AI plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the winston_disconnect()…

Remote | Authorization
Mar 07, 2026 Mar 07, 2026
Mar 07, 2026
Mar 07, 2026
4.3 MEDIUM
CVE-2026-1644 — WP Frontend Profile <= 1.3.8 - Cross-Site Request Forgery to Unauthorized User Account Ap…

The WP Frontend Profile plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.8. This is due to missing nonce validation on the 'update_action' fu…

Remote | Cross-Site Request Forgery
Mar 07, 2026 Mar 07, 2026
Mar 07, 2026
Mar 07, 2026
7.5 HIGH
CVE-2026-30244 — Plane: Unauthenticated Workspace Member Information Disclosure

Plane is an an open-source project management tool. Prior to version 1.2.2, unauthenticated attackers can enumerate workspace members and extract sensitive information including email addresses, user…

plane | Remote | Information Disclosure
Mar 06, 2026 Mar 06, 2026
Mar 06, 2026
Mar 06, 2026
8.5 HIGH
CVE-2026-30242 — Plane: SSRF via Incomplete IP Validation in Webhook URL Serializer

Plane is an an open-source project management tool. Prior to version 1.2.3, the webhook URL validation in plane/app/serializers/webhook.py only checks ip.is_loopback, allowing attackers with workspac…

plane | Remote | Server-Side Request Forgery
Mar 06, 2026 Mar 06, 2026
Mar 06, 2026
Mar 06, 2026
2.7 LOW
CVE-2026-30241 — Mercurius: queryDepth limit bypassed for WebSocket subscriptions

Mercurius is a GraphQL adapter for Fastify. Prior to version 16.8.0, Mercurius fails to enforce the configured queryDepth limit on GraphQL subscription queries received over WebSocket connections. Th…

mercurius | Remote | Denial of Service
Mar 06, 2026 Mar 06, 2026
Mar 06, 2026
Mar 06, 2026
5.1 MEDIUM
CVE-2026-30238 — Group-Office: Reflected XSS in JavaScript context

Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.155, 25.0.88, and 26.0.10, there is a reflected XSS vulnerability in GroupOffice on the extern…

group_office | Remote | Cross-Site Scripting
Mar 06, 2026 Mar 06, 2026
Mar 06, 2026
Mar 06, 2026
Showing 20 of 5117 Results