Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score | Vulnerability | Published
8.3 HIGH
CVE-2026-2084 — D-Link DIR-823X set_language os command injection

A weakness has been identified in D-Link DIR-823X 250416. This impacts an unknown function of the file /goform/set_language. Executing a manipulation of the argument langSelection can lead to os comm…

dir-823x_firmware dir-823x | Remote | Injection
Feb 07, 2026 Feb 10, 2026
9.8 CRITICAL
CVE-2026-2083 — code-projects Social Networking Site delete_post.php sql injection

A security flaw has been discovered in code-projects Social Networking Site 1.0. This affects an unknown function of the file /delete_post.php. Performing a manipulation of the argument ID results in…

social_networking_site | Remote | Injection
Feb 07, 2026 Feb 12, 2026
7.2 HIGH
CVE-2026-2082 — D-Link DIR-823X set_mac_clone os command injection

A vulnerability was identified in D-Link DIR-823X 250416. The impacted element is an unknown function of the file /goform/set_mac_clone. Such manipulation of the argument mac leads to os command inje…

dir-823x_firmware dir-823x | Remote | Injection
Feb 07, 2026 Feb 10, 2026
7.2 HIGH
CVE-2026-2081 — D-Link DIR-823X set_password os command injection

A vulnerability was determined in D-Link DIR-823X 250416. The affected element is an unknown function of the file /goform/set_password. This manipulation of the argument http_passwd causes os command…

dir-823x_firmware dir-823x | Remote | Injection
Feb 07, 2026 Feb 10, 2026
8.3 HIGH
CVE-2026-2080 — UTT HiPER 810 formUser setSysAdm command injection

A vulnerability has been found in UTT HiPER 810 1.7.4-141218. This issue affects the function setSysAdm of the file /goform/formUser. The manipulation of the argument passwd1 leads to command injecti…

810_firmware 810 | Remote | Injection
Feb 07, 2026 Feb 13, 2026
8.8 HIGH
CVE-2026-2079 — yeqifu warehouse Menu Management MenuController.java deleteMenu improper authorization

A flaw has been found in yeqifu warehouse up to aaf29962ba407d22d991781de28796ee7b4670e4. This vulnerability affects the function addMenu/updateMenu/deleteMenu of the file dataset\repos\warehouse\src…

warehouse | Remote | Authorization
Feb 07, 2026 Feb 10, 2026
5.3 MEDIUM
CVE-2026-1675 — Advanced Country Blocker <= 2.3.1 - Unauthenticated Authorization Bypass via Insecure Def…

The Advanced Country Blocker plugin for WordPress is vulnerable to Authorization Bypass in all versions up to, and including, 2.3.1 due to the use of a predictable default value for the secret bypass…

Remote | Authorization
Feb 07, 2026 Feb 09, 2026
6.1 MEDIUM
CVE-2026-1643 — MP-Ukagaka <= 1.5.2 - Reflected Cross-Site Scripting

The MP-Ukagaka plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in all versions up to, and including, 1.5.2 due to insufficient input sanitization and output escaping. This makes …

Remote | Cross-Site Scripting
Feb 07, 2026 Feb 09, 2026
6.1 MEDIUM
CVE-2026-1634 — Subitem AL Slider <= 1.0.0 - Reflected Cross-Site Scripting via $_SERVER['PHP_SELF']

The Subitem AL Slider plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` parameter in all versions up to, and including, 1.0.0 due to insufficient inp…

Remote | Cross-Site Scripting
Feb 07, 2026 Feb 09, 2026
6.4 MEDIUM
CVE-2026-1613 — Wonka Slide <= 1.3.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Short…

The Wonka Slide plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `list_class` shortcode in all versions up to, and including, 1.3.3 due to insufficient input sanitiz…

Remote | Cross-Site Scripting
Feb 07, 2026 Feb 09, 2026
6.4 MEDIUM
CVE-2026-1611 — Wikiloops Track Player <= 1.0.1 - Authenticated (Contributor+) Stored Cross-Site Scriptin…

The Wikiloops Track Player plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `wikiloops` shortcode in all versions up to, and including, 1.0.1 due to insufficient inp…

Remote | Cross-Site Scripting
Feb 07, 2026 Feb 09, 2026
6.4 MEDIUM
CVE-2026-1608 — Video Onclick <= 0.4.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Sho…

The Video Onclick plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `youtube` shortcode in all versions up to, and including, 0.4.7 due to insufficient input sanitiza…

Remote | Cross-Site Scripting
Feb 07, 2026 Feb 09, 2026
6.4 MEDIUM
CVE-2026-1573 — OMIGO <= 3.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

The OMIGO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `omigo_donate_button` shortcode in all versions up to, and including, 3.3 due to insufficient input saniti…

Remote | Cross-Site Scripting
Feb 07, 2026 Feb 09, 2026
6.4 MEDIUM
CVE-2026-1570 — Simple Bible Verse via Shortcode <= 1.1 - Authenticated (Contributor+) Stored Cross-Site …

The Simple Bible Verse via Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `verse` shortcode in all versions up to, and including, 1.1 due to insufficient…

Remote | Cross-Site Scripting
Feb 07, 2026 Feb 09, 2026
4.3 MEDIUM
CVE-2026-1082 — TITLE ANIMATOR <= 1.0 - Cross-Site Request Forgery to Settings Update

The TITLE ANIMATOR plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing nonce validation on the settings page form handle…

Remote | Cross-Site Request Forgery
Feb 07, 2026 Feb 09, 2026
6.4 MEDIUM
CVE-2026-0555 — Premmerce <= 1.3.20 - Authenticated (Subscriber+) Stored Cross-Site Scripting via 'premme…

The Premmerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'premmerce_wizard_actions' AJAX endpoint in all versions up to, and including, 1.3.20. This is due to missing c…

premmerce | Remote | Cross-Site Scripting
Feb 07, 2026 Feb 09, 2026
6.5 MEDIUM
CVE-2025-15477 — The Bucketlister <= 0.1.5 - Authenticated (Contributor+) SQL Injection via `category` and…

The Bucketlister plugin for WordPress is vulnerable to SQL Injection via the plugin's shortcode `category` and `id` attributes in all versions up to, and including, 0.1.5 due to insufficient escaping…

Remote | Injection
Feb 07, 2026 Feb 09, 2026
4.3 MEDIUM
CVE-2025-15476 — The Bucketlister <= 0.1.5 - Missing Authorization to Authenticated (Subscriber+) Bucket L…

The The Bucketlister plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the bucketlister_do_admin_ajax() function in all versions up to, and …

Remote | Authorization
Feb 07, 2026 Feb 09, 2026
8.8 HIGH
CVE-2026-2078 — yeqifu warehouse Permission Management PermissionController.java deletePermission imprope…

A vulnerability was detected in yeqifu warehouse up to aaf29962ba407d22d991781de28796ee7b4670e4. This affects the function addPermission/updatePermission/deletePermission of the file dataset\repos\wa…

warehouse | Remote | Authorization
Feb 07, 2026 Feb 10, 2026
8.8 HIGH
CVE-2026-2077 — yeqifu warehouse Role Management RoleController.java deleteRole improper authorization

A security vulnerability has been detected in yeqifu warehouse up to aaf29962ba407d22d991781de28796ee7b4670e4. Affected by this issue is the function addRole/updateRole/deleteRole of the file dataset…

warehouse | Remote | Authorization
Feb 07, 2026 Feb 10, 2026
Showing 20 of 5134 Results