Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
CVE Intelligence

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

All Critical Actively Exploited Remotely Exploitable
Last Updated Published CVSS Score
Score
Vulnerability
Published
0.0 NA
CVE-2026-46496 — HAX CMS: Stored XSS via '<video-player>' component allows arbitrary JavaScript execution …

HAX CMS helps manage microsite universe with PHP or NodeJs backends. A stored cross-site scripting (XSS) vulnerability exists in versions prior to 26.0.0 due to improper sanitization of the `<video-p…

haxcms-nodejs | Cross-Site Scripting
Jun 05, 2026 Jun 05, 2026
Jun 05, 2026
Jun 05, 2026
0.0 NA
CVE-2026-46396 — HAX CMS has a stored XSS via <iframe> that allows access to sensitive client-side data an…

HAX CMS helps manage microsite universe with PHP or NodeJs backends. A stored cross-site scripting (XSS) vulnerability exists in versions prior to 26.0.0 due to improper sanitization of `<iframe>` el…

haxcms-nodejs | Cross-Site Scripting
Jun 05, 2026 Jun 05, 2026
Jun 05, 2026
Jun 05, 2026
0.0 NA
CVE-2026-46511 — HAXcms: Mass Token Exfiltration and Cross-Tenant Hijack

HAX CMS helps manage microsite universe with PHP or NodeJs backends. Prior to version 26.0.0, an attack chain utilizing Stored XSS alongside dynamic token exposure in the `/system/api/connectionSetti…

haxcms-nodejs haxcms-php | Cross-Site Scripting
Jun 05, 2026 Jun 05, 2026
Jun 05, 2026
Jun 05, 2026
0.0 NA
CVE-2026-5411 — WP Captcha PRO <= 5.38 - Missing Authorization to Authenticated (Subscriber+) Arbitrary F…

The WP Captcha PRO (the premium version of the Advanced Google reCAPTCHA plugin, both have the same slug) plugin for WordPress is vulnerable to arbitrary file upload in all versions up to, and includ…

| Authentication
Jun 05, 2026 Jun 05, 2026
Jun 05, 2026
Jun 05, 2026
0.0 NA
CVE-2026-5415 — WP Captcha PRO <= 5.38 - Authenticated (Subscriber+) Authentication Bypass via Temporary …

The WP Captcha PRO (the premium version of the Advanced Google reCAPTCHA plugin, both have the same slug) plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and includ…

| Authentication
Jun 05, 2026 Jun 05, 2026
Jun 05, 2026
Jun 05, 2026
0.0 NA
CVE-2026-10580 — Hippoo Mobile App for WooCommerce <= 1.9.4 - Unauthenticated Authentication Bypass to Adm…

The Hippoo Mobile App for WooCommerce plugin for WordPress is vulnerable to Authentication Bypass leading to Administrator Account Takeover in all versions up to and including 1.9.4. This is due to a…

| Authentication
Jun 05, 2026 Jun 05, 2026
Jun 05, 2026
Jun 05, 2026
0.0 NA
CVE-2026-46395 — HAX CMS Vulnerable to Private Key Disclosure via Broken HMAC Implementation

HAX CMS helps manage microsite universe with PHP or NodeJs backends. Prior to version 26.0.0, the `hmacBase64()` function in the HAXcms Node.js backend contains two critical cryptographic implementat…

haxcms-nodejs | Cryptography
Jun 05, 2026 Jun 05, 2026
Jun 05, 2026
Jun 05, 2026
0.0 NA
CVE-2026-46394 — HAX CMS Vulnerable to Command Injection using Git.php

HAX CMS helps manage microsite universe with PHP or NodeJs backends. Prior to version 26.0.0, an OS command injection vulnerability exists in the Git.php library of the HAXcms PHP backend. The applic…

haxcms-php | Injection
Jun 05, 2026 Jun 05, 2026
Jun 05, 2026
Jun 05, 2026
0.0 NA
CVE-2026-46393 — HAXcms createSite SSRF Enables Arbitrary File Read

HAX CMS helps manage microsite universe with PHP or NodeJs backends. An authenticated Server-Side Request Forgery (SSRF) vulnerability in versions prior to 26.0.0 allows authenticated users to fetch …

haxcms-nodejs haxcms-php | Server-Side Request Forgery
Jun 05, 2026 Jun 05, 2026
Jun 05, 2026
Jun 05, 2026
0.0 NA
CVE-2026-46392 — HAX CMS PHP Has a Stored XSS via Case-Sensitivity Mismatch in HTML Upload Validation

HAX CMS helps manage microsite universe with PHP or NodeJs backends. Prior to version 26.0.0 of HAX CMS PHP, the `saveFile` endpoint validates upload extensions case-insensitively and writes the file…

haxcms-php | Path Traversal
Jun 05, 2026 Jun 05, 2026
Jun 05, 2026
Jun 05, 2026
0.0 NA
CVE-2026-46391 — HAX open-apis: Credential Theft via Server-Side Request Forgery (SSRF) in open-apis

HAX CMS helps manage microsite universe with PHP or NodeJs backends. Starting in version 9.0.1 and prior to version 26.0.0 of @haxtheweb/open-apis, multiple functions conduct substring-only matching …

| Authentication
Jun 05, 2026 Jun 05, 2026
Jun 05, 2026
Jun 05, 2026
8.8 HIGH
CVE-2026-50733 — Markdown Preview Enhanced Arbitrary Code Execution via WaveDrom eval()

Markdown Preview Enhanced before 0.8.28 parses WaveDrom diagrams by evaluating untrusted markdown content with eval(), allowing arbitrary JavaScript execution. The flaw affects every render path - th…

markdown_preview_enhanced | Remote | Misconfiguration
Jun 05, 2026 Jun 05, 2026
Jun 05, 2026
Jun 05, 2026
8.8 HIGH
CVE-2026-49493 — Markdown Preview Enhanced Arbitrary Code Execution via Bitfield interpretJS()

Markdown Preview Enhanced before 0.8.28 parses Bitfield fenced code blocks with interpretJS(), which evaluates the block content as code via vm.runInNewContext(), allowing arbitrary code execution. A…

markdown_preview_enhanced | Remote | Injection
Jun 05, 2026 Jun 05, 2026
Jun 05, 2026
Jun 05, 2026
8.8 HIGH
CVE-2026-49492 — Markdown Preview Enhanced OS Command Injection in External File and Link Opening

Markdown Preview Enhanced before 0.8.28 opens external files and links from the preview through a shell and does not validate untrusted inputs taken from the markdown document - the diagram filename …

markdown_preview_enhanced | Remote | Injection
Jun 05, 2026 Jun 05, 2026
Jun 05, 2026
Jun 05, 2026
9.0 CRITICAL
CVE-2026-45750 — Termix Vulnerable to Arbitrary Command Execution in File Manager

Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. Prior to version 2.3.2, the GET /ssh/file_manager/ssh/resolvePath endpoint in the Termix …

Remote | Injection
Jun 05, 2026 Jun 05, 2026
Jun 05, 2026
Jun 05, 2026
8.1 HIGH
CVE-2026-45749 — Termix's TOTP two-factor authentication can be disabled or bypassed using only the accoun…

Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. The `POST /users/totp/disable` and `POST /users/totp/backup-codes` endpoints in Termix pr…

Remote | Authentication
Jun 05, 2026 Jun 05, 2026
Jun 05, 2026
Jun 05, 2026
9.8 CRITICAL
CVE-2026-45748 — Termix Vulnerable to Remote Code Execution via SSH Tunnel Forward Command Injection

Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. The `POST /ssh/tunnel/connect` endpoint in Termix prior to version 2.3.2 builds an SSH tu…

Remote | Injection
Jun 05, 2026 Jun 05, 2026
Jun 05, 2026
Jun 05, 2026
9.0 CRITICAL
CVE-2026-45746 — Termix Vulnerable to Arbitrary Command Execution via Session Hijacking

Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. Prior to version 2.3.2, the File Manager functionality in Termix contains a critical Brok…

Remote | Authentication
Jun 05, 2026 Jun 05, 2026
Jun 05, 2026
Jun 05, 2026
8.0 HIGH
CVE-2026-45745 — Termix has improper certificate validation in Electron desktop client that enables MITM c…

Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. Starting in version 1.7.0, Termix Desktop (Electron) disables TLS certificate validation,…

Remote | Misconfiguration
Jun 05, 2026 Jun 05, 2026
Jun 05, 2026
Jun 05, 2026
9.9 CRITICAL
CVE-2026-45744 — Termix has an OS Command Injection in File Manager resolvePath endpoint

Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. Prior to version 2.3.2, the GET /ssh/file_manager/ssh/resolvePath endpoint in Termix is v…

Remote | Injection
Jun 05, 2026 Jun 05, 2026
Jun 05, 2026
Jun 05, 2026
Showing 20 of 7390 Results