Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

All Critical Actively Exploited Remotely Exploitable
Last Updated Published CVSS Score
Score
Vulnerability
Published
5.4 MEDIUM
CVE-2026-23861 — Dell Unisphere for PowerMax Cross-site Scripting

Dell Unisphere for PowerMax vApp, version(s) 9.2.4.x, contain(s) an Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability. A low privileged attacker with …

Remote | Cross-Site Scripting
Feb 17, 2026 Feb 18, 2026
Feb 17, 2026
Feb 18, 2026
6.1 MEDIUM
CVE-2025-7706 — Improper Access Control in TUBITAK BILGEM's Liderahenk

Missing Authentication for Critical Function vulnerability in TUBITAK BILGEM Software Technologies Research Institute Liderahenk allows Remote Code Inclusion.This issue affects Liderahenk: from 3.0.0…

Remote | Authentication
Feb 17, 2026 Feb 18, 2026
Feb 17, 2026
Feb 18, 2026
8.3 HIGH
CVE-2026-2615 — Wavlink WL-NU516U1 firewall.cgi singlePortForwardDelete command injection

A flaw has been found in Wavlink WL-NU516U1 up to 20251208. The affected element is the function singlePortForwardDelete of the file /cgi-bin/firewall.cgi. Executing a manipulation of the argument de…

wl-nu516u1_firmware wl-nu516u1 | Remote | Injection
Feb 17, 2026 Feb 18, 2026
Feb 17, 2026
Feb 18, 2026
4.3 MEDIUM
CVE-2026-2608 — Gutenberg Blocks by Kadence Blocks <= 3.5.32 - Missing Authorization

The Kadence Blocks — Page Builder Toolkit for Gutenberg Editor plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and inc…

Remote | Authorization
Feb 17, 2026 Feb 18, 2026
Feb 17, 2026
Feb 18, 2026
8.3 HIGH
CVE-2026-2247 — SQL Injection in Clickedu's SaaS platform

SQL injection vulnerability (SQLi) in Clicldeu SaaS, specifically in the generation of reports, which occurs when a previously authenticated remote attacker executes a malicious payload in the URL ge…

Remote | Injection
Feb 17, 2026 Feb 18, 2026
Feb 17, 2026
Feb 18, 2026
6.5 MEDIUM
CVE-2025-8303 — XSS in EKA Software's Real Estate Script V5 (With Doping Module – Store Module – New Lang…

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in EKA Software Computer Information Advertising Services Ltd. Real Estate Script V5 (With Do…

Remote | Cross-Site Scripting
Feb 17, 2026 Feb 18, 2026
Feb 17, 2026
Feb 18, 2026
8.6 HIGH
CVE-2025-7631 — Time-Based Blind SQLi in Tumeva Internet Technologies' Tumeva Prime News Software

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Tumeva Internet Technologies Software Information Advertising and Consulting Services Trade Ltd. …

Remote | Injection
Feb 17, 2026 Mar 09, 2026
Feb 17, 2026
Mar 09, 2026
8.7 HIGH
CVE-2026-25903 — Apache NiFi: Missing Authorization of Restricted Permissions for Component Updates

Apache NiFi 1.1.0 through 2.7.2 are missing authorization when updating configuration properties on extension components that have specific Required Permissions based on the Restricted annotation. Th…

nifi | Remote | Authorization
Feb 17, 2026 Feb 18, 2026
Feb 17, 2026
Feb 18, 2026
7.2 HIGH
CVE-2026-1216 — RSS Aggregator <= 5.0.10 - Reflected Cross-Site Scripting via 'template' Parameter

The RSS Aggregator plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'template' parameter in all versions up to, and including, 5.0.10 due to insufficient input sanitizatio…

wp_rss_aggregator | Remote | Cross-Site Scripting
Feb 17, 2026 Feb 18, 2026
Feb 17, 2026
Feb 18, 2026
5.8 MEDIUM
CVE-2026-0829 — Frontend File Manager Plugin <= 23.5 - Unauthenticated Arbitrary Email Sending

The Frontend File Manager Plugin WordPress plugin through 23.5 allows unauthenticated users to send emails through the site without any security checks. This lets attackers use the WordPress site as …

frontend_file_manager_plugin | Remote | Authentication
Feb 17, 2026 Feb 18, 2026
Feb 17, 2026
Feb 18, 2026
5.3 MEDIUM
CVE-2026-1657 — EventPrime <= 4.2.8.4 - Missing Authorization to Unauthenticated Image Upload via 'ep_upl…

The EventPrime plugin for WordPress is vulnerable to unauthorized image file upload in all versions up to, and including, 4.2.8.4. This is due to the plugin registering the upload_file_media AJAX act…

eventprime | Remote | Authentication
Feb 17, 2026 Feb 18, 2026
Feb 17, 2026
Feb 18, 2026
7.7 HIGH
CVE-2026-2592 — Zarinpal Gateway for WooCommerce <= 5.0.16 - Improper Access Control to Payment Status Up…

The Zarinpal Gateway for WooCommerce plugin for WordPress is vulnerable to Improper Access Control to Payment Status Update in all versions up to and including 5.0.16. This is due to the payment call…

Remote | Authorization
Feb 17, 2026 Feb 18, 2026
Feb 17, 2026
Feb 18, 2026
4.4 MEDIUM
CVE-2026-2002 — Forminator Forms – Contact Form, Payment Form & Custom Form Builder <= 1.50.2 - Authentic…

The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the form_name parameter in all versions up to, and includ…

forminator | Remote | Cross-Site Scripting
Feb 17, 2026 Feb 18, 2026
Feb 17, 2026
Feb 18, 2026
9.3 CRITICAL
CVE-2026-26220 — LightLLM <= 1.1.0 PD Mode Unsafe Deserialization RCE

LightLLM version 1.1.0 and prior contain an unauthenticated remote code execution vulnerability in PD (prefill-decode) disaggregation mode. The PD master node exposes WebSocket endpoints that receive…

Remote | Injection
Feb 17, 2026 Feb 18, 2026
Feb 17, 2026
Feb 18, 2026
8.8 HIGH
CVE-2025-12062 — WP Maps <= 4.8.6 - Authenticated (Subscriber+) Limited Local File Inclusion

The WP Maps – Store Locator,Google Maps,OpenStreetMap,Mapbox,Listing,Directory & Filters plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4.8.6 via the…

Remote | Path Traversal
Feb 17, 2026 Feb 18, 2026
Feb 17, 2026
Feb 18, 2026
9.8 CRITICAL
CVE-2026-2439 — Concierge::Sessions versions from 0.8.1 before 0.8.5 for Perl generate insecure session i…

Concierge::Sessions versions from 0.8.1 before 0.8.5 for Perl generate insecure session ids. The generate_session_id function in Concierge::Sessions::Base defaults to using the uuidgen command to gen…

Remote | Cryptography
Feb 16, 2026 Feb 18, 2026
Feb 16, 2026
Feb 18, 2026
9.8 CRITICAL
CVE-2025-15578 — Maypole versions from 2.10 through 2.13 for Perl generates session ids insecurely

Maypole versions from 2.10 through 2.13 for Perl generates session ids insecurely. The session id is seeded with the system time (which is available from HTTP response headers), a call to the built-i…

maypole | Remote | Cryptography
Feb 16, 2026 Mar 04, 2026
Feb 16, 2026
Mar 04, 2026
7.5 HIGH
CVE-2026-2474 — Crypt::URandom versions from 0.41 before 0.55 for Perl is vulnerable to a heap buffer ove…

Crypt::URandom versions from 0.41 before 0.55 for Perl is vulnerable to a heap buffer overflow in the XS function crypt_urandom_getrandom(). The function does not validate that the length parameter …

crypt\ | Remote | Memory Corruption
Feb 16, 2026 Mar 04, 2026
Feb 16, 2026
Mar 04, 2026
8.8 HIGH
CVE-2026-2001 — WowRevenue <= 2.1.3 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plug…

The WowRevenue plugin for WordPress is vulnerable to unauthorized plugin installation due to a missing capability check in the 'Notice::install_activate_plugin' function in all versions up to, and in…

Remote | Authorization
Feb 16, 2026 Feb 18, 2026
Feb 16, 2026
Feb 18, 2026
8.3 HIGH
CVE-2026-2567 — Wavlink WL-NU516U1 nas.cgi sub_401218 stack-based overflow

A vulnerability was detected in Wavlink WL-NU516U1 20251208. This vulnerability affects the function sub_401218 of the file /cgi-bin/nas.cgi. Performing a manipulation of the argument User1Passwd res…

wl-nu516u1_firmware wl-nu516u1 | Remote | Memory Corruption
Feb 16, 2026 Feb 18, 2026
Feb 16, 2026
Feb 18, 2026
Showing 20 of 5070 Results