Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

All Critical Actively Exploited Remotely Exploitable
Last Updated Published CVSS Score
Score
Vulnerability
Published
2.3 LOW
CVE-2026-1694 — Server configuration details in HTTP headers

HTTP headers are added by the default configuration of IIS and ASP.net, and are not removed at the deployment phase of the webservices used by the WebVue, WebScheduler, TouchVue and SnapVue features …

pcvue | Remote | Information Disclosure
Feb 26, 2026 Feb 27, 2026
Feb 26, 2026
Feb 27, 2026
5.3 MEDIUM
CVE-2026-1693 — Use of vulnerable Resource Owner Password Credentials flow

The OAuth grant type Resource Owner Password Credentials (ROPC) flow is still used by the werbservices used by the WebVue, WebScheduler, TouchVue and Snapvue features of PcVue in version 12.0.0 throu…

pcvue | Remote | Authentication
Feb 26, 2026 Feb 27, 2026
Feb 26, 2026
Feb 27, 2026
5.3 MEDIUM
CVE-2026-1692 — Missing origin validation in GraphicalData web service requests

A missing origin validation in WebSockets vulnerability affects the GraphicalData web services used by the WebVue, WebScheduler, TouchVue and SnapVue features of PcVue in version 12.0.0 through 16.3.…

pcvue | Remote | Authentication
Feb 26, 2026 Feb 27, 2026
Feb 26, 2026
Feb 27, 2026
8.4 HIGH
CVE-2026-25191 — FinalCode Client DLL Hijacking Vulnerability

The installer of FinalCode Client provided by Digital Arts Inc. contains an issue with the DLL search path. If a user is directed to place a malicious DLL file and the installer to the same directory…

| Misconfiguration
Feb 26, 2026 Feb 27, 2026
Feb 26, 2026
Feb 27, 2026
8.5 HIGH
CVE-2026-23703 — "FinalCode Client by Digital Arts Inc. - Privilege Escalation Vulnerability"

The installer of FinalCode Client provided by Digital Arts Inc. contains an incorrect default permissions vulnerability. A non-administrative user may execute arbitrary code with SYSTEM privilege.

| Misconfiguration
Feb 26, 2026 Feb 27, 2026
Feb 26, 2026
Feb 27, 2026
8.8 HIGH
CVE-2026-1311 — Worry Proof Backup <= 0.2.4 - Authenticated (Subscriber+) Path Traversal via Backup Upload

The Worry Proof Backup plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 0.2.4 via the backup upload functionality. This makes it possible for authenticated a…

Remote | Path Traversal
Feb 26, 2026 Feb 27, 2026
Feb 26, 2026
Feb 27, 2026
5.3 MEDIUM
CVE-2026-2356 — User Registration & Membership <= 5.1.2 - Insecure Direct Object Reference to Unauthentic…

The User Registration & Membership – Custom Registration Form, Login Form, and User Profile plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including…

Remote | Authorization
Feb 26, 2026 Feb 27, 2026
Feb 26, 2026
Feb 27, 2026
9.8 CRITICAL
CVE-2026-27975 — Ajenti has a potential Remote Code Execution

Ajenti is a Linux and BSD modular server admin panel. Prior to version 2.2.13, an unauthenticated user could gain access to a server to execute arbitrary code on this server. This is fixed in the ver…

ajenti | Remote | Authentication
Feb 26, 2026 Mar 02, 2026
Feb 26, 2026
Mar 02, 2026
4.8 MEDIUM
CVE-2026-27974 — Audiobooksheld VUlnerable to Stored XSS in WrappingMarquee.js via Audiobook Metadata (Mob…

Audiobookshelf is a self-hosted audiobook and podcast server. A cross-site scripting (XSS) vulnerability exists in versions prior to 0.12.0-beta of the Audiobookshelf mobile application that allows a…

audiobookshelf | Remote | Cross-Site Scripting
Feb 26, 2026 Feb 27, 2026
Feb 26, 2026
Feb 27, 2026
4.8 MEDIUM
CVE-2026-27963 — Audiobookshelf has Stored XSS in Tooltip.vue via Audiobook Metadata

Audiobookshelf is a self-hosted audiobook and podcast server. A stored cross-site scripting (XSS) vulnerability exists in versions prior to 2.32.0 of the Audiobookshelf web application that allows ar…

audiobookshelf | Remote | Cross-Site Scripting
Feb 26, 2026 Feb 27, 2026
Feb 26, 2026
Feb 27, 2026
6.5 MEDIUM
CVE-2026-27465 — Fleet: Sensitive Google Calendar credentials disclosed to low-privileged users

Fleet is open source device management software. In versions prior to 4.80.1, a vulnerability in Fleet’s configuration API could expose Google Calendar service account credentials to authenticated us…

fleet | Remote | Information Disclosure
Feb 26, 2026 Mar 02, 2026
Feb 26, 2026
Mar 02, 2026
6.5 MEDIUM
CVE-2026-25963 — Fleet: Authorization Bypass in certificate template batch deletion for team administrators

Fleet is open source device management software. In versions prior to 4.80.1, a broken authorization check in Fleet’s certificate template deletion API could allow a team administrator to delete cert…

fleet | Remote | Authorization
Feb 26, 2026 Feb 27, 2026
Feb 26, 2026
Feb 27, 2026
5.3 MEDIUM
CVE-2026-24004 — Fleet: Unauthenticated Android device disenrollment vulnerability via Pub/Sub endpoint

Fleet is open source device management software. In versions prior to 4.80.1, a vulnerability in Fleet’s Android MDM Pub/Sub handling could allow unauthenticated requests to trigger device unenrollme…

fleet | Remote | Authentication
Feb 26, 2026 Mar 02, 2026
Feb 26, 2026
Mar 02, 2026
5.5 MEDIUM
CVE-2026-23999 — Fleet: Device lock PIN can be predicted if lock time is known

Fleet is open source device management software. In versions prior to 4.80.1, Fleet generated device lock and wipe PINs using a predictable algorithm based solely on the current Unix timestamp. Becau…

fleet | Cryptography
Feb 26, 2026 Mar 02, 2026
Feb 26, 2026
Mar 02, 2026
8.1 HIGH
CVE-2026-1779 — User Registration & Membership <= 5.1.2 - Authentication Bypass

The User Registration & Membership plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 5.1.2. This is due to incorrect authentication in the 'register_member…

Remote | Authentication
Feb 26, 2026 Feb 27, 2026
Feb 26, 2026
Feb 27, 2026
6.1 MEDIUM
CVE-2026-2506 — EM Cost Calculator <= 2.3.1 - Unauthenticated Stored Cross-Site Scripting via 'customer_n…

The EM Cost Calculator plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.3.1. This is due to the plugin storing attacker-controlled 'customer_name'…

cost_calculator | Remote | Cross-Site Scripting
Feb 26, 2026 Feb 27, 2026
Feb 26, 2026
Feb 27, 2026
4.4 MEDIUM
CVE-2026-2499 — Custom Logo <= 2.2 - Authenticated (Administrator+) Stored Cross-Site Scripting via Logo …

The Custom Logo plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.2 due to insufficient input sanitization and output escapi…

Remote | Cross-Site Scripting
Feb 26, 2026 Feb 27, 2026
Feb 26, 2026
Feb 27, 2026
4.4 MEDIUM
CVE-2026-2498 — WP Social Meta <= 1.0.1 - Authenticated (Administrator+) Stored Cross-Site Scripting via …

The WP Social Meta plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0.1 due to insufficient input sanitization and output e…

Remote | Cross-Site Scripting
Feb 26, 2026 Feb 27, 2026
Feb 26, 2026
Feb 27, 2026
4.4 MEDIUM
CVE-2026-2489 — TP2WP Importer <= 1.1 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'W…

The TP2WP Importer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Watched domains' textarea on the attachment importer settings page in all versions up to, and including, …

Remote | Cross-Site Scripting
Feb 26, 2026 Feb 27, 2026
Feb 26, 2026
Feb 27, 2026
6.4 MEDIUM
CVE-2026-2029 — Livemesh Addons for Beaver Builder <= 3.9.2 - Authenticated (Contributor+) Stored Cross-S…

The Livemesh Addons for Beaver Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `[labb_pricing_item]` shortcode's `title` and `value` attributes in all versions up to…

beaver_builder_addons | Remote | Cross-Site Scripting
Feb 26, 2026 Feb 27, 2026
Feb 26, 2026
Feb 27, 2026
Showing 20 of 5066 Results