Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score | Vulnerability | Published
7.2 HIGH
CVE-2020-37222 — Kuicms Php EE 2.0 Persistent Cross-Site Scripting via bbs reply

Kuicms Php EE 2.0 contains a persistent cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by submitting crafted content through the bbs reply endpoi…

Remote | Cross-Site Scripting
May 13, 2026 May 13, 2026
8.6 HIGH
CVE-2020-37221 — Atomic Alarm Clock 6.3 Stack Overflow via SEH Unicode

Atomic Alarm Clock 6.3 contains a stack overflow vulnerability that allows local attackers to execute arbitrary code by supplying a malicious string to the display name textbox in the Time Zones Cloc…

Memory Corruption
May 13, 2026 May 13, 2026
8.7 HIGH
CVE-2020-37220 — Huawei HG630 V2 Router Authentication Bypass via Serial Number

Huawei HG630 V2 router contains an authentication bypass vulnerability that allows unauthenticated attackers to obtain administrative access by retrieving the device serial number. Attackers can quer…

Remote | Authentication
May 13, 2026 May 26, 2026
8.7 HIGH
CVE-2020-37219 — Joomla com_fabrik 3.9.11 Directory Traversal via image.php

Joomla com_fabrik 3.9.11 contains a directory traversal vulnerability that allows unauthenticated attackers to list arbitrary files by manipulating the folder parameter. Attackers can send GET reques…

fabrik | Remote | Path Traversal
May 13, 2026 May 13, 2026
8.8 HIGH
CVE-2020-37218 — Joomla com_hdwplayer 4.2 SQL Injection via search.php

Joomla com_hdwplayer 4.2 contains an SQL injection vulnerability in the search.php file that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the …

hdw_player | Remote | Injection
May 13, 2026 May 13, 2026
5.1 MEDIUM
CVE-2020-37217 — Easy2Pilot 7 Cross-Site Request Forgery via admin.php

Easy2Pilot 7 contains a cross-site request forgery vulnerability that allows attackers to add unauthorized user accounts by tricking authenticated administrators into visiting malicious pages. Attack…

Remote | Cross-Site Request Forgery
May 13, 2026 May 13, 2026
5.5 MEDIUM
CVE-2020-37174 — WOOF / Products Filter Professional for WooCommerce 1.2.3 Persistent XSS

WOOF Products Filter for WooCommerce 1.2.3 contains a persistent cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by entering XSS payloads in design …

May 13, 2026 May 13, 2026
6.8 MEDIUM
CVE-2020-37169 — WordPress Plugin ultimate-member 2.1.3 Local File Inclusion

WordPress Plugin ultimate-member 2.1.3 contains a local file inclusion vulnerability that allows authenticated attackers to include arbitrary files by manipulating the pack parameter in class-admin-u…

ultimate_member | Path Traversal
May 13, 2026 May 13, 2026
9.8 CRITICAL
CVE-2020-37168 — Ecommerce Systempay 1.0 Production Key Brute Force

Ecommerce Systempay 1.0 contains a weak cryptographic implementation vulnerability that allows attackers to brute force the 16-character production secret key used for payment signature generation. A…

Remote | Cryptography
May 13, 2026 May 13, 2026
5.3 MEDIUM
CVE-2026-8463 — Crypt::Argon2 versions from 0.017 before 0.031 for Perl perform a heap out-of-bounds read…

Crypt::Argon2 versions from 0.017 before 0.031 for Perl perform a heap out-of-bounds read in argon2_verify on empty encoded input. The auto-detect form of argon2_verify passes encoded_len - 1 as the…

crypt\ | Remote | Memory Corruption
May 13, 2026 May 13, 2026
6.0 MEDIUM
CVE-2026-8369 — Improper Input Validation in OpenThread NAT64 Translator

Improper Input Validation in the NAT64 translator in The OpenThread Authors OpenThread before commit 26a882d on all platforms allows an attacker on the adjacent IPv4 network to inject corrupted IPv6 …

Injection
May 13, 2026 May 13, 2026
7.1 HIGH
CVE-2026-4609 — ProfileGrid <= 5.9.8.4 - Missing Authorization to Authenticated (Subscriber+) Arbitrary G…

The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the pm_invite_user function in all versions up t…

profilegrid | Remote | Authorization
May 13, 2026 May 13, 2026
6.5 MEDIUM
CVE-2026-4608 — ProfileGrid <= 5.9.8.4 - Authenticated (Subscriber+) SQL Injection via 'rid' Parameter

The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to blind SQL Injection via the 'rid' parameter in all versions up to, and including, 5.9.8.4 due to insuffic…

profilegrid | Remote | Injection
May 13, 2026 May 13, 2026
4.3 MEDIUM
CVE-2026-4607 — ProfileGrid <= 5.9.8.4 - Missing Authorization to Authenticated (Subscriber+) Group Setti…

The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 5.9.8.4. This is due to the plugin not properl…

profilegrid | Remote | Authorization
May 13, 2026 May 13, 2026
8.7 HIGH
CVE-2026-39806 — HTTP/1 chunked decoder infinite loop on requests with trailer fields in bandit

Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in mtrudel bandit allows unauthenticated remote denial of service via worker process exhaustion. 'Elixir.Bandit.HTTP1.Socket':do_…

bandit | Remote | Denial of Service
May 13, 2026 May 21, 2026
8.7 HIGH
CVE-2026-39803 — HTTP/1 chunked body reader ignores length cap in bandit

Allocation of Resources Without Limits or Throttling vulnerability in mtrudel bandit allows unauthenticated remote denial of service via memory exhaustion. The chunked clause of 'Elixir.Bandit.HTTP1…

bandit | Remote | Denial of Service
May 13, 2026 May 21, 2026
7.3 HIGH
CVE-2026-37430 — Qihang WMS Arbitrary Code Execution Vulnerability

An arbitrary file upload vulnerability in the ShopOrderImportController.java component of qihang-wms commit 75c15a allows attackers to execute arbitrary code via uploading a crafted file.

Remote | Misconfiguration
May 13, 2026 May 14, 2026
6.5 MEDIUM
CVE-2026-37429 — Qihang WMS SQL Injection

qihang-wms commit 75c15a was discovered to contain a SQL injection vulnerability via the datascope parameter in the SysUserMapper.xml file. This vulnerability allows attackers to access sensitive dat…

Remote | Injection
May 13, 2026 May 13, 2026
6.5 MEDIUM
CVE-2026-37428 — Qihang WMS SQL Injection Vulnerability

qihang-wms commit 75c15a was discovered to contain a SQL injection vulnerability via the datascope parameter in the SysDeptMapper.xml file. This vulnerability allows attackers to access sensitive dat…

Remote | Injection
May 13, 2026 May 13, 2026
7.2 HIGH
CVE-2026-6177 — Custom Twitter Feeds <= 2.5.4 - Unauthenticated Stored Cross-Site Scripting via Cached Tw…

The Custom Twitter Feeds plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to and including 2.5.4. This is due to insufficient output escaping in the CTF_Display_Elemen…

custom_twitter_feeds | Remote | Cross-Site Scripting
May 13, 2026 May 13, 2026
Showing 20 of 7252 Results