Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
CVE Intelligence

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

All Critical Actively Exploited Remotely Exploitable
Last Updated Published CVSS Score
Score
Vulnerability
Published
5.1 MEDIUM
CVE-2024-47097 — Reflected Cross-Site Scripting in Follet School Solutions Destiny

Cross Site Scripting vulnerability in Follet School Solutions Destiny before v22.0.1 AU1 allows a remote attacker to run arbitrary client-side code via the site parameter of handleloginform.do.

Remote | Cross-Site Scripting
May 28, 2026 May 28, 2026
May 28, 2026
May 28, 2026
5.1 MEDIUM
CVE-2024-47096 — Reflected Cross-Site Scripting in Follet School Solutions Destiny

Cross Site Scripting vulnerability in Follet School Solutions Destiny before v22.0.1 AU1 allows a remote attacker to run arbitrary client-side code via the showSupportExpiredMessage parameter of hand…

Remote | Cross-Site Scripting
May 28, 2026 May 28, 2026
May 28, 2026
May 28, 2026
6.3 MEDIUM
CVE-2026-9806 — Stored Cross-Site Scripting (XSS) in CTI Transmute Notification Panel via Malicious Conve…

A stored cross-site scripting (XSS) vulnerability exists in the notification panel of CTI Transmute in versions prior to the patched release. Notification messages containing user-controlled convert …

Remote | Cross-Site Scripting
May 28, 2026 May 29, 2026
May 28, 2026
May 29, 2026
4.3 MEDIUM
CVE-2026-9618 — PeachPay <= 1.120.46 - Cross-Site Request Forgery to Stripe Unlink

The PeachPay — Payments & Express Checkout for WooCommerce (supports Stripe, PayPal, Square, Authorize.net, NMI) plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to…

Remote | Cross-Site Request Forgery
May 28, 2026 May 28, 2026
May 28, 2026
May 28, 2026
8.8 HIGH
CVE-2026-9227 — GutenBee <= 2.20.1 - Authenticated (Author+) Arbitrary File Upload via wp_check_filetype_…

The GutenBee – Gutenberg Blocks plugin for WordPress is vulnerable to Arbitrary File Upload in all versions up to, and including, 2.20.1 via the gutenbee_file_and_ext_json function. This is due to a …

Remote | Authentication
May 28, 2026 May 28, 2026
May 28, 2026
May 28, 2026
4.3 MEDIUM
CVE-2026-8682 — 3D Viewer <= 2.0.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugi…

The 3D Viewer – 3D Model Viewer – Augmented Reality – Virtual Try On plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.0.1. This is due to the plugin …

Remote | Authorization
May 28, 2026 May 28, 2026
May 28, 2026
May 28, 2026
8.6 HIGH
CVE-2026-7862 — Eupago Gateway For Woocommerce < 4.7.2 - Unauthenticated Arbitrary Refund Initiation

The Eupago Gateway For Woocommerce WordPress plugin before 4.7.2 does not properly restrict access to its refund request handler, allowing unauthenticated attackers to initiate refunds against any Wo…

Remote | Authentication
May 28, 2026 May 28, 2026
May 28, 2026
May 28, 2026
7.5 HIGH
CVE-2026-7797 — Appointment Booking Calendar <= 1.6.11.8 - Unauthenticated SQL Injection via 'append_wher…

The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'append_where_sql' parameter in all version…

simply_schedule_appointments | Remote | Injection
May 28, 2026 May 28, 2026
May 28, 2026
May 28, 2026
6.1 MEDIUM
CVE-2026-7660 — Easy Updates Manager <= 9.0.20 - Reflected Cross-Site Scripting via 'paged' Parameter

The Easy Updates Manager plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'paged' parameter in versions up to, and including, 9.0.20 This is due to insufficient input sani…

easy_updates_manager | Remote | Cross-Site Scripting
May 28, 2026 May 28, 2026
May 28, 2026
May 28, 2026
5.3 MEDIUM
CVE-2026-7651 — User Registration & Membership <= 5.1.5 - Authenticated (Subscriber+) Insecure Direct Obj…

The User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder plugin for WordPress is vulnerable to Insecure…

user_registration_\&_membership | Remote | Authorization
May 28, 2026 May 28, 2026
May 28, 2026
May 28, 2026
7.2 HIGH
CVE-2026-7634 — SlimStat Analytics <= 5.4.11 - Unauthenticated Stored Cross-Site Scripting via User-Agent…

The SlimStat Analytics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'User-Agent' header in all versions up to, and including, 5.4.11 due to insufficient input sanitizatio…

slimstat_analytics | Remote | Cross-Site Scripting
May 28, 2026 May 28, 2026
May 28, 2026
May 28, 2026
4.3 MEDIUM
CVE-2026-7621 — SMTP2GO for WordPress <= 1.16.0 - Missing Authorization to Authenticated (Subscriber+) Lo…

The SMTP2GO for WordPress – Email Made Easy plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 1.16.0. This is due to the plugin not properly verifying th…

smtp2go | Remote | Authorization
May 28, 2026 May 28, 2026
May 28, 2026
May 28, 2026
5.3 MEDIUM
CVE-2026-7552 — Geo Mashup <= 1.13.19 - Missing Authorization to Unauthenticated Plugin Settings Disclosu…

The Geo Mashup plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.13.19. This is due to the plugin not properly verifying that a user is authorized to …

geo_mashup | Remote | Authorization
May 28, 2026 May 28, 2026
May 28, 2026
May 28, 2026
7.2 HIGH
CVE-2026-7052 — HT Contact Form <= 2.8.2 - Unauthenticated Stored Cross-Site Scripting via File Upload Fi…

The HT Contact Form – Drag & Drop Form Builder for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'file_upload' parameter in all versions up to, and including, 2.…

download_contact_form_7_widget_for_elementor_page_builder_\&_gutenberg_blocks | Remote | Cross-Site Scripting
May 28, 2026 May 28, 2026
May 28, 2026
May 28, 2026
8.1 HIGH
CVE-2026-6455 — WP Contact Form 7 DB Handler <= 3.0 - Cross-Site Request Forgery to Arbitrary File Deleti…

The WP Contact Form 7 DB Handler plugin for WordPress is vulnerable to Cross-Site Request Forgery leading to Arbitrary File Deletion via SQL Injection and PHP Object Injection in versions up to and i…

Remote | Cross-Site Request Forgery
May 28, 2026 May 28, 2026
May 28, 2026
May 28, 2026
6.4 MEDIUM
CVE-2026-6427 — a3 Lazy Load <= 2.7.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Vide…

The a3 Lazy Load plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.7.6 This is due to a regex bug in the _filter_videos() method that breaks HT…

Remote | Cross-Site Scripting
May 28, 2026 May 28, 2026
May 28, 2026
May 28, 2026
7.0 HIGH
CVE-2026-44604 — Rpm: command injection in rpmuncompress dountar() via unescaped archive top-level directo…

A command injection vulnerability was discovered in the `rpmuncompress` utility of RPM. When extracting certain archive formats (ZIP, 7z, GEM) to a specified destination directory, the tool inserts t…

enterprise_linux openshift_container_platform satellite enterprise_linux satellite hardened_images | Injection
May 28, 2026 May 28, 2026
May 28, 2026
May 28, 2026
5.3 MEDIUM
CVE-2026-9803 — Keycloak: keycloak: denial of service via malformed authorization header

A flaw was found in Keycloak's ClientRegistrationAuth component. A remote unauthenticated attacker can exploit this vulnerability by sending a specially crafted POST request with a malformed 'Authori…

build_of_keycloak | Remote | Denial of Service
May 28, 2026 Jun 03, 2026
May 28, 2026
Jun 03, 2026
6.8 MEDIUM
CVE-2026-9802 — Keycloak: keycloak: unauthorized account access via replayed refresh tokens after cluster…

A flaw was found in Keycloak. When revokeRefreshToken=true is enabled and persistent session storage is in use, a server restart can reset internal timing mechanisms. This allows a remote attacker, w…

build_of_keycloak | Remote | Authentication
May 28, 2026 Jun 03, 2026
May 28, 2026
Jun 03, 2026
4.9 MEDIUM
CVE-2026-9801 — Keycloak: keycloak: denial of service via malformed ldap password policy response

A flaw was found in Keycloak. A remote attacker with high privileges, such as a realm administrator configuring a malicious Lightweight Directory Access Protocol (LDAP) server or an attacker compromi…

build_of_keycloak | Remote | Denial of Service
May 28, 2026 Jun 03, 2026
May 28, 2026
Jun 03, 2026
Showing 20 of 7094 Results