Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
CVE Intelligence

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

All Critical Actively Exploited Remotely Exploitable
Last Updated Published CVSS Score
Score
Vulnerability
Published
6.4 MEDIUM
CVE-2026-8900 — Simple SEO Slideshow <= 1.2.8 - Authenticated (Contributor+) Stored Cross-Site Scripting …

The Simple SEO Slideshow plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Shortcode Attributes in all versions up to, and including, 1.2.8 due to insufficient input sanitization …

Remote | Cross-Site Scripting
Jun 06, 2026 Jun 06, 2026
Jun 06, 2026
Jun 06, 2026
6.4 MEDIUM
CVE-2026-8893 — Express Payment For Stripe <= 1.28.0 - Authenticated (Contributor+) Stored Cross-Site Scr…

The Express Payment For Stripe plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'type' attribute of the [stripe-express] shortcode in versions up to, and including, 1.28.0. T…

Remote | Cross-Site Scripting
Jun 06, 2026 Jun 06, 2026
Jun 06, 2026
Jun 06, 2026
5.3 MEDIUM
CVE-2026-8608 — Event Monster <= 2.1.0 - Unauthenticated Insufficient Verification of Data Authenticity t…

The Event Monster – Event Management, Events Calendar, Tickets plugin for WordPress is vulnerable to Insufficient Verification of Data Authenticity in versions up to, and including, 2.1.0. This is du…

Remote | Authentication
Jun 06, 2026 Jun 06, 2026
Jun 06, 2026
Jun 06, 2026
4.3 MEDIUM
CVE-2026-7047 — Frontend User Notes <= 2.1.1 - Cross-Site Request Forgery to Note Content Modification vi…

The Frontend User Notes plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1.1. This is due to missing or incorrect nonce validation on the funp_…

Remote | Cross-Site Request Forgery
Jun 06, 2026 Jun 06, 2026
Jun 06, 2026
Jun 06, 2026
4.9 MEDIUM
CVE-2026-6448 — Quiz and Survey Master (QSM) <= 11.1.2 - Authenticated (Admin+) SQL Injection via 'order'…

The Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'order' parameter in all versions up to, and including, 11.1…

Remote | Injection
Jun 06, 2026 Jun 06, 2026
Jun 06, 2026
Jun 06, 2026
6.8 MEDIUM
CVE-2026-6242 — Authenticated Format String Vulnerability in ONVIF Subscribe Service on TP-Link Tapo C520…

An authenticated format string vulnerability exists in the ONVIF Subscribe service in Tapo C520WS v2 due to improper handling of externally supplied parameters within formatting functions. An attacke…

tapo_c520ws | Injection
Jun 06, 2026 Jun 06, 2026
Jun 06, 2026
Jun 06, 2026
6.8 MEDIUM
CVE-2026-6241 — Authenticated Format String Vulnerability in ONVIF AddScopes Method on TP-Link Tapo C520WS

An authenticated format string vulnerability is present in the ONVIF AddScopes in Tapo C520WS v2, where user-controlled input is improperly passed to formatting functions without adequate sanitizatio…

tapo_c520ws | Injection
Jun 06, 2026 Jun 06, 2026
Jun 06, 2026
Jun 06, 2026
6.8 MEDIUM
CVE-2026-6240 — Authenticated Stack-based Buffer Overflow in ONVIF DeleteUsers Service on TP-Link Tapo C5…

A stack-based buffer overflow vulnerability exists in Tapo C520WS v2 in the ONVIF DeleteUsers service, due to insufficient boundary checks when handling multiple user deletion parameters. An authenti…

tapo_c520ws | Memory Corruption
Jun 06, 2026 Jun 06, 2026
Jun 06, 2026
Jun 06, 2026
6.8 MEDIUM
CVE-2026-6239 — Authenticated Stack-based Buffer Overflow in ONVIF CreateUsers Service in TP-Link Tao C52…

A stack‑based buffer overflow vulnerability exists in Tapo C520WS v2 in the ONVIF CreateUsers service, where the device fails to properly validate the number of XML user nodes during request processi…

tapo_c520ws | Memory Corruption
Jun 06, 2026 Jun 06, 2026
Jun 06, 2026
Jun 06, 2026
7.0 HIGH
CVE-2026-34123 — Whitelist Validation Bypass in TP-Link Tapo C520WS

On Tapo C520WS v2, restricted accounts (for example, hub users) are intended to execute only a limited set of low‑sensitivity operations. Due to a logic flaw in the device’s API authorization mechani…

tapo_c520ws | Authorization
Jun 06, 2026 Jun 06, 2026
Jun 06, 2026
Jun 06, 2026
4.3 MEDIUM
CVE-2026-10038 — Charitable <= 1.8.11.1 - Authenticated (Subscriber+) Insecure Direct Object Reference to …

The Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More plugin for WordPress is vulnerable to Insecure Direct Object Reference / Authorization Bypass leading to A…

Remote | Authorization
Jun 06, 2026 Jun 06, 2026
Jun 06, 2026
Jun 06, 2026
3.8 LOW
CVE-2025-12656 — Migration, Backup, Staging – WPvivid Backup & Migration <= 0.9.128 - Authenticated (Admin…

The Migration, Backup, Staging – WPvivid Backup & Migration plugin for WordPress is vulnerable to arbitrary directory deletion due to insufficient file path validation in the delete_cancel_staging_si…

Remote | Path Traversal
Jun 06, 2026 Jun 06, 2026
Jun 06, 2026
Jun 06, 2026
8.8 HIGH
CVE-2026-7654 — Admin Columns <= 7.0.18 - Authenticated (Contributor+) PHP Object Injection to Remote Cod…

The Admin Columns plugin for WordPress is vulnerable to PHP Object Injection leading to Remote Code Execution in versions up to and including 7.0.18. This is due to the use of `unserialize()` without…

Remote | Injection
Jun 05, 2026 Jun 05, 2026
Jun 05, 2026
Jun 05, 2026
4.3 MEDIUM
CVE-2026-7523 — Alba Board <= 2.1.3 - Missing Authorization to Authenticated (Subscriber+) Sensitive Info…

The Alba Board plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.1.3. This is due to the plugin not properly verifying that a user is authorized to pe…

Remote | Authorization
Jun 05, 2026 Jun 05, 2026
Jun 05, 2026
Jun 05, 2026
6.9 MEDIUM
CVE-2026-45409 — Internationalized Domain Names in Applications (IDNA): Specially crafted inputs to idna.e…

Internationalized Domain Names in Applications (IDNA) for Python provides support for Internationalized Domain Names in Applications (IDNA) and Unicode IDNA Compatibility Processing. In versions prio…

Remote | Denial of Service
Jun 05, 2026 Jun 05, 2026
Jun 05, 2026
Jun 05, 2026
8.3 HIGH
CVE-2026-11431 — Path Traversal in Altium Projects Service Allows Arbitrary File Read

A path traversal vulnerability exists in the Projects Service download endpoint shared by Altium Enterprise Server and Altium 365. An authenticated user can supply a crafted path parameter that bypas…

Remote | Path Traversal
Jun 05, 2026 Jun 05, 2026
Jun 05, 2026
Jun 05, 2026
9.4 CRITICAL
CVE-2026-11429 — Path Traversal in Altium Git Service Allows Remote Code Execution

A path traversal vulnerability exists in the Git Service component shared by Altium Enterprise Server and Altium 365. The service accepts a sequence of post-clone file-manipulation operations that us…

Remote | Path Traversal
Jun 05, 2026 Jun 05, 2026
Jun 05, 2026
Jun 05, 2026
8.3 HIGH
CVE-2026-11424 — Server-Side Request Forgery in Altium Platform Design GraphQL Service Allows Information …

A server-side request forgery (SSRF) vulnerability exists in a GraphQL service component shared by Altium Enterprise Server and Altium 365. An authenticated user can submit a request whose input is t…

Remote | Server-Side Request Forgery
Jun 05, 2026 Jun 05, 2026
Jun 05, 2026
Jun 05, 2026
8.1 HIGH
CVE-2026-11416 — MoviePilot Path Traversal via Cloud Storage Download Handlers

MoviePilot contains a path traversal vulnerability in the AliPan, U115, and Rclone cloud storage download handlers where the local destination path is constructed by concatenating the configured down…

Remote | Path Traversal
Jun 05, 2026 Jun 05, 2026
Jun 05, 2026
Jun 05, 2026
0.0 NA
CVE-2026-36785 — Tenda Stack Overflow Denial of Service

Shenzhen Tenda Technology Co., Ltd Tenda FH451 V1.0.0.9 was discovered to contain a stack overflow in the page parameter of the fromDhcpListClient function. This vulnerability allows attackers to cau…

| Denial of Service
Jun 05, 2026 Jun 05, 2026
Jun 05, 2026
Jun 05, 2026
Showing 20 of 7232 Results