Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
CVE Intelligence

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

All Critical Actively Exploited Remotely Exploitable
Last Updated Published CVSS Score
Score
Vulnerability
Published
0.0 NA
CVE-2026-45776 — Open XDMoD has Broken Access Control via Client-Controlled Session Variable

OpenXDMoD is an open framework for collecting and analyzing HPC metrics. Prior to version 11.0.3, a flaw in Open XDMoD's access control logic allows an attacker to submit a crafted HTTPS POST request…

| Authorization
Jun 05, 2026 Jun 05, 2026
Jun 05, 2026
Jun 05, 2026
0.0 NA
CVE-2026-46357 — HAX CMS NodeJS application Vulnerable to Denial of Service using Malicious Import Request

HAX CMS helps manage microsite universe with PHP or NodeJs backends. Prior to version 26.0.0, the HAX CMS NodeJS application crashes when an authenticated attacker sends a specially crafted site crea…

haxcms-nodejs | Denial of Service
Jun 05, 2026 Jun 05, 2026
Jun 05, 2026
Jun 05, 2026
0.0 NA
CVE-2026-46493 — haxtheweb/haxcms-php uses insecure method for generating salt

HAX CMS helps manage microsite universe with PHP or NodeJs backends. Versions prior to 26.0.1 use `uniqid` for generating salts, which is unsuitable. Version 26.0.1 fixes the issue.

haxcms-php | Misconfiguration
Jun 05, 2026 Jun 05, 2026
Jun 05, 2026
Jun 05, 2026
0.0 NA
CVE-2026-46401 — HAX CMS PHP has Insufficient Session Expiration

HAX CMS helps manage microsite universe with PHP or NodeJs backends. Versions prior to 26.0.0 suffer from an improper session termination vulnerability where authentication tokens remain valid after …

| Authentication
Jun 05, 2026 Jun 05, 2026
Jun 05, 2026
Jun 05, 2026
8.8 HIGH
CVE-2026-5415 — WP Captcha PRO <= 5.38 - Authenticated (Subscriber+) Authentication Bypass via Temporary …

The WP Captcha PRO (the premium version of the Advanced Google reCAPTCHA plugin, both have the same slug) plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and includ…

Remote | Authentication
Jun 05, 2026 Jun 05, 2026
Jun 05, 2026
Jun 05, 2026
8.8 HIGH
CVE-2026-5411 — WP Captcha PRO <= 5.38 - Missing Authorization to Authenticated (Subscriber+) Arbitrary F…

The WP Captcha PRO (the premium version of the Advanced Google reCAPTCHA plugin, both have the same slug) plugin for WordPress is vulnerable to arbitrary file upload in all versions up to, and includ…

Remote | Authentication
Jun 05, 2026 Jun 05, 2026
Jun 05, 2026
Jun 05, 2026
8.7 HIGH
CVE-2026-46511 — HAXcms: Mass Token Exfiltration and Cross-Tenant Hijack

HAX CMS helps manage microsite universe with PHP or NodeJs backends. Prior to version 26.0.0, an attack chain utilizing Stored XSS alongside dynamic token exposure in the `/system/api/connectionSetti…

haxcms-nodejs haxcms-php | Remote | Cross-Site Scripting
Jun 05, 2026 Jun 05, 2026
Jun 05, 2026
Jun 05, 2026
9.3 CRITICAL
CVE-2026-46496 — HAX CMS: Stored XSS via '<video-player>' component allows arbitrary JavaScript execution …

HAX CMS helps manage microsite universe with PHP or NodeJs backends. A stored cross-site scripting (XSS) vulnerability exists in versions prior to 26.0.0 due to improper sanitization of the `<video-p…

haxcms-nodejs | Remote | Cross-Site Scripting
Jun 05, 2026 Jun 05, 2026
Jun 05, 2026
Jun 05, 2026
9.4 CRITICAL
CVE-2026-46399 — Authenticated Remote Code Execution via File Overwrite

HAX CMS helps manage microsite universe with PHP or NodeJs backends. The PHP version of HAX CMS prior to version 26.0.0 has an authenticated file overwrite vulnerability. An attacker can exploit this…

haxcms-nodejs haxcms-php | Remote | Misconfiguration
Jun 05, 2026 Jun 05, 2026
Jun 05, 2026
Jun 05, 2026
9.3 CRITICAL
CVE-2026-46396 — HAX CMS has a stored XSS via <iframe> that allows access to sensitive client-side data an…

HAX CMS helps manage microsite universe with PHP or NodeJs backends. A stored cross-site scripting (XSS) vulnerability exists in versions prior to 26.0.0 due to improper sanitization of `<iframe>` el…

haxcms-nodejs | Remote | Cross-Site Scripting
Jun 05, 2026 Jun 05, 2026
Jun 05, 2026
Jun 05, 2026
9.3 CRITICAL
CVE-2026-46395 — HAX CMS Vulnerable to Private Key Disclosure via Broken HMAC Implementation

HAX CMS helps manage microsite universe with PHP or NodeJs backends. Prior to version 26.0.0, the `hmacBase64()` function in the HAXcms Node.js backend contains two critical cryptographic implementat…

haxcms-nodejs | Remote | Cryptography
Jun 05, 2026 Jun 05, 2026
Jun 05, 2026
Jun 05, 2026
7.7 HIGH
CVE-2026-46394 — HAX CMS Vulnerable to Command Injection using Git.php

HAX CMS helps manage microsite universe with PHP or NodeJs backends. Prior to version 26.0.0, an OS command injection vulnerability exists in the Git.php library of the HAXcms PHP backend. The applic…

haxcms-php | Remote | Injection
Jun 05, 2026 Jun 05, 2026
Jun 05, 2026
Jun 05, 2026
7.1 HIGH
CVE-2026-46393 — HAXcms createSite SSRF Enables Arbitrary File Read

HAX CMS helps manage microsite universe with PHP or NodeJs backends. An authenticated Server-Side Request Forgery (SSRF) vulnerability in versions prior to 26.0.0 allows authenticated users to fetch …

haxcms-nodejs haxcms-php | Remote | Server-Side Request Forgery
Jun 05, 2026 Jun 05, 2026
Jun 05, 2026
Jun 05, 2026
8.7 HIGH
CVE-2026-46392 — HAX CMS PHP Has a Stored XSS via Case-Sensitivity Mismatch in HTML Upload Validation

HAX CMS helps manage microsite universe with PHP or NodeJs backends. Prior to version 26.0.0 of HAX CMS PHP, the `saveFile` endpoint validates upload extensions case-insensitively and writes the file…

haxcms-php | Remote | Path Traversal
Jun 05, 2026 Jun 05, 2026
Jun 05, 2026
Jun 05, 2026
8.7 HIGH
CVE-2026-46391 — HAX open-apis: Credential Theft via Server-Side Request Forgery (SSRF) in open-apis

HAX CMS helps manage microsite universe with PHP or NodeJs backends. Starting in version 9.0.1 and prior to version 26.0.0 of @haxtheweb/open-apis, multiple functions conduct substring-only matching …

Remote | Authentication
Jun 05, 2026 Jun 05, 2026
Jun 05, 2026
Jun 05, 2026
6.9 MEDIUM
CVE-2026-46390 — HAX CMS has Unauthenticated Git Access via User-Controlled Key

HAX CMS helps manage microsite universe with PHP or NodeJs backends. Starting in version 2.0.0 and prior to version 26.0.0, the gitlist plugin is exposed to unauthenticated users, allowing unauthenti…

haxcms-php | Remote | Information Disclosure
Jun 05, 2026 Jun 05, 2026
Jun 05, 2026
Jun 05, 2026
10.0 CRITICAL
CVE-2026-46389 — UDS Identity Config has a client authentication bypass in `ClientIdAndKubernetesSecretAut…

UDS Identity Config builds the Keycloak configuration image (realm, plugins, theme, truststore, JARs) consumed by UDS Core's Identity deployment. In versions 0.11.0 through 0.26.0, a logic error in t…

Remote | Authentication
Jun 05, 2026 Jun 05, 2026
Jun 05, 2026
Jun 05, 2026
9.8 CRITICAL
CVE-2026-10580 — Hippoo Mobile App for WooCommerce <= 1.9.4 - Unauthenticated Authentication Bypass to Adm…

The Hippoo Mobile App for WooCommerce plugin for WordPress is vulnerable to Authentication Bypass leading to Administrator Account Takeover in all versions up to and including 1.9.4. This is due to a…

Remote | Authentication
Jun 05, 2026 Jun 05, 2026
Jun 05, 2026
Jun 05, 2026
0.0 NA
CVE-2026-46400 — HAXCMS PHP has a File Upload Validation Bypass

HAX CMS helps manage microsite universe with PHP or NodeJs backends. Starting in version 11.0.6 and prior to version 25.0.0, the file upload functionality in HAXCMS PHP only validates file extensions…

haxcms-php | Misconfiguration
Jun 05, 2026 Jun 05, 2026
Jun 05, 2026
Jun 05, 2026
0.0 NA
CVE-2026-46398 — HAX CMS Missing Secure Flag on Cookie

HAX CMS helps manage microsite universe with PHP or NodeJs backends. Starting in version 25.0.0 and prior to version 26.0.0, the haxcms_refresh_token cookie is set without the Secure flag. This allow…

haxcms-php | Misconfiguration
Jun 05, 2026 Jun 05, 2026
Jun 05, 2026
Jun 05, 2026
Showing 20 of 7261 Results