Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
CVE Intelligence

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

All Critical Actively Exploited Remotely Exploitable
Last Updated Published CVSS Score
Score
Vulnerability
Published
8.8 HIGH
CVE-2017-20247 — WordPress Plugin PICA Photo Gallery 1.0 SQL Injection

WordPress Plugin PICA Photo Gallery 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the aid para…

Remote | Injection
Jun 09, 2026 Jun 09, 2026
Jun 09, 2026
Jun 09, 2026
8.8 HIGH
CVE-2017-20246 — KittyCatfish 2.2 Plugin for WordPress SQL Injection

KittyCatfish 2.2 plugin for WordPress contains an SQL injection vulnerability that allows unauthenticated attackers to read database contents by exploiting an unescaped GET parameter. Attackers can i…

Remote | Injection
Jun 09, 2026 Jun 09, 2026
Jun 09, 2026
Jun 09, 2026
8.8 HIGH
CVE-2017-20245 — Wow Viral Signups 2.1 WordPress Plugin SQL Injection

Wow Viral Signups 2.1 WordPress plugin contains an SQL injection vulnerability that allows unauthenticated attackers to extract database information by exploiting the unescaped 'idsignup' POST parame…

Remote | Injection
Jun 09, 2026 Jun 09, 2026
Jun 09, 2026
Jun 09, 2026
8.8 HIGH
CVE-2017-20244 — Wow Forms WordPress Plugin 2.1 SQL Injection

Wow Forms WordPress Plugin version 2.1 contains an SQL injection vulnerability that allows unauthenticated attackers to read arbitrary database information by exploiting an unescaped POST parameter. …

wow_forms | Remote | Injection
Jun 09, 2026 Jun 09, 2026
Jun 09, 2026
Jun 09, 2026
8.8 HIGH
CVE-2017-20243 — WordPress Car Park Booking Plugin SQL Injection via space_id

WordPress Car Park Booking Plugin version 13 October 17 contains a time-based SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code th…

Remote | Injection
Jun 09, 2026 Jun 09, 2026
Jun 09, 2026
Jun 09, 2026
8.8 HIGH
CVE-2016-20065 — Product Catalog 8 1.2 Plugin WordPress SQL Injection

Product Catalog 8 1.2 plugin for WordPress contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the selec…

Remote | Injection
Jun 09, 2026 Jun 09, 2026
Jun 09, 2026
Jun 09, 2026
6.9 MEDIUM
CVE-2016-20064 — WP Vault 0.8.6.6 Local File Inclusion via wpv-image Parameter

WP Vault 0.8.6.6 contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by exploiting an unescaped parameter in the include functionality. Attacke…

| Path Traversal
Jun 09, 2026 Jun 09, 2026
Jun 09, 2026
Jun 09, 2026
7.1 HIGH
CVE-2016-20063 — Single Personal Message 1.0.3 WordPress Plugin SQL Injection

Single Personal Message 1.0.3 contains an SQL injection vulnerability that allows authenticated users to execute arbitrary SQL queries by injecting malicious code through the message parameter. Attac…

Remote | Injection
Jun 09, 2026 Jun 09, 2026
Jun 09, 2026
Jun 09, 2026
8.8 HIGH
CVE-2016-20062 — Simply Poll 1.4.1 Plugin for WordPress SQL Injection

Simply Poll 1.4.1 plugin for WordPress contains an SQL injection vulnerability that allows unauthenticated attackers to extract database information by injecting SQL code through the 'pollid' POST pa…

Remote | Injection
Jun 09, 2026 Jun 09, 2026
Jun 09, 2026
Jun 09, 2026
7.1 HIGH
CVE-2026-49742 — TYPO3 CMS - Broken Access Control in Media Module

Backend users with file download permissions were able to download files from the fallback storage of the file abstraction layer (FAL) via the Media Module. Since the fallback storage resolves paths …

Remote | Path Traversal
Jun 09, 2026 Jun 09, 2026
Jun 09, 2026
Jun 09, 2026
8.7 HIGH
CVE-2026-49741 — TYPO3 CMS - Privilege Escalation & SQL Injection in Form Framework

Backend users with write access to the form_definition database table were able to directly create, update, or delete form definition records via DataHandler, bypassing the Form Framework's persisten…

Remote | Authorization
Jun 09, 2026 Jun 09, 2026
Jun 09, 2026
Jun 09, 2026
6.3 MEDIUM
CVE-2026-49740 — TYPO3 CMS - Insecure Deserialization in Core API

TYPO3's cache frontend (VariableFrontend) and persistent key-value store (Registry) deserialized PHP payloads without integrity validation or class restrictions. An attacker with write access to the …

| Injection
Jun 09, 2026 Jun 09, 2026
Jun 09, 2026
Jun 09, 2026
2.1 LOW
CVE-2026-49738 — TYPO3 CMS - Broken Access Control in File Abstraction Layer

The path allowance check in GeneralUtility::isAllowedAbsPath() performed a plain string prefix comparison without requiring a directory separator boundary, causing a path like /var/www/html-other/sec…

Remote | Path Traversal
Jun 09, 2026 Jun 09, 2026
Jun 09, 2026
Jun 09, 2026
5.3 MEDIUM
CVE-2026-47352 — TYPO3 CMS - Broken Access Control in Backend API

Authenticated backend users were able to retrieve file metadata via several Backend API routes without proper permission checks, allowing access to files outside their permitted file mounts or storag…

Remote | Authorization
Jun 09, 2026 Jun 09, 2026
Jun 09, 2026
Jun 09, 2026
5.3 MEDIUM
CVE-2026-47351 — TYPO3 CMS - Broken Access Control in Clipboard

Backend users were able to insert arbitrary records and files into the TYPO3 clipboard without proper read permission checks, which allowed users to gather information about records and files they we…

Remote | Authorization
Jun 09, 2026 Jun 09, 2026
Jun 09, 2026
Jun 09, 2026
5.3 MEDIUM
CVE-2026-47350 — TYPO3 CMS - Broken Access Control in DataHandler

Backend users were able to move records to a different page without having edit permissions on the source page. This issue affects TYPO3 CMS versions 13.0.0-13.4.31 and 14.0.0-14.3.3.

Remote | Authorization
Jun 09, 2026 Jun 09, 2026
Jun 09, 2026
Jun 09, 2026
5.3 MEDIUM
CVE-2026-47349 — TYPO3 CMS - Broken Access Control in Recycler

Backend users with access to the Recycler module were able to restore soft-deleted records on pages or for tables they were not authorized to modify. This issue affects TYPO3 CMS versions before 10.4…

Remote | Authorization
Jun 09, 2026 Jun 09, 2026
Jun 09, 2026
Jun 09, 2026
5.1 MEDIUM
CVE-2026-47348 — TYPO3 CMS - Cross-Site Scripting in Indexed Search

Editors with access to create or modify page content were able to include HTML markup in page titles that were stored in the search index without sanitization. When displayed in frontend search resul…

Remote | Cross-Site Scripting
Jun 09, 2026 Jun 09, 2026
Jun 09, 2026
Jun 09, 2026
5.3 MEDIUM
CVE-2026-47347 — TYPO3 CMS - Open Redirect in Core Utilities

Applications that use GeneralUtility::sanitizeLocalUrl to allow only local URLs are vulnerable to open redirect attacks if the URL is used after it has passed the aforementioned sanitization checks. …

Remote | Server-Side Request Forgery
Jun 09, 2026 Jun 09, 2026
Jun 09, 2026
Jun 09, 2026
7.6 HIGH
CVE-2026-47346 — TYPO3 CMS - Broken Access Control in Form Framework

Backend users with file write permissions were able to upload form definition files with mixed-case extensions (e.g., .FORM.YAML) to bypass the Form Framework's upload restriction. Maliciously crafte…

Remote | Path Traversal
Jun 09, 2026 Jun 09, 2026
Jun 09, 2026
Jun 09, 2026
Showing 20 of 6995 Results