Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
CVE Intelligence

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

All Critical Actively Exploited Remotely Exploitable
Last Updated Published CVSS Score
Score
Vulnerability
Published
4.3 MEDIUM
CVE-2026-6341 — Incomplete group locking implementation

Mattermost Plugins versions <=11.5 11.1.5 10.13.11 11.3.4.0 fail to have API-level checks on which groups the user can create issues or attach comments to which allows a user that is member of multip…

mattermost_server legal_hold | Remote | Authorization
May 18, 2026 May 29, 2026
May 18, 2026
May 29, 2026
6.5 MEDIUM
CVE-2026-6340 — Memory Exhaustion via Malicious 7zip File Upload

Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to validate 7zip archive structure before processing which allows an authenticated attacker to cause server memory exh…

mattermost_server legal_hold | Remote | Denial of Service
May 18, 2026 May 19, 2026
May 18, 2026
May 19, 2026
3.8 LOW
CVE-2026-6334 — OAuth authorization code client binding not enforced during token redemption in Mattermost

Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13 fail to enforce client identity binding during the OAuth authorization code redemption flow which allows an authenticated OAuth client to red…

mattermost_server legal_hold | Remote | Authentication
May 18, 2026 May 29, 2026
May 18, 2026
May 29, 2026
4.3 MEDIUM
CVE-2026-4273 — Insufficient token rotation validation in remote cluster invite confirmation

Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13 fail to validate that the RefreshedToken differs from the original invite token during remote cluster invite confirmation which allows an aut…

mattermost_server legal_hold | Remote | Authentication
May 18, 2026 May 19, 2026
May 18, 2026
May 19, 2026
4.3 MEDIUM
CVE-2026-3637 — Mattermost fails to enforce create_post permission when editing posts

Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to check the create_post channel permission during post edit operations which allows an authenticated attacker with re…

mattermost_server legal_hold | Remote | Authorization
May 18, 2026 May 19, 2026
May 18, 2026
May 19, 2026
4.8 MEDIUM
CVE-2026-3495 — Unescaped variables during error page composition

Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13 fail to escape some variables that could contain malicious content during error page composition which allows an attacker with access to edit…

mattermost_server legal_hold | Remote | Cross-Site Scripting
May 18, 2026 May 19, 2026
May 18, 2026
May 19, 2026
6.5 MEDIUM
CVE-2026-2325 — Improper Input Validation in MS Teams Meetings API Handler

Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to limit the size of the request body on the start meeting API endpoint, which allows an authenticated attacker to cau…

mattermost_server | Remote | Denial of Service
May 18, 2026 May 18, 2026
May 18, 2026
May 18, 2026
4.3 MEDIUM
CVE-2026-28759 — Insufficient authorization in shared channel membership sync allows remote cluster to rem…

Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to validate that a remote cluster has access to a channel before processing membership removal requests during shared …

mattermost_server legal_hold | Remote | Authorization
May 18, 2026 May 18, 2026
May 18, 2026
May 18, 2026
7.1 HIGH
CVE-2026-6495 — Ajax Load More < 7.8.4 - Reflected XSS

The Ajax Load More WordPress plugin before 7.8.4 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used again…

ajax_load_more | Remote | Cross-Site Scripting
May 18, 2026 May 18, 2026
May 18, 2026
May 18, 2026
7.5 HIGH
CVE-2026-6381 — WP Maps < 4.9.3 - Subscriber+ Local File Inclusion

The WP Maps WordPress plugin before 4.9.3 does not properly sanitize a parameter before using it in a file path, allowing authenticated users to perform Local File Inclusion attacks.

wp_maps | Remote | Path Traversal
May 18, 2026 May 18, 2026
May 18, 2026
May 18, 2026
8.6 HIGH
CVE-2026-6379 — WP Photo Album Plus < 9.1.11.001 - Unauthenticated SQL Injection via 'wppa-supersearch' P…

The WP Photo Album Plus WordPress plugin before 9.1.11.001 does not properly sanitize and escape a parameter before using it in a SQL query, allowing unauthenticated users to perform SQL injection at…

wp_photo_album_plus | Remote | Injection
May 18, 2026 May 18, 2026
May 18, 2026
May 18, 2026
8.8 HIGH
CVE-2026-3220 — Multiple Plugins - Unauthenticated Stored XSS via Minify Library

The Autoptimize WordPress plugin before 3.1.15, Clearfy Cache WordPress plugin before 2.4.2, Speed Optimizer WordPress plugin before 7.7.9 are vulnerable to unauthenticated Stored Cross-Site Script…

autoptimize | Remote | Cross-Site Scripting
May 18, 2026 May 18, 2026
May 18, 2026
May 18, 2026
5.4 MEDIUM
CVE-2026-1631 — Feeds for YouTube < 2.6.4 - Subscriber+ License Data Deletion

The Feeds for YouTube (YouTube video, channel, and gallery plugin) WordPress plugin before 2.6.4 is vulnerable to unauthorized modification of the Feeds for YouTube (YouTube video, channel, and galle…

Remote | Authorization
May 18, 2026 May 18, 2026
May 18, 2026
May 18, 2026
Showing 20 of 7373 Results