Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
CVE Intelligence

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

All Critical Actively Exploited Remotely Exploitable
Last Updated Published CVSS Score
Score
Vulnerability
Published
8.8 HIGH
CVE-2026-9860 — Offload, AI & Optimize with Cloudflare Images <= 1.10.2 - Authenticated (Author+) Remote …

The Offload, AI & Optimize with Cloudflare Images plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.10.2 via the 'account-id' parameter parameter. Th…

Remote | Misconfiguration
Jun 18, 2026 Jun 18, 2026
Jun 18, 2026
Jun 18, 2026
5.3 MEDIUM
CVE-2026-12120 — FireBox Popups <= 3.1.7 - Unauthenticated Sensitive Information Exposure in 'form_id' Par…

The FireBox Popups – Increase Sales and Grow Your Email List plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.1.7 via the 'form_id' paramet…

Remote | Information Disclosure
Jun 18, 2026 Jun 18, 2026
Jun 18, 2026
Jun 18, 2026
4.9 MEDIUM
CVE-2026-11777 — Form Maker by 10Web <= 1.15.43 - Authenticated (Administrator+) SQL Injection via 'name' …

The Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder plugin for WordPress is vulnerable to generic SQL Injection via the 'name' parameter in all versions up to, and including, 1…

form_maker | Remote | Injection
Jun 18, 2026 Jun 18, 2026
Jun 18, 2026
Jun 18, 2026
4.3 MEDIUM
CVE-2026-9199 — Equalize Digital Accessibility Checker <= 1.42.1 - Missing Authorization to Authenticated…

The Equalize Digital Accessibility Checker – WCAG, ADA, EAA and Section 508 compliance plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.42.1. This is…

Remote | Authorization
Jun 18, 2026 Jun 18, 2026
Jun 18, 2026
Jun 18, 2026
8.8 HIGH
CVE-2026-12407 — E2Pdf <= 1.32.26 - Missing Authorization to Authenticated (Custom+) Arbitrary Option Upda…

The E2Pdf – Export Pdf Tool for WordPress plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 1.32.26. This is due to the screen_action() function lacking a …

e2pdf | Remote | Authorization
Jun 18, 2026 Jun 18, 2026
Jun 18, 2026
Jun 18, 2026
4.3 MEDIUM
CVE-2026-10023 — Dokan: AI Powered WooCommerce Multivendor Marketplace Solution <= 5.0.3 - Insecure Direct…

The Dokan: AI Powered WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, an…

dokan | Remote | Authorization
Jun 18, 2026 Jun 18, 2026
Jun 18, 2026
Jun 18, 2026
7.8 HIGH
CVE-2026-12505 — Cifs-utils: local privilege escalation via forged cifs.spnego key description in cifs.upc…

A flaw was found in the cifs-utils package where the cifs.upcall helper fails to securely drop its root privileges before looking up user information inside a user-controlled environment. A local, lo…

enterprise_linux openshift_container_platform enterprise_linux | Authentication
Jun 18, 2026 Jun 18, 2026
Jun 18, 2026
Jun 18, 2026
9.3 CRITICAL
CVE-2026-12569 — Remote Code Execution (RCE) vulnerability in Windchill PDMlink

A critical remote code execution (RCE) vulnerability has been reported in PTC Windchill PDMlink and PTC FlexPLM. The vulnerability may be exploited through the deserialization of untrusted data.  * …

Remote | Injection
Jun 18, 2026 Jun 18, 2026
Jun 18, 2026
Jun 18, 2026
9.8 CRITICAL
CVE-2026-38717

InHand Networks IR912 V1.0.0.r20042 and IR915 V1.0.0.r20042 (including earlier versions) were discovered to contain a command injection vulnerability in the file upload function. The vulnerability al…

Remote | Injection
Jun 18, 2026 Jun 18, 2026
Jun 18, 2026
Jun 18, 2026
7.5 HIGH
CVE-2026-38718 — InHand Networks IR912/IR915 Buffer Overflow Denial-of-Service Vulnerability

InHand Networks IR912 V1.0.0.r20042 and IR915 V1.0.0.r20042 (including earlier versions) were discovered to contain a buffer overflow vulnerability in the device registration function. This vulnerabi…

Remote | Denial of Service
Jun 18, 2026 Jun 18, 2026
Jun 18, 2026
Jun 18, 2026
9.8 CRITICAL
CVE-2026-38715 — InHand Networks Command Injection

InHand Networks IR912 V1.0.0.r20042 and IR915 V1.0.0.r20042 (including earlier versions) were discovered to contain a command injection vulnerability in the log viewing function. This vulnerability a…

Remote | Injection
Jun 18, 2026 Jun 18, 2026
Jun 18, 2026
Jun 18, 2026
9.8 CRITICAL
CVE-2026-38714 — InHand Networks Command Injection

InHand Networks IR912 V1.0.0.r20042 and IR915 V1.0.0.r20042 (including earlier versions) were discovered to contain a command injection vulnerability in the Python configuration function. This vulner…

Remote | Injection
Jun 18, 2026 Jun 18, 2026
Jun 18, 2026
Jun 18, 2026
9.8 CRITICAL
CVE-2026-38716 — InHand Networks Command Injection

InHand Networks IR912 V1.0.0.r20042 and IR915 V1.0.0.r20042 (including earlier versions) were discovered to contain a command injection vulnerability in the Python application export function. This v…

Remote | Injection
Jun 18, 2026 Jun 18, 2026
Jun 18, 2026
Jun 18, 2026
8.2 HIGH
CVE-2026-48764 — TypeBot has SSRF in HTTP request and script fetch flows via DNS rebinding bypass

TypeBot is a chatbot builder tool. In versions prior to 3.17.2, SSRF validation is implemented by resolving a hostname once and checking whether the resolved IP belongs to a forbidden range allowing …

typebot | Remote | Server-Side Request Forgery
Jun 17, 2026 Jun 17, 2026
Jun 17, 2026
Jun 17, 2026
9.3 CRITICAL
CVE-2026-48768 — TypeBot: Unauthenticated arbitrary s3 object write in generate-upload-url via unsanitized…

TypeBot is a chatbot builder tool. In versions 3.16.1 and earlier, POST /api/blocks/file-input/v3/generate-upload-url is unauthenticated and uses unsanitized fileName input to construct public/ S3 ob…

typebot | Remote | Authentication
Jun 17, 2026 Jun 17, 2026
Jun 17, 2026
Jun 17, 2026
8.6 HIGH
CVE-2026-53676 — ThingsBoard Prototype Pollution

ThingsBoard contains a prototype pollution vulnerability which may lead to arbitrary code execution within a sandboxed context by a user who can log in to the affected product with the tenant adminis…

thingsboard | Remote | Information Disclosure
Jun 17, 2026 Jun 17, 2026
Jun 17, 2026
Jun 17, 2026
7.5 HIGH
CVE-2026-45357 — LiquidJS: Memory and render limit bypass via unbounded width padding in `date` filter (st…

LiquidJS is a Shopify/GitHub Pages compatible template engine written in pure JavaScript. In versions 10.25.7 and below, the date filter's strftime implementation parses width specifiers like %999999…

liquidjs | Remote | Memory Corruption
Jun 17, 2026 Jun 17, 2026
Jun 17, 2026
Jun 17, 2026
5.3 MEDIUM
CVE-2026-44646 — LiquidJS: `{% render %}` tag silently bypasses per-render `ownPropertyOnly:true` via `Con…

LiquidJS is a Shopify/GitHub Pages compatible template engine written in pure JavaScript. In versions 10.25.7 and below, Context.spawn() creates a child Context for the {% render %} tag but does not …

liquidjs | Remote | Misconfiguration
Jun 17, 2026 Jun 17, 2026
Jun 17, 2026
Jun 17, 2026
6.9 MEDIUM
CVE-2026-54533 — vantage6 node has an Improper Access Control issue

vantage6 is an open-source infrastructure for privacy preserving analysis. Prior to version 5.0.0, malicious algorithms can potentially access other algorithms input and output files. Version 5.0.0 f…

vantage6 | Remote | Authorization
Jun 17, 2026 Jun 17, 2026
Jun 17, 2026
Jun 17, 2026
6.9 MEDIUM
CVE-2026-54445 — Vantage6: Set admin user and password from environment or configuration

vantage6 is an open-source infrastructure for privacy preserving analysis. Versions prior to 5.0.0 provide an initial user with username `root` and password `root`. This is not ideal because attacker…

vantage6 | Remote | Authentication
Jun 17, 2026 Jun 17, 2026
Jun 17, 2026
Jun 17, 2026
Showing 20 of 7580 Results