Latest CVE Feed

Vulnerabilities published in the last 30 days.

Score
Vulnerability
Published
6.9 MEDIUM
CVE-2026-54411 — Linux-PAM pam_userdb Plaintext Password Recovery Timing Vulnerability

Linux-PAM through 1.7.2 contains an observable timing discrepancy (CWE-208) in the pam_userdb module's plaintext-password comparison path in modules/pam_userdb/pam_userdb.c that allows a local or net…

Remote | Information Disclosure
Jun 14, 2026
9.0 HIGH
CVE-2026-54410 — nanoMODBUS TCP Server Off-by-One Buffer Overflow

nanoMODBUS through v1.23.0 contains an off-by-one buffer overflow in the recv_msg_header() function of the Modbus/TCP server that allows remote unauthenticated attackers to write one attacker-control…

Remote | Memory Corruption
Jun 14, 2026
0.0 NA
CVE-2026-11527 — Config::IniFiles versions before 3.001000 for Perl allow OS command injection and file ov…

Config::IniFiles versions before 3.001000 for Perl allow OS command injection and file overwrite via a 2-arg open() of the -file argument in _make_filehandle. Config::IniFiles::_make_filehandle open…

Injection
Jun 14, 2026
0.0 NA
CVE-2026-11526 — GD versions before 2.86 for Perl allow OS command injection and file overwrite via a 2-ar…

GD versions before 2.86 for Perl allow OS command injection and file overwrite via a 2-arg open() of filename arguments in _make_filehandle. GD::Image::_make_filehandle opens a filename argument wit…

Injection
Jun 14, 2026
0.0 NA
CVE-2025-15546 — Iptanus File Upload < 5.1.7 - File Overwrite via Race Condition

The Iptanus File Upload WordPress plugin before 5.1.7 does not implement proper file handling when the duplicatepolicy setting is configured to "maintain both." Due to a Time-of-Check to Time-of-Use …

Race Condition
Jun 14, 2026
6.8 MEDIUM
CVE-2026-54421 — OpenStack Ironic Information Disclosure

In OpenStack Ironic through 35.0.1, when applying a PATCH to update fields in volume properties the user is authorized for, Ironic can return unredacted sensitive information (such as iSCSI credentia…

ironic | Remote | Information Disclosure
Jun 14, 2026
8.5 HIGH
CVE-2026-54420 — LiteSpeed cPanel Plugin Symlink Privilege Escalation

LiteSpeed cPanel plugin before 2.4.8 (as distributed in LiteSpeed WHM PlugIn before 5.3.2.0) mishandles symlinks provided by a user with FTP or web shell access on a shared hosting server running Clo…

Remote | Path Traversal
Jun 14, 2026
5.0 MEDIUM
CVE-2026-12176 — SourceCodester CET Automated Grading System with AI Predictive Analytics index.php cross …

A vulnerability has been found in SourceCodester CET Automated Grading System with AI Predictive Analytics 1.0. The impacted element is an unknown function of the file /index.php. The manipulation of…

Jun 14, 2026
5.8 MEDIUM
CVE-2026-12175 — CodeAstro Student Attendance Management System createStudents.php sql injection

A vulnerability was detected in CodeAstro Student Attendance Management System 1.0. Impacted is an unknown function of the file /attendance-php/Admin/createStudents.php. Performing a manipulation of …

Remote | Injection
Jun 13, 2026
9.0 HIGH
CVE-2026-12174 — D-Link DCS-935L HTTP rhea snprintf format string

A security vulnerability has been detected in D-Link DCS-935L 1.10.01. This issue affects the function snprintf of the file /web/cgi-bin/greece/rhea of the component HTTP Handler. Such manipulation o…

dcs-935l_firmware | Remote | Injection
Jun 13, 2026
9.8 CRITICAL
CVE-2026-12183 — Nefteprodukttekhnika BUK TS-G Improper Authentication

Nefteprodukttekhnika BUK TS-G Gas Station Automation System 2.9.1 through 2.10.2 on Linux contains an Improper Authentication vulnerability (CWE-287) in the system configuration module. The /php/ajax…

Remote | Authentication
Jun 13, 2026
7.6 HIGH
CVE-2026-6428 — Koha SQL Injection

SQL Injection in reports/catalogue_out.pl in Koha Community Koha through 22.11.37, 23.x, 24.x before 24.11.16, 25.05.x before 25.05.11, 25.11.x before 25.11.05, 26.05.x before 26.05.01, and 26.11.x b…

Remote | Injection
Jun 13, 2026
7.2 HIGH
CVE-2026-5513 — Online Scheduling and Appointment Booking System – Bookly <= 27.2 - Unauthenticated Store…

The Online Scheduling and Appointment Booking System – Bookly plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'bookly-customer-full-name' cookie in versions up to, and inclu…

Remote | Cross-Site Scripting
Jun 13, 2026
4.3 MEDIUM
CVE-2026-1291 — Meow Gallery <= 5.4.4 - Missing Authorization to Authenticated (Author+) Shortcode creati…

The Meow Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the REST API endpoint /wp-json/meow-gallery/v1/save_shortcode in all vers…

Remote | Authorization
Jun 13, 2026
9.4 CRITICAL
CVE-2026-11624 — Model Context Protocol DNS Rebinding Vulnerability

The Model Context Protocol has a security warning advising servers to validate the "Origin" header on all incoming connections to prevent DNS rebinding attacks. Prior to the v0.25.0 release, users ha…

Remote | Misconfiguration
Jun 13, 2026
6.4 MEDIUM
CVE-2026-9629 — Canvas <= 2.5.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'tag' Bloc…

The Canvas plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'tag' parameter in all versions up to, and including, 2.5.2 due to insufficient input sanitization and output esca…

Remote | Cross-Site Scripting
Jun 13, 2026
6.4 MEDIUM
CVE-2026-3297 — Page Builder: Pagelayer – Drag and Drop website builder <= 2.0.9 - Authenticated (Contrib…

The Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Anchor block in versions up to, and including, 2.0.9 due to insuf…

pagelayer | Remote | Cross-Site Scripting
Jun 13, 2026
4.3 MEDIUM
CVE-2026-2470 — Pagelayer <= 2.0.9 - Incorrect Authorization to Authenticated (Contributor+) Mail Relay C…

The Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress is vulnerable to Incorrect Authorization in all versions up to, and including, 2.0.9. This is due to the pagelayer_sav…

pagelayer | Remote | Authorization
Jun 13, 2026
6.4 MEDIUM
CVE-2026-9134 — Photo Gallery by FooGallery : Responsive Image Gallery, Masonry Gallery & Carousel <= 3.1…

The FooGallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'custom_attribute_key' shortcode parameter in versions up to, and including, 3.1.31. This is due to an incomple…

Remote | Cross-Site Scripting
Jun 13, 2026
7.2 HIGH
CVE-2026-9109 — GPTranslate <= 2.31 - Unauthenticated Stored Cross-Site Scripting via REST API Translatio…

The GPTranslate – Multilingual AI Translation for WordPress: Automatically Translate Websites plugin for WordPress is vulnerable to Stored Cross-Site Scripting via REST API Translation Storage in all…

Remote | Cross-Site Scripting
Jun 13, 2026
Showing 20 of 6607 Results