Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score | Vulnerability | Published
6.1 MEDIUM
CVE-2026-3455 — Mailparser Cross-site Scripting (XSS) Vulnerability

Versions of the package mailparser before 3.9.3 are vulnerable to Cross-site Scripting (XSS) via the textToHtml() function due to the improper sanitisation of URLs in the email content. An attacker c…

Remote | Cross-Site Scripting
Mar 03, 2026
4.8 MEDIUM
CVE-2026-3449 — "Once Package Incorrect Control Flow Scoping Vulnerability"

Versions of the package @tootallnate/once before 3.0.1 are vulnerable to Incorrect Control Flow Scoping in promise resolving when AbortSignal option is used. The Promise remains in a permanently pend…

| Misconfiguration
Mar 03, 2026
9.8 CRITICAL
CVE-2026-1492 — User Registration & Membership <= 5.1.2 - Unauthenticated Privilege Escalation via Member…

The User Registration & Membership – Custom Registration Form Builder, Custom Login Form, User Profile, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to improper privileg…

Remote | Authorization
Mar 03, 2026
5.6 MEDIUM
CVE-2026-20801 — Gallagher Hanwha VMS and Gallagher NxWitness VMS Unprivileged Access to Live Video Streams

Cleartext Transmission of Sensitive Information (CWE-319) in a component used in the Gallagher Hanwha VMS and Gallagher NxWitness VMS integrations allows unprivileged users with local network access …

Remote | Cryptography
Mar 03, 2026
2.5 LOW
CVE-2026-20757 — Gallagher Morpho Command Centre Server Denial-of-Service Vulnerability

Improper Locking vulnerability (CWE-667) in Gallagher Morpho integration allows a privileged operator to cause a limited denial-of-service in the Command Centre Server. This issue affects Command …

| Race Condition
Mar 03, 2026
5.7 MEDIUM
CVE-2025-47147 — Command Centre Mobile Client Cleartext Storage of Sensitive Information

Cleartext Storage of Sensitive Information (CWE-312) in the Command Centre Mobile Client on Android and iOS could allow an attacker with access to a logged-in Operator's mobile device to extract the …

| Cryptography
Mar 03, 2026
9.8 CRITICAL
CVE-2026-2628 — All-in-One Microsoft 365 & Entra ID / Azure AD SSO Login <= 2.2.5 - Authentication Bypass

The All-in-One Microsoft 365 & Entra ID / Azure AD SSO Login plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 2.2.5. This makes it possible for unauth…

Remote | Authentication
Mar 03, 2026
8.8 HIGH
CVE-2026-2448 — Page Builder by SiteOrigin <= 2.33.5 - Authenticated (Contributor+) Local File Inclusion

The Page Builder by SiteOrigin plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.33.5 via the locate_template() function. This makes it possible for a…

Remote | Path Traversal
Mar 03, 2026
7.2 HIGH
CVE-2026-2269 — Uncanny Automator – Easy Automation, Integration, Webhooks & Workflow Builder Plugin <= 7…

The Uncanny Automator – Easy Automation, Integration, Webhooks & Workflow Builder Plugin plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 7.0.0.…

Remote | Server-Side Request Forgery
Mar 03, 2026
6.5 MEDIUM
CVE-2026-1487 — LatePoint <= 5.2.7 - Authenticated (Administrator+) SQL Injection via JSON Import

The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to SQL Injection via the JSON Import in all versions up to, and including, 5.2.7 due to insuffic…

Remote | Injection
Mar 03, 2026
8.2 HIGH
CVE-2026-0754 — SIP Service Providers – Possible Impersonation of Poly Voice Device

An embedded test key and certificate could be extracted from a Poly Voice device using specialized reverse engineering tools. This extracted certificate could be accepted by a SIP service provider if…

| Cryptography
Mar 03, 2026
8.8 HIGH
CVE-2026-1566 — LatePoint <= 5.2.7 - Authenticated (Agent+) Privilege Escalation

The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to privilege escalation via password reset in all versions up to, and including, 5.2.7. This is …

Remote | Authentication
Mar 03, 2026
5.3 MEDIUM
CVE-2026-1336 — AI ChatBot with ChatGPT and Content Generator by AYS <= 2.7.5 - Missing Authorization to …

The AI ChatBot with ChatGPT and Content Generator by AYS plugin for WordPress is vulnerable to unauthorized access and modification of data due to missing capability checks on the store_data() and ge…

Remote | Authentication
Mar 03, 2026
6.4 MEDIUM
CVE-2026-2583 — Blocksy <= 2.1.30 - Authenticated (Contributor+) Stored Cross-Site Scripting via `blocksy…

The Blocksy theme for WordPress is vulnerable to Stored Cross-Site Scripting via the `blocksy_meta` metadata fields in all versions up to, and including, 2.1.30 due to insufficient input sanitization…

Remote | Cross-Site Scripting
Mar 02, 2026
8.7 HIGH
CVE-2026-3338 — PKCS7_verify Signature Validation Bypass in AWS-LC

Improper signature validation in PKCS7_verify() in AWS-LC allows an unauthenticated user to bypass signature verification when processing PKCS7 objects with Authenticated Attributes. Customers of …

Remote | Cryptography
Mar 02, 2026
8.2 HIGH
CVE-2026-3337 — Timing Side-Channel in AES-CCM Tag Verification in AWS-LC

Observable timing discrepancy in AES-CCM decryption in AWS-LC allows an unauthenticated user to potentially determine authentication tag validity via timing analysis. The impacted implementations…

Remote | Cryptography
Mar 02, 2026
8.7 HIGH
CVE-2026-3336 — PKCS7_verify Certificate Chain Validation Bypass in AWS-LC

Improper certificate validation in PKCS7_verify() in AWS-LC allows an unauthenticated user to bypass certificate chain verification when processing PKCS7 objects with multiple signers, except the fin…

Remote | Misconfiguration
Mar 02, 2026
0.0 NA
CVE-2026-2256 — Command injection vulnerability in ModelScope's ms-agent

A command injection vulnerability in ModelScope's ms-agent versions v1.6.0rc1 and earlier exists, allowing an attacker to execute arbitrary operating system commands through crafted prompt-derived in…

| Injection
Mar 02, 2026
2.7 LOW
CVE-2026-27631 — Exiv2: Uncaught exception - cannot create std::vector larger than max_size()

Exiv2 is a C++ library and a command-line utility to read, write, delete and modify Exif, IPTC, XMP and ICC image metadata. Prior to version 0.28.8, an uncaught exception was found in Exiv2. The vuln…

Remote | Denial of Service
Mar 02, 2026
2.7 LOW
CVE-2026-27596 — Exiv2: Integer Underflow in LoaderNative::getData() Causes Heap Buffer Overflow

Exiv2 is a C++ library and a command-line utility to read, write, delete and modify Exif, IPTC, XMP and ICC image metadata. Prior to version 0.28.8, an out-of-bounds read was found in Exiv2. The vuln…

Remote | Memory Corruption
Mar 02, 2026
Showing 20 of 4870 Results