Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
4.3 MEDIUM
CVE-2026-7533 — Easy Digital Downloads <= 3.6.7 - Cross-Site Request Forgery to Payment Account Hijacking…

The Easy Digital Downloads plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.6.7. This is due to missing nonce verification in the `handle_oauth…

Remote | Cross-Site Request Forgery
May 28, 2026 May 28, 2026
May 28, 2026
May 28, 2026
6.5 MEDIUM
CVE-2026-3173 — Meta Field Block <= 1.5.1 - Insecure Direct Object Reference to Authenticated (Contributo…

The Meta Field Block plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.5.1. This is due to the plugin allowing users to specify arbitrary …

Remote | Authorization
May 28, 2026 May 28, 2026
May 28, 2026
May 28, 2026
0.0 NA
CVE-2026-7862 — Eupago Gateway For Woocommerce < 4.7.2 - Unauthenticated Arbitrary Refund Initiation

The Eupago Gateway For Woocommerce WordPress plugin before 4.7.2 does not properly restrict access to its refund request handler, allowing unauthenticated attackers to initiate refunds against any Wo…

| Authentication
May 28, 2026 May 28, 2026
May 28, 2026
May 28, 2026
7.0 HIGH
CVE-2026-44604 — Rpm: command injection in rpmuncompress dountar() via unescaped archive top-level directo…

A command injection vulnerability was discovered in the `rpmuncompress` utility of RPM. When extracting certain archive formats (ZIP, 7z, GEM) to a specified destination directory, the tool inserts t…

| Injection
May 28, 2026 May 28, 2026
May 28, 2026
May 28, 2026
6.5 MEDIUM
CVE-2026-9796 — Keycloak: keycloak: privilege escalation via time-of-check to time-of-use (toctou) vulner…

A flaw was found in Keycloak. An authenticated administrator with the `manage-clients` role can exploit a Time-of-check to time-of-use (TOCTOU) vulnerability in the name-based admin role checks. This…

Remote | Race Condition
May 28, 2026 May 28, 2026
May 28, 2026
May 28, 2026
7.3 HIGH
CVE-2026-9795 — Keycloak: keycloak: privilege escalation via improper scope mapping enforcement

A flaw was found in Keycloak's Fine-Grained Admin Permissions (FGAPv2) feature. An administrator with limited client management permissions can exploit this vulnerability to assign any realm role, in…

Remote | Authorization
May 28, 2026 May 28, 2026
May 28, 2026
May 28, 2026
5.3 MEDIUM
CVE-2026-9794 — Keycloak: keycloak: information disclosure via saml ecp endpoint

A flaw was found in Keycloak. A remote, unauthenticated attacker can exploit this vulnerability by sending specially crafted SOAP requests to the SAML ECP (Security Assertion Markup Language Enhanced…

Remote | Information Disclosure
May 28, 2026 May 28, 2026
May 28, 2026
May 28, 2026
5.9 MEDIUM
CVE-2026-9793 — Keycloak: keycloak: security policy bypass in jwe-encrypted request object processing

A flaw was found in Keycloak. When a JSON Web Encryption (JWE) encrypted request object is submitted, Keycloak may incorrectly process unsigned claims if the decrypted content is raw JSON, bypassing …

Remote | Authorization
May 28, 2026 May 28, 2026
May 28, 2026
May 28, 2026
6.5 MEDIUM
CVE-2026-9792 — Keycloak: keycloak: security restriction bypass allows unauthorized ropc token acquisition

A flaw was found in Keycloak's Client Policies, specifically within the `org.keycloak.protocol.oidc` component. When certain condition providers (client-type, client-roles, client-attributes, client-…

Remote | Authentication
May 28, 2026 May 28, 2026
May 28, 2026
May 28, 2026
4.3 MEDIUM
CVE-2026-9791 — Keycloak-rhel9: organization data leak after feature disabled in keycloak

A flaw was found in Keycloak. An authenticated user with existing organization membership can exploit this flaw by accessing user-facing APIs, such as the account API or by requesting an OpenID Conne…

Remote | Information Disclosure
May 28, 2026 May 28, 2026
May 28, 2026
May 28, 2026
4.3 MEDIUM
CVE-2026-9241 — FOX – Currency Switcher Professional for WooCommerce <= 1.4.6 - Authenticated (Subscriber…

The FOX – Currency Switcher Professional for WooCommerce plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in all versions up to and including 1.4.6. This is due …

Remote | Authorization
May 28, 2026 May 28, 2026
May 28, 2026
May 28, 2026
4.3 MEDIUM
CVE-2026-9228 — Timetable and Event Schedule by MotoPress <= 2.4.16 - Insecure Direct Object Reference to…

The Timetable and Event Schedule by MotoPress plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.4.16 via the action_get_event_data due to …

Remote | Authorization
May 28, 2026 May 28, 2026
May 28, 2026
May 28, 2026
8.8 HIGH
CVE-2026-7802 — Frontend Admin by DynamiApps <= 3.29.2 - Missing Authorization to Authenticated (Subscrib…

The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.29.2. This is due to the plugin not properly verifying that a user …

Remote | Authorization
May 28, 2026 May 28, 2026
May 28, 2026
May 28, 2026
6.5 MEDIUM
CVE-2026-5737 — Independent Analytics <= 2.14.9 - Unauthenticated Server-Side Request Forgery via Trackin…

The Independent Analytics plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.14.9. This is due to a public tracking route at /wp-json/iawp/searc…

Remote | Server-Side Request Forgery
May 28, 2026 May 28, 2026
May 28, 2026
May 28, 2026
9.0 CRITICAL
CVE-2026-32999 — Comet Backup Code Execution Vulnerability

Insufficient character filtering in backup agent signing module on Comet Backup server allows authenticated tenant administrator to execute an arbitrary code on behalf of a privileged user on the aff…

Remote | Authentication
May 28, 2026 May 28, 2026
May 28, 2026
May 28, 2026
9.4 CRITICAL
CVE-2026-32998 — Veeam Service Provider Console Remote Code Execution Vulnerability

This vulnerability in Veeam Service Provider Console allows for remote code execution.

Remote | Injection
May 28, 2026 May 28, 2026
May 28, 2026
May 28, 2026
8.6 HIGH
CVE-2026-32997 — Veeam Backup & Replication Server Authenticated File Write Vulnerability

A vulnerability allowing an authenticated user with the Backup Administrator role to write arbitrary files on Linux-based Veeam Backup & Replication server.

Remote | Authorization
May 28, 2026 May 28, 2026
May 28, 2026
May 28, 2026
7.3 HIGH
CVE-2026-32996 — Veeam Agent for Microsoft Windows Local Privilege Escalation Vulnerability

This vulnerability in Veeam Agent for Microsoft Windows allows for Local Privilege Escalation.

| Authorization
May 28, 2026 May 28, 2026
May 28, 2026
May 28, 2026
7.5 HIGH
CVE-2026-32995 — Rocket.Chat Information Disclosure

The Rocket.Chat DDP method autoTranslate.translateMessage in versions <8.5.0, <8.4.2, <8.3.4, <8.2.4, <8.1.5, <8.0.5, <7.13.8, and <7.10.12 accepts a client-supplied IMessage object and passes it dir…

Remote | Authorization
May 28, 2026 May 28, 2026
May 28, 2026
May 28, 2026
7.2 HIGH
CVE-2026-2374 — Login No Captcha reCAPTCHA <= 1.8.0 - Unauthenticated Stored Cross-Site Scripting via PHP…

The Login No Captcha reCAPTCHA plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `$_SERVER['PHP_SELF']` superglobal in all versions up to, and including, 1.8.0. This is due to…

Remote | Cross-Site Scripting
May 28, 2026 May 28, 2026
May 28, 2026
May 28, 2026
Showing 20 of 6569 Results