Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
6.4 MEDIUM

Dell SmartFabric Storage Software, versions prior to 1.4.5, contains an Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability. A high privileged attacker w…

| Injection
May 20, 2026 May 20, 2026
May 20, 2026
May 20, 2026
9.1 CRITICAL
CVE-2026-33278 — Possible arbitrary code execution during DNSSEC validation

NLnet Labs Unbound 1.19.1 up to and including version 1.25.0 has a vulnerability in the DNSSEC validator that enables denial of service and possible remote code execution as a result of deep copying …

| Memory Corruption
May 20, 2026 May 20, 2026
May 20, 2026
May 20, 2026
4.6 MEDIUM
CVE-2026-32792 — Packet of death with DNSCrypt

NLnet Labs Unbound 1.6.2 up to and including version 1.25.0 has a denial of service vulnerability when compiled with DNSCrypt support ('--enable-dnscrypt'). A bad DNSCrypt query could underflow Unbou…

| Memory Corruption
May 20, 2026 May 20, 2026
May 20, 2026
May 20, 2026
9.3 CRITICAL
CVE-2026-9065 — Surecart - SQL Injection

SureCart version prior to 4.2.1 are vulnerable to authenticated SQL injection via multiple parameters ('model_name', 'model_id', 'integration_id', 'provider') on the REST API endpoint '/surecart/v1/i…

Remote | Injection
May 20, 2026 May 20, 2026
May 20, 2026
May 20, 2026
9.3 CRITICAL
CVE-2026-9059 — NextGEN Gallery - SQL Injection

NextGEN Gallery version prior to 4.2.1 are vulnerable to authenticated SQL injection via the 'orderby' parameter on the REST API endpoints '/imagely/v1/galleries' and '/imagely/v1/albums'. The roo…

Remote | Injection
May 20, 2026 May 20, 2026
May 20, 2026
May 20, 2026
4.3 MEDIUM
CVE-2026-6405 — Anomify AI <= 0.3.6 - Cross-Site Request Forgery

The Anomify AI – Anomaly Detection and Alerting plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) leading to Stored Cross-Site Scripting (XSS) in versions up to and including 0.…

Remote | Cross-Site Request Forgery
May 20, 2026 May 20, 2026
May 20, 2026
May 20, 2026
8.8 HIGH
CVE-2026-5200 — AcyMailing <= 10.8.2 - Missing Authorization to Authenticated (Subscriber+) Privilege Esc…

The AcyMailing – An Ultimate Newsletter Plugin and Marketing Automation Solution for WordPress plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 10.8.2. Th…

Remote | Authorization
May 20, 2026 May 20, 2026
May 20, 2026
May 20, 2026
0.0 NA
CVE-2026-7385 — Decent Comments < 3.0.2 - Unauthenticated Email Address Disclosure

The Decent Comments WordPress plugin before 3.0.2 does not restrict access to comment author email addresses and post author email addresses via its REST API endpoint, allowing unauthenticated attack…

| Information Disclosure
May 20, 2026 May 20, 2026
May 20, 2026
May 20, 2026
4.3 MEDIUM
CVE-2026-6566 — Photo Gallery, Sliders, Proofing and Themes <= 4.2.0 - Insecure Direct Object Reference t…

The Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to and including 4.2.0. This is due to insuffic…

Remote | Authorization
May 20, 2026 May 20, 2026
May 20, 2026
May 20, 2026
0.0 NA
CVE-2026-5776 — Email Encoder < 2.4.7 - Unauthenticated Stored XSS

The Email Encoder WordPress plugin before 2.4.7 does not escape email addresses retrieved via user input, allowing unauthenticated attackers to perform Stored XSS attacks

| Cross-Site Scripting
May 20, 2026 May 20, 2026
May 20, 2026
May 20, 2026
8.1 HIGH
CVE-2026-47784 — Memcached Timing-Attack in SASL Password Database Authentication

In memcached before 1.6.42, password data for SASL password database authentication has a timing side channel because memcmp is used by sasl_server_userdb_checkpass.

Remote | Authentication
May 20, 2026 May 20, 2026
May 20, 2026
May 20, 2026
8.1 HIGH
CVE-2026-47783 — Memcached SASL Timing Side-Channel Vulnerability

In memcached before 1.6.42, username data for SASL password database authentication has a timing side channel because a loop exits as soon as a valid username is found by sasl_server_userdb_checkpass.

Remote | Authentication
May 20, 2026 May 20, 2026
May 20, 2026
May 20, 2026
5.3 MEDIUM
CVE-2026-44392 — Movable Type Unauthorized Update Vulnerability

Missing authorization vulnerability exists in Movable Type. Under certain conditions, when a user without administrator privileges signs in to the product, unintended update processing may be execute…

| Authorization
May 20, 2026 May 20, 2026
May 20, 2026
May 20, 2026
6.4 MEDIUM
CVE-2026-2955 — AI Chatbot & Workflow Automation by AIWU <= 1.4.14 - Unauthenticated Stored Cross-Site Sc…

The AI Chatbot & Workflow Automation by AIWU plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'X-Forwarded-For' header in versions up to, and including, 1.4.14 due to insuffi…

Remote | Cross-Site Scripting
May 20, 2026 May 20, 2026
May 20, 2026
May 20, 2026
8.2 HIGH
CVE-2026-9057 — Security fix for Qlik Talend Administration Center URL access control vulnerability

A broken access control issue has been identified in the Talend Administration Center, that allows a user with “View” permission to modify the Talend Studio update URL. This issue was resolved in a p…

Remote | Authorization
May 20, 2026 May 20, 2026
May 20, 2026
May 20, 2026
5.4 MEDIUM
CVE-2026-9056 — Security fix for Qlik Talend Administration Center cross-site scripting vulnerability

A stored cross-site scripting vulnerability has been found in the Talend Administration Center. An attacker with permission to manage servers can store a XSS payload that can be triggered by a differ…

Remote | Cross-Site Scripting
May 20, 2026 May 20, 2026
May 20, 2026
May 20, 2026
8.8 HIGH
CVE-2026-7522 — Advanced Database Cleaner – Premium <= 4.1.0 - Authenticated (Subscriber+) Local File Inc…

The Advanced Database Cleaner – Premium plugin for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 4.1.0 via the 'template' parameter. This makes it possible for aut…

Remote | Path Traversal
May 20, 2026 May 20, 2026
May 20, 2026
May 20, 2026
4.3 MEDIUM
CVE-2026-5075 — All in One SEO <= 4.9.7 - Authenticated (Contributor+) Sensitive Information Exposure via…

The All in One SEO plugin for WordPress is vulnerable to Sensitive Information Exposure via 'internalOptions' localized script data in versions up to, and including, 4.9.7 due to sensitive internal o…

Remote | Information Disclosure
May 20, 2026 May 20, 2026
May 20, 2026
May 20, 2026
7.5 HIGH
CVE-2026-9010 — Boost <= 2.0.3 - Unauthenticated Blind SQL Injection via Multiple Parameters

The Boost plugin for WordPress is vulnerable to time-based SQL Injection via the 'current_url' and 'user_name' parameters in versions up to, and including, 2.0.3 due to insufficient escaping on the u…

Remote | Injection
May 20, 2026 May 20, 2026
May 20, 2026
May 20, 2026
8.7 HIGH
CVE-2026-9003 — TONNET|E-LAN Hybrid Recording System - SQL Injection

E-LAN Hybrid Recording System developed by TONNET has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read database contents.

Remote | Injection
May 20, 2026 May 20, 2026
May 20, 2026
May 20, 2026
Showing 20 of 6411 Results