Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
CVE Intelligence

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

All Critical Actively Exploited Remotely Exploitable
Last Updated Published CVSS Score
Score
Vulnerability
Published
6.4 MEDIUM
CVE-2026-5340 — Fancy Image Show <= 9.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Sh…

The Fancy Image Show plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `fancy-img-show` shortcode in all versions up to, and including, 9.1 due to insufficient input …

Remote | Cross-Site Scripting
May 12, 2026 May 12, 2026
May 12, 2026
May 12, 2026
6.5 MEDIUM
CVE-2026-5028 — Eight Day Week Print Workflow <= 1.2.6 - Authenticated (Subscriber+) SQL Injection via 't…

The Eight Day Week Print Workflow plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'title' parameter in the `pp-get-articles` AJAX action in all versions up to, and includ…

Remote | Injection
May 12, 2026 May 12, 2026
May 12, 2026
May 12, 2026
6.4 MEDIUM
CVE-2026-4920 — Next Date <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'default'…

The Next Date plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'default' shortcode attribute in all versions up to, and including, 1.0 due to insufficient input sanitization …

Remote | Cross-Site Scripting
May 12, 2026 May 12, 2026
May 12, 2026
May 12, 2026
6.4 MEDIUM
CVE-2026-4859 — SP Blog Designer <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via …

The SP Blog Designer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'design' attribute of the `wpsbd_post_carousel` shortcode in all versions up to, and including, 1.0.0 du…

Remote | Cross-Site Scripting
May 12, 2026 May 12, 2026
May 12, 2026
May 12, 2026
5.3 MEDIUM
CVE-2026-4663 — iPOSpays Gateways WC <= 1.3.7 - Unauthenticated Missing Authorization to Settings Update …

The iPOSpays Gateways WC plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 1.3.7. This is due to the plugin exposing a REST API endpoint /wp-json/ipospays/v1…

Remote | Authorization
May 12, 2026 May 12, 2026
May 12, 2026
May 12, 2026
4.3 MEDIUM
CVE-2026-4301 — Rate Star Review Vote <= 1.6.4 - Missing Authorization to Authenticated (Subscriber+) Arb…

The Rate Star Review Vote - AJAX Reviews, Votes, Star Ratings plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 1.6.4. The vwrsr_review() AJAX handler la…

Remote | Authorization
May 12, 2026 May 12, 2026
May 12, 2026
May 12, 2026
4.9 MEDIUM
CVE-2026-3604 — WP SEO Structured Data Schema <= 2.8.1 - Authenticated (Contributor+) Stored Cross-Site S…

The WP SEO Structured Data Schema plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `_kcseo_ative_tab` parameter in all versions up to, and including, 2.8.1 due to insufficien…

wp_seo_structured_data_schema | Remote | Cross-Site Scripting
May 12, 2026 May 12, 2026
May 12, 2026
May 12, 2026
8.2 HIGH
CVE-2026-39432 — WordPress Timetics plugin <= 1.0.53 - Broken Access Control vulnerability

Missing Authorization vulnerability in Arraytics Timetics allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Timetics: from n/a through 1.0.53.

wp_timetics | Remote | Authorization
May 12, 2026 May 12, 2026
May 12, 2026
May 12, 2026
7.5 HIGH
CVE-2026-2993 — AI Chatbot & Workflow Automation by AIWU <= 1.4.17 - Unauthenticated SQL Injection in get…

The AI Chatbot & Workflow Automation by AIWU plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 1.4.17 due to insufficient escaping on user supplied parameters and …

Remote | Injection
May 12, 2026 May 12, 2026
May 12, 2026
May 12, 2026
6.4 MEDIUM
CVE-2026-2300 — BJ Lazy Load <= 1.0.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Cust…

The BJ Lazy Load plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `filter_images()` function in all versions up to, and including, 1.0.9. This is due to the use of regex-base…

Remote | Cross-Site Scripting
May 12, 2026 May 12, 2026
May 12, 2026
May 12, 2026
8.2 HIGH
CVE-2026-35227 — Improper resource management in CODESYS Modbus TCP Server

An unauthenticated remote attacker may exhaust all available TCP connections in the CODESYS Modbus TCP Server stack if a race condition in connection handling is successfully exploited, preventing le…

codesys_modbus | Remote | Race Condition
May 12, 2026 May 12, 2026
May 12, 2026
May 12, 2026
6.1 MEDIUM
CVE-2026-1681 — net: Stack Overflow with Ping (to own IP Address) via Shell

Issuing an ICMP ping via the `net ping` shell command to a device's own IPv4 address causes the network stack to recursively re-enter the input path on the same system work-queue stack. Because the d…

zephyr | Denial of Service
May 12, 2026 May 12, 2026
May 12, 2026
May 12, 2026
5.4 MEDIUM
CVE-2026-1185 — Axis SSH Code Execution Vulnerability

A configuration file on the local file system had improper input validation which could allow code execution and potentially lead to privilege escalation. This vulnerability can only be exploited if …

axis_os | Remote | Misconfiguration
May 12, 2026 May 12, 2026
May 12, 2026
May 12, 2026
6.7 MEDIUM
CVE-2026-0804 — Axis ACAP Path Traversal Vulnerability

An ACAP configuration file lacked sufficient input validation, which could allow a path traversal attack leading to potential privilege escalation. This vulnerability can only be exploited if the Axi…

axis_os | Path Traversal
May 12, 2026 May 12, 2026
May 12, 2026
May 12, 2026
6.0 MEDIUM
CVE-2026-0802 — Axis ACAP Command Injection Vulnerability

An ACAP configuration file lacked sufficient input validation, which could allow command injection and potentially lead to privilege escalation. This vulnerability can only be exploited if the Axis d…

axis_os | Injection
May 12, 2026 May 12, 2026
May 12, 2026
May 12, 2026
6.7 MEDIUM
CVE-2026-0541 — Axis ACAP Privilege Escalation Vulnerability

ACAP applications can gain elevated privileges due to improper input validation during the installation process, potentially leading to privilege escalation. This vulnerability can only be exploited …

axis_os | Authorization
May 12, 2026 May 12, 2026
May 12, 2026
May 12, 2026
9.1 CRITICAL
CVE-2026-41872 — Kura Sushi Official App EPG Inc. Certificate Validation Weakness

"Kura Sushi Official App" provided by EPG, Inc. is vulnerable to improper certificate validation. A man-in-the-middle attack may allow eavesdropping on, or altering, the communication on push notific…

| Cryptography
May 12, 2026 May 12, 2026
May 12, 2026
May 12, 2026
4.6 MEDIUM
CVE-2026-41530 — Chitora Soft Lhaz Path Traversal Vulnerability

The automatic folder creation feature of Lhaz and Lhaz+ provided by Chitora soft contains a path traversal vulnerability. When the affected product is configured with the automatic folder creation fe…

| Path Traversal
May 12, 2026 May 12, 2026
May 12, 2026
May 12, 2026
7.5 HIGH
CVE-2026-7287 — Zyxel NWA1100-N HTTP Request Buffer Overflow Denial of Service

** UNSUPPORTED WHEN ASSIGNED ** A buffer overflow vulnerability in the formWep(), formWlAc(), formPasswordSetup(), formUpgradeCert(), and formDelcert() functions of the “webs” binary in Zyxel NWA1100…

Remote | Memory Corruption
May 12, 2026 May 12, 2026
May 12, 2026
May 12, 2026
4.4 MEDIUM
CVE-2026-7257 — Zyxel WRE6505 Sensitive Information Storage Vulnerability

** UNSUPPORTED WHEN ASSIGNED ** An insecure storage of sensitive information vulnerability in the configuration file of Zyxel WRE6505 v2 firmware version V1.00(ABDV.3)C0 could allow a local attacker …

| Information Disclosure
May 12, 2026 May 12, 2026
May 12, 2026
May 12, 2026
Showing 20 of 6242 Results