Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
CVE Intelligence

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

All Critical Actively Exploited Remotely Exploitable
Last Updated Published CVSS Score
Score
Vulnerability
Published
5.3 MEDIUM
CVE-2026-6402 — webpack-dev-server vulnerable to cross-origin source code exposure on non-HTTPS origins

webpack-dev-server versions up to and including 5.2.3 are vulnerable to cross-origin source code exposure when serving over a non-potentially trustworthy origin such as plain HTTP. The previous fix r…

| Information Disclosure
May 12, 2026 May 12, 2026
May 12, 2026
May 12, 2026
6.4 MEDIUM
CVE-2026-6256 — Credits Shortcode <= 1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via '…

The Credits Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'link' attribute of the 'credits' shortcode in all versions up to, and including, 1.2 due to insufficie…

Remote | Cross-Site Scripting
May 12, 2026 May 12, 2026
May 12, 2026
May 12, 2026
6.4 MEDIUM
CVE-2026-6247 — scratchblocks for WP <= 1.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting …

The scratchblocks for WP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'element' attribute of the 'scratchblocks' shortcode in all versions up to, and including, 1.0.1 due…

Remote | Cross-Site Scripting
May 12, 2026 May 12, 2026
May 12, 2026
May 12, 2026
6.4 MEDIUM
CVE-2026-6237 — Quick Table <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'styl…

The Quick Table plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'style' attribute of the 'qtbl' shortcode in all versions up to, and including, 1.0.0 due to insufficient inp…

Remote | Cross-Site Scripting
May 12, 2026 May 12, 2026
May 12, 2026
May 12, 2026
6.4 MEDIUM
CVE-2026-5715 — Voyage Plus <= 1.0.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'post…

The Voyage Plus plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'class' attribute of the 'post-content' shortcode in all versions up to, and including, 1.0.6 due to insuffic…

Remote | Cross-Site Scripting
May 12, 2026 May 12, 2026
May 12, 2026
May 12, 2026
5.3 MEDIUM
CVE-2026-5693 — Smart Appointment & Booking <= 1.0.8 - Missing Authorization to Unauthenticated Arbitrary…

The Smart Appointment & Booking plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check and a nonce validation logic flaw in the saab_cancel_booking(…

Remote | Authorization
May 12, 2026 May 12, 2026
May 12, 2026
May 12, 2026
6.4 MEDIUM
CVE-2026-5340 — Fancy Image Show <= 9.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Sh…

The Fancy Image Show plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `fancy-img-show` shortcode in all versions up to, and including, 9.1 due to insufficient input …

Remote | Cross-Site Scripting
May 12, 2026 May 12, 2026
May 12, 2026
May 12, 2026
6.5 MEDIUM
CVE-2026-5028 — Eight Day Week Print Workflow <= 1.2.6 - Authenticated (Subscriber+) SQL Injection via 't…

The Eight Day Week Print Workflow plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'title' parameter in the `pp-get-articles` AJAX action in all versions up to, and includ…

Remote | Injection
May 12, 2026 May 12, 2026
May 12, 2026
May 12, 2026
6.4 MEDIUM
CVE-2026-4920 — Next Date <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'default'…

The Next Date plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'default' shortcode attribute in all versions up to, and including, 1.0 due to insufficient input sanitization …

Remote | Cross-Site Scripting
May 12, 2026 May 12, 2026
May 12, 2026
May 12, 2026
6.4 MEDIUM
CVE-2026-4859 — SP Blog Designer <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via …

The SP Blog Designer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'design' attribute of the `wpsbd_post_carousel` shortcode in all versions up to, and including, 1.0.0 du…

Remote | Cross-Site Scripting
May 12, 2026 May 12, 2026
May 12, 2026
May 12, 2026
5.3 MEDIUM
CVE-2026-4663 — iPOSpays Gateways WC <= 1.3.7 - Unauthenticated Missing Authorization to Settings Update …

The iPOSpays Gateways WC plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 1.3.7. This is due to the plugin exposing a REST API endpoint /wp-json/ipospays/v1…

Remote | Authorization
May 12, 2026 May 12, 2026
May 12, 2026
May 12, 2026
4.3 MEDIUM
CVE-2026-4301 — Rate Star Review Vote <= 1.6.4 - Missing Authorization to Authenticated (Subscriber+) Arb…

The Rate Star Review Vote - AJAX Reviews, Votes, Star Ratings plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 1.6.4. The vwrsr_review() AJAX handler la…

Remote | Authorization
May 12, 2026 May 12, 2026
May 12, 2026
May 12, 2026
4.9 MEDIUM
CVE-2026-3604 — WP SEO Structured Data Schema <= 2.8.1 - Authenticated (Contributor+) Stored Cross-Site S…

The WP SEO Structured Data Schema plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `_kcseo_ative_tab` parameter in all versions up to, and including, 2.8.1 due to insufficien…

wp_seo_structured_data_schema | Remote | Cross-Site Scripting
May 12, 2026 May 12, 2026
May 12, 2026
May 12, 2026
8.2 HIGH
CVE-2026-39432 — WordPress Timetics plugin <= 1.0.53 - Broken Access Control vulnerability

Missing Authorization vulnerability in Arraytics Timetics allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Timetics: from n/a through 1.0.53.

wp_timetics | Remote | Authorization
May 12, 2026 May 12, 2026
May 12, 2026
May 12, 2026
7.5 HIGH
CVE-2026-2993 — AI Chatbot & Workflow Automation by AIWU <= 1.4.17 - Unauthenticated SQL Injection in get…

The AI Chatbot & Workflow Automation by AIWU plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 1.4.17 due to insufficient escaping on user supplied parameters and …

Remote | Injection
May 12, 2026 May 12, 2026
May 12, 2026
May 12, 2026
6.4 MEDIUM
CVE-2026-2300 — BJ Lazy Load <= 1.0.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Cust…

The BJ Lazy Load plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `filter_images()` function in all versions up to, and including, 1.0.9. This is due to the use of regex-base…

Remote | Cross-Site Scripting
May 12, 2026 May 12, 2026
May 12, 2026
May 12, 2026
8.2 HIGH
CVE-2026-35227 — Improper resource management in CODESYS Modbus TCP Server

An unauthenticated remote attacker may exhaust all available TCP connections in the CODESYS Modbus TCP Server stack if a race condition in connection handling is successfully exploited, preventing le…

codesys_modbus | Remote | Race Condition
May 12, 2026 May 12, 2026
May 12, 2026
May 12, 2026
6.1 MEDIUM
CVE-2026-1681 — net: Stack Overflow with Ping (to own IP Address) via Shell

Issuing an ICMP ping via the `net ping` shell command to a device's own IPv4 address causes the network stack to recursively re-enter the input path on the same system work-queue stack. Because the d…

zephyr | Denial of Service
May 12, 2026 May 12, 2026
May 12, 2026
May 12, 2026
5.4 MEDIUM
CVE-2026-1185 — Axis SSH Code Execution Vulnerability

A configuration file on the local file system had improper input validation which could allow code execution and potentially lead to privilege escalation. This vulnerability can only be exploited if …

axis_os | Remote | Misconfiguration
May 12, 2026 May 12, 2026
May 12, 2026
May 12, 2026
6.7 MEDIUM
CVE-2026-0804 — Axis ACAP Path Traversal Vulnerability

An ACAP configuration file lacked sufficient input validation, which could allow a path traversal attack leading to potential privilege escalation. This vulnerability can only be exploited if the Axi…

axis_os | Path Traversal
May 12, 2026 May 12, 2026
May 12, 2026
May 12, 2026
Showing 20 of 6287 Results