Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
CVE Intelligence

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

All Critical Actively Exploited Remotely Exploitable
Last Updated Published CVSS Score
Score
Vulnerability
Published
7.2 HIGH
CVE-2026-4329 — Blackhole for Bad Bots <= 3.8 - Unauthenticated Stored Cross-Site Scripting via User-Agen…

The Blackhole for Bad Bots plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the User-Agent HTTP header in all versions up to and including 3.8. This is due to insufficient input …

Remote | Cross-Site Scripting
Mar 26, 2026 Mar 26, 2026
Mar 26, 2026
Mar 26, 2026
5.3 MEDIUM
CVE-2026-4281 — FormLift for Infusionsoft Web Forms <= 7.5.21 - Missing Authorization to Unauthenticated …

The FormLift for Infusionsoft Web Forms plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 7.5.21. This is due to missing capability checks on the conne…

Remote | Authorization
Mar 26, 2026 Mar 26, 2026
Mar 26, 2026
Mar 26, 2026
6.4 MEDIUM
CVE-2026-4278 — Simple Download Counter <= 2.3 - Authenticated (Contributor+) Stored Cross-Site Scripting…

The Simple Download Counter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'sdc_menu' shortcode in all versions up to, and including, 2.3. This is due to insufficient input…

simple_download_counter | Remote | Cross-Site Scripting
Mar 26, 2026 Mar 26, 2026
Mar 26, 2026
Mar 26, 2026
7.0 HIGH
CVE-2026-33201 — Green House CO., LTD. Digital Photo Frame GH-WDF10A Root Privilege Escalation Vulnerabili…

Digital Photo Frame GH-WDF10A provided by GREEN HOUSE CO., LTD. contains an active debug code vulnerability. If this vulnerability is exploited, files or configurations on the affected device may be …

| Misconfiguration
Mar 26, 2026 Mar 26, 2026
Mar 26, 2026
Mar 26, 2026
8.8 HIGH
CVE-2026-2931 — Amelia Booking <= 9.1.2 - Authenticated (Customer+) Insecure Direct Object Reference to A…

The Amelia Booking plugin for WordPress is vulnerable to Insecure Direct Object References in versions up to, and including, 9.1.2. This is due to the plugin providing user-controlled access to objec…

amelia | Remote | Authorization
Mar 26, 2026 Mar 26, 2026
Mar 26, 2026
Mar 26, 2026
7.5 HIGH
CVE-2026-4839 — SourceCodester Food Ordering System Parameter purchase.php sql injection

A vulnerability has been found in SourceCodester Food Ordering System 1.0. This affects an unknown function of the file /purchase.php of the component Parameter Handler. The manipulation of the argum…

food_ordering_system | Remote | Injection
Mar 26, 2026 Mar 26, 2026
Mar 26, 2026
Mar 26, 2026
7.5 HIGH
CVE-2026-4838 — SourceCodester Malawi Online Market display.php sql injection

A flaw has been found in SourceCodester Malawi Online Market 1.0. The impacted element is an unknown function of the file /display.php. Executing a manipulation of the argument ID can lead to sql inj…

Remote | Injection
Mar 26, 2026 Mar 26, 2026
Mar 26, 2026
Mar 26, 2026
5.4 MEDIUM
CVE-2026-4335 — ShortPixel Image Optimizer <= 6.4.3 - Authenticated (Author+) Stored Cross-Site Scripting…

The ShortPixel Image Optimizer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the attachment post_title in all versions up to, and including, 6.4.3. This is due to insufficient…

Remote | Cross-Site Scripting
Mar 26, 2026 Mar 26, 2026
Mar 26, 2026
Mar 26, 2026
6.4 MEDIUM
CVE-2026-4075 — BWL Advanced FAQ Manager Lite <= 1.1.1 - Authenticated (Contributor+) Stored Cross-Site S…

The BWL Advanced FAQ Manager Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'baf_sbox' shortcode in all versions up to and including 1.1.1. This is due to insufficient…

Remote | Cross-Site Scripting
Mar 26, 2026 Mar 26, 2026
Mar 26, 2026
Mar 26, 2026
7.2 HIGH
CVE-2026-3328 — Frontend Admin by DynamiApps <= 3.28.31 - Authenticated (Editor+) PHP Object Injection vi…

The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to PHP Object Injection via deserialization of the 'post_content' of admin_form posts in all versions up to, and including, 3.28.31…

frontend_admin | Remote | Injection
Mar 26, 2026 Mar 26, 2026
Mar 26, 2026
Mar 26, 2026
6.1 MEDIUM
CVE-2026-1986 — FloristPress for Woo <= 7.8.2 - Reflected Cross-Site Scripting via 'noresults' Parameter

The FloristPress for Woo – Customize your eCommerce store for your Florist plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'noresults' parameter in all versions up to, an…

Remote | Cross-Site Scripting
Mar 26, 2026 Mar 26, 2026
Mar 26, 2026
Mar 26, 2026
6.5 MEDIUM
CVE-2026-4836 — code-projects Accounting System delete.php sql injection

A vulnerability was detected in code-projects Accounting System 1.0. The affected element is an unknown function of the file /my_account/delete.php. Performing a manipulation of the argument cos_id r…

Remote | Injection
Mar 26, 2026 Mar 26, 2026
Mar 26, 2026
Mar 26, 2026
5.1 MEDIUM
CVE-2026-4835 — code-projects Accounting System Web Application add_costumer.php cross site scripting

A security vulnerability has been detected in code-projects Accounting System 1.0. Impacted is an unknown function of the file /my_account/add_costumer.php of the component Web Application Interface.…

Remote | Cross-Site Scripting
Mar 26, 2026 Mar 26, 2026
Mar 26, 2026
Mar 26, 2026
8.8 HIGH
CVE-2025-15101 — ASUS Router CSRF Vulnerability

A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the Web management interface of certain ASUS router models. This vulnerability potentially allows actions to be performed with…

asus_firmware router | Remote | Cross-Site Request Forgery
Mar 26, 2026 Mar 26, 2026
Mar 26, 2026
Mar 26, 2026
9.8 CRITICAL
CVE-2014-125112 — Plack::Middleware::Session::Cookie versions through 0.21 for Perl allows remote code exec…

Plack::Middleware::Session::Cookie versions through 0.21 for Perl allows remote code execution. Plack::Middleware::Session::Cookie versions through 0.21 has a security vulnerability where it allows …

Remote | Injection
Mar 26, 2026 Mar 26, 2026
Mar 26, 2026
Mar 26, 2026
4.8 MEDIUM
CVE-2026-4833 — Orc discount Markdown markdown.c compile recursion

A weakness has been identified in Orc discount up to 3.0.1.2. This issue affects the function compile of the file markdown.c of the component Markdown Handler. This manipulation causes uncontrolled r…

| Denial of Service
Mar 26, 2026 Mar 26, 2026
Mar 26, 2026
Mar 26, 2026
6.3 MEDIUM
CVE-2026-4831 — kalcaddle kodbox Password-protected Share auth.class.php can improper authentication

A security flaw has been discovered in kalcaddle kodbox 1.64. Impacted is the function can of the file /workspace/source-code/app/controller/explorer/auth.class.php of the component Password-protecte…

kodbox | Remote | Authentication
Mar 26, 2026 Mar 26, 2026
Mar 26, 2026
Mar 26, 2026
9.8 CRITICAL
CVE-2026-4484 — Masteriyo LMS <= 2.1.6 - Missing Authorization to Authenticated (Student+) Privilege Esca…

The Masteriyo LMS plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 2.1.6. This is due to the plugin allowing a user to update the user role through the…

Remote | Authorization
Mar 26, 2026 Mar 26, 2026
Mar 26, 2026
Mar 26, 2026
6.3 MEDIUM
CVE-2026-4830 — kalcaddle kodbox Public Share userShare.class.php add privilege escalation

A vulnerability was identified in kalcaddle kodbox 1.64. This issue affects the function Add of the file app/controller/explorer/userShare.class.php of the component Public Share Handler. Such manipu…

kodbox | Remote | Misconfiguration
Mar 26, 2026 Mar 26, 2026
Mar 26, 2026
Mar 26, 2026
9.8 CRITICAL
CVE-2026-33942 — Saloon has insecure deserialization in AccessTokenAuthenticator (object injection / RCE)

Saloon is a PHP library that gives users tools to build API integrations and SDKs. Versions prior to 4.0.0 used PHP's unserialize() in AccessTokenAuthenticator::unserialize() to restore OAuth token s…

saloon | Remote | Injection
Mar 26, 2026 Mar 26, 2026
Mar 26, 2026
Mar 26, 2026
Showing 20 of 6073 Results