Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score | Vulnerability | Published
6.5 MEDIUM
CVE-2025-68074 — WordPress Image Carousel plugin <= 1.0.0.41 - Cross Site Scripting (XSS) vulnerability

Contributor Cross Site Scripting (XSS) in Image Carousel <= 1.0.0.41 versions.

Remote | Cross-Site Scripting
Jun 26, 2026 Jun 26, 2026
7.5 HIGH
CVE-2025-68064 — WordPress Goya Core plugin < 1.0.9.4 - Local File Inclusion vulnerability

Contributor Local File Inclusion in Goya Core < 1.0.9.4 versions.

Remote
Jun 26, 2026 Jun 26, 2026
7.5 HIGH
CVE-2025-68063 — WordPress Splash - Sport Club WordPress theme for Basketball, Football, Hockey theme <= 4…

Contributor Local File Inclusion in Splash - Sport Club WordPress Theme for Basketball, Football, Hockey <= 4.4.3 versions.

Remote | Path Traversal
Jun 26, 2026 Jun 26, 2026
8.8 HIGH
CVE-2025-68052 — WordPress Eagle Booking plugin <= 1.3.4.3 - Cross Site Request Forgery (CSRF) vulnerabili…

Unauthenticated Cross Site Request Forgery (CSRF) in Eagle Booking <= 1.3.4.3 versions.

Remote | Cross-Site Request Forgery
Jun 26, 2026 Jun 26, 2026
5.3 MEDIUM
CVE-2025-66123 — WordPress BookPro plugin <= 1.1.0 - Insecure Direct Object References (IDOR) vulnerability

Unauthenticated Insecure Direct Object References (IDOR) in BookPro <= 1.1.0 versions.

Remote | Authorization
Jun 26, 2026 Jun 26, 2026
5.3 MEDIUM
CVE-2025-64637 — WordPress Auros Core plugin <= 5.3.1 - Content Injection vulnerability

Unauthenticated Content Injection in Auros Core <= 5.3.1 versions.

Remote | Injection
Jun 26, 2026 Jun 29, 2026
5.3 MEDIUM
CVE-2025-64636 — WordPress Donation Thermometer plugin <= 2.2.7 - Broken Access Control vulnerability

Unauthenticated Broken Access Control in Donation Thermometer <= 2.2.7 versions.

donation_thermometer | Remote | Authorization
Jun 26, 2026 Jun 26, 2026
4.3 MEDIUM
CVE-2025-63079 — WordPress Live Copy Paste for Elementor plugin <= 1.5.3 - Broken Access Control vulnerabi…

Contributor Broken Access Control in Live Copy Paste for Elementor <= 1.5.3 versions.

Remote | Authorization
Jun 26, 2026 Jun 26, 2026
4.3 MEDIUM
CVE-2025-63078 — WordPress Restaurant Menu by MotoPress plugin <= 2.4.11 - Broken Access Control vulnerabi…

Subscriber Broken Access Control in Restaurant Menu by MotoPress <= 2.4.11 versions.

restaurant_menu | Remote | Authorization
Jun 26, 2026 Jun 26, 2026
5.4 MEDIUM
CVE-2025-63041 — WordPress Forget About Shortcode Buttons plugin <= 2.1.3 - Broken Access Control vulnerab…

Contributor Broken Access Control in Forget About Shortcode Buttons <= 2.1.3 versions.

forget_about_shortcode_buttons | Remote | Authorization
Jun 26, 2026 Jun 26, 2026
2.1 LOW
CVE-2026-57940 — HTMLy Server-Side Request Forgery

HTMLy 3.1.1 contains a Server-Side Request Forgery (SSRF) vulnerability in the RSS feed import functionality. The function get_feed() in system/admin/admin.php passes user-supplied $feed_url directly…

Remote | Server-Side Request Forgery
Jun 26, 2026 Jun 26, 2026
9.8 CRITICAL
CVE-2026-57926 — JetBrains YouTrack Prototype Pollution

In JetBrains YouTrack before 2026.2.16593 the websandbox bridge was vulnerable to a prototype pollution attack

youtrack | Remote | Misconfiguration
Jun 26, 2026 Jun 27, 2026
5.3 MEDIUM
CVE-2026-57925 — JetBrains YouTrack Improper Access Control

In JetBrains YouTrack before 2026.2.16593 improper access control allowed reading saved queries and tags

youtrack | Remote | Authorization
Jun 26, 2026 Jun 27, 2026
5.3 MEDIUM
CVE-2026-57924 — JetBrains YouTrack: Role Configuration Information Disclosure

In JetBrains YouTrack before 2026.2.16593 default role configuration exposed excessive user profile details

youtrack | Remote | Information Disclosure
Jun 26, 2026 Jun 27, 2026
7.5 HIGH
CVE-2026-57923 — JetBrains YouTrack Improper Authorization

In JetBrains YouTrack before 2026.2.16593 improper authorisation in the app configurations endpoint allowed modifying project settings

youtrack | Remote | Authorization
Jun 26, 2026 Jun 27, 2026
5.3 MEDIUM
CVE-2026-57922 — JetBrains YouTrack Project Settings Disclosure

In JetBrains YouTrack before 2026.2.16593 project settings disclosure via the MCP was possible

youtrack | Remote | Information Disclosure
Jun 26, 2026 Jun 27, 2026
7.5 HIGH
CVE-2026-57921 — JetBrains YouTrack: Improper Access Control in Comment Templates

In JetBrains YouTrack before 2026.2.16593 improper access control allowed reading users' private data via the comment templates endpoint

youtrack | Remote | Authorization
Jun 26, 2026 Jun 27, 2026
9.8 CRITICAL
CVE-2026-53914 — JetBrains Kotlin Unsafe Deserialization

In JetBrains Kotlin before 2.4.20 code execution was possible via unsafe deserialization in the build cache metadata

kotlin | Remote | Injection
Jun 26, 2026 Jun 27, 2026
5.4 MEDIUM
CVE-2026-13426 — Client4 fails to validate path parameters

The Mattermost Go module github.com/mattermost/mattermost/server/public versions < v0.1.22 fail to validate path parameters when constructing API route paths which allows an attacker to redirect API …

Remote | Path Traversal
Jun 26, 2026 Jun 26, 2026
7.7 HIGH
CVE-2026-57920 — Peplink InControl 2 Access Control Bypass

Peplink InControl 2 through 2.14.2 before 2026-06-03 allows use of a semicolon to bypass access-control rules for certain /rest/o/{orgId} endpoints.

intcontrol_2 | Remote | Authorization
Jun 26, 2026 Jul 02, 2026
Showing 20 of 8023 Results