Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
0.0 NA
CVE-2026-12142 — NEX-Forms <= 9.2.2 - Unauthenticated Stored Cross-Site Scripting via '_name[]' Array Para…

The NEX-Forms – Ultimate Forms Plugin for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via '_name[]' Array Parameter in all versions up to, and including, 9.2.2 due to …

| Cross-Site Scripting
Jul 01, 2026 Jul 01, 2026
Jul 01, 2026
Jul 01, 2026
0.0 NA
CVE-2026-13228 — LatePoint <= 5.6.3 - Authenticated (Custom+) Privilege Escalation to Administrator via 'o…

The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Privilege Escalation to Administrator in versions up to, and including, 5.6.3 This is due to …

| Authorization
Jul 01, 2026 Jul 01, 2026
Jul 01, 2026
Jul 01, 2026
0.0 NA
CVE-2026-10095 — WP Photo Album Plus <= 9.1.13.005 - Authenticated (Contributor+) Stored Cross-Site Script…

The WP Photo Album Plus plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'subtext' parameter in all versions up to, and including, 9.1.13.005 due to insufficient input saniti…

| Cross-Site Scripting
Jul 01, 2026 Jul 01, 2026
Jul 01, 2026
Jul 01, 2026
6.5 MEDIUM
CVE-2026-14258 — Dhcpcd: dhcpcd infinite loop and out-of-bounds read via zero-length ipv6 nd option in rou…

A flaw was found in dhcpcd's IPv6 Neighbor Discovery Router Advertisement processing. A specially crafted IPv6 Router Advertisement containing a zero-length Neighbor Discovery option can bypass valid…

enterprise_linux enterprise_linux | Denial of Service
Jul 01, 2026 Jul 01, 2026
Jul 01, 2026
Jul 01, 2026
5.3 MEDIUM
CVE-2026-27435 — WordPress Woffice theme < 5.4.33 - Broken Access Control vulnerability

Missing Authorization vulnerability in WofficeIO Woffice allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Woffice: from n/a before 5.4.33.

Remote | Authorization
Jul 01, 2026 Jul 01, 2026
Jul 01, 2026
Jul 01, 2026
0.0 NA
CVE-2026-12754 — VikBooking Hotel Booking Engine & PMS <= 1.8.12 - Reflected Cross-Site Scripting via 'lay…

The VikBooking Hotel Booking Engine & PMS plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'layoutstyle' parameter in all versions up to, and including, 1.8.12 due to insu…

| Cross-Site Scripting
Jul 01, 2026 Jul 01, 2026
Jul 01, 2026
Jul 01, 2026
0.0 NA
CVE-2026-13454 — MotoPress Appointment Booking <= 2.4.5 - Authenticated (Staff+) SQL Injection via 's' Par…

The MotoPress Appointment Booking plugin for WordPress is vulnerable to generic SQL Injection via the 's' parameter in all versions up to, and including, 2.4.5 due to insufficient escaping on the use…

| Injection
Jul 01, 2026 Jul 01, 2026
Jul 01, 2026
Jul 01, 2026
8.9 HIGH
CVE-2026-10538 — Improper deserialization handling in Control-M Components

Messaging consumer functionality allows deserialization of user-controlled data without sufficient restriction of allowed object types in the out of support Control-M/Server and Control-M/Enterprise …

Remote | Misconfiguration
Jul 01, 2026 Jul 01, 2026
Jul 01, 2026
Jul 01, 2026
9.5 CRITICAL
CVE-2026-10539 — Unauthenticated command injection in Control-M/Server communication command

A Control-M/Server communication command does not sufficiently filter or sanitize user-supplied input. Under certain conditions, this issue may allow an unauthenticated attacker to execute unauthoriz…

Remote | Injection
Jul 01, 2026 Jul 01, 2026
Jul 01, 2026
Jul 01, 2026
0.0 NA
CVE-2026-12158 — RegistrationMagic <= 6.0.9.1 - Cross-Site Request Forgery to Privilege Escalation via 'rm…

The RegistrationMagic – User Registration Forms Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.0.9.1. This is due to missing or incorr…

| Cross-Site Request Forgery
Jul 01, 2026 Jul 01, 2026
Jul 01, 2026
Jul 01, 2026
0.0 NA
CVE-2026-13733 — Download Manager <= 3.3.60 - Authenticated (Contributor+) Stored Cross-Site Scripting via…

The Download Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'no_data_msg' Shortcode Attribute in all versions up to, and including, 3.3.60 due to insufficient input san…

| Cross-Site Scripting
Jul 01, 2026 Jul 01, 2026
Jul 01, 2026
Jul 01, 2026
0.0 NA
CVE-2026-11387 — SMS Alert <= 3.9.5 - Unauthenticated Privilege Escalation via Arbitrary Password Reset

The SMS Alert – SMS & OTP for WooCommerce, Order Notifications & Abandoned Cart Recovery plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and inc…

| Authentication
Jul 01, 2026 Jul 01, 2026
Jul 01, 2026
Jul 01, 2026
0.0 NA
CVE-2026-12408 — Slim SEO <= 4.9.8 - Authenticated (Contributor+) Insufficient Authorization to Private Co…

The Slim SEO – A Fast & Automated SEO Plugin For WordPress plugin for WordPress is vulnerable to Unauthorized Private Content Disclosure in all versions up to, and including, 4.9.8 via the `/wp-json/…

| Authorization
Jul 01, 2026 Jul 01, 2026
Jul 01, 2026
Jul 01, 2026
0.0 NA
CVE-2026-10096 — Qi Blocks <= 1.4.9 - Insecure Direct Object Reference to Authenticated (Author+) Arbitrar…

The Qi Blocks plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.4.9 via the 'page_id' parameter due to missing validation on a user contro…

qi_blocks | Authorization
Jul 01, 2026 Jul 01, 2026
Jul 01, 2026
Jul 01, 2026
0.0 NA
CVE-2026-12435 — Motors <= 1.4.111 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Post M…

The Motors – Car Dealership & Classified Listings Plugin plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.4.111. This is due to the plugin not proper…

| Authorization
Jul 01, 2026 Jul 01, 2026
Jul 01, 2026
Jul 01, 2026
0.0 NA
CVE-2026-12732 — LearnPress <= 4.4.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'class…

The LearnPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'class_wrapper_form' shortcode attribute in versions up to, and including, 4.4.0. This is due to insufficient …

| Cross-Site Scripting
Jul 01, 2026 Jul 01, 2026
Jul 01, 2026
Jul 01, 2026
5.6 MEDIUM
CVE-2026-10540 — Weak password hash protection in Control-M/Entreprise Manager

The Control-M/Enterprise Manager uses weak protections for stored hashes of account passwords, potentially allowing offline password recovery attacks if credential data is obtained by an attacker. Th…

| Cryptography
Jul 01, 2026 Jul 01, 2026
Jul 01, 2026
Jul 01, 2026
8.7 HIGH
CVE-2026-12577 — DVP80ES3 Improperly Implemented Security Check for Standard vulnerability

DVP80ES3 with Improperly Implemented Security Check for Standard vulnerability.

Remote | Authentication
Jul 01, 2026 Jul 01, 2026
Jul 01, 2026
Jul 01, 2026
7.5 HIGH
CVE-2026-12576 — DVP80ES3 Improper Enforcement of Message Integrity During Transmission in a Communication…

DVP80ES3 with Improper Enforcement of Message Integrity During Transmission in a Communication Channel vulnerability.

Remote | Cryptography
Jul 01, 2026 Jul 01, 2026
Jul 01, 2026
Jul 01, 2026
7.5 HIGH
CVE-2026-12575 — DVP80ES3 Improper Resource Shutdown or Release Vulnerability

DVP80ES3 with  Improper Resource Shutdown or Release vulnerability.

Remote | Misconfiguration
Jul 01, 2026 Jul 01, 2026
Jul 01, 2026
Jul 01, 2026
Showing 20 of 7952 Results