Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score | Vulnerability | Published
6.5 MEDIUM
CVE-2026-30040 — FastStone Image Viewer Heap Overflow

A heap overflow in the FSViewer.exe process of FastStone Image Viewer v8.3 allows attackers to execute arbitrary code in the context of the current process via supplying a crafted JPEG 2000 (…

Remote | Memory Corruption
Jun 26, 2026 Jun 26, 2026
5.3 MEDIUM
CVE-2026-24547 — WordPress SiteGround Email Marketing plugin <= 1.7.5 - Broken Access Control vulnerability

Unauthenticated Broken Access Control in SiteGround Email Marketing <= 1.7.5 versions.

Remote | Authorization
Jun 26, 2026 Jun 26, 2026
6.5 MEDIUM
CVE-2025-68075 — WordPress BNE Testimonials plugin <= 2.0.8 - Cross Site Scripting (XSS) vulnerability

Contributor Cross Site Scripting (XSS) in BNE Testimonials <= 2.0.8 versions.

bne_testimonials | Remote | Cross-Site Scripting
Jun 26, 2026 Jun 29, 2026
6.5 MEDIUM
CVE-2025-68074 — WordPress Image Carousel plugin <= 1.0.0.41 - Cross Site Scripting (XSS) vulnerability

Contributor Cross Site Scripting (XSS) in Image Carousel <= 1.0.0.41 versions.

Remote | Cross-Site Scripting
Jun 26, 2026 Jun 26, 2026
7.5 HIGH
CVE-2025-68064 — WordPress Goya Core plugin < 1.0.9.4 - Local File Inclusion vulnerability

Contributor Local File Inclusion in Goya Core < 1.0.9.4 versions.

Remote
Jun 26, 2026 Jun 26, 2026
7.5 HIGH
CVE-2025-68063 — WordPress Splash - Sport Club WordPress theme for Basketball, Football, Hockey theme <= 4…

Contributor Local File Inclusion in Splash - Sport Club WordPress Theme for Basketball, Football, Hockey <= 4.4.3 versions.

Remote | Path Traversal
Jun 26, 2026 Jun 26, 2026
8.8 HIGH
CVE-2025-68052 — WordPress Eagle Booking plugin <= 1.3.4.3 - Cross Site Request Forgery (CSRF) vulnerabili…

Unauthenticated Cross Site Request Forgery (CSRF) in Eagle Booking <= 1.3.4.3 versions.

Remote | Cross-Site Request Forgery
Jun 26, 2026 Jun 26, 2026
5.3 MEDIUM
CVE-2025-66123 — WordPress BookPro plugin <= 1.1.0 - Insecure Direct Object References (IDOR) vulnerability

Unauthenticated Insecure Direct Object References (IDOR) in BookPro <= 1.1.0 versions.

Remote | Authorization
Jun 26, 2026 Jun 26, 2026
5.3 MEDIUM
CVE-2025-64637 — WordPress Auros Core plugin <= 5.3.1 - Content Injection vulnerability

Unauthenticated Content Injection in Auros Core <= 5.3.1 versions.

Remote | Injection
Jun 26, 2026 Jun 29, 2026
5.3 MEDIUM
CVE-2025-64636 — WordPress Donation Thermometer plugin <= 2.2.7 - Broken Access Control vulnerability

Unauthenticated Broken Access Control in Donation Thermometer <= 2.2.7 versions.

donation_thermometer | Remote | Authorization
Jun 26, 2026 Jun 26, 2026
4.3 MEDIUM
CVE-2025-63079 — WordPress Live Copy Paste for Elementor plugin <= 1.5.3 - Broken Access Control vulnerabi…

Contributor Broken Access Control in Live Copy Paste for Elementor <= 1.5.3 versions.

Remote | Authorization
Jun 26, 2026 Jun 26, 2026
4.3 MEDIUM
CVE-2025-63078 — WordPress Restaurant Menu by MotoPress plugin <= 2.4.11 - Broken Access Control vulnerabi…

Subscriber Broken Access Control in Restaurant Menu by MotoPress <= 2.4.11 versions.

restaurant_menu | Remote | Authorization
Jun 26, 2026 Jun 26, 2026
5.4 MEDIUM
CVE-2025-63041 — WordPress Forget About Shortcode Buttons plugin <= 2.1.3 - Broken Access Control vulnerab…

Contributor Broken Access Control in Forget About Shortcode Buttons <= 2.1.3 versions.

forget_about_shortcode_buttons | Remote | Authorization
Jun 26, 2026 Jun 26, 2026
2.1 LOW
CVE-2026-57940 — HTMLy Server-Side Request Forgery

HTMLy 3.1.1 contains a Server-Side Request Forgery (SSRF) vulnerability in the RSS feed import functionality. The function get_feed() in system/admin/admin.php passes user-supplied $feed_url directly…

Remote | Server-Side Request Forgery
Jun 26, 2026 Jun 26, 2026
9.8 CRITICAL
CVE-2026-57926 — JetBrains YouTrack Prototype Pollution

In JetBrains YouTrack before 2026.2.16593 the websandbox bridge was vulnerable to a prototype pollution attack

youtrack | Remote | Misconfiguration
Jun 26, 2026 Jun 27, 2026
5.3 MEDIUM
CVE-2026-57925 — JetBrains YouTrack Improper Access Control

In JetBrains YouTrack before 2026.2.16593 improper access control allowed reading saved queries and tags

youtrack | Remote | Authorization
Jun 26, 2026 Jun 27, 2026
5.3 MEDIUM
CVE-2026-57924 — JetBrains YouTrack: Role Configuration Information Disclosure

In JetBrains YouTrack before 2026.2.16593 default role configuration exposed excessive user profile details

youtrack | Remote | Information Disclosure
Jun 26, 2026 Jun 27, 2026
7.5 HIGH
CVE-2026-57923 — JetBrains YouTrack Improper Authorization

In JetBrains YouTrack before 2026.2.16593 improper authorisation in the app configurations endpoint allowed modifying project settings

youtrack | Remote | Authorization
Jun 26, 2026 Jun 27, 2026
5.3 MEDIUM
CVE-2026-57922 — JetBrains YouTrack Project Settings Disclosure

In JetBrains YouTrack before 2026.2.16593 project settings disclosure via the MCP was possible

youtrack | Remote | Information Disclosure
Jun 26, 2026 Jun 27, 2026
7.5 HIGH
CVE-2026-57921 — JetBrains YouTrack: Improper Access Control in Comment Templates

In JetBrains YouTrack before 2026.2.16593 improper access control allowed reading users' private data via the comment templates endpoint

youtrack | Remote | Authorization
Jun 26, 2026 Jun 27, 2026
Showing 20 of 7989 Results