Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
8.1 HIGH
CVE-2026-49877 — Apache ActiveMQ: Authenticated web users retain admin access by default in the Web Console

Improper Authorization vulnerability in Apache ActiveMQ. An authenticated low-privilege Web Console user by default can access /admin/* paths in the Web Console. The default Jetty settings incorrect…

activemq | Remote | Authorization
Jun 30, 2026 Jun 30, 2026
Jun 30, 2026
Jun 30, 2026
7.5 HIGH
CVE-2026-50734 — Apache ActiveMQ Client, Apache ActiveMQ, Apache ActiveMQ All: Pre-authentication OpenWire…

Memory Allocation with Excessive Size Value vulnerability in Apache ActiveMQ Client, Apache ActiveMQ, Apache ActiveMQ All. An unauthenticated network attacker can cause a broker DoS by sending a cra…

activemq | Remote | Denial of Service
Jun 30, 2026 Jun 30, 2026
Jun 30, 2026
Jun 30, 2026
7.5 HIGH
CVE-2026-50750 — Apache ActiveMQ Broker, Apache ActiveMQ, Apache ActiveMQ All: Pre-authentication OpenWire…

Denial of Service via Out of Memory vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ, Apache ActiveMQ All. Following the fix for CVE-2026-49270 an unauthenticated attacker can now cause bro…

activemq activemq_broker | Remote | Denial of Service
Jun 30, 2026 Jun 30, 2026
Jun 30, 2026
Jun 30, 2026
6.1 MEDIUM
CVE-2026-52760 — Apache ActiveMQ, Apache ActiveMQ Web Console: Stored XSS via Unescaped values in ActiveMQ…

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache ActiveMQ, Apache ActiveMQ Web Console. The browse page in the web console renders a messa…

activemq | Remote | Cross-Site Scripting
Jun 30, 2026 Jun 30, 2026
Jun 30, 2026
Jun 30, 2026
7.5 HIGH
CVE-2026-53916 — Apache ActiveMQ, Apache ActiveMQ All, Apache ActiveMQ Stomp: Unbounded header buffer in S…

Memory Allocation with Excessive Size Value vulnerability in Apache ActiveMQ, Apache ActiveMQ All, Apache ActiveMQ Stomp. An unauthenticated client that opens a STOMP NIO connection can send header…

activemq | Remote | Memory Corruption
Jun 30, 2026 Jun 30, 2026
Jun 30, 2026
Jun 30, 2026
7.5 HIGH
CVE-2026-53917 — Apache ActiveMQ, Apache ActiveMQ All, Apache ActiveMQ Client, Apache ActiveMQ Broker: Unb…

Memory Allocation with Excessive Size Value vulnerability in Apache ActiveMQ, Apache ActiveMQ All, Apache ActiveMQ Client, Apache ActiveMQ Broker. An authenticated user can cause a broker DoS by sen…

activemq activemq_broker | Remote | Denial of Service
Jun 30, 2026 Jun 30, 2026
Jun 30, 2026
Jun 30, 2026
7.5 HIGH
CVE-2026-54475 — Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ: Temporary destination owner…

Missing Authorization vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ. Apache ActiveMQ Classic temporary destinations are expected to be isolated to the connection that…

activemq activemq_broker | Remote | Authorization
Jun 30, 2026 Jun 30, 2026
Jun 30, 2026
Jun 30, 2026
6.6 MEDIUM
CVE-2026-45822 — decode-uri-component Denial of Service

decode-uri-component through 0.4.1 is vulnerable to denial of service. The decode() function splits input on '%' producing N tokens and calls decodeComponents(), exhibiting super-linear parsing time:…

Remote | Denial of Service
Jun 30, 2026 Jun 30, 2026
Jun 30, 2026
Jun 30, 2026
8.4 HIGH
CVE-2026-12578 — DTMSoft - Deserialization of Untrusted Data Vulnerability

The affected product is vulnerable to a deserialization of untrusted data, which may allow an attacker to execute arbitrary code.

dtmsoft | Injection
Jun 30, 2026 Jun 30, 2026
Jun 30, 2026
Jun 30, 2026
4.9 MEDIUM
CVE-2026-9576 — Fluent Booking < 2.1.2 - Calendar Manager+ Sensitive Information Disclosure via Attendee …

The Fluent Booking WordPress plugin before 2.1.2 does not verify ownership of the requested group_id before exporting attendee data via the export endpoint, allowing users with at least the Calendar…

Remote | Authorization
Jun 30, 2026 Jun 30, 2026
Jun 30, 2026
Jun 30, 2026
6.1 MEDIUM
CVE-2026-56809 — Ricoh Web Image Monitor Reflected Cross-Site Scripting

Multiple laser printers and MFPs (multifunction printers) which implement Ricoh Web Image Monitor contain a reflected cross-site scripting vulnerability. An arbitrary script may be executed on the we…

| Cross-Site Scripting
Jun 30, 2026 Jun 30, 2026
Jun 30, 2026
Jun 30, 2026
8.6 HIGH
CVE-2026-56808 — AVTECH DGM3103SCT OS Command Injection

DGM3103SCT provided by AVTECH Security Corporation contains an OS command injection vulnerability, which may lead to arbitrary command execution with the root privilege by a user who can log in to th…

| Injection
Jun 30, 2026 Jun 30, 2026
Jun 30, 2026
Jun 30, 2026
8.4 HIGH
CVE-2026-56137 — Gotcha Gotcha Games RPG MAKER OS Command Injection

RPG MAKER MV and MZ provided by Gotcha Gotcha Games Inc. contain an OS command injection vulnerability. If a user loads a specially crafted save-file, arbitrary OS command may be executed.

| Injection
Jun 30, 2026 Jun 30, 2026
Jun 30, 2026
Jun 30, 2026
7.5 HIGH
CVE-2026-14164 — Libarchive: double-free vulnerability in rar5 decompression logic via dangling filtered_b…

A double free issue has been identified in libarchive's RAR5 reader. During parsing of a specially crafted RAR5 archive, the filtered_buf pointer may remain stale after being freed during unpacking s…

Jun 30, 2026 Jun 30, 2026
Jun 30, 2026
Jun 30, 2026
9.3 CRITICAL
CVE-2026-12819 — DVP-12SE Missing Authentication and Unauthorized Write access Vulnerability

Delta Electronics DVP12SE PLC exposes a Modbus TCP service over a specified port without authentication or access control, permitting unauthenticated interaction with security-sensitive PLC functions.

dvp-12se dvp-12se | Remote | Authentication
Jun 30, 2026 Jun 30, 2026
Jun 30, 2026
Jun 30, 2026
9.3 CRITICAL
CVE-2026-12818 — DVP-12SE Exposure of Sensitive Information Vulnerability

Delta Electronics DVP12SE PLCs are susceptible to a resource allocation vulnerability without limits or throttling (CWE-770) within their Modbus TCP service.

dvp-12se dvp-12se | Remote | Denial of Service
Jun 30, 2026 Jun 30, 2026
Jun 30, 2026
Jun 30, 2026
8.0 HIGH
CVE-2026-12240 — Export User Data <= 2.2.6 - Authenticated (Subscriber+) PHP Object Injection to Arbitrary…

The Export User Data plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the unserialize function in all versions up to, and including, 2.2.6. Th…

Remote | Path Traversal
Jun 30, 2026 Jun 30, 2026
Jun 30, 2026
Jun 30, 2026
8.6 HIGH
CVE-2026-11590 — WP Support Plus Responsive Ticket System <= 9.1.2 - Unauthenticated SQL Injection via fil…

The WP Support Plus Responsive Ticket System WordPress plugin through 9.1.2 does not sanitize user-supplied array keys before using them in a SQL statement, allowing unauthenticated users to perform …

Remote | Injection
Jun 30, 2026 Jun 30, 2026
Jun 30, 2026
Jun 30, 2026
8.8 HIGH
CVE-2026-11589 — WP Support Plus Responsive Ticket System <= 9.1.2 - Unauthenticated Stored XSS via File U…

The WP Support Plus Responsive Ticket System WordPress plugin through 9.1.2 does not properly validate uploaded files, allowing unauthenticated users to upload files containing malicious JavaScript (…

Remote | Cross-Site Scripting
Jun 30, 2026 Jun 30, 2026
Jun 30, 2026
Jun 30, 2026
5.9 MEDIUM
CVE-2026-11581 — Kali Forms < 2.4.13 - Contributor+ Stored XSS via Form Field Caption

The Kali Forms — Contact Form & Drag-and-Drop Builder WordPress plugin before 2.4.13 does not sanitise a form field's caption before outputting it as a column header on the administrator form-entries…

Remote | Cross-Site Scripting
Jun 30, 2026 Jun 30, 2026
Jun 30, 2026
Jun 30, 2026
Showing 20 of 7988 Results