Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
0.0 NA
CVE-2026-49416 — Integer overflow in vt(4) CONS_HISTORY ioctl

The CONS_HISTORY ioctl handler did not adequately validate the requested history size. A large value caused an integer overflow in the buffer size calculation, resulting in a heap allocation smaller…

Memory Corruption
Jun 27, 2026
0.0 NA
CVE-2026-49414 — ASLR bypass for setuid executables via procctl(2)

The ELF image activator cleared per-process ASLR preference flags for setuid binaries after the code that computes the PIE base address, rather than before. As a result, a user-requested ASLR disabl…

Memory Corruption
Jun 27, 2026
0.0 NA
CVE-2026-49413 — Flaw in Linuxulator execution of setugid binaries

The Linuxulator determined whether a binary was set-user-ID or set-group-ID by checking the P_SUGID process flag. During execve(2), this flag is not yet set at the point where the auxiliary vector i…

Authentication
Jun 27, 2026
0.0 NA
CVE-2026-49412 — Use-after-free bug in the IPV6_MSFILTER socket option handler

The kernel handler for IPV6_MSFILTER dropped a serializing lock in order to copy the source-filter list from userspace, then reacquired the lock. During this window another thread could free the mul…

Memory Corruption
Jun 27, 2026
0.0 NA
CVE-2026-45259 — sigqueue(2) missing capability mode restriction

sigqueue(2) was marked as permitted in capability mode with the introduction of Capsicum in 2011, but the implementation of kern_sigqueue did not include a capability mode check restricting signal de…

Authorization
Jun 27, 2026
0.0 NA
CVE-2026-45258 — Multiple vulnerabilities in the sound(4) mmap path

dsp_mmap_single() validated the requested mapping by checking the sum of the user-supplied offset and length against the buffer size. This addition could overflow, so that a large offset and length …

Memory Corruption
Jun 27, 2026
0.0 NA
CVE-2026-49417 — Multiple vulnerabilities in the sound(4) mmap path

Second, the audio buffer backing a mapping could be freed when the device was closed even though the mapping remained valid. The freed memory could then be reused elsewhere while still accessible th…

Memory Corruption
Jun 27, 2026
4.4 MEDIUM
CVE-2026-12399 — Gutenverse <= 3.8.0 - Authenticated (Editor+) Stored Cross-Site Scripting via 'fonts[].fo…

The Gutenverse – WordPress Blocks, Page Builder & Site Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.8.0 due to i…

Remote | Cross-Site Scripting
Jun 27, 2026
6.5 MEDIUM
CVE-2026-3462 — Frisbii Pay <= 1.8.9 - Missing Authorization to Authenticated (Subscriber+) Payment Token…

The Frisbii Pay plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on the 'upload_csv' and 'process_batch' functions in all versions up to, and i…

Remote | Authorization
Jun 27, 2026
5.3 MEDIUM
CVE-2026-12432 — Stripe Payment Forms by WP Full Pay <= 8.4.3 - Missing Authorization to Unauthenticated P…

The WP Full Stripe Free plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 8.4.3 via the wpfs_update_failed_payment_status AJAX action. The handler is regis…

Remote | Authorization
Jun 27, 2026
6.4 MEDIUM
CVE-2026-11597 — Surbma | Infusionsoft Shortcode <= 2.0.1 - Authenticated (Contributor+) Stored Cross-Site…

The Surbma | Infusionsoft Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'infusionsoft-form' shortcode in versions up to, and including, 2.0.1. This is due to ins…

Remote | Cross-Site Scripting
Jun 27, 2026
6.4 MEDIUM
CVE-2026-13295 — Page Builder by SiteOrigin <= 2.34.3 - Authenticated (Contributor+) Stored Cross-Site Scr…

The Page Builder by SiteOrigin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via panels_data Parameter in all versions up to, and including, 2.34.3 due to insufficient input sanit…

page_builder | Remote | Cross-Site Scripting
Jun 27, 2026
4.3 MEDIUM
CVE-2026-12471 — Spexo <= 2.0.11 - Missing Authorization to Authenticated (Subscriber+) Limited Plugin Act…

The Spexo theme for WordPress is vulnerable to unauthorized access due to a missing capability check on the activate_plugin function in all versions up to, and including, 2.0.11. This makes it possib…

Remote | Authorization
Jun 27, 2026
4.3 MEDIUM
CVE-2026-11773 — Masteriyo LMS <= 2.2.1 - Missing Authorization to Authenticated (Student+) Arbitrary Cour…

The Masteriyo LMS – LMS Course Builder, Quizzes & Certificates plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.2.1. This is due to the plugin not pr…

Remote | Authorization
Jun 27, 2026
4.3 MEDIUM
CVE-2026-9233 — Quiz and Survey Master (QSM) <= 11.1.4 - Missing Authorization to Authenticated (Contribu…

The Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 11.1.4. This is due to the plugin not pr…

quiz_and_survey_master | Remote | Authorization
Jun 27, 2026
4.3 MEDIUM
CVE-2026-11364 — Product Specifications for Woocommerce <= 0.8.9 - Missing Authorization to Authenticated …

The Product Specifications for WooCommerce plugin for WordPress is vulnerable to unauthorized modification, creation, and deletion of data in versions up to and including 0.8.9. This is due to a miss…

Remote | Authorization
Jun 27, 2026
6.4 MEDIUM
CVE-2026-11783 — Dokan: AI Powered WooCommerce Multivendor Marketplace Solution <= 5.0.4 - Authenticated (…

The Dokan: AI Powered WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Product SKU in all version…

dokan | Remote | Cross-Site Scripting
Jun 27, 2026
5.3 MEDIUM
CVE-2026-9242 — RegistrationMagic <= 6.0.8.6 - Authenticated (Subscriber+) Authentication Bypass via Forg…

The RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login plugin for WordPress is vulnerable to Authentication Bypass via Insufficient Verification of Data Authent…

registrationmagic | Remote | Authentication
Jun 27, 2026
4.3 MEDIUM
CVE-2026-11987 — Dokan: AI Powered WooCommerce Multivendor Marketplace Solution <= 5.0.4 - Authenticated (…

The Dokan: AI Powered WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, an…

dokan | Remote | Authorization
Jun 27, 2026
0.0 NA
CVE-2026-9677 — Shariff for WordPress <= 1.0.11 - Admin+ Stored Cross-Site Scripting

The Shariff for WordPress plugin through 1.0.11 does not sanitize or escape the shariff_infourl setting before outputting it in the frontend HTML via the generateshariff() funct…

Cross-Site Scripting
Jun 27, 2026
Showing 20 of 7701 Results