Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
7.5 HIGH
CVE-2026-10735 — ShapedPlugin Multiple Pro Plugins - Backdoor via Compromised Vendor Update Server

Multiple Shapedsmart-post-show-pro WordPress plugin before 4.0.2, Real Testimonials Pro WordPress plugin before 3.2.5, Product Slider for WooCommerce Pro WordPress plugin before 3.5.3 Pro smart-post-…

Remote | Supply Chain
Jun 24, 2026 Jun 25, 2026
Jun 24, 2026
Jun 25, 2026
4.3 MEDIUM
CVE-2026-10552 — Blue Captcha <= 2.0.1 - Cross-Site Request Forgery via 'blcap_action' Parameter

The Blue Captcha plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to and including 2.0.1. This is due to missing or incorrect nonce validation on the main admin panel (…

Remote | Cross-Site Request Forgery
Jun 24, 2026 Jun 25, 2026
Jun 24, 2026
Jun 25, 2026
5.4 MEDIUM
CVE-2026-10531 — AI Share & Summarize < 2.0.4 - Contributor+ Stored XSS via title_style Shortcode Attribute

The AI Share & Summarize WordPress plugin before 2.0.4 does not sanitise and escape some of its shortcode attributes before outputting them in a page, allowing users with the Contributor role and abo…

Remote | Cross-Site Scripting
Jun 24, 2026 Jun 25, 2026
Jun 24, 2026
Jun 25, 2026
7.2 HIGH
CVE-2026-10092 — Cincopa video and media plug-in <= 1.163 - Unauthenticated Stored Cross-Site Scripting vi…

The Cincopa video and media plug-in plugin for WordPress is vulnerable to Stored Cross-Site Scripting via cincopa Shortcode in Post Comments in all versions up to, and including, 1.163 due to insuffi…

video_and_media_plug-in | Remote | Cross-Site Scripting
Jun 24, 2026 Jun 25, 2026
Jun 24, 2026
Jun 25, 2026
7.2 HIGH
CVE-2026-10091 — Email JavaScript Cloak <= 1.03 - Unauthenticated Stored Cross-Site Scripting

The Email JavaScript Cloak plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'email' shortcode in all versions up to, and including, 1.03 due to insufficient input sa…

Remote | Cross-Site Scripting
Jun 24, 2026 Jun 25, 2026
Jun 24, 2026
Jun 25, 2026
6.5 MEDIUM
CVE-2026-9539 — libslirp TCP URG OOB Read Information Leak

An out-of-bounds heap read and integer underflow in the TCP urgent data handling (sosendoob) in freedesktop.org libslirp version before v4.9.2 on hypervisor host environments (e.g., QEMU) allows a pr…

| Memory Corruption
Jun 24, 2026 Jun 25, 2026
Jun 24, 2026
Jun 25, 2026
9.1 CRITICAL
CVE-2026-12851 — GeoVision GV-I/O Box 4E libNetSetObj.so OS command injection vulnerability

Multiple OS command injection vulnerabilities exist in the libNetSetObj.so functionality of GeoVision GV-I/O Box 4E 2.09. A specially crafted network packet can lead to command execution. An attacker…

Remote | Injection
Jun 24, 2026 Jun 25, 2026
Jun 24, 2026
Jun 25, 2026
9.1 CRITICAL
CVE-2026-12850 — GeoVision GV-I/O Box 4E libNetSetObj.so OS command injection vulnerability

Multiple OS command injection vulnerabilities exist in the libNetSetObj.so functionality of GeoVision GV-I/O Box 4E 2.09. A specially crafted network packet can lead to command execution. An attacker…

Remote | Injection
Jun 24, 2026 Jun 25, 2026
Jun 24, 2026
Jun 25, 2026
9.1 CRITICAL
CVE-2026-12849 — GeoVision GV-I/O Box 4E libNetSetObj.so OS command injection vulnerability

Multiple OS command injection vulnerabilities exist in the libNetSetObj.so functionality of GeoVision GV-I/O Box 4E 2.09. A specially crafted network packet can lead to command execution. An attacker…

Remote | Injection
Jun 24, 2026 Jun 25, 2026
Jun 24, 2026
Jun 25, 2026
10.0 CRITICAL
CVE-2026-12848 — GeoVision GV-I/O Box DVRSearch buffer overflow vulnerabilities in CMD_IP_SET command

GV-I/O Box 4E is a smart embedded device with 4 input and 4 relays output that can be controlled over Ethernet and RS-485. DVRSearch is a service running by default on the IOBox listening for UDP me…

Remote | Memory Corruption
Jun 24, 2026 Jun 25, 2026
Jun 24, 2026
Jun 25, 2026
10.0 CRITICAL
CVE-2026-12847 — GeoVision GV-I/O Box DVRSearch buffer overflow vulnerabilities in CMD_IP_SET command

GV-I/O Box 4E is a smart embedded device with 4 input and 4 relays output that can be controlled over Ethernet and RS-485. DVRSearch is a service running by default on the IOBox listening for UDP me…

Remote | Memory Corruption
Jun 24, 2026 Jun 25, 2026
Jun 24, 2026
Jun 25, 2026
10.0 CRITICAL
CVE-2026-12846 — GeoVision GV-I/O Box DVRSearch buffer overflow vulnerabilities in CMD_IP_SET command

GV-I/O Box 4E is a smart embedded device with 4 input and 4 relays output that can be controlled over Ethernet and RS-485. DVRSearch is a service running by default on the IOBox listening for UDP me…

Remote | Memory Corruption
Jun 24, 2026 Jun 25, 2026
Jun 24, 2026
Jun 25, 2026
6.2 MEDIUM
CVE-2026-12488 — GeoVision GV-VMS V20 GV-Cloud memory corruption vulnerability

A memory corruption vulnerability exists in the GV-Cloud functionality of GeoVision GV-VMS V20 20.0.2.  A specially crafted network request can lead to a denial of service. An attacker can imperson…

Remote | Memory Corruption
Jun 24, 2026 Jun 25, 2026
Jun 24, 2026
Jun 25, 2026
9.1 CRITICAL
CVE-2026-12486 — GeoVision GV-I/O Box 4E libNetSetObj.so OS command injection vulnerability

Multiple OS command injection vulnerabilities exist in the libNetSetObj.so functionality of GeoVision GV-I/O Box 4E 2.09. A specially crafted network packet can lead to command execution. An attacker…

Remote | Injection
Jun 24, 2026 Jun 25, 2026
Jun 24, 2026
Jun 25, 2026
10.0 CRITICAL
CVE-2026-12485 — GeoVision GV-I/O Box DVRSearch buffer overflow vulnerabilities in CMD_IP_SET command

GV-I/O Box 4E is a smart embedded device with 4 input and 4 relays output that can be controlled over Ethernet and RS-485. DVRSearch is a service running by default on the IOBox listening for UDP me…

Remote | Memory Corruption
Jun 24, 2026 Jun 25, 2026
Jun 24, 2026
Jun 25, 2026
7.2 HIGH
CVE-2026-3652 — ARForms <= 7.1.3 - Unauthenticated Stored Cross-Site Scripting via 'value' Parameter

The ARForms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `value` parameter of the `arf_save_incomplete_form_data` AJAX action in all versions up to, and including, 7.1.3 …

Remote | Cross-Site Scripting
Jun 24, 2026 Jun 25, 2026
Jun 24, 2026
Jun 25, 2026
6.4 MEDIUM
CVE-2026-11614 — Xpro Addons <= 1.7.2 - Authenticated (Author+) Stored Cross-Site Scripting via 'custom_at…

The Xpro Addons — 140+ Widgets for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'custom_attributes' parameter in all versions up to, and including, 1.7.2 due to…

xpro_addons_for_elementor | Remote | Cross-Site Scripting
Jun 24, 2026 Jun 25, 2026
Jun 24, 2026
Jun 25, 2026
8.9 HIGH
CVE-2026-12681 — Google go-attestation: Integer Overflow in parseEfiSignatureList

Improper Validation of Specified Index, Position, or Offset in Input vulnerability in Google go-attestation. parseEfiSignatureList() does not advance the buffer past vendor bytes before reading entri…

go-attestation | Remote | Injection
Jun 24, 2026 Jun 25, 2026
Jun 24, 2026
Jun 25, 2026
8.8 HIGH
CVE-2026-54639 — Style Dictionary - Prototype Pollution in convertTokenData utility function

Style Dictionary, a build system for creating cross-platform styles, has a prototype pollution vulnerability starting in version 4.3.0 and prior to version 5.4.4. Impact users have: direct usage of `…

| Misconfiguration
Jun 24, 2026 Jun 25, 2026
Jun 24, 2026
Jun 25, 2026
8.7 HIGH
CVE-2026-7574 — Anthropic Claude Desktop Cowork VM Image Contents Not Validated Before Use

Anthropic Claude Desktop Cowork VM image handling (confirmed across v1.1348.0 through v1.2278.0, including v1.1348.0, v1.1617.0, and v1.2278.0) validates only file presence and a version marker strin…

| Misconfiguration
Jun 24, 2026 Jun 25, 2026
Jun 24, 2026
Jun 25, 2026
Showing 20 of 8023 Results