Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score | Vulnerability | Published
4.9 MEDIUM
CVE-2026-11360 — Advanced Order Export For WooCommerce <= 4.0.10 - Authenticated (Shop Manager+) SQL Injec…

The Advanced Order Export For WooCommerce plugin for WordPress is vulnerable to generic SQL Injection via the 'sort_direction' parameter in all versions up to, and including, 4.0.10 due to insufficie…

Jun 18, 2026 Jun 18, 2026
4.4 MEDIUM
CVE-2026-11358 — Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More <=…

The Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, …

orbit_fox | Remote | Cross-Site Scripting
Jun 18, 2026 Jun 18, 2026
4.3 MEDIUM
CVE-2026-11357 — Kadence Blocks <= 3.7.5 - Authenticated (Contributor+) Sensitive Information Exposure via…

The Kadence Blocks — Page Builder Toolkit for Gutenberg Editor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.7.5 via the editor_assets_v…

gutenberg_blocks_with_ai | Remote | Information Disclosure
Jun 18, 2026 Jun 18, 2026
4.9 MEDIUM
CVE-2026-10736 — Tutor LMS <= 3.9.11 - Authenticated (Administrator+) SQL Injection via 'data' Parameter

The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to generic SQL Injection via the 'data' parameter in all versions up to, and including, 3.9.11 due to insuffici…

tutor_lms | Remote | Injection
Jun 18, 2026 Jun 18, 2026
4.3 MEDIUM
CVE-2026-10623 — PressPrimer Quiz <= 2.3.0 - Insecure Direct Object Reference to Authenticated (Custom+) A…

The PressPrimer Quiz – AI Quiz Maker, Exam Builder & LMS Assessment Plugin plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.3.0 via the '…

Remote | Authorization
Jun 18, 2026 Jun 18, 2026
5.3 MEDIUM
CVE-2026-10029 — Event Koi Lite <= 1.3.13.1 - Missing Authorization to Unauthenticated Sensitive Informati…

The Event Koi Lite – Events Calendar, Event Management, RSVP, and Tickets plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.3.13.1 via the g…

Remote | Information Disclosure
Jun 18, 2026 Jun 18, 2026
7.8 HIGH
CVE-2026-12505 — Cifs-utils: local privilege escalation via forged cifs.spnego key description in cifs.upc…

A flaw was found in the cifs-utils package where the cifs.upcall helper fails to securely drop its root privileges before looking up user information inside a user-controlled environment. A local, lo…

Jun 18, 2026 Jun 30, 2026
8.8 HIGH
CVE-2026-12407 — E2Pdf <= 1.32.26 - Missing Authorization to Authenticated (Custom+) Arbitrary Option Upda…

The E2Pdf – Export Pdf Tool for WordPress plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 1.32.26. This is due to the screen_action() function lacking a …

e2pdf | Remote | Authorization
Jun 18, 2026 Jun 18, 2026
4.3 MEDIUM
CVE-2026-10023 — Dokan: AI Powered WooCommerce Multivendor Marketplace Solution <= 5.0.3 - Insecure Direct…

The Dokan: AI Powered WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, an…

dokan | Remote | Authorization
Jun 18, 2026 Jun 18, 2026
9.8 CRITICAL
CVE-2026-12569 — PTC Windchill and FlexPLM Improper Input Validation Vulnerability - [Actively Exploited]

A critical remote code execution (RCE) vulnerability has been reported in PTC Windchill PDMlink and PTC FlexPLM. The vulnerability may be exploited through the deserialization of untrusted data.  * …

windchill_pdmlink flexplm | CISA KEV Remote | Injection
Jun 18, 2026 Jun 30, 2026
9.3 CRITICAL
CVE-2026-48768 — TypeBot: Unauthenticated arbitrary s3 object write in generate-upload-url via unsanitized…

TypeBot is a chatbot builder tool. In versions 3.16.1 and earlier, POST /api/blocks/file-input/v3/generate-upload-url is unauthenticated and uses unsanitized fileName input to construct public/ S3 ob…

typebot | Remote | Authentication
Jun 18, 2026 Jun 22, 2026
8.2 HIGH
CVE-2026-48764 — TypeBot has SSRF in HTTP request and script fetch flows via DNS rebinding bypass

TypeBot is a chatbot builder tool. In versions prior to 3.17.2, SSRF validation is implemented by resolving a hostname once and checking whether the resolved IP belongs to a forbidden range allowing …

typebot | Remote | Server-Side Request Forgery
Jun 18, 2026 Jun 22, 2026
6.9 MEDIUM
CVE-2026-54533 — vantage6 node has an Improper Access Control issue

vantage6 is an open-source infrastructure for privacy preserving analysis. Prior to version 5.0.0, malicious algorithms can potentially access other algorithms input and output files. Version 5.0.0 f…

vantage6 | Remote | Authorization
Jun 17, 2026 Jun 23, 2026
6.9 MEDIUM
CVE-2026-54445 — Vantage6: Set admin user and password from environment or configuration

vantage6 is an open-source infrastructure for privacy preserving analysis. Versions prior to 5.0.0 provide an initial user with username `root` and password `root`. This is not ideal because attacker…

vantage6 | Remote | Authentication
Jun 17, 2026 Jun 23, 2026
8.6 HIGH
CVE-2026-53676 — ThingsBoard Prototype Pollution

ThingsBoard contains a prototype pollution vulnerability which may lead to arbitrary code execution within a sandboxed context by a user who can log in to the affected product with the tenant adminis…

thingsboard | Information Disclosure
Jun 17, 2026 Jun 22, 2026
1.9 LOW
CVE-2026-50268 — Steeltoe: OAEP setting silently selects PKCS#1 v1.5 padding

Steeltoe is an open source project that provides a collection of libraries that helps users build cloud-native applications. In Steeltoe.Configuration.Encryption 4.0.0 through 4.1.0, configuring `enc…

| Cryptography
Jun 17, 2026 Jun 22, 2026
4.7 MEDIUM
CVE-2026-50267 — Steeltoe: TLS private keys written to /tmp with default permissions, never deleted

Steeltoe is an open source project that provides a collection of libraries that helps users build cloud-native applications. In Steeltoe.Configuration.Abstractions 4.0.0 through 4.1.0, when MySQL or …

| Misconfiguration
Jun 17, 2026 Jun 22, 2026
5.9 MEDIUM
CVE-2026-50202 — Steeltoe's static JWKS cache shared across schemes and never invalidated

Steeltoe is an open source project that provides a collection of libraries that helps users build cloud-native applications. In Steeltoe.Security.Authentication.CloudFoundryBase prior to version 3.4.…

Remote | Authentication
Jun 17, 2026 Jun 22, 2026
6.5 MEDIUM
CVE-2026-50201 — Steeltoe's sensitive actuators (heapdump/env) only require Restricted permission

Steeltoe is an open source project that provides a collection of libraries that helps users build cloud-native applications. In Steeltoe.Management.Endpoint prior to version 4.2.0 and Steeltoe.Manage…

Remote | Authorization
Jun 17, 2026 Jun 22, 2026
7.1 HIGH
CVE-2026-48759 — TypeBot: Cross-Workspace Theme Template IDOR (Modification and Deletion)

TypeBot is a chatbot builder tool. Versions 3.15.2 and below have an Insecure Direct Object Reference vulnerability through cross-workspace Theme Template modification and deletion. The handleSaveThe…

typebot | Remote | Authorization
Jun 17, 2026 Jun 22, 2026
Showing 20 of 8012 Results