Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score | Vulnerability | Published
7.2 HIGH
CVE-2026-12095 — Kargo Takip <= 1.2 - Unauthenticated Server-Side Request Forgery via 'api_url' Parameter

The Kargo Takip plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.2 via the 'api_url' parameter. This makes it possible for unauthenticated att…

Remote | Server-Side Request Forgery
Jun 24, 2026 Jun 25, 2026
5.3 MEDIUM
CVE-2026-12094 — Advanced Contact Form 7 <= 1.0.0 - Missing Authorization to Unauthenticated Arbitrary Con…

The Advanced Contact Form 7 - Compact DB plugin for WordPress is vulnerable to unauthorized deletion of data due to a missing capability check on the cf7cdb_ajax_delete_user() function in versions up…

Remote | Authorization
Jun 24, 2026 Jun 25, 2026
4.3 MEDIUM
CVE-2026-11997 — Bulk SEO Image <= 1.1 - Cross-Site Request Forgery to Settings Update

The Bulk SEO Image plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to and including 1.1. This is due to missing or incorrect nonce validation on the plugin's settings …

Remote | Cross-Site Request Forgery
Jun 24, 2026 Jun 25, 2026
6.4 MEDIUM
CVE-2026-11370 — WP Meta SEO <= 4.5.18 - Authenticated (Contributor+) Server-Side Request Forgery via 'new…

The WP Meta SEO plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 4.5.18 via the 'new_link' parameter. This makes it possible for authenticated a…

wp_meta_seo | Remote | Server-Side Request Forgery
Jun 24, 2026 Jun 29, 2026
2.7 LOW
CVE-2026-10753 — Site Kit by Google < 1.176.0 - Editor+ Email Reporting Settings Update

The Site Kit by Google WordPress plugin before 1.176.0 does not properly restrict a REST API write endpoint to administrators, allowing lower-privileged users who have been granted dashboard sharing…

Remote | Authorization
Jun 24, 2026 Jun 25, 2026
7.2 HIGH
CVE-2026-10749 — Post Duplicator < 3.0.15 - Contributor+ PHP Object Injection via customMetaData

The Post Duplicator WordPress plugin before 3.0.15 does not safely handle custom meta-data during post duplication, storing attacker-supplied serialized values without the WordPress meta API's double…

Remote | Injection
Jun 24, 2026 Jun 25, 2026
7.5 HIGH
CVE-2026-10735 — ShapedPlugin Multiple Pro Plugins - Backdoor via Compromised Vendor Update Server

Multiple Shapedsmart-post-show-pro WordPress plugin before 4.0.2, Real Testimonials Pro WordPress plugin before 3.2.5, Product Slider for WooCommerce Pro WordPress plugin before 3.5.3 Pro smart-post-…

Remote | Supply Chain
Jun 24, 2026 Jun 25, 2026
4.3 MEDIUM
CVE-2026-10552 — Blue Captcha <= 2.0.1 - Cross-Site Request Forgery via 'blcap_action' Parameter

The Blue Captcha plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to and including 2.0.1. This is due to missing or incorrect nonce validation on the main admin panel (…

Remote | Cross-Site Request Forgery
Jun 24, 2026 Jun 25, 2026
5.4 MEDIUM
CVE-2026-10531 — AI Share & Summarize < 2.0.4 - Contributor+ Stored XSS via title_style Shortcode Attribute

The AI Share & Summarize WordPress plugin before 2.0.4 does not sanitise and escape some of its shortcode attributes before outputting them in a page, allowing users with the Contributor role and abo…

Remote | Cross-Site Scripting
Jun 24, 2026 Jun 25, 2026
7.2 HIGH
CVE-2026-10092 — Cincopa video and media plug-in <= 1.163 - Unauthenticated Stored Cross-Site Scripting vi…

The Cincopa video and media plug-in plugin for WordPress is vulnerable to Stored Cross-Site Scripting via cincopa Shortcode in Post Comments in all versions up to, and including, 1.163 due to insuffi…

video_and_media_plug-in | Remote | Cross-Site Scripting
Jun 24, 2026 Jun 25, 2026
7.2 HIGH
CVE-2026-10091 — Email JavaScript Cloak <= 1.03 - Unauthenticated Stored Cross-Site Scripting

The Email JavaScript Cloak plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'email' shortcode in all versions up to, and including, 1.03 due to insufficient input sa…

Remote | Cross-Site Scripting
Jun 24, 2026 Jun 25, 2026
6.5 MEDIUM
CVE-2026-9539 — libslirp TCP URG OOB Read Information Leak

An out-of-bounds heap read and integer underflow in the TCP urgent data handling (sosendoob) in freedesktop.org libslirp version before v4.9.2 on hypervisor host environments (e.g., QEMU) allows a pr…

| Memory Corruption
Jun 24, 2026 Jun 25, 2026
9.1 CRITICAL
CVE-2026-12851 — GeoVision GV-I/O Box 4E libNetSetObj.so OS command injection vulnerability

Multiple OS command injection vulnerabilities exist in the libNetSetObj.so functionality of GeoVision GV-I/O Box 4E 2.09. A specially crafted network packet can lead to command execution. An attacker…

Remote | Injection
Jun 24, 2026 Jun 25, 2026
9.1 CRITICAL
CVE-2026-12850 — GeoVision GV-I/O Box 4E libNetSetObj.so OS command injection vulnerability

Multiple OS command injection vulnerabilities exist in the libNetSetObj.so functionality of GeoVision GV-I/O Box 4E 2.09. A specially crafted network packet can lead to command execution. An attacker…

Remote | Injection
Jun 24, 2026 Jun 25, 2026
9.1 CRITICAL
CVE-2026-12849 — GeoVision GV-I/O Box 4E libNetSetObj.so OS command injection vulnerability

Multiple OS command injection vulnerabilities exist in the libNetSetObj.so functionality of GeoVision GV-I/O Box 4E 2.09. A specially crafted network packet can lead to command execution. An attacker…

Remote | Injection
Jun 24, 2026 Jun 25, 2026
10.0 CRITICAL
CVE-2026-12848 — GeoVision GV-I/O Box DVRSearch buffer overflow vulnerabilities in CMD_IP_SET command

GV-I/O Box 4E is a smart embedded device with 4 inputs and 4 relay outputs that can be controlled over Ethernet and RS-485. DVRSearch is a service running by default on the IOBox listening for UDP me…

Remote | Memory Corruption
Jun 24, 2026 Jun 25, 2026
10.0 CRITICAL
CVE-2026-12847 — GeoVision GV-I/O Box DVRSearch buffer overflow vulnerabilities in CMD_IP_SET command

GV-I/O Box 4E is a smart embedded device with 4 inputs and 4 relay outputs that can be controlled over Ethernet and RS-485. DVRSearch is a service running by default on the IOBox listening for UDP me…

Remote | Memory Corruption
Jun 24, 2026 Jun 25, 2026
10.0 CRITICAL
CVE-2026-12846 — GeoVision GV-I/O Box DVRSearch buffer overflow vulnerabilities in CMD_IP_SET command

GV-I/O Box 4E is a smart embedded device with 4 inputs and 4 relay outputs that can be controlled over Ethernet and RS-485. DVRSearch is a service running by default on the IOBox listening for UDP me…

Remote | Memory Corruption
Jun 24, 2026 Jun 25, 2026
6.2 MEDIUM
CVE-2026-12488 — GeoVision GV-VMS V20 GV-Cloud memory corruption vulnerability

A memory corruption vulnerability exists in the GV-Cloud functionality of GeoVision GV-VMS V20 20.0.2. A specially crafted network request can lead to a denial of service. An attacker can imperson…

Remote | Memory Corruption
Jun 24, 2026 Jun 25, 2026
9.1 CRITICAL
CVE-2026-12486 — GeoVision GV-I/O Box 4E libNetSetObj.so OS command injection vulnerability

Multiple OS command injection vulnerabilities exist in the libNetSetObj.so functionality of GeoVision GV-I/O Box 4E 2.09. A specially crafted network packet can lead to command execution. An attacker…

Remote | Injection
Jun 24, 2026 Jun 25, 2026
Showing 20 of 7983 Results