Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
9.1 CRITICAL
CVE-2026-50203 — Apache Airflow SFTP provider: Path traversal in SFTPHook.retrieve_directory allows local …

A path traversal in the SFTP provider (`SFTPHook.retrieve_directory` / `SFTPOperator(operation=get)`) let a malicious or compromised remote SFTP server write files outside the configured local destin…

apache-airflow-providers-sftp | Remote | Path Traversal
Jun 17, 2026 Jun 17, 2026
Jun 17, 2026
Jun 17, 2026
7.1 HIGH
CVE-2026-49778 — WordPress WPFunnels Pro plugin <= 2.9.4 - Cross Site Scripting (XSS) vulnerability

Unauthenticated Cross Site Scripting (XSS) in WPFunnels Pro <= 2.9.4 versions.

Remote | Cross-Site Scripting
Jun 17, 2026 Jun 17, 2026
Jun 17, 2026
Jun 17, 2026
9.8 CRITICAL
CVE-2026-49767 — WordPress wpForo Forum plugin <= 3.1.0 - Broken Authentication vulnerability

Unauthenticated Broken Authentication in wpForo Forum <= 3.1.0 versions.

wpforo_forum | Remote | Authentication
Jun 17, 2026 Jun 17, 2026
Jun 17, 2026
Jun 17, 2026
8.5 HIGH
CVE-2026-49113 — WordPress Cornerstone plugin < 7.8.8 - Arbitrary Code Execution vulnerability

Subscriber Arbitrary Code Execution in Cornerstone < 7.8.8 versions.

Remote | Memory Corruption
Jun 17, 2026 Jun 17, 2026
Jun 17, 2026
Jun 17, 2026
9.8 CRITICAL
CVE-2026-49107 — WordPress Thrive Apprentice plugin < 10.8.10.2 - PHP Object Injection vulnerability

Unauthenticated PHP Object Injection in Thrive Apprentice < 10.8.10.2 versions.

thrive_apprentice | Remote | Injection
Jun 17, 2026 Jun 17, 2026
Jun 17, 2026
Jun 17, 2026
9.3 CRITICAL
CVE-2026-49084 — WordPress JetEngine plugin < 3.8.9.1 - SQL Injection vulnerability

Unauthenticated SQL Injection in JetEngine < 3.8.9.1 versions.

jetengine | Remote | Injection
Jun 17, 2026 Jun 17, 2026
Jun 17, 2026
Jun 17, 2026
8.2 HIGH
CVE-2026-49081 — WordPress User Registration Stripe plugin <= 1.3.12 - Broken Access Control vulnerability

Unauthenticated Broken Access Control in User Registration Stripe <= 1.3.12 versions.

Remote | Authorization
Jun 17, 2026 Jun 17, 2026
Jun 17, 2026
Jun 17, 2026
9.3 CRITICAL
CVE-2026-49080 — WordPress wpDataTables plugin <= 7.3.6 - SQL Injection vulnerability

Unauthenticated SQL Injection in wpDataTables <= 7.3.6 versions.

Remote | Injection
Jun 17, 2026 Jun 17, 2026
Jun 17, 2026
Jun 17, 2026
9.3 CRITICAL
CVE-2026-49079 — WordPress JetSearch plugin <= 3.5.17 - SQL Injection vulnerability

Unauthenticated SQL Injection in JetSearch <= 3.5.17 versions.

Remote | Injection
Jun 17, 2026 Jun 17, 2026
Jun 17, 2026
Jun 17, 2026
9.3 CRITICAL
CVE-2026-49076 — WordPress JetEngine plugin <= 3.8.9.1 - SQL Injection vulnerability

Unauthenticated SQL Injection in JetEngine <= 3.8.9.1 versions.

jetengine | Remote | Injection
Jun 17, 2026 Jun 17, 2026
Jun 17, 2026
Jun 17, 2026
9.8 CRITICAL
CVE-2026-49075 — WordPress JetEngine plugin <= 3.8.9.1 - PHP Object Injection vulnerability

Contributor PHP Object Injection in JetEngine <= 3.8.9.1 versions.

jetengine | Remote | Injection
Jun 17, 2026 Jun 17, 2026
Jun 17, 2026
Jun 17, 2026
7.1 HIGH
CVE-2026-49074 — WordPress JetEngine plugin <= 3.8.9.1 - Cross Site Scripting (XSS) vulnerability

Unauthenticated Cross Site Scripting (XSS) in JetEngine <= 3.8.9.1 versions.

jetengine | Remote | Cross-Site Scripting
Jun 17, 2026 Jun 17, 2026
Jun 17, 2026
Jun 17, 2026
8.5 HIGH
CVE-2026-49073 — WordPress Directorist Booking plugin <= 3.0.3 - SQL Injection vulnerability

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in wpWax Directorist Booking allows Blind SQL Injection. This issue affects Directorist Booking: fr…

Remote | Injection
Jun 17, 2026 Jun 17, 2026
Jun 17, 2026
Jun 17, 2026
6.5 MEDIUM
CVE-2026-49072 — WordPress WooCommerce Anti-Fraud plugin <= 7.2.6 - Broken Access Control vulnerability

Unauthenticated Broken Access Control in WooCommerce Anti-Fraud <= 7.2.6 versions.

Remote | Authorization
Jun 17, 2026 Jun 17, 2026
Jun 17, 2026
Jun 17, 2026
6.5 MEDIUM
CVE-2026-49071 — WordPress WooCommerce Dropshipping plugin <= 5.2.4 - Broken Authentication vulnerability

Unauthenticated Broken Authentication in WooCommerce Dropshipping <= 5.2.4 versions.

woocommerce_dropshipping | Remote | Authentication
Jun 17, 2026 Jun 17, 2026
Jun 17, 2026
Jun 17, 2026
9.8 CRITICAL
CVE-2026-49058 — WordPress LoginPress Pro plugin <= 6.2.2 - Privilege Escalation vulnerability

Unauthenticated Privilege Escalation in LoginPress Pro <= 6.2.2 versions.

Remote | Authentication
Jun 17, 2026 Jun 17, 2026
Jun 17, 2026
Jun 17, 2026
7.5 HIGH
CVE-2026-49057 — WordPress JobSearch plugin <= 3.2.7 - Broken Access Control vulnerability

Unauthenticated Broken Access Control in JobSearch <= 3.2.7 versions.

jobsearch_wp_job_board jobsearch | Remote | Authorization
Jun 17, 2026 Jun 17, 2026
Jun 17, 2026
Jun 17, 2026
8.5 HIGH
CVE-2026-48967 — WordPress Geo Mashup plugin <= 1.13.19 - SQL Injection vulnerability

Subscriber SQL Injection in Geo Mashup <= 1.13.19 versions.

geo_mashup | Remote | Injection
Jun 17, 2026 Jun 17, 2026
Jun 17, 2026
Jun 17, 2026
7.5 HIGH
CVE-2026-48929 — Rocket.Chat Unauthenticated File Deletion

Rocket.Chat in versions <8.5.1, <8.4.4, <8.3.6, <8.2.6, <8.1.6, <8.0.7, <7.13.9, and <7.10.13 is vulnerable to unauthenticated file deletion. The deleteFileMessage Meteor method permanently deletes a…

rocket.chat | Remote | Authentication
Jun 17, 2026 Jun 18, 2026
Jun 17, 2026
Jun 18, 2026
9.3 CRITICAL
CVE-2026-48875 — WordPress JetSmartFilters plugin <= 3.8.1 - SQL Injection vulnerability

Unauthenticated SQL Injection in JetSmartFilters <= 3.8.1 versions.

Remote | Injection
Jun 17, 2026 Jun 17, 2026
Jun 17, 2026
Jun 17, 2026
Showing 20 of 7983 Results