Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score | Vulnerability | Published

[9.9 CRITICAL] CVE-2026-57331 — WordPress Paid Videochat Turnkey Site plugin <= 7.4.8 - Arbitrary File Deletion vulnerabi…
Performer Arbitrary File Deletion in Paid Videochat Turnkey Site <= 7.4.8 versions.
Remote | Path Traversal
Published: Jun 29, 2026 · Jun 29, 2026

[6.5 MEDIUM] CVE-2026-57330 — WordPress MasterStudy LMS plugin <= 3.7.27 - Cross Site Scripting (XSS) vulnerability
Subscriber Cross Site Scripting (XSS) in MasterStudy LMS <= 3.7.27 versions.
masterstudy_lms | Remote | Cross-Site Scripting
Published: Jun 29, 2026 · Jun 29, 2026

[6.5 MEDIUM] CVE-2026-57329 — WordPress WooCommerce Designer Pro plugin <= 1.9.34 - Cross Site Scripting (XSS) vulnerab…
Subscriber Cross Site Scripting (XSS) in WooCommerce Designer Pro <= 1.9.34 versions.
Remote | Cross-Site Scripting
Published: Jun 29, 2026 · Jul 01, 2026

[6.5 MEDIUM] CVE-2026-57328 — WordPress Business Directory plugin <= 6.4.22 - Cross Site Scripting (XSS) vulnerability
Subscriber Cross Site Scripting (XSS) in Business Directory <= 6.4.22 versions.
Remote | Cross-Site Scripting
Published: Jun 29, 2026 · Jun 29, 2026

[6.3 MEDIUM] CVE-2026-57327 — WordPress MainWP plugin <= 6.1.1 - Broken Access Control vulnerability
Subscriber Broken Access Control in MainWP <= 6.1.1 versions.
mainwp | Remote | Authorization
Published: Jun 29, 2026 · Jun 29, 2026

[6.5 MEDIUM] CVE-2026-57326 — WordPress Business Directory plugin <= 6.4.22 - Cross Site Scripting (XSS) vulnerability
Unauthenticated Cross Site Scripting (XSS) in Business Directory <= 6.4.22 versions.
Remote | Cross-Site Scripting
Published: Jun 29, 2026 · Jun 29, 2026

[7.1 HIGH] CVE-2026-57320 — WordPress BEAR plugin <= 1.1.8 - Cross Site Scripting (XSS) vulnerability
Unauthenticated Cross Site Scripting (XSS) in BEAR <= 1.1.8 versions.
Published: Jun 29, 2026 · Jun 29, 2026

[8.7 HIGH] CVE-2026-56124 — phpUploader < 2.0.2 Unauthenticated Database Exposure via index model
phpUploader before 2.0.2 contains an unauthenticated information disclosure vulnerability that allows remote attackers to access the full contents of the uploaded-files database table by visiting any…
Remote | Information Disclosure
Published: Jun 29, 2026 · Jun 29, 2026

[7.5 HIGH] CVE-2026-55844 — Home Assistant: iOS Companion App ignores internal SSID allowlist for connections – possi…
Home Assistant is open source home automation software that puts local control and privacy first. Prior to 2025.5.0, the iOS companion app ignores the SSID allowlist for internal networks. The app us…
home_assistant_companion | Remote | Misconfiguration
Published: Jun 29, 2026 · Jun 30, 2026

[8.8 HIGH] CVE-2026-55607 — Claude Code: Sandbox Escape via Git Worktree Path Confusion Allows Unsandboxed Code Execu…
Claude Code is an agentic coding tool. From 2.1.38 until 2.1.163, Claude Code's worktree handling allowed creation of worktrees named ".git" and navigation to worktrees outside the sandbox context, …
claude_code claude_desktop | Remote | Misconfiguration
Published: Jun 29, 2026 · Jun 30, 2026

[7.5 HIGH] CVE-2026-49049 — Joomla Extension - joomshaper.com - Unauthenticated access to Helix3 template ajax handler
The Helix3 plugin for Joomla exposes an ajax handler task that allows unauthenticated attackers to delete arbitrary files, write arbitrary JSON files and update template parameters.
helix3 | Remote | Authorization
Published: Jun 29, 2026 · Jun 30, 2026

[6.1 MEDIUM] CVE-2026-46406 — Claude Code: Insecure Temporary File in /copy Command Enables Response Disclosure and Sym…
Claude Code is an agentic coding tool. From 2.1.59 until 2.1.128, the Claude Code /copy command wrote responses to a hardcoded, predictable path (/tmp/claude/response.md) without UID isolation, rand…
claude_code claude_desktop | Information Disclosure
Published: Jun 29, 2026 · Jun 30, 2026

[6.5 MEDIUM] CVE-2026-13579 — itsourcecode Hospital Management System patientchangepassword.php sql injection
A weakness has been identified in itsourcecode Hospital Management System 1.0. Affected by this issue is some unknown functionality of the file /patientchangepassword.php. Executing a manipulation of…
hospital_management_system | Remote | Injection
Published: Jun 29, 2026 · Jun 29, 2026

[5.5 MEDIUM] CVE-2026-13571 — SourceCodester Simple Food Ordering System cart.php logic error
A flaw has been found in SourceCodester Simple Food Ordering System 1.0. The affected element is an unknown function of the file /cart.php. Executing a manipulation of the argument item_price can lea…
simple_food_ordering_system | Remote | Misconfiguration
Published: Jun 29, 2026 · Jun 29, 2026

[10.0 CRITICAL] CVE-2026-56290 — Joomla Extension - joomlack.fr - Unauthenticated file upload in Page Builder CK extension…
The Joomla extension Page Builder CK is vulnerable to an unauthenticated arbitrary file upload that allows uploading executable files and leads to full RCE.
Remote | Authentication
Published: Jun 29, 2026 · Jun 29, 2026

[6.5 MEDIUM] CVE-2026-13578 — itsourcecode Hospital Management System patientdetail.php sql injection
A security flaw has been discovered in itsourcecode Hospital Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /patientdetail.php. Performing a manipulatio…
hospital_management_system | Remote | Injection
Published: Jun 29, 2026 · Jun 29, 2026

[8.4 HIGH] CVE-2026-54371 — attr < 2.6.0 Symlink Traversal Privilege Escalation via getfattr/setfattr
attr before version 2.6.0 contains a symlink traversal vulnerability in the getfattr and setfattr utilities that allows local attackers to escalate privileges by replacing a pathname component with a…
Path Traversal
Published: Jun 29, 2026 · Jun 30, 2026

[7.2 HIGH] CVE-2026-54370 — acl < 2.4.0 TOCTOU Symlink Traversal via getfacl/setfacl/chacl
acl before version 2.4.0 contains a time-of-check to time-of-use (TOCTOU) race condition vulnerability that allows local attackers to escalate privileges by replacing a pathname component with a symb…
Race Condition
Published: Jun 29, 2026 · Jun 29, 2026

[8.4 HIGH] CVE-2026-54369 — acl < 2.4.0 Symlink Traversal Privilege Escalation via libacl Functions
acl before version 2.4.0 contains a symlink traversal vulnerability in the libacl pathname-based functions acl_get_file(), acl_set_file(), acl_extended_file(), and acl_delete_def_file() that allows l…
Path Traversal
Published: Jun 29, 2026 · Jul 02, 2026

[8.1 HIGH] CVE-2026-40524 — FrontAccounting < 2.4.20 SQL Injection via get_gl_transactions()
FrontAccounting before 2.4.20 contains a SQL injection vulnerability in the get_gl_transactions() function where the filter_type parameter is concatenated directly into a SQL IN() clause without para…
frontaccounting | Remote | Injection
Published: Jun 29, 2026 · Jul 01, 2026
Showing 20 of 7990 Results