Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score | Vulnerability | Published
6.1 MEDIUM
CVE-2026-44587 — CarrierWave has a denylisted_content_type bypass via Unescaped Regex Metacharacters

CarrierWave is a framework to upload files from Ruby applications. In versions prior to 2.2.7 and 3.1.3, the content_type_denylist check fails to escape regex metacharacters in string entries, causin…

carrierwave | Remote | Cross-Site Scripting
Jun 17, 2026 Jun 18, 2026
8.8 HIGH
CVE-2026-42629 — WordPress PowerPack Pro for Elementor plugin < v2.13.0 - Broken Authentication vulnerabil…

Unauthenticated Broken Authentication in PowerPack Pro for Elementor < v2.13.0 versions.

powerpack_addons_for_elementor | Remote | Authentication
Jun 17, 2026 Jun 17, 2026
7.1 HIGH
CVE-2026-42385 — WordPress Profile Builder Pro plugin <= 3.15.0 - Cross Site Scripting (XSS) vulnerability

Unauthenticated Cross Site Scripting (XSS) in Profile Builder Pro <= 3.15.0 versions.

profile_builder | Remote | Cross-Site Scripting
Jun 17, 2026 Jun 17, 2026
9.8 CRITICAL
CVE-2026-42380 — WordPress AI Lab theme < 5.4.2 - PHP Object Injection vulnerability

Unauthenticated PHP Object Injection in AI Lab < 5.4.2 versions.

Remote | Injection
Jun 17, 2026 Jun 17, 2026
6.5 MEDIUM
CVE-2026-42357 — Apache DolphinScheduler: Incorrect Authorization vulnerability allows users to access wor…

Incorrect Authorization vulnerability allows users to access workflow instance information belonging to projects they do not have permission to access. This issue affects Apache DolphinScheduler ver…

dolphinscheduler | Remote | Authorization
Jun 17, 2026 Jun 17, 2026
7.1 HIGH
CVE-2026-41557 — WordPress Kapee theme < 1.7.1 - Cross Site Scripting (XSS) vulnerability

Unauthenticated Cross Site Scripting (XSS) in Kapee < 1.7.1 versions.

Remote | Cross-Site Scripting
Jun 17, 2026 Jun 17, 2026
4.9 MEDIUM
CVE-2026-41280 — Apache DolphinScheduler: Incorrect Authorization vulnerability allows users with system l…

Incorrect Authorization vulnerability allows users with system login privileges to delete task definitions in unauthorized projects. This issue affects Apache DolphinScheduler versions prior to 3.4.2…

dolphinscheduler | Remote | Authorization
Jun 17, 2026 Jun 17, 2026
9.9 CRITICAL
CVE-2026-40783 — WordPress Blocksy Companion Pro plugin <= 2.1.37 - Remote Code Execution (RCE) vulnerabil…

Contributor Remote Code Execution (RCE) in Blocksy Companion Pro <= 2.1.37 versions.

Remote | Injection
Jun 17, 2026 Jun 17, 2026
7.3 HIGH
CVE-2026-40768 — WordPress Salon booking system plugin <= 10.30.24 - Insecure Direct Object References (ID…

Unauthenticated Insecure Direct Object References (IDOR) in Salon booking system <= 10.30.24 versions.

salon_booking_system | Remote | Authorization
Jun 17, 2026 Jun 17, 2026
7.1 HIGH
CVE-2026-40765 — WordPress collectchat plugin <= 2.4.9 - Cross Site Scripting (XSS) vulnerability

Unauthenticated Cross Site Scripting (XSS) in collectchat <= 2.4.9 versions.

collect.chat | Remote | Cross-Site Scripting
Jun 17, 2026 Jun 17, 2026
8.1 HIGH
CVE-2026-40761 — WordPress Valeska theme <= 1.2.2 - PHP Object Injection vulnerability

Unauthenticated PHP Object Injection in Valeska <= 1.2.2 versions.

Remote | Injection
Jun 17, 2026 Jun 17, 2026
8.1 HIGH
CVE-2026-40760 — WordPress Behold theme <= 1.5 - PHP Object Injection vulnerability

Unauthenticated PHP Object Injection in Behold <= 1.5 versions.

Remote | Injection
Jun 17, 2026 Jun 17, 2026
8.1 HIGH
CVE-2026-40759 — WordPress Esmée theme <= 1.4 - PHP Object Injection vulnerability

Unauthenticated PHP Object Injection in Esmée <= 1.4 versions.

Remote | Injection
Jun 17, 2026 Jun 17, 2026
8.1 HIGH
CVE-2026-40758 — WordPress Léonie theme <= 1.2.1 - PHP Object Injection vulnerability

Unauthenticated PHP Object Injection in Léonie <= 1.2.1 versions.

Remote | Injection
Jun 17, 2026 Jun 17, 2026
8.1 HIGH
CVE-2026-40755 — WordPress TechLink theme <= 1.3 - PHP Object Injection vulnerability

Unauthenticated PHP Object Injection in TechLink <= 1.3 versions.

Remote | Injection
Jun 17, 2026 Jun 17, 2026
8.1 HIGH
CVE-2026-40754 — WordPress Roisin theme <= 1.4 - PHP Object Injection vulnerability

Unauthenticated PHP Object Injection in Roisin <= 1.4 versions.

Remote | Injection
Jun 17, 2026 Jun 17, 2026
8.1 HIGH
CVE-2026-40753 — WordPress EasyMeals theme <= 1.5.1 - PHP Object Injection vulnerability

Unauthenticated PHP Object Injection in EasyMeals <= 1.5.1 versions.

Remote | Injection
Jun 17, 2026 Jun 17, 2026
8.1 HIGH
CVE-2026-40751 — WordPress Ashtanga theme <= 1.2 - PHP Object Injection vulnerability

Unauthenticated PHP Object Injection in Ashtanga <= 1.2 versions.

Remote | Injection
Jun 17, 2026 Jun 17, 2026
9.9 CRITICAL
CVE-2026-40749 — WordPress Charity Zone theme <= 1.1.1 - Arbitrary File Upload vulnerability

Subscriber Arbitrary File Upload in Charity Zone <= 1.1.1 versions.

Remote | Misconfiguration
Jun 17, 2026 Jun 17, 2026
9.9 CRITICAL
CVE-2026-40748 — WordPress Kids Gift Shop theme <= 0.5.4 - Arbitrary File Upload vulnerability

Subscriber Arbitrary File Upload in Kids Gift Shop <= 0.5.4 versions.

Remote | Misconfiguration
Jun 17, 2026 Jun 17, 2026
Showing 20 of 8012 Results