Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score | Vulnerability | Published
7.5 HIGH
CVE-2026-14181 — @fastify/middie standalone engine vulnerable to Denial of Service via malformed percent-e…

@fastify/middie versions 9.1.0 through 9.3.2 fail to guard the URL normalization step used by the standalone engine when incoming request paths contain malformed percent-encoded sequences. Inputs suc…

Denial of Service
Published: Jul 01, 2026
9.1 CRITICAL
CVE-2026-14198 — @fastify/middie vulnerable to authorization bypass via encoded slash in path parameter va…

@fastify/middie versions 9.1.0 through 9.3.2 decode the encoded slash %2F inside path parameter values before matching middleware paths, while Fastify's underlying router preserves the encoding durin…

Authorization
Published: Jul 01, 2026
4.1 MEDIUM
CVE-2026-13323 — Open VSX Registry Uncontrolled Resource Consumption

In Open VSX Registry before 1.0.2, the /vscode/unpkg/ endpoint serves user-supplied HTML files with Content-Type: text/html and without a Content-Security-Policy or Content-Disposition: attachment re…

open_vsx | Remote | Cross-Site Scripting
Published: Jul 01, 2026
7.2 HIGH
CVE-2026-12142 — NEX-Forms <= 9.2.2 - Unauthenticated Stored Cross-Site Scripting via '_name[]' Array Para…

The NEX-Forms – Ultimate Forms Plugin for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via '_name[]' Array Parameter in all versions up to, and including, 9.2.2 due to …

Remote | Cross-Site Scripting
Published: Jul 01, 2026
8.8 HIGH
CVE-2026-13228 — LatePoint <= 5.6.3 - Authenticated (Custom+) Privilege Escalation to Administrator via 'o…

The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Privilege Escalation to Administrator in versions up to, and including, 5.6.3. This is due to …

Remote | Authorization
Published: Jul 01, 2026
6.4 MEDIUM
CVE-2026-10095 — WP Photo Album Plus <= 9.1.13.005 - Authenticated (Contributor+) Stored Cross-Site Script…

The WP Photo Album Plus plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'subtext' parameter in all versions up to, and including, 9.1.13.005 due to insufficient input saniti…

Remote | Cross-Site Scripting
Published: Jul 01, 2026
6.5 MEDIUM
CVE-2026-14258 — Dhcpcd: dhcpcd infinite loop and out-of-bounds read via zero-length ipv6 nd option in rou…

A flaw was found in dhcpcd's IPv6 Neighbor Discovery Router Advertisement processing. A specially crafted IPv6 Router Advertisement containing a zero-length Neighbor Discovery option can bypass valid…

enterprise_linux | Denial of Service
Published: Jul 01, 2026
5.3 MEDIUM
CVE-2026-27435 — WordPress Woffice theme < 5.4.33 - Broken Access Control vulnerability

Missing Authorization vulnerability in WofficeIO Woffice allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Woffice: from n/a before 5.4.33.

Remote | Authorization
Published: Jul 01, 2026
6.1 MEDIUM
CVE-2026-12754 — VikBooking Hotel Booking Engine & PMS <= 1.8.12 - Reflected Cross-Site Scripting via 'lay…

The VikBooking Hotel Booking Engine & PMS plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'layoutstyle' parameter in all versions up to, and including, 1.8.12 due to insu…

Remote | Cross-Site Scripting
Published: Jul 01, 2026
6.5 MEDIUM
CVE-2026-13454 — MotoPress Appointment Booking <= 2.4.5 - Authenticated (Staff+) SQL Injection via 's' Par…

The MotoPress Appointment Booking plugin for WordPress is vulnerable to generic SQL Injection via the 's' parameter in all versions up to, and including, 2.4.5 due to insufficient escaping on the use…

Remote | Injection
Published: Jul 01, 2026
8.9 HIGH
CVE-2026-10538 — Improper deserialization handling in Control-M Components

Messaging consumer functionality allows deserialization of user-controlled data without sufficient restriction of allowed object types in the out of support Control-M/Server and Control-M/Enterprise …

control-m/server | Remote | Misconfiguration
Published: Jul 01, 2026
9.5 CRITICAL
CVE-2026-10539 — Unauthenticated command injection in Control-M/Server communication command

A Control-M/Server communication command does not sufficiently filter or sanitize user-supplied input. Under certain conditions, this issue may allow an unauthenticated attacker to execute unauthoriz…

control-m/server | Remote | Injection
Published: Jul 01, 2026
8.8 HIGH
CVE-2026-12158 — RegistrationMagic <= 6.0.9.1 - Cross-Site Request Forgery to Privilege Escalation via 'rm…

The RegistrationMagic – User Registration Forms Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.0.9.1. This is due to missing or incorr…

registrationmagic | Remote | Cross-Site Request Forgery
Published: Jul 01, 2026
6.4 MEDIUM
CVE-2026-13733 — Download Manager <= 3.3.60 - Authenticated (Contributor+) Stored Cross-Site Scripting via…

The Download Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'no_data_msg' Shortcode Attribute in all versions up to, and including, 3.3.60 due to insufficient input san…

download_manager | Remote | Cross-Site Scripting
Published: Jul 01, 2026
9.8 CRITICAL
CVE-2026-11387 — SMS Alert <= 3.9.5 - Unauthenticated Privilege Escalation via Arbitrary Password Reset

The SMS Alert – SMS & OTP for WooCommerce, Order Notifications & Abandoned Cart Recovery plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and inc…

sms_alert_order_notifications | Remote | Authentication
Published: Jul 01, 2026
4.3 MEDIUM
CVE-2026-12408 — Slim SEO <= 4.9.8 - Authenticated (Contributor+) Insufficient Authorization to Private Co…

The Slim SEO – A Fast & Automated SEO Plugin For WordPress plugin for WordPress is vulnerable to Unauthorized Private Content Disclosure in all versions up to, and including, 4.9.8 via the `/wp-json/…

Remote | Authorization
Published: Jul 01, 2026
4.3 MEDIUM
CVE-2026-10096 — Qi Blocks <= 1.4.9 - Insecure Direct Object Reference to Authenticated (Author+) Arbitrar…

The Qi Blocks plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.4.9 via the 'page_id' parameter due to missing validation on a user contro…

qi_blocks | Remote | Authorization
Published: Jul 01, 2026
4.3 MEDIUM
CVE-2026-12435 — Motors <= 1.4.111 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Post M…

The Motors – Car Dealership & Classified Listings Plugin plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.4.111. This is due to the plugin not proper…

Published: Jul 01, 2026
6.4 MEDIUM
CVE-2026-12732 — LearnPress <= 4.4.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'class…

The LearnPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'class_wrapper_form' shortcode attribute in versions up to, and including, 4.4.0. This is due to insufficient …

learnpress | Remote | Cross-Site Scripting
Published: Jul 01, 2026
5.6 MEDIUM
CVE-2026-10540 — Weak password hash protection in Control-M/Enterprise Manager

The Control-M/Enterprise Manager uses weak protections for stored hashes of account passwords, potentially allowing offline password recovery attacks if credential data is obtained by an attacker. Th…

Cryptography
Published: Jul 01, 2026
Showing 20 of 8023 Results