Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
0.0 NA
CVE-2026-9677 — Shariff for WordPress <= 1.0.11 - Admin+ Stored Cross-Site Scripting

The Shariff for WordPress plugin through 1.0.11 does not sanitize or escape the shariff_infourl setting before outputting it in the frontend HTML via the generateshariff() funct…

Cross-Site Scripting
Jun 27, 2026
0.0 NA
CVE-2026-10820 — ProfilePress < 4.16.17 - Subscriber+ Subscription Cancellation via IDOR

The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content WordPress plugin before 4.16.17 does not verify that the user performing a subscription act…

Authorization
Jun 27, 2026
0.0 NA
CVE-2026-12404 — NEX-Forms <= 9.2.2 - Missing Authorization to Unauthenticated Sensitive Information Discl…

The NEX-Forms – Ultimate Forms Plugin for WordPress plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 9.2.2. This is due to the plugin not properly veri…

Authorization
Jun 27, 2026
0.0 NA
CVE-2026-13245 — MaxButtons <= 9.8.5 - Reflected Cross-Site Scripting via 'view' Parameter

The MaxButtons – Create buttons plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'view' parameter in all versions up to, and including, 9.8.5 due to insufficient input san…

Cross-Site Scripting
Jun 27, 2026
9.8 CRITICAL
CVE-2026-12415 — Invoice Generator <= 1.0.0 - Unauthenticated Privilege Escalation via Account Takeover vi…

The Invoice Generator plugin for WordPress is vulnerable to privilege escalation due to a missing capability check on the pravel_invoice_edit_account() AJAX action in versions up to, and including, 1…

Remote | Authorization
Jun 27, 2026
5.5 MEDIUM
CVE-2025-59868 — HCL Traveler for Microsoft Outlook (HTMO) is susceptible to sensitive data exposure

HCL Traveler for Microsoft Outlook (HTMO) is susceptible to a sensitive data exposure vulnerability which could allow an attacker to exploit application information to then attempt additional attacks…

Information Disclosure
Jun 27, 2026
4.3 MEDIUM
CVE-2026-13422 — HD Quiz 2.2.0 - 2.2.1 - Cross-Site Request Forgery via Multiple AJAX Handlers

The HD Quiz plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions 2.2.0 to 2.2.1. This is due to missing or incorrect nonce validation on the hdq_validate_nonce function. This …

hd_quiz | Remote | Cross-Site Request Forgery
Jun 27, 2026
4.4 MEDIUM
CVE-2026-11356 — Ivory Search <= 5.5.15 - Authenticated (Administrator+) Stored Cross-Site Scripting via '…

The Ivory Search – WordPress Search Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'menu_title' and 'menu_magnifier_color' Settings in all versions up to, and including,…

Remote | Cross-Site Scripting
Jun 27, 2026
6.5 MEDIUM
CVE-2026-13333 — Groundhogg <= 4.5.5 - Authenticated (Sales Rep+) SQL Injection via 'query[select]' Parame…

The Groundhogg — CRM, Newsletters, and Marketing Automation plugin for WordPress is vulnerable to generic SQL Injection via 'query[select]' Parameter in all versions up to, and including, 4.5.5 due t…

Remote | Injection
Jun 27, 2026
6.4 MEDIUM
CVE-2026-13335 — CodePeople Post Map for Google Maps <= 1.2.6 - Authenticated (Contributor +) Stored Cross…

The CodePeople Post Map for Google Maps plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'cpm_point' Post Meta in all versions up to, and including, 1.2.6 due to insufficient inp…

Remote | Cross-Site Scripting
Jun 27, 2026
6.5 MEDIUM
CVE-2026-13331 — Groundhogg <= 4.5.5 - Authenticated (Marketer+) SQL Injection via 'search' Parameter

The Groundhogg — CRM, Newsletters, and Marketing Automation plugin for WordPress is vulnerable to generic SQL Injection via the 'search' parameter in all versions up to, and including, 4.5.5 due to i…

Remote | Injection
Jun 27, 2026
7.7 HIGH
CVE-2023-37524 — HCL Traveler for Microsoft Outlook (HTMO) is susceptible to vulnerabilities due to .NET F…

HCL Traveler for Microsoft Outlook (HTMO) is susceptible to vulnerabilities due to .NET Framework 4.5 being out of service. Since .NET Framework 4.5 has reached end-of-life and no longer receives se…

Misconfiguration
Jun 27, 2026
8.6 HIGH
CVE-2026-56414 — H.VIEW HV-500S6 IP Camera Unrestricted Upload of File with Dangerous Type

A vulnerability exists in H.View IP cameras: certificate-related upload interfaces allow authenticated users to store arbitrary file content to fixed, persistent filesystem locations without validatin…

Remote | Misconfiguration
Jun 26, 2026
8.6 HIGH
CVE-2026-55975 — H.VIEW HV-500S6 IP Camera OS Command Injection

A vulnerability exists in H.View IP cameras that could allow an authenticated user to supply unsanitized XML fields to the device's certificate generation interface, which are incorporated into a bac…

Remote | XML External Entity
Jun 26, 2026
9.3 CRITICAL
CVE-2026-31928 — Daktronics Controller Firmware Use of Hard-coded Credentials

The DMP-5000 devices are shipped with a default administrative web account with weak authentication controls, which are not required to be changed during initial configuration or operation. Using the…

Remote | Authentication
Jun 26, 2026
8.4 HIGH
CVE-2026-33560 — Daktronics Controller Firmware Unrestricted Upload of File with Dangerous Type

The DMP-5000 file service exposes authenticated arbitrary file upload functionality. There are exposed endpoints which allow authenticated users to upload files of any type without validation. No fi…

Remote | Authentication
Jun 26, 2026
9.8 CRITICAL
CVE-2026-28701 — Daktronics Controller Firmware Path Traversal

Various versions of Daktronics Controller Firmware could allow authenticated and unauthenticated remote users to escape the intended directory and enumerate arbitrary file system paths.

Remote | Path Traversal
Jun 26, 2026
10.0 CRITICAL
CVE-2026-49869 — Kestra: Unauthenticated Remote Code Execution via Authentication Bypass in `Authenticatio…

Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.45 and 1.3.21, AuthenticationFilter in Kestra OSS uses request.getPath().endsWith("/configs") to whitelist the public confi…

Remote | Authentication
Jun 26, 2026
7.7 HIGH
CVE-2026-45807 — Kestra: Path traversal via URL-encoded "%2E%2E" in execution and namespace file endpoints…

Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.43 and 1.3.19, several Kestra API endpoints accept a kestra:// URI from the client and pass it through StorageInterface.par…

Remote | Path Traversal
Jun 26, 2026
7.7 HIGH
CVE-2026-49984 — Kestra: Path traversal in `LocalStorage` allows any authenticated user to read arbitrary …

Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.45 and 1.3.23, the local internal-storage backend validates user-supplied paths for .. traversal before it converts Windows…

Remote | Path Traversal
Jun 26, 2026
Showing 20 of 7882 Results