Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
4.8 MEDIUM
CVE-2026-1433 — uniFLOW Universal Login Manager (ULM) Standalone Improper Protection of Sensitive Informa…

uniFLOW Universal Login Manager (ULM) Standalone contains an information disclosure vulnerability that may allow an authenticated administrator to access sensitive configuration information through t…

| Information Disclosure
Jul 06, 2026 Jul 06, 2026
Jul 06, 2026
Jul 06, 2026
8.7 HIGH
CVE-2026-14809 — PROG MIS|Prog Management System - SQL Injection

Prog Management System developed by PROG MIS has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read database contents.

Remote | Injection
Jul 06, 2026 Jul 06, 2026
Jul 06, 2026
Jul 06, 2026
9.1 CRITICAL
CVE-2026-6382 — Multiple elFinder Plugins - Authenticated OS Command Injection

The FileOrganizer WordPress plugin before 1.1.9, Advanced File Manager WordPress plugin before 5.4.12, File Manager Pro WordPress plugin before 2.1.1, File Manager WordPress plugin before 8.0.4 do…

Remote | Injection
Jul 06, 2026 Jul 06, 2026
Jul 06, 2026
Jul 06, 2026
9.8 CRITICAL
CVE-2026-14808 — PROG MIS|Prog Management System - Exposure of Sensitive Information

Prog Management System developed by PROG MIS has a Exposure of Sensitive Information vulnerability, allowing unauthenticated remote attackers to view a specific page and obtain the database acc…

Remote | Information Disclosure
Jul 06, 2026 Jul 06, 2026
Jul 06, 2026
Jul 06, 2026
9.8 CRITICAL
CVE-2026-14807 — PROG MIS|ERP App - Use of Hard-coded Credentials

ERP App developed by PROG MIS has a Use of Hard-coded Credentials vulnerability, allowing unauthenticated remote attackers to log in to view application code and obtain the database account and passw…

Remote | Authentication
Jul 06, 2026 Jul 06, 2026
Jul 06, 2026
Jul 06, 2026
7.5 HIGH
CVE-2026-14802 — react create-react-app react-dev-utils openBrowser.js startBrowserProcess os command inje…

A vulnerability was detected in react create-react-app up to 5.0.1 on macOS. This affects the function startBrowserProcess of the file openBrowser.js of the component react-dev-utils. Performing a ma…

Remote | Injection
Jul 06, 2026 Jul 06, 2026
Jul 06, 2026
Jul 06, 2026
4.8 MEDIUM
CVE-2026-14801 — GPAC TeXML File load_text.c txtin_probe_duration divide by zero

A security vulnerability has been detected in GPAC 26.03-DEV-rev342-g80071f700-master. The impacted element is the function txtin_probe_duration of the file src/filters/load_text.c of the component T…

| Denial of Service
Jul 06, 2026 Jul 06, 2026
Jul 06, 2026
Jul 06, 2026
5.0 MEDIUM
CVE-2026-14800 — imhamzaazam ecommerceFlask cross-site request forgery

A weakness has been identified in imhamzaazam ecommerceFlask up to cb7d9e24c30a99379651b7493b32048126ef402b. The affected element is an unknown function. This manipulation causes cross-site request f…

Remote | Cross-Site Request Forgery
Jul 06, 2026 Jul 06, 2026
Jul 06, 2026
Jul 06, 2026
8.1 HIGH
CVE-2026-12083 — Admin and Site Enhancements < 8.8.4 - Unauthenticated Administrator-Role Restoration via …

The Admin and Site Enhancements (ASE) WordPress plugin before 8.8.4, admin-site-enhancements-pro WordPress plugin before 8.8.4 does not perform authentication, authorization, or nonce checks on a rol…

Remote | Authorization
Jul 06, 2026 Jul 06, 2026
Jul 06, 2026
Jul 06, 2026
8.8 HIGH
CVE-2026-11962 — FileOrganizer < 1.2.0 - Authenticated Arbitrary File Upload via elFinder File Operations

The FileOrganizer WordPress plugin before 1.2.0 does not validate the file type on several of its file-management operations, allowing authenticated users who have been granted file-manager access —…

Remote | Authentication
Jul 06, 2026 Jul 06, 2026
Jul 06, 2026
Jul 06, 2026
8.8 HIGH
CVE-2026-11855 — Simple Membership < 4.7.5 - Unauthenticated Stored XSS via Stripe Webhook API Version

The Simple Membership WordPress plugin before 4.7.5 does not verify the authenticity of Stripe webhook requests when no signing secret is configured, nor escape a value taken from them before outputt…

Remote | Cross-Site Scripting
Jul 06, 2026 Jul 06, 2026
Jul 06, 2026
Jul 06, 2026
8.0 HIGH
CVE-2026-11766 — Ultimate Member < 2.12.0 - Subscriber+ Stored XSS via Custom Textarea Profile Fields

The Ultimate Member WordPress plugin before 2.12.0 does not properly sanitise and escape the value of custom textarea profile fields before outputting it on user profiles, allowing authenticated use…

Remote | Cross-Site Scripting
Jul 06, 2026 Jul 06, 2026
Jul 06, 2026
Jul 06, 2026
8.8 HIGH
CVE-2026-10830 — AllCoach < 1.0.2 - Unauthenticated Account Takeover

The AllCoach WordPress plugin before 1.0.2 does not verify that an email address submitted to a public account-registration endpoint is not already associated with an existing user before overwritin…

Remote | Authentication
Jul 06, 2026 Jul 06, 2026
Jul 06, 2026
Jul 06, 2026
7.5 HIGH
CVE-2024-6228 — WANotifier < 2.6 - Subscriber+ LFI

The Notifications for Forms & WordPress Actions WordPress plugin before 2.6 does not validate a user-supplied value before using it to build a server-side file inclusion path, allowing authenticated …

Remote | Path Traversal
Jul 06, 2026 Jul 06, 2026
Jul 06, 2026
Jul 06, 2026
6.5 MEDIUM
CVE-2026-14799 — CodeAstro Ecommerce Website my_account.php sql injection

A security flaw has been discovered in CodeAstro Ecommerce Website 1.0. Impacted is an unknown function of the file /customer/my_account.php?my_wishlist. The manipulation of the argument delete_wishl…

ecommerce_website | Remote | Injection
Jul 06, 2026 Jul 06, 2026
Jul 06, 2026
Jul 06, 2026
6.5 MEDIUM
CVE-2026-14798 — CodeAstro Apartment Visitor Management System visitor-entry.php sql injection

A vulnerability was identified in CodeAstro Apartment Visitor Management System 1.0. This issue affects some unknown processing of the file /apartment-visitor/visitor-entry.php. The manipulation of t…

Remote | Injection
Jul 06, 2026 Jul 06, 2026
Jul 06, 2026
Jul 06, 2026
6.5 MEDIUM
CVE-2026-14797 — CodeAstro Apartment Visitor Management System edit-apartment.php sql injection

A vulnerability was determined in CodeAstro Apartment Visitor Management System 1.0. This vulnerability affects unknown code of the file /apartment-visitor/edit-apartment.php. Executing a manipulatio…

Remote | Injection
Jul 06, 2026 Jul 06, 2026
Jul 06, 2026
Jul 06, 2026
6.5 MEDIUM
CVE-2026-14796 — CodeAstro Apartment Visitor Management System report.php sql injection

A vulnerability was found in CodeAstro Apartment Visitor Management System 1.0. This affects an unknown part of the file /apartment-visitor/report.php. Performing a manipulation of the argument fromd…

Remote | Injection
Jul 06, 2026 Jul 06, 2026
Jul 06, 2026
Jul 06, 2026
6.5 MEDIUM
CVE-2026-14795 — CodeAstro Apartment Visitor Management System action-visitor.php sql injection

A vulnerability has been found in CodeAstro Apartment Visitor Management System 1.0. Affected by this issue is some unknown functionality of the file /apartment-visitor/action-visitor.php. Such manip…

Remote | Injection
Jul 06, 2026 Jul 06, 2026
Jul 06, 2026
Jul 06, 2026
5.3 MEDIUM
CVE-2026-14794 — Craft CMS Charts Endpoint ChartsController.php actionGetNewUsersData improper authorizati…

A flaw has been found in Craft CMS up to 4.18.0.1. Affected by this vulnerability is the function actionGetNewUsersData of the file src/controllers/ChartsController.php of the component Charts Endpoi…

Remote | Authorization
Jul 06, 2026 Jul 06, 2026
Jul 06, 2026
Jul 06, 2026
Showing 20 of 7451 Results