Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
CVE Intelligence

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

All Critical Actively Exploited Remotely Exploitable
Last Updated Published CVSS Score
Score
Vulnerability
Published
4.8 MEDIUM
CVE-2026-5834 — code-projects Online Shoe Store admin_running.php cross site scripting

A vulnerability was detected in code-projects Online Shoe Store 1.0. Affected is an unknown function of the file /admin/admin_running.php. Performing a manipulation of the argument product_name resul…

Remote | Cross-Site Scripting
Apr 09, 2026 Apr 09, 2026
Apr 09, 2026
Apr 09, 2026
5.3 MEDIUM
CVE-2026-5833 — awwaiid mcp-server-taskwarrior index.ts server.setRequestHandler command injection

A security vulnerability has been detected in awwaiid mcp-server-taskwarrior up to 1.0.1. This impacts the function server.setRequestHandler of the file index.ts. Such manipulation of the argument Id…

| Injection
Apr 09, 2026 Apr 09, 2026
Apr 09, 2026
Apr 09, 2026
6.4 MEDIUM
CVE-2026-5357 — Download Manager <= 3.3.52 - Authenticated (Contributor+) Stored Cross-Site Scripting via…

The Download Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'sid' parameter of the 'wpdm_members' shortcode in versions up to and including 3.3.52. This is due to i…

Remote | Cross-Site Scripting
Apr 09, 2026 Apr 09, 2026
Apr 09, 2026
Apr 09, 2026
6.4 MEDIUM
CVE-2026-4429 — OSM <= 6.1.15 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'marker_name…

The OSM – OpenStreetMap plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'marker_name' and 'file_color_list' shortcode attribute of the [osm_map_v3] shortcode in all versions…

Remote | Cross-Site Scripting
Apr 09, 2026 Apr 09, 2026
Apr 09, 2026
Apr 09, 2026
5.4 MEDIUM
CVE-2026-4124 — Ziggeo <= 3.1.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Modifica…

The Ziggeo plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.1.1. The wp_ajax_ziggeo_ajax handler only verifies a nonce (check_ajax_referer) but per…

Remote | Authorization
Apr 09, 2026 Apr 09, 2026
Apr 09, 2026
Apr 09, 2026
4.4 MEDIUM
CVE-2026-3574 — Experto Dashboard for WooCommerce <= 1.0.4 - Authenticated (Administrator+) Stored Cross-…

The Experto Dashboard for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's settings fields (including 'Navigation Font Size', 'Navigation Font Weight', '…

Remote | Cross-Site Scripting
Apr 09, 2026 Apr 09, 2026
Apr 09, 2026
Apr 09, 2026
4.3 MEDIUM
CVE-2026-3568 — MStore API <= 4.18.3 - Authenticated (Subscriber+) Insecure Direct Object Reference to Ar…

The MStore API plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.18.3. This is due to the update_user_profile() function in controllers/f…

Remote | Authorization
Apr 09, 2026 Apr 09, 2026
Apr 09, 2026
Apr 09, 2026
7.5 HIGH
CVE-2026-5832 — atototo api-lab-mcp HTTP http-server.ts test_http_endpoint server-side request forgery

A weakness has been identified in atototo api-lab-mcp up to 0.2.1. This affects the function analyze_api_spec/generate_test_scenarios/test_http_endpoint of the file src/mcp/http-server.ts of the comp…

Remote | Server-Side Request Forgery
Apr 09, 2026 Apr 09, 2026
Apr 09, 2026
Apr 09, 2026
6.5 MEDIUM
CVE-2026-5831 — Agions taskflow-ai terminal_execute handlers.ts os command injection

A security flaw has been discovered in Agions taskflow-ai up to 2.1.8. This impacts an unknown function of the file src/mcp/server/handlers.ts of the component terminal_execute. Performing a manipula…

Remote | Injection
Apr 09, 2026 Apr 09, 2026
Apr 09, 2026
Apr 09, 2026
9.0 HIGH
CVE-2026-5830 — Tenda AC15 SysToolChangePwd websGetVar stack-based overflow

A vulnerability was identified in Tenda AC15 15.03.05.18. This affects the function websGetVar of the file /goform/SysToolChangePwd. Such manipulation of the argument oldPwd/newPwd/cfmPwd leads to st…

Remote | Memory Corruption
Apr 09, 2026 Apr 09, 2026
Apr 09, 2026
Apr 09, 2026
7.5 HIGH
CVE-2026-5829 — code-projects Simple IT Discussion Forum content.php sql injection

A vulnerability was determined in code-projects Simple IT Discussion Forum 1.0. The impacted element is an unknown function of the file /pages/content.php. This manipulation of the argument post_id c…

Remote | Injection
Apr 09, 2026 Apr 09, 2026
Apr 09, 2026
Apr 09, 2026
7.5 HIGH
CVE-2026-5828 — code-projects Simple IT Discussion Forum addcomment.php sql injection

A vulnerability was found in code-projects Simple IT Discussion Forum 1.0. The affected element is an unknown function of the file /functions/addcomment.php. The manipulation of the argument postid r…

Remote | Injection
Apr 09, 2026 Apr 09, 2026
Apr 09, 2026
Apr 09, 2026
8.8 HIGH
CVE-2026-4326 — Vertex Addons for Elementor <= 1.6.4 - Missing Authorization to Authenticated (Subscriber…

The Vertex Addons for Elementor plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 1.6.4. This is due to improper authorization enforcement in the activat…

Remote | Authorization
Apr 09, 2026 Apr 09, 2026
Apr 09, 2026
Apr 09, 2026
7.5 HIGH
CVE-2026-5827 — code-projects Simple IT Discussion Forum question-function.php sql injection

A vulnerability has been found in code-projects Simple IT Discussion Forum 1.0. Impacted is an unknown function of the file /question-function.php. The manipulation of the argument content leads to s…

Remote | Injection
Apr 09, 2026 Apr 09, 2026
Apr 09, 2026
Apr 09, 2026
5.3 MEDIUM
CVE-2026-5826 — code-projects Simple IT Discussion Forum edit-category.php cross site scripting

A flaw has been found in code-projects Simple IT Discussion Forum 1.0. This issue affects some unknown processing of the file /edit-category.php. Executing a manipulation of the argument Category can…

Remote | Cross-Site Scripting
Apr 09, 2026 Apr 09, 2026
Apr 09, 2026
Apr 09, 2026
5.3 MEDIUM
CVE-2026-5825 — code-projects Simple Laundry System delmemberinfo.php cross site scripting

A vulnerability was detected in code-projects Simple Laundry System 1.0. This vulnerability affects unknown code of the file /delmemberinfo.php. Performing a manipulation of the argument userid resul…

simple_laundry_system | Remote | Cross-Site Scripting
Apr 09, 2026 Apr 09, 2026
Apr 09, 2026
Apr 09, 2026
7.5 HIGH
CVE-2026-5824 — code-projects Simple Laundry System userchecklogin.php sql injection

A security vulnerability has been detected in code-projects Simple Laundry System 1.0. This affects an unknown part of the file /userchecklogin.php. Such manipulation of the argument userid leads to …

simple_laundry_system | Remote | Injection
Apr 09, 2026 Apr 09, 2026
Apr 09, 2026
Apr 09, 2026
6.5 MEDIUM
CVE-2026-5823 — itsourcecode Construction Management System borrowed_tool_report.php sql injection

A weakness has been identified in itsourcecode Construction Management System 1.0. Affected by this issue is some unknown functionality of the file /borrowed_tool_report.php. This manipulation of the…

Remote | Injection
Apr 09, 2026 Apr 09, 2026
Apr 09, 2026
Apr 09, 2026
9.0 HIGH
CVE-2026-5815 — D-Link DIR-645 hedwig.cgi hedwigcgi_main stack-based overflow

A vulnerability was detected in D-Link DIR-645 1.01/1.02/1.03. Impacted is the function hedwigcgi_main of the file /cgi-bin/hedwig.cgi. The manipulation results in stack-based buffer overflow. The at…

dir-645_firmware | Remote | Memory Corruption
Apr 09, 2026 Apr 09, 2026
Apr 09, 2026
Apr 09, 2026
7.5 HIGH
CVE-2026-5814 — PHPGurukul Online Course Registration check_availability.php sql injection

A security vulnerability has been detected in PHPGurukul Online Course Registration 3.1. This issue affects some unknown processing of the file /admin/check_availability.php. The manipulation of the …

online_course_registration | Remote | Injection
Apr 09, 2026 Apr 09, 2026
Apr 09, 2026
Apr 09, 2026
Showing 20 of 6606 Results