Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
CVE Intelligence

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

All Critical Actively Exploited Remotely Exploitable
Last Updated Published CVSS Score
Score
Vulnerability
Published
4.3 MEDIUM
CVE-2026-3903 — Modular Connector <= 2.5.1 - Cross-Site Request Forgery via postConfirmOauth

The Modular DS: Monitor, update, and backup multiple websites plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.5.1. This is due to missing nonc…

Remote | Cross-Site Request Forgery
Mar 11, 2026 Mar 11, 2026
Mar 11, 2026
Mar 11, 2026
6.4 MEDIUM
CVE-2026-2918 — Happy Addons for Elementor <= 3.21.0 - Insecure Direct Object Reference to Authenticated …

The Happy Addons for Elementor plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.21.0 via the `ha_condition_update` AJAX action. This is d…

happy_addons_for_elementor | Remote | Authorization
Mar 11, 2026 Mar 11, 2026
Mar 11, 2026
Mar 11, 2026
5.4 MEDIUM
CVE-2026-2917 — Happy Addons for Elementor <= 3.21.0 - Insecure Direct Object Reference to Authenticated …

The Happy Addons for Elementor plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.21.0 via the `ha_duplicate_thing` admin action handler. T…

happy_addons_for_elementor | Remote | Authorization
Mar 11, 2026 Mar 11, 2026
Mar 11, 2026
Mar 11, 2026
7.5 HIGH
CVE-2026-1708 — Appointment Booking Calendar <= 1.6.9.27 - Unauthenticated SQL Injection via 'append_wher…

The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to blind SQL Injection in all versions up to, and including, 1.6.9.27. This is due to…

simply_schedule_appointments | Remote | Injection
Mar 11, 2026 Mar 11, 2026
Mar 11, 2026
Mar 11, 2026
7.8 HIGH
CVE-2024-14026 — QTS, QuTS hero

A command injection vulnerability has been reported to affect several QNAP operating system versions. If an attacker gains local network access who have also gained a user account, they can then expl…

quts_hero qts | Injection
Mar 11, 2026 Mar 12, 2026
Mar 11, 2026
Mar 12, 2026
6.7 MEDIUM
CVE-2024-14025 — Video Station

An SQL injection vulnerability has been reported to affect Video Station. If an attacker gains local network access who have also gained an administrator account, they can then exploit the vulnerabil…

video_station | Injection
Mar 11, 2026 Mar 13, 2026
Mar 11, 2026
Mar 13, 2026
6.7 MEDIUM
CVE-2024-14024 — Video Station

An improper certificate validation vulnerability has been reported to affect Video Station. If an attacker gains local network access who have also gained an administrator account, they can then expl…

video_station | Misconfiguration
Mar 11, 2026 Mar 13, 2026
Mar 11, 2026
Mar 13, 2026
9.8 CRITICAL
CVE-2026-3826 — WellChoose|IFTOP - Local File Inclusion

IFTOP developed by WellChoose has a Local File Inclusion vulnerability, allowing unauthenticated remote attackers to execute arbitrary code on the server.

organization_portal_system | Remote | Path Traversal
Mar 11, 2026 Mar 17, 2026
Mar 11, 2026
Mar 17, 2026
6.1 MEDIUM
CVE-2026-3825 — WellChoose|IFTOP - Reflected Cross-site Scripting

IFTOP developed by WellChoose has a Reflected Cross-site Scripting vulnerability, allowing authenticated remote attackers to execute arbitrary JavaScript codes in user's browser through phishing atta…

organization_portal_system | Remote
Mar 11, 2026 Mar 17, 2026
Mar 11, 2026
Mar 17, 2026
6.1 MEDIUM
CVE-2026-3824 — WellChoose|IFTOP - Open redirect

IFTOP developed by WellChoose has an Open redirect vulnerability, allowing authenticated remote attackers to craft a URL that tricks users into visiting malicious website.

organization_portal_system | Remote | Misconfiguration
Mar 11, 2026 Mar 17, 2026
Mar 11, 2026
Mar 17, 2026
6.4 MEDIUM
CVE-2026-3534 — Astra <= 4.12.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Post Meta

The Astra theme for WordPress is vulnerable to Stored Cross-Site Scripting via the `ast-page-background-meta` and `ast-content-background-meta` post meta fields in all versions up to, and including, …

astra | Remote | Cross-Site Scripting
Mar 11, 2026 Mar 11, 2026
Mar 11, 2026
Mar 11, 2026
9.0 HIGH
CVE-2026-31844 — Authenticated SQL Injection in Koha displayby parameter of suggestion.pl

An authenticated SQL Injection vulnerability (CWE-89) exists in the Koha staff interface in the /cgi-bin/koha/suggestion/suggestion.pl endpoint due to improper validation of the displayby parameter u…

Remote | Injection
Mar 11, 2026 Mar 11, 2026
Mar 11, 2026
Mar 11, 2026
Showing 20 of 6452 Results