Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
6.1 MEDIUM
CVE-2026-15094 — WP Hotel Booking <= 2.3.2 - Reflected Cross-Site Scripting via 'check_in_date' Parameter

The WP Hotel Booking plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'check_in_date' parameter in all versions up to, and including, 2.3.2 due to insufficient input sanit…

wp_hotel_booking | Remote | Cross-Site Scripting
Jul 17, 2026 Jul 17, 2026
Jul 17, 2026
Jul 17, 2026
6.3 MEDIUM
CVE-2026-60060 — Tera Term TTSSH2 Plugin Out-of-Bounds Memory Access Vulnerability

Improper Handling of Length Parameter Inconsistency (CWE-130) vulnerability exists in TTSSH2 plugin of Tera Term provided by TeraTerm Project. When Tera Term attempts to establish an SSH connection t…

| Memory Corruption
Jul 17, 2026 Jul 17, 2026
Jul 17, 2026
Jul 17, 2026
6.3 MEDIUM
CVE-2026-58317 — Tera Term TTSSH2 Plugin Unsigned to Signed Conversion Error

Unsigned to Signed Conversion Error (CWE-196) vulnerability exists in TTSSH2 plugin of Tera Term provided by TeraTerm Project. When Tera Term attempts to establish an SSH connection to a server set u…

| Memory Corruption
Jul 17, 2026 Jul 17, 2026
Jul 17, 2026
Jul 17, 2026
6.7 MEDIUM
CVE-2026-41993 — TXOne Networks SafePortAgent and StellarProtect Improper Access Control Vulnerability

Improper Access Control vulnerability in the Removable Media Validation function of TXOne Networks products allows a local attacker with administrator privileges to bypass the file lockdown mechanism…

| Authorization
Jul 17, 2026 Jul 17, 2026
Jul 17, 2026
Jul 17, 2026
6.5 MEDIUM
CVE-2026-21770 — HCL Traveler for Microsoft Outlook (HTMO) is susceptible to DLL hijacking

HCL Traveler for Microsoft Outlook (HTMO) is susceptible to a DLL hijacking vulnerability which could allow an attacker to modify or replace the application with malicious content.

| Misconfiguration
Jul 17, 2026 Jul 17, 2026
Jul 17, 2026
Jul 17, 2026
6.4 MEDIUM
CVE-2026-15759 — ChatHelp <= 3.5.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'number'…

The ChatHelp – Click to Chat Button, WooCommerce Chat to Order & Floating Chat Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'number' and 'group' Shortcode Attributes in …

Remote | Cross-Site Scripting
Jul 17, 2026 Jul 17, 2026
Jul 17, 2026
Jul 17, 2026
4.9 MEDIUM
CVE-2026-15457 — Kirki <= 6.0.13 - Authenticated (Editor+) Path Traversal to Arbitrary Directory Deletion …

The Kirki – Freeform Page Builder, Website Builder & Customizer plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 6.0.13 via the 'family' parameter. This…

Remote | Path Traversal
Jul 17, 2026 Jul 17, 2026
Jul 17, 2026
Jul 17, 2026
4.3 MEDIUM
CVE-2026-15349 — ERP: Complete HR, Accounting & CRM Suite Built for WooCommerce <= 1.17.6 - Missing Author…

The ERP: Complete HR, Accounting & CRM Suite Built for WooCommerce plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.17.6. This is due to the plugin n…

Remote | Authorization
Jul 17, 2026 Jul 17, 2026
Jul 17, 2026
Jul 17, 2026
6.4 MEDIUM
CVE-2026-15161 — Ninja Forms - Excel Export <= 3.3.6 - Authenticated (Subscriber+) Stored Cross-Site Scrip…

The Ninja Forms - Excel Export plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 3.3.6. This is due to the save_filter() AJAX handler storing the raw…

Remote | Cross-Site Scripting
Jul 17, 2026 Jul 17, 2026
Jul 17, 2026
Jul 17, 2026
6.5 MEDIUM
CVE-2026-14503 — pCloud WP Backup <= 2.0.3 - Missing Authorization on the 'start_backup' AJAX Method to A…

The pCloud WP Backup plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.0.3 via the wp2pcl_ajax_process_request_inner. This makes it possible…

Remote | Information Disclosure
Jul 17, 2026 Jul 17, 2026
Jul 17, 2026
Jul 17, 2026
7.5 HIGH
CVE-2026-13765 — LearnPress <= 4.4.1 - Missing Authorization to Unauthenticated Sensitive Information Expo…

The LearnPress – WordPress LMS Plugin for Create and Sell Online Courses plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.4.1 via the check…

Remote | Information Disclosure
Jul 17, 2026 Jul 17, 2026
Jul 17, 2026
Jul 17, 2026
8.8 HIGH
CVE-2026-13352 — Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Res…

The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress plugin for WordPress is vulnerable to Arbitrary File Upload in all versions u…

Remote | Misconfiguration
Jul 17, 2026 Jul 17, 2026
Jul 17, 2026
Jul 17, 2026
5.3 MEDIUM
CVE-2026-8616 — Fense Proxy & VPN Blocker <= 3.0.1 - Missing Authorization to Unauthenticated Plugin Opti…

The Fense Proxy & VPN Blocker plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check and missing nonce validation on the fense_bpvt_save_settings() …

Remote | Authorization
Jul 17, 2026 Jul 17, 2026
Jul 17, 2026
Jul 17, 2026
7.2 HIGH
CVE-2026-15395 — Kali Forms <= 2.4.18 - Unauthenticated Stored Cross-Site Scripting via 'digitalSignature'…

The Kali Forms — Contact Form & Drag-and-Drop Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'digitalSignature' Field Value in all versions up to, and including, 2.4.18…

Remote | Cross-Site Scripting
Jul 17, 2026 Jul 17, 2026
Jul 17, 2026
Jul 17, 2026
4.3 MEDIUM
CVE-2026-15160 — Ninja Forms - Excel Export <= 3.3.6 - Missing Authorization to Authenticated (Subscriber+…

The Ninja Forms - Excel Export plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 3.3.6 via the 'spreadsheet_export_tmp_name' parameter. This makes it pos…

Remote | Path Traversal
Jul 17, 2026 Jul 17, 2026
Jul 17, 2026
Jul 17, 2026
4.3 MEDIUM
CVE-2026-15159 — Ninja Forms - Excel Export <= 3.3.6 - Insecure Direct Object Reference to Authenticated (…

The Ninja Forms - Excel Export plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.3.6 via the 'spreadsheet_export_form_id' parameter due to…

Remote | Authorization
Jul 17, 2026 Jul 17, 2026
Jul 17, 2026
Jul 17, 2026
6.1 MEDIUM
CVE-2026-11324 — WooCommerce Placetopay Gateway <= 3.2.2 - Reflected Cross-Site Scripting via 'redirect-ur…

The WooCommerce Placetopay Gateway and PlacetoPay/AvalPay gateway plugins for WordPress are vulnerable to Reflected Cross-Site Scripting via the 'redirect-url' parameter in versions up to, and includ…

Remote | Cross-Site Scripting
Jul 17, 2026 Jul 17, 2026
Jul 17, 2026
Jul 17, 2026
7.1 HIGH
CVE-2026-62387 — Grav < 1.0.0-rc.16 CORS Misconfiguration via API Plugin

The Grav API plugin (getgrav/grav-plugin-api) before 1.0.0-rc.16 shipped Access-Control-Allow-Origin: * as its default CORS configuration on all responses, including authenticated endpoints and prefl…

grav | Remote | Misconfiguration
Jul 17, 2026 Jul 17, 2026
Jul 17, 2026
Jul 17, 2026
8.2 HIGH
CVE-2026-62386 — Grav < 1.0.0-rc.16 Authentication Bypass via token URL Parameter

The Grav API plugin (getgrav/grav-plugin-api) before 1.0.0-rc.16 accepts JWT access tokens through the ?token= URL query parameter on every API route (JwtAuthenticator::extractBearerToken fallback). …

grav | Remote | Authentication
Jul 17, 2026 Jul 17, 2026
Jul 17, 2026
Jul 17, 2026
9.3 CRITICAL
CVE-2026-62241 — clawvet < 0.7.5 Hard-coded JWT Secret Session Forgery

clawvet self-hosted API server (apps/api) before 0.7.5 hard-codes a fallback JWT secret ('clawvet-dev-secret-change-me') in auth.ts and ships it as the default in .env.example. Because GET /api/v1/sc…

Remote | Authentication
Jul 17, 2026 Jul 17, 2026
Jul 17, 2026
Jul 17, 2026
Showing 20 of 8126 Results