Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
0.0 NA
CVE-2026-44618 — Apache CXF: XXE vulnerability in WS-Transfer functionality

Insecure XML parser configuration in Apache CXF's WS-Transfer module may allow attackers to perform XXE attacks. Users are recommended to upgrade to versions 4.2.1, 4.1.6 or 3.6.11, which fix this is…

| XML External Entity
May 22, 2026 May 22, 2026
May 22, 2026
May 22, 2026
0.0 NA
CVE-2026-44930 — Apache CXF: LDAP Injection vulnerability in XKMS LDAP Repository

An LDAP injection vulnerability in the LDAP Certificate repository of the XKMS server in Apache CXF may allow an attacker to retrieve arbitrary certificates from the repository.  Users are recommende…

| Injection
May 22, 2026 May 22, 2026
May 22, 2026
May 22, 2026
6.5 MEDIUM
CVE-2026-4635 — Persistent notification timing attack causing server denial of service

Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to archive the channel before removing persistent notifications which allows authenticated user to c…

Remote | Denial of Service
May 22, 2026 May 22, 2026
May 22, 2026
May 22, 2026
5.9 MEDIUM
CVE-2026-3473 — Improper file ownership validation in the Boards API allows unauthorised file access

Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to validate file ownership and access control, which allows an authenticated user to access and down…

Remote | Authorization
May 22, 2026 May 22, 2026
May 22, 2026
May 22, 2026
4.3 MEDIUM
CVE-2026-4646 — Insufficient input validation in GitHub plugin API causes denial of service

Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to validate user-supplied input in API request handlers which allows an authenticated attacker to cr…

Remote | Denial of Service
May 22, 2026 May 22, 2026
May 22, 2026
May 22, 2026
4.3 MEDIUM
CVE-2026-3636 — Sanitize team member data returned by API

Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to sanitize team member data when returned via API to users without elevated permissions which allow…

Remote | Information Disclosure
May 22, 2026 May 22, 2026
May 22, 2026
May 22, 2026
7.5 HIGH
CVE-2026-5740 — Unauthenticated WebSocket binary frame causes denial of service in Mattermost Server

Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to properly validate msgpack-encoded WebSocket frames before memory allocation which allows an unaut…

Remote | Denial of Service
May 22, 2026 May 22, 2026
May 22, 2026
May 22, 2026
4.9 MEDIUM
CVE-2026-5308 — Missing request body size limits on Zoom plugin HTTP endpoints

Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to enforce request body size limits on plugin HTTP endpoints which allows an attacker to cause a den…

Remote | Denial of Service
May 22, 2026 May 22, 2026
May 22, 2026
May 22, 2026
6.5 MEDIUM
CVE-2026-5755 — Denial of service via crafted TIFF file upload

Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.2, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to validate the TIFF IFD offset in the image header before allocating memory, whic…

Remote | Denial of Service
May 22, 2026 May 22, 2026
May 22, 2026
May 22, 2026
2.3 LOW
CVE-2026-25608 — Lack of traffic encryption in STER

STER uses unencrypted TCP traffic to transmit data over the network. It allows an attacker to conduct a Man-In-The-Middle attack and obtain sensitive data such as passwords, personal data, or authen…

Remote | Cryptography
May 22, 2026 May 22, 2026
May 22, 2026
May 22, 2026
5.7 MEDIUM
CVE-2026-25607 — Weak password encoding in STER

Use of a weak password encoding algorithm in STER software allows the value of the password to be guessed after analyzing how passwords with known values are encoded. This issue was fixed in version…

| Cryptography
May 22, 2026 May 22, 2026
May 22, 2026
May 22, 2026
8.7 HIGH
CVE-2026-25606 — SQL Injection in STER

A SQL injection vulnerability has been identified in STER. Improper neutralization of input provided by user into multiple Search Filters allows for SQL Injection attacks. It allows an authenticated …

Remote | Injection
May 22, 2026 May 22, 2026
May 22, 2026
May 22, 2026
7.5 HIGH
CVE-2026-9011 — Ditty <= 3.1.65 - Missing Authorization to Unauthenticated Sensitive Information Disclosu…

The Ditty – Responsive News Tickers, Sliders, and Lists plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.1.65. This is due to the plugin not properly…

Remote | Authorization
May 22, 2026 May 22, 2026
May 22, 2026
May 22, 2026
4.3 MEDIUM
CVE-2026-8692 — Vedrixa Forms <= 1.1.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary F…

The Vedrixa Forms – User Registration Form, Signup Form & Drag & Drop Form Builder plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.1.1. This is due …

Remote | Authorization
May 22, 2026 May 22, 2026
May 22, 2026
May 22, 2026
5.3 MEDIUM
CVE-2026-8684 — MotoPress Hotel Booking <= 6.0.1 - Missing Authorization to Unauthenticated Arbitrary Boo…

The MotoPress Hotel Booking plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 6.0.1. This is due to the plugin not properly verifying that a user is aut…

Remote | Authorization
May 22, 2026 May 22, 2026
May 22, 2026
May 22, 2026
7.5 HIGH
CVE-2026-8679 — AudioIgniter Music Player <= 2.0.2 - Unauthenticated Insecure Direct Object Reference to …

The AudioIgniter plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 2.0.2. This is due to the handle_playlist_endpoint() function (hooked to temp…

Remote | Authorization
May 22, 2026 May 22, 2026
May 22, 2026
May 22, 2026
5.4 MEDIUM
CVE-2026-8381 — Broken Access Control in TeamViewer DEX Platform (On Premises)

A broken access control vulnerability exists in the TeamViewer DEX Platform (On‑Premises) prior version 9.2. Certain backend API endpoints do not correctly enforce authorization checks, allowing an a…

Remote | Authorization
May 22, 2026 May 22, 2026
May 22, 2026
May 22, 2026
5.4 MEDIUM
CVE-2026-7798 — FluentCRM <= 2.9.87 - Unauthenticated Blind Server-Side Request Forgery via 'SubscribeURL…

The FluentCRM – Email Newsletter, Automation, Email Marketing, Email Campaigns, Optins, Leads, and CRM Solution plugin for WordPress is vulnerable to Blind Server-Side Request Forgery in all versions…

Remote | Server-Side Request Forgery
May 22, 2026 May 22, 2026
May 22, 2026
May 22, 2026
4.3 MEDIUM
CVE-2026-7636 — Slider by Soliloquy <= 2.8.1 - Authenticated (Subscriber+) Information Disclosure via RES…

The Slider by Soliloquy – Responsive Image Slider for WordPress plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.8.1 via the map_meta_cap. …

Remote | Information Disclosure
May 22, 2026 May 22, 2026
May 22, 2026
May 22, 2026
4.3 MEDIUM
CVE-2026-7615 — Widget Context <= 1.3.3 - Cross-Site Request Forgery to Settings Update via 'wl' Parameter

The Widget Context plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.3. This is due to missing or incorrect nonce validation on the save_widge…

Remote | Cross-Site Request Forgery
May 22, 2026 May 22, 2026
May 22, 2026
May 22, 2026
Showing 20 of 6112 Results