Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
6.5 MEDIUM
CVE-2026-3117 — Instance and webhook GitLab plugin commands were able to be run by non-admin users

Mattermost Plugins versions <=11.5 11.1.5 10.13.11 11.3.4.0 fail to properly check for permissions when processing commands in the Gitlab plugin which allows normal users to uninstall instances or se…

Remote | Authorization
May 18, 2026 May 18, 2026
May 18, 2026
May 18, 2026
4.3 MEDIUM
CVE-2026-28732 — Slash command trigger-word update allowed command hijacking

Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 Fail to enforce slash command trigger-word uniqueness during command updates which allows an authenticated team member with…

Remote | Authentication
May 18, 2026 May 18, 2026
May 18, 2026
May 18, 2026
0.0 NA
CVE-2026-8788 — Net::Statsd::Lite versions through 0.10.0 for Perl allowed metric injections

Net::Statsd::Lite versions through 0.10.0 for Perl allowed metric injections. The values from the set_add method were not checked for newlines, colons or pipes. Metrics generated from untrusted sour…

| Injection
May 18, 2026 May 18, 2026
May 18, 2026
May 18, 2026
4.3 MEDIUM
CVE-2026-6342 — Group prefix matching bypass for subscriptions

Mattermost Plugins versions <=11.5 11.1.5 10.13.11 11.3.4.0 fail to appropriately check for valid namespaces which allows plugin users to create subscriptions to groups that were not whitelisted via …

Remote | Misconfiguration
May 18, 2026 May 18, 2026
May 18, 2026
May 18, 2026
4.3 MEDIUM
CVE-2026-6341 — Incomplete group locking implementation

Mattermost Plugins versions <=11.5 11.1.5 10.13.11 11.3.4.0 fail to have API-level checks on which groups the user can create issues or attach comments to which allows a user that is member of multip…

Remote | Authorization
May 18, 2026 May 18, 2026
May 18, 2026
May 18, 2026
4.3 MEDIUM
CVE-2026-6340 — Memory Exhaustion via Malicious 7zip File Upload

Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to validate 7zip archive structure before processing which allows an authenticated attacker to cause server memory exh…

Remote | Denial of Service
May 18, 2026 May 18, 2026
May 18, 2026
May 18, 2026
3.1 LOW
CVE-2026-6334 — OAuth authorization code client binding not enforced during token redemption in Mattermost

Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13 fail to enforce client identity binding during the OAuth authorization code redemption flow which allows an authenticated OAuth client to red…

Remote | Authentication
May 18, 2026 May 18, 2026
May 18, 2026
May 18, 2026
3.7 LOW
CVE-2026-4273 — Insufficient token rotation validation in remote cluster invite confirmation

Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13 fail to validate that the RefreshedToken differs from the original invite token during remote cluster invite confirmation which allows an aut…

Remote | Authentication
May 18, 2026 May 18, 2026
May 18, 2026
May 18, 2026
4.3 MEDIUM
CVE-2026-3637 — Mattermost fails to enforce create_post permission when editing posts

Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to check the create_post channel permission during post edit operations which allows an authenticated attacker with re…

Remote | Authorization
May 18, 2026 May 18, 2026
May 18, 2026
May 18, 2026
3.8 LOW
CVE-2026-3495 — Unescaped variables during error page composition

Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13 fail to escape some variables that could contain malicious content during error page composition which allows an attacker with access to edit…

Remote | Cross-Site Scripting
May 18, 2026 May 18, 2026
May 18, 2026
May 18, 2026
4.3 MEDIUM
CVE-2026-2325 — Improper Input Validation in MS Teams Meetings API Handler

Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to limit the size of the request body on the start meeting API endpoint, which allows an authenticated attacker to cau…

Remote | Denial of Service
May 18, 2026 May 18, 2026
May 18, 2026
May 18, 2026
4.3 MEDIUM
CVE-2026-28759 — Insufficient authorization in shared channel membership sync allows remote cluster to rem…

Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to validate that a remote cluster has access to a channel before processing membership removal requests during shared …

Remote | Authorization
May 18, 2026 May 18, 2026
May 18, 2026
May 18, 2026
0.0 NA
CVE-2026-6495 — Ajax Load More < 7.8.4 - Reflected XSS

The Ajax Load More WordPress plugin before 7.8.4 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used again…

| Cross-Site Scripting
May 18, 2026 May 18, 2026
May 18, 2026
May 18, 2026
0.0 NA
CVE-2026-6381 — WP Maps < 4.9.3 - Subscriber+ Local File Inclusion

The WP Maps WordPress plugin before 4.9.3 does not properly sanitize a parameter before using it in a file path, allowing authenticated users to perform Local File Inclusion attacks.

| Path Traversal
May 18, 2026 May 18, 2026
May 18, 2026
May 18, 2026
0.0 NA
CVE-2026-6379 — WP Photo Album Plus < 9.1.11.001 - Unauthenticated SQL Injection via 'wppa-supersearch' P…

The WP Photo Album Plus WordPress plugin before 9.1.11.001 does not properly sanitize and escape a parameter before using it in a SQL query, allowing unauthenticated users to perform SQL injection at…

| Injection
May 18, 2026 May 18, 2026
May 18, 2026
May 18, 2026
0.0 NA
CVE-2026-3220 — Multiple Plugins - Unauthenticated Stored XSS via Minify Library

The Autoptimize WordPress plugin before 3.1.15, Clearfy Cache WordPress plugin before 2.4.2, Speed Optimizer WordPress plugin before 7.7.9 are vulnerable to unauthenticated Stored Cross-Site Script…

| Cross-Site Scripting
May 18, 2026 May 18, 2026
May 18, 2026
May 18, 2026
0.0 NA
CVE-2026-1631 — Feeds for YouTube < 2.6.4 - Subscriber+ License Data Deletion

The Feeds for YouTube (YouTube video, channel, and gallery plugin) WordPress plugin before 2.6.4 is vulnerable to unauthorized modification of the Feeds for YouTube (YouTube video, channel, and galle…

| Authorization
May 18, 2026 May 18, 2026
May 18, 2026
May 18, 2026
6.5 MEDIUM
CVE-2026-8786 — Tencent WeKnora Config API Endpoint initialization.go getKnowledgeBaseForInitialization a…

A vulnerability has been found in Tencent WeKnora up to 0.3.6. Affected by this issue is the function getKnowledgeBaseForInitialization of the file internal/handler/initialization.go of the component…

Remote | Authorization
May 18, 2026 May 18, 2026
May 18, 2026
May 18, 2026
7.5 HIGH
CVE-2026-8785 — projectworlds hospital-management-system-in-php GET Parameter update_info.php getAllPatie…

A flaw has been found in projectworlds hospital-management-system-in-php 1.0. Affected by this vulnerability is the function getAllPatientDetail of the file update_info.php of the component GET Param…

Remote | Injection
May 18, 2026 May 18, 2026
May 18, 2026
May 18, 2026
4.2 MEDIUM
CVE-2026-8784 — npitre cramfs-tools cramfsck.c change_file_status symlink

A vulnerability was detected in npitre cramfs-tools up to 2.2. Affected is the function change_file_status of the file cramfsck.c. Performing a manipulation results in symlink following. The attack r…

| Path Traversal
May 18, 2026 May 18, 2026
May 18, 2026
May 18, 2026
Showing 20 of 6166 Results