Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score | Vulnerability | Published / Updated
6.4 MEDIUM
CVE-2020-37233 — WordPress Plugin Buddypress 6.2.0 Persistent Cross-Site Scripting

WordPress Plugin Buddypress 6.2.0 contains a persistent cross-site scripting vulnerability that allows authenticated attackers with moderator privileges to inject malicious script code through the fi…

Remote | Cross-Site Scripting
Published: May 16, 2026 | Updated: May 16, 2026
8.5 HIGH
CVE-2020-37232 — Advanced System Care Service 13.0.0.157 Unquoted Service Path Privilege Escalation

Advanced System Care Service 13.0.0.157 contains an unquoted service path vulnerability in the AdvancedSystemCareService13 service binary path that allows local attackers to escalate privileges. Atta…

Local | Misconfiguration
Published: May 16, 2026 | Updated: May 16, 2026
8.5 HIGH
CVE-2020-37231 — Privacy Drive 3.17.0 Unquoted Service Path Privilege Escalation

Privacy Drive 3.17.0 contains an unquoted service path vulnerability in the pdsvc.exe service binary that allows local attackers to escalate privileges by exploiting the service startup process. Atta…

Local | Misconfiguration
Published: May 16, 2026 | Updated: May 16, 2026
8.5 HIGH
CVE-2020-37230 — Syncplify.me Server! 5.0.37 Unquoted Service Path Privilege Escalation

Syncplify.me Server! 5.0.37 contains an unquoted service path vulnerability in the SMWebRestServicev5 service that allows local attackers to escalate privileges by exploiting the unquoted binary path…

Local | Misconfiguration
Published: May 16, 2026 | Updated: May 16, 2026
8.5 HIGH
CVE-2020-37229 — OKI sPSV Port Manager 1.0.41 Unquoted Service Path Privilege Escalation

OKI sPSV Port Manager 1.0.41 contains an unquoted service path vulnerability in the sPSVOpLclSrv service that allows local attackers to escalate privileges by inserting executable files into the unqu…

Local | Misconfiguration
Published: May 16, 2026 | Updated: May 16, 2026
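The four unquoted-service-path entries above share one mechanism: when a service's ImagePath is unquoted and contains spaces, Windows tries each space-delimited prefix as an executable before reaching the intended binary, so a low-privileged user who can write to one of those earlier directories gets code execution as the service account. The script below is an added example (not code from any of the listed vendors) that walks that resolution order for a service path, flags the candidates that land in a writable directory, and produces the quoted path that fixes it. The service names, paths and the writable-directory set are constructed; on a real host the inputs come from Get-CimInstance Win32_Service (PathName) and an ACL check such as icacls.

```python
import ntpath

# Constructed service entries (not the products in the feed). On a real host the
# same data comes from:  Get-CimInstance Win32_Service | Select-Object Name, PathName
SERVICES = {
    "ExampleSvc": r"C:\Program Files\Example Vendor\Example Service\svc.exe -k start",
    "QuotedSvc": r'"C:\Program Files\Example Vendor\Example Service\svc.exe" -k start',
}

# Constructed stand-in for an ACL check (icacls / Get-Acl): directories on the
# path that a low-privileged user can create files in.
WRITABLE_DIRS = {r"C:\Program Files\Example Vendor"}


def is_quoted(image_path: str) -> bool:
    return image_path.lstrip().startswith('"')


def executable_candidates(image_path: str) -> list[str]:
    """Paths the service start-up may try, in order, for one ImagePath.

    Unquoted: every space-delimited prefix is a candidate, with ".exe" appended
    when the prefix has no extension; the walk ends at the first prefix that
    already ends in ".exe", which is the binary the vendor intended.
    Quoted: the binary is exactly the text between the quotes.
    """
    if is_quoted(image_path):
        body = image_path.lstrip()[1:]
        return [body[: body.index('"')]]
    tokens = image_path.split(" ")
    candidates = []
    for i in range(1, len(tokens) + 1):
        prefix = " ".join(tokens[:i])
        ext = ntpath.splitext(prefix)[1]
        candidates.append(prefix if ext else prefix + ".exe")
        if ext.lower() == ".exe":
            break  # reached the intended binary; the remainder is arguments
    return candidates


def _norm(path: str) -> str:
    return ntpath.normcase(path.rstrip("\\"))


def hijack_points(image_path: str, writable_dirs: set[str]) -> list[str]:
    """Candidates tried before the intended binary that sit in a writable directory.

    Planting a binary at any of these paths runs attacker code with the service's
    account (typically LocalSystem) the next time the service starts.
    """
    writable = {_norm(d) for d in writable_dirs}
    cands = executable_candidates(image_path)
    return [c for c in cands[:-1] if _norm(ntpath.dirname(c)) in writable]


def quoted_image_path(image_path: str) -> str:
    """Remediation: wrap the binary portion in quotes, leaving arguments outside."""
    if is_quoted(image_path):
        return image_path
    tokens = image_path.split(" ")
    for i in range(1, len(tokens) + 1):
        prefix = " ".join(tokens[:i])
        if prefix.lower().endswith(".exe"):
            args = " ".join(tokens[i:])
            return f'"{prefix}"' + (f" {args}" if args else "")
    return f'"{image_path}"'  # no .exe found: quote the whole string


def audit(services: dict[str, str], writable_dirs: set[str]) -> dict[str, list[str]]:
    """Map each exploitable service to the paths an attacker could plant a binary at."""
    findings = {}
    for name, path in services.items():
        points = hijack_points(path, writable_dirs)
        if points:
            findings[name] = points
    return findings


if __name__ == "__main__":
    for svc, points in audit(SERVICES, WRITABLE_DIRS).items():
        print(f"{svc}: unquoted path, plantable at {points}")
        print(f"  fix: ImagePath = {quoted_image_path(SERVICES[svc])}")
```

The walk stops at the first prefix that already ends in .exe because that is the binary the vendor meant; everything after it is arguments, so only the earlier candidates matter for hijacking. Note that a writable directory alone is not enough: the planted file also has to sit at exactly the candidate name (here Example.exe inside Example Vendor), which is what hijack_points reports.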
9.8 CRITICAL
CVE-2020-37228 — iDS6 DSSPro Digital Signage System 6.2 CAPTCHA Security Bypass

iDS6 DSSPro Digital Signage System 6.2 contains a CAPTCHA security bypass vulnerability that allows attackers to bypass authentication by requesting the autoLoginVerifyCode object. Attackers can retr…

Remote | Authentication
Published: May 16, 2026 | Updated: May 16, 2026
8.8 HIGH
CVE-2020-37227 — WordPress Plugin HS Brand Logo Slider 2.1 Unrestricted File Upload

HS Brand Logo Slider 2.1 contains an unrestricted file upload vulnerability that allows authenticated users to bypass client-side file extension validation by uploading arbitrary files. Attackers can…

Remote | Misconfiguration
Published: May 16, 2026 | Updated: May 16, 2026
0.0 NA
CVE-2026-46719 — Net::Statsd::Lite versions before 0.9.0 for Perl allowed metric injections

Net::Statsd::Lite versions before 0.9.0 for Perl allowed metric injections. The metric names were not checked for newlines, colons or pipes. Metrics generated from untrusted sources could inject add…

Injection
Published: May 16, 2026 | Updated: May 16, 2026
4.3 MEDIUM
CVE-2025-4202 — Multicollab: Content Team Collaboration and Editorial Workflow <= 5.2 - Missing Authoriza…

The Multicollab: Content Team Collaboration and Editorial Workflow plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'cf_add_comment' fu…

Remote | Authorization
Published: May 16, 2026 | Updated: May 16, 2026
8.2 HIGH
CVE-2026-8657 — Apache jsondiffpatch Prototype Pollution Vulnerability

Versions of the package jsondiffpatch before 0.7.6 are vulnerable to Prototype Pollution via the jsondiffpatch.patch() and jsondiffpatch/formatters/jsonpatch.patch() APIs. An attacker can perform pro…

Remote | Injection
Published: May 16, 2026 | Updated: May 16, 2026
6.1 MEDIUM
CVE-2026-8656 — Jsondiffpatch Cross-Site Scripting (XSS)

Versions of the package jsondiffpatch before 0.7.6 are vulnerable to Cross-site Scripting (XSS) via the annotated formatter due to improper sanitization of JSON values and property names. If an appli…

Remote | Cross-Site Scripting
Published: May 16, 2026 | Updated: May 16, 2026
5.3 MEDIUM
CVE-2026-8681 — Essential Chat Support <= 1.0.1 - Missing Authorization to Unauthenticated Settings Reset…

The Essential Chat Support plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.0.1. This is due to the plugin not properly verifying that a user is auth…

Remote | Authorization
Published: May 16, 2026 | Updated: May 16, 2026
0.0 NA
CVE-2026-8704 — Crypt::DSA versions through 1.19 for Perl use two-argument open, allowing existing files to be …

Crypt::DSA versions through 1.19 for Perl use two-argument open, allowing existing files to be modified.

Misconfiguration
Published: May 15, 2026 | Updated: May 16, 2026
0.0 NA
CVE-2026-8700 — Crypt::DSA versions before 1.20 for Perl generate seeds using rand

Crypt::DSA versions before 1.20 for Perl generate seeds using rand. Seeds were generated using Perl's built-in rand function, which is predictable and unsuitable for security usage.

Cryptography
Published: May 15, 2026 | Updated: May 16, 2026
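Why a general-purpose rand is unsuitable for seeds: its output is a deterministic function of its own seed, and when that seed comes from a low-entropy source (a timestamp is the usual case) an attacker can enumerate the possibilities and reproduce everything derived from it. The script below is an added example in Python, not Crypt::DSA's code: random.Random (Mersenne Twister) stands in for Perl's rand, the timestamp and the one-hour search window are constructed, and a SHA-256 fingerprint stands in for any public artifact that is computed deterministically from the seed. The CSPRNG-backed alternative uses the secrets module.

```python
import hashlib
import random
import secrets
from typing import Optional

SEED_BYTES = 20  # a 160-bit seed, the size historically paired with a 160-bit DSA q


def weak_seed(seed_source: int) -> bytes:
    """Anti-pattern: a DSA seed drawn from a general-purpose PRNG whose own
    seed is guessable. random.Random stands in for Perl's rand; both are
    deterministic given their seed, and here that seed is a timestamp."""
    rng = random.Random(seed_source)
    return rng.getrandbits(SEED_BYTES * 8).to_bytes(SEED_BYTES, "big")


def strong_seed() -> bytes:
    """Fix: take the seed straight from the OS CSPRNG."""
    return secrets.token_bytes(SEED_BYTES)


def fingerprint(seed: bytes) -> str:
    """Stand-in for any public artifact derived deterministically from the seed
    (a published key or parameter set); an attacker can compute it for each guess."""
    return hashlib.sha256(seed).hexdigest()


def recover_seed_source(observed_fp: str, earliest: int, latest: int) -> Optional[int]:
    """Brute-force the timestamp window: one guess per second is cheap."""
    for t in range(earliest, latest + 1):
        if fingerprint(weak_seed(t)) == observed_fp:
            return t
    return None


GENERATED_AT = 1_700_000_000  # constructed: the second at which the victim ran keygen
WINDOW = 1800                  # constructed: attacker knows keygen time to within an hour


def demo() -> tuple[bool, bool]:
    """Returns (weak seed recovered?, strong seed recovered?)."""
    victim_fp = fingerprint(weak_seed(GENERATED_AT))
    guess = recover_seed_source(victim_fp, GENERATED_AT - WINDOW, GENERATED_AT + WINDOW)
    weak_recovered = guess is not None and weak_seed(guess) == weak_seed(GENERATED_AT)

    # The same search against a fresh 160-bit CSPRNG seed never finds a match:
    # there is no small seed space to enumerate.
    strong_fp = fingerprint(strong_seed())
    strong_recovered = (
        recover_seed_source(strong_fp, GENERATED_AT - WINDOW, GENERATED_AT + WINDOW) is not None
    )
    return weak_recovered, strong_recovered


if __name__ == "__main__":
    weak, strong = demo()
    print("timestamp-seeded PRNG seed recovered:", weak)
    print("CSPRNG seed recovered:", strong)
```

The search costs 3601 PRNG initialisations and hashes, which is negligible; widening the window to a year only raises it to a few tens of millions. A seed from secrets.token_bytes has no such structure to exploit, which is the whole difference between the two functions.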
6.5 MEDIUM
CVE-2026-45667 — Open WebUI: Unauthenticated endpoint can trigger embedding generation (cost/DoS)

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.8.0, GET /api/v1/memories/ef is accessible without authentication and executes request.ap…

open_webui | Remote | Authentication
Published: May 15, 2026 | Updated: May 15, 2026
6.5 MEDIUM
CVE-2026-45666 — Open WebUI: Insecure Direct Object Reference (IDOR) in user notes

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.8.11, the API /api/v1/notes/{note_id} endpoint lacks proper authorization checks, allowin…

open_webui | Remote | Authorization
Published: May 15, 2026 | Updated: May 15, 2026
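An IDOR of the kind described above is an endpoint that authenticates the caller and then fetches the object by id without checking the caller's relation to it. The snippet below is an added example in Python (Open WebUI is a Python application, but this is not its code) showing the vulnerable lookup beside the fixed one: the fixed version checks ownership after the lookup and returns the same not-found result for missing and for unauthorised ids, so the endpoint does not become an oracle for which ids exist. The notes, users and the read-only sharing rule are constructed assumptions for the example.

```python
from dataclasses import dataclass


class NotFound(Exception):
    pass


class Forbidden(Exception):
    pass


@dataclass
class Note:
    id: str
    owner_id: str
    body: str
    shared_with: frozenset = frozenset()  # read-only sharing: an assumed feature


# Constructed data: two users, two private notes, one shared read-only.
NOTES = {
    "n1": Note("n1", "alice", "alice's draft"),
    "n2": Note("n2", "bob", "bob's private note"),
    "n3": Note("n3", "bob", "shared with alice", frozenset({"alice"})),
}


def get_note_unchecked(note_id: str, user_id: str) -> Note:
    """Vulnerable pattern: the caller is authenticated (user_id is trusted),
    but ownership is never compared, so any user who guesses or enumerates
    an id reads every note."""
    note = NOTES.get(note_id)
    if note is None:
        raise NotFound(note_id)
    return note


def can_read(note: Note, user_id: str) -> bool:
    return user_id == note.owner_id or user_id in note.shared_with


def can_write(note: Note, user_id: str) -> bool:
    return user_id == note.owner_id


def get_note(note_id: str, user_id: str) -> Note:
    """Fixed: look the object up, then check the caller's relation to it.
    Missing and unauthorised collapse into one 404 so the endpoint does not
    reveal which ids exist."""
    note = NOTES.get(note_id)
    if note is None or not can_read(note, user_id):
        raise NotFound(note_id)
    return note


def update_note(note_id: str, user_id: str, body: str) -> Note:
    """Writes need the stronger check; a shared reader gets 403, not silent success."""
    note = get_note(note_id, user_id)
    if not can_write(note, user_id):
        raise Forbidden(note_id)
    note.body = body
    return note


def outcome(fn, *args) -> str:
    """Collapse result or exception into the HTTP status the handler would return."""
    try:
        fn(*args)
        return "200"
    except NotFound:
        return "404"
    except Forbidden:
        return "403"


if __name__ == "__main__":
    print("alice reads bob's note, unchecked:", outcome(get_note_unchecked, "n2", "alice"))
    print("alice reads bob's note, fixed:    ", outcome(get_note, "n2", "alice"))
    print("alice edits shared note, fixed:   ", outcome(update_note, "n3", "alice", "x"))
```

The check belongs on every route that takes an object id (read, update, delete, share), not only on the listing endpoint that happens to filter by owner; authorisation that lives in the query used for one route and not in the others is exactly how this class of bug appears.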
8.1 HIGH
CVE-2026-45665 — Open WebUI: Stored XSS in Banner Component via Improper Sanitization Order

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.8.0, a Stored Cross-Site Scripting (XSS) vulnerability exists in the Banner component due…

open_webui | Remote | Cross-Site Scripting
Published: May 15, 2026 | Updated: May 15, 2026
5.4 MEDIUM
CVE-2026-45365 — Open WebUI: Authenticated users can bypass model access control via exposed query paramet…

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.8.11, an internal-only bypass_filter parameter is exposed on the /openai/chat/completions…

open_webui | Remote | Authorization
Published: May 15, 2026 | Updated: May 15, 2026
6.5 MEDIUM
CVE-2026-45351 — Open WebUI: Exposure of System Prompt to Regular User [Non-Admin]

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.8.9, when a regular user [non-admin] logs into the application, a http://IP:8080/api/mode…

open_webui | Remote | Information Disclosure
Published: May 15, 2026 | Updated: May 15, 2026
7.1 HIGH
CVE-2026-45350 — Open WebUI: Chat completion API allows tool restrictions to be bypassed

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.8.6, there is a vulnerability in chat completion API, which allows attackers to bypass to…

open_webui | Remote | Authorization
Published: May 15, 2026 | Updated: May 15, 2026
Showing 20 of 6220 Results