Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
4.3 MEDIUM
CVE-2026-6400 — Child Height Predictor by Ostheimer <= 1.3 - Cross-Site Request Forgery to Settings Updat…

The Child Height Predictor by Ostheimer plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 1.3. This is due to missing nonce verification in the opti…

Remote | Cross-Site Request Forgery
May 20, 2026 May 20, 2026
May 20, 2026
May 20, 2026
4.4 MEDIUM
CVE-2026-6399 — General Options <= 1.1.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via…

The General Options plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to and including 1.1.0. This is due to the use of sanitize_text_field() for output escaping in the…

Remote | Cross-Site Scripting
May 20, 2026 May 20, 2026
May 20, 2026
May 20, 2026
6.4 MEDIUM
CVE-2026-6397 — Sticky <= 2.5.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'readmoret…

The Sticky plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `cvmh-sticky` shortcode `readmoretext` attribute in versions up to and including 2.5.6. This is due to insufficien…

Remote | Cross-Site Scripting
May 20, 2026 May 20, 2026
May 20, 2026
May 20, 2026
6.1 MEDIUM
CVE-2026-6395 — Word 2 Cash <= 0.9.2 - Cross-Site Request Forgeryto Stored Cross-Site Scripting via Setti…

The Word 2 Cash plugin for WordPress is vulnerable to Cross-Site Request Forgery leading to Stored Cross-Site Scripting in versions up to and including 0.9.2. This is due to the complete absence of n…

Remote | Cross-Site Request Forgery
May 20, 2026 May 20, 2026
May 20, 2026
May 20, 2026
5.4 MEDIUM
CVE-2026-6394 — Nexa Blocks <= 1.1.1 - Unauthenticated Blind Server-Side Request Forgery via 'demo_json_f…

The Nexa Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE plugin for WordPress is vulnerable to Server-Side Request Forgery (SSRF) in versions up to and including 1.1.1. This is due…

Remote | Server-Side Request Forgery
May 20, 2026 May 20, 2026
May 20, 2026
May 20, 2026
6.1 MEDIUM
CVE-2026-6391 — Sentence To SEO (keywords, description and tags) <= 1.0 - Cross-Site Request Forgery to S…

The Sentence To SEO (keywords, description and tags) plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect no…

Remote | Cross-Site Request Forgery
May 20, 2026 May 20, 2026
May 20, 2026
May 20, 2026
6.5 MEDIUM
CVE-2026-6072 — Oliver POS <= 2.4.2.6 - Unauthenticated Authorization Bypass Through User-Controlled Key …

The Oliver POS – A WooCommerce Point of Sale (POS) plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in all versions up to and including 2.4.2.6. The plugin prote…

Remote | Authorization
May 20, 2026 May 20, 2026
May 20, 2026
May 20, 2026
6.4 MEDIUM
CVE-2026-5293 — 診断ジェネレータ作成プラグイン <= 1.4.16 - Authenticated (Subscriber+) Stored Cross-Site Scripting via '…

The 診断ジェネレータ作成プラグイン (Diagnosis Generator) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'js' parameter in versions up to and including 1.4.16. This is due to missing autho…

Remote | Cross-Site Scripting
May 20, 2026 May 20, 2026
May 20, 2026
May 20, 2026
3.1 LOW
CVE-2026-45232 — Rsync < 3.4.3 Off-by-One Stack Write via HTTP Proxy

Rsync versions before 3.4.3 contain an off-by-one out-of-bounds stack write vulnerability in the establish_proxy_connection() function in socket.c that allows network attackers to corrupt stack memor…

Remote | Memory Corruption
May 20, 2026 May 20, 2026
May 20, 2026
May 20, 2026
6.9 MEDIUM
CVE-2026-43620 — Rsync < 3.4.3 Out-of-Bounds Array Read via recv_files()

Rsync version 3.4.2 and prior contain a receiver-side out-of-bounds array read vulnerability in recv_files() in receiver.c that allows a malicious rsync server to crash the rsync client process. Atta…

Remote | Memory Corruption
May 20, 2026 May 20, 2026
May 20, 2026
May 20, 2026
7.2 HIGH
CVE-2026-43619 — Rsync < 3.4.3 Symlink Race Condition via Path-Based Syscalls

Rsync version 3.4.2 and prior contain symlink race condition vulnerabilities in path-based system calls including chmod, lchown, utimes, rename, unlink, mkdir, symlink, mknod, link, rmdir, and lstat …

| Race Condition
May 20, 2026 May 20, 2026
May 20, 2026
May 20, 2026
8.1 HIGH
CVE-2026-43618 — Rsync < 3.4.3 Integer Overflow Information Disclosure

Rsync version 3.4.2 and prior contain an integer overflow vulnerability in the compressed-token decoder where a 32-bit signed counter is not checked for overflow, allowing a malicious sender to trigg…

Remote | Memory Corruption
May 20, 2026 May 20, 2026
May 20, 2026
May 20, 2026
6.3 MEDIUM
CVE-2026-43617 — Rsync < 3.4.3 Authorization Bypass via Hostname Resolution

Rsync version 3.4.2 and prior contain an authorization bypass vulnerability in the rsync daemon's hostname-based access control list enforcement when configured with chroot. Attackers can bypass host…

Remote | Authorization
May 20, 2026 May 20, 2026
May 20, 2026
May 20, 2026
7.5 HIGH
CVE-2026-3985 — Creative Mail – Easier WordPress & WooCommerce Email Marketing <= 1.6.9 - Unauthenticated…

The Creative Mail – Easier WordPress & WooCommerce Email Marketing plugin for WordPress is vulnerable to SQL Injection via the 'checkout_uuid' parameter in all versions up to, and including, 1.6.9. T…

Remote | Injection
May 20, 2026 May 20, 2026
May 20, 2026
May 20, 2026
6.8 MEDIUM
CVE-2026-45585 — Windows BitLocker Security Feature Bypass Vulnerability

Microsoft is aware of a security feature bypass vulnerability in Windows publicly referred to as &quot;YellowKey&quot;. The proof of concept for this vulnerability has been made public violating coor…

May 20, 2026 May 20, 2026
May 20, 2026
May 20, 2026
5.5 MEDIUM
CVE-2026-39309 — Trilium Notes: macOS TCC Bypass via Prompt Spoofing

Trilium Notes is a cross-platform, hierarchical note taking application focused on building large personal knowledge bases. In versions 0.102.1 and prior, the Electron configuration is vulnerable to …

| Misconfiguration
May 20, 2026 May 20, 2026
May 20, 2026
May 20, 2026
6.8 MEDIUM
CVE-2026-35593 — Trilium Notes has Local File Inclusion via upload modified file API endpoint

Trilium Notes is an open-source, cross-platform hierarchical note taking application for building large personal knowledge bases. Versions 0.102.1 and prior are vulnerable to Local File Inclusion, al…

Remote | Path Traversal
May 20, 2026 May 20, 2026
May 20, 2026
May 20, 2026
5.3 MEDIUM
CVE-2026-34970 — MantisBT Bugnote Revision Page Leaks Private Issue Metadata After Issue Access Is Revoked

Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions 2.28.1 and prior allow a bugnote author to access the note's Revisions page after losing access to the parent private issue. Th…

mantisbt | Remote | Authorization
May 20, 2026 May 20, 2026
May 20, 2026
May 20, 2026
4.3 MEDIUM
CVE-2026-34754 — MantisBT allows unauthorized users to upload attachments to restricted issues via REST API

Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions 2.28.1 and prior allow an authenticated user to upload attachments to private Issues they are not authorized to access. This is…

mantisbt | Remote | Authorization
May 20, 2026 May 20, 2026
May 20, 2026
May 20, 2026
0.0 NA
CVE-2026-8495 — Date iCal - Critical - Information disclosure - SA-CONTRIB-2026-037

Missing Authorization vulnerability in Drupal Date iCal allows Forceful Browsing. This issue affects Date iCal: from 0.0.0 before 4.0.15.

| Authorization
May 19, 2026 May 20, 2026
May 19, 2026
May 20, 2026
Showing 20 of 6424 Results