Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
CVE Intelligence

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

All Critical Actively Exploited Remotely Exploitable
Last Updated Published CVSS Score
Score
Vulnerability
Published
6.8 MEDIUM
CVE-2024-11399 — Synology BeeDrive Redis-Server Directory Traversal Denial of Service

Files or directories accessible to external parties vulnerability in redis-server component in Synology BeeDrive for desktop before 1.3.2-13814 allows local users to conduct denial-of-service attacks…

| Denial of Service
May 27, 2026 May 27, 2026
May 27, 2026
May 27, 2026
7.8 HIGH
CVE-2023-52945 — Synology BeeDrive OpenSSL DLL Uncontrolled Search Path Element Vulnerability

Uncontrolled search path element vulnerability in OpenSSL DLL component in Synology BeeDrive for desktop before 1.3.2-13814 allows local users to execute arbitrary code via unspecified vectors.

| Path Traversal
May 27, 2026 May 27, 2026
May 27, 2026
May 27, 2026
4.3 MEDIUM
CVE-2026-8942 — MetaMagic SEO Plugin <= 1.6 - Cross-Site Request Forgery to Plugin Settings Update via Se…

The MetaMagic SEO Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.6. This is due to missing or incorrect nonce validation on the metama…

Remote | Cross-Site Request Forgery
May 27, 2026 May 27, 2026
May 27, 2026
May 27, 2026
6.1 MEDIUM
CVE-2026-8906 — WP Promoter <= 1.3 - Cross-Site Request Forgery to Stored Cross-Site Scripting via 'popup…

The WP Promoter plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3. This is due to missing or incorrect nonce validation on a function. This ma…

Remote | Cross-Site Request Forgery
May 27, 2026 May 27, 2026
May 27, 2026
May 27, 2026
8.8 HIGH
CVE-2026-8832 — WPCode <= 2.3.5 - Authenticated (Author+) Remote Code Execution via CPT Capability Bypass…

The WPCode - Insert Headers and Footers + Custom Code Snippets - WordPress Code Manager plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 2.3.5 This is due…

Remote | Authorization
May 27, 2026 May 27, 2026
May 27, 2026
May 27, 2026
7.2 HIGH
CVE-2026-8143 — Booking Calendar – Event Calendar <= 2.1.6 - Unauthenticated Stored Cross-Site Scripting …

The HBook plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'hb_country_iso', 'hb_usa_state_iso', and 'hb_canada_province_iso' parameters in all versions up to, and including,…

Remote | Cross-Site Scripting
May 27, 2026 May 27, 2026
May 27, 2026
May 27, 2026
6.4 MEDIUM
CVE-2026-8042 — Github Shortcode <= 0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Github Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'repo' shortcode attribute in the 'github' shortcode in all versions up to, and including, 0.1 due to in…

Remote | Cross-Site Scripting
May 27, 2026 May 27, 2026
May 27, 2026
May 27, 2026
4.9 MEDIUM
CVE-2026-7618 — EnvíaloSimple: Email Marketing y Newsletters <= 2.4.5 - Authenticated (Administrator+) SQ…

The EnvíaloSimple: Email Marketing y Newsletters plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'orderby' parameter in all versions up to, and including, 2.4.5 due to in…

Remote | Injection
May 27, 2026 May 27, 2026
May 27, 2026
May 27, 2026
7.2 HIGH
CVE-2026-6169 — affiliate-toolkit <= 3.8.5 - Authenticated (Editor+) Remote Code Execution

The affiliate-toolkit plugin for WordPress is vulnerable to remote code execution in all versions up to, and including, 3.8.5. This is due to the plugin using the BladeOne templating engine's runStri…

Remote | Injection
May 27, 2026 May 27, 2026
May 27, 2026
May 27, 2026
5.3 MEDIUM
CVE-2026-49001 — Cross-Site Request Forgery (CSRF) vulnerability in ZTE ZXUniPOS NDS-LTE product

Cross-site request forgery (CSRF) vulnerabilities allow attackers to exploit a user's authenticated session to forge cross-site requests, inducing the execution of unintended operations such as tampe…

Remote | Cross-Site Request Forgery
May 27, 2026 May 27, 2026
May 27, 2026
May 27, 2026
6.8 MEDIUM
CVE-2026-41704 — Compromised VM can make arbitrary blobstore deletes

AgentClient#handle_method (lines 264-303) processes every NATS reply. It calls inject_compile_log (line 273) on every response, which reads response['value']['result']['compile_log_id'] (line 332-338…

| Authorization
May 27, 2026 May 27, 2026
May 27, 2026
May 27, 2026
5.8 MEDIUM
CVE-2026-41009 — Local Blobstore may allow arbitrary reads/deletes

When the director sends a long-running request (e.g. compile_package), the agent's reply JSON is consumed by AgentClient. inject_compile_log (line 332-339) reads response['value']['result']['compile_…

| Path Traversal
May 27, 2026 May 27, 2026
May 27, 2026
May 27, 2026
6.9 MEDIUM
CVE-2026-40826 — Authenticated SQLi in dsgvo_contracts view

A high privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the dsgvo_contracts view due to improper neutralization of special elements in a SQL SELECT command. Th…

Remote | Injection
May 27, 2026 May 27, 2026
May 27, 2026
May 27, 2026
7.0 HIGH
CVE-2026-40825 — Authenticated SQLi in accountstatus view

A high privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the accountstatus view devices parameter due to improper neutralization of special elements in a SQL UP…

Remote | Injection
May 27, 2026 May 27, 2026
May 27, 2026
May 27, 2026
7.0 HIGH
CVE-2026-40824 — Authenticated SQLi in accountstatus view

A high privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the accountstatus view userid parameter due to improper neutralization of special elements in a SQL UPD…

Remote | Injection
May 27, 2026 May 27, 2026
May 27, 2026
May 27, 2026
7.0 HIGH
CVE-2026-40823 — Authenticated SQLi in DevSerialReset function

A high privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the DevSerialReset function due to improper neutralization of special elements in a SQL UPDATE command …

Remote | Injection
May 27, 2026 May 27, 2026
May 27, 2026
May 27, 2026
6.9 MEDIUM
CVE-2026-40822 — Authenticated SQLi in DevSerialReset function

A high privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the DevSerialReset function due to improper neutralization of special elements in a SQL SELECT command.…

Remote | Injection
May 27, 2026 May 27, 2026
May 27, 2026
May 27, 2026
6.9 MEDIUM
CVE-2026-40821 — Authenticated SQLi in getAccountByID function

A high privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the getAccountByID function due to improper neutralization of special elements in a SQL SELECT command.…

Remote | Injection
May 27, 2026 May 27, 2026
May 27, 2026
May 27, 2026
8.7 HIGH
CVE-2026-40819 — Unauthenticated SQLi in sync_data24 task

An unauthenticated remote attacker can exploit an unauthenticated SQL Injection vulnerability in the sync_data24 task due to improper neutralization of special elements in a SQL SELECT command. This …

Remote | Injection
May 27, 2026 May 27, 2026
May 27, 2026
May 27, 2026
8.7 HIGH
CVE-2026-40818 — Unauthenticated SQLi in _mb24confi_getDevice function function

An unauthenticated remote attacker can exploit an unauthenticated SQL Injection vulnerability in the _mb24confi_getDevice function due to improper neutralization of special elements in a SQL SELECT c…

Remote | Injection
May 27, 2026 May 27, 2026
May 27, 2026
May 27, 2026
Showing 20 of 6188 Results