Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
5.3 MEDIUM
CVE-2026-25436 — WordPress Royal Elementor Addons plugin < 1.7.1053 - Broken Access Control vulnerability

Missing Authorization vulnerability in WProyal Royal Elementor Addons allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Royal Elementor Addons: from n/a bef…

Remote | Authorization
May 07, 2026 May 07, 2026
May 07, 2026
May 07, 2026
5.4 MEDIUM
CVE-2025-68604 — WordPress WPGraphQL plugin <= 2.5.3 - Cross Site Request Forgery (CSRF) vulnerability

Cross-Site Request Forgery (CSRF) vulnerability in WPGraphQL allows Cross Site Request Forgery. This issue affects WPGraphQL: from n/a through 2.5.3.

wpgraphql | Remote | Cross-Site Request Forgery
May 07, 2026 May 07, 2026
May 07, 2026
May 07, 2026
7.6 HIGH
CVE-2025-68060 — WordPress Team Member plugin <= 8.5 - SQL Injection vulnerability

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WPMart Team Member allows Blind SQL Injection. This issue affects Team Member: from n/a through …

Remote | Injection
May 07, 2026 May 07, 2026
May 07, 2026
May 07, 2026
5.3 MEDIUM
CVE-2025-66105 — WordPress Bus Ticket Booking with Seat Reservation plugin < 5.6.8 - Broken Access Control…

Missing Authorization vulnerability in Magepeople inc. Bus Ticket Booking with Seat Reservation allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Bus Ticket…

Remote | Authorization
May 07, 2026 May 07, 2026
May 07, 2026
May 07, 2026
5.9 MEDIUM
CVE-2025-62127 — WordPress WEN Logo Slider plugin <= 3.4.0 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WEN Themes WEN Logo Slider allows DOM-Based XSS. This issue affects WEN Logo Slider: from n/a th…

Remote | Cross-Site Scripting
May 07, 2026 May 07, 2026
May 07, 2026
May 07, 2026
5.3 MEDIUM
CVE-2025-2514 — Improper Restriction of Excessive Authentication Attempts vulnerability in Hitachi Virtua…

Improper restriction of excessive authentication attempts vulnerability in Hitachi Virtual Storage Platform G130, G150, G350, G370, G700, G900, F350, F370, F700, F900, Hitachi Virtual Storage Platfor…

Remote | Authentication
May 07, 2026 May 07, 2026
May 07, 2026
May 07, 2026
8.3 HIGH
CVE-2025-1978 — Remote Code Execution Vulnerability in Hitachi Storage Navigator and the maintenance cons…

Remote Code Execution Vulnerability in Hitachi Storage Navigator and the maintenance console in Hitachi Virtual Storage Platform G130, G150, G350, G370, G700, G900, F350, F370, F700, F900, Hitachi Vi…

Remote | Injection
May 07, 2026 May 07, 2026
May 07, 2026
May 07, 2026
8.0 HIGH
CVE-2024-43384 — Phoenix Contact: Improper removal of sensitive information in MGUARD products

A low privileged remote attacker can gain the root password due to improper removal of sensitive information before storage or transfer.

May 07, 2026 May 07, 2026
May 07, 2026
May 07, 2026
5.4 MEDIUM
CVE-2026-4430 — Heap Buffer Overflow in AgileEngine

Out-of-bounds write vulnerability in The Document Foundation LibreOffice via crafted OOXML documents with mismatched encryption salt parameters. This issue affects LibreOffice: from 26.2 before 26.2…

libreoffice | Memory Corruption
May 07, 2026 May 07, 2026
May 07, 2026
May 07, 2026
5.7 MEDIUM
CVE-2026-44406 — DLL Hijacking Vulnerability in ZTE Cloud PC Client uSmartview

ZTE Cloud PC client uSmartView contains a DLL hijacking vulnerability; since uSmartViewServiceAgent.exe runs with SYSTEM privileges, successful hijacking enables local arbitrary code execution, privi…

zxcloud_irai | Misconfiguration
May 07, 2026 May 07, 2026
May 07, 2026
May 07, 2026
8.1 HIGH
CVE-2025-9661 — OS command injection vulneravility in the management gui (maintenance utility) of Hitachi…

OS command injection vulneravility in the management gui (maintenance utility) of Hitachi Virtual Storage Platform One Block 23, 24, 26 and 28. This issue affects Hitachi Virtual Storage Platform On…

Remote | Injection
May 07, 2026 May 07, 2026
May 07, 2026
May 07, 2026
7.1 HIGH
CVE-2026-8063 — Post-auth null pointer dereference when aggregating against a view with empty search pipe…

An authenticated user can crash mongod when running $rankFusion or $scoreFusion with an empty pipeline on a view. When resolving a view, the server inspects the aggregation pipeline to determine whe…

mongodb | Remote | Denial of Service
May 07, 2026 May 07, 2026
May 07, 2026
May 07, 2026
8.1 HIGH
CVE-2026-7252 — WP-Optimize <= 4.5.2 - Authenticated (Author+) Arbitrary File Deletion via 'original-file…

The WP-Optimize – Cache, Compress images, Minify & Clean database to boost page speed & performance plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validat…

Remote | Path Traversal
May 07, 2026 May 07, 2026
May 07, 2026
May 07, 2026
8.8 HIGH
CVE-2026-6692 — Slider Revolution 7.0.0 - 7.0.10 - Authenticated (Subscriber+) Arbitrary File Upload via …

The Slider Revolution plugin for WordPress is vulnerable to Arbitrary File Upload in versions 7.0.0 to 7.0.10 via the '_get_media_url' and '_check_file_path' function. This is due to insufficient fil…

slider_revolution | Remote | Misconfiguration
May 07, 2026 May 07, 2026
May 07, 2026
May 07, 2026
7.5 HIGH
CVE-2026-4348 — BetterDocs Pro <= 3.7.0 - Unauthenticated SQL Injection via Encyclopedia 'limit' Parameter

The BetterDocs Pro plugin for WordPress is vulnerable to SQL Injection via the `get_current_letter_docs` and `docs_sort_by_letter` AJAX actions in all versions up to, and including, 3.7.0. This is du…

Remote | Injection
May 07, 2026 May 07, 2026
May 07, 2026
May 07, 2026
7.2 HIGH
CVE-2026-41641 — NocoBase Vulnerable to SQL Validation Bypass via `sqlCollection:update` Missing `checkSQL…

NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to version 2.0.39, the checkSQL() validation function that blocks dangerous SQL …

nocobase | Remote | Injection
May 07, 2026 May 07, 2026
May 07, 2026
May 07, 2026
9.3 CRITICAL
CVE-2026-41586 — ObjectInputStream.readObject() without ObjectInputFilter in fabric-sdk-java allows Java d…

Hyperledger Fabric is an enterprise-grade permissioned distributed ledger framework for developing solutions and applications. From versions 1.0.0 to 2.2.26, Channel.java implements readObject() and …

fabric | Remote | Injection
May 07, 2026 May 07, 2026
May 07, 2026
May 07, 2026
5.0 MEDIUM
CVE-2026-41413 — Istio Vulnerable to SSRF via RequestAuthentication jwksUri

Istio is an open platform to connect, manage, and secure microservices. Prior to versions 1.28.6 and 1.29.2, when a RequestAuthentication resource is created with a jwksUri pointing to an internal se…

istio | Remote | Server-Side Request Forgery
May 07, 2026 May 07, 2026
May 07, 2026
May 07, 2026
8.8 HIGH
CVE-2026-41143 — YesWiki vulnerable to authenticated SQL Injection via id_fiche in EntryManager::formatDat…

YesWiki is a wiki system written in PHP. Prior to version 4.6.1, YesWiki bazar module contains a SQL injection vulnerability in tools/bazar/services/EntryManager.php at line 704. The $data['id_fiche'…

yeswiki | Remote | Injection
May 07, 2026 May 07, 2026
May 07, 2026
May 07, 2026
8.8 HIGH
CVE-2026-41139 — Unsafe array index getter in mathjs

Math.js is an extensive math library for JavaScript and Node.js. From version 13.1.0 to before version 15.2.0, arbitrary JavaScript can be executed via the expression parser of mathjs. This issue has…

mathjs | Remote | Injection
May 07, 2026 May 07, 2026
May 07, 2026
May 07, 2026
Showing 20 of 5854 Results