Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
7.1 HIGH
CVE-2026-57376 — WordPress ElementInvader Addons for Elementor plugin <= 1.4.3 - Cross Site Scripting (XSS…

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Element Invader ElementInvader Addons for Elementor elementinvader-addons-for-elementor allows DO…

Remote | Cross-Site Scripting
Jul 13, 2026 Jul 13, 2026
Jul 13, 2026
Jul 13, 2026
6.5 MEDIUM
CVE-2026-57375 — WordPress MStore API plugin <= 4.18.4 - Broken Access Control vulnerability

Missing Authorization vulnerability in FluxBuilder MStore API mstore-api allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects MStore API: from n/a through <= 4.1…

Remote | Authorization
Jul 13, 2026 Jul 13, 2026
Jul 13, 2026
Jul 13, 2026
7.2 HIGH
CVE-2026-57372 — WordPress WPJAM Basic plugin <= 7.0 - Server Side Request Forgery (SSRF) vulnerability

Server-Side Request Forgery (SSRF) vulnerability in denishua WPJAM Basic wpjam-basic allows Server Side Request Forgery.This issue affects WPJAM Basic: from n/a through <= 7.0.

Remote | Server-Side Request Forgery
Jul 13, 2026 Jul 13, 2026
Jul 13, 2026
Jul 13, 2026
8.8 HIGH
CVE-2026-57371 — WordPress WPJAM Basic plugin <= 7.0 - PHP Object Injection vulnerability

Deserialization of Untrusted Data vulnerability in denishua WPJAM Basic wpjam-basic allows Object Injection.This issue affects WPJAM Basic: from n/a through <= 7.0.

Remote | Injection
Jul 13, 2026 Jul 13, 2026
Jul 13, 2026
Jul 13, 2026
7.1 HIGH
CVE-2026-57369 — WordPress Themify Builder plugin <= 7.7.4 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in themifyme Themify Builder themify-builder allows Reflected XSS.This issue affects Themify Builder…

Remote | Cross-Site Scripting
Jul 13, 2026 Jul 13, 2026
Jul 13, 2026
Jul 13, 2026
7.1 HIGH
CVE-2026-57368 — WordPress Jobmonster theme <= 4.8.5 - Reflected Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NooTheme Jobmonster noo-jobmonster allows Reflected XSS.This issue affects Jobmonster: from n/a t…

jobmonster | Remote | Cross-Site Scripting
Jul 13, 2026 Jul 13, 2026
Jul 13, 2026
Jul 13, 2026
6.5 MEDIUM
CVE-2026-57365 — WordPress reCAPTCHA (v2 & v3) for Asgaros Forum plugin <= 1.1.0 - Cross Site Scripting (X…

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Hitesh Chandwani reCAPTCHA (v2 &amp; v3) for Asgaros Forum recaptcha-for-asgaros-forum allows DOM…

Remote | Cross-Site Scripting
Jul 13, 2026 Jul 13, 2026
Jul 13, 2026
Jul 13, 2026
6.5 MEDIUM
CVE-2026-57364 — WordPress Better Payment – Instant Payments, Donations, Fundraising with Subscriptions & …

Improper Validation of Specified Quantity in Input vulnerability in WPDeveloper Better Payment – Instant Payments, Donations, Fundraising with Subscriptions &amp; More better-payment allows Accessing…

Remote | Authorization
Jul 13, 2026 Jul 13, 2026
Jul 13, 2026
Jul 13, 2026
7.1 HIGH
CVE-2026-57363 — WordPress ChatBot plugin <= 8.3.7 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in QuantumCloud ChatBot chatbot allows Stored XSS.This issue affects ChatBot: from n/a through <= 8.…

chatbot | Remote | Cross-Site Scripting
Jul 13, 2026 Jul 13, 2026
Jul 13, 2026
Jul 13, 2026
0.0 NA
CVE-2026-49876 — Apache Gravitino: Authenticated SSRF in Gravitino JobManager allows server-side HTTP requ…

Authenticated SSRF in Gravitino JobManager allows server-side HTTP requests to internal network and cloud metadata endpoints via unvalidated job template URIs. A vulnerability in Apache Gravitino. T…

gravitino | Server-Side Request Forgery
Jul 13, 2026 Jul 13, 2026
Jul 13, 2026
Jul 13, 2026
0.0 NA
CVE-2026-41041 — Apache Gravitino: URL path injection via unencoded user-supplied identifiers in MCP REST …

URL path injection via unencoded user-supplied identifiers vulnerability in Apache Gravitino. This issue affects Apache Gravitino: from 1.0.0 before 1.2.1. Users are recommended to upgrade to versi…

gravitino | Path Traversal
Jul 13, 2026 Jul 13, 2026
Jul 13, 2026
Jul 13, 2026
9.3 CRITICAL
CVE-2026-22103 — Command injection in NPC start web endpoint

The NPC start endpoint on the web server at port 8090 is vulnerable to command injection.

Remote | Injection
Jul 13, 2026 Jul 13, 2026
Jul 13, 2026
Jul 13, 2026
9.3 CRITICAL
CVE-2026-22102 — Arbitrary file overwrite through certificate update functionality

A POST request sent to a specific webserver endpoint can be used to write to arbitrary file locations. The endpoint accepts the filename parameter in the Content-Disposition header without verificati…

Remote | Path Traversal
Jul 13, 2026 Jul 13, 2026
Jul 13, 2026
Jul 13, 2026
8.6 HIGH
CVE-2026-22100 — Comnand injection in OCPP ReserveLogin message

The OCPP DataTransfer message `ReserveLogin` is vulnerable to command injection. By manipulating the data value, arbitrary OS commands can be executed as root.

Remote | Injection
Jul 13, 2026 Jul 13, 2026
Jul 13, 2026
Jul 13, 2026
8.7 HIGH
CVE-2026-22099 — Missing authentication for Bluetooth communication

The charging station does not require authentication for Bluetooth commands to perform actions. The functionality exposed includes sensitive information leakage, triggering reboots, or pushing a firm…

| Authentication
Jul 13, 2026 Jul 13, 2026
Jul 13, 2026
Jul 13, 2026
9.2 CRITICAL
CVE-2026-22098 — Sensitive information is written to logs

Various sensitive information such as passwords and charging card UIDs are written to log files.

Remote | Information Disclosure
Jul 13, 2026 Jul 13, 2026
Jul 13, 2026
Jul 13, 2026
9.3 CRITICAL
CVE-2026-22097 — Missing firmware validation allows remote code execution

The firmware update mechanism does not include cryptographic signature validation. This allows anyone with access to the firmware update capability to upload arbitrary files which can then lead to ar…

Remote | Cryptography
Jul 13, 2026 Jul 13, 2026
Jul 13, 2026
Jul 13, 2026
9.3 CRITICAL
CVE-2026-22096 — Missing authentication for webserver endpoints

The webserver running on port 8090 does not require authentication. This allows for sensitive information leakage such as configured passwords, or uploading files through different endpoints.

Remote | Authentication
Jul 13, 2026 Jul 13, 2026
Jul 13, 2026
Jul 13, 2026
9.3 CRITICAL
CVE-2026-22095 — Command injection in diagnosis web endpoint

The network diagnosis endpoint on the web server at port 8090 is vulnerable to command injection.

Remote | Injection
Jul 13, 2026 Jul 13, 2026
Jul 13, 2026
Jul 13, 2026
9.5 CRITICAL
CVE-2026-22093 — Adversary-in-the-Middle (AitM) attack vulnerability in EVbee Service app

The EVbee Service Android app uses TLS encrypted communication (HTTPS), but does not validate the certificate provided by the server. This allows an attacker on the network path between the app and E…

Remote | Cryptography
Jul 13, 2026 Jul 13, 2026
Jul 13, 2026
Jul 13, 2026
Showing 20 of 7289 Results