Latest CVE Vulnerabilities

6.5 MEDIUM

CVE-2026-42726 — WordPress AWP Classifieds plugin <= 4.4.5 - Broken Access Control vulnerability

Missing Authorization vulnerability in Strategy11 Team AWP Classifieds another-wordpress-classifieds-plugin allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects …

awp_classifieds | Remote | Authorization

May 27, 2026 May 27, 2026

May 27, 2026

6.5 MEDIUM

CVE-2026-42725 — WordPress Checkout Files Upload for WooCommerce plugin <= 2.2.5 - Insecure Direct Object …

Authorization Bypass Through User-Controlled Key vulnerability in WP Wham Checkout Files Upload for WooCommerce checkout-files-upload-woocommerce allows Exploiting Incorrectly Configured Access Contr…

checkout_files_upload_for_woocommerce | Remote | Authorization

May 27, 2026 May 27, 2026

May 27, 2026

6.1 MEDIUM

CVE-2026-3349 — MinhNhut Link Gateway <= 3.6.1 - Reflected Cross-Site Scripting via 'url' Parameter

The MinhNhut Link Gateway plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'url' parameter on the redirect page in all versions up to, and including, 3.6.1 due to insuffic…

Remote | Cross-Site Scripting

May 27, 2026 May 27, 2026

May 27, 2026

4.4 MEDIUM

CVE-2026-3348 — MinhNhut Link Gateway <= 3.6.1 - Authenticated (Admin+) Stored Cross-Site Scripting via P…

The MinhNhut Link Gateway plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's settings (Description, Title, and other fields) in all versions up to, and including, 3.6.…

Remote | Cross-Site Scripting

May 27, 2026 May 27, 2026

May 27, 2026

8.0 HIGH

CVE-2026-3012 — Samba: group policy certificate enrollment uses http:// without validation

A flaw was found in Samba’s certificate auto-enrollment Group Policy handling. When certificate auto-enrollment is enabled, Samba may retrieve a CA certificate over an unencrypted HTTP connection and…

enterprise_linux openshift_container_platform enterprise_linux libefiboot | Misconfiguration

May 27, 2026 Jun 04, 2026

May 27, 2026

Jun 04, 2026

4.8 MEDIUM

CVE-2026-2288 — myLinksDump <= 1.6 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'link…

The myLinksDump plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'link_title' parameter in all versions up to, and including, 1.6 due to insufficient input sanitization and o…

Remote | Cross-Site Scripting

May 27, 2026 May 27, 2026

May 27, 2026

4.8 MEDIUM

CVE-2026-2280 — rexCrawler <= 1.0.15 - Authenticated (Administrator+) Stored Cross-Site Scripting via Set…

The rexCrawler plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0.15 due to insufficient input sanitization and output esca…

Remote | Cross-Site Scripting

May 27, 2026 May 27, 2026

May 27, 2026

6.5 MEDIUM

CVE-2025-0898 — Xpro Elementor Addons - Pro <= 1.4.7 - Authenticated (Contributor+) Arbitrary File Read v…

The Xpro Elementor Addons - Pro plugin for WordPress is vulnerable to Arbitrary File Reading in all versions up to, and including, 1.4.7 via the Draw SVG widget. This makes it possible for authentica…

xpro_addons_for_elementor | Remote | Path Traversal

May 27, 2026 May 27, 2026

May 27, 2026

10.0 CRITICAL

CVE-2026-8054 — Unauthenticated SQL Injection in dotCMS Publish Audit API

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in the Publish Audit API endpoints (/api/auditPublishing/get and /api/auditPublishing/getAll) in dotCMS Core 25.11…

Remote | Injection

May 27, 2026 May 27, 2026

May 27, 2026

9.1 CRITICAL

CVE-2026-49002 — Broken Access Control Vulnerabily in ZTE ZXUniPOS NDS-LTE product

Access control failure means that an application does not effectively check user access permissions, so that unauthorized users can access system data beyond their permissions, such as viewing and mo…

Remote | Authorization

May 27, 2026 May 27, 2026

May 27, 2026

6.5 MEDIUM

CVE-2026-48968 — WordPress Master Slider plugin <= 3.10.8 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Averta Master Slider allows DOM-Based XSS. This issue affects Master Slider: from n/a through 3.…

master_slider | Remote | Cross-Site Scripting

May 27, 2026 May 27, 2026

May 27, 2026

6.5 MEDIUM

CVE-2026-48877 — WordPress GenerateBlocks plugin <= 2.1.0 - Sensitive Data Exposure vulnerability

Insertion of Sensitive Information Into Sent Data vulnerability in Tom GenerateBlocks allows Retrieve Embedded Sensitive Data. This issue affects GenerateBlocks: from n/a through 2.1.0.

generateblocks | Remote | Information Disclosure

May 27, 2026 May 27, 2026

May 27, 2026

7.2 HIGH

CVE-2026-40852 — Command injection via malicious configuration

A highly authenticated attacker can alter the config generator injecting a payload into future created configurations. The device is not correctly checking this configuration value before passing it …

mbnet_mbnet.rokey rex100 mbnet.mini rex200_250 | Remote | Injection

May 27, 2026 May 27, 2026

May 27, 2026

8.4 HIGH

CVE-2026-40851 — Command injection via USB

A local attacker can perform a confusion attack on the cfgparser via a specially crafted file on an USB stick leading to code execution. This can result in a total loss of confidentiality, integrity …

mbnet_mbnet.rokey rex100 mbnet.mini rex200_250 | Misconfiguration

May 27, 2026 May 27, 2026

May 27, 2026

8.7 HIGH

CVE-2026-40850 — Unauthenticated SQLi in getAccountData function

An unauthenticated remote attacker can exploit an unauthenticated SQL Injection vulnerability in the getAccountData function due to improper neutralization of special elements in a SQL SELECT command…