Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score | Vulnerability | Published
8.8 HIGH
CVE-2026-8832 — WPCode <= 2.3.5 - Authenticated (Author+) Remote Code Execution via CPT Capability Bypass…

The WPCode - Insert Headers and Footers + Custom Code Snippets - WordPress Code Manager plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 2.3.5. This is due…

wpcode | Remote | Authorization
May 27, 2026
7.2 HIGH
CVE-2026-8143 — Booking Calendar – Event Calendar <= 2.1.6 - Unauthenticated Stored Cross-Site Scripting …

The HBook plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'hb_country_iso', 'hb_usa_state_iso', and 'hb_canada_province_iso' parameters in all versions up to, and including,…

Remote | Cross-Site Scripting
May 27, 2026
6.4 MEDIUM
CVE-2026-8042 — Github Shortcode <= 0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Github Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'repo' shortcode attribute in the 'github' shortcode in all versions up to, and including, 0.1 due to in…

Remote | Cross-Site Scripting
May 27, 2026
4.9 MEDIUM
CVE-2026-7618 — EnvíaloSimple: Email Marketing y Newsletters <= 2.4.5 - Authenticated (Administrator+) SQ…

The EnvíaloSimple: Email Marketing y Newsletters plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'orderby' parameter in all versions up to, and including, 2.4.5 due to in…

envialosimple | Remote | Injection
May 27, 2026
7.2 HIGH
CVE-2026-6169 — affiliate-toolkit <= 3.8.5 - Authenticated (Editor+) Remote Code Execution

The affiliate-toolkit plugin for WordPress is vulnerable to remote code execution in all versions up to, and including, 3.8.5. This is due to the plugin using the BladeOne templating engine's runStri…

affiliate-toolkit | Remote | Injection
May 27, 2026
5.3 MEDIUM
CVE-2026-49001 — Cross-Site Request Forgery (CSRF) vulnerability in ZTE ZXUniPOS NDS-LTE product

Cross-site request forgery (CSRF) vulnerabilities allow attackers to exploit a user's authenticated session to forge cross-site requests, inducing the execution of unintended operations such as tampe…

Remote | Cross-Site Request Forgery
May 27, 2026
6.8 MEDIUM
CVE-2026-41704 — Compromised VM can make arbitrary blobstore deletes

AgentClient#handle_method (lines 264-303) processes every NATS reply. It calls inject_compile_log (line 273) on every response, which reads response['value']['result']['compile_log_id'] (line 332-338…

Authorization
May 27, 2026
5.8 MEDIUM
CVE-2026-41009 — Local Blobstore may allow arbitrary reads/deletes

When the director sends a long-running request (e.g. compile_package), the agent's reply JSON is consumed by AgentClient. inject_compile_log (line 332-339) reads response['value']['result']['compile_…

Path Traversal
May 27, 2026
6.9 MEDIUM
CVE-2026-40826 — Authenticated SQLi in dsgvo_contracts view

A high privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the dsgvo_contracts view due to improper neutralization of special elements in a SQL SELECT command. Th…

May 27, 2026
7.0 HIGH
CVE-2026-40825 — Authenticated SQLi in accountstatus view

A high privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the accountstatus view devices parameter due to improper neutralization of special elements in a SQL UP…

May 27, 2026
7.0 HIGH
CVE-2026-40824 — Authenticated SQLi in accountstatus view

A high privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the accountstatus view userid parameter due to improper neutralization of special elements in a SQL UPD…

May 27, 2026
7.0 HIGH
CVE-2026-40823 — Authenticated SQLi in DevSerialReset function

A high privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the DevSerialReset function due to improper neutralization of special elements in a SQL UPDATE command …

May 27, 2026
6.9 MEDIUM
CVE-2026-40822 — Authenticated SQLi in DevSerialReset function

A high privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the DevSerialReset function due to improper neutralization of special elements in a SQL SELECT command.…

May 27, 2026
6.9 MEDIUM
CVE-2026-40821 — Authenticated SQLi in getAccountByID function

A high privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the getAccountByID function due to improper neutralization of special elements in a SQL SELECT command.…

May 27, 2026
8.7 HIGH
CVE-2026-40819 — Unauthenticated SQLi in sync_data24 task

An unauthenticated remote attacker can exploit an unauthenticated SQL Injection vulnerability in the sync_data24 task due to improper neutralization of special elements in a SQL SELECT command. This …

May 27, 2026
8.7 HIGH
CVE-2026-40818 — Unauthenticated SQLi in _mb24confi_getDevice function

An unauthenticated remote attacker can exploit an unauthenticated SQL Injection vulnerability in the _mb24confi_getDevice function due to improper neutralization of special elements in a SQL SELECT c…

May 27, 2026
8.7 HIGH
CVE-2026-40817 — Unauthenticated SQLi in getAlarmProfiles function

An unauthenticated remote attacker can exploit an unauthenticated SQL Injection vulnerability in the getAlarmProfiles function due to improper neutralization of special elements in a SQL SELECT comma…

May 27, 2026
8.7 HIGH
CVE-2026-40816 — Unauthenticated SQLi in _mb24confi_getTagAlarm function

An unauthenticated remote attacker can exploit an unauthenticated SQL Injection vulnerability in the mb24alarm.php file's _mb24confi_getTagAlarm function due to improper neutralization of special elem…

May 27, 2026
8.7 HIGH
CVE-2026-40815 — Unauthenticated SQLi in _mb24api_getUserAccount function

An unauthenticated remote attacker can exploit an unauthenticated SQL Injection vulnerability in the _mb24api_getUserAccount function due to improper neutralization of special elements in a SQL SELEC…

May 27, 2026
8.7 HIGH
CVE-2026-40814 — Unauthenticated SQLi in _mb24confi_getTagAlarm function

An unauthenticated remote attacker can exploit an unauthenticated SQL Injection vulnerability in the dataapi.php file's _mb24confi_getTagAlarm function due to improper neutralization of special elemen…

May 27, 2026
Showing 20 of 7087 Results