Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
CVE Intelligence

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

All Critical Actively Exploited Remotely Exploitable
Last Updated Published CVSS Score
Score
Vulnerability
Published
10.0 CRITICAL
CVE-2026-11420 — Path Traversal in Altium Enterprise Server NIS Allows Unauthenticated Arbitrary File Writ…

Two path traversal vulnerabilities in the Network Installation Service (NIS) of Altium Enterprise Server allow an unauthenticated network attacker to write arbitrary files to any writable location on…

Remote | Path Traversal
Jun 05, 2026 Jun 05, 2026
Jun 05, 2026
Jun 05, 2026
9.4 CRITICAL
CVE-2026-11419 — Path Traversal in Altium Enterprise Server Vault UploadController Allows Arbitrary File W…

A path traversal vulnerability exists in the Altium Enterprise Server Vault Service UploadController due to improper validation of a user-controlled path component in image upload requests. An authen…

Remote | Path Traversal
Jun 05, 2026 Jun 05, 2026
Jun 05, 2026
Jun 05, 2026
7.0 HIGH
CVE-2026-25622 — Arista Edge Threat Management NGFW Captive Portal Custom Handler Command Injection

A Captive Portal Custom Handler command injection vulnerability exists in Arista Edge Threat Management - Arista Next Generation Firewall (NGFW). On affected platforms, an administrative account logg…

Remote | Injection
Jun 05, 2026 Jun 05, 2026
Jun 05, 2026
Jun 05, 2026
7.0 HIGH
CVE-2026-25621 — Arista Edge Threat Management NGFW Reports Application Insecure Input Validation

A Reports application infrastructure vulnerability exists in Arista Edge Threat Management - Arista Next Generation Firewall (NGFW) due to insecure input validation. This issue uniquely affects versi…

Remote | Injection
Jun 05, 2026 Jun 05, 2026
Jun 05, 2026
Jun 05, 2026
7.0 HIGH
CVE-2026-25620 — Arista Edge Threat Management NGFW Captive Portal Encrypted Password Command Injection

An encrypted password command injection vulnerability exists in the Captive Portal application framework of Arista Edge Threat Management - Arista Next Generation Firewall (NGFW). This issue uniquely…

Remote | Injection
Jun 05, 2026 Jun 05, 2026
Jun 05, 2026
Jun 05, 2026
0.0 NA
CVE-2026-45776 — Open XDMoD has Broken Access Control via Client-Controlled Session Variable

OpenXDMoD is an open framework for collecting and analyzing HPC metrics. Prior to version 11.0.3, a flaw in Open XDMoD's access control logic allows an attacker to submit a crafted HTTPS POST request…

| Authorization
Jun 05, 2026 Jun 05, 2026
Jun 05, 2026
Jun 05, 2026
0.0 NA
CVE-2026-46357 — HAX CMS NodeJS application Vulnerable to Denial of Service using Malicious Import Request

HAX CMS helps manage microsite universe with PHP or NodeJs backends. Prior to version 26.0.0, the HAX CMS NodeJS application crashes when an authenticated attacker sends a specially crafted site crea…

haxcms-nodejs | Denial of Service
Jun 05, 2026 Jun 05, 2026
Jun 05, 2026
Jun 05, 2026
0.0 NA
CVE-2026-46493 — haxtheweb/haxcms-php uses insecure method for generating salt

HAX CMS helps manage microsite universe with PHP or NodeJs backends. Versions prior to 26.0.1 use `uniqid` for generating salts, which is unsuitable. Version 26.0.1 fixes the issue.

haxcms-php | Misconfiguration
Jun 05, 2026 Jun 05, 2026
Jun 05, 2026
Jun 05, 2026
0.0 NA
CVE-2026-46401 — HAX CMS PHP has Insufficient Session Expiration

HAX CMS helps manage microsite universe with PHP or NodeJs backends. Versions prior to 26.0.0 suffer from an improper session termination vulnerability where authentication tokens remain valid after …

| Authentication
Jun 05, 2026 Jun 05, 2026
Jun 05, 2026
Jun 05, 2026
8.8 HIGH
CVE-2026-5415 — WP Captcha PRO <= 5.38 - Authenticated (Subscriber+) Authentication Bypass via Temporary …

The WP Captcha PRO (the premium version of the Advanced Google reCAPTCHA plugin, both have the same slug) plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and includ…

Remote | Authentication
Jun 05, 2026 Jun 05, 2026
Jun 05, 2026
Jun 05, 2026
8.8 HIGH
CVE-2026-5411 — WP Captcha PRO <= 5.38 - Missing Authorization to Authenticated (Subscriber+) Arbitrary F…

The WP Captcha PRO (the premium version of the Advanced Google reCAPTCHA plugin, both have the same slug) plugin for WordPress is vulnerable to arbitrary file upload in all versions up to, and includ…

Remote | Authentication
Jun 05, 2026 Jun 05, 2026
Jun 05, 2026
Jun 05, 2026
8.7 HIGH
CVE-2026-46511 — HAXcms: Mass Token Exfiltration and Cross-Tenant Hijack

HAX CMS helps manage microsite universe with PHP or NodeJs backends. Prior to version 26.0.0, an attack chain utilizing Stored XSS alongside dynamic token exposure in the `/system/api/connectionSetti…

haxcms-nodejs haxcms-php | Remote | Cross-Site Scripting
Jun 05, 2026 Jun 05, 2026
Jun 05, 2026
Jun 05, 2026
9.3 CRITICAL
CVE-2026-46496 — HAX CMS: Stored XSS via '<video-player>' component allows arbitrary JavaScript execution …

HAX CMS helps manage microsite universe with PHP or NodeJs backends. A stored cross-site scripting (XSS) vulnerability exists in versions prior to 26.0.0 due to improper sanitization of the `<video-p…

haxcms-nodejs | Remote | Cross-Site Scripting
Jun 05, 2026 Jun 05, 2026
Jun 05, 2026
Jun 05, 2026
9.4 CRITICAL
CVE-2026-46399 — Authenticated Remote Code Execution via File Overwrite

HAX CMS helps manage microsite universe with PHP or NodeJs backends. The PHP version of HAX CMS prior to version 26.0.0 has an authenticated file overwrite vulnerability. An attacker can exploit this…

haxcms-nodejs haxcms-php | Remote | Misconfiguration
Jun 05, 2026 Jun 05, 2026
Jun 05, 2026
Jun 05, 2026
9.3 CRITICAL
CVE-2026-46396 — HAX CMS has a stored XSS via <iframe> that allows access to sensitive client-side data an…

HAX CMS helps manage microsite universe with PHP or NodeJs backends. A stored cross-site scripting (XSS) vulnerability exists in versions prior to 26.0.0 due to improper sanitization of `<iframe>` el…

haxcms-nodejs | Remote | Cross-Site Scripting
Jun 05, 2026 Jun 05, 2026
Jun 05, 2026
Jun 05, 2026
9.3 CRITICAL
CVE-2026-46395 — HAX CMS Vulnerable to Private Key Disclosure via Broken HMAC Implementation

HAX CMS helps manage microsite universe with PHP or NodeJs backends. Prior to version 26.0.0, the `hmacBase64()` function in the HAXcms Node.js backend contains two critical cryptographic implementat…

haxcms-nodejs | Remote | Cryptography
Jun 05, 2026 Jun 05, 2026
Jun 05, 2026
Jun 05, 2026
7.7 HIGH
CVE-2026-46394 — HAX CMS Vulnerable to Command Injection using Git.php

HAX CMS helps manage microsite universe with PHP or NodeJs backends. Prior to version 26.0.0, an OS command injection vulnerability exists in the Git.php library of the HAXcms PHP backend. The applic…

haxcms-php | Remote | Injection
Jun 05, 2026 Jun 05, 2026
Jun 05, 2026
Jun 05, 2026
7.1 HIGH
CVE-2026-46393 — HAXcms createSite SSRF Enables Arbitrary File Read

HAX CMS helps manage microsite universe with PHP or NodeJs backends. An authenticated Server-Side Request Forgery (SSRF) vulnerability in versions prior to 26.0.0 allows authenticated users to fetch …

haxcms-nodejs haxcms-php | Remote | Server-Side Request Forgery
Jun 05, 2026 Jun 05, 2026
Jun 05, 2026
Jun 05, 2026
8.7 HIGH
CVE-2026-46392 — HAX CMS PHP Has a Stored XSS via Case-Sensitivity Mismatch in HTML Upload Validation

HAX CMS helps manage microsite universe with PHP or NodeJs backends. Prior to version 26.0.0 of HAX CMS PHP, the `saveFile` endpoint validates upload extensions case-insensitively and writes the file…

haxcms-php | Remote | Path Traversal
Jun 05, 2026 Jun 05, 2026
Jun 05, 2026
Jun 05, 2026
8.7 HIGH
CVE-2026-46391 — HAX open-apis: Credential Theft via Server-Side Request Forgery (SSRF) in open-apis

HAX CMS helps manage microsite universe with PHP or NodeJs backends. Starting in version 9.0.1 and prior to version 26.0.0 of @haxtheweb/open-apis, multiple functions conduct substring-only matching …

Remote | Authentication
Jun 05, 2026 Jun 05, 2026
Jun 05, 2026
Jun 05, 2026
Showing 20 of 7266 Results