Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
CVE Intelligence

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

All Critical Actively Exploited Remotely Exploitable
Last Updated Published CVSS Score
Score
Vulnerability
Published
5.3 MEDIUM
CVE-2026-31924 — Apache APISIX: Plugin tencent-cloud-cls log export uses plaintext HTTP

Cleartext Transmission of Sensitive Information vulnerability in Apache APISIX. tencent-cloud-cls log export uses plaintext HTTP This issue affects Apache APISIX: from 2.99.0 through 3.15.0. Users …

apisix | Remote | Cryptography
Apr 14, 2026 Apr 14, 2026
Apr 14, 2026
Apr 14, 2026
7.5 HIGH
CVE-2026-31923 — Apache APISIX: Openid-connect `tls_verify` field is disabled by default

Cleartext Transmission of Sensitive Information vulnerability in Apache APISIX. This can occur due to `ssl_verify` in openid-connect plugin configuration being set to false by default. This issue af…

apisix | Remote | Misconfiguration
Apr 14, 2026 Apr 14, 2026
Apr 14, 2026
Apr 14, 2026
0.0 NA
CVE-2026-31908 — Apache APISIX: forward auth plugin allows header injection

Header injection vulnerability in Apache APISIX. The attacker can take advantage of certain configuration in forward-auth plugin to inject malicious headers. This issue affects Apache APISIX: from 2…

apisix | Injection
Apr 14, 2026 Apr 14, 2026
Apr 14, 2026
Apr 14, 2026
8.8 HIGH
CVE-2026-27668 — RUGGEDCOM CROSSBOW SAM-P Privilege Escalation Vulnerability

A vulnerability has been identified in RUGGEDCOM CROSSBOW Secure Access Manager Primary (SAM-P) (All versions < V5.8). User Administrators are allowed to administer groups they belong to. This could …

Remote | Authorization
Apr 14, 2026 Apr 14, 2026
Apr 14, 2026
Apr 14, 2026
8.8 HIGH
CVE-2026-25654 — SINEC NMS Authentication Bypass Vulnerability

A vulnerability has been identified in SINEC NMS (All versions < V4.0 SP3). Affected products do not properly validate user authorization when processing password reset requests. This could allow an …

sinec_nms | Remote | Authorization
Apr 14, 2026 Apr 14, 2026
Apr 14, 2026
Apr 14, 2026
7.3 HIGH
CVE-2026-24032 — SINEC NMS Authentication Bypass Vulnerability

A vulnerability has been identified in SINEC NMS (All versions < V4.0 SP3 with UMC). The affected application contains an authentication weakness due to insufficient validation of user identity in th…

sinec_nms | Remote | Authentication
Apr 14, 2026 Apr 14, 2026
Apr 14, 2026
Apr 14, 2026
6.3 MEDIUM
CVE-2025-40745 — Siemens Certificates Validation Weakness

A vulnerability has been identified in Siemens Software Center (All versions < V3.5.8.2), Simcenter 3D (All versions < V2506.6000), Simcenter Femap (All versions < V2506.0002), Simcenter STAR-CCM+ (A…

software_center simcenter_femap tecnomatix_plant_simulation star-ccm\+ solid_edge_se2025 | Remote | Authentication
Apr 14, 2026 Apr 14, 2026
Apr 14, 2026
Apr 14, 2026
6.5 MEDIUM
CVE-2026-2582 — Germanized for WooCommerce <= 3.20.5 - Unauthenticated Arbitrary Shortcode Execution

The The Germanized for WooCommerce plugin for WordPress is vulnerable to arbitrary shortcode execution via 'account_holder' parameter in all versions up to, and including, 3.20.5. This is due to the …

Remote | Injection
Apr 14, 2026 Apr 14, 2026
Apr 14, 2026
Apr 14, 2026
7.2 HIGH
CVE-2026-3017 — Smart Post Show – Post Grid, Post Carousel & Slider, and List Category Posts <= 3.0.12 - …

The Smart Post Show – Post Grid, Post Carousel & Slider, and List Category Posts plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.0.12 via deserializ…

Remote | Injection
Apr 14, 2026 Apr 14, 2026
Apr 14, 2026
Apr 14, 2026
4.4 MEDIUM
CVE-2026-4479 — WholeSale Products Dynamic Pricing Management WooCommerce <= 1.2 - Authenticated (Adminis…

The WholeSale Products Dynamic Pricing Management WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.2 due to ins…

Remote | Cross-Site Scripting
Apr 14, 2026 Apr 14, 2026
Apr 14, 2026
Apr 14, 2026
6.4 MEDIUM
CVE-2026-4059 — ShopLentor <= 3.3.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'butto…

The ShopLentor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the woolentor_quickview_button shortcode's button_text attribute in all versions up to, and including, 3.3.5. This…

shoplentor | Remote | Cross-Site Scripting
Apr 14, 2026 Apr 14, 2026
Apr 14, 2026
Apr 14, 2026
7.2 HIGH
CVE-2026-40315 — PraisonAI: SQLiteConversationStore didn't validate table_prefix when constructing SQL que…

PraisonAI is a multi-agent teams system. Prior to 4.5.133, there is an SQL identifier injection vulnerability in SQLiteConversationStore where the table_prefix configuration value is directly concate…

praisonaiagents | Injection
Apr 14, 2026 Apr 14, 2026
Apr 14, 2026
Apr 14, 2026
9.1 CRITICAL
CVE-2026-40313 — PraisonAI: ArtiPACKED Vulnerability via GitHub Actions Credential Persistence

PraisonAI is a multi-agent teams system. In versions 4.5.139 and below, the GitHub Actions workflows are vulnerable to ArtiPACKED attack, a known credential leakage vector caused by using actions/che…

praisonaiagents | Remote | Supply Chain
Apr 14, 2026 Apr 14, 2026
Apr 14, 2026
Apr 14, 2026
9.1 CRITICAL
CVE-2026-40289 — PraisonAI Browser Server allows unauthenticated WebSocket clients to hijack connected ext…

PraisonAI is a multi-agent teams system. In versions below 4.5.139 of PraisonAI and 1.5.140 of praisonaiagents, the browser bridge (praisonai browser start) is vulnerable to unauthenticated remote se…

praisonaiagents | Remote | Authentication
Apr 14, 2026 Apr 14, 2026
Apr 14, 2026
Apr 14, 2026
9.8 CRITICAL
CVE-2026-40288 — PraisonAI: Critical RCE via `type: job` workflow YAML

PraisonAI is a multi-agent teams system. In versions below 4.5.139 of PraisonAI and 1.5.140 of praisonaiagents, the workflow engine is vulnerable to arbitrary command and code execution through untru…

praisonaiagents | Remote | Injection
Apr 14, 2026 Apr 14, 2026
Apr 14, 2026
Apr 14, 2026
8.4 HIGH
CVE-2026-40287 — PraisonAI has RCE via Automatic tools.py Import

PraisonAI is a multi-agent teams system. Versions 4.5.138 and below are vulnerable to arbitrary code execution through automatic, unsanitized import of a tools.py file from the current working direct…

praisonaiagents | Supply Chain
Apr 14, 2026 Apr 14, 2026
Apr 14, 2026
Apr 14, 2026
6.4 MEDIUM
CVE-2026-1607 — Surbma | Booking.com <= 2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting vi…

The Surbma | Booking.com Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `surbma-bookingcom` shortcode in all versions up to, and including, 2.1 due to in…

Remote | Cross-Site Scripting
Apr 14, 2026 Apr 14, 2026
Apr 14, 2026
Apr 14, 2026
9.8 CRITICAL
CVE-2026-6264 — Critical Security fix for the Talend JobServer and Talend Runtime

A critical vulnerability in the Talend JobServer and Talend Runtime allows unauthenticated remote code execution via the JMX monitoring port. The attack vector is the JMX monitoring port of the Talen…

esb_runtime jobserver | Remote | Authentication
Apr 14, 2026 Apr 14, 2026
Apr 14, 2026
Apr 14, 2026
7.2 HIGH
CVE-2026-6227 — BackWPup <= 5.6.6 - Authenticated (Administrator+) Local File Inclusion via 'block_name' …

The BackWPup plugin for WordPress is vulnerable to Local File Inclusion via the `block_name` parameter of the `/wp-json/backwpup/v1/getblock` REST endpoint in all versions up to, and including, 5.6.6…

backwpup | Remote | Path Traversal
Apr 14, 2026 Apr 14, 2026
Apr 14, 2026
Apr 14, 2026
7.2 HIGH
CVE-2026-4388 — Form Maker by 10Web <= 1.15.40 - Unauthenticated Stored Cross-Site Scripting via Matrix F…

The Form Maker by 10Web plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Matrix field (Text Box input type) in form submissions in all versions up to, and including, 1.15.40.…

form_maker | Remote | Cross-Site Scripting
Apr 14, 2026 Apr 14, 2026
Apr 14, 2026
Apr 14, 2026
Showing 20 of 6656 Results