Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
CVE Intelligence

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

All Critical Actively Exploited Remotely Exploitable
Last Updated Published CVSS Score
Score
Vulnerability
Published
2.5 LOW
CVE-2026-6842 — Nano: nano: local attacker can inject malicious .desktop launcher due to insecure directo…

A flaw was found in nano. In environments with permissive umask settings, a local attacker can exploit incorrect directory permissions (0777 instead of 0700) for the `~/.local` directory. This allows…

| Misconfiguration
Apr 22, 2026 Apr 22, 2026
Apr 22, 2026
Apr 22, 2026
8.1 HIGH
CVE-2026-6023 — Deserialization of Untrusted Data Vulnerability in Telerik UI for ASP.NET AJAX

In Progress® Telerik® UI for AJAX versions 2024.4.1114 through 2026.1.421, the RadFilter control is vulnerable to insecure deserialization when restoring filter state if the state is exposed to the c…

Remote | Injection
Apr 22, 2026 Apr 22, 2026
Apr 22, 2026
Apr 22, 2026
7.5 HIGH
CVE-2026-6022 — Uncontrolled Resource Consumption Vulnerability in Telerik UI for ASP.NET AJAX

In Progress® Telerik® UI for AJAX prior to 2026.1.421, RadAsyncUpload contains an uncontrolled resource consumption vulnerability that allows file uploads to exceed the configured maximum size due to…

Remote | Denial of Service
Apr 22, 2026 Apr 22, 2026
Apr 22, 2026
Apr 22, 2026
0.0 NA
CVE-2026-40542 — Apache HttpClient: SCRAM-SHA-256 mutual authentication bypass may cause the client to acc…

Missing critical step in authentication in Apache HttpClient 5.6 allows an attacker to cause the client to accept SCRAM-SHA-256 authentication without proper mutual authentication verification. Users…

| Authentication
Apr 22, 2026 Apr 22, 2026
Apr 22, 2026
Apr 22, 2026
0.0 NA
CVE-2026-31433 — ksmbd: fix potencial OOB in get_file_all_info() for compound requests

In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix potencial OOB in get_file_all_info() for compound requests When a compound request consists of QUERY_DIRECTORY + QUERY…

| Memory Corruption
Apr 22, 2026 Apr 22, 2026
Apr 22, 2026
Apr 22, 2026
0.0 NA
CVE-2026-31432 — ksmbd: fix OOB write in QUERY_INFO for compound requests

In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix OOB write in QUERY_INFO for compound requests When a compound request such as READ + QUERY_INFO(Security) is received,…

| Memory Corruption
Apr 22, 2026 Apr 22, 2026
Apr 22, 2026
Apr 22, 2026
0.0 NA
CVE-2026-31431 — crypto: algif_aead - Revert to operating out-of-place

In the Linux kernel, the following vulnerability has been resolved: crypto: algif_aead - Revert to operating out-of-place This mostly reverts commit 72548b093ee3 except for the copying of the assoc…

| Cryptography
Apr 22, 2026 Apr 22, 2026
Apr 22, 2026
Apr 22, 2026
5.0 MEDIUM
CVE-2026-6845 — Binutils: binutils: denial of service via crafted elf file

A flaw was found in binutils, specifically within the `readelf` utility. This vulnerability allows a local attacker to cause a Denial of Service (DoS) by tricking a user into processing a specially c…

| Denial of Service
Apr 22, 2026 Apr 22, 2026
Apr 22, 2026
Apr 22, 2026
0.0 NA
CVE-2026-4353 — CI HUB Connector <= 1.2.106 - Authenticated (Contributor+) Stored Cross-Site Scripting vi…

The CI HUB Connector plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' attribute of the `cihub_metadata` shortcode in all versions up to, and including, 1.2.106 due to in…

| Cross-Site Scripting
Apr 22, 2026 Apr 22, 2026
Apr 22, 2026
Apr 22, 2026
0.0 NA
CVE-2026-4138 — DX Unanswered Comments <= 1.7 - Cross-Site Request Forgery via Settings Update

The DX Unanswered Comments plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.7. This is due to missing nonce validation on the plugin's settings…

| Cross-Site Request Forgery
Apr 22, 2026 Apr 22, 2026
Apr 22, 2026
Apr 22, 2026
0.0 NA
CVE-2026-6294 — Google PageRank Display <= 1.4 - Cross-Site Request Forgery to Settings Update via Settin…

The Google PageRank Display plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to and including 1.4. This is due to missing nonce validation in the gpdisplay_option() fun…

| Cross-Site Request Forgery
Apr 22, 2026 Apr 22, 2026
Apr 22, 2026
Apr 22, 2026
0.0 NA
CVE-2026-6236 — Posts map <= 0.1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'name' …

The Posts map plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'name' shortcode attribute in all versions up to, and including, 0.1.3 due to insufficient input sanitization a…

| Cross-Site Scripting
Apr 22, 2026 Apr 22, 2026
Apr 22, 2026
Apr 22, 2026
0.0 NA
CVE-2026-4117 — CalJ <= 1.5 - Authenticated (Subscriber+) Arbitrary Settings Modification via 'save-obtai…

The CalJ plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.5. This is due to a missing capability check in the CalJSettingsPage class constructor, wh…

| Authorization
Apr 22, 2026 Apr 22, 2026
Apr 22, 2026
Apr 22, 2026
0.0 NA
CVE-2026-4119 — Create DB Tables <= 1.2.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrar…

The Create DB Tables plugin for WordPress is vulnerable to authorization bypass in all versions up to and including 1.2.1. The plugin registers admin_post action hooks for creating tables (admin_post…

| Authorization
Apr 22, 2026 Apr 22, 2026
Apr 22, 2026
Apr 22, 2026
0.0 NA
CVE-2026-4132 — HTTP Headers <= 1.19.2 - Authenticated (Administrator+) External Control of File Name or …

The HTTP Headers plugin for WordPress is vulnerable to External Control of File Name or Path leading to Remote Code Execution in all versions up to and including 1.19.2. This is due to insufficient v…

| Path Traversal
Apr 22, 2026 Apr 22, 2026
Apr 22, 2026
Apr 22, 2026
0.0 NA
CVE-2026-2719 — Private WP suite <= 0.4.1 - Authenticated (Administrator+) Stored Cross-Site Scripting vi…

The Private WP suite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Exceptions' setting in all versions up to, and including, 0.4.1. This is due to insufficient input sani…

| Cross-Site Scripting
Apr 22, 2026 Apr 22, 2026
Apr 22, 2026
Apr 22, 2026
0.0 NA
CVE-2026-4121 — Kcaptcha <= 1.0.1 - Cross-Site Request Forgery to Settings Update

The Kcaptcha plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 1.0.1. This is due to missing nonce validation in the plugin's settings page handler …

| Cross-Site Request Forgery
Apr 22, 2026 Apr 22, 2026
Apr 22, 2026
Apr 22, 2026
0.0 NA
CVE-2026-5748 — Text Snippets <= 0.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'w'…

The Text Snippets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `ts` shortcode in all versions up to, and including, 0.0.1 due to insufficient input sanitization …

| Cross-Site Scripting
Apr 22, 2026 Apr 22, 2026
Apr 22, 2026
Apr 22, 2026
0.0 NA
CVE-2026-4074 — Quran Live Multilanguage <= 1.0.3 - Authenticated (Contributor+) Stored Cross-Site Script…

The Quran Live Multilanguage plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'cheikh' and 'lang' shortcode attributes in all versions up to, and including, 1.0.3. This is du…

| Cross-Site Scripting
Apr 22, 2026 Apr 22, 2026
Apr 22, 2026
Apr 22, 2026
0.0 NA
CVE-2026-4085 — Easy Social Photos Gallery <= 3.1.2 - Authenticated (Contributor+) Stored Cross-Site Scri…

The Easy Social Photos Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wrapper_class' shortcode attribute of the 'my-instagram-feed' shortcode in all versions up to…

| Cross-Site Scripting
Apr 22, 2026 Apr 22, 2026
Apr 22, 2026
Apr 22, 2026
Showing 20 of 6351 Results