Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
CVE Intelligence

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

All Critical Actively Exploited Remotely Exploitable
Last Updated Published CVSS Score
Score
Vulnerability
Published
0.0 NA
CVE-2026-9185 — 6Storage Rentals <= 2.22.0 - Unauthenticated Insecure Direct Object Reference to Arbitrar…

The 6Storage Rentals plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in all versions up to and including 2.22.0 via the `userId` parameter of the `six_storage_g…

| Authorization
Jun 09, 2026 Jun 09, 2026
Jun 09, 2026
Jun 09, 2026
0.0 NA
CVE-2026-8909 — WpMobi <= 0.0.3 - Cross-Site Request Forgery via save_general_settings Action

The WpMobi plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.0.3. This is due to missing or incorrect nonce validation on the handleSaveGeneralS…

| Cross-Site Request Forgery
Jun 09, 2026 Jun 09, 2026
Jun 09, 2026
Jun 09, 2026
0.0 NA
CVE-2026-8880 — RomanCart Ecommerce <= 2.0.8 - Authenticated (Contributor+) Stored Cross-Site Scripting v…

The RomanCart Ecommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'blclass' attribute (and other attributes) of the romancart_button shortcode in versions up to, and i…

| Cross-Site Scripting
Jun 09, 2026 Jun 09, 2026
Jun 09, 2026
Jun 09, 2026
0.0 NA
CVE-2026-8907 — WP-Ultimate-Map <= 1.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting via 'z…

The WP-Ultimate-Map plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1. This is due to missing nonce validation on the process_init() function hook…

| Cross-Site Request Forgery
Jun 09, 2026 Jun 09, 2026
Jun 09, 2026
Jun 09, 2026
0.0 NA
CVE-2026-10024 — TinyMCE shortcode Addon <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripti…

The TinyMCE shortcode Addon plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'btnrel' Shortcode Attribute in all versions up to, and including, 1.0.0 due to insufficient input sa…

| Cross-Site Scripting
Jun 09, 2026 Jun 09, 2026
Jun 09, 2026
Jun 09, 2026
0.0 NA
CVE-2026-8499 — Helpfulcrowd Product Reviews <= 1.2.9 - Inccorect Authorization via Type Juggling in 'tok…

The Helpfulcrowd Product Reviews plugin for WordPress is vulnerable to Authorization Bypass via PHP Type Juggling in versions up to, and including, 1.2.9. This is due to the `helpfulcrowd_validate_to…

| Authorization
Jun 09, 2026 Jun 09, 2026
Jun 09, 2026
Jun 09, 2026
0.0 NA
CVE-2026-9662 — Recover Exit For WooCommerce <= 1.0.3 - Unauthenticated Local File Inclusion via 'tpf' Pa…

The Recover Exit For WooCommerce plugin for WordPress is vulnerable to Local File Inclusion in all versions up to and including 1.0.3. This is due to insufficient validation and sanitization of the u…

| Path Traversal
Jun 09, 2026 Jun 09, 2026
Jun 09, 2026
Jun 09, 2026
0.0 NA
CVE-2026-8940 — WP Meta Sort Posts <= 0.9 - Cross-Site Request Forgery to Plugin Settings Update

The WP Meta Sort Posts plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.9. This is due to missing or incorrect nonce validation on the top-leve…

| Cross-Site Request Forgery
Jun 09, 2026 Jun 09, 2026
Jun 09, 2026
Jun 09, 2026
0.0 NA
CVE-2026-8883 — Global Body Mass Index Calculator <= 1.2 - Authenticated (Contributor+) Stored Cross-Site…

The Global Body Mass Index Calculator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'gbmicalc' shortcode in versions up to, and including, 1.2. This is due to insufficient…

| Cross-Site Scripting
Jun 09, 2026 Jun 09, 2026
Jun 09, 2026
Jun 09, 2026
0.0 NA
CVE-2026-8841 — Extra Settings for RocketChat <= 0.1 - Authenticated (Contributor+) Stored Cross-Site Scr…

The Extra Settings for RocketChat plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'rocketchat' shortcode's 'title' attribute in versions up to, and including, 0.1. This is d…

| Cross-Site Scripting
Jun 09, 2026 Jun 09, 2026
Jun 09, 2026
Jun 09, 2026
7.2 HIGH
CVE-2026-7556 — FV Flowplayer Video Player <= 7.5.49.7212 - Unauthenticated Stored Cross-Site Scripting v…

The FV Flowplayer Video Player plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the comment text in all versions up to, and including, 7.5.49.7212 due to insufficient input sanit…

fv_flowplayer_video_player | Remote | Cross-Site Scripting
Jun 09, 2026 Jun 09, 2026
Jun 09, 2026
Jun 09, 2026
6.4 MEDIUM
CVE-2026-5714 — Enable Media Replace <= 4.1.8 - Authenticated (Author+) Stored Cross-Site Scripting via '…

The Enable Media Replace plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘location_dir’ parameter in all versions up to, and including, 4.1.8 due to insufficient input sanit…

enable_media_replace | Remote | Cross-Site Scripting
Jun 09, 2026 Jun 09, 2026
Jun 09, 2026
Jun 09, 2026
5.8 MEDIUM
CVE-2026-11621 — Dcat-Admin User Setting upload editorMDUpload unrestricted upload

A weakness has been identified in Dcat-Admin up to 2.2.3-beta. This impacts the function editorMDUpload of the file /admin/dcat-api/editor-md/upload of the component User Setting Page. This manipulat…

Remote | Misconfiguration
Jun 09, 2026 Jun 09, 2026
Jun 09, 2026
Jun 09, 2026
5.5 MEDIUM
CVE-2026-11620 — TOTOLINK EX200 vsftpd vsftpd.conf least privilege violation

A security flaw has been discovered in TOTOLINK EX200 4.0.3c.7646. This affects an unknown function of the file /etc/vsftpd.conf of the component vsftpd. The manipulation results in least privilege v…

ex200 | Remote | Authorization
Jun 09, 2026 Jun 09, 2026
Jun 09, 2026
Jun 09, 2026
6.5 MEDIUM
CVE-2026-11619 — Dolibarr ERP CRM Legacy Filemanager config.inc.php improper authorization

A vulnerability was identified in Dolibarr ERP CRM up to 23.0.2. The impacted element is an unknown function of the file htdocs/core/filemanagerdol/connectors/php/config.inc.php of the component Lega…

erp_crm | Remote | Authorization
Jun 09, 2026 Jun 09, 2026
Jun 09, 2026
Jun 09, 2026
7.5 HIGH
CVE-2026-11618 — DTStack Taier Source Connection Test Endpoint LoginInterceptor.java preHandle improper au…

A vulnerability was determined in DTStack Taier up to 1.4.0. The affected element is the function preHandle of the file taier-data-develop/src/main/java/com/dtstack/taier/develop/interceptor/LoginInt…

taier | Remote | Authentication
Jun 09, 2026 Jun 09, 2026
Jun 09, 2026
Jun 09, 2026
0.0 NA
CVE-2026-11623 — tmux image.c image_free use after free

A security vulnerability has been detected in tmux up to 3.6a. Affected is the function image_free of the file image.c. Such manipulation leads to use after free. Local access is required to approach…

| Memory Corruption
Jun 09, 2026 Jun 09, 2026
Jun 09, 2026
Jun 09, 2026
6.4 MEDIUM
CVE-2026-10862 — Accordions <= 2.3.23 - Authenticated (Custom+) Stored Cross-Site Scripting via Accordion …

The Accordions plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Accordion body field in all versions up to, and including, 2.3.23 due to insufficient input sanitization and o…

Remote | Cross-Site Scripting
Jun 09, 2026 Jun 09, 2026
Jun 09, 2026
Jun 09, 2026
7.8 HIGH
CVE-2026-8795 — Rapid7 Velociraptor YAML Injection via Hostname

A YAML injection vulnerability exists in the Windows.Collectors.Remapping artifact of Rapid7 Velociraptor before version 0.76.6. The hostname field in client_info.json inside a collection ZIP is inse…

velociraptor | Injection
Jun 09, 2026 Jun 09, 2026
Jun 09, 2026
Jun 09, 2026
4.7 MEDIUM
CVE-2026-44757 — Cross-Site Scripting (XSS) vulnerability in SAP Wily Introscope Enterprise Manager

SAP Wily Introscope Enterprise Manager allows an unauthenticated attacker to craft a specially crafted URL. Under certain conditions, when accessed by a victim, the injected script could execute in t…

Remote | Cross-Site Scripting
Jun 09, 2026 Jun 09, 2026
Jun 09, 2026
Jun 09, 2026
Showing 20 of 6967 Results