Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
CVE Intelligence

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

All Critical Actively Exploited Remotely Exploitable
Last Updated Published CVSS Score
Score
Vulnerability
Published
9.8 CRITICAL
CVE-2026-55740 — SQL Injection in Nur-Alam39 bus-ticket bus_info.php via busid parameter

Nur-Alam39 bus-ticket (no released versions; latest commit 459cabdbeb99c00225b26e46e3c2c30ae1de7bad) contains an unauthenticated SQL injection vulnerability in bus_info.php. The busid parameter recei…

Remote | Injection
Jun 18, 2026 Jun 18, 2026
Jun 18, 2026
Jun 18, 2026
0.0 NA
CVE-2026-11358 — Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More <=…

The Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, …

| Cross-Site Scripting
Jun 18, 2026 Jun 18, 2026
Jun 18, 2026
Jun 18, 2026
0.0 NA
CVE-2026-11402 — Services Section Block <= 1.4.4 - Authenticated (Contributor+) Stored Cross-Site Scriptin…

The Services Section Block – Showcase Service Details in Grid or Columns plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'link' Block Attribute in all versions up to, and includ…

| Cross-Site Scripting
Jun 18, 2026 Jun 18, 2026
Jun 18, 2026
Jun 18, 2026
0.0 NA
CVE-2026-11784 — Optimole – Optimize Images | Convert WebP & AVIF | CDN & Lazy Load | Image Optimization <…

The Optimole – Optimize Images | Convert WebP & AVIF | CDN & Lazy Load | Image Optimization plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.2.…

| Cross-Site Request Forgery
Jun 18, 2026 Jun 18, 2026
Jun 18, 2026
Jun 18, 2026
0.0 NA
CVE-2026-12093 — Simple Membership <= 4.7.5 - Missing Authorization to Unauthenticated Arbitrary Member Ac…

The Simple Membership plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.7.5. This is due to the plugin not properly verifying that a user is authorize…

| Authorization
Jun 18, 2026 Jun 18, 2026
Jun 18, 2026
Jun 18, 2026
0.0 NA
CVE-2026-10736 — Tutor LMS <= 3.9.11 - Authenticated (Administrator+) SQL Injection via 'data' Parameter

The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to generic SQL Injection via the 'data' parameter in all versions up to, and including, 3.9.11 due to insuffici…

| Injection
Jun 18, 2026 Jun 18, 2026
Jun 18, 2026
Jun 18, 2026
0.0 NA
CVE-2026-10623 — PressPrimer Quiz <= 2.3.0 - Insecure Direct Object Reference to Authenticated (Custom+) A…

The PressPrimer Quiz – AI Quiz Maker, Exam Builder & LMS Assessment Plugin plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.3.0 via the '…

| Authorization
Jun 18, 2026 Jun 18, 2026
Jun 18, 2026
Jun 18, 2026
0.0 NA
CVE-2026-11360 — Advanced Order Export For WooCommerce <= 4.0.10 - Authenticated (Shop Manager+) SQL Injec…

The Advanced Order Export For WooCommerce plugin for WordPress is vulnerable to generic SQL Injection via the 'sort_direction' parameter in all versions up to, and including, 4.0.10 due to insufficie…

advanced_order_export_for_woocommerce | Injection
Jun 18, 2026 Jun 18, 2026
Jun 18, 2026
Jun 18, 2026
0.0 NA
CVE-2026-11357 — Kadence Blocks <= 3.7.5 - Authenticated (Contributor+) Sensitive Information Exposure via…

The Kadence Blocks — Page Builder Toolkit for Gutenberg Editor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.7.5 via the editor_assets_v…

| Information Disclosure
Jun 18, 2026 Jun 18, 2026
Jun 18, 2026
Jun 18, 2026
0.0 NA
CVE-2026-11776 — Form Maker by 10Web <= 1.15.43 - Authenticated (Adminsitrator+) SQL Injection via 'groupi…

The Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder plugin for WordPress is vulnerable to generic SQL Injection via the 'groupids' parameter in all versions up to, and includin…

| Injection
Jun 18, 2026 Jun 18, 2026
Jun 18, 2026
Jun 18, 2026
0.0 NA
CVE-2026-10029 — Event Koi Lite <= 1.3.13.1 - Missing Authorization to Unauthenticated Sensitive Informati…

The Event Koi Lite – Events Calendar, Event Management, RSVP, and Tickets plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.3.13.1 via the g…

| Information Disclosure
Jun 18, 2026 Jun 18, 2026
Jun 18, 2026
Jun 18, 2026
0.0 NA
CVE-2026-9860 — Offload, AI & Optimize with Cloudflare Images <= 1.10.2 - Authenticated (Author+) Remote …

The Offload, AI & Optimize with Cloudflare Images plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.10.2 via the 'account-id' parameter parameter. Th…

| Misconfiguration
Jun 18, 2026 Jun 18, 2026
Jun 18, 2026
Jun 18, 2026
0.0 NA
CVE-2026-12120 — FireBox Popups <= 3.1.7 - Unauthenticated Sensitive Information Exposure in 'form_id' Par…

The FireBox Popups – Increase Sales and Grow Your Email List plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.1.7 via the 'form_id' paramet…

| Information Disclosure
Jun 18, 2026 Jun 18, 2026
Jun 18, 2026
Jun 18, 2026
0.0 NA
CVE-2026-11777 — Form Maker by 10Web <= 1.15.43 - Authenticated (Administrator+) SQL Injection via 'name' …

The Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder plugin for WordPress is vulnerable to generic SQL Injection via the 'name' parameter in all versions up to, and including, 1…

| Injection
Jun 18, 2026 Jun 18, 2026
Jun 18, 2026
Jun 18, 2026
0.0 NA
CVE-2026-9199 — Equalize Digital Accessibility Checker <= 1.42.1 - Missing Authorization to Authenticated…

The Equalize Digital Accessibility Checker – WCAG, ADA, EAA and Section 508 compliance plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.42.1. This is…

| Authorization
Jun 18, 2026 Jun 18, 2026
Jun 18, 2026
Jun 18, 2026
0.0 NA
CVE-2026-12407 — E2Pdf <= 1.32.26 - Missing Authorization to Authenticated (Custom+) Arbitrary Option Upda…

The E2Pdf – Export Pdf Tool for WordPress plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 1.32.26. This is due to the screen_action() function lacking a …

| Authorization
Jun 18, 2026 Jun 18, 2026
Jun 18, 2026
Jun 18, 2026
0.0 NA
CVE-2026-10023 — Dokan: AI Powered WooCommerce Multivendor Marketplace Solution <= 5.0.3 - Insecure Direct…

The Dokan: AI Powered WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, an…

| Authorization
Jun 18, 2026 Jun 18, 2026
Jun 18, 2026
Jun 18, 2026
7.8 HIGH
CVE-2026-12505 — Cifs-utils: local privilege escalation via forged cifs.spnego key description in cifs.upc…

A flaw was found in the cifs-utils package where the cifs.upcall helper fails to securely drop its root privileges before looking up user information inside a user-controlled environment. A local, lo…

enterprise_linux openshift_container_platform enterprise_linux | Authentication
Jun 18, 2026 Jun 18, 2026
Jun 18, 2026
Jun 18, 2026
9.3 CRITICAL
CVE-2026-12569 — Remote Code Execution (RCE) vulnerability in Windchill PDMlink

A critical remote code execution (RCE) vulnerability has been reported in PTC Windchill PDMlink and PTC FlexPLM. The vulnerability may be exploited through the deserialization of untrusted data.  * …

Remote | Injection
Jun 18, 2026 Jun 18, 2026
Jun 18, 2026
Jun 18, 2026
0.0 NA
CVE-2026-48764 — TypeBot has SSRF in HTTP request and script fetch flows via DNS rebinding bypass

TypeBot is a chatbot builder tool. In versions prior to 3.17.2, SSRF validation is implemented by resolving a hostname once and checking whether the resolved IP belongs to a forbidden range allowing …

| Server-Side Request Forgery
Jun 17, 2026 Jun 17, 2026
Jun 17, 2026
Jun 17, 2026
Showing 20 of 7635 Results