Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

All Critical Actively Exploited Remotely Exploitable
Last Updated Published CVSS Score
Score
Vulnerability
Published
0.0 NA
CVE-2026-30822 — Flowise: Mass Assignment in `/api/v1/leads` Endpoint

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.0.13, unauthenticated users can inject arbitrary values into internal database fields when …

| Injection
Mar 07, 2026 Mar 07, 2026
Mar 07, 2026
Mar 07, 2026
0.0 NA
CVE-2026-30821 — Flowise: Arbitrary File Upload via MIME Spoofing

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.0.13, the /api/v1/attachments/:chatflowId/:chatId endpoint is listed in WHITELIST_URLS, all…

| Authentication
Mar 07, 2026 Mar 07, 2026
Mar 07, 2026
Mar 07, 2026
0.0 NA
CVE-2026-30820 — Flowise Authorization Bypass via Spoofed x-request-from Header

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.0.13, Flowise trusts any HTTP client that sets the header x-request-from: internal, allowin…

| Authentication
Mar 07, 2026 Mar 07, 2026
Mar 07, 2026
Mar 07, 2026
5.9 MEDIUM
CVE-2026-30247 — WeKnora: SSRF via Redirection

WeKnora is an LLM-powered framework designed for deep document understanding and semantic retrieval. Prior to version 0.2.12, the application's "Import document via URL" feature is vulnerable to Serv…

Remote | Server-Side Request Forgery
Mar 07, 2026 Mar 07, 2026
Mar 07, 2026
Mar 07, 2026
7.2 HIGH
CVE-2026-3352 — Easy PHP Settings <= 1.0.4 - Authenticated (Administrator+) PHP Code Injection via 'wp_me…

The Easy PHP Settings plugin for WordPress is vulnerable to PHP Code Injection in all versions up to, and including, 1.0.4 via the `update_wp_memory_constants()` method. This is due to insufficient i…

Remote | Injection
Mar 07, 2026 Mar 07, 2026
Mar 07, 2026
Mar 07, 2026
4.8 MEDIUM
CVE-2026-2722 — Stock Ticker <= 3.26.1 - Authenticated (Administrator+) Stored Cross-Site Scripting via T…

The Stock Ticker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.26.1 due to insufficient input sanitization and output es…

Remote | Cross-Site Scripting
Mar 07, 2026 Mar 07, 2026
Mar 07, 2026
Mar 07, 2026
4.8 MEDIUM
CVE-2026-2721 — MailArchiver <= 4.4.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via Se…

The MailArchiver plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 4.4.0 due to insufficient input sanitization and output esc…

Remote | Cross-Site Scripting
Mar 07, 2026 Mar 07, 2026
Mar 07, 2026
Mar 07, 2026
4.3 MEDIUM
CVE-2026-2494 — ProfileGrid <= 5.9.8.2 - Cross-Site Request Forgery to Group Membership Request Approval/…

The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.9.8.2. This is due to missing nonce va…

Remote | Cross-Site Request Forgery
Mar 07, 2026 Mar 07, 2026
Mar 07, 2026
Mar 07, 2026
4.3 MEDIUM
CVE-2026-2488 — ProfileGrid <= 5.9.8.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary M…

The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to unauthorized message deletion due to a missing capability check on the pg_delete_msg() function in all ve…

Remote | Authorization
Mar 07, 2026 Mar 07, 2026
Mar 07, 2026
Mar 07, 2026
6.1 MEDIUM
CVE-2026-2431 — CM Custom Reports <= 1.2.7 - Reflected Cross-Site Scripting via 'date_from' and 'date_to'…

The CM Custom Reports plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'date_from' and 'date_to' parameters in all versions up to, and including, 1.2.7 due to insufficient…

Remote | Cross-Site Scripting
Mar 07, 2026 Mar 07, 2026
Mar 07, 2026
Mar 07, 2026
4.9 MEDIUM
CVE-2026-2429 — Community Events <= 1.5.8 - Authenticated (Administrator+) SQL Injection via 'ce_venue_na…

The Community Events plugin for WordPress is vulnerable to SQL Injection via the 'ce_venue_name' CSV field in the `on_save_changes_venues` function in all versions up to, and including, 1.5.8. This i…

Remote | Injection
Mar 07, 2026 Mar 07, 2026
Mar 07, 2026
Mar 07, 2026
7.5 HIGH
CVE-2026-2020 — JS Archive List <= 6.1.7 - Authenticated (Contributor+) PHP Object Injection via 'include…

The JS Archive List plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 6.1.7 via the 'included' shortcode attribute. This is due to the deserialization o…

Remote | Injection
Mar 07, 2026 Mar 07, 2026
Mar 07, 2026
Mar 07, 2026
6.4 MEDIUM
CVE-2026-1902 — Hammas Calendar <= 1.5.11 - Authenticated (Contributor+) Stored Cross-Site Scripting via …

The Hammas Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'apix' parameter in the 'hp-calendar-manage-redirect' shortcode in all versions up to, and including, 1.5…

Remote | Cross-Site Scripting
Mar 07, 2026 Mar 07, 2026
Mar 07, 2026
Mar 07, 2026
5.3 MEDIUM
CVE-2026-1650 — MDJM Event Management <= 1.7.8.1 - Missing Authorization to Unauthenticated Arbitrary Cus…

The MDJM Event Management plugin for WordPress is vulnerable to unauthorized data modification due to a missing capability check on the 'custom_fields_controller' function in all versions up to, and …

Remote | Authorization
Mar 07, 2026 Mar 07, 2026
Mar 07, 2026
Mar 07, 2026
7.5 HIGH
CVE-2025-14353 — ZIP Code Based Content Protection <= 1.0.2 - Unauthenticated SQL Injection via 'zipcode' …

The ZIP Code Based Content Protection plugin for WordPress is vulnerable to SQL Injection in all versions up to, and including, 1.0.2 via the 'zipcode' parameter. This is due to insufficient escaping…

Remote | Injection
Mar 07, 2026 Mar 07, 2026
Mar 07, 2026
Mar 07, 2026
5.1 MEDIUM
CVE-2026-25073 — XikeStor SKS8310-8X Stored XSS via System Name

XikeStor SKS8310-8X Network Switch firmware versions 1.04.B07 and prior contain a stored cross-site scripting vulnerability that allows authenticated attackers to inject arbitrary script content thro…

Remote | Cross-Site Scripting
Mar 07, 2026 Mar 07, 2026
Mar 07, 2026
Mar 07, 2026
8.6 HIGH
CVE-2026-25072 — XikeStor SKS8310-8X Predictable Session Identifiers

XikeStor SKS8310-8X Network Switch firmware versions 1.04.B07 and prior contain a predictable session identifier vulnerability in the /goform/SetLogin endpoint that allows remote attackers to hijack …

Remote | Authentication
Mar 07, 2026 Mar 07, 2026
Mar 07, 2026
Mar 07, 2026
8.7 HIGH
CVE-2026-25071 — XikeStor SKS8310-8X switch_config.src Missing Authentication

XikeStor SKS8310-8X Network Switch firmware versions 1.04.B07 and prior contain a missing authentication vulnerability in the /switch_config.src endpoint that allows unauthenticated remote attackers …

Remote | Authentication
Mar 07, 2026 Mar 07, 2026
Mar 07, 2026
Mar 07, 2026
9.3 CRITICAL
CVE-2026-25070 — XikeStor SKS8310-8X PingTestSet Command Injection

XikeStor SKS8310-8X Network Switch firmware versions 1.04.B07 and prior contain an OS command injection vulnerability in the /goform/PingTestSet endpoint that allows unauthenticated remote attackers …

Remote | Injection
Mar 07, 2026 Mar 07, 2026
Mar 07, 2026
Mar 07, 2026
5.3 MEDIUM
CVE-2026-2371 — Greenshift <= 12.8.3 - Missing Authorization to Unauthenticated Private Reusable Block Di…

The Greenshift – animation and page builder blocks plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 12.8.3. This is due to missing authoriz…

Remote | Authorization
Mar 07, 2026 Mar 07, 2026
Mar 07, 2026
Mar 07, 2026
Showing 20 of 5108 Results