Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
CVE Intelligence

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

All Critical Actively Exploited Remotely Exploitable
Last Updated Published CVSS Score
Score
Vulnerability
Published
6.5 MEDIUM
CVE-2026-9082 — Drupal core - Highly critical - SQL injection - SA-CORE-2026-004

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Drupal Drupal core allows SQL Injection. This issue affects Drupal core: from 8.9.0 before 10.4.…

Remote | Injection
May 20, 2026 May 20, 2026
May 20, 2026
May 20, 2026
6.1 MEDIUM
CVE-2026-47099 — TeleJSON < 6.0.0 DOM-based XSS via parse() Function

TeleJSON prior to 6.0.0 contains a DOM-based cross-site scripting vulnerability in the parse() function that allows attackers to execute arbitrary JavaScript by delivering a crafted JSON payload cont…

Remote | Cross-Site Scripting
May 20, 2026 May 20, 2026
May 20, 2026
May 20, 2026
10.0 CRITICAL
CVE-2026-45444 — WordPress Gift Cards For WooCommerce Pro plugin <= 4.2.6 - Arbitrary File Upload vulnerab…

Unrestricted Upload of File with Dangerous Type vulnerability in WP Swings Gift Cards For WooCommerce Pro allows Using Malicious Files. This issue affects Gift Cards For WooCommerce Pro: from n/a th…

Remote | Misconfiguration
May 20, 2026 May 20, 2026
May 20, 2026
May 20, 2026
7.4 HIGH
CVE-2026-39850 — Yii 2: Local file inclusion via view parameter name collision

Yii 2 is a PHP application framework. Versions 2.0.54 and prior contain flawed logic in the core view rendering method View::renderPhpFile() that leads to Local File Inclusion. The function calls ext…

yii | Remote | Path Traversal
May 20, 2026 May 20, 2026
May 20, 2026
May 20, 2026
9.4 CRITICAL
CVE-2026-39405 — Frappe has Path Transversal via SCORM

Frappe Learning Management System (LMS) is a learning system that helps users structure their content. In versions 2.50.0 and below, a user with course editing role could upload a SCORM ZIP package t…

Remote | Path Traversal
May 20, 2026 May 20, 2026
May 20, 2026
May 20, 2026
8.7 HIGH
CVE-2026-39352 — Frappe has an Arbitrary File Read via Path Traversal in render_include

Frappe is a full-stack web application framework. Versions prior to 15.105.0 and 16.15.0 contain a possible Arbitrary File Read vulnerability via Path Traversal. The issue is resolved in versions 16.…

Remote | Path Traversal
May 20, 2026 May 20, 2026
May 20, 2026
May 20, 2026
6.8 MEDIUM
CVE-2026-39311 — Trilium Notes: Stored XSS Leads to Unauthorized Remote Code Execution (RCE) via Unsanitiz…

Trilium Notes is a cross-platform, hierarchical note taking application focused on building large personal knowledge bases. Versions 0.102.1 and prior contain a critical security flaw where lack of S…

Remote | Misconfiguration
May 20, 2026 May 20, 2026
May 20, 2026
May 20, 2026
8.6 HIGH
CVE-2026-39310 — Trilium Notes: Authentication Bypass in Clipper API for Electron (Desktop) Builds

Trilium Notes is a cross-platform, hierarchical note taking application focused on building large personal knowledge bases. In versions 0.102.1 and prior, the Clipper API in Trilium Desktop (v0.101.3…

Remote | Authentication
May 20, 2026 May 20, 2026
May 20, 2026
May 20, 2026
5.1 MEDIUM
CVE-2026-35016 — Open ISES Tickets < 3.44.2 Reflected XSS via search.php frm_query Parameter

Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in search.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized valu…

Remote | Cross-Site Scripting
May 20, 2026 May 20, 2026
May 20, 2026
May 20, 2026
5.1 MEDIUM
CVE-2026-35015 — Open ISES Tickets < 3.44.2 Reflected XSS via do_unit_mail.php the_ticket Parameter

Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in do_unit_mail.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitize…

Remote | Cross-Site Scripting
May 20, 2026 May 20, 2026
May 20, 2026
May 20, 2026
5.1 MEDIUM
CVE-2026-35014 — Open ISES Tickets < 3.44.2 Reflected XSS via routes_nm.php ticket_id Parameter

Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in routes_nm.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized v…

Remote | Cross-Site Scripting
May 20, 2026 May 20, 2026
May 20, 2026
May 20, 2026
5.1 MEDIUM
CVE-2026-35013 — Open ISES Tickets < 3.44.2 Reflected XSS via street_view.php thelat and thelng Parameters

Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in street_view.php that allows authenticated attackers to inject arbitrary JavaScript by passing unsanitized va…

Remote | Cross-Site Scripting
May 20, 2026 May 20, 2026
May 20, 2026
May 20, 2026
5.1 MEDIUM
CVE-2026-35012 — Open ISES Tickets < 3.44.2 Reflected XSS via add_facnote.php ticket_id Parameter

Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in add_facnote.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized…

Remote | Cross-Site Scripting
May 20, 2026 May 20, 2026
May 20, 2026
May 20, 2026
5.1 MEDIUM
CVE-2026-35011 — Open ISES Tickets < 3.44.2 Reflected XSS via opena.php frm_call Parameter

Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in opena.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value…

Remote | Cross-Site Scripting
May 20, 2026 May 20, 2026
May 20, 2026
May 20, 2026
5.1 MEDIUM
CVE-2026-35010 — Open ISES Tickets < 3.44.2 Reflected XSS via patient_JF.php ticket_id Parameter

Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in patient_JF.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized …

Remote | Cross-Site Scripting
May 20, 2026 May 20, 2026
May 20, 2026
May 20, 2026
5.1 MEDIUM
CVE-2026-35009 — Open ISES Tickets < 3.44.2 Reflected XSS via add_note.php ticket_id Parameter

Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in add_note.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized va…

Remote | Cross-Site Scripting
May 20, 2026 May 20, 2026
May 20, 2026
May 20, 2026
5.1 MEDIUM
CVE-2026-35008 — Open ISES Tickets < 3.44.2 Reflected XSS via single.php ticket_id Parameter

Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in single.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized valu…

Remote | Cross-Site Scripting
May 20, 2026 May 20, 2026
May 20, 2026
May 20, 2026
5.1 MEDIUM
CVE-2026-35007 — Open ISES Tickets < 3.44.2 Reflected XSS via single_unit.php id Parameter

Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in single_unit.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized…

Remote | Cross-Site Scripting
May 20, 2026 May 20, 2026
May 20, 2026
May 20, 2026
9.3 CRITICAL
CVE-2026-33137 — XWiki Platform has an Unauthenticated XAR Import via REST /wikis/{wikiName}

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. XWiki Platform is a generic wiki platform. In versions prior to 18.1.0-rc-1, 17.10.3, 17.4.9, …

Remote | Authentication
May 20, 2026 May 20, 2026
May 20, 2026
May 20, 2026
4.7 MEDIUM
CVE-2026-2813 — Unvalidated Redirect in ArcGIS Server

ArcGIS Server contains an input validation weakness in the login redirection workflow. An Authenticated attacker could exploit this issue by sending a specially crafted request, Successful exploitati…

Remote | Server-Side Request Forgery
May 20, 2026 May 20, 2026
May 20, 2026
May 20, 2026
Showing 20 of 6402 Results