Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
6.9 MEDIUM
CVE-2019-25544 — Pidgin 2.13.0 Denial of Service via Malformed Username

Pidgin 2.13.0 contains a denial of service vulnerability that allows local attackers to crash the application by providing an excessively long username string during account creation. Attackers can i…

pidgin | Denial of Service
Mar 21, 2026 Mar 21, 2026
Mar 21, 2026
Mar 21, 2026
6.5 MEDIUM
CVE-2026-4515 — Foundation Agents MetaGPT operator.py code_generate code injection

A vulnerability has been found in Foundation Agents MetaGPT up to 0.8.1. This affects the function code_generate of the file metagpt/ext/aflow/scripts/operator.py. The manipulation leads to code inje…

metagpt | Remote | Injection
Mar 21, 2026 Mar 21, 2026
Mar 21, 2026
Mar 21, 2026
6.5 MEDIUM
CVE-2026-4514 — PbootCMS Backend UserController.php access control

A flaw has been found in PbootCMS up to 3.2.12. Affected by this issue is some unknown functionality of the file apps/admin/controller/system/UserController.php of the component Backend. Executing a …

pbootcms | Remote | Authorization
Mar 21, 2026 Mar 21, 2026
Mar 21, 2026
Mar 21, 2026
6.5 MEDIUM
CVE-2026-4513 — vanna-ai vanna base.py ask sql injection

A vulnerability was detected in vanna-ai vanna up to 2.0.2. Affected by this vulnerability is the function ask of the file vanna\legacy\base\base.py. Performing a manipulation results in sql injectio…

Remote | Injection
Mar 21, 2026 Mar 21, 2026
Mar 21, 2026
Mar 21, 2026
6.5 MEDIUM
CVE-2026-4511 — vanna-ai vanna legacy exec injection

A security vulnerability has been detected in vanna-ai vanna up to 2.0.2. Affected is the function exec of the file /src/vanna/legacy. Such manipulation leads to injection. The attack can be executed…

Remote | Injection
Mar 21, 2026 Mar 21, 2026
Mar 21, 2026
Mar 21, 2026
5.3 MEDIUM
CVE-2026-4510 — PbootCMS Parameter MemberController.php alert_location cross site scripting

A weakness has been identified in PbootCMS up to 3.2.12. This impacts the function alert_location of the file apps/home/controller/MemberController.php of the component Parameter Handler. This manipu…

pbootcms | Remote | Cross-Site Scripting
Mar 21, 2026 Mar 21, 2026
Mar 21, 2026
Mar 21, 2026
7.5 HIGH
CVE-2026-4373 — JetFormBuilder <= 3.5.6.2 - Unauthenticated Arbitrary File Read via Media Field

The JetFormBuilder plugin for WordPress is vulnerable to arbitrary file read via path traversal in all versions up to, and including, 3.5.6.2. This is due to the 'Uploaded_File::set_from_array' metho…

Remote | Path Traversal
Mar 21, 2026 Mar 21, 2026
Mar 21, 2026
Mar 21, 2026
6.5 MEDIUM
CVE-2026-4509 — PbootCMS File Upload file.php incomplete blacklist

A security flaw has been discovered in PbootCMS up to 3.2.12. This affects an unknown function of the file core/function/file.php of the component File Upload. The manipulation of the argument black …

pbootcms | Remote | Path Traversal
Mar 21, 2026 Mar 21, 2026
Mar 21, 2026
Mar 21, 2026
8.8 HIGH
CVE-2026-4261 — Expire Users <= 1.2.2 - Authenticated (Subscriber+) Privilege Escalation to Administrator…

The Expire Users plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.2.2. This is due to the plugin allowing a user to update the 'on_expire_default_to_…

Remote | Authorization
Mar 21, 2026 Mar 21, 2026
Mar 21, 2026
Mar 21, 2026
4.4 MEDIUM
CVE-2026-4161 — Review Map by RevuKangaroo <= 1.7 - Authenticated (Administrator+) Stored Cross-Site Scri…

The Review Map by RevuKangaroo plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin settings in all versions up to, and including, 1.7 due to insufficient input sanitizati…

Remote | Cross-Site Scripting
Mar 21, 2026 Mar 21, 2026
Mar 21, 2026
Mar 21, 2026
4.3 MEDIUM
CVE-2026-4143 — Neos Connector for Fakturama <= 0.0.14 - Cross-Site Request Forgery to Settings Update

The Neos Connector for Fakturama plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 0.0.14. This is due to missing nonce validation in the ncff_add_p…

Remote | Cross-Site Request Forgery
Mar 21, 2026 Mar 21, 2026
Mar 21, 2026
Mar 21, 2026
5.3 MEDIUM
CVE-2026-4127 — Speedup Optimization <= 1.5.9 - Missing Authorization to Authenticated (Subscriber+) Arbi…

The Speedup Optimization plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 1.5.9. The `speedup01_ajax_enabled()` function, which handles the `wp_ajax_spe…

Remote | Authorization
Mar 21, 2026 Mar 21, 2026
Mar 21, 2026
Mar 21, 2026
6.5 MEDIUM
CVE-2026-4087 — Pre* Party Resource Hints <= 1.8.20 - Authenticated (Subscriber+) SQL Injection via 'hint…

The Pre* Party Resource Hints plugin for WordPress is vulnerable to SQL Injection via the 'hint_ids' parameter of the pprh_update_hints AJAX action in all versions up to, and including, 1.8.20. This …

Remote | Injection
Mar 21, 2026 Mar 21, 2026
Mar 21, 2026
Mar 21, 2026
6.4 MEDIUM
CVE-2026-4086 — WP Random Button <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'c…

The WP Random Button plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'cat', 'nocat', and 'text' shortcode attributes of the 'wp_random_button' shortcode in all versions up t…

Remote | Cross-Site Scripting
Mar 21, 2026 Mar 21, 2026
Mar 21, 2026
Mar 21, 2026
6.4 MEDIUM
CVE-2026-4084 — fyyd podcast shortcodes <= 0.3.1 - Authenticated (Contributor+) Stored Cross-Site Scripti…

The fyyd podcast shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'fyyd-podcast', 'fyyd-episode', and 'fyyd' shortcodes in all versions up to, and including, 0.3.1…

Remote | Cross-Site Scripting
Mar 21, 2026 Mar 21, 2026
Mar 21, 2026
Mar 21, 2026
6.4 MEDIUM
CVE-2026-4077 — Ecover Builder For Dummies <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Script…

The Ecover Builder For Dummies plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' parameter of the 'ecover' shortcode in all versions up to and including 1.0. This is due …

Remote | Cross-Site Scripting
Mar 21, 2026 Mar 21, 2026
Mar 21, 2026
Mar 21, 2026
6.4 MEDIUM
CVE-2026-4072 — WordPress PayPal Donation <= 1.01 - Authenticated (Contributor+) Stored Cross-Site Script…

The WordPress PayPal Donation plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'donate' shortcode in all versions up to, and including, 1.01. This is due to insufficient inpu…

Remote | Cross-Site Scripting
Mar 21, 2026 Mar 21, 2026
Mar 21, 2026
Mar 21, 2026
6.1 MEDIUM
CVE-2026-4069 — Alfie – Feed Plugin <= 1.2.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting …

The Alfie – Feed Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'naam' parameter in all versions up to, and including, 1.2.1. This is due to missing nonce validation…

Remote | Cross-Site Scripting
Mar 21, 2026 Mar 21, 2026
Mar 21, 2026
Mar 21, 2026
6.4 MEDIUM
CVE-2026-4067 — Ad Short <= 2.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'client'…

The Ad Short plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'ad' shortcode's 'client' attribute in all versions up to and including 2.0.1. This is due to insufficient input…

Remote | Cross-Site Scripting
Mar 21, 2026 Mar 21, 2026
Mar 21, 2026
Mar 21, 2026
6.4 MEDIUM
CVE-2026-4022 — Show Posts list <= 1.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via S…

The Show Posts list – Easy designs, filters and more plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'post_type' shortcode attribute in the 'swiftpost-list' shortcode in all…

Remote | Cross-Site Scripting
Mar 21, 2026 Mar 21, 2026
Mar 21, 2026
Mar 21, 2026
Showing 20 of 5547 Results