Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
0.0 NA
CVE-2026-33659 — EspoCRM: SSRF via DNS Rebinding in Attachment fromImageUrl Endpoint Allows Internal Netwo…

EspoCRM is an open source customer relationship management application. In versions 9.3.3 and below, the POST /api/v1/Attachment/fromImageUrl endpoint is vulnerable to Server-Side Request Forgery (SS…

| Server-Side Request Forgery
Apr 13, 2026 Apr 13, 2026
Apr 13, 2026
Apr 13, 2026
0.0 NA
CVE-2026-6218 — aandrew-me ytDownloader Error Details Panel createTextNode cross site scripting

A vulnerability was found in aandrew-me ytDownloader up to 3.20.2. Affected by this issue is the function createTextNode of the component Error Details Panel. The manipulation results in cross site s…

| Cross-Site Scripting
Apr 13, 2026 Apr 13, 2026
Apr 13, 2026
Apr 13, 2026
0.0 NA
CVE-2026-32272 — Craft Commerce: Blind SQL Injection via hasVariant/hasProduct

Craft Commerce is an ecommerce platform for Craft CMS. In versions 5.0.0 through 5.5.4, an SQL injection vulnerability exists where the ProductQuery::hasVariant and VariantQuery::hasProduct propertie…

| Injection
Apr 13, 2026 Apr 13, 2026
Apr 13, 2026
Apr 13, 2026
0.0 NA
CVE-2026-32271 — Craft Commerce: SQL Injection can lead to Remote Code Execution via TotalRevenue Widget

Craft Commerce is an ecommerce platform for Craft CMS. In versions 4.0.0 through 4.10.2 and 5.0.0 through 5.5.4, there is an SQL injection vulnerability in the Commerce TotalRevenue widget which allo…

| Injection
Apr 13, 2026 Apr 13, 2026
Apr 13, 2026
Apr 13, 2026
6.5 MEDIUM
CVE-2026-6215 — DbGate REST/GraphQL openApiDriver.ts apiServerUrl1 server-side request forgery

A weakness has been identified in DbGate up to 7.1.4. The impacted element is the function apiServerUrl1 of the file packages/rest/src/openApiDriver.ts of the component REST/GraphQL. This manipulatio…

Remote | Server-Side Request Forgery
Apr 13, 2026 Apr 13, 2026
Apr 13, 2026
Apr 13, 2026
6.5 MEDIUM
CVE-2026-6202 — code-projects Easy Blog Site post.php sql injection

A security flaw has been discovered in code-projects Easy Blog Site 1.0. This affects an unknown function of the file post.php. Performing a manipulation of the argument tags results in sql injection…

Remote | Injection
Apr 13, 2026 Apr 13, 2026
Apr 13, 2026
Apr 13, 2026
5.5 MEDIUM
CVE-2026-6201 — CodeAstro Online Job Portal Delete Job Posting job-delete.php access control

A vulnerability was identified in CodeAstro Online Job Portal 1.0. The impacted element is an unknown function of the file /jobs/job-delete.php of the component Delete Job Posting Handler. Such manip…

Remote | Authorization
Apr 13, 2026 Apr 13, 2026
Apr 13, 2026
Apr 13, 2026
4.6 MEDIUM
CVE-2026-33657 — EspoCRM: Stored HTML injection in email notifications about stream notes via unescaped po…

EspoCRM is an open source customer relationship management application. Versions 9.3.3 and below have a stored HTML injection vulnerability that allows any authenticated user with standard (non-admin…

Remote | Cross-Site Scripting
Apr 13, 2026 Apr 13, 2026
Apr 13, 2026
Apr 13, 2026
4.3 MEDIUM
CVE-2026-33534 — EspoCRM has authenticated SSRF via internal-host validation bypass using alternative IPv4…

EspoCRM is an open source customer relationship management application. Versions 9.3.3 and below have an authenticated Server-Side Request Forgery (SSRF) vulnerability that allows bypassing the inter…

Remote | Server-Side Request Forgery
Apr 13, 2026 Apr 13, 2026
Apr 13, 2026
Apr 13, 2026
7.5 HIGH
CVE-2026-32605 — Nimiq: Remote crash via off-by-one signer bounds check in proposal buffer

nimiq/core-rs-albatross is a Rust implementation of the Nimiq Proof-of-Stake protocol based on the Albatross consensus algorithm. Prior to version 1.3.0, an untrusted peer could crash a validator by …

Remote | Memory Corruption
Apr 13, 2026 Apr 13, 2026
Apr 13, 2026
Apr 13, 2026
1.7 LOW
CVE-2026-32270 — Craft Commerce: Unauthenticated information disclosure in `commerce/payments/pay` can lea…

Craft Commerce is an ecommerce platform for Craft CMS. In versions 4.0.0 through 4.10.2 and 5.0.0 through 5.5.4, the PaymentsController::actionPay discloses some order data to unauthenticated users w…

Remote | Information Disclosure
Apr 13, 2026 Apr 13, 2026
Apr 13, 2026
Apr 13, 2026
0.0 NA
CVE-2026-31048 — Pyro Pickle Protocol Code Execution Vulnerability

An issue in the <code>pickle</code> protocol of Pyro v3.x allows attackers to execute arbitrary code via supplying a crafted pickled string message.

| Injection
Apr 13, 2026 Apr 13, 2026
Apr 13, 2026
Apr 13, 2026
0.0 NA
CVE-2026-6216 — DbGate SVG Icon String FontIcon.svelte cross site scripting

A security vulnerability has been detected in DbGate up to 7.1.4. This affects an unknown function of the file packages/web/src/icons/FontIcon.svelte of the component SVG Icon String Handler. Such ma…

| Cross-Site Scripting
Apr 13, 2026 Apr 13, 2026
Apr 13, 2026
Apr 13, 2026
9.0 HIGH
CVE-2026-6200 — Tenda F456 webtypelibrary formwebtypelibrary stack-based overflow

A vulnerability was determined in Tenda F456 1.0.0.5. The affected element is the function formwebtypelibrary of the file /goform/webtypelibrary. This manipulation of the argument menufacturer/Go cau…

Remote | Memory Corruption
Apr 13, 2026 Apr 13, 2026
Apr 13, 2026
Apr 13, 2026
9.0 HIGH
CVE-2026-6199 — Tenda F456 qossetting fromqossetting stack-based overflow

A vulnerability was found in Tenda F456 1.0.0.5. Impacted is the function fromqossetting of the file /goform/qossetting. The manipulation of the argument page results in stack-based buffer overflow. …

Remote | Memory Corruption
Apr 13, 2026 Apr 13, 2026
Apr 13, 2026
Apr 13, 2026
9.0 HIGH
CVE-2026-6198 — Tenda F456 NatStaticSetting fromNatStaticSetting stack-based overflow

A vulnerability has been found in Tenda F456 1.0.0.5. This issue affects the function fromNatStaticSetting of the file /goform/NatStaticSetting. The manipulation of the argument page leads to stack-b…

Remote | Memory Corruption
Apr 13, 2026 Apr 13, 2026
Apr 13, 2026
Apr 13, 2026
9.0 HIGH
CVE-2026-6197 — Tenda F456 AdvSetWrlsafeset formWrlsafeset stack-based overflow

A flaw has been found in Tenda F456 1.0.0.5. This vulnerability affects the function formWrlsafeset of the file /goform/AdvSetWrlsafeset. Executing a manipulation of the argument mit_ssid can lead to…

Remote | Memory Corruption
Apr 13, 2026 Apr 13, 2026
Apr 13, 2026
Apr 13, 2026
9.8 CRITICAL
CVE-2026-40044 — Pachno 1.0.6 FileCache Deserialization Remote Code Execution

Pachno 1.0.6 contains a deserialization vulnerability that allows unauthenticated attackers to execute arbitrary code by injecting malicious serialized objects into cache files. Attackers can write P…

Remote | Injection
Apr 13, 2026 Apr 13, 2026
Apr 13, 2026
Apr 13, 2026
7.1 HIGH
CVE-2026-40043 — Pachno 1.0.6 Authentication Bypass via runSwitchUser()

Pachno 1.0.6 contains an authentication bypass vulnerability in the runSwitchUser() action that allows authenticated low-privilege users to escalate privileges by manipulating the original_username c…

Remote | Authentication
Apr 13, 2026 Apr 13, 2026
Apr 13, 2026
Apr 13, 2026
9.8 CRITICAL
CVE-2026-40042 — Pachno 1.0.6 Wiki TextParser XML External Entity Injection

Pachno 1.0.6 contains an XML external entity injection vulnerability that allows unauthenticated attackers to read arbitrary files by exploiting unsafe XML parsing in the TextParser helper. Attackers…

Remote | XML External Entity
Apr 13, 2026 Apr 13, 2026
Apr 13, 2026
Apr 13, 2026
Showing 20 of 6213 Results