Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
CVE Intelligence

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

All Critical Actively Exploited Remotely Exploitable
Last Updated Published CVSS Score
Score
Vulnerability
Published
6.5 MEDIUM
CVE-2026-6385 — Ffmpeg: ffmpeg: denial of service and potential arbitrary code execution via signed integ…

A flaw was found in FFmpeg. A remote attacker could exploit this vulnerability by providing a specially crafted MPEG-PS/VOB media file containing a malicious DVD subtitle stream. This vulnerability i…

Remote | Memory Corruption
Apr 15, 2026 Apr 15, 2026
Apr 15, 2026
Apr 15, 2026
5.4 MEDIUM
CVE-2026-6383 — Kubevirt: kubevirt: unauthorized subresource access due to improper rbac evaluation

A flaw was found in KubeVirt's Role-Based Access Control (RBAC) evaluation logic. The authorization mechanism improperly truncates subresource names, leading to incorrect permission evaluations. This…

Remote | Authorization
Apr 15, 2026 Apr 15, 2026
Apr 15, 2026
Apr 15, 2026
5.5 MEDIUM
CVE-2026-6245 — Sssd: out-of-bounds read in the sssd

A flaw was found in the System Security Services Daemon (SSSD). The pam_passkey_child_read_data() function within the PAM passkey responder fails to properly handle raw bytes received from a pipe. Be…

| Denial of Service
Apr 15, 2026 Apr 15, 2026
Apr 15, 2026
Apr 15, 2026
9.2 CRITICAL
CVE-2026-5189 — Nexus Repository 3 - Hardcoded Credential in Internal Database Component

CWE-798: Use of Hard-coded Credentials in Sonatype Nexus Repository Manager versions 3.0.0 through 3.70.5 allows an unauthenticated attacker with network access to gain unauthorized read/write access…

Remote | Authentication
Apr 15, 2026 Apr 15, 2026
Apr 15, 2026
Apr 15, 2026
8.4 HIGH
CVE-2026-4857 — SailPoint IdentityIQ Debug UI Incorrect Authorization

IdentityIQ 8.5, all IdentityIQ 8.5 patch levels prior to 8.5p2, IdentityIQ 8.4, and all IdentityIQ 8.4 patch levels prior to 8.4p4 allow authenticated users assigned the Debug Pages Read Only capabil…

Remote | Authorization
Apr 15, 2026 Apr 15, 2026
Apr 15, 2026
Apr 15, 2026
5.0 MEDIUM
CVE-2026-40256 — Weblate: Prefix-Based Repository Boundary Check Bypass via Symlink/Junction Path Prefix C…

Weblate is a web based localization tool. In versions prior to 5.17, repository-boundary validation relies on string prefix checks on resolved absolute paths. In multiple code paths, the check uses s…

Remote | Path Traversal
Apr 15, 2026 Apr 15, 2026
Apr 15, 2026
Apr 15, 2026
4.1 MEDIUM
CVE-2026-39845 — Weblate: SSRF via the webhook add-on using unprotected fetch_url()

Weblate is a web based localization tool. In versions prior to 5.17, the webhook add-on did not utilize existing SSRF protections. This issue has been fixed in version 5.17. If developers are unable …

Remote | Server-Side Request Forgery
Apr 15, 2026 Apr 15, 2026
Apr 15, 2026
Apr 15, 2026
8.2 HIGH
CVE-2026-34632 — Photoshop Installer | CWE-427: Uncontrolled Search Path Element

Adobe Photoshop Installer was affected by an Uncontrolled Search Path Element vulnerability that could have resulted in arbitrary code execution in the context of the current user. A low-privileged l…

| Path Traversal
Apr 15, 2026 Apr 15, 2026
Apr 15, 2026
Apr 15, 2026
8.8 HIGH
CVE-2026-34393 — Weblate: Privilege escalation in the user API endpoint

Weblate is a web based localization tool. In versions prior to 5.17, the user patching API endpoint didn't properly limit the scope of edits. This issue has been fixed in version 5.17.

Remote | Authorization
Apr 15, 2026 Apr 15, 2026
Apr 15, 2026
Apr 15, 2026
5.0 MEDIUM
CVE-2026-34244 — Weblate: SSRF via Project-Level Machinery Configuration

Weblate is a web based localization tool. In versions prior to 5.17, a user with the project.edit permission (granted by the per-project "Administration" role) can configure machine translation servi…

Remote | Server-Side Request Forgery
Apr 15, 2026 Apr 15, 2026
Apr 15, 2026
Apr 15, 2026
7.7 HIGH
CVE-2026-34242 — Weblate: Arbitrary File Read via Symlink

Weblate is a web based localization tool. In versions prior to 5.17, the ZIP download feature didn't verify downloaded files, potentially following symlinks outside the repository. This issue has be…

Remote | Path Traversal
Apr 15, 2026 Apr 15, 2026
Apr 15, 2026
Apr 15, 2026
7.4 HIGH
CVE-2026-33667 — OpenProject: 2FA OTP Verification Missing Rate Limiting

OpenProject is an open-source project management application. In versions prior to 17.3.0, 2FA OTP verification in the confirm_otp action of the two_factor_authentication module has no rate limiting,…

Remote | Authentication
Apr 15, 2026 Apr 15, 2026
Apr 15, 2026
Apr 15, 2026
5.0 MEDIUM
CVE-2026-33440 — Weblate: Authenticated SSRF via redirect bypass of ALLOWED_ASSET_DOMAINS in screenshot UR…

Weblate is a web based localization tool. In versions prior to 5.17, the ALLOWED_ASSET_DOMAINS setting applied only to the first issued requests and didn't restrict possible redirects. This issue has…

Remote | Misconfiguration
Apr 15, 2026 Apr 15, 2026
Apr 15, 2026
Apr 15, 2026
8.0 HIGH
CVE-2026-33435 — Weblate: Remote code execution during backup restoration

Weblate is a web based localization tool. In versions prior to 5.17, the project backup didn't filter Git and Mercurial configuration files which could lead to remote code execution under certain cir…

Remote | Misconfiguration
Apr 15, 2026 Apr 15, 2026
Apr 15, 2026
Apr 15, 2026
6.8 MEDIUM
CVE-2026-33220 — Weblate: JavaScript localization CDN add-on allows arbitrary local file read outside the …

Weblate is a web based localization tool. In versions prior to 5.17, the translation memory API exposed unintended endpoints, which in turn didn't perform proper access control. This issue has been f…

Remote | Authorization
Apr 15, 2026 Apr 15, 2026
Apr 15, 2026
Apr 15, 2026
0.0 NA
CVE-2025-41118 — Sensitive COS `SecretKey` exposed in plaintext via configuration API due to missing type …

Pyroscope is an open-source continuous profiling database. The database supports various storage backends, including Tencent Cloud Object Storage (COS). If the database is configured to use Tencent …

| Information Disclosure
Apr 15, 2026 Apr 15, 2026
Apr 15, 2026
Apr 15, 2026
0.0 NA
CVE-2026-33877 — ApostropheCMS: User Enumeration via Timing Side Channel in Password Reset Endpoint

ApostropheCMS is an open-source Node.js content management system. Versions 4.28.0 and prior contain a timing side-channel vulnerability in the password reset endpoint (/api/v1/@apostrophecms/login/r…

| Information Disclosure
Apr 15, 2026 Apr 15, 2026
Apr 15, 2026
Apr 15, 2026
7.3 HIGH
CVE-2026-6384 — Gimp: gimp: arbitrary code execution or denial of service via buffer overflow in gif imag…

A flaw was found in gimp. This buffer overflow vulnerability in the GIF image loading component's `ReadJeffsImage` function allows an attacker to write beyond an allocated buffer by processing a spec…

| Memory Corruption
Apr 15, 2026 Apr 15, 2026
Apr 15, 2026
Apr 15, 2026
0.0 NA
CVE-2026-6364 — Google Chrome Skia Out-of-Bounds Read

Out of bounds read in Skia in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted file. (Chromium security se…

| Memory Corruption
Apr 15, 2026 Apr 15, 2026
Apr 15, 2026
Apr 15, 2026
0.0 NA
CVE-2026-6319 — Google Chrome Android Use-After-Free RCE

Use after free in Payments in Google Chrome on Android prior to 147.0.7727.101 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code via a crafted…

| Memory Corruption
Apr 15, 2026 Apr 15, 2026
Apr 15, 2026
Apr 15, 2026
Showing 20 of 6516 Results