Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
0.0 NA
CVE-2026-4486 — D-Link DIR-513 Web Service formEasySetPassword stack-based overflow

A vulnerability was found in D-Link DIR-513 1.10. This affects the function formEasySetPassword of the file /goform/formEasySetPassword of the component Web Service. The manipulation of the argument …

| Memory Corruption
Mar 20, 2026 Mar 20, 2026
Mar 20, 2026
Mar 20, 2026
0.0 NA
CVE-2026-4485 — itsourcecode College Management System search_student.php sql injection

A vulnerability has been found in itsourcecode College Management System 1.0. The impacted element is an unknown function of the file /admin/search_student.php. The manipulation of the argument Searc…

| Injection
Mar 20, 2026 Mar 20, 2026
Mar 20, 2026
Mar 20, 2026
0.0 NA
CVE-2026-4434 — Windows Remote Management (WinRM) TLS Certificate Validation Bypass

Improper certificate validation in the PAM propagation WinRM connections allows a network attacker to perform a man-in-the-middle attack via disabled TLS certificate verification.

| Misconfiguration
Mar 20, 2026 Mar 20, 2026
Mar 20, 2026
Mar 20, 2026
6.1 MEDIUM
CVE-2026-31382 — Gainsight Assist reflected XSS/HTML injection

The error_description parameter is vulnerable to Reflected XSS. An attacker can bypass the domain's WAF using a Safari-specific onpagereveal payload.

Remote | Cross-Site Scripting
Mar 20, 2026 Mar 20, 2026
Mar 20, 2026
Mar 20, 2026
5.3 MEDIUM
CVE-2026-31381 — Gainsight Assist plugin information disclosure

An attacker can extract user email addresses (PII) exposed in base64 encoding via the state parameter in the OAuth callback URL.

Remote | Information Disclosure
Mar 20, 2026 Mar 20, 2026
Mar 20, 2026
Mar 20, 2026
9.3 CRITICAL
CVE-2026-33136 — WeGIA has Reflected Cross-Site Scripting (XSS) in `listar_memorandos_ativos.php` via `scc…

WeGIA is a web manager for charitable institutions. Versions 3.6.6 and below have a Reflected Cross-Site Scripting (XSS) vulnerability in the listar_memorandos_ativos.php endpoint. An attacker can in…

Remote | Cross-Site Scripting
Mar 20, 2026 Mar 20, 2026
Mar 20, 2026
Mar 20, 2026
9.3 CRITICAL
CVE-2026-33135 — WeGIA has Reflected Cross-Site Scripting (XSS) in `novo_memorandoo.php` via `sccs` parame…

WeGIA is a web manager for charitable institutions. Versions 3.6.6 and below have a Reflected Cross-Site Scripting (XSS) vulnerability in the novo_memorandoo.php endpoint. An attacker can inject arbi…

Remote | Cross-Site Scripting
Mar 20, 2026 Mar 20, 2026
Mar 20, 2026
Mar 20, 2026
9.3 CRITICAL
CVE-2026-33134 — WeGIA has Authenticated Time-Based Blind SQL Injection in `restaurar_produto.php` via `id…

WeGIA is a web manager for charitable institutions. Versions 3.6.5 and below contain an authenticated SQL Injection vulnerability in the html/matPat/restaurar_produto.php endpoint. The vulnerability …

Remote | Injection
Mar 20, 2026 Mar 20, 2026
Mar 20, 2026
Mar 20, 2026
8.6 HIGH
CVE-2026-33133 — WeGIA has an arbitrary SQL execution vulnerability via crafted backup archive

WeGIA is a web manager for charitable institutions. In versions 3.6.5 and 3.6.6, the loadBackupDB() function imports SQL files from uploaded backup archives without any content validation. An attacke…

Remote | Injection
Mar 20, 2026 Mar 20, 2026
Mar 20, 2026
Mar 20, 2026
5.3 MEDIUM
CVE-2026-33132 — ZITADEL is missing enforcement of organization scopes

ZITADEL is an open source identity management platform. Versions prior to 3.4.9 and 4.0.0 through 4.12.2 allowed users to bypass organization enforcement during authentication. Zitadel allows applica…

zitadel | Remote | Authentication
Mar 20, 2026 Mar 20, 2026
Mar 20, 2026
Mar 20, 2026
7.4 HIGH
CVE-2026-33131 — h3 has a middleware bypass with one gadget

H3 is a minimal H(TTP) framework. Versions 2.0.0-0 through 2.0.1-rc.14 contain a Host header spoofing vulnerability in the NodeRequestUrl (which extends FastURL) which allows middleware bypass. When …

h3 | Remote | Misconfiguration
Mar 20, 2026 Mar 20, 2026
Mar 20, 2026
Mar 20, 2026
6.3 MEDIUM
CVE-2026-32595 — Traefik: BasicAuth Middleware Timing Attack Allows Username Enumeration

Traefik is an HTTP reverse proxy and load balancer. Versions 2.11.40 and below, 3.0.0-beta1 through 3.6.11, and 3.7.0-ea.1 comtain BasicAuth middleware that allows username enumeration via a timing a…

Remote | Authentication
Mar 20, 2026 Mar 20, 2026
Mar 20, 2026
Mar 20, 2026
7.8 HIGH
CVE-2026-32305 — Traefik mTLS bypass via fragmented ClientHello SNI extraction failure

Traefik is an HTTP reverse proxy and load balancer. Versions 2.11.40 and below, 3.0.0-beta1 through 3.6.11, and 3.7.0-ea.1 are vulnerable to mTLS bypass through the TLS SNI pre-sniffing logic related…

Remote | Authentication
Mar 20, 2026 Mar 20, 2026
Mar 20, 2026
Mar 20, 2026
6.5 MEDIUM
CVE-2026-25792 — Greenshot Vulnerable to OS Command Injection via ExternalCommand Plugin

Greenshot is an open source Windows screenshot utility. Versions 1.3.312 and below have untrusted executable search path / binary hijacking vulnerability that allows a local attacker to execute arbit…

| Misconfiguration
Mar 20, 2026 Mar 20, 2026
Mar 20, 2026
Mar 20, 2026
6.5 MEDIUM
CVE-2026-33130 — Uptime Kuma: SSTI in Notification Templates Allows Arbitrary File Read (Incomplete Fix fo…

Uptime Kuma is an open source, self-hosted monitoring tool. In versions 1.23.0 through 2.2.0, the fix from GHSA-vffh-c9pq-4crh doesn't fully work to preventServer-side Template Injection (SSTI). The …

Remote | Injection
Mar 20, 2026 Mar 20, 2026
Mar 20, 2026
Mar 20, 2026
5.9 MEDIUM
CVE-2026-33129 — h3 has an observable timing discrepancy in basic auth utils

H3 is a minimal H(TTP) framework. Versions 2.0.1-beta.0 through 2.0.0-rc.8 contain a Timing Side-Channel vulnerability in the requireBasicAuth function due to the use of unsafe string comparison (!==…

h3 | Remote | Authentication
Mar 20, 2026 Mar 20, 2026
Mar 20, 2026
Mar 20, 2026
7.5 HIGH
CVE-2026-33128 — h3 has a Server-Sent Events Injection via Unsanitized Newlines in Event Stream Fields

H3 is a minimal H(TTP) framework. In versions prior to 1.15.6 and between 2.0.0 through 2.0.1-rc.14, createEventStream is vulnerable to Server-Sent Events (SSE) injection due to missing newline sanit…

h3 | Remote | Injection
Mar 20, 2026 Mar 20, 2026
Mar 20, 2026
Mar 20, 2026
7.1 HIGH
CVE-2026-33125 — Frigate Broken Access Control: Users assigned the viewer role can delete admin and other …

Frigate is a network video recorder (NVR) with realtime local object detection for IP cameras. In versions 0.16.2 and below, users with the viewer role can delete admin and low-privileged user accoun…

frigate | Remote | Authorization
Mar 20, 2026 Mar 20, 2026
Mar 20, 2026
Mar 20, 2026
8.6 HIGH
CVE-2026-33124 — Frigate has insecure password change functionality

Frigate is a network video recorder (NVR) with realtime local object detection for IP cameras. Versions prior to 0.17.0-beta1 allow any authenticated user to change their own password without verifyi…

Remote | Authentication
Mar 20, 2026 Mar 20, 2026
Mar 20, 2026
Mar 20, 2026
5.1 MEDIUM
CVE-2026-33123 — pypdf has inefficient decoding of array-based streams

pypdf is a free and open-source pure-python PDF library. Versions prior to 6.9.1 allow an attacker to craft a malicious PDF which leads to long runtimes and/or large memory usage. Exploitation requir…

pypdf | Denial of Service
Mar 20, 2026 Mar 20, 2026
Mar 20, 2026
Mar 20, 2026
Showing 20 of 5719 Results