Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
CVE Intelligence

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

All Critical Actively Exploited Remotely Exploitable
Last Updated Published CVSS Score
Score
Vulnerability
Published
9.8 CRITICAL
CVE-2026-27743 — SPIP referer_spam <= 1.2.1 Unauthenticated SQL Injection

The SPIP referer_spam plugin versions prior to 1.3.0 contain an unauthenticated SQL injection vulnerability in the referer_spam_ajouter and referer_spam_supprimer action handlers. The handlers read t…

spip referer_spam* referer_spam | Remote | Injection
Feb 25, 2026 Mar 03, 2026
Feb 25, 2026
Mar 03, 2026
9.8 CRITICAL
CVE-2026-27641 — Flask-Reuploaded vulnerable to Remote Code Execution via Server-Side Template Injection

Flask-Reuploaded provides file uploads for Flask. A critical path traversal and extension bypass vulnerability in versions prior to 1.5.0 allows remote attackers to achieve arbitrary file write and r…

flask-reuploaded | Remote | Path Traversal
Feb 25, 2026 Feb 27, 2026
Feb 25, 2026
Feb 27, 2026
8.5 HIGH
CVE-2026-27640 — tfplan2md has Sensitive Value Exposure in Generated Reports

tfplan2md is software for converting Terraform plan JSON files into human-readable Markdown reports. Prior to version 1.26.1, a bug in tfplan2md affected several distinct rendering paths: AzApi resou…

tfplan2md tfplan2md | Remote | Information Disclosure
Feb 25, 2026 Mar 04, 2026
Feb 25, 2026
Mar 04, 2026
8.5 HIGH
CVE-2026-27639 — Mercator vulnerable to stored XSS via unescaped Blade directives in display templates

Mercator is an open source web application designed to enable mapping of information systems. A stored Cross-Site Scripting (XSS) vulnerability exists in Mercator prior to version 2026.02.22 due to t…

mercator | Remote | Cross-Site Scripting
Feb 25, 2026 Feb 27, 2026
Feb 25, 2026
Feb 27, 2026
9.8 CRITICAL
CVE-2026-27637 — FreeScout's Predictable Authentication Token Enables Account Takeover

FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to version 1.8.206, FreeScout's `TokenAuth` middleware uses a predictable authentication token computed as `MD…

freescout | Remote | Authentication
Feb 25, 2026 Feb 26, 2026
Feb 25, 2026
Feb 26, 2026
8.8 HIGH
CVE-2026-27636 — FreeScout: Missing .htaccess in Restricted File Extensions Allows Remote Code Execution o…

FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to version 1.8.206, FreeScout's file upload restriction list in `app/Misc/Helper.php` does not include `.htacc…

freescout | Remote | Misconfiguration
Feb 25, 2026 Feb 26, 2026
Feb 25, 2026
Feb 26, 2026
8.2 HIGH
CVE-2026-27627 — Karakeep's Reddit plugin content bypasses DOMPurify sanitization, enabling stored XSS

Karakeep is a elf-hostable bookmark-everything app. In version 0.30.0, when the Reddit metascraper plugin returns `readableContentHtml`, the HTML parsing subprocess uses it directly without running i…

karakeep | Remote | Cross-Site Scripting
Feb 25, 2026 Mar 10, 2026
Feb 25, 2026
Mar 10, 2026
10.0 CRITICAL
CVE-2026-27597 — @enclave-vm/core is vulnerable to Sandbox Escape

Enclave is a secure JavaScript sandbox designed for safe AI agent code execution. Prior to version 2.11.1, it is possible to escape the security boundraries set by `@enclave-vm/core`, which can be us…

enclave | Remote | Misconfiguration
Feb 25, 2026 Feb 27, 2026
Feb 25, 2026
Feb 27, 2026
Showing 20 of 6088 Results