Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
CVE Intelligence

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

All Critical Actively Exploited Remotely Exploitable
Last Updated Published CVSS Score
Score
Vulnerability
Published
6.5 MEDIUM
CVE-2026-8096 — Kirki <= 6.0.6 - Missing Authorization to Authenticated (Subscriber+) Sensitive Form Subm…

The Kirki – Freeform Page Builder, Website Builder & Customizer plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 6.0.6. This is due to the plugin not p…

Remote | Authorization
May 19, 2026 May 19, 2026
May 19, 2026
May 19, 2026
7.5 HIGH
CVE-2026-8073 — Kirki <= 6.0.6 - Unauthenticated Limited Arbitrary File Read and Deletion via downloadZIP

The Kirki – Freeform Page Builder, Website Builder & Customizer plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation and missing capability check in …

Remote | Path Traversal
May 19, 2026 May 19, 2026
May 19, 2026
May 19, 2026
8.2 HIGH
CVE-2026-41470 — LIVE555 < 2026.04.22 RTSP Server Authorization Bypass via Session Token

LIVE555 before 2026.04.22 contains an authorization bypass vulnerability in RTSP session command handling that allows attackers to replay valid Session tokens from unauthenticated connections. Attack…

Remote | Authorization
May 19, 2026 May 19, 2026
May 19, 2026
May 19, 2026
5.3 MEDIUM
CVE-2026-34154 — Discourse has a subscription access bypass in its discourse-subscriptions plugin

Discourse is an open-source discussion platform. In versions prior to 2026.1.4, 2026.3.1, 2026.4.1 and 2026.5.0-latest.1, a vulnerability in the discourse-subscriptions plugin allows users to gain a…

discourse | Remote | Authorization
May 19, 2026 Jun 02, 2026
May 19, 2026
Jun 02, 2026
6.8 MEDIUM
CVE-2026-33741 — EspoCRM: Stored XSS via SVG attachment loading same-origin JavaScript

EspoCRM is an open source customer relationship management application. Versions 9.3.3 and below allow authenticated users to upload SVG attachments through normal attachment-capable fields and later…

espocrm | Remote | Cross-Site Scripting
May 19, 2026 May 20, 2026
May 19, 2026
May 20, 2026
9.9 CRITICAL
CVE-2026-33642 — Kitty has a Heap Buffer Over-Read/Write via Integer Overflow in compose_rectangles Bounds…

Kitty is a cross-platform GPU based terminal. In versions 0.46.2 and below, the handle_compose_command() function in kitty/graphics.c performs bounds validation on composition offsets using unsigned …

kitty | Remote | Memory Corruption
May 19, 2026 May 22, 2026
May 19, 2026
May 22, 2026
6.5 MEDIUM
CVE-2026-33637 — Faraday: Protocol-relative URI objects still bypass host scoping (possible incomplete fix…

Faraday is an HTTP client library abstraction layer that provides a common interface over many adapters. Versions 2.0.0 through 2.14.1 still allow protocol-relative host override when the request tar…

faraday | Remote | Server-Side Request Forgery
May 19, 2026 May 21, 2026
May 19, 2026
May 21, 2026
6.5 MEDIUM
CVE-2026-32738 — libheif has a Heap OOB Read/SEGV Crash via Zero samples_per_chunk

libheif is a HEIF and AVIF file format decoder and encoder. In versions 1.21.2 and below, a crafted 792-byte HEIF sequence file with samples_per_chunk=0 in the stsc box causes an unsigned integer und…

libheif | Remote | Denial of Service
May 19, 2026 May 20, 2026
May 19, 2026
May 20, 2026
Showing 20 of 7588 Results