Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
9.4 CRITICAL
CVE-2026-33634 — Trivy ecosystem supply chain briefly compromised

Trivy is a security scanner. On March 19, 2026, a threat actor used compromised credentials to publish a malicious Trivy v0.69.4 release, force-push 76 of 77 version tags in `aquasecurity/trivy-actio…

Remote | Supply Chain
Mar 23, 2026 Mar 23, 2026
Mar 23, 2026
Mar 23, 2026
9.3 CRITICAL
CVE-2026-32913 — OpenClaw < 2026.3.7 - Custom Authorization Header Leakage via Cross-Origin Redirects

OpenClaw before 2026.3.7 contains an improper header validation vulnerability in fetchWithSsrFGuard that forwards custom authorization headers across cross-origin redirects. Attackers can trigger red…

Remote | Server-Side Request Forgery
Mar 23, 2026 Mar 23, 2026
Mar 23, 2026
Mar 23, 2026
8.1 HIGH
CVE-2026-32300 — Connect CMS: Improper Authorization in the My Page Profile Update Feature Allows Modifica…

Connect-CMS is a content management system. In versions on the 1.x series up to and including 1.41.0 and versions on the 2.x series up to and including 2.41.0, an improper authorization issue in the …

Remote | Authorization
Mar 23, 2026 Mar 23, 2026
Mar 23, 2026
Mar 23, 2026
7.5 HIGH
CVE-2026-32299 — Connect CMS: Information Disclosure Due to Improper Authorization through the Page Conten…

Connect-CMS is a content management system. In versions on the 1.x series up to and including 1.41.0 and versions on the 2.x series up to and including 2.41.0, an improper authorization issue in the …

Remote | Authorization
Mar 23, 2026 Mar 23, 2026
Mar 23, 2026
Mar 23, 2026
6.8 MEDIUM
CVE-2026-32279 — Connect CMS has SSRF in the External Page Migration Feature of its Page Management Plugin

Connect-CMS is a content management system. In versions on the 1.x series up to and including 1.41.0 and versions on the 2.x series up to and including 2.41.0, a Server-Side Request Forgery (SSRF) is…

Remote | Server-Side Request Forgery
Mar 23, 2026 Mar 23, 2026
Mar 23, 2026
Mar 23, 2026
8.2 HIGH
CVE-2026-32278 — Connect CMS has Stored Cross-site Scripting (XSS) in the File Field of its Form Plugin

Connect-CMS is a content management system. In versions on the 1.x series up to and including 1.41.0 and versions on the 2.x series up to and including 2.41.0, a Stored Cross-site Scripting (XSS) iss…

Remote | Cross-Site Scripting
Mar 23, 2026 Mar 23, 2026
Mar 23, 2026
Mar 23, 2026
8.7 HIGH
CVE-2026-32277 — Connect-CMS has DOM-based Cross-Site Scripting (XSS) in the Cabinet Plugin List View

Connect-CMS is a content management system. In versions 1.35.0 through 1.41.0 and 2.35.0 through 2.41.0, a DOM-based Cross-Site Scripting (XSS) issue exists in the Cabinet Plugin list view. Versions …

Remote | Cross-Site Scripting
Mar 23, 2026 Mar 23, 2026
Mar 23, 2026
Mar 23, 2026
8.8 HIGH
CVE-2026-32276 — Connect-CMS has Arbitrary Code Execution by an Authenticated User in its Code Study Plugin

Connect-CMS is a content management system. In versions on the 1.x series up to and including 1.41.0 and versions on the 2.x series up to and including 2.41.0, an authenticated user may be able to ex…

Remote | Authentication
Mar 23, 2026 Mar 23, 2026
Mar 23, 2026
Mar 23, 2026
5.5 MEDIUM
CVE-2026-29111 — systemd: Local unprivileged user can trigger an assert

systemd, a system and service manager, (as PID 1) hits an assert and freezes execution when an unprivileged IPC API call is made with spurious data. On version v249 and older the effect is not an ass…

| Memory Corruption
Mar 23, 2026 Mar 23, 2026
Mar 23, 2026
Mar 23, 2026
5.3 MEDIUM
CVE-2026-27646 — OpenClaw < 2026.3.7 - Sandbox Escape via /acp spawn Command

OpenClaw versions prior to 2026.3.7 contain a sandbox escape vulnerability in the /acp spawn command that allows authorized sandboxed sessions to initialize host-side ACP runtime. Attackers can bypas…

| Authorization
Mar 23, 2026 Mar 23, 2026
Mar 23, 2026
Mar 23, 2026
4.5 MEDIUM
CVE-2026-27183 — OpenClaw < 2026.3.7 - Shell Approval Gating Bypass via Dispatch Wrapper Depth Mismatch

OpenClaw versions prior to 2026.3.7 contain a shell approval gating bypass vulnerability in system.run dispatch-wrapper handling that allows attackers to skip shell wrapper approval requirements. The…

| Misconfiguration
Mar 23, 2026 Mar 23, 2026
Mar 23, 2026
Mar 23, 2026
5.1 MEDIUM
CVE-2026-1940 — Gstreamer: incomplete fix of cve-2026-1940

An incomplete fix for CVE-2024-47778 allows an out-of-bounds read in gst_wavparse_adtl_chunk() function. The patch added a size validation check lsize + 8 > size, but it does not account for the GST_…

| Memory Corruption
Mar 23, 2026 Mar 23, 2026
Mar 23, 2026
Mar 23, 2026
9.1 CRITICAL
CVE-2025-60949 — Census CSWeb leaked configuration files

Census CSWeb 8.0.1 allows "app/config" to be reachable via HTTP in some deployments. A remote, unauthenticated attacker could send requests to configuration files and obtain leaked secrets. Fixed in …

Remote | Misconfiguration
Mar 23, 2026 Mar 23, 2026
Mar 23, 2026
Mar 23, 2026
4.6 MEDIUM
CVE-2025-60948 — Census CSWeb stored XSS

Census CSWeb 8.0.1 allows stored cross-site scripting in user supplied fields. A remote, authenticated attacker could store malicious javascript that executes in a victim's browser. Fixed in 8.1.0 al…

Remote | Cross-Site Scripting
Mar 23, 2026 Mar 23, 2026
Mar 23, 2026
Mar 23, 2026
8.8 HIGH
CVE-2025-60947 — Census CSWeb arbitrary file upload

Census CSWeb 8.0.1 allows arbitrary file upload. A remote, authenticated attacker could upload a malicious file, possibly leading to remote code execution. Fixed in 8.1.0 alpha.

Remote | Misconfiguration
Mar 23, 2026 Mar 23, 2026
Mar 23, 2026
Mar 23, 2026
8.8 HIGH
CVE-2025-60946 — Census CSWeb path traversal

Census CSWeb 8.0.1 allows arbitrary file path input. A remote, authenticated attacker could access unintended file directories. Fixed in 8.1.0 alpha.

Remote | Path Traversal
Mar 23, 2026 Mar 23, 2026
Mar 23, 2026
Mar 23, 2026
6.5 MEDIUM
CVE-2026-4597 — 648540858 wvp-GB28181-pro Stream Proxy Query StreamProxyProvider.java selectAll sql injec…

A security flaw has been discovered in 648540858 wvp-GB28181-pro up to 2.7.4. Impacted is the function selectAll of the file src/main/java/com/genersoft/iot/vmp/streamProxy/dao/provider/StreamProxyPr…

Remote | Injection
Mar 23, 2026 Mar 23, 2026
Mar 23, 2026
Mar 23, 2026
7.7 HIGH
CVE-2026-4368 — Race Condition leading to User Session Mixup

Race Condition in NetScaler ADC and NetScaler Gateway when appliance is configured as Gateway (SSL VPN, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server leading to User Session Mixup

Remote | Race Condition
Mar 23, 2026 Mar 23, 2026
Mar 23, 2026
Mar 23, 2026
9.3 CRITICAL
CVE-2026-3055 — Insufficient input validation leading to memory overread

Insufficient input validation in NetScaler ADC and NetScaler Gateway when configured as a SAML IDP leading to memory overread

Remote | Memory Corruption
Mar 23, 2026 Mar 23, 2026
Mar 23, 2026
Mar 23, 2026
8.6 HIGH
CVE-2026-23882 — Blinko: Admin RCE - MCP Server Command Injection

Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, the MCP (Model Context Protocol) server creation function allows specifying arbitrary commands and arguments, which are execu…

Remote | Injection
Mar 23, 2026 Mar 23, 2026
Mar 23, 2026
Mar 23, 2026
Showing 20 of 5354 Results