Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
8.8 HIGH
CVE-2026-4475 — Yi Technology YI Home Camera ipc hard-coded credentials

A vulnerability has been found in Yi Technology YI Home Camera 2 2.1.1_20171024151200. The affected element is an unknown function of the file home/web/ipc. Such manipulation leads to hard-coded cred…

| Authentication
Mar 20, 2026 Mar 20, 2026
Mar 20, 2026
Mar 20, 2026
4.8 MEDIUM
CVE-2026-4474 — itsourcecode University Management System admin_single_student_update.php cross site scri…

A flaw has been found in itsourcecode University Management System 1.0. Impacted is an unknown function of the file /admin_single_student_update.php. This manipulation of the argument st_name causes …

university_management_system | Remote | Cross-Site Scripting
Mar 20, 2026 Mar 20, 2026
Mar 20, 2026
Mar 20, 2026
5.1 MEDIUM
CVE-2026-33055 — tar-rs incorrectly ignores PAX size headers if header size is nonzero

tar-rs is a tar archive reading/writing library for Rust. Versions 0.4.44 and below have conditional logic that skips the PAX size header in cases where the base header size is nonzero. As part of CV…

Remote | Misconfiguration
Mar 20, 2026 Mar 20, 2026
Mar 20, 2026
Mar 20, 2026
10.0 CRITICAL
CVE-2026-33054 — Mesop: Path Traversal utilizing `FileStateSessionBackend` leads to Application Denial of …

Mesop is a Python-based UI framework that allows users to build web applications. Versions 1.2.2 and below contain a Path Traversal vulnerability that allows any user supplying an untrusted state_tok…

Remote | Path Traversal
Mar 20, 2026 Mar 20, 2026
Mar 20, 2026
Mar 20, 2026
6.1 MEDIUM
CVE-2026-33053 — Langflow has Missing Ownership Verification in API Key Deletion (IDOR)

Langflow is a tool for building and deploying AI-powered agents and workflows. In versions prior to 1.9.0, the delete_api_key_route() endpoint accepts an api_key_id path parameter and deletes it with…

langflow | Remote | Authorization
Mar 20, 2026 Mar 20, 2026
Mar 20, 2026
Mar 20, 2026
5.8 MEDIUM
CVE-2026-4473 — itsourcecode Online Doctor Appointment System appointment_action.php sql injection

A vulnerability was detected in itsourcecode Online Doctor Appointment System 1.0. This issue affects some unknown processing of the file /admin/appointment_action.php. The manipulation of the argume…

online_doctor_appointment_system | Remote | Injection
Mar 20, 2026 Mar 20, 2026
Mar 20, 2026
Mar 20, 2026
5.3 MEDIUM
CVE-2026-33051 — Craft CMS Vulnerable to Stored XSS in Revision Context Menu

Craft CMS is a content management system (CMS). In versions 5.9.0-beta.1 through 5.9.10, the revision/draft context menu in the element editor renders the creator’s fullName as raw HTML due to the us…

craft_cms | Remote | Cross-Site Scripting
Mar 20, 2026 Mar 20, 2026
Mar 20, 2026
Mar 20, 2026
8.1 HIGH
CVE-2026-33043 — AVideo affected by Session Hijacking via Unauthenticated Session ID Disclosure with Permi…

WWBN AVideo is an open source video platform. In versions 25.0 and below, /objects/phpsessionid.json.php exposes the current PHP session ID to any unauthenticated request. The allowOrigin() function …

avideo | Remote | Information Disclosure
Mar 20, 2026 Mar 20, 2026
Mar 20, 2026
Mar 20, 2026
5.3 MEDIUM
CVE-2026-33041 — AVideo has an Unauthenticated Password Hash Oracle via encryptPass.json.php

WWBN AVideo is an open source video platform. In versions 25.0 and below, /objects/encryptPass.json.php exposes the application's password hashing algorithm to any unauthenticated user. An attacker c…

avideo | Remote | Information Disclosure
Mar 20, 2026 Mar 20, 2026
Mar 20, 2026
Mar 20, 2026
8.7 HIGH
CVE-2026-33040 — libp2p-rust: Gossipsub PRUNE.backoff Duration Overflow

libp2p-rust is the official rust language Implementation of the libp2p networking stack. In versions prior to 0.49.3, the Gossipsub implementation accepts attacker-controlled PRUNE backoff values and…

libp2p | Remote | Denial of Service
Mar 20, 2026 Mar 20, 2026
Mar 20, 2026
Mar 20, 2026
8.6 HIGH
CVE-2026-33039 — AVideo vulnerable to unauthenticated SSRF via HTTP redirect bypass in LiveLinks proxy

WWBN AVideo is an open source video platform. In versions 25.0 and below, the plugin/LiveLinks/proxy.php endpoint validates user-supplied URLs against internal/private networks using isSSRFSafeURL(),…

avideo | Remote | Server-Side Request Forgery
Mar 20, 2026 Mar 20, 2026
Mar 20, 2026
Mar 20, 2026
8.1 HIGH
CVE-2026-33038 — AVideo affected by unauthenticated application takeover via exposed web installer on unin…

WWBN AVideo is an open source video platform. Versions 25.0 and below are vulnerable to unauthenticated application takeover through the install/checkConfiguration.php endpoint. install/checkConfigur…

avideo | Remote | Authentication
Mar 20, 2026 Mar 20, 2026
Mar 20, 2026
Mar 20, 2026
8.1 HIGH
CVE-2026-33037 — WWBN AVideo has predictable default admin credentials in official Docker deployment path

WWBN AVideo is an open source video platform. In versions 25.0 and below, the official Docker deployment files (docker-compose.yml, env.example) ship with the admin password set to "password", which …

avideo | Remote | Authentication
Mar 20, 2026 Mar 20, 2026
Mar 20, 2026
Mar 20, 2026
7.5 HIGH
CVE-2026-33036 — fast-xml-parser affected by numeric entity expansion bypassing all entity expansion limit…

fast-xml-parser allows users to process XML from JS object without C/C++ based libraries or callbacks. Versions 4.0.0-beta.3 through 5.5.5 contain a bypass vulnerability where numeric character refer…

fast-xml-parser | Remote | Denial of Service
Mar 20, 2026 Mar 20, 2026
Mar 20, 2026
Mar 20, 2026
7.9 HIGH
CVE-2026-32768 — Chall-Manager's invalid NetworkPolicy enables a malicious actor to pivot into another nam…

Chall-Manager is a platform-agnostic system able to start Challenges on Demand of a player. In versions prior to 0.6.5, due to a miswritten NetworkPolicy, a malicious actor can pivot from an instance…

chall-manager | Remote | Misconfiguration
Mar 20, 2026 Mar 20, 2026
Mar 20, 2026
Mar 20, 2026
6.5 MEDIUM
CVE-2026-4472 — itsourcecode Online Frozen Foods Ordering System admin_edit_supplier.php sql injection

A security vulnerability has been detected in itsourcecode Online Frozen Foods Ordering System 1.0. This vulnerability affects unknown code of the file /admin/admin_edit_supplier.php. The manipulatio…

Mar 20, 2026 Mar 20, 2026
Mar 20, 2026
Mar 20, 2026
5.8 MEDIUM
CVE-2026-4471 — itsourcecode Online Frozen Foods Ordering System admin_edit_employee.php sql injection

A weakness has been identified in itsourcecode Online Frozen Foods Ordering System 1.0. This affects an unknown part of the file /admin/admin_edit_employee.php. Executing a manipulation of the argume…

Mar 20, 2026 Mar 20, 2026
Mar 20, 2026
Mar 20, 2026
5.8 MEDIUM
CVE-2026-4470 — itsourcecode Online Frozen Foods Ordering System admin_edit_menu.php sql injection

A security flaw has been discovered in itsourcecode Online Frozen Foods Ordering System 1.0. Affected by this issue is some unknown functionality of the file /admin/admin_edit_menu.php. Performing a …

Mar 20, 2026 Mar 20, 2026
Mar 20, 2026
Mar 20, 2026
5.8 MEDIUM
CVE-2026-4469 — itsourcecode Online Frozen Foods Ordering System admin_edit_menu_action.php sql injection

A vulnerability was identified in itsourcecode Online Frozen Foods Ordering System 1.0. Affected by this vulnerability is an unknown functionality of the file /admin/admin_edit_menu_action.php. Such …

Mar 20, 2026 Mar 20, 2026
Mar 20, 2026
Mar 20, 2026
5.3 MEDIUM
CVE-2026-33035 — Unauthenticated Reflected XSS via innerHTML in AVideo

WWBN AVideo is an open source video platform. In versions 25.0 and below, there is a reflected XSS vulnerability that allows unauthenticated attackers to execute arbitrary JavaScript in a victim's br…

avideo | Remote | Cross-Site Scripting
Mar 20, 2026 Mar 20, 2026
Mar 20, 2026
Mar 20, 2026
Showing 20 of 5708 Results