Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

All Critical Actively Exploited Remotely Exploitable
Last Updated Published CVSS Score
Score
Vulnerability
Published
8.6 HIGH
CVE-2026-28507 — Idno: Remote Code Execution via Chained Import File Write and Template Path Traversal

Idno is a social publishing platform. Prior to version 1.6.4, there is a remote code execution vulnerability via chained import file write and template path traversal. This issue has been patched in …

Remote | Path Traversal
Mar 06, 2026 Mar 06, 2026
Mar 06, 2026
Mar 06, 2026
7.5 HIGH
CVE-2026-28429 — Talishar: Critical Path Traversal in gameName Parameter

Talishar is a fan-made Flesh and Blood project. Prior to commit 6be3871, a Path Traversal vulnerability was identified in the gameName parameter. While the application's primary entry points implemen…

Remote | Path Traversal
Mar 06, 2026 Mar 06, 2026
Mar 06, 2026
Mar 06, 2026
5.3 MEDIUM
CVE-2026-28428 — Talishar: Authentication Bypass via Empty authKey Parameter Allows Unauthenticated Game A…

Talishar is a fan-made Flesh and Blood project. Prior to commit a9c218e, an authentication bypass vulnerability in Talishar's game endpoint validation logic allows any unauthenticated attacker to per…

Remote | Authentication
Mar 06, 2026 Mar 06, 2026
Mar 06, 2026
Mar 06, 2026
6.3 MEDIUM
CVE-2026-27605 — Chartbrew: Stored Cross-Site Scripting (XSS) via File Upload API

Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to version 4.8.4, the application allows uploading files (project …

Remote | Cross-Site Scripting
Mar 06, 2026 Mar 06, 2026
Mar 06, 2026
Mar 06, 2026
8.7 HIGH
CVE-2026-27603 — Chartbrew: Unauthenticated Chart Filter Endpoint: POST /project/:project_id/chart/:chart_…

Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to version 4.8.4, the chart filter endpoint POST /project/:project…

Remote | Authentication
Mar 06, 2026 Mar 06, 2026
Mar 06, 2026
Mar 06, 2026
8.8 HIGH
CVE-2026-27005 — Chartbrew: SQL injection in date-type variable handling (applyMysqlOrPostgresVariables)

Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to version 4.8.3, an unauthenticated attacker can inject arbitrary…

Remote | Injection
Mar 06, 2026 Mar 06, 2026
Mar 06, 2026
Mar 06, 2026
8.8 HIGH
CVE-2026-25888 — Chartbrew: Remote Code Execution (RCE) via Vulnerable API

Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to version 4.8.1, there is a remote code execution vulnerability v…

Remote | Injection
Mar 06, 2026 Mar 06, 2026
Mar 06, 2026
Mar 06, 2026
7.2 HIGH
CVE-2026-25887 — Chartbrew: Remote Code Execution (RCE) via MongoDB Dataset Query

Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to version 4.8.1, there is a remote code execution vulnerability v…

Remote | Injection
Mar 06, 2026 Mar 06, 2026
Mar 06, 2026
Mar 06, 2026
6.5 MEDIUM
CVE-2026-25877 — Chartbrew: Insecure Direct Object Reference (IDOR) in Chart Operations

Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to version 4.8.1, the application performs authorization checks ba…

Remote | Authorization
Mar 06, 2026 Mar 06, 2026
Mar 06, 2026
Mar 06, 2026
8.1 HIGH
CVE-2026-29093 — WWBN AVideo: Unauthenticated PHP session store exposed to host network via published memc…

WWBN AVideo is an open source video platform. Prior to version 24.0, the official docker-compose.yml publishes the memcached service on host port 11211 (0.0.0.0:11211) with no authentication, while t…

Remote | Authentication
Mar 06, 2026 Mar 06, 2026
Mar 06, 2026
Mar 06, 2026
9.2 CRITICAL
CVE-2026-29046 — TinyWeb: HTTP Header Control Character Injection into CGI Environment

TinyWeb is a web server (HTTP, HTTPS) written in Delphi for Win32. Prior to version 2.04, TinyWeb accepts request header values and later maps them into CGI environment variables (HTTP_*). The parser…

Remote | Injection
Mar 06, 2026 Mar 06, 2026
Mar 06, 2026
Mar 06, 2026
8.8 HIGH
CVE-2026-29041 — Chamilo: Authenticated Remote Code Execution via Unrestricted File Upload

Chamilo is a learning management system. Prior to version 1.11.34, Chamilo LMS is affected by an authenticated remote code execution vulnerability caused by improper validation of uploaded files. The…

Remote | Injection
Mar 06, 2026 Mar 06, 2026
Mar 06, 2026
Mar 06, 2026
9.3 CRITICAL
CVE-2026-28502 — WWBN AVideo: Authenticated Remote Code Execution via Unsafe Plugin ZIP Extraction

WWBN AVideo is an open source video platform. Prior to version 24.0, an authenticated Remote Code Execution (RCE) vulnerability was identified in AVideo related to the plugin upload/import functional…

Remote | Authentication
Mar 06, 2026 Mar 06, 2026
Mar 06, 2026
Mar 06, 2026
9.8 CRITICAL
CVE-2026-28501 — WWBN AVideo: Unauthenticated SQL Injection via JSON Request Bypass in objects/videos.json…

WWBN AVideo is an open source video platform. Prior to version 24.0, an unauthenticated SQL Injection vulnerability exists in AVideo within the objects/videos.json.php and objects/video.php component…

Remote | Injection
Mar 06, 2026 Mar 06, 2026
Mar 06, 2026
Mar 06, 2026
9.3 CRITICAL
CVE-2026-28497 — TinyWeb: Integer Overflow in `_Val` (HTTP Request Smuggling)

TinyWeb is a web server (HTTP, HTTPS) written in Delphi for Win32. Prior to version 2.03, an integer overflow vulnerability in the string-to-integer conversion routine (_Val) allows an unauthenticate…

Remote | Injection
Mar 06, 2026 Mar 06, 2026
Mar 06, 2026
Mar 06, 2026
4.9 MEDIUM
CVE-2026-27807 — MarkUs: YAML alias (‘billion laughs’) DoS in config upload

MarkUs is a web application for the submission and grading of student assignments. Prior to version 2.9.4, MarkUs allows course instructors to upload YAML files to create/update various entities (e.g…

Remote | XML External Entity
Mar 06, 2026 Mar 06, 2026
Mar 06, 2026
Mar 06, 2026
6.5 MEDIUM
CVE-2026-25962 — MarkUs: Zip bomb in config upload enables DoS

MarkUs is a web application for the submission and grading of student assignments. Prior to version 2.9.4, MarkUs currently extracts zip files without any size or entry-count limits. For example, ins…

Remote | Denial of Service
Mar 06, 2026 Mar 06, 2026
Mar 06, 2026
Mar 06, 2026
6.9 MEDIUM
CVE-2025-59544 — Chamilo: Unauthorized access to update category of any user

Chamilo is a learning management system. Prior to version 1.11.34, the functionality for the user to update the category does not implement authorization checks for the "category_id" parameter which …

Remote | Authorization
Mar 06, 2026 Mar 06, 2026
Mar 06, 2026
Mar 06, 2026
9.0 CRITICAL
CVE-2025-59543 — Chamilo: Account Takeover via Stored XSS in Course Description

Chamilo is a learning management system. Prior to version 1.11.34, there is a stored cross-site scripting (XSS) vulnerability. By injecting malicious JavaScript into the course description field, an …

Remote | Cross-Site Scripting
Mar 06, 2026 Mar 06, 2026
Mar 06, 2026
Mar 06, 2026
9.0 CRITICAL
CVE-2025-59542 — Chamilo: Account Takeover via Stored XSS in Course Learning Paths

Chamilo is a learning management system. Prior to version 1.11.34, there is a stored cross-site scripting (XSS) vulnerability. By injecting malicious JavaScript into the course learning path Settings…

Remote | Cross-Site Scripting
Mar 06, 2026 Mar 06, 2026
Mar 06, 2026
Mar 06, 2026
Showing 20 of 5204 Results