Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

All Critical Actively Exploited Remotely Exploitable
Last Updated Published CVSS Score
Score
Vulnerability
Published
6.4 MEDIUM
CVE-2019-25448 — OrientDB 3.0.17 Stored Cross-Site Scripting via User Creation

OrientDB 3.0.17 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by creating users with script payloads in the name parameter. Atta…

orientdb | Remote | Cross-Site Scripting
Feb 20, 2026 Feb 24, 2026
Feb 20, 2026
Feb 24, 2026
5.3 MEDIUM
CVE-2019-25447 — OrientDB 3.0.17 Cross-Site Request Forgery

OrientDB 3.0.17 GA Community Edition contains cross-site request forgery vulnerabilities that allow attackers to perform unauthorized actions by crafting malicious requests to endpoints like /databas…

orientdb | Remote | Cross-Site Request Forgery
Feb 20, 2026 Feb 24, 2026
Feb 20, 2026
Feb 24, 2026
9.8 CRITICAL
CVE-2019-25441 — thesystem 1.0 Command Injection via run_command endpoint

thesystem 1.0 contains a command injection vulnerability that allows unauthenticated attackers to execute arbitrary system commands by submitting malicious input to the run_command endpoint. Attacker…

password_management_application | Remote | Injection
Feb 20, 2026 Feb 23, 2026
Feb 20, 2026
Feb 23, 2026
8.8 HIGH
CVE-2019-25438 — LabCollector 5.423 SQL Injection via login.php

LabCollector 5.423 contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to execute arbitrary SQL commands by injecting malicious code through POST parameters. Attacker…

labcollector | Remote | Injection
Feb 20, 2026 Mar 02, 2026
Feb 20, 2026
Mar 02, 2026
6.7 MEDIUM
CVE-2019-25437 — Foscam Video Management System 1.1.6.6 Buffer Overflow Denial of Service

Foscam Video Management System 1.1.6.6 contains a buffer overflow vulnerability in the UID field that allows local attackers to crash the application by supplying an excessively long string. Attacker…

| Memory Corruption
Feb 20, 2026 Feb 23, 2026
Feb 20, 2026
Feb 23, 2026
6.5 MEDIUM
CVE-2019-25436 — Sricam DeviceViewer 3.12.0.1 Password Change Security Bypass

Sricam DeviceViewer 3.12.0.1 contains a password change security bypass vulnerability that allows authenticated users to change passwords without proper validation of the old password field. Attacker…

deviceviewer | Remote | Authentication
Feb 20, 2026 Feb 26, 2026
Feb 20, 2026
Feb 26, 2026
8.4 HIGH
CVE-2019-25435 — Sricam DeviceViewer 3.12.0.1 Local Buffer Overflow DEP Bypass

Sricam DeviceViewer 3.12.0.1 contains a local buffer overflow vulnerability in the user management add user function that allows authenticated attackers to execute arbitrary code by bypassing data ex…

deviceviewer | Memory Corruption
Feb 20, 2026 Feb 26, 2026
Feb 20, 2026
Feb 26, 2026
7.5 HIGH
CVE-2019-25434 — SpotAuditor 5.3.1.0 Denial of Service via Registration Name Field

SpotAuditor 5.3.1.0 contains a denial of service vulnerability that allows unauthenticated attackers to crash the application by submitting excessive data in the registration name field. Attackers ca…

spotauditor | Remote | Denial of Service
Feb 20, 2026 Mar 05, 2026
Feb 20, 2026
Mar 05, 2026
8.8 HIGH
CVE-2019-25432 — Part-DB 0.4 Authentication Bypass via login.php

Part-DB 0.4 contains an authentication bypass vulnerability that allows unauthenticated attackers to login by injecting SQL syntax into authentication parameters. Attackers can submit a single quote …

part-db | Remote | Authentication
Feb 20, 2026 Feb 23, 2026
Feb 20, 2026
Feb 23, 2026
8.8 HIGH
CVE-2019-25431 — delpino73 Blue-Smiley-Organizer 1.32 SQL Injection via datetime

delpino73 Blue-Smiley-Organizer 1.32 contains an SQL injection vulnerability in the datetime parameter that allows unauthenticated attackers to manipulate database queries. Attackers can inject SQL c…

Remote | Injection
Feb 20, 2026 Feb 23, 2026
Feb 20, 2026
Feb 23, 2026
8.8 HIGH
CVE-2018-25158 — Chamilo LMS 1.11.8 Arbitrary File Upload via elfinder

Chamilo LMS 1.11.8 contains an arbitrary file upload vulnerability that allows authenticated users to upload and execute PHP files through the elfinder filemanager module. Attackers can upload files …

Remote | Authentication
Feb 20, 2026 Feb 23, 2026
Feb 20, 2026
Feb 23, 2026
7.1 HIGH
CVE-2026-2858 — wren-lang wren Source File wren_compiler.c peekChar out-of-bounds

A vulnerability was identified in wren-lang wren up to 0.4.0. This affects the function peekChar of the file src/vm/wren_compiler.c of the component Source File Parser. Such manipulation leads to out…

wren | Memory Corruption
Feb 20, 2026 Feb 26, 2026
Feb 20, 2026
Feb 26, 2026
6.1 MEDIUM
CVE-2026-27120 — Leaf-kit html escaping does not work on characters that are part of extended grapheme clu…

Leafkit is a templating language with Swift-inspired syntax. Prior to 1.4.1, htmlEscaped in leaf-kit will only escape html special characters if the extended grapheme clusters match, which allows byp…

leafkit | Remote | Cross-Site Scripting
Feb 20, 2026 Mar 02, 2026
Feb 20, 2026
Mar 02, 2026
5.3 MEDIUM
CVE-2026-27118 — Cache poisoning in @sveltejs/adapter-vercel

SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. Versions of @sveltejs/adapter-vercel prior to 6.3.2 are vulnerable to cache poisoning. An internal qu…

kit | Remote | Misconfiguration
Feb 20, 2026 Feb 23, 2026
Feb 20, 2026
Feb 23, 2026
6.3 MEDIUM
CVE-2026-27113 — Liquid Prompt arbitrary command injection via crafted Git branch names in gitstatusd back…

Liquid Prompt is an adaptive prompt for Bash and Zsh. Starting in commit cf3441250bb5d8b45f6f8b389fcdf427a99ac28a and prior to commit a4f6b8d8c90b3eaa33d13dfd1093062ab9c4b30c on the master branch, ar…

| Injection
Feb 20, 2026 Feb 23, 2026
Feb 20, 2026
Feb 23, 2026
9.9 CRITICAL
CVE-2026-27112 — Kargo has an Authorization Bypass Vulnerability in Batch Resource Creation API Endpoints

Kargo manages and automates the promotion of software artifacts. From 1.7.0 to before v1.7.8, v1.8.11, and v1.9.3, the batch resource creation endpoints of both Kargo's legacy gRPC API and newer REST…

kargo | Remote | Injection
Feb 20, 2026 Feb 25, 2026
Feb 20, 2026
Feb 25, 2026
5.3 MEDIUM
CVE-2026-27111 — Kargo has Missing Authorization Vulnerabilities in Approval & Promotion REST API Endpoints

Kargo manages and automates the promotion of software artifacts. From v1.9.0 to v1.9.2, Kargo's authorization model includes a promote verb -- a non-standard Kubernetes "dolphin verb" -- that gates t…

kargo | Remote | Authorization
Feb 20, 2026 Feb 25, 2026
Feb 20, 2026
Feb 25, 2026
6.9 MEDIUM
CVE-2026-27026 — pypdf possibly has long runtimes for malformed FlateDecode streams

pypdf is a free and open-source pure-python PDF library. Prior to 6.7.1, an attacker who uses this vulnerability can craft a PDF which leads to long runtimes. This requires a malformed /FlateDecode s…

pypdf | Denial of Service
Feb 20, 2026 Feb 24, 2026
Feb 20, 2026
Feb 24, 2026
6.9 MEDIUM
CVE-2026-27025 — pypdf has possible long runtimes/large memory usage for large /ToUnicode streams

pypdf is a free and open-source pure-python PDF library. Prior to 6.7.1, an attacker who uses this vulnerability can craft a PDF which leads to long runtimes and large memory consumption. This requir…

pypdf | Denial of Service
Feb 20, 2026 Feb 24, 2026
Feb 20, 2026
Feb 24, 2026
6.9 MEDIUM
CVE-2026-27024 — pypdf has a possible infinite loop when processing TreeObject

pypdf is a free and open-source pure-python PDF library. Prior to 6.7.1, an attacker who uses this vulnerability can craft a PDF which leads to an infinite loop. This requires accessing the children …

pypdf | Denial of Service
Feb 20, 2026 Feb 24, 2026
Feb 20, 2026
Feb 24, 2026
Showing 20 of 5313 Results