Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
CVE Intelligence

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

All Critical Actively Exploited Remotely Exploitable
Last Updated Published CVSS Score
Score
Vulnerability
Published
5.7 MEDIUM
CVE-2026-6550 — Key commitment policy bypass via shared key cache in AWS Encryption SDK for Python

Cryptographic algorithm downgrade in the caching layer of Amazon AWS Encryption SDK for Python before version 3.3.1 and before version 4.0.5 might allow an authenticated local threat actor to bypass…

| Cryptography
Apr 20, 2026 Apr 20, 2026
Apr 20, 2026
Apr 20, 2026
9.2 CRITICAL
CVE-2026-6257 — Vvveb CMS v1.0.8 Remote Code Execution via Media Management

Vvveb CMS v1.0.8 contains a remote code execution vulnerability in its media management functionality where a missing return statement in the file rename handler allows authenticated attackers to ren…

Remote | Information Disclosure
Apr 20, 2026 Apr 20, 2026
Apr 20, 2026
Apr 20, 2026
8.8 HIGH
CVE-2026-6249 — Vvveb CMS 1.0.8 Remote Code Execution via Media Upload

Vvveb CMS 1.0.8 contains a remote code execution vulnerability in its media upload handler that allows authenticated attackers to execute arbitrary operating system commands by uploading a PHP webshe…

Remote | Injection
Apr 20, 2026 Apr 20, 2026
Apr 20, 2026
Apr 20, 2026
8.1 HIGH
CVE-2026-5478 — Everest Forms <= 3.4.4 - Unauthenticated Arbitrary File Read and Deletion via Upload Fiel…

The Everest Forms plugin for WordPress is vulnerable to Arbitrary File Read and Deletion in all versions up to, and including, 3.4.4. This is due to the plugin trusting attacker-controlled old_files …

Remote | Path Traversal
Apr 20, 2026 Apr 20, 2026
Apr 20, 2026
Apr 20, 2026
9.3 CRITICAL
CVE-2026-32311 — Command Injection and Docker container escape allows root on host machine

Flowsint is an open-source OSINT graph exploration tool designed for cybersecurity investigation, transparency, and verification. Flowsint allows a user to create investigations, which are used to ma…

Remote | Injection
Apr 20, 2026 Apr 20, 2026
Apr 20, 2026
Apr 20, 2026
7.7 HIGH
CVE-2026-32135 — NanoMQ has Heap Buffer Overflow in URI Parameter Parsing

NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Platform. Versions prior to 0.24.11 have a remotely triggerable heap buffer overflow in the `uri_param_parse` function of NanoMQ's REST API…

Remote | Memory Corruption
Apr 20, 2026 Apr 20, 2026
Apr 20, 2026
Apr 20, 2026
0.0 NA
CVE-2026-29649 — NEMU RISC-V Hypervisor CSR Handling Implementation Flaw

NEMU contains an implementation flaw in its RISC-V Hypervisor CSR handling where henvcfg[7:4] (CBIE/CBCFE/CBZE-related fields) is incorrectly masked/updated based on menvcfg[7:4], so a machine-mode w…

| Misconfiguration
Apr 20, 2026 Apr 20, 2026
Apr 20, 2026
Apr 20, 2026
0.0 NA
CVE-2026-29645 — NEMU RISC-V Vector Decoder Improper Instruction Validation

NEMU (OpenXiangShan/NEMU) before v2025.12.r2 contains an improper instruction-validation flaw in its RISC-V Vector (RVV) decoder. The decoder does not correctly validate the funct3 field when decodin…

| Misconfiguration
Apr 20, 2026 Apr 20, 2026
Apr 20, 2026
Apr 20, 2026
8.1 HIGH
CVE-2026-6248 — wpForo Forum <= 3.0.5 - Authenticated (Subscriber+) Arbitrary File Deletion via Custom Pr…

The wpForo Forum plugin for WordPress is vulnerable to Arbitrary File Deletion in versions up to and including 3.0.5. This is due to two compounding flaws: the Members::update() method does not valid…

Remote | Path Traversal
Apr 20, 2026 Apr 20, 2026
Apr 20, 2026
Apr 20, 2026
4.5 MEDIUM
CVE-2026-6060 — Possible DoS via SQL Box

A vulnerability in the SQL Box in the admin interface of OTRS leads to an uncontrolled resource consumption leading to a DoS against the webserver. will be killed by the systemThis issue affects OTRS…

Remote | Denial of Service
Apr 20, 2026 Apr 20, 2026
Apr 20, 2026
Apr 20, 2026
5.8 MEDIUM
CVE-2026-41389 — OpenClaw 2026.4.7 < 2026.4.15 - Arbitrary File Read via Unvalidated Tool-Result Media Pat…

OpenClaw versions 2026.4.7 before 2026.4.15 fail to enforce local-root containment on tool-result media paths, allowing arbitrary local and UNC file access. Attackers can craft malicious tool-result …

Remote | Path Traversal
Apr 20, 2026 Apr 20, 2026
Apr 20, 2026
Apr 20, 2026
5.4 MEDIUM
CVE-2026-39112 — Apartment Visitors Management System Cross Site Scripting

Cross Site Scripting vulnerability in Apartment Visitors Management System Apartment Visitors Management System V1.1 in the visname parameter of visitors-form.php. An authenticated attacker can injec…

Remote | Cross-Site Scripting
Apr 20, 2026 Apr 20, 2026
Apr 20, 2026
Apr 20, 2026
7.5 HIGH
CVE-2026-39111 — Apartment Visitors Management System SQL Injection

SQL Injection vulnerability in Apartment Visitors Management System Apartment Visitors Management System V1.1 in the email parameter of the forgot password page (forgot-password.php). This allows an …

Remote | Injection
Apr 20, 2026 Apr 20, 2026
Apr 20, 2026
Apr 20, 2026
8.2 HIGH
CVE-2026-39110 — Apache Openvisit SQL Injection Vulnerability

SQL Injection vulnerability in Apartment Visitors Management System Apartment Visitors Management System V1.1 in the contactno parameter of the forgot password page (forgot-password.php). This allows…

Remote | Injection
Apr 20, 2026 Apr 20, 2026
Apr 20, 2026
Apr 20, 2026
9.4 CRITICAL
CVE-2026-39109 — Apartment Visitors Management System SQL Injection

SQL Injection vulnerability in Apartment Visitors Management System Apartment Visitors Management System V1.1 within the username parameter of the login page (index.php). This allows an unauthenticat…

Remote | Injection
Apr 20, 2026 Apr 20, 2026
Apr 20, 2026
Apr 20, 2026
0.0 NA
CVE-2026-26399 — Arduin_Core_STM32 Stack Use-After-Return Buffer Overflow Vulnerability

A stack-use-after-return issue exists in the Arduino_Core_STM32 library prior to version 1.7.0. The pwm_start() function allocates a TIM_HandleTypeDef structure on the stack and passes its address to…

| Memory Corruption
Apr 20, 2026 Apr 20, 2026
Apr 20, 2026
Apr 20, 2026
6.4 MEDIUM
CVE-2026-23758 — GFI HelpDesk < 4.99.9 Stored XSS via editsubject Parameter

GFI HelpDesk before 4.99.9 contains a stored cross-site scripting vulnerability in the ticket subject field that allows authenticated staff members to inject malicious JavaScript by manipulating the …

Remote | Cross-Site Scripting
Apr 20, 2026 Apr 20, 2026
Apr 20, 2026
Apr 20, 2026
5.4 MEDIUM
CVE-2026-23757 — GFI HelpDesk < 4.99.10 Stored XSS via Reports Module

GFI HelpDesk before 4.99.10 contains a stored cross-site scripting vulnerability in the Reports module where the title parameter is passed directly to SWIFT_Report::Create() without HTML sanitization…

Remote | Cross-Site Scripting
Apr 20, 2026 Apr 20, 2026
Apr 20, 2026
Apr 20, 2026
5.4 MEDIUM
CVE-2026-23756 — GFI HelpDesk < 4.99.9 Stored XSS via Troubleshooter Step Subject

GFI HelpDesk before 4.99.9 contains a stored cross-site scripting vulnerability in the Troubleshooter module where the subject POST parameter is not sanitized in Controller_Step.InsertSubmit() and Ed…

Remote | Cross-Site Scripting
Apr 20, 2026 Apr 20, 2026
Apr 20, 2026
Apr 20, 2026
4.8 MEDIUM
CVE-2026-23753 — GFI HelpDesk < 4.99.9 Stored XSS via charset Parameter

GFI HelpDesk before 4.99.9 contains a stored cross-site scripting vulnerability in the language management functionality where the charset POST parameter is passed directly to SWIFT_Language::Create(…

Remote | Cross-Site Scripting
Apr 20, 2026 Apr 20, 2026
Apr 20, 2026
Apr 20, 2026
Showing 20 of 6035 Results