Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
CVE Intelligence

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

All Critical Actively Exploited Remotely Exploitable
Last Updated Published CVSS Score
Score
Vulnerability
Published
8.3 HIGH
CVE-2026-33975 — twenty-server SSRF protection bypass via IPv4-mapped IPv6 address normalization

Twenty is an open source CRM built with NestJS (Node.js). In versions 1.18.0 and earlier, the SSRF protection in twenty-server's SecureHttpClientService can be bypassed using IPv4-mapped IPv6 address…

twenty | Remote | Server-Side Request Forgery
May 05, 2026 May 06, 2026
May 05, 2026
May 06, 2026
8.2 HIGH
CVE-2026-33489 — CoreDNS transfer plugin subzone ACL bypass via lexicographic zone comparison

CoreDNS is a DNS server that chains plugins. In versions prior to 1.14.3, the transfer plugin can select the wrong ACL stanza when both a parent zone and a more-specific subzone are configured. The l…

coredns | Remote | Misconfiguration
May 05, 2026 May 08, 2026
May 05, 2026
May 08, 2026
5.3 MEDIUM
CVE-2026-33420 — Vaultwarden missing authorization check allows Manager-role users to enumerate all collec…

Vaultwarden is a Bitwarden-compatible server written in Rust. In version 1.35.4 and earlier, the get_org_collections_details endpoint (GET /api/organizations/{org_id}/collections/details) is missing …

vaultwarden | Remote | Authorization
May 05, 2026 May 08, 2026
May 05, 2026
May 08, 2026
9.4 CRITICAL
CVE-2026-33324 — SQLBot prompt injection allows arbitrary SQL execution and remote code execution

SQLBot is an intelligent Text-to-SQL system based on large language models and RAG. In versions 1.7.0 and earlier, the Text2SQL chat interface is vulnerable to prompt injection. The user-provided que…

sqlbot | Remote | Injection
May 05, 2026 May 08, 2026
May 05, 2026
May 08, 2026
8.7 HIGH
CVE-2026-33190 — CoreDNS TSIG authentication bypass on encrypted DNS transports

CoreDNS is a DNS server that chains plugins. In versions prior to 1.14.3, the tsig plugin can be bypassed on non-plain-DNS transports (DoT, DoH, DoH3, DoQ, and gRPC) because it trusts the transport w…

coredns | Remote | Authentication
May 05, 2026 May 08, 2026
May 05, 2026
May 08, 2026
8.7 HIGH
CVE-2026-32936 — CoreDNS DoH GET path missing size validation causes CPU and memory amplification

CoreDNS is a DNS server that chains plugins. In versions prior to 1.14.3, the DNS-over-HTTPS (DoH) GET path accepts oversized dns= query parameter values and performs URL query parsing, base64 decodi…

coredns | Remote | Denial of Service
May 05, 2026 May 08, 2026
May 05, 2026
May 08, 2026
8.7 HIGH
CVE-2026-32934 — CoreDNS DNS-over-QUIC unbounded goroutine growth leads to denial of service

CoreDNS is a DNS server that chains plugins. In versions prior to 1.14.3, the DNS-over-QUIC (DoQ) server can be driven into unbounded goroutine and memory growth by a remote client that opens many QU…

coredns | Remote | Denial of Service
May 05, 2026 May 08, 2026
May 05, 2026
May 08, 2026
5.3 MEDIUM
CVE-2026-32699 — FacturaScripts unauthorized modification of immutable nick field via EditUser controller

FacturaScripts is an open source accounting and invoicing software. In versions 2025.92 and earlier, the application fails to validate the nick parameter during a POST request to the EditUser control…

facturascripts | Remote | Authorization
May 05, 2026 May 06, 2026
May 05, 2026
May 06, 2026
8.2 HIGH
CVE-2026-32603 — Sandboxie kernel driver denial of service via malformed IOCTL from sandboxed process

Sandboxie is an open source sandbox-based isolation software for Windows. In versions 1.17.2 and earlier, a local denial of service vulnerability exists in the Sandboxie kernel driver. An unprivilege…

sandboxie | Denial of Service
May 05, 2026 May 07, 2026
May 05, 2026
May 07, 2026
6.8 MEDIUM
CVE-2026-31893 — Tunnelblick arbitrary file read via symlink following in tunnelblickd

Tunnelblick is an open source graphic user interface for OpenVPN on macOS. In versions 3.3beta26 through 9.0beta01, any local user can read arbitrary root-owned files by exploiting a symlink followin…

tunnelblick | Path Traversal
May 05, 2026 Jun 01, 2026
May 05, 2026
Jun 01, 2026
7.5 HIGH
CVE-2024-52911 — Bitcoin Core Denial of Service Vulnerability

Bitcoin Core through 28.x has a security issue, the details of which are not disclosed. The earliest affected version is 0.14.

Remote
May 05, 2026 May 07, 2026
May 05, 2026
May 07, 2026
Showing 20 of 7151 Results