Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
7.5 HIGH
CVE-2026-2821 — Fujian Smart Integrated Management Platform System XCamera.ashx sql injection

A weakness has been identified in Fujian Smart Integrated Management Platform System up to 7.5. Impacted is an unknown function of the file /Module/CRXT/Controller/XCamera.ashx. This manipulation of …

Remote | Injection
Feb 20, 2026 Feb 20, 2026
6.4 MEDIUM
CVE-2026-2384 — Quiz Maker <= 6.7.1.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shor…

The Quiz Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `vc_quizmaker` shortcode in all versions up to, and including, 6.7.1.7 due to insufficient input sani…

quiz_maker | Remote | Cross-Site Scripting
Feb 20, 2026 Feb 20, 2026
5.3 MEDIUM
CVE-2026-27017 — uTLS has a Chrome Parrot Fingerprint Vulnerability due to GREASE ECH Cipher Suite Mismatch

uTLS is a fork of crypto/tls, created to customize ClientHello for fingerprinting resistance while still using it for the handshake. Versions 1.6.0 through 1.8.0 contain a fingerprint mismatch with C…

utls | Remote | Cryptography
Feb 20, 2026 Feb 20, 2026
8.7 HIGH
CVE-2026-26996 — minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern

minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Versions 10.2.0 and below are vulnerable to Regular Expression Denial of Service (ReDoS) when a…

minimatch | Remote | Denial of Service
Feb 20, 2026 Mar 06, 2026
6.5 MEDIUM
CVE-2026-26994 — uTLS ServerHellos are accepted without checking TLS 1.3 downgrade canaries

uTLS is a fork of crypto/tls, created to customize ClientHello for fingerprinting resistance while still using it for the handshake. In versions 1.6.7 and below, uTLS did not implement the TLS 1.3 do…

utls | Remote | Cryptography
Feb 20, 2026 Feb 20, 2026
5.4 MEDIUM
CVE-2026-26993 — Flare has XSS vulnerability in Raw File Preview

Flare is a Next.js-based, self-hostable file sharing platform that integrates with screenshot tools. Versions 1.7.0 and below allow users to upload files without proper content validation or sanitiza…

flare | Remote | Cross-Site Scripting
Feb 20, 2026 Mar 03, 2026
5.1 MEDIUM
CVE-2026-26992 — LibreNMS has Stored Cross-Site Scripting via unsanitized /port-groups name

LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. In versions 26.1.1 and below, the port group name is not sanitized, allowing attackers with admin privileges to perform S…

librenms | Remote | Cross-Site Scripting
Feb 20, 2026 Feb 20, 2026
5.1 MEDIUM
CVE-2026-26991 — LibreNMS vulnerable to Stored Cross-site Scripting through unsanitized /device-groups name

LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. In versions 26.1.1 and below, the device group name is not sanitized, allowing attackers with admin privileges to perform…

librenms | Remote | Cross-Site Scripting
Feb 20, 2026 Feb 20, 2026
7.5 HIGH
CVE-2026-2820 — Fujian Smart Integrated Management Platform System XAccessPermissionPlus.ashx sql injecti…

A security flaw has been discovered in Fujian Smart Integrated Management Platform System up to 7.5. This issue affects some unknown processing of the file /Module/CRXT/Controller/XAccessPermissionPl…

Remote | Injection
Feb 20, 2026 Feb 20, 2026
6.5 MEDIUM
CVE-2026-2819 — Dromara RuoYi-Vue-Plus Workflow deleteByInstanceIds SaServletFilter authorization

A vulnerability was identified in Dromara RuoYi-Vue-Plus up to 5.5.3. This vulnerability affects the function SaServletFilter of the file /workflow/instance/deleteByInstanceIds of the component Workf…

ruoyi-vue-plus | Remote | Authorization
Feb 20, 2026 Feb 20, 2026
5.4 MEDIUM
CVE-2026-27016 — LibreNMS has Stored XSS in Custom OID - unit parameter missing strip_tags()

LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. Versions 24.10.0 through 26.1.1 are vulnerable to Stored XSS via the unit parameter in Custom OID. The Custom OID functio…

librenms | Remote | Cross-Site Scripting
Feb 20, 2026 Feb 20, 2026
8.8 HIGH
CVE-2026-26990 — LibreNMS has Time-Based Blind SQL Injection in address-search.inc.php

LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. Versions 25.12.0 and below have a Time-Based Blind SQL Injection vulnerability in address-search.inc.php via the address …

librenms | Remote | Injection
Feb 20, 2026 Feb 20, 2026
4.8 MEDIUM
CVE-2026-26989 — LibreNMS has Stored XSS in Alert Rule

LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. Versions 25.12.0 and below are affected by a Stored Cross-Site Scripting (XSS) vulnerability in the Alert Rules workflow.…

librenms | Remote | Cross-Site Scripting
Feb 20, 2026 Feb 20, 2026
9.3 CRITICAL
CVE-2026-26988 — LibreNMS: SQL Injection in ajax_table.php spreads through a covert data stream

LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. Versions 25.12.0 and below contain an SQL Injection vulnerability in the ajax_table.php endpoint. The application fails t…

librenms | Remote | Injection
Feb 20, 2026 Feb 20, 2026
6.1 MEDIUM
CVE-2026-26987 — LibreNMS affected by reflected XSS via email field

LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. Versions 25.12.0 and below are vulnerable to Reflected XSS attacks via email field. This issue has been fixed in version…

librenms | Remote | Cross-Site Scripting
Feb 20, 2026 Feb 20, 2026
9.4 CRITICAL
CVE-2026-26980 — Ghost has a SQL Injection in its Content API

Ghost is a Node.js content management system. Versions 3.24.0 through 6.19.0 allow unauthenticated attackers to perform arbitrary reads from the database. This issue has been fixed in version 6.19.1.

ghost | Remote | Information Disclosure
Feb 20, 2026 Feb 20, 2026
6.9 MEDIUM
CVE-2026-26977 — Frappe Learning Management System exposes details of unpublished courses to unauthorized …

Frappe Learning Management System (LMS) is a learning system that helps users structure their content. In versions 2.44.0 and below, unauthorized users are able to access the details of unpublished c…

learning | Remote | Authorization
Feb 20, 2026 Feb 20, 2026
7.1 HIGH
CVE-2026-26960 — node-tar has Arbitrary File Read/Write via Hardlink Target Escape Through Symlink Chain i…

node-tar is a full-featured Tar for Node.js. When using default options in versions 7.5.7 and below, an attacker-controlled archive can create a hardlink inside the extraction directory that points t…

tar | Path Traversal
Feb 20, 2026 Feb 20, 2026
9.3 CRITICAL
CVE-2026-26065 — calibre: Path Traversal can Lead to Arbitrary File Write and Potential Code Execution

calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Versions 9.2.1 and below are vulnerable to Path Traversal through PDB readers (both 132-byte and 2…

calibre | Path Traversal
Feb 20, 2026 Feb 20, 2026
9.3 CRITICAL
CVE-2026-26064 — calibre: Path Traversal Vulnerability Enables Arbitrary File Write and Remote Code Execut…

calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Versions 9.2.1 and below contain a Path Traversal vulnerability that allows arbitrary file writes …

calibre | Path Traversal
Feb 20, 2026 Feb 20, 2026
Showing 20 of 5064 Results