Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score | Vulnerability | Published
8.8 HIGH
CVE-2026-3265 — go2ismail Free-CRM Security API improper authorization

A vulnerability was identified in go2ismail Free-CRM up to b83c40a90726d5e58f0cc680ffdcaa28a03fb5d1. This affects an unknown part of the file /api/Security/ of the component Security API. The manipul…

free-crm | Remote | Authorization
Feb 26, 2026 Mar 03, 2026
8.8 HIGH
CVE-2026-3264 — go2ismail Free-CRM Administrative redirect

A vulnerability was determined in go2ismail Free-CRM up to b83c40a90726d5e58f0cc680ffdcaa28a03fb5d1. Affected by this issue is some unknown functionality of the component Administrative Interface. Ex…

free-crm | Remote | Misconfiguration
Feb 26, 2026 Mar 03, 2026
8.7 HIGH
CVE-2026-28280 — `osctrl-admin` has Stored Cross-Site Scripting (XSS) in On-Demand Query List

osctrl is an osquery management solution. Prior to version 0.5.0, a stored cross-site scripting (XSS) vulnerability exists in the `osctrl-admin` on-demand query list. A user with query-level permissi…

osctrl | Remote | Cross-Site Scripting
Feb 26, 2026 Feb 28, 2026
8.4 HIGH
CVE-2026-28279 — `osctrl-admin` Vulnerable to OS Command Injection via Environment Configuration

osctrl is an osquery management solution. Prior to version 0.5.0, an OS command injection vulnerability exists in the `osctrl-admin` environment configuration. An authenticated administrator can inje…

osctrl | Injection
Feb 26, 2026 Feb 28, 2026
7.5 HIGH
CVE-2026-28276 — Initiative Allows Unauthenticated Access to Uploaded Documents via Public /uploads/ Endpo…

Initiative is a self-hosted project management platform. An access control vulnerability exists in Initiative versions prior to 0.32.2 where uploaded documents are served from a publicly accessible /…

initiative | Remote | Authorization
Feb 26, 2026 Feb 27, 2026
8.1 HIGH
CVE-2026-28275 — Initiative Vulnerable to Improper Session Invalidation (JWT Remains Valid)

Initiative is a self-hosted project management platform. Versions of the application prior to 0.32.4 do not invalidate previously issued JWT access tokens after a user changes their password. As a re…

initiative | Remote | Authentication
Feb 26, 2026 Feb 27, 2026
8.7 HIGH
CVE-2026-28274 — Initiative Vulnerable to Token Theft via Stored XSS in Document Uploads

Initiative is a self-hosted project management platform. Versions of the application prior to 0.32.4 are vulnerable to Stored Cross-Site Scripting (XSS) in the document upload functionality. Any user…

initiative | Remote | Cross-Site Scripting
Feb 26, 2026 Feb 27, 2026
8.8 HIGH
CVE-2026-28269 — Kiteworks Core has an OS Command Injection

Kiteworks is a private data network (PDN). Prior to version 9.2.0, a vulnerability in Kiteworks command execution functionality allows authenticated users to redirect command output to arbitrary file …

kiteworks | Remote | Path Traversal
Feb 26, 2026 Mar 03, 2026
7.1 HIGH
CVE-2026-28230 — In SteVe, any authenticated charger can terminate any other charger's active transaction …

SteVe is an open-source EV charging station management system. In versions up to and including 3.11.0, when a charger sends a StopTransaction message, SteVe looks up the transaction solely by transac…

steve | Remote | Authorization
Feb 26, 2026 Mar 03, 2026
6.5 MEDIUM
CVE-2026-28226 — Phishing Club has Authenticated Blind SQL Injection in GetOrphaned Recipient Listing

Phishing Club is a phishing simulation and man-in-the-middle framework. Prior to version 1.30.2, an authenticated SQL injection vulnerability exists in the GetOrphaned recipient listing endpoint in v…

phishing_club | Remote | Injection
Feb 26, 2026 Mar 03, 2026
6.5 MEDIUM
CVE-2026-28225 — Manyfold has IDOR in ModelFilesController

Manyfold is an open source, self-hosted web application for managing a collection of 3D models, particularly focused on 3D printing. Prior to version 0.133.1, the `get_model` method in `ModelFilesCon…

manyfold | Remote | Authorization
Feb 26, 2026 Feb 27, 2026
6.5 MEDIUM
CVE-2026-28217 — IDOR in GraphQL userCollection Query Exposes Other Users' Private Collections

hoppscotch is an open source API development ecosystem. Prior to version 2026.2.0, the `userCollection` GraphQL query accepts an arbitrary collection ID and returns the full collection data — includi…

hoppscotch | Remote | Authorization
Feb 26, 2026 Feb 27, 2026
8.3 HIGH
CVE-2026-28216 — hoppscotch has IDOR in updateUserEnvironment / deleteUserEnvironment

hoppscotch is an open source API development ecosystem. Prior to version 2026.2.0, any logged-in user can read, modify or delete another user's personal environment by ID. `user-environments.resolver…

hoppscotch | Remote | Authorization
Feb 26, 2026 Feb 27, 2026
9.1 CRITICAL
CVE-2026-28215 — hoppscotch Vulnerable to Unauthenticated Onboarding Config Takeover

hoppscotch is an open source API development ecosystem. Prior to version 2026.2.0, an unauthenticated attacker can overwrite the entire infrastructure configuration of a self-hosted Hoppscotch instan…

hoppscotch | Remote | Authentication
Feb 26, 2026 Feb 27, 2026
9.8 CRITICAL
CVE-2026-28213 — EverShop Vulnerable to Arbitrary Customer Account Takeover via Exposure of Password Reset…

EverShop is a TypeScript-first eCommerce platform. Versions prior to 2.1.1 have a vulnerability in the "Forgot Password" functionality. When specifying a target email address, the API response return…

evershop | Remote | Authentication
Feb 26, 2026 Feb 28, 2026
7.8 HIGH
CVE-2026-28211 — Arbitrary code execution in log reader via untrusted log file

The NVDA Dev & Test Toolbox is an NVDA add-on for gathering tools to help NVDA development and testing. A vulnerability exists in versions 2.0 through 8.0 in the Log Reader feature of this add-on. A …

| Injection
Feb 26, 2026 Feb 27, 2026
5.9 MEDIUM
CVE-2026-28208 — Junrar has arbitrary file write due to backslash path traversal bypass in LocalFolderExtr…

Junrar is an open source Java RAR archive library. Prior to version 7.5.8, a backslash path traversal vulnerability in `LocalFolderExtractor` allows an attacker to write arbitrary files with attacker…

junrar | Remote | Path Traversal
Feb 26, 2026 Mar 02, 2026
7.3 HIGH
CVE-2026-28207 — Zen-C Vulnerable to Command Injection via Malicious Output Filename

Zen C is a systems programming language that compiles to human-readable GNU C/C11. Prior to version 0.4.2, a command injection vulnerability (CWE-78) in the Zen C compiler allows local attackers to e…

zen_c | Injection
Feb 26, 2026 Mar 03, 2026
4.3 MEDIUM
CVE-2026-27839 — wger: IDOR in nutritional_values endpoints exposes private dietary data via direct ORM lo…

wger is a free, open-source workout and fitness manager. In versions up to and including 2.4, three `nutritional_values` action endpoints fetch objects via `Model.objects.get(pk=pk)` — a raw ORM call…

wger | Remote | Authorization
Feb 26, 2026 Mar 03, 2026
3.5 LOW
CVE-2026-27838 — wger: IDOR via user-unscoped cache keys on routine API actions exposes workout data

wger is a free, open-source workout and fitness manager. Five routine detail action endpoints check a cache before calling `self.get_object()`. In versions up to and including 2.4, cache keys are scop…

wger | Remote | Authorization
Feb 26, 2026 Mar 03, 2026
Showing 20 of 5064 Results