Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

All Critical Actively Exploited Remotely Exploitable
Last Updated Published CVSS Score
Score
Vulnerability
Published
9.9 CRITICAL
CVE-2026-24849 — OpenEMR Arbitrary File Read Vulnerability

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 7.0.4, the `disposeDocument()` method in `EtherFaxActions.php` allows authent…

openemr | Remote | Path Traversal
Feb 25, 2026 Feb 25, 2026
Feb 25, 2026
Feb 25, 2026
6.1 MEDIUM
CVE-2026-24847 — OpenEMR has Open Redirect in Eye Exam Form

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, the Eye Exam form module allows any authenticated user to be redirecte…

openemr | Remote | Misconfiguration
Feb 25, 2026 Feb 26, 2026
Feb 25, 2026
Feb 26, 2026
6.1 MEDIUM
CVE-2026-21443 — OpenEMR allows inconsistent escaping of translation function output

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, the `xl()` translation function returns unescaped strings. While wrapp…

openemr | Remote | Cross-Site Scripting
Feb 25, 2026 Feb 26, 2026
Feb 25, 2026
Feb 26, 2026
8.7 HIGH
CVE-2025-69231 — OpenEMR has a Stored XSS in GAD-7 Form that Enables Session Hijacking and Privilege Escal…

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, a stored cross-site scripting vulnerability in the GAD-7 anxiety asses…

openemr | Remote | Cross-Site Scripting
Feb 25, 2026 Feb 25, 2026
Feb 25, 2026
Feb 25, 2026
7.2 HIGH
CVE-2025-68277 — OpenEMR allows links sent via Secure Messaging to be opened in OpenEMR and Portal

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 7.0.4, when a link is sent via Secure Messaging, clicking the link opens the …

openemr | Information Disclosure
Feb 25, 2026 Feb 25, 2026
Feb 25, 2026
Feb 25, 2026
8.1 HIGH
CVE-2025-67752 — OpenEMR Has Disabled SSL Certificate Verification in HTTP Client

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 7.0.4, OpenEMR's HTTP client wrapper (`oeHttp`/`oeHttpRequest`) disables SSL/…

openemr | Remote | Misconfiguration
Feb 25, 2026 Feb 25, 2026
Feb 25, 2026
Feb 25, 2026
7.8 HIGH
CVE-2026-3137 — CodeAstro Food Ordering System food_ordering.exe stack-based overflow

A security vulnerability has been detected in CodeAstro Food Ordering System 1.0. This affects an unknown function of the file food_ordering.exe. Such manipulation leads to stack-based buffer overflo…

food_ordering_system | Memory Corruption
Feb 25, 2026 Feb 25, 2026
Feb 25, 2026
Feb 25, 2026
9.8 CRITICAL
CVE-2026-3135 — itsourcecode News Portal Project add-category.php sql injection

A weakness has been identified in itsourcecode News Portal Project 1.0. The impacted element is an unknown function of the file /admin/add-category.php. This manipulation of the argument Category cau…

news_portal_project | Remote | Injection
Feb 25, 2026 Feb 25, 2026
Feb 25, 2026
Feb 25, 2026
7.1 HIGH
CVE-2026-27598 — Dagu: Path traversal in DAG creation allows arbitrary YAML file write outside DAGs direct…

Dagu is a workflow engine with a built-in Web user interface. In versions up to and including 1.16.7, the `CreateNewDAG` API endpoint (`POST /api/v1/dags`) does not validate the DAG name before passi…

dagu | Remote | Path Traversal
Feb 25, 2026 Feb 25, 2026
Feb 25, 2026
Feb 25, 2026
8.5 HIGH
CVE-2025-67491 — OpenEMR has Stored XSS in ub04 helper

OpenEMR is a free and open source electronic health records and medical practice management application. Versions 5.0.0.5 through 7.0.3.4 have a stored cross-site scripting vulnerability in the ub04 …

openemr | Remote | Cross-Site Scripting
Feb 25, 2026 Feb 25, 2026
Feb 25, 2026
Feb 25, 2026
9.8 CRITICAL
CVE-2026-3134 — itsourcecode News Portal Project edit-category.php sql injection

A security flaw has been discovered in itsourcecode News Portal Project 1.0. The affected element is an unknown function of the file /newsportal/admin/edit-category.php. The manipulation of the argum…

news_portal_project | Remote | Injection
Feb 25, 2026 Feb 25, 2026
Feb 25, 2026
Feb 25, 2026
9.8 CRITICAL
CVE-2026-3133 — itsourcecode Document Management System Login loging.php sql injection

A vulnerability has been found in itsourcecode Document Management System 1.0. This issue affects some unknown processing of the file /loging.php of the component Login. The manipulation of the argum…

document_management_system | Remote | Injection
Feb 25, 2026 Feb 25, 2026
Feb 25, 2026
Feb 25, 2026
4.8 MEDIUM
CVE-2026-26351 — GetSimpleCMS-CE < 3.3.22 Stored XSS via components.php

GetSimpleCMS Community Edition (CE) version 3.3.16 contains a stored cross-site scripting (XSS) vulnerability in the Theme to Components functionality within components.php. User-supplied input provi…

getsimplecms getsimple_cms | Remote | Cross-Site Scripting
Feb 24, 2026 Feb 26, 2026
Feb 24, 2026
Feb 26, 2026
9.3 CRITICAL
CVE-2026-27593 — Statamic is vulnerable to account takeover via password reset link injection

Statmatic is a Laravel and Git powered content management system (CMS). Prior to versions 6.3.3 and 5.73.10, an attacker may leverage a vulnerability in the password reset feature to capture a user's…

statamic | Remote | Authentication
Feb 24, 2026 Feb 25, 2026
Feb 24, 2026
Feb 25, 2026
7.5 HIGH
CVE-2026-27572 — Wasmtime can panic when adding excessive fields to a `wasi:http/types.fields` instance

Wasmtime is a runtime for WebAssembly. Prior to versions 24.0.6, 36.0.6, 4.0.04, 41.0.4, and 42.0.0, Wasmtime's implementation of the `wasi:http/types.fields` resource is susceptible to panics when t…

wasmtime | Remote | Denial of Service
Feb 24, 2026 Feb 25, 2026
Feb 24, 2026
Feb 25, 2026
6.9 MEDIUM
CVE-2026-27204 — Wasmtime WASI implementations are vulnerable to guest-controlled resource exhaustion

Wasmtime is a runtime for WebAssembly. Prior to versions 24.0.6, 36.0.6, 4.0.04, 41.0.4, and 42.0.0, Wasmtime's implementation of WASI host interfaces are susceptible to guest-controlled resource exh…

wasmtime | Remote | Denial of Service
Feb 24, 2026 Feb 25, 2026
Feb 24, 2026
Feb 25, 2026
7.5 HIGH
CVE-2026-27195 — Wasmtime is vulnerable to panic when dropping a `[Typed]Func::call_async` future

Wasmtime is a runtime for WebAssembly. Starting with Wasmtime 39.0.0, the `component-model-async` feature became the default, which brought with it a new implementation of `[Typed]Func::call_async` w…

wasmtime | Remote | Denial of Service
Feb 24, 2026 Feb 25, 2026
Feb 24, 2026
Feb 25, 2026
7.5 HIGH
CVE-2026-27117 — bit7z has a path traversal vulnerability

bit7z is a cross-platform C++ static library that allows the compression/extraction of archive files. Prior to version 4.0.11, a path traversal vulnerability ("Zip Slip") exists in bit7z's archive ex…

bit7z | Remote | Path Traversal
Feb 24, 2026 Feb 25, 2026
Feb 24, 2026
Feb 25, 2026
7.5 HIGH
CVE-2026-25899 — Fiber is Vulnerable to Denial of Service via Flash Cookie Unbounded Allocation

Fiber is an Express inspired web framework written in Go. In versions on the v3 branch prior to 3.1.0, the use of the `fiber_flash` cookie can force an unbounded allocation on any server. A crafted 1…

fiber | Remote | Denial of Service
Feb 24, 2026 Feb 25, 2026
Feb 24, 2026
Feb 25, 2026
7.7 HIGH
CVE-2026-25891 — Fiber has an Arbitrary File Read in Static Middleware on Windows

Fiber is an Express inspired web framework written in Go. A Path Traversal (CWE-22) vulnerability in Fiber allows a remote attacker to bypass the static middleware sanitizer and read arbitrary files …

fiber | Remote | Path Traversal
Feb 24, 2026 Feb 27, 2026
Feb 24, 2026
Feb 27, 2026
Showing 20 of 5387 Results