Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score | Vulnerability | Published
9.1 CRITICAL
CVE-2026-27809 — psd-tools: Compression module has unguarded zlib decompression, missing dimension validat…

psd-tools is a Python package for working with Adobe Photoshop PSD files. Prior to version 1.12.2, when a PSD file contains malformed RLE-compressed image data (e.g. a literal run that extends past t…

psd-tools | Remote | Information Disclosure
Feb 26, 2026 Mar 02, 2026
8.6 HIGH
CVE-2026-27808 — Mailpit is Vulnerable to Server-Side Request Forgery (SSRF) via Link Check API

Mailpit is an email testing tool and API for developers. Prior to version 1.29.2, the Link Check API (/api/v1/message/{ID}/link-check) is vulnerable to Server-Side Request Forgery (SSRF). The server …

mailpit | Remote | Server-Side Request Forgery
Feb 26, 2026 Feb 28, 2026
9.3 CRITICAL
CVE-2026-27804 — Parse Server: Account takeover via JWT algorithm confusion in Google auth adapter

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.3 and 9.1.1-alpha.4, an unauthenticated attacker can forge a Google authe…

parse-server | Remote | Authentication
Feb 26, 2026 Mar 04, 2026
7.4 HIGH
CVE-2026-27800 — Zed has Zip Slip Path Traversal in Extension Archive Extraction

Zed, a code editor, has a Zip Slip (Path Traversal) vulnerability in its extension archive extraction functionality prior to version 0.224.4. The `extract_zip()` function in `crates/util/src/a…

zed | Remote | Path Traversal
Feb 26, 2026 Mar 04, 2026
4.4 MEDIUM
CVE-2026-27799 — ImageMagick has a heap Buffer Over-read in its DJVU image format handler

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, a heap buffer over-read vulnerability exists in the DJVU image…

imagemagick magick.net | Memory Corruption
Feb 26, 2026 Feb 27, 2026
7.1 HIGH
CVE-2026-27798 — ImageMagick: Heap Buffer Over-read in WaveletDenoise when processing small images

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, a heap buffer over-read vulnerability occurs when processing a…

imagemagick magick.net | Memory Corruption
Feb 26, 2026 Feb 27, 2026
6.4 MEDIUM
CVE-2026-27735 — mcp-server-git: Path traversal in git_add allows staging files outside repository bounda…

Model Context Protocol Servers is a collection of reference implementations for the model context protocol (MCP). In mcp-server-git versions prior to 2026.1.14, the git_add tool did not validate that…

Remote | Path Traversal
Feb 26, 2026 Feb 27, 2026
6.6 MEDIUM
CVE-2026-27711 — NanaZip UFS Archive Parser Memory Corruption via Unvalidated Directory Record Length

NanaZip is an open source file archive. Starting in version 5.0.1252.0 and prior to versions 6.0.1638.0 and 6.5.1638.0, a memory corruption vulnerability in NanaZip’s UFS parser allows a crafted `.uf…

nanazip | Memory Corruption
Feb 26, 2026 Feb 27, 2026
5.1 MEDIUM
CVE-2026-27710 — NanaZip .NET Single-File Parser Integer Underflow Leads to Unbounded Allocation (DoS)

NanaZip is an open source file archive. Starting in version 5.0.1252.0 and prior to versions 6.0.1638.0 and 6.5.1638.0, a denial-of-service vulnerability exists in NanaZip’s `.NET Single File Applica…

nanazip | Denial of Service
Feb 26, 2026 Feb 27, 2026
6.6 MEDIUM
CVE-2026-27709 — NanaZip .NET Single-File Manifest Parser Vulnerable to Out-of-Bounds Read via Unchecked R…

NanaZip is an open source file archive. Starting in version 5.0.1252.0 and prior to versions 6.0.1638.0 and 6.5.1638.0, NanaZip’s `.NET Single File Application` parser has an out-of-bounds read vulne…

nanazip | Memory Corruption
Feb 26, 2026 Feb 27, 2026
8.8 HIGH
CVE-2026-27635 — Manyfold vulnerable to OS command injection via ZIP filename in f3d render

Manyfold is an open source, self-hosted web application for managing a collection of 3d models, particularly focused on 3d printing. Prior to version 0.133.0, when model render generation is enabled,…

manyfold | Remote | Injection
Feb 26, 2026 Feb 27, 2026
8.7 HIGH
CVE-2026-27633 — TinyWeb has Unbounded Content-Length Memory Exhaustion (DoS)

TinyWeb is a web server (HTTP, HTTPS) written in Delphi for Win32. Versions prior to version 2.02 have a Denial of Service (DoS) vulnerability via memory exhaustion. Unauthenticated remote attackers …

tinyweb | Remote | Denial of Service
Feb 26, 2026 Feb 28, 2026
8.7 HIGH
CVE-2026-27630 — TinyWeb vulnerable to Remote Denial of Service via Thread/Connection Exhaustion (Slowlori…

TinyWeb is a web server (HTTP, HTTPS) written in Delphi for Win32. Versions prior to version 2.02 are vulnerable to a Denial of Service (DoS) attack known as Slowloris. The server spawns a new OS thr…

tinyweb | Remote | Denial of Service
Feb 26, 2026 Feb 28, 2026
8.8 HIGH
CVE-2026-26186 — Fleet has a SQL injection via backtick escape in ORDER BY parameter

Fleet is open source device management software. A SQL injection vulnerability in versions prior to 4.80.1 allowed authenticated users to inject arbitrary SQL expressions via the `order_key` query pa…

fleet | Remote | Injection
Feb 26, 2026 Mar 02, 2026
6.5 MEDIUM
CVE-2026-3209 — fosrl Pangolin Role verifyApiKeyRoleAccess access control

A vulnerability has been found in fosrl Pangolin up to 1.15.4-s.3. This affects the function verifyRoleAccess/verifyApiKeyRoleAccess of the component Role Handler. The manipulation leads to improper …

Remote | Authorization
Feb 25, 2026 Mar 08, 2026
10.0 CRITICAL
CVE-2026-27613 — CGI Parameter Injection (Bypass of STRICT_CGI_PARAMS and EscapeShellParam)

TinyWeb is a web server (HTTP, HTTPS) written in Delphi for Win32. A vulnerability in versions prior to 2.01 allows unauthenticated remote attackers to bypass the web server's CGI parameter security …

tinyweb | Remote | Authorization
Feb 25, 2026 Mar 04, 2026
8.5 HIGH
CVE-2026-27578 — n8n Vulnerable to Stored XSS via Various Nodes

n8n is an open source workflow automation platform. Prior to versions 2.10.1, 2.9.3, and 1.123.22, an authenticated user with permission to create or modify workflows could inject arbitrary scripts i…

n8n | Remote | Cross-Site Scripting
Feb 25, 2026 Mar 04, 2026
9.9 CRITICAL
CVE-2026-27577 — n8n: Expression Sandbox Escape Leads to RCE

n8n is an open source workflow automation platform. Prior to versions 2.10.1, 2.9.3, and 1.123.22, additional exploits in the expression evaluation of n8n have been identified and patched following C…

n8n | Remote | Injection
Feb 25, 2026 Mar 04, 2026
9.0 CRITICAL
CVE-2026-27498 — n8n has Arbitrary Command Execution via File Write and Git Operations

n8n is an open source workflow automation platform. Prior to versions 2.2.0 and 1.123.8, an authenticated user with permission to create or modify workflows could chain the Read/Write Files from Disk…

n8n | Remote | Authentication
Feb 25, 2026 Mar 04, 2026
9.4 CRITICAL
CVE-2026-27497 — n8n has Potential Remote Code Execution via Merge Node

n8n is an open source workflow automation platform. Prior to versions 2.10.1, 2.9.3, and 1.123.22, an authenticated user with permission to create or modify workflows could leverage the Merge node's …

n8n | Remote | Injection
Feb 25, 2026 Mar 04, 2026
Showing 20 of 5066 Results