Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

All Critical Actively Exploited Remotely Exploitable
Last Updated Published CVSS Score
Score
Vulnerability
Published
8.5 HIGH
CVE-2026-31817 — OliveTin's unsafe parsing of UniqueTrackingId can be used to write files

OliveTin gives access to predefined shell commands from a web interface. Prior to 3000.11.2, when the saveLogs feature is enabled, OliveTin persists execution log entries to disk. The filename used f…

Remote | Path Traversal
Mar 10, 2026 Mar 10, 2026
Mar 10, 2026
Mar 10, 2026
5.3 MEDIUM
CVE-2026-31815 — django-unicorn affected by component state manipulation via unvalidated attribute access

Unicorn adds modern reactive component functionality to your Django templates. Prior to 0.67.0, component state manipulation is possible in django-unicorn due to missing access control checks during …

Remote | Authorization
Mar 10, 2026 Mar 10, 2026
Mar 10, 2026
Mar 10, 2026
8.7 HIGH
CVE-2026-31812 — Quinn affected by unauthenticated remote DoS via panic in QUIC transport parameter parsing

Quinn is a pure-Rust, async-compatible implementation of the IETF QUIC transport protocol. Prior to 0.11.14, a remote, unauthenticated attacker can trigger a denial of service in applications using v…

Remote | Denial of Service
Mar 10, 2026 Mar 10, 2026
Mar 10, 2026
Mar 10, 2026
8.7 HIGH
CVE-2026-28807 — Path Traversal in wisp.serve_static allows arbitrary file read

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in gleam-wisp wisp allows arbitrary file read via percent-encoded path traversal. The wisp.serve_static f…

Remote | Path Traversal
Mar 10, 2026 Mar 10, 2026
Mar 10, 2026
Mar 10, 2026
9.4 CRITICAL
CVE-2026-28806 — Improper authorization in device bulk actions and device update API allows cross-organiza…

Improper Authorization vulnerability in nerves-hub nerves_hub_web allows cross-organization device control via device bulk actions and device update API. Missing authorization checks in the device b…

Remote | Authorization
Mar 10, 2026 Mar 10, 2026
Mar 10, 2026
Mar 10, 2026
7.8 HIGH
CVE-2026-27278 — Acrobat Reader | Use After Free (CWE-416)

Acrobat Reader versions 24.001.30307, 24.001.30308, 25.001.21265 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current…

| Memory Corruption
Mar 10, 2026 Mar 10, 2026
Mar 10, 2026
Mar 10, 2026
5.5 MEDIUM
CVE-2026-27221 — Acrobat Reader | Improper Certificate Validation (CWE-295)

Acrobat Reader versions 24.001.30307, 24.001.30308, 25.001.21265 and earlier are affected by an Improper Certificate Validation vulnerability that could result in a Security feature bypass. An attack…

| Cryptography
Mar 10, 2026 Mar 10, 2026
Mar 10, 2026
Mar 10, 2026
7.8 HIGH
CVE-2026-27220 — Acrobat Reader | Use After Free (CWE-416)

Acrobat Reader versions 24.001.30307, 24.001.30308, 25.001.21265 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current…

| Memory Corruption
Mar 10, 2026 Mar 10, 2026
Mar 10, 2026
Mar 10, 2026
6.4 MEDIUM
CVE-2026-31809 — SiYuan has a SVG Sanitizer Bypass via Whitespace in `javascript:` URI — Unauthenticated X…

SiYuan is a personal knowledge management system. Prior to 3.5.10, SiYuan's SVG sanitizer (SanitizeSVG) checks href attributes for the javascript: prefix using strings.HasPrefix(). However, inserting…

Remote | Cross-Site Scripting
Mar 10, 2026 Mar 10, 2026
Mar 10, 2026
Mar 10, 2026
5.3 MEDIUM
CVE-2026-31808 — file-type affected by infinite loop in ASF parser on malformed input with zero-size sub-h…

file-type detects the file type of a file, stream, or data. Prior to 21.3.1, a denial of service vulnerability exists in the ASF (WMV/WMA) file type detection parser. When parsing a crafted input whe…

Remote | Denial of Service
Mar 10, 2026 Mar 10, 2026
Mar 10, 2026
Mar 10, 2026
6.4 MEDIUM
CVE-2026-31807 — SiYuan has a SVG Sanitizer Bypass via `<animate>` Element — Unauthenticated XSS

SiYuan is a personal knowledge management system. Prior to 3.5.10, SiYuan's SVG sanitizer (SanitizeSVG) blocks dangerous elements (<script>, <iframe>, <foreignobject>) and removes on* event handlers …

Remote | Cross-Site Scripting
Mar 10, 2026 Mar 10, 2026
Mar 10, 2026
Mar 10, 2026
7.7 HIGH
CVE-2026-31801 — zot create-only policy allows overwrite attempts of existing latest tag (update permissio…

zot is ancontainer image/artifact registry based on the Open Container Initiative Distribution Specification. From 1.3.0 to 2.1.14, zot’s dist-spec authorization middleware infers the required action…

Remote | Authorization
Mar 10, 2026 Mar 10, 2026
Mar 10, 2026
Mar 10, 2026
8.8 HIGH
CVE-2026-31800 — Parse Server: Classes `_GraphQLConfig` and `_Audience` master key bypass via generic clas…

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.12 and 8.6.25, the _GraphQLConfig and _Audience internal classes can be re…

Remote | Authentication
Mar 10, 2026 Mar 10, 2026
Mar 10, 2026
Mar 10, 2026
6.9 MEDIUM
CVE-2026-30972 — Parse Server has a rate limit bypass via batch request endpoint

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior o 9.5.2-alpha.10 and 8.6.23, Parse Server's rate limiting middleware is applied at the Ex…

Remote | Denial of Service
Mar 10, 2026 Mar 10, 2026
Mar 10, 2026
Mar 10, 2026
7.6 HIGH
CVE-2026-30967 — Parse Server OAuth2 authentication adapter account takeover via identity spoofing

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.9. and 8.6.22, the OAuth2 authentication adapter, when configured without …

Remote | Authentication
Mar 10, 2026 Mar 10, 2026
Mar 10, 2026
Mar 10, 2026
10.0 CRITICAL
CVE-2026-30966 — Parse Server role escalation and CLP bypass via direct `_Join` table write

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.7 and 8.6.20, Parse Server's internal tables, which store Relation field m…

Remote | Authorization
Mar 10, 2026 Mar 10, 2026
Mar 10, 2026
Mar 10, 2026
9.9 CRITICAL
CVE-2026-30965 — Parse Server session token exfiltration via `redirectClassNameForKey` query parameter

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.8 and 8.6.21, a vulnerability in Parse Server's query handling allows an a…

Remote | Information Disclosure
Mar 10, 2026 Mar 10, 2026
Mar 10, 2026
Mar 10, 2026
7.1 HIGH
CVE-2026-30962 — Parse Server has a protected fields bypass via logical query operators

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.6 and 8.6.19, the validation for protected fields only checks top-level qu…

Remote | Authorization
Mar 10, 2026 Mar 10, 2026
Mar 10, 2026
Mar 10, 2026
5.3 MEDIUM
CVE-2026-30954 — LinkAce has a Cross-User Tag/List Attachment IDOR in processTaxonomy()

LinkAce is a self-hosted archive to collect website links. In 2.1.0 and earlier, the processTaxonomy() method in LinkRepository.php allows authenticated users to attach other users' private tags and …

Remote | Authorization
Mar 10, 2026 Mar 10, 2026
Mar 10, 2026
Mar 10, 2026
7.7 HIGH
CVE-2026-30953 — LinkAce affected by SSRF via link creation: NoPrivateIpRule not applied to LinkStoreReque…

LinkAce is a self-hosted archive to collect website links. When a user creates a link via POST /links, the server fetches HTML metadata from the provided URL (LinkRepository::create() calls HtmlMeta:…

Remote | Server-Side Request Forgery
Mar 10, 2026 Mar 10, 2026
Mar 10, 2026
Mar 10, 2026
Showing 20 of 5387 Results