Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

All Critical Actively Exploited Remotely Exploitable
Last Updated Published CVSS Score
Score
Vulnerability
Published
6.5 MEDIUM
CVE-2026-3209 — fosrl Pangolin Role verifyApiKeyRoleAccess access control

A vulnerability has been found in fosrl Pangolin up to 1.15.4-s.3. This affects the function verifyRoleAccess/verifyApiKeyRoleAccess of the component Role Handler. The manipulation leads to improper …

Remote | Authorization
Feb 25, 2026 Mar 08, 2026
Feb 25, 2026
Mar 08, 2026
10.0 CRITICAL
CVE-2026-27613 — CGI Parameter Injection (Bypass of STRICT_CGI_PARAMS and EscapeShellParam)

TinyWeb is a web server (HTTP, HTTPS) written in Delphi for Win32. A vulnerability in versions prior to 2.01 allows unauthenticated remote attackers to bypass the web server's CGI parameter security …

tinyweb | Remote | Authorization
Feb 25, 2026 Mar 04, 2026
Feb 25, 2026
Mar 04, 2026
8.5 HIGH
CVE-2026-27578 — n8n Vulnerable to Stored XSS via Various Nodes

n8n is an open source workflow automation platform. Prior to versions 2.10.1, 2.9.3, and 1.123.22, an authenticated user with permission to create or modify workflows could inject arbitrary scripts i…

n8n | Remote | Cross-Site Scripting
Feb 25, 2026 Mar 04, 2026
Feb 25, 2026
Mar 04, 2026
9.9 CRITICAL
CVE-2026-27577 — n8n: Expression Sandbox Escape Leads to RCE

n8n is an open source workflow automation platform. Prior to versions 2.10.1, 2.9.3, and 1.123.22, additional exploits in the expression evaluation of n8n have been identified and patched following C…

n8n | Remote | Injection
Feb 25, 2026 Mar 04, 2026
Feb 25, 2026
Mar 04, 2026
9.0 CRITICAL
CVE-2026-27498 — n8n has Arbitrary Command Execution via File Write and Git Operations

n8n is an open source workflow automation platform. Prior to versions 2.2.0 and 1.123.8, an authenticated user with permission to create or modify workflows could chain the Read/Write Files from Disk…

n8n | Remote | Authentication
Feb 25, 2026 Mar 04, 2026
Feb 25, 2026
Mar 04, 2026
9.4 CRITICAL
CVE-2026-27497 — n8n has Potential Remote Code Execution via Merge Node

n8n is an open source workflow automation platform. Prior to versions 2.10.1, 2.9.3, and 1.123.22, an authenticated user with permission to create or modify workflows could leverage the Merge node's …

n8n | Remote | Injection
Feb 25, 2026 Mar 04, 2026
Feb 25, 2026
Mar 04, 2026
9.9 CRITICAL
CVE-2026-27495 — n8n has a Sandbox Escape in its JavaScript Task Runner

n8n is an open source workflow automation platform. Prior to versions 2.10.1, 2.9.3, and 1.123.22, an authenticated user with permission to create or modify workflows could exploit a vulnerability in…

n8n | Remote | Misconfiguration
Feb 25, 2026 Mar 04, 2026
Feb 25, 2026
Mar 04, 2026
9.9 CRITICAL
CVE-2026-27494 — n8n has Arbitrary File Read via Python Code Node Sandbox Escape

n8n is an open source workflow automation platform. Prior to versions 2.10.1, 2.9.3, and 1.123.22, an authenticated user with permission to create or modify workflows could use the Python Code node t…

n8n | Remote | Injection
Feb 25, 2026 Mar 05, 2026
Feb 25, 2026
Mar 05, 2026
9.5 CRITICAL
CVE-2026-27493 — n8n has Unauthenticated Expression Evaluation via Form Node

n8n is an open source workflow automation platform. Prior to versions 2.10.1, 2.9.3, and 1.123.22, a second-order expression injection vulnerability existed in n8n's Form nodes that could allow an un…

n8n | Remote | Injection
Feb 25, 2026 Mar 05, 2026
Feb 25, 2026
Mar 05, 2026
5.4 MEDIUM
CVE-2026-2694 — The Events Calendar <= 6.15.16 - Improper Authorization to Authenticated (Contributor+) E…

The The Events Calendar plugin for WordPress is vulnerable to unauthorized modification of data and loss of data due to an improper capability check on the 'can_edit' and 'can_delete' function in all…

Remote | Authorization
Feb 25, 2026 Feb 27, 2026
Feb 25, 2026
Feb 27, 2026
7.5 HIGH
CVE-2026-27951 — FreeRDP has possible Integer overflow in Stream_EnsureCapacity

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, the function `Stream_EnsureCapacity` can create an endless blocking loop. This may affect all client and serv…

freerdp | Remote | Denial of Service
Feb 25, 2026 Feb 27, 2026
Feb 25, 2026
Feb 27, 2026
7.5 HIGH
CVE-2026-27950 — FreeRDP heap-use-after-free in update_pointer_new(SDL): Fix Applied in the Wrong File

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, the fix for the heap-use-after-free described in CVE-2026-24680 is incomplete. While the vulnerable execution…

freerdp | Remote | Memory Corruption
Feb 25, 2026 Feb 27, 2026
Feb 25, 2026
Feb 27, 2026
7.2 HIGH
CVE-2026-27819 — Vikunja has Path Traversal in CLI Restore

Vikunja is an open-source self-hosted task management platform. Prior to version 2.0.0, the restoreConfig function in vikunja/pkg/modules/dump/restore.go of the go-vikunja/vikunja repository fails to…

vikunja | Remote | Path Traversal
Feb 25, 2026 Mar 05, 2026
Feb 25, 2026
Mar 05, 2026
7.3 HIGH
CVE-2026-27616 — Vikunja Vulnerable to Stored Cross-Site Scripting (XSS) via Unsanitized SVG Attachment Up…

Vikunja is an open-source self-hosted task management platform. Prior to version 2.0.0, the application allows users to upload SVG files as task attachments. SVG is an XML-based format that supports …

vikunja | Remote | Cross-Site Scripting
Feb 25, 2026 Mar 05, 2026
Feb 25, 2026
Mar 05, 2026
9.1 CRITICAL
CVE-2026-27575 — Vijkunja has Weak Password Policy Combined with Persistent Sessions After Password Change

Vikunja is an open-source self-hosted task management platform. Prior to version 2.0.0, the application allows users to set weak passwords (e.g., 1234, password) without enforcing minimum strength re…

vikunja | Remote | Authentication
Feb 25, 2026 Mar 05, 2026
Feb 25, 2026
Mar 05, 2026
9.6 CRITICAL
CVE-2026-27148 — Storybook Dev Server Vulnerable to WebSocket Hijacking

Storybook is a frontend workshop for building user interface components and pages in isolation. Prior to versions 7.6.23, 8.6.17, 9.1.19, and 10.2.10, the WebSocket functionality in Storybook's dev s…

storybook | Remote | Cross-Site Scripting
Feb 25, 2026 Mar 10, 2026
Feb 25, 2026
Mar 10, 2026
6.1 MEDIUM
CVE-2026-27116 — Vikunja has Reflected HTML Injection via filter Parameter in Projects Module

Vikunja is an open-source self-hosted task management platform. Prior to version 2.0.0, a reflected HTML injection vulnerability exists in the Projects module where the `filter` URL parameter is rend…

vikunja | Remote | Cross-Site Scripting
Feb 25, 2026 Mar 05, 2026
Feb 25, 2026
Mar 05, 2026
7.5 HIGH
CVE-2026-26986 — FreeRDP has heap-use-after-free in rail_window_free

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `rail_window_free` dereferences a freed `xfAppWindow` pointer during `HashTable_Free` cleanup because `xf_rai…

freerdp | Remote | Memory Corruption
Feb 25, 2026 Feb 27, 2026
Feb 25, 2026
Feb 27, 2026
8.1 HIGH
CVE-2026-26985 — LORIS vulnerable to path traversal in electrophysiology_browser

LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data- and project-management for neuroimaging research. Starting in version 24.0.0 and prior to …

loris | Remote | Path Traversal
Feb 25, 2026 Mar 05, 2026
Feb 25, 2026
Mar 05, 2026
8.8 HIGH
CVE-2026-26984 — LORIS media module vulnerable to remote code execution

LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data- and project-management for neuroimaging research. Prior to versions 26.0.5, 27.0.2, and 28…

loris | Remote | Path Traversal
Feb 25, 2026 Mar 05, 2026
Feb 25, 2026
Mar 05, 2026
Showing 20 of 5313 Results