Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

All Critical Actively Exploited Remotely Exploitable
Last Updated Published CVSS Score
Score
Vulnerability
Published
4.3 MEDIUM
CVE-2026-28219 — Privilege Escalation via Mass Assignment Allows Regular Users to Set Topics as Global Ban…

Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, an improper authorization check in the topic management logic allows authenticated users to modif…

discourse | Remote | Authorization
Feb 26, 2026 Mar 02, 2026
Feb 26, 2026
Mar 02, 2026
5.4 MEDIUM
CVE-2026-28218 — Discourse's Fail-Open Access Control in Data Explorer Plugin Allows Unauthorized SQL Quer…

Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, fail-open access control in Data Explorer plugin allows any authenticated user to execute SQL que…

discourse | Remote | Authorization
Feb 26, 2026 Mar 02, 2026
Feb 26, 2026
Mar 02, 2026
4.3 MEDIUM
CVE-2026-27835 — wger: IDOR in RepetitionsConfig and MaxRepetitionsConfig API leak other users' workout da…

wger is a free, open-source workout and fitness manager. In versions up to and including 2.4, `RepetitionsConfigViewSet` and `MaxRepetitionsConfigViewSet` return all users' repetition config data bec…

wger | Remote | Authorization
Feb 26, 2026 Mar 03, 2026
Feb 26, 2026
Mar 03, 2026
4.3 MEDIUM
CVE-2026-27457 — Weblate: Missing access control for the AddonViewSet API exposes all addon configurations

Weblate is a web based localization tool. Prior to version 5.16.1, the REST API's `AddonViewSet` (`weblate/api/views.py`, line 2831) uses `queryset = Addon.objects.all()` without overriding `get_quer…

weblate | Remote | Authorization
Feb 26, 2026 Feb 27, 2026
Feb 26, 2026
Feb 27, 2026
7.5 HIGH
CVE-2026-27449 — Umbraco.Engage.Forms Allows Unauthorized Access to Multiple API Endpoints

Umbraco Engage is a business intelligence platform. A vulnerability has been identified in Umbraco Engage prior to versions 16.2.1 and 17.1.1 where certain API endpoints are exposed without enforcing…

Remote | Authorization
Feb 26, 2026 Feb 27, 2026
Feb 26, 2026
Feb 27, 2026
6.1 MEDIUM
CVE-2026-27154 — Discourse has XSS when editing a malicious post

Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, a user full name can be evaluated as raw HTML when the following settings are set: `display_name_…

discourse | Remote | Cross-Site Scripting
Feb 26, 2026 Mar 02, 2026
Feb 26, 2026
Mar 02, 2026
2.7 LOW
CVE-2026-27153 — Discourse doesn't prevent moderators from exporting user Chat DMs

Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, moderators could export user Chat DMs via the CSV export endpoint by exploiting an overly permiss…

discourse | Remote | Authorization
Feb 26, 2026 Mar 02, 2026
Feb 26, 2026
Mar 02, 2026
7.1 HIGH
CVE-2026-25741 — Zulip Vulnerable to Modification of Payment Method (Stripe Default Card) by Non-Billing U…

Zulip is an open-source team collaboration tool. Prior to commit bf28c82dc9b1f630fa8e9106358771b20a0040f7, the API endpoint for creating a card update session during an upgrade flow was accessible to…

zulip_server | Remote | Authorization
Feb 26, 2026 Feb 27, 2026
Feb 26, 2026
Feb 27, 2026
4.9 MEDIUM
CVE-2026-27162 — DIscourse doesn't prevent whispers to leak in excerpts

Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, `posts_nearby` was checking topic access but then returning all posts regardless of type, includi…

discourse | Remote | Authorization
Feb 26, 2026 Mar 02, 2026
Feb 26, 2026
Mar 02, 2026
3.8 LOW
CVE-2026-27152 — DIscourse has DM communication-preference bypass when adding members

Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, DM communication-preference bypass when adding members via `Chat::AddUsersToChannel` — a user cou…

discourse | Remote | Authorization
Feb 26, 2026 Mar 02, 2026
Feb 26, 2026
Mar 02, 2026
2.7 LOW
CVE-2026-27151 — Discourse doesn't validate destination topic when moving posts

Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, the `move_posts` action only checked `can_move_posts?` on the source topic but never validated wr…

discourse | Remote | Authorization
Feb 26, 2026 Mar 02, 2026
Feb 26, 2026
Mar 02, 2026
3.8 LOW
CVE-2026-27150 — Discourse doesn't ensure guardian check when creating QueryGroupBookmark

Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, missing `validate_before_create` authorization in Data Explorer's `QueryGroupBookmarkable` allows…

discourse | Remote | Authorization
Feb 26, 2026 Mar 02, 2026
Feb 26, 2026
Mar 02, 2026
6.5 MEDIUM
CVE-2026-27149 — Discourse has SQL injection in PM tag filtering

Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, SQL injection in PM tag filtering (`list_private_messages_tag`) allows bypassing tag filter condi…

discourse | Remote | Injection
Feb 26, 2026 Mar 02, 2026
Feb 26, 2026
Mar 02, 2026
6.9 MEDIUM
CVE-2026-27021 — Discourse: Poll voters endpoint lacked post visibility checks

Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, the voters endpoint in the poll plugin lacked post visibility checks which allowed unauthorized a…

discourse | Remote | Authorization
Feb 26, 2026 Mar 02, 2026
Feb 26, 2026
Mar 02, 2026
9.8 CRITICAL
CVE-2026-22207 — OpenViking Missing root_api_key Allows Anonymous ROOT Access

OpenViking through version 0.1.18, prior to commit 0251c70, contains a broken access control vulnerability that allows unauthenticated attackers to gain ROOT privileges when the root_api_key configur…

Remote | Authorization
Feb 26, 2026 Mar 02, 2026
Feb 26, 2026
Mar 02, 2026
8.8 HIGH
CVE-2026-22206 — SPIP < 4.4.10 SQL Injection RCE via Union & PHP Tags

SPIP versions prior to 4.4.10 contain a SQL injection vulnerability that allows authenticated low-privilege users to execute arbitrary SQL queries by manipulating union-based injection techniques. At…

spip saisies | Remote | Injection
Feb 26, 2026 Mar 02, 2026
Feb 26, 2026
Mar 02, 2026
8.7 HIGH
CVE-2026-22205 — SPIP < 4.4.10 Authentication Bypass via PHP Type Juggling

SPIP versions prior to 4.4.10 contain an authentication bypass vulnerability caused by PHP type juggling that allows unauthenticated attackers to access protected information. Attackers can exploit l…

spip saisies | Remote | Authentication
Feb 26, 2026 Mar 02, 2026
Feb 26, 2026
Mar 02, 2026
8.3 HIGH
CVE-2023-31364 — VMware VMX Denial of Service

Improper handling of direct memory writes in the input-output memory management unit could allow a malicious guest virtual machine (VM) to flood a host with writes, potentially causing a fatal machin…

Remote | Memory Corruption
Feb 26, 2026 Feb 27, 2026
Feb 26, 2026
Feb 27, 2026
9.6 CRITICAL
CVE-2026-27510 — Unitree Go2 Mobile Program Tampering Enables Root RCE

Unitree Go2 firmware versions 1.1.7 through 1.1.11, when used with the Unitree Go2 Android application (com.unitree.doggo2), are vulnerable to remote code execution due to missing integrity protectio…

Remote | Information Disclosure
Feb 26, 2026 Feb 27, 2026
Feb 26, 2026
Feb 27, 2026
8.5 HIGH
CVE-2026-27509 — Unitree Go2 Missing DDS Authentication Enables Adjacent RCE

Unitree Go2 firmware versions V1.1.7 through V1.1.9 and V1.1.11 (EDU) do not implement DDS authentication or authorization for the Eclipse CycloneDDS topic rt/api/programming_actuator/request handled…

| Authentication
Feb 26, 2026 Feb 27, 2026
Feb 26, 2026
Feb 27, 2026
Showing 20 of 5066 Results