Latest CVE Feed
Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.
The SPIP interface_traduction_objets plugin versions prior to 2.2.2 contain an authenticated SQL injection vulnerability in interface_traduction_objets_pipelines.php. When handling translation reques…
The SPIP jeux plugin versions prior to 4.1.1 contain a reflected cross-site scripting (XSS) vulnerability in the pre_propre pipeline. The plugin incorporates untrusted request parameters into HTML ou…
The SPIP interface_traduction_objets plugin versions prior to 2.2.2 contain an authenticated remote code execution vulnerability in the translation interface workflow. The plugin incorporates untrust…
The SPIP tickets plugin versions prior to 4.3.3 contain an unauthenticated remote code execution vulnerability in the forum preview handling for public ticket pages. The plugin appends untrusted requ…
The SPIP referer_spam plugin versions prior to 1.3.0 contain an unauthenticated SQL injection vulnerability in the referer_spam_ajouter and referer_spam_supprimer action handlers. The handlers read t…
Flask-Reuploaded provides file uploads for Flask. A critical path traversal and extension bypass vulnerability in versions prior to 1.5.0 allows remote attackers to achieve arbitrary file write and r…
tfplan2md is software for converting Terraform plan JSON files into human-readable Markdown reports. Prior to version 1.26.1, a bug in tfplan2md affected several distinct rendering paths: AzApi resou…
Mercator is an open source web application designed to enable mapping of information systems. A stored Cross-Site Scripting (XSS) vulnerability exists in Mercator prior to version 2026.02.22 due to t…
FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to version 1.8.206, FreeScout's `TokenAuth` middleware uses a predictable authentication token computed as `MD…
FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to version 1.8.206, FreeScout's file upload restriction list in `app/Misc/Helper.php` does not include `.htacc…
Karakeep is a elf-hostable bookmark-everything app. In version 0.30.0, when the Reddit metascraper plugin returns `readableContentHtml`, the HTML parsing subprocess uses it directly without running i…
Enclave is a secure JavaScript sandbox designed for safe AI agent code execution. Prior to version 2.11.1, it is possible to escape the security boundraries set by `@enclave-vm/core`, which can be us…
A vulnerability has been found in libvips up to 8.18.0. The impacted element is the function vips_foreign_load_matrix_header of the file libvips/foreign/matrixload.c. The manipulation leads to null p…
A flaw has been found in libvips up to 8.18.0. The affected element is the function vips_foreign_load_matrix_file_is_a/vips_foreign_load_matrix_header of the file libvips/foreign/matrixload.c. Execut…
RustFS is a distributed object storage system built in Rust. Prior to version 1.0.0-alpha.83, a Stored Cross-Site Scripting (XSS) vulnerability in the RustFS Console allows an attacker to execute arb…
Talishar is a fan-made Flesh and Blood project. Prior to commit 6be3871a14c192d1fb8146cdbc76f29f27c1cf48, the Talishar application lacks Cross-Site Request Forgery (CSRF) protections on critical stat…
InvenTree is an Open Source Inventory Management System. Prior to version 1.2.3, insecure server-side templates can be hijacked to expose secure information to the client. When generating custom batc…
pypdf is a free and open-source pure-python PDF library. Prior to 6.7.2, an attacker who uses this vulnerability can craft a PDF which leads to an infinite loop. This requires reading the file. This …
OliveTin gives access to predefined shell commands from a web interface. In versions up to and including 3000.10.0, OliveTin's shell mode safety check (`checkShellArgumentSafety`) blocks several dang…
TypiCMS is a multilingual content management system based on the Laravel framework. A Stored Cross-Site Scripting (XSS) vulnerability exists in the file upload module of TypiCMS prior to version 16.1…