Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

All Critical Actively Exploited Remotely Exploitable
Last Updated Published CVSS Score
Score
Vulnerability
Published
7.5 HIGH
CVE-2026-26275 — httpsig-hyper has Improper Digest Verification that May Allow Message Integrity Bypass

httpsig-hyper is a hyper extension for http message signatures. An issue was discovered in `httpsig-hyper` prior to version 0.0.23 where Digest header verification could incorrectly succeed due to mi…

httpsig-hyper | Remote | Cryptography
Feb 19, 2026 Mar 03, 2026
Feb 19, 2026
Mar 03, 2026
5.6 MEDIUM
CVE-2026-2738 — OpenVPN Buffer Overflow Denial of Service

Buffer overflow in ovpn‑dco‑win version 2.8.0 allows local attackers to cause a system crash by sending too large packets to the remote peer when the AEAD tag appears at the end of the encrypted pack…

ovpn-dco-win | Memory Corruption
Feb 19, 2026 Feb 20, 2026
Feb 19, 2026
Feb 20, 2026
9.8 CRITICAL
CVE-2026-27476 — RustFly 2.0.0 Command Injection via UDP Remote Control

RustFly 2.0.0 contains a command injection vulnerability in its remote UI control mechanism that accepts hex-encoded instructions over UDP port 5005 without proper sanitization. Attackers can send cr…

Remote | Injection
Feb 19, 2026 Feb 20, 2026
Feb 19, 2026
Feb 20, 2026
6.5 MEDIUM
CVE-2026-27440 — WordPress myCred plugin <= 2.9.7.6 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Saad Iqbal myCred mycred allows Stored XSS.This issue affects myCred: from n/a through <= 2.9.7.6.

Remote | Cross-Site Scripting
Feb 19, 2026 Feb 20, 2026
Feb 19, 2026
Feb 20, 2026
5.4 MEDIUM
CVE-2026-27387 — WordPress DirectoryPress plugin <= 3.6.26 - Broken Access Control vulnerability

Missing Authorization vulnerability in designinvento DirectoryPress directorypress allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects DirectoryPress: from n/a …

directorypress | Remote | Authorization
Feb 19, 2026 Feb 20, 2026
Feb 19, 2026
Feb 20, 2026
5.9 MEDIUM
CVE-2026-27368 — WordPress Coming Soon Page, Under Construction & Maintenance Mode by SeedProd plugin <= 6…

Missing Authorization vulnerability in SeedProd Coming Soon Page, Under Construction & Maintenance Mode by SeedProd coming-soon allows Exploiting Incorrectly Configured Access Control Security Levels…

Remote | Authorization
Feb 19, 2026 Feb 25, 2026
Feb 19, 2026
Feb 25, 2026
5.9 MEDIUM
CVE-2026-27360 — WordPress Photo Gallery by 10Web plugin <= 1.8.37 - Cross Site Scripting (XSS) vulnerabil…

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in 10Web Photo Gallery by 10Web photo-gallery allows Stored XSS.This issue affects Photo Gallery by …

photo_gallery | Remote | Cross-Site Scripting
Feb 19, 2026 Feb 20, 2026
Feb 19, 2026
Feb 20, 2026
7.5 HIGH
CVE-2026-27343 — WordPress Airtifact theme <= 1.2.91 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in VanKarWai Airtifact airtifact allows PHP Local File Inclusion.This issue affec…

Remote | Path Traversal
Feb 19, 2026 Feb 20, 2026
Feb 19, 2026
Feb 20, 2026
5.3 MEDIUM
CVE-2026-27328 — WordPress EduBlink theme <= 2.0.7 - Broken Access Control vulnerability

Missing Authorization vulnerability in DevsBlink EduBlink edublink allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects EduBlink: from n/a through <= 2.0.7.

Remote | Authorization
Feb 19, 2026 Feb 20, 2026
Feb 19, 2026
Feb 20, 2026
4.3 MEDIUM
CVE-2026-27327 — WordPress YayMail – WooCommerce Email Customizer plugin <= 4.3.2 - Broken Access Control …

Missing Authorization vulnerability in YayCommerce YayMail – WooCommerce Email Customizer yaymail allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects YayMail – …

Remote | Authorization
Feb 19, 2026 Feb 27, 2026
Feb 19, 2026
Feb 27, 2026
7.5 HIGH
CVE-2026-27114 — NanaZip has ROMFS Archive Infinite Loop

NanaZip is an open source file archive. Starting in version 5.0.1252.0 and prior to version 6.0.1630.0, circular `NextOffset` chains cause an infinite loop in the ROMFS archive parser. Version 6.0.16…

nanazip | Remote | Denial of Service
Feb 19, 2026 Feb 26, 2026
Feb 19, 2026
Feb 26, 2026
5.5 MEDIUM
CVE-2026-27014 — NanZip has ROMFS Archive Infinite Loop / Stack Overflow

NanaZip is an open source file archive Starting in version 5.0.1252.0 and prior to version 6.0.1630.0, circular `NextOffset` chains cause an infinite loop, and deeply nested directories cause unbound…

nanazip | Denial of Service
Feb 19, 2026 Feb 20, 2026
Feb 19, 2026
Feb 20, 2026
7.5 HIGH
CVE-2026-26313 — Go Ethereum affected by DoS via malicious p2p message

go-ethereum (geth) is a golang execution layer implementation of the Ethereum protocol. Prior to version 1.17.0, an attacker can cause high memory usage by sending a specially-crafted p2p message. Th…

go_ethereum | Remote | Denial of Service
Feb 19, 2026 Feb 23, 2026
Feb 19, 2026
Feb 23, 2026
6.5 MEDIUM
CVE-2026-26312 — Stalwart Mail Server has Out-of-Memory Denial of Service via Malformed Nested MIME Messag…

Stalwart is a mail and collaboration server. A denial-of-service vulnerability exists in Stalwart Mail Server versions 0.13.0 through 0.15.4 where accessing a specially crafted email containing malfo…

stalwart | Remote | Denial of Service
Feb 19, 2026 Feb 20, 2026
Feb 19, 2026
Feb 20, 2026
8.5 HIGH
CVE-2026-26286 — SillyTavern has Server-Side Request Forgery (SSRF) via Asset Download Endpoint that Allow…

SillyTavern is a locally installed user interface that allows users to interact with text generation large language models, image generation engines, and text-to-speech voice models. In versions prio…

sillytavern | Remote | Server-Side Request Forgery
Feb 19, 2026 Feb 20, 2026
Feb 19, 2026
Feb 20, 2026
6.6 MEDIUM
CVE-2026-26282 — NanaZip has DotNet Single file OOB Heap Read

NanaZip is an open source file archive Starting in version 5.0.1252.0 and prior to version 6.0.1630.0, NanaZip has an out-of-bounds heap read in `.NET Single File` bundle header parser due to missing…

nanazip | Memory Corruption
Feb 19, 2026 Feb 20, 2026
Feb 19, 2026
Feb 20, 2026
9.8 CRITICAL
CVE-2025-67305 — RUCKUS Network Director SSH Key Hardcoded Vulnerability

In RUCKUS Network Director (RND) < 4.5.0.56, the OVA appliance contains hardcoded SSH keys for the postgres user. These keys are identical across all deployments, allowing an attacker with network ac…

Remote | Authentication
Feb 19, 2026 Feb 23, 2026
Feb 19, 2026
Feb 23, 2026
7.6 HIGH
CVE-2026-27013 — Fabric.js Affected by Stored XSS via SVG Export

Fabric.js is a Javascript HTML5 canvas library. Prior to version 7.2.0, Fabric.js applies `escapeXml()` to text content during SVG export (`src/shapes/Text/TextSVGExportMixin.ts:186`) but fails to ap…

fabric.js | Remote | Cross-Site Scripting
Feb 19, 2026 Feb 23, 2026
Feb 19, 2026
Feb 23, 2026
8.8 HIGH
CVE-2026-26318 — systeminformation has Command Injection via Unsanitized `locate` Output in `versions()`

systeminformation is a System and OS information library for node.js. Versions prior to 5.31.0 are vulnerable to command injection via unsanitized `locate` output in `versions()`. Version 5.31.0 fixe…

systeminformation | Injection
Feb 19, 2026 Feb 20, 2026
Feb 19, 2026
Feb 20, 2026
8.4 HIGH
CVE-2026-26280 — Systeminformation has a Command Injection via unsanitized interface parameter in wifi.js …

systeminformation is a System and OS information library for node.js. In versions prior to 5.30.8, a command injection vulnerability in the `wifiNetworks()` function allows an attacker to execute arb…

systeminformation | Injection
Feb 19, 2026 Feb 20, 2026
Feb 19, 2026
Feb 20, 2026
Showing 20 of 5327 Results