Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

All Critical Actively Exploited Remotely Exploitable
Last Updated Published CVSS Score
Score
Vulnerability
Published
6.5 MEDIUM
CVE-2026-30973 — Zip Slip arbitrary file write in @appium/support ZIP extraction

Appium is an automation framework that provides WebDriver-based automation possibilities for a wide range platforms. Prior to 7.0.6, @appium/support contains a ZIP extraction implementation (extractA…

Remote | Path Traversal
Mar 10, 2026 Mar 10, 2026
Mar 10, 2026
Mar 10, 2026
8.8 HIGH
CVE-2026-30970 — Session authentication bypass in Coral Server session creation endpoint

Coral Server is open collaboration infrastructure that enables communication, coordination, trust and payments for The Internet of Agents. Prior to 1.1.0, Coral Server allowed the creation of agent s…

Remote | Authentication
Mar 10, 2026 Mar 10, 2026
Mar 10, 2026
Mar 10, 2026
7.6 HIGH
CVE-2026-30969 — Coral Server has insufficient agent authentication in session communication channels

Coral Server is open collaboration infrastructure that enables communication, coordination, trust and payments for The Internet of Agents. Prior to 1.1.0, Coral Server did not enforce strong authenti…

Remote | Authentication
Mar 10, 2026 Mar 10, 2026
Mar 10, 2026
Mar 10, 2026
8.6 HIGH
CVE-2026-30968 — Coral Server has insufficient validation of agent identity for SSE connections

Coral Server is open collaboration infrastructure that enables communication, coordination, trust and payments for The Internet of Agents. Prior to 1.1.0, the SSE endpoint (/sse/v1/...) in Coral Serv…

Remote | Authentication
Mar 10, 2026 Mar 10, 2026
Mar 10, 2026
Mar 10, 2026
5.4 MEDIUM
CVE-2026-30964 — Webauthn Framework: allowed_origins collapses URL-like origins to host-only values, bypas…

web-auth/webauthn-lib is an open source set of PHP libraries and a Symfony bundle to allow developers to integrate that authentication mechanism into their web applications. Prior to 5.2.4, when allo…

Remote | Authentication
Mar 10, 2026 Mar 10, 2026
Mar 10, 2026
Mar 10, 2026
9.4 CRITICAL
CVE-2026-30960 — RSSN has Arbitrary Code Execution via Unvalidated JIT Instruction Generation in C-FFI Int…

rssn is a scientific computing library for Rust, combining a high-performance symbolic computation engine with numerical methods support and physics simulations functionalities. The vulnerability exi…

| Injection
Mar 10, 2026 Mar 10, 2026
Mar 10, 2026
Mar 10, 2026
5.3 MEDIUM
CVE-2026-30959 — OneUptime has WhatsApp Resend Verification Authorization Bypass

OneUptime is a solution for monitoring and managing online services. The resend-verification-code endpoint allows any authenticated user to trigger a verification code resend for any UserWhatsApp rec…

Remote | Authorization
Mar 10, 2026 Mar 10, 2026
Mar 10, 2026
Mar 10, 2026
7.2 HIGH
CVE-2026-30958 — OneUptime: Path Traversal — Arbitrary File Read (No Auth)

OneUptime is a solution for monitoring and managing online services. Prior to 10.0.21, an unauthenticated path traversal in the /workflow/docs/:componentName endpoint allows reading arbitrary files f…

oneuptime | Remote | Path Traversal
Mar 10, 2026 Mar 10, 2026
Mar 10, 2026
Mar 10, 2026
9.9 CRITICAL
CVE-2026-30957 — OneUptime Synthetic Monitor RCE via exposed Playwright browser object

OneUptime is a solution for monitoring and managing online services. Prior to 10.0.21, OneUptime Synthetic Monitors allow a low-privileged authenticated project user to execute arbitrary commands on …

oneuptime | Remote | Injection
Mar 10, 2026 Mar 10, 2026
Mar 10, 2026
Mar 10, 2026
9.9 CRITICAL
CVE-2026-30956 — OneUptime has authorization bypass via client‑controlled is-multi-tenant-query header

OneUptime is a solution for monitoring and managing online services. Prior to 10.0.21, a low‑privileged user can bypass authorization and tenant isolation in OneUptime v10.0.20 and earlier by sending…

oneuptime | Remote | Authorization
Mar 10, 2026 Mar 10, 2026
Mar 10, 2026
Mar 10, 2026
7.1 HIGH
CVE-2026-30945 — StudioCMS: IDOR — Arbitrary API Token Revocation Leading to Denial of Service

StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.0, the DELETE /studiocms_api/dashboard/api-tokens endpoint allows any authenticated user with edito…

Remote | Authorization
Mar 10, 2026 Mar 10, 2026
Mar 10, 2026
Mar 10, 2026
8.8 HIGH
CVE-2026-30944 — StudioCMS Affected by Privilege Escalation via Insecure API Token Generation

StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.0, the /studiocms_api/dashboard/api-tokens endpoint allows any authenticated user (at least Editor)…

Remote | Authorization
Mar 10, 2026 Mar 10, 2026
Mar 10, 2026
Mar 10, 2026
8.3 HIGH
CVE-2026-30942 — Flare has a Path Traversal in /api/avatars/[filename]

Flare is a Next.js-based, self-hostable file sharing platform that integrates with screenshot tools. Prior to 1.7.3, an authenticated path traversal vulnerability in /api/avatars/[filename] allows an…

flare | Remote | Path Traversal
Mar 10, 2026 Mar 10, 2026
Mar 10, 2026
Mar 10, 2026
8.7 HIGH
CVE-2026-30941 — Parse Server has a NoSQL injection via token type in password reset and email verificatio…

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.14 and 9.5.2-alpha.1, NoSQL injection vulnerability allows an unauthenticated atta…

parse-server | Remote | Injection
Mar 10, 2026 Mar 10, 2026
Mar 10, 2026
Mar 10, 2026
8.8 HIGH
CVE-2026-30939 — Parse Server has Denial of Service (DoS) and Cloud Function Dispatch Bypass via Prototype…

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.13 and 9.5.1-alpha.2, an unauthenticated attacker can crash the Parse Server proce…

parse-server | Remote | Denial of Service
Mar 10, 2026 Mar 10, 2026
Mar 10, 2026
Mar 10, 2026
6.9 MEDIUM
CVE-2026-30938 — Parse Server has denylist `requestKeywordDenylist` keyword scan bypass through nested obj…

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.12 and 9.5.1-alpha.1, the requestKeywordDenylist security control can be bypassed …

parse-server | Remote | Misconfiguration
Mar 10, 2026 Mar 10, 2026
Mar 10, 2026
Mar 10, 2026
8.9 HIGH
CVE-2026-30934 — FileBrowser Quantum: Stored XSS in public share page via unsanitized share metadata (text…

FileBrowser Quantum is a free, self-hosted, web-based file manager. Prior to 1.3.1-beta and 1.2.2-stable, Stored XSS is possible via share metadata fields (e.g., title, description) that are rendered…

Remote | Cross-Site Scripting
Mar 10, 2026 Mar 10, 2026
Mar 10, 2026
Mar 10, 2026
7.5 HIGH
CVE-2026-30933 — FileBrowser Quantum Incomplete Remediation of CVE-2026-27611: Password-Protected Share By…

FileBrowser Quantum is a free, self-hosted, web-based file manager. Prior to 1.3.1-beta and 1.2.2-stable, the remediation for CVE-2026-27611 is incomplete. Password protected shares still disclose to…

Remote | Information Disclosure
Mar 10, 2026 Mar 10, 2026
Mar 10, 2026
Mar 10, 2026
8.6 HIGH
CVE-2026-30930 — Glances has SQL Injection via Process Names in TimescaleDB Export

Glances is an open-source system cross-platform monitoring tool. Prior to 4.5.1, The TimescaleDB export module constructs SQL queries using string concatenation with unsanitized system monitoring dat…

glances | Injection
Mar 10, 2026 Mar 10, 2026
Mar 10, 2026
Mar 10, 2026
8.7 HIGH
CVE-2026-30928 — Glances Exposes Unauthenticated Configuration Secrets

Glances is an open-source system cross-platform monitoring tool. Prior to 4.5.1, the /api/4/config REST API endpoint returns the entire parsed Glances configuration file (glances.conf) via self.confi…

glances | Remote | Information Disclosure
Mar 10, 2026 Mar 10, 2026
Mar 10, 2026
Mar 10, 2026
Showing 20 of 5304 Results