Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

All Critical Actively Exploited Remotely Exploitable
Last Updated Published CVSS Score
Score
Vulnerability
Published
9.4 CRITICAL
CVE-2026-28806 — Improper authorization in device bulk actions and device update API allows cross-organiza…

Improper Authorization vulnerability in nerves-hub nerves_hub_web allows cross-organization device control via device bulk actions and device update API. Missing authorization checks in the device b…

Remote | Authorization
Mar 10, 2026 Mar 10, 2026
Mar 10, 2026
Mar 10, 2026
7.8 HIGH
CVE-2026-27278 — Acrobat Reader | Use After Free (CWE-416)

Acrobat Reader versions 24.001.30307, 24.001.30308, 25.001.21265 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current…

| Memory Corruption
Mar 10, 2026 Mar 10, 2026
Mar 10, 2026
Mar 10, 2026
5.5 MEDIUM
CVE-2026-27221 — Acrobat Reader | Improper Certificate Validation (CWE-295)

Acrobat Reader versions 24.001.30307, 24.001.30308, 25.001.21265 and earlier are affected by an Improper Certificate Validation vulnerability that could result in a Security feature bypass. An attack…

| Cryptography
Mar 10, 2026 Mar 10, 2026
Mar 10, 2026
Mar 10, 2026
7.8 HIGH
CVE-2026-27220 — Acrobat Reader | Use After Free (CWE-416)

Acrobat Reader versions 24.001.30307, 24.001.30308, 25.001.21265 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current…

| Memory Corruption
Mar 10, 2026 Mar 10, 2026
Mar 10, 2026
Mar 10, 2026
6.4 MEDIUM
CVE-2026-31809 — SiYuan has a SVG Sanitizer Bypass via Whitespace in `javascript:` URI — Unauthenticated X…

SiYuan is a personal knowledge management system. Prior to 3.5.10, SiYuan's SVG sanitizer (SanitizeSVG) checks href attributes for the javascript: prefix using strings.HasPrefix(). However, inserting…

Remote | Cross-Site Scripting
Mar 10, 2026 Mar 10, 2026
Mar 10, 2026
Mar 10, 2026
5.3 MEDIUM
CVE-2026-31808 — file-type affected by infinite loop in ASF parser on malformed input with zero-size sub-h…

file-type detects the file type of a file, stream, or data. Prior to 21.3.1, a denial of service vulnerability exists in the ASF (WMV/WMA) file type detection parser. When parsing a crafted input whe…

Remote | Denial of Service
Mar 10, 2026 Mar 10, 2026
Mar 10, 2026
Mar 10, 2026
6.4 MEDIUM
CVE-2026-31807 — SiYuan has a SVG Sanitizer Bypass via `<animate>` Element — Unauthenticated XSS

SiYuan is a personal knowledge management system. Prior to 3.5.10, SiYuan's SVG sanitizer (SanitizeSVG) blocks dangerous elements (<script>, <iframe>, <foreignobject>) and removes on* event handlers …

Remote | Cross-Site Scripting
Mar 10, 2026 Mar 10, 2026
Mar 10, 2026
Mar 10, 2026
7.7 HIGH
CVE-2026-31801 — zot create-only policy allows overwrite attempts of existing latest tag (update permissio…

zot is ancontainer image/artifact registry based on the Open Container Initiative Distribution Specification. From 1.3.0 to 2.1.14, zot’s dist-spec authorization middleware infers the required action…

Remote | Authorization
Mar 10, 2026 Mar 10, 2026
Mar 10, 2026
Mar 10, 2026
8.8 HIGH
CVE-2026-31800 — Parse Server: Classes `_GraphQLConfig` and `_Audience` master key bypass via generic clas…

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.12 and 8.6.25, the _GraphQLConfig and _Audience internal classes can be re…

Remote | Authentication
Mar 10, 2026 Mar 10, 2026
Mar 10, 2026
Mar 10, 2026
6.9 MEDIUM
CVE-2026-30972 — Parse Server has a rate limit bypass via batch request endpoint

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior o 9.5.2-alpha.10 and 8.6.23, Parse Server's rate limiting middleware is applied at the Ex…

Remote | Denial of Service
Mar 10, 2026 Mar 10, 2026
Mar 10, 2026
Mar 10, 2026
7.6 HIGH
CVE-2026-30967 — Parse Server OAuth2 authentication adapter account takeover via identity spoofing

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.9. and 8.6.22, the OAuth2 authentication adapter, when configured without …

Remote | Authentication
Mar 10, 2026 Mar 10, 2026
Mar 10, 2026
Mar 10, 2026
10.0 CRITICAL
CVE-2026-30966 — Parse Server role escalation and CLP bypass via direct `_Join` table write

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.7 and 8.6.20, Parse Server's internal tables, which store Relation field m…

Remote | Authorization
Mar 10, 2026 Mar 10, 2026
Mar 10, 2026
Mar 10, 2026
9.9 CRITICAL
CVE-2026-30965 — Parse Server session token exfiltration via `redirectClassNameForKey` query parameter

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.8 and 8.6.21, a vulnerability in Parse Server's query handling allows an a…

Remote | Information Disclosure
Mar 10, 2026 Mar 10, 2026
Mar 10, 2026
Mar 10, 2026
7.1 HIGH
CVE-2026-30962 — Parse Server has a protected fields bypass via logical query operators

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.6 and 8.6.19, the validation for protected fields only checks top-level qu…

Remote | Authorization
Mar 10, 2026 Mar 10, 2026
Mar 10, 2026
Mar 10, 2026
5.3 MEDIUM
CVE-2026-30954 — LinkAce has a Cross-User Tag/List Attachment IDOR in processTaxonomy()

LinkAce is a self-hosted archive to collect website links. In 2.1.0 and earlier, the processTaxonomy() method in LinkRepository.php allows authenticated users to attach other users' private tags and …

Remote | Authorization
Mar 10, 2026 Mar 10, 2026
Mar 10, 2026
Mar 10, 2026
7.7 HIGH
CVE-2026-30953 — LinkAce affected by SSRF via link creation: NoPrivateIpRule not applied to LinkStoreReque…

LinkAce is a self-hosted archive to collect website links. When a user creates a link via POST /links, the server fetches HTML metadata from the provided URL (LinkRepository::create() calls HtmlMeta:…

Remote | Server-Side Request Forgery
Mar 10, 2026 Mar 10, 2026
Mar 10, 2026
Mar 10, 2026
8.7 HIGH
CVE-2026-30952 — liquidjs has a path traversal fallback vulnerability

liquidjs is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to 10.25.0, the layout, render, and include tags allow arbitrary file access via absolute paths (either as st…

liquidjs | Remote | Path Traversal
Mar 10, 2026 Mar 10, 2026
Mar 10, 2026
Mar 10, 2026
7.5 HIGH
CVE-2026-30951 — Sequelize v6 Vulnerable to SQL Injection via JSON Column Cast Type

Sequelize is a Node.js ORM tool. Prior to 6.37.8, there is SQL injection via unescaped cast type in JSON/JSONB where clause processing. The _traverseJSON() function splits JSON path keys on :: to ext…

Remote | Injection
Mar 10, 2026 Mar 10, 2026
Mar 10, 2026
Mar 10, 2026
7.6 HIGH
CVE-2026-30949 — Parse Server is missing audience validation in Keycloak authentication adapter

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.5 and 8.6.18, the Keycloak authentication adapter does not validate the az…

Remote | Authentication
Mar 10, 2026 Mar 10, 2026
Mar 10, 2026
Mar 10, 2026
8.3 HIGH
CVE-2026-30948 — Parse Server has stored cross-site scripting (XSS) via SVG file upload

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.4 and 8.6.17, a stored cross-site scripting (XSS) vulnerability allows any…

Remote | Cross-Site Scripting
Mar 10, 2026 Mar 10, 2026
Mar 10, 2026
Mar 10, 2026
Showing 20 of 5374 Results