Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

All Critical Actively Exploited Remotely Exploitable
Last Updated Published CVSS Score
Score
Vulnerability
Published
7.8 HIGH
CVE-2026-30979 — iccDEV has a heap-based buffer overflow in CIccCalculatorFunc::InitSelectOp()

iccDEV provides a set of libraries and tools for working with ICC color management profiles. Prior to 2.3.1.5, there is a heap-based buffer overflow in CIccCalculatorFunc::InitSelectOp() triggered wi…

| Memory Corruption
Mar 10, 2026 Mar 10, 2026
Mar 10, 2026
Mar 10, 2026
7.8 HIGH
CVE-2026-30978 — Heap-use-after-free in CIccCmm::AddXform()

iccDEV provides a set of libraries and tools for working with ICC color management profiles. Prior to 2.3.1.5, there is a heap-use-after-free in CIccCmm::AddXform() causing invalid vptr dereference a…

| Memory Corruption
Mar 10, 2026 Mar 10, 2026
Mar 10, 2026
Mar 10, 2026
2.0 LOW
CVE-2026-30977 — RenderBlocking has Stored XSS in renderblocking-css with Inline Assets mode

RenderBlocking is a MediaWiki extension that allows interface administrators to specify render-blocking CSS and JavaScript. Prior to 0.1.1, there is Stored XSS in renderblocking-css with Inline Asset…

Remote | Cross-Site Scripting
Mar 10, 2026 Mar 10, 2026
Mar 10, 2026
Mar 10, 2026
4.6 MEDIUM
CVE-2026-30974 — Copyparty volflag `nohtml` did not block javascript in svg files

Copyparty is a portable file server. Prior to v1.20.11., the nohtml config option, intended to prevent execution of JavaScript in user-uploaded HTML files, did not apply to SVG images. A user with wr…

copyparty | Remote | Cross-Site Scripting
Mar 10, 2026 Mar 10, 2026
Mar 10, 2026
Mar 10, 2026
6.5 MEDIUM
CVE-2026-30973 — Zip Slip arbitrary file write in @appium/support ZIP extraction

Appium is an automation framework that provides WebDriver-based automation possibilities for a wide range platforms. Prior to 7.0.6, @appium/support contains a ZIP extraction implementation (extractA…

Remote | Path Traversal
Mar 10, 2026 Mar 10, 2026
Mar 10, 2026
Mar 10, 2026
8.8 HIGH
CVE-2026-30970 — Session authentication bypass in Coral Server session creation endpoint

Coral Server is open collaboration infrastructure that enables communication, coordination, trust and payments for The Internet of Agents. Prior to 1.1.0, Coral Server allowed the creation of agent s…

Remote | Authentication
Mar 10, 2026 Mar 10, 2026
Mar 10, 2026
Mar 10, 2026
7.6 HIGH
CVE-2026-30969 — Coral Server has insufficient agent authentication in session communication channels

Coral Server is open collaboration infrastructure that enables communication, coordination, trust and payments for The Internet of Agents. Prior to 1.1.0, Coral Server did not enforce strong authenti…

Remote | Authentication
Mar 10, 2026 Mar 10, 2026
Mar 10, 2026
Mar 10, 2026
8.6 HIGH
CVE-2026-30968 — Coral Server has insufficient validation of agent identity for SSE connections

Coral Server is open collaboration infrastructure that enables communication, coordination, trust and payments for The Internet of Agents. Prior to 1.1.0, the SSE endpoint (/sse/v1/...) in Coral Serv…

Remote | Authentication
Mar 10, 2026 Mar 10, 2026
Mar 10, 2026
Mar 10, 2026
5.4 MEDIUM
CVE-2026-30964 — Webauthn Framework: allowed_origins collapses URL-like origins to host-only values, bypas…

web-auth/webauthn-lib is an open source set of PHP libraries and a Symfony bundle to allow developers to integrate that authentication mechanism into their web applications. Prior to 5.2.4, when allo…

Remote | Authentication
Mar 10, 2026 Mar 10, 2026
Mar 10, 2026
Mar 10, 2026
9.4 CRITICAL
CVE-2026-30960 — RSSN has Arbitrary Code Execution via Unvalidated JIT Instruction Generation in C-FFI Int…

rssn is a scientific computing library for Rust, combining a high-performance symbolic computation engine with numerical methods support and physics simulations functionalities. The vulnerability exi…

| Injection
Mar 10, 2026 Mar 10, 2026
Mar 10, 2026
Mar 10, 2026
5.3 MEDIUM
CVE-2026-30959 — OneUptime has WhatsApp Resend Verification Authorization Bypass

OneUptime is a solution for monitoring and managing online services. The resend-verification-code endpoint allows any authenticated user to trigger a verification code resend for any UserWhatsApp rec…

Remote | Authorization
Mar 10, 2026 Mar 10, 2026
Mar 10, 2026
Mar 10, 2026
7.2 HIGH
CVE-2026-30958 — OneUptime: Path Traversal — Arbitrary File Read (No Auth)

OneUptime is a solution for monitoring and managing online services. Prior to 10.0.21, an unauthenticated path traversal in the /workflow/docs/:componentName endpoint allows reading arbitrary files f…

oneuptime | Remote | Path Traversal
Mar 10, 2026 Mar 10, 2026
Mar 10, 2026
Mar 10, 2026
9.9 CRITICAL
CVE-2026-30957 — OneUptime Synthetic Monitor RCE via exposed Playwright browser object

OneUptime is a solution for monitoring and managing online services. Prior to 10.0.21, OneUptime Synthetic Monitors allow a low-privileged authenticated project user to execute arbitrary commands on …

oneuptime | Remote | Injection
Mar 10, 2026 Mar 10, 2026
Mar 10, 2026
Mar 10, 2026
9.9 CRITICAL
CVE-2026-30956 — OneUptime has authorization bypass via client‑controlled is-multi-tenant-query header

OneUptime is a solution for monitoring and managing online services. Prior to 10.0.21, a low‑privileged user can bypass authorization and tenant isolation in OneUptime v10.0.20 and earlier by sending…

oneuptime | Remote | Authorization
Mar 10, 2026 Mar 10, 2026
Mar 10, 2026
Mar 10, 2026
7.1 HIGH
CVE-2026-30945 — StudioCMS: IDOR — Arbitrary API Token Revocation Leading to Denial of Service

StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.0, the DELETE /studiocms_api/dashboard/api-tokens endpoint allows any authenticated user with edito…

Remote | Authorization
Mar 10, 2026 Mar 10, 2026
Mar 10, 2026
Mar 10, 2026
8.8 HIGH
CVE-2026-30944 — StudioCMS Affected by Privilege Escalation via Insecure API Token Generation

StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.0, the /studiocms_api/dashboard/api-tokens endpoint allows any authenticated user (at least Editor)…

Remote | Authorization
Mar 10, 2026 Mar 10, 2026
Mar 10, 2026
Mar 10, 2026
8.3 HIGH
CVE-2026-30942 — Flare has a Path Traversal in /api/avatars/[filename]

Flare is a Next.js-based, self-hostable file sharing platform that integrates with screenshot tools. Prior to 1.7.3, an authenticated path traversal vulnerability in /api/avatars/[filename] allows an…

flare | Remote | Path Traversal
Mar 10, 2026 Mar 10, 2026
Mar 10, 2026
Mar 10, 2026
8.7 HIGH
CVE-2026-30941 — Parse Server has a NoSQL injection via token type in password reset and email verificatio…

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.14 and 9.5.2-alpha.1, NoSQL injection vulnerability allows an unauthenticated atta…

parse-server | Remote | Injection
Mar 10, 2026 Mar 10, 2026
Mar 10, 2026
Mar 10, 2026
8.8 HIGH
CVE-2026-30939 — Parse Server has Denial of Service (DoS) and Cloud Function Dispatch Bypass via Prototype…

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.13 and 9.5.1-alpha.2, an unauthenticated attacker can crash the Parse Server proce…

parse-server | Remote | Denial of Service
Mar 10, 2026 Mar 10, 2026
Mar 10, 2026
Mar 10, 2026
6.9 MEDIUM
CVE-2026-30938 — Parse Server has denylist `requestKeywordDenylist` keyword scan bypass through nested obj…

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.12 and 9.5.1-alpha.1, the requestKeywordDenylist security control can be bypassed …

parse-server | Remote | Misconfiguration
Mar 10, 2026 Mar 10, 2026
Mar 10, 2026
Mar 10, 2026
Showing 20 of 5304 Results