Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

All Critical Actively Exploited Remotely Exploitable
Last Updated Published CVSS Score
Score
Vulnerability
Published
5.8 MEDIUM
CVE-2026-25905 — Lack of isolation in mcp-run-python leads to MCP server takeover

The Python code being run by 'runPython' or 'runPythonAsync' is not isolated from the rest of the JS code, allowing any Python code to use the Pyodide APIs to modify the JS environment. This may resu…

Remote | Misconfiguration
Feb 09, 2026 Feb 09, 2026
Feb 09, 2026
Feb 09, 2026
5.8 MEDIUM
CVE-2026-25904 — Overly permissive Deno configuration in mcp-run-python leads to SSRF

The Pydantic-AI MCP Run Python tool configures the Deno sandbox with an overly permissive configuration that allows the underlying Python code to access the localhost interface of the host to perform…

Remote | Server-Side Request Forgery
Feb 09, 2026 Feb 09, 2026
Feb 09, 2026
Feb 09, 2026
8.6 HIGH
CVE-2025-7799 — Reflected XSS in Zirve Information Technologies' e-Taxpayer Accounting Website

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Zirve Information Technologies Inc. E-Taxpayer Accounting Website allows Reflected XSS.Thi…

Remote | Cross-Site Scripting
Feb 09, 2026 Feb 09, 2026
Feb 09, 2026
Feb 09, 2026
8.7 HIGH
CVE-2026-2236 — HGiga|C&Cm@il - SQL Injection

C&Cm@il developed by HGiga has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read database contents.

Remote | Injection
Feb 09, 2026 Feb 09, 2026
Feb 09, 2026
Feb 09, 2026
7.1 HIGH
CVE-2026-2235 — HGiga|C&Cm@il - SQL Injection

C&Cm@il developed by HGiga has a SQL Injection vulnerability, allowing authenticated remote attackers to inject arbitrary SQL commands to read database contents.

Remote | Injection
Feb 09, 2026 Feb 09, 2026
Feb 09, 2026
Feb 09, 2026
9.3 CRITICAL
CVE-2026-2234 — HGiga|C&Cm@il - Missing Authentication

C&Cm@il developed by HGiga has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to read and modify any user's mail content.

Remote | Authentication
Feb 09, 2026 Feb 09, 2026
Feb 09, 2026
Feb 09, 2026
9.8 CRITICAL
CVE-2026-2223 — code-projects Online Reviewer System index.php sql injection

A security vulnerability has been detected in code-projects Online Reviewer System 1.0. Affected by this issue is some unknown functionality of the file /system/system/students/assessments/pretest/ta…

online_reviewer_system | Remote | Injection
Feb 09, 2026 Feb 10, 2026
Feb 09, 2026
Feb 10, 2026
4.8 MEDIUM
CVE-2026-2222 — code-projects Online Reviewer System btn_functions.php cross site scripting

A weakness has been identified in code-projects Online Reviewer System 1.0. Affected by this vulnerability is an unknown functionality of the file /system/system/admins/manage/users/btn_functions.php…

online_reviewer_system | Remote | Cross-Site Scripting
Feb 09, 2026 Feb 10, 2026
Feb 09, 2026
Feb 10, 2026
9.8 CRITICAL
CVE-2026-22906 — Hardcoded Key Allows Credential Disclosure

User credentials are stored using AES‑ECB encryption with a hardcoded key. An unauthenticated remote attacker obtaining the configuration file can decrypt and recover plaintext usernames and password…

Remote | Cryptography
Feb 09, 2026 Feb 09, 2026
Feb 09, 2026
Feb 09, 2026
7.5 HIGH
CVE-2026-22905 — Authentication Bypass via URI Traversal

An unauthenticated remote attacker can bypass authentication by exploiting insufficient URI validation and using path traversal sequences (e.g., /js/../cgi-bin/post.cgi), gaining unauthorized access …

Remote | Path Traversal
Feb 09, 2026 Feb 09, 2026
Feb 09, 2026
Feb 09, 2026
9.8 CRITICAL
CVE-2026-22904 — Stack Overflow via Oversized Cookie Fields in lighttpd

Improper length handling when parsing multiple cookie fields (including TRACKID) allows an unauthenticated remote attacker to send oversized cookie values and trigger a stack buffer overflow, resulti…

Remote | Memory Corruption
Feb 09, 2026 Feb 09, 2026
Feb 09, 2026
Feb 09, 2026
9.8 CRITICAL
CVE-2026-22903 — Stack Overflow via SESSIONID Cookie in lighttpd

An unauthenticated remote attacker can send a crafted HTTP request containing an overly long SESSIONID cookie. This can trigger a stack buffer overflow in the modified lighttpd server, causing it to …

Remote | Memory Corruption
Feb 09, 2026 Feb 09, 2026
Feb 09, 2026
Feb 09, 2026
Showing 20 of 5392 Results