Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
CVE Intelligence

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

All Critical Actively Exploited Remotely Exploitable
Last Updated Published CVSS Score
Score
Vulnerability
Published
7.2 HIGH
CVE-2026-29102 — SuiteCRM has Authenticated RCE in Modules

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, an Authenticated Remote Code Execution (RCE) vulnerabilit…

suitecrm | Remote | Authentication
Mar 19, 2026 Mar 20, 2026
Mar 19, 2026
Mar 20, 2026
4.9 MEDIUM
CVE-2026-29101 — SuiteCRM Vulnerable to Directory Traversal to DoS in Modules

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, a Denial-of-Service (DoS) vulnerability exists in SuiteCR…

suitecrm | Remote | Denial of Service
Mar 19, 2026 Mar 20, 2026
Mar 19, 2026
Mar 20, 2026
7.1 HIGH
CVE-2026-29100 — SuiteCRM has Reflected HTML Injection in Login Page via default_user_name Parameter

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. SuiteCRM 7.15.0 contains a reflected HTML injection vulnerability in the login page that allo…

suitecrm | Remote | Cross-Site Scripting
Mar 19, 2026 Mar 20, 2026
Mar 19, 2026
Mar 20, 2026
8.8 HIGH
CVE-2026-29099 — SuiteCRM has Authenticated Blind SQL Injection in OutboundEmail Legacy Functionality.

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, the `retrieve()` function in `include/OutboundEmail/Outbo…

suitecrm | Remote | Injection
Mar 19, 2026 Mar 20, 2026
Mar 19, 2026
Mar 20, 2026
4.9 MEDIUM
CVE-2026-29098 — SuiteCRM has Relative Path Traversal via ModuleBuilder Modules ExportCustom Action

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, the `action_exportCustom` function in `modules/ModuleBuil…

suitecrm | Remote | Path Traversal
Mar 19, 2026 Mar 20, 2026
Mar 19, 2026
Mar 20, 2026
7.1 HIGH
CVE-2026-29097 — SuiteCRM Server-Side Request Forgery and Denial of Service via RSS Feed Dashlet

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Versions prior to 7.15.1 and 8.9.3 contain a Server-Side Request Forgery (SSRF) vulnerability…

suitecrm | Remote | Server-Side Request Forgery
Mar 19, 2026 Mar 20, 2026
Mar 19, 2026
Mar 20, 2026
8.1 HIGH
CVE-2026-29096 — SuiteCRM vulnerable to Authenticated SQL Injection via unsanitized field_function in Repo…

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, when creating or editing a report (AOR_Reports module), t…

suitecrm | Remote | Injection
Mar 19, 2026 Mar 20, 2026
Mar 19, 2026
Mar 20, 2026
9.1 CRITICAL
CVE-2026-22732 — Under Some Conditions Spring Security HTTP Headers Are not Written

When applications specify HTTP response headers for servlet applications using Spring Security, there is the possibility that the HTTP Headers will not be written.  This issue affects Spring Security…

spring_security | Remote | Misconfiguration
Mar 19, 2026 Mar 20, 2026
Mar 19, 2026
Mar 20, 2026
8.2 HIGH
CVE-2026-22731 — Authentication Bypass under Actuator Health groups paths

Spring Boot applications with Actuator can be vulnerable to an "Authentication Bypass" vulnerability when an application endpoint that requires authentication is declared under a specific path, alrea…

spring_boot | Remote | Authentication
Mar 19, 2026 Mar 20, 2026
Mar 19, 2026
Mar 20, 2026
8.8 HIGH
CVE-2026-4342 — ingress-nginx comment-based nginx configuration injection

A security issue was discovered in ingress-nginx where a combination of Ingress annotations can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of…

ingress-nginx | Remote | Injection
Mar 19, 2026 Mar 20, 2026
Mar 19, 2026
Mar 20, 2026
1.2 LOW
CVE-2026-4159 — wc_PKCS7_DecodeEnvelopedData 1 byte out-of-bounds read

1-byte OOB heap read in wc_PKCS7_DecodeEnvelopedData via zero-length encrypted content. A vulnerability existed in wolfSSL 5.8.4 and earlier, where a 1-byte out-of-bounds heap read in wc_PKCS7_Decode…

wolfssl | Memory Corruption
Mar 19, 2026 Mar 20, 2026
Mar 19, 2026
Mar 20, 2026
5.4 MEDIUM
CVE-2026-33410 — Discourse hardens chat DM channel creation and expansion

Discourse is an open-source discussion platform. Versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 have two authorization issues in the chat direct message API. First, when creating a direc…

discourse | Remote | Authorization
Mar 19, 2026 Mar 20, 2026
Mar 19, 2026
Mar 20, 2026
2.7 LOW
CVE-2026-33394 — Discourse leaks PM post edits to moderators

Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, the Post Edits admin report (/admin/reports/post_edits) leaked the first 40 characters of…

discourse | Remote | Information Disclosure
Mar 19, 2026 Mar 20, 2026
Mar 19, 2026
Mar 20, 2026
4.3 MEDIUM
CVE-2026-33393 — Discourse fixes loose hostname matching in spam host allowlist

Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, the `allowed_spam_host_domains` check used `String#end_with?` without domain boundary val…

discourse | Remote | Misconfiguration
Mar 19, 2026 Mar 20, 2026
Mar 19, 2026
Mar 20, 2026
6.5 MEDIUM
CVE-2026-33355 — Discourse filters whisper posts from private-posts feed

Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, the `/private-posts` endpoint did not apply post-type visibility filtering, allowing regu…

discourse | Remote | Authorization
Mar 19, 2026 Mar 20, 2026
Mar 19, 2026
Mar 20, 2026
5.3 MEDIUM
CVE-2026-32815 — SiYuan: Cross-Origin WebSocket Hijacking via Authentication Bypass — Unauthenticated Info…

SiYuan is a personal knowledge management system. In versions 3.6.0 and below, the WebSocket endpoint (/ws) allows unauthenticated connections when specific URL parameters are provided (?app=siyuan&i…

siyuan | Remote | Authentication
Mar 19, 2026 Mar 20, 2026
Mar 19, 2026
Mar 20, 2026
9.3 CRITICAL
CVE-2026-32754 — FreeScout: Stored XSS via Unescaped Email Template Rendering ({!! $thread->body !!})

FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Versions 1.8.208 and below are vulnerable to Stored Cross-Site Scripting (XSS) through FreeScout's email notificatio…

freescout | Remote | Cross-Site Scripting
Mar 19, 2026 Mar 20, 2026
Mar 19, 2026
Mar 20, 2026
8.5 HIGH
CVE-2026-32753 — FreeScout: Stored XSS through SVG file upload with filter bypass

FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. In versions 1.8.208 and below, bypasses of the attachment view logic and SVG sanitizer make it possible to upload an…

freescout | Remote | Cross-Site Scripting
Mar 19, 2026 Mar 20, 2026
Mar 19, 2026
Mar 20, 2026
0.0 NONE
CVE-2026-32752 — FreeScout: Broken Access Control in ThreadPolicy — Any User Can Read/Edit All Customer Me…

FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. In versions 1.8.208 and below, the ThreadPolicy::edit() method contains a broken access control vulnerability that a…

freescout | Remote | Authorization
Mar 19, 2026 Mar 20, 2026
Mar 19, 2026
Mar 20, 2026
5.1 MEDIUM
CVE-2026-32751 — SiYuan Vulnerable to Remote Code Execution via Stored XSS in Notebook Name - Mobile Inter…

SiYuan is a personal knowledge management system. In versions 3.6.0 and below, the mobile file tree (MobileFiles.ts) renders notebook names via innerHTML without HTML escaping when processing renamen…

siyuan | Remote | Cross-Site Scripting
Mar 19, 2026 Mar 20, 2026
Mar 19, 2026
Mar 20, 2026
Showing 20 of 5700 Results