Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
8.4 HIGH
CVE-2026-32945 — PJSIP is vulnerable to Heap-based Buffer Overflow through DNS parser

PJSIP is a free and open source multimedia communication library written in C. Versions 2.16 and below have a Heap-based Buffer Overflow vulnerability in the DNS parser's name length handler. This impa…

pjsip | Remote | Memory Corruption
Mar 20, 2026
8.0 HIGH
CVE-2026-32942 — PJSIP has ICE session use-after-free race conditions

PJSIP is a free and open source multimedia communication library written in C. Versions 2.16 and below contain a heap use-after-free vulnerability in the ICE session that occurs when there are race …

pjsip | Remote | Memory Corruption
Mar 20, 2026
7.1 HIGH
CVE-2026-32941 — Sliver Vulnerable to Authenticated OOM via Memory Exhaustion in mTLS/WireGuard Transports

Sliver is a command and control framework that uses a custom Wireguard netstack. Versions 1.7.3 and below contain a Remote OOM (Out-of-Memory) vulnerability in the Sliver C2 server's mTLS and WireGua…

sliver | Remote | Denial of Service
Mar 20, 2026
9.3 CRITICAL
CVE-2026-32940 — SiYuan has a SanitizeSVG bypass via data:text/xml in getDynamicIcon (incomplete fix for C…

SiYuan is a personal knowledge management system. In versions 3.6.0 and below, SanitizeSVG has an incomplete blocklist — it blocks data:text/html and data:image/svg+xml in href attributes but misses …

siyuan | Remote | Cross-Site Scripting
Mar 20, 2026
7.7 HIGH
CVE-2026-32939 — DataEase is Vulnerable to H2 JDBC RCE Bypass

DataEase is an open source data visualization analysis tool. Versions 2.10.19 and below have inconsistent Locale handling between the JDBC URL validation logic and the H2 JDBC engine's internal parsi…

dataease | Remote | Misconfiguration
Mar 20, 2026
9.9 CRITICAL
CVE-2026-32938 — SiYuan has an Arbitrary File Read in its Desktop Publish Service

SiYuan is a personal knowledge management system. In versions 3.6.0 and below, the /api/lute/html2BlockDOM on the desktop copies local files pointed to by file:// links in pasted HTML into the worksp…

siyuan | Remote | Path Traversal
Mar 20, 2026
5.3 MEDIUM
CVE-2026-32114 — Discourse's unscoped status lookups leak restricted metadata

Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, there is an Insecure Direct Object Reference (IDOR) vulnerability that allows any authent…

discourse | Remote | Authorization
Mar 20, 2026
5.8 MEDIUM
CVE-2026-4467 — Comfast CF-AC100 mbox-config command injection

A vulnerability was found in Comfast CF-AC100 2.6.0.8. This impacts an unknown function of the file /cgi-bin/mbox-config?method=SET&section=wireless_device_dissoc. The manipulation results in command…

cf-ac100_firmware | Remote | Injection
Mar 20, 2026
8.7 HIGH
CVE-2026-33063 — free5GC AUSF UE Authentication Panic on Nil SuciSupiMap Interface Conversion

free5GC is an open source 5G core network. free5GC AUSF prior to version 1.4.2 has an Improper Null Check vulnerability leading to Denial of Service. All deployments of free5GC v4.0.1 using the AU…

free5gc | Remote | Denial of Service
Mar 20, 2026
8.7 HIGH
CVE-2026-33062 — free5GC NRF Discovery EncodeGroupId Function Panics on Malformed group-id-list Parameter

free5GC is an open source 5G core network. free5GC NRF prior to version 1.4.2 has an Improper Input Validation vulnerability leading to Denial of Service. All deployments of free5GC using the NRF dis…

free5gc | Remote | Denial of Service
Mar 20, 2026
7.1 HIGH
CVE-2026-32937 — free5GC CHF has Out-of-Bounds Slice Access that Leads to DoS

free5GC is an open source 5G core network. free5GC CHF prior to version 1.2.2 has an out-of-bounds slice access vulnerability in the CHF `nchf-convergedcharging` service. A valid authenticated reques…

free5gc | Remote | Denial of Service
Mar 20, 2026
8.2 HIGH
CVE-2026-32935 — phpseclib's AES-CBC unpadding susceptible to padding oracle timing attack

phpseclib is a PHP secure communications library. Projects using versions 1.0.26 and below, 2.0.0 through 2.0.51, and 3.0.0 through 3.0.49 are vulnerable to a padding oracle timing attack when usi…

phpseclib | Remote | Cryptography
Mar 20, 2026
7.5 HIGH
CVE-2026-32933 — AutoMapper Vulnerable to Denial of Service (DoS) via Uncontrolled Recursion

AutoMapper is a convention-based object-object mapper in .NET. Versions prior to 15.1.1 and 16.1.1 are vulnerable to a Denial of Service (DoS) attack. When mapping deeply nested object graphs, the li…

Remote | Denial of Service
Mar 20, 2026
9.0 CRITICAL
CVE-2026-32891 — Anchorr Privilege Escalation: Jellyseerr User → Anchorr Admin via Stored XSS

Anchorr is a Discord bot for requesting movies and TV shows and receiving notifications when items are added to a media server. Versions 1.4.1 and below contain a stored XSS vulnerability in the Jell…

Remote | Cross-Site Scripting
Mar 20, 2026
9.6 CRITICAL
CVE-2026-32890 — Anchorr: Stored XSS in User Mapping dropdown allows unprivileged Discord users to exfiltr…

Anchorr is a Discord bot for requesting movies and TV shows and receiving notifications when items are added to a media server. In versions 1.4.1 and below, a stored Cross-site Scripting (XSS) vulner…

Remote | Cross-Site Scripting
Mar 20, 2026
6.5 MEDIUM
CVE-2026-32889 — tinytag: Denial of Service via non-terminating SYLT frame parsing loop

tinytag is a Python library for reading audio file metadata. Version 2.2.0 allows an attacker who can supply MP3 files for parsing to trigger a non-terminating loop while the library parses an ID3v2 …

Remote | Denial of Service
Mar 20, 2026
8.8 HIGH
CVE-2026-32888 — Open Source Point of Sale is Vulnerable to SQL Injection Through its Item Search Function…

Open Source Point of Sale is a web based point-of-sale application written in PHP using the CodeIgniter framework. Affected versions contain an SQL Injection in the Items search functionality. When the custom att…

open_source_point_of_sale | Remote | Injection
Mar 20, 2026
5.3 MEDIUM
CVE-2026-31869 — Discourse: Composer mentions endpoint leaks hidden group membership through PM `allowed_n…

Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, the ComposerController#mentions endpoint reveals hidden group membership to any authentic…

discourse | Remote | Information Disclosure
Mar 20, 2026
5.3 MEDIUM
CVE-2026-31805 — Discourse has a poll authorization bypass via post_id array parameter

Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, an authorization bypass in the poll plugin allowed authenticated users to vote on, remove…

discourse | Remote | Authorization
Mar 20, 2026
5.3 MEDIUM
CVE-2026-30891 — Discourse has Unauthorized Exposure of Private User Action Types

Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, a user could access another user's private activity due to insufficient authorization che…

discourse | Remote | Authorization
Mar 20, 2026
Showing 20 of 5727 Results