Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
7.5 HIGH
CVE-2026-32770 — Parse Server: LiveQuery subscription with invalid regular expression crashes server

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.19 and 8.6.43, a remote attacker can crash the Parse Server by subscribing…

parse-server | Remote | Denial of Service
Mar 18, 2026 Mar 19, 2026
4.3 MEDIUM
CVE-2026-32742 — Parse Server session creation endpoint allows overwriting server-generated session fields

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.17 and 8.6.42, an authenticated user can overwrite server-generated sessio…

parse-server | Remote | Authentication
Mar 18, 2026 Mar 19, 2026
8.3 HIGH
CVE-2026-32728 — Parse Server has a stored XSS filter bypass via Content-Type MIME parameter and missing X…

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.15 and 8.6.41, an attacker who is allowed to upload files can bypass the f…

parse-server | Remote | Cross-Site Scripting
Mar 18, 2026 Mar 19, 2026
4.8 MEDIUM
CVE-2026-32723 — SandboxJS timers have an execution-quota bypass (cross-sandbox currentTicks race)

SandboxJS is a JavaScript sandboxing library. Prior to 0.8.35, SandboxJS timers have an execution-quota bypass. A global tick state (`currentTicks.current`) is shared between sandboxes. Timer string …

sandboxjs | Misconfiguration
Mar 18, 2026 Mar 19, 2026
6.1 MEDIUM
CVE-2026-32722 — Memray-generated HTML reports vulnerable to Stored XSS via unescaped command-line metadata

Memray is a memory profiler for Python. Prior to Memray 1.19.2, Memray rendered the command line of the tracked process directly into generated HTML reports without escaping. Because there was no esc…

memray | Remote | Cross-Site Scripting
Mar 18, 2026 Mar 19, 2026
9.0 CRITICAL
CVE-2026-32703 — OpenProject's repository files are served with the MIME type allowing them to be used to …

OpenProject is an open-source, web-based project management software. In versions prior to 16.6.9, 17.0.6, 17.1.3, and 17.2.1, the Repositories module did not properly escape filenames displayed from…

openproject | Remote | Cross-Site Scripting
Mar 18, 2026 Mar 19, 2026
9.1 CRITICAL
CVE-2026-32698 — OpenProject has a SQL Injection via Custom Field Name that can be chained to Remote Code …

OpenProject is an open-source, web-based project management software. Versions prior to 16.6.9, 17.0.6, 17.1.3, and 17.2.1 are vulnerable to an SQL injection attack via a custom field's name. When th…

openproject | Remote | Injection
Mar 18, 2026 Mar 19, 2026
6.0 MEDIUM
CVE-2026-32700 — Devise has a confirmable "change email" race condition that permits user to confirm email…

Devise is an authentication solution for Rails based on Warden. Prior to version 5.0.3, a race condition in Devise's Confirmable module allows an attacker to confirm an email address they do not own.…

devise | Remote | Race Condition
Mar 18, 2026 Mar 19, 2026
2.7 LOW
CVE-2026-32638 — StudioCMS REST getUsers Exposes Owner Account Records to Admin Tokens

StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.4, the REST API `getUsers` endpoint in StudioCMS uses the attacker-controlled `rank` query paramete…

studiocms | Remote | Authorization
Mar 18, 2026 Mar 19, 2026
7.5 HIGH
CVE-2026-32636 — ImageMagick has a heap-buffer-overflow in NewXMLTree which could result in crash

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to 7.1.2-17 and 6.9.13-42, the NewXMLTree method contains a bug that could result in a crash due t…

imagemagick | Remote | Memory Corruption
Mar 18, 2026 Mar 19, 2026
8.8 HIGH
CVE-2026-32321 — ClipBucket v5 has time-based Blind SQL Injection in ajax.php that leads to Data Exfiltrat…

ClipBucket v5 is an open source video sharing platform. An authenticated time-based blind SQL injection vulnerability exists in ClipBucket prior to 5.5.3 #80 within the `actions/ajax.php` endpoint. D…

clipbucket | Remote | Injection
Mar 18, 2026 Mar 19, 2026
7.5 HIGH
CVE-2026-31973 — NULL pointer dereference in samtools cram-size

SAMtools is a program for reading, manipulating and writing bioinformatics file formats. Starting in version 1.17, in the cram-size command, used to write information about how well CRAM files are co…

samtools | Remote | Memory Corruption
Mar 18, 2026 Mar 19, 2026
9.8 CRITICAL
CVE-2026-31972 — samtools mpileup has use-after-free leading to an invalid read

SAMtools is a program for reading, manipulating and writing bioinformatics file formats. The `mpileup` command outputs DNA sequences that have been aligned against a known reference. On each output l…

samtools | Remote | Memory Corruption
Mar 18, 2026 Mar 19, 2026
9.8 CRITICAL
CVE-2026-25873 — OmniGen2-RL Reward Server Unsafe Deserialization RCE

OmniGen2-RL contains an unauthenticated remote code execution vulnerability in the reward server component that allows remote attackers to execute arbitrary commands by sending malicious HTTP POST re…

Remote | Injection
Mar 18, 2026 Mar 19, 2026
6.5 MEDIUM
CVE-2026-25745 — OpenEMR's Message Update Ignores Patient id

OpenEMR is a free and open source electronic health records and medical practice management application. In versions up to and including 8.0.0, the message/note update endpoint (e.g. PUT or POST) upd…

openemr | Remote | Authorization
Mar 18, 2026 Mar 19, 2026
8.3 HIGH
CVE-2026-4396 — Devolutions Hub Reporting Service TLS Certificate Verification Bypass

Improper certificate validation in Devolutions Hub Reporting Service 2025.3.1.1 and earlier allows a network attacker to perform a man-in-the-middle attack via disabled TLS certificate verification.

Cryptography
Mar 18, 2026 Mar 19, 2026
8.1 HIGH
CVE-2026-31971 — HTSlib CRAM decoder vulnerable to buffer overflow

HTSlib is a library for reading and writing bioinformatics file formats. CRAM is a compressed format which stores DNA sequence alignment data using a variety of encodings and compression methods. Whe…

htslib | Remote | Memory Corruption
Mar 18, 2026 Mar 19, 2026
8.1 HIGH
CVE-2026-31970 — HTSlib BGZF index file reader has a heap buffer overflow

HTSlib is a library for reading and writing bioinformatics file formats. GZI files are used to index block-compressed GZIP [BGZF] files. In the GZI loading function, `bgzf_index_load_hfile()`, it wa…

htslib | Remote | Memory Corruption
Mar 18, 2026 Mar 19, 2026
8.1 HIGH
CVE-2026-31969 — HTSlib CRAM decoder has a heap buffer overflow

HTSlib is a library for reading and writing bioinformatics file formats. CRAM is a compressed format which stores DNA sequence alignment data using a variety of encodings and compression methods. Wh…

htslib | Remote | Memory Corruption
Mar 18, 2026 Mar 19, 2026
8.8 HIGH
CVE-2026-31968 — HTSlib CRAM decoder vulnerable to buffer overflow

HTSlib is a library for reading and writing bioinformatics file formats. CRAM is a compressed format which stores DNA sequence alignment data using a variety of encodings and compression methods. For…

htslib | Remote | Memory Corruption
Mar 18, 2026 Mar 19, 2026
Showing 20 of 5724 Results