Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score | Vulnerability | Published
0.0 NA
CVE-2026-40310 — ImageMagick: Heap out-of-bounds write in JP2 encoder

ImageMagick is free and open-source software used for editing and manipulating digital images. Versions below both 7.1.2-19 and 6.9.13-44 contain a heap out-of-bounds write in the JP2 encoder with w…

Memory Corruption
Apr 13, 2026
0.0 NA
CVE-2026-40183 — ImageMagick: Heap buffer overflow when encoding JXL image with a 16-bit float

ImageMagick is free and open-source software used for editing and manipulating digital images. In versions below 7.1.2-19, the JXL encoder has a heap write overflow when a user specifies that the im…

Memory Corruption
Apr 13, 2026
0.0 NA
CVE-2026-22563 — "UniFi Play PowerAmp and Audio Port Command Injection Vulnerability"

A series of Improper Input Validation vulnerabilities could allow a Command Injection by a malicious actor with access to the UniFi Play network. Affected Products: UniFi Play PowerAmp (Version 1.0…

Injection
Apr 13, 2026
0.0 NA
CVE-2026-22562 — "Ubiquiti UniFi Play Path Traversal Remote Code Execution Vulnerability"

A malicious actor with access to the UniFi Play network could exploit a Path Traversal vulnerability found in the device firmware to write files on the system that could be used for a remote code exe…

Path Traversal
Apr 13, 2026
0.0 NA
CVE-2026-22566 — Ubiquiti UniFi Play WiFi Credentials Exposure

An Improper Access Control vulnerability could allow a malicious actor with access to the UniFi Play network to obtain UniFi Play WiFi credentials. Affected Products: UniFi Play PowerAmp (Version …

Authorization
Apr 13, 2026
0.0 NA
CVE-2026-22565 — "UniFi Play PowerAmp and Audio Port Improper Input Validation Denial of Service"

An Improper Input Validation vulnerability could allow a malicious actor with access to the UniFi Play network to cause the device to stop responding. Affected Products: UniFi Play PowerAmp (Versi…

Denial of Service
Apr 13, 2026
0.0 NA
CVE-2026-22564 — "UniFi Play Improper Access Control SSH Enablement Vulnerability"

An Improper Access Control vulnerability could allow a malicious actor with access to the UniFi Play network to enable SSH to make unauthorized changes to the system. Affected Products: UniFi Play…

Authorization
Apr 13, 2026
0.0 NA
CVE-2026-40169 — ImageMagick: Heap buffer overflow (WRITE) in the YAML and JSON encoders

ImageMagick is free and open-source software used for editing and manipulating digital images. In versions below 7.1.2-19, a crafted image could result in an out of bounds heap write when writing a y…

Memory Corruption
Apr 13, 2026
5.3 MEDIUM
CVE-2026-6219 — aandrew-me ytDownloader Compressor Feature compressor.js child_process.exec command injec…

A vulnerability was determined in aandrew-me ytDownloader up to 3.20.2. This affects the function child_process.exec of the file src/compressor.js of the component Compressor Feature. This manipulati…

| Injection
Apr 13, 2026
5.3 MEDIUM
CVE-2026-6218 — aandrew-me ytDownloader Error Details Panel createTextNode cross site scripting

A vulnerability was found in aandrew-me ytDownloader up to 3.20.2. Affected by this issue is the function createTextNode of the component Error Details Panel. The manipulation results in cross site s…

Remote | Cross-Site Scripting
Apr 13, 2026
5.1 MEDIUM
CVE-2026-6216 — DbGate SVG Icon String FontIcon.svelte cross site scripting

A security vulnerability has been detected in DbGate up to 7.1.4. This affects an unknown function of the file packages/web/src/icons/FontIcon.svelte of the component SVG Icon String Handler. Such ma…

Remote | Cross-Site Scripting
Apr 13, 2026
7.5 HIGH
CVE-2026-33901 — ImageMagick has a Heap Buffer Overflow via MVG decoder

ImageMagick is free and open-source software used for editing and manipulating digital images. In versions below both 7.1.2-19 and 6.9.13-44, a heap buffer overflow occurs in the MVG decoder that cou…

Remote | Memory Corruption
Apr 13, 2026
5.9 MEDIUM
CVE-2026-33900 — ImageMagick has a Heap overflow caused by integer overflow/wraparound in viff encoder on …

ImageMagick is free and open-source software used for editing and manipulating digital images. In versions below both 7.1.2-189 and 6.9.13-44, the viff encoder contains an integer truncation/wraparou…

Remote | Memory Corruption
Apr 13, 2026
5.3 MEDIUM
CVE-2026-33899 — ImageMagick: Heap BufferOverflow write of single zero byte when parsing XML

ImageMagick is free and open-source software used for editing and manipulating digital images. In versions below 7.1.2-189 and 6.9.13-44, when `Magick` parses an XML file it is possible that a single…

Remote | Memory Corruption
Apr 13, 2026
5.4 MEDIUM
CVE-2026-33740 — EspoCRM: Email importEml can import and delete another user's attachment by raw fileId

EspoCRM is an open source customer relationship management application. In versions 9.3.3 and below, the POST /api/v1/Email/importEml endpoint contains an Insecure Direct Object Reference (IDOR) vuln…

Remote | Authorization
Apr 13, 2026
3.5 LOW
CVE-2026-33659 — EspoCRM: SSRF via DNS Rebinding in Attachment fromImageUrl Endpoint Allows Internal Netwo…

EspoCRM is an open source customer relationship management application. In versions 9.3.3 and below, the POST /api/v1/Attachment/fromImageUrl endpoint is vulnerable to Server-Side Request Forgery (SS…

Remote | Server-Side Request Forgery
Apr 13, 2026
8.7 HIGH
CVE-2026-32272 — Craft Commerce: Blind SQL Injection via hasVariant/hasProduct

Craft Commerce is an ecommerce platform for Craft CMS. In versions 5.0.0 through 5.5.4, an SQL injection vulnerability exists where the ProductQuery::hasVariant and VariantQuery::hasProduct propertie…

Remote | Injection
Apr 13, 2026
7.7 HIGH
CVE-2026-32271 — Craft Commerce: SQL Injection can lead to Remote Code Execution via TotalRevenue Widget

Craft Commerce is an ecommerce platform for Craft CMS. In versions 4.0.0 through 4.10.2 and 5.0.0 through 5.5.4, there is an SQL injection vulnerability in the Commerce TotalRevenue widget which allo…

Remote | Injection
Apr 13, 2026
0.0 NA
CVE-2026-31280 — Parani M10 Motorcycle Intercom RFCOMM Service DoS Vulnerability

An issue in the Bluetooth RFCOMM service of Parani M10 Motorcycle Intercom v2.1.3 allows unauthorized attackers to cause a Denial of Service (DoS) via supplying crafted RFCOMM frames.

Denial of Service
Apr 13, 2026
0.0 NA
CVE-2026-26460 — Vtiger CRM HTML Injection Vulnerability

An HTML Injection vulnerability exists in the Dashboard module of Vtiger CRM 8.4.0. The application fails to properly neutralize user-supplied input in the tabid parameter of the DashBoardTab view (ge…

Cross-Site Scripting
Apr 13, 2026
Showing 20 of 6234 Results