Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
CVE Intelligence

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

All Critical Actively Exploited Remotely Exploitable
Last Updated Published CVSS Score
Score
Vulnerability
Published
0.0 NA
CVE-2026-33314 — pyload-ng: Improper Authentication and Origin Validation Error

pyLoad is a free and open-source download manager written in Python. Prior to version 0.5.0b3.dev97, a Host Header Spoofing vulnerability in the @local_check decorator allows unauthenticated external…

| Server-Side Request Forgery
Mar 24, 2026 Mar 24, 2026
Mar 24, 2026
Mar 24, 2026
0.0 NA
CVE-2026-32948 — sbt: Source dependency feature (via crafted VCS URL) leads to arbitrary code execution on…

sbt is a build tool for Scala, Java, and others. From version 0.9.5 to before version 1.12.7, on Windows, sbt uses Process("cmd", "/c", ...) to run VCS commands (git, hg, svn). The URI fragment (bran…

| Injection
Mar 24, 2026 Mar 24, 2026
Mar 24, 2026
Mar 24, 2026
8.3 HIGH
CVE-2026-33407 — Wallos: SSRF via HTTP Proxy Environment Variable

Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.0, Wallos endpoints/logos/search.php accepts HTTP_PROXY and HTTPS_PROXY environment variables without valid…

Remote | Server-Side Request Forgery
Mar 24, 2026 Mar 24, 2026
Mar 24, 2026
Mar 24, 2026
7.1 HIGH
CVE-2026-33401 — Wallos: Incomplete fix for CVE-2026-30840 - SSRF in AI and notification endpoints bypass …

Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.0, the patch introduced in commit e8a513591 (CVE-2026-30840) added SSRF protection to notification test end…

Remote | Server-Side Request Forgery
Mar 24, 2026 Mar 24, 2026
Mar 24, 2026
Mar 24, 2026
5.4 MEDIUM
CVE-2026-33400 — Wallos: Stored cross-site scripting (XSS) vulnerability in the payment method rename endp…

Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.0, a stored cross-site scripting (XSS) vulnerability in the payment method rename endpoint allows any authe…

Remote | Cross-Site Scripting
Mar 24, 2026 Mar 24, 2026
Mar 24, 2026
Mar 24, 2026
7.7 HIGH
CVE-2026-33399 — Wallos: SSRF Bypass - Incomplete Fix for CVE-2026-30839/30840

Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.0, the SSRF fix applied in version 4.6.2 for CVE-2026-30839 and CVE-2026-30840 is incomplete. The validate_…

Remote | Server-Side Request Forgery
Mar 24, 2026 Mar 24, 2026
Mar 24, 2026
Mar 24, 2026
4.9 MEDIUM
CVE-2026-33162 — Craft CMS: Authorization bypass in "entries/move-to-section" allows control panel user to…

Craft CMS is a content management system (CMS). From version 5.3.0 to before version 5.9.14, an authenticated control panel user with only accessCp can move entries across sections via POST /actions/…

Remote | Authorization
Mar 24, 2026 Mar 24, 2026
Mar 24, 2026
Mar 24, 2026
1.3 LOW
CVE-2026-33161 — Craft CMS: Anonymous "assets/image-editor" calls returns private asset editor metadata to…

Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.8 and from version 5.0.0-RC1 to before version 5.9.14, a low-privileged authenticated user can call asset…

Remote | Authorization
Mar 24, 2026 Mar 24, 2026
Mar 24, 2026
Mar 24, 2026
2.7 LOW
CVE-2026-33160 — Craft CMS: Anonymous "generate transform" calls for assets can expose private assets via …

Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.8 and from version 5.0.0-RC1 to before version 5.9.14, an unauthenticated user can call assets/generate-t…

Remote | Authorization
Mar 24, 2026 Mar 24, 2026
Mar 24, 2026
Mar 24, 2026
6.9 MEDIUM
CVE-2026-33159 — Craft CMS: Unauthenticated users could execute project configuration sync operations that…

Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.8 and from version 5.0.0-RC1 to before version 5.9.14, guest users can access Config Sync updater index, …

Remote | Authentication
Mar 24, 2026 Mar 24, 2026
Mar 24, 2026
Mar 24, 2026
4.9 MEDIUM
CVE-2026-33158 — Craft CMS: Low-privilege users could read private asset contents when editing an asset (I…

Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.8 and from version 5.0.0-RC1 to before version 5.9.14, a low-privileged authenticated user can read priva…

Remote | Authorization
Mar 24, 2026 Mar 24, 2026
Mar 24, 2026
Mar 24, 2026
8.6 HIGH
CVE-2026-33157 — Craft CMS: Potential authenticated Remote Code Execution via malicious attached Behavior

Craft CMS is a content management system (CMS). From version 5.6.0 to before version 5.9.13, a Remote Code Execution (RCE) vulnerability exists in Craft CMS, it can be exploited by any authenticated …

Remote | Injection
Mar 24, 2026 Mar 24, 2026
Mar 24, 2026
Mar 24, 2026
6.3 MEDIUM
CVE-2026-32854 — LibVNCServer httpd proxy NULL Pointer Dereference

LibVNCServer versions 0.9.15 and prior (fixed in commit dc78dee) contain null pointer dereference vulnerabilities in the HTTP proxy handlers within httpProcessInput() in httpd.c that allow remote att…

Remote | Denial of Service
Mar 24, 2026 Mar 24, 2026
Mar 24, 2026
Mar 24, 2026
6.9 MEDIUM
CVE-2026-32853 — LibVNCServer UltraZip Encoding Heap Out-of-bounds Read

LibVNCServer versions 0.9.15 and prior (fixed in commit 009008e) contain a heap out-of-bounds read vulnerability in the UltraZip encoding handler that allows a malicious VNC server to cause informati…

Remote | Memory Corruption
Mar 24, 2026 Mar 24, 2026
Mar 24, 2026
Mar 24, 2026
9.1 CRITICAL
CVE-2026-33340 — LoLLMs WEBUI has unauthenticated Server-Side Request Forgery (SSRF) in /api/proxy endpoint

LoLLMs WEBUI provides the Web user interface for Lord of Large Language and Multi modal Systems. A critical Server-Side Request Forgery (SSRF) vulnerability has been identified in all known existing …

Remote | Server-Side Request Forgery
Mar 24, 2026 Mar 24, 2026
Mar 24, 2026
Mar 24, 2026
2.1 LOW
CVE-2025-11571 — Command Execution vulnerability in Simplicity Installer

Vulnerable endpoints accept user-controlled input through a URL in JSON format which enables command execution. The commands allowed to execute can open executables. However, the commands cannot pass…

Remote | Injection
Mar 24, 2026 Mar 24, 2026
Mar 24, 2026
Mar 24, 2026
6.9 MEDIUM
CVE-2026-33700 — Vikunja has a Link Share Delete IDOR — Missing Project Ownership Check Allows Cross-Proje…

Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, the `DELETE /api/v1/projects/:project/shares/:share` endpoint does not verify that the link share belongs to th…

Remote | Authorization
Mar 24, 2026 Mar 24, 2026
Mar 24, 2026
Mar 24, 2026
7.5 HIGH
CVE-2026-33680 — Vikunja Vulnerable to Link Share Hash Disclosure via ReadAll Endpoint Enables Permission …

Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.2, the `LinkSharing.ReadAll()` method allows link share authenticated users to list all link shares for a project,…

Remote | Authorization
Mar 24, 2026 Mar 24, 2026
Mar 24, 2026
Mar 24, 2026
6.4 MEDIUM
CVE-2026-33679 — Vikunja has SSRF via OpenID Connect Avatar Download that Bypasses Webhook SSRF Protections

Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, the `DownloadImage` function in `pkg/utils/avatar.go` uses a bare `http.Client{}` with no SSRF protection when …

Remote | Server-Side Request Forgery
Mar 24, 2026 Mar 24, 2026
Mar 24, 2026
Mar 24, 2026
8.1 HIGH
CVE-2026-33678 — Vikunja has IDOR in Task Attachment ReadOne Allows Cross-Project File Access and Deletion

Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, `TaskAttachment.ReadOne()` queries attachments by ID only (`WHERE id = ?`), ignoring the task ID from the URL p…

Remote | Authorization
Mar 24, 2026 Mar 24, 2026
Mar 24, 2026
Mar 24, 2026
Showing 20 of 5490 Results