Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
CVE Intelligence

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

All Critical Actively Exploited Remotely Exploitable
Last Updated Published CVSS Score
Score
Vulnerability
Published
6.5 MEDIUM
CVE-2026-40293 — OpenFGA Playground Preshared Key Exposure

OpenFGA is an authorization/permission engine built for developers. In versions 0.1.4 through 1.13.1, when OpenFGA is configured to use preshared-key authentication with the built-in playground enabl…

openfga | Remote | Authorization
Apr 17, 2026 Apr 27, 2026
Apr 17, 2026
Apr 27, 2026
7.5 HIGH
CVE-2026-40286 — WeGIA has Cross-Site Scripting in Controle de Contribuição

WeGIA is a web manager for charitable institutions. In versions prior to 3.6.10, a Stored Cross-Site Scripting (XSS) vulnerability was identified in the 'Member Registration' (Cadastrar Sócio) functi…

wegia | Remote | Cross-Site Scripting
Apr 17, 2026 Apr 20, 2026
Apr 17, 2026
Apr 20, 2026
8.8 HIGH
CVE-2026-40285 — WeGIA has SQL Injection via Session Variable Override in DespachoControle.php

WeGIA is a web manager for charitable institutions. Versions prior to 3.6.10 contain a SQL injection vulnerability in dao/memorando/UsuarioDAO.php. The cpf_usuario POST parameter overwrites the sessi…

wegia | Remote | Injection
Apr 17, 2026 Apr 20, 2026
Apr 17, 2026
Apr 20, 2026
6.8 MEDIUM
CVE-2026-40284 — WeGIA has stored XSS in listar_despachos.php

WeGIA is a web manager for charitable institutions. In versions prior to 3.6.10, a Stored Cross-Site Scripting (XSS) vulnerability allows an authenticated user to inject malicious JavaScript via the …

wegia | Remote | Cross-Site Scripting
Apr 17, 2026 Apr 20, 2026
Apr 17, 2026
Apr 20, 2026
6.4 MEDIUM
CVE-2026-40282 — WeGIA has stored XSS in intercorrencia_visualizar.php

WeGIA is a web manager for charitable institutions. In versions prior to 3.6.10, a Stored Cross-Site Scripting (XSS) vulnerability allows an authenticated user to inject malicious JavaScript into the…

wegia | Remote | Cross-Site Scripting
Apr 17, 2026 Apr 20, 2026
Apr 17, 2026
Apr 20, 2026
8.1 HIGH
CVE-2026-40196 — HomeBox has Unauthorized API Access via Retained defaultGroup ID After Group Access Revoc…

HomeBox is a home inventory and organization system. Versions prior to 0.25.0 contain a vulnerability where the defaultGroup ID remained permanently assigned to a user after being invited to a group,…

homebox | Remote | Authorization
Apr 17, 2026 Apr 24, 2026
Apr 17, 2026
Apr 24, 2026
5.4 MEDIUM
CVE-2026-40155 — Auth0 Next.js SDK has Improper Proxy Cache Lookup

The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. In versions 4.12.0 through 4.17.1, simultaneous requests that trigger a nonce retry may cause the prox…

nextjs-auth0 | Remote | Authentication
Apr 17, 2026 Apr 27, 2026
Apr 17, 2026
Apr 27, 2026
7.3 HIGH
CVE-2026-35603 — Claude Code: Insecure System-Wide Configuration Loading Enables Local Privilege Escalatio…

Claude Code is an agentic coding tool. In versions prior to 2.1.75 on Windows, Claude Code loaded the system-wide default configuration from C:\ProgramData\ClaudeCode\managed-settings.json without va…

windows claude_code | Misconfiguration
Apr 17, 2026 Apr 22, 2026
Apr 17, 2026
Apr 22, 2026
8.8 HIGH
CVE-2026-35512 — xrdp: Heap buffer overflow in EGFX channel

xrdp is an open source RDP server. Versions through 0.10.5 have a heap-based buffer overflow in the EGFX (graphics dynamic virtual channel) implementation due to insufficient validation of client-con…

xrdp | Remote | Memory Corruption
Apr 17, 2026 Apr 27, 2026
Apr 17, 2026
Apr 27, 2026
2.3 LOW
CVE-2026-35402 — mcp-neo4j-cypher: SSRF and Data Modification via read_only Mode Bypass Through CALL Proce…

mcp-neo4j-cypher is an MCP server for executing Cypher queries against Neo4j databases. In versions prior to 0.6.0, the read_only mode enforcement can be bypassed using APOC CALL procedures, potentia…

Remote | Misconfiguration
Apr 17, 2026 Apr 29, 2026
Apr 17, 2026
Apr 29, 2026
9.1 CRITICAL
CVE-2026-33689 — xrdp: Pre-authentication out-of-bounds reads in channel parsers

xrdp is an open source RDP server. Versions through 0.10.5 have an out-of-bounds read vulnerability in the pre-authentication RDP message parsing logic. A remote, unauthenticated attacker can trigger…

xrdp | Remote | Information Disclosure
Apr 17, 2026 Apr 27, 2026
Apr 17, 2026
Apr 27, 2026
6.1 MEDIUM
CVE-2026-33436 — Stirling-PDF: Reflected XSS through crafted filename in file upload functionality

Stirling-PDF is a locally hosted web application that facilitates various operations on PDF files. In versions prior to 2.0.0, file upload endpoints render user-supplied filenames directly into HTML …

stirling_pdf stirling_pdf | Remote | Cross-Site Scripting
Apr 17, 2026 May 13, 2026
Apr 17, 2026
May 13, 2026
6.3 MEDIUM
CVE-2026-33145 — xrdp: Authenticated RCE via unsanitized AlternateShell execution in xrdp-sesman

xrdp is an open source RDP server. Versions through 0.10.5 allow an authenticated remote user to execute arbitrary commands on the server due to unsafe handling of the AlternateShell parameter in xrd…

xrdp | Remote | Injection
Apr 17, 2026 Apr 27, 2026
Apr 17, 2026
Apr 27, 2026
9.4 CRITICAL
CVE-2026-23500 — Dolibarr: OS Command Injection (RCE) via MAIN_ODT_AS_PDF configuration

Dolibarr is an enterprise resource planning (ERP) and customer relationship management (CRM) software package. In versions prior to 23.0.0 , the ODT to PDF conversion process in odf.php concatenates …

dolibarr_erp\/crm | Remote | Injection
Apr 17, 2026 May 01, 2026
Apr 17, 2026
May 01, 2026
Showing 20 of 6194 Results