Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
Following is the list of latest published vulnerabilities. You can filter the list based on the severity of the vulnerability, whether it is actively exploited (also known as CISA KEV List) or remotely exploitable. You can also sort the list based on the published date, last updated date, or CVSS score.
Latest Critical Actively Exploited Remotely Exploitable
Published Last Updated CVSS Score

  • 8.8

    HIGH
    CVE-2019-25438

    LabCollector 5.423 contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to execute arbitrary SQL commands by injecting malicious code through POST parameters. Attackers can submit crafted SQL payloads in the login parameter... Read more

    Affected Products : labcollector
    • Published: Feb. 20, 2026
    • Modified: Feb. 26, 2026
    • Vuln Type: Injection

  • 7.8

    HIGH
    CVE-2026-2034

    Sante DICOM Viewer Pro DCM File Parsing Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Sante DICOM Viewer Pro. User interaction is required to exploit ... Read more

    Affected Products : dicom_viewer_pro
    • Published: Feb. 20, 2026
    • Modified: Feb. 26, 2026
    • Vuln Type: Memory Corruption

  • 6.1

    MEDIUM
    CVE-2026-2506

    The EM Cost Calculator plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.3.1. This is due to the plugin storing attacker-controlled 'customer_name' data and rendering it in the admin customer list withou... Read more

    Affected Products :
    • Published: Feb. 26, 2026
    • Modified: Feb. 26, 2026
    • Vuln Type: Cross-Site Scripting

  • 4.4

    MEDIUM
    CVE-2026-2499

    The Custom Logo plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, ... Read more

    Affected Products :
    • Published: Feb. 26, 2026
    • Modified: Feb. 26, 2026
    • Vuln Type: Cross-Site Scripting

  • 4.4

    MEDIUM
    CVE-2026-2498

    The WP Social Meta plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attack... Read more

    Affected Products :
    • Published: Feb. 26, 2026
    • Modified: Feb. 26, 2026
    • Vuln Type: Cross-Site Scripting

  • 4.4

    MEDIUM
    CVE-2026-2489

    The TP2WP Importer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Watched domains' textarea on the attachment importer settings page in all versions up to, and including, 1.1. This is due to insufficient input sanitization and ... Read more

    Affected Products :
    • Published: Feb. 26, 2026
    • Modified: Feb. 26, 2026
    • Vuln Type: Cross-Site Scripting

  • 6.4

    MEDIUM
    CVE-2026-2029

    The Livemesh Addons for Beaver Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `[labb_pricing_item]` shortcode's `title` and `value` attributes in all versions up to, and including, 3.9.2 due to insufficient input sanitiz... Read more

    Affected Products : beaver_builder_addons
    • Published: Feb. 26, 2026
    • Modified: Feb. 26, 2026
    • Vuln Type: Cross-Site Scripting

  • 7.6

    HIGH
    CVE-2026-27970

    Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Versions prior to 21.2.0, 21.1.16, 20.3.17, and 19.2.19 have a cross-Site scripting vulnerability in the Angular internatio... Read more

    Affected Products : angular
    • Published: Feb. 26, 2026
    • Modified: Feb. 26, 2026
    • Vuln Type: Cross-Site Scripting

  • 9.3

    CRITICAL
    CVE-2026-27969

    Vitess is a database clustering system for horizontal scaling of MySQL. Prior to versions 23.0.3 and 22.0.4, anyone with read/write access to the backup storage location (e.g. an S3 bucket) can manipulate backup manifest files so that files in the manifes... Read more

    Affected Products : vitess
    • Published: Feb. 26, 2026
    • Modified: Feb. 26, 2026
    • Vuln Type: Path Traversal

  • 4.3

    MEDIUM
    CVE-2026-27968

    Packistry is a self-hosted Composer repository designed to handle PHP package distribution. Prior to version 0.13.0, RepositoryAwareController::authorize() verified token presence and ability, but did not enforce token expiration. As a result, an expired ... Read more

    Affected Products :
    • Published: Feb. 26, 2026
    • Modified: Feb. 26, 2026
    • Vuln Type: Authentication

  • 9.8

    CRITICAL
    CVE-2026-27966

    Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.8.0, the CSV Agent node in Langflow hardcodes `allow_dangerous_code=True`, which automatically exposes LangChain’s Python REPL tool (`python_repl_ast`). As a... Read more

    Affected Products : langflow
    • Published: Feb. 26, 2026
    • Modified: Feb. 26, 2026
    • Vuln Type: Injection

  • 8.4

    HIGH
    CVE-2026-27965

    Vitess is a database clustering system for horizontal scaling of MySQL. Prior to versions 23.0.3 and 22.0.4, anyone with read/write access to the backup storage location (e.g. an S3 bucket) can manipulate backup manifest files so that arbitrary code is la... Read more

    Affected Products : vitess
    • Published: Feb. 26, 2026
    • Modified: Feb. 26, 2026
    • Vuln Type: Misconfiguration

  • 8.8

    HIGH
    CVE-2026-27961

    Agenta is an open-source LLMOps platform. A Server-Side Template Injection (SSTI) vulnerability exists in versions prior to 0.86.8 in Agenta's API server evaluator template rendering. Although the vulnerable code lives in the SDK package, it is executed s... Read more

    Affected Products :
    • Published: Feb. 26, 2026
    • Modified: Feb. 26, 2026
    • Vuln Type: Injection

  • 7.5

    HIGH
    CVE-2026-27959

    Koa is middleware for Node.js using ES2017 async functions. Prior to versions 3.1.2 and 2.16.4, Koa's `ctx.hostname` API performs naive parsing of the HTTP Host header, extracting everything before the first colon without validating the input conforms to ... Read more

    Affected Products : koa
    • Published: Feb. 26, 2026
    • Modified: Feb. 26, 2026
    • Vuln Type: Information Disclosure

  • 4.9

    MEDIUM
    CVE-2026-27954

    Live Helper Chat is an open-source application that enables live support websites. In versions up to and including 4.52, three chat action endpoints (holdaction.php, blockuser.php, and transferchat.php) load chat objects by ID without calling `erLhcoreCl... Read more

    Affected Products : livehelperchat
    • Published: Feb. 26, 2026
    • Modified: Feb. 26, 2026
    • Vuln Type: Authorization

  • 8.8

    HIGH
    CVE-2026-27952

    Agenta is an open-source LLMOps platform. In Agenta-API prior to version 0.48.1, a Python sandbox escape vulnerability existed in Agenta's custom code evaluator. Agenta used RestrictedPython as a sandboxing mechanism for user-supplied evaluator code, but ... Read more

    Affected Products :
    • Published: Feb. 26, 2026
    • Modified: Feb. 26, 2026
    • Vuln Type: Injection

  • 5.4

    MEDIUM
    CVE-2026-27948

    Copyparty is a portable file server. In versions prior to 1.20.9, an XSS allows for reflected cross-site scripting via URL-parameter `?setck=...`. Version 1.20.9 fixes the issue.... Read more

    Affected Products : copyparty
    • Published: Feb. 26, 2026
    • Modified: Feb. 26, 2026
    • Vuln Type: Cross-Site Scripting

  • 6.5

    MEDIUM
    CVE-2026-27943

    OpenEMR is a free and open source electronic health records and medical practice management application. In versions up to and including 8.0.0, the eye exam (eye_mag) view loads data by `form_id` (or equivalent) without verifying that the form belongs to ... Read more

    Affected Products : openemr
    • Published: Feb. 26, 2026
    • Modified: Feb. 26, 2026
    • Vuln Type: Authorization

  • 2.7

    LOW
    CVE-2026-27942

    fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. Prior to version 5.3.8, the application crashes with stack overflow when user use XML builder with `preserveOr... Read more

    Affected Products : fast-xml-parser
    • Published: Feb. 26, 2026
    • Modified: Feb. 26, 2026
    • Vuln Type: Denial of Service

  • 9.9

    CRITICAL
    CVE-2026-27941

    OpenLIT is an open source platform for AI engineering. Prior to version 1.37.1, several GitHub Actions workflows in OpenLIT's GitHub repository use the `pull_request_target` event while checking out and executing untrusted code from forked pull requests. ... Read more

    Affected Products :
    • Published: Feb. 26, 2026
    • Modified: Feb. 26, 2026
    • Vuln Type: Misconfiguration
Showing 20 of 4946 Results