Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score | Vulnerability | Published
8.2 HIGH
CVE-2019-25500 — Simple Job Script SQL Injection via register-recruiters endpoint

Simple Job Script contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the employerid parameter. Attackers can se…

Remote | Injection
Published: Mar 04, 2026
8.2 HIGH
CVE-2019-25499 — Simple Job Script SQL Injection via get_job_applications_ajax.php

Simple Job Script contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the job_id parameter. Attackers can send P…

Remote | Injection
Published: Mar 04, 2026
8.2 HIGH
CVE-2019-25498 — Simple Job Script SQL Injection via searched Endpoint

Simple Job Script contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the landing_location parameter. Attackers …

Remote | Injection
Published: Mar 04, 2026
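The three Simple Job Script entries above describe the same bug class: a request parameter (employerid, job_id, landing_location) spliced into the text of a SQL statement so that it is parsed as SQL rather than compared as a value. The block below is an added example, not code from Simple Job Script or from this feed. It builds a constructed SQLite table (schema, rows, and function names are assumptions) and shows the vulnerable concatenation next to the parameterized and type-checked fix, using a tautology payload against the employerid parameter.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data for the demonstration; not the real schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE employers (id INTEGER PRIMARY KEY, name TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO employers (id, name, email) VALUES (?, ?, ?)",
        [
            (1, "Acme Recruiting", "hr@acme.example"),
            (2, "Globex Staffing", "jobs@globex.example"),
            (3, "Initech Talent", "talent@initech.example"),
        ],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, employerid: str) -> list:
    """The request value becomes part of the statement text.

    Whatever the client sends is parsed as SQL. This is the pattern the
    CVE-2019-25498..25500 descriptions refer to.
    """
    sql = f"SELECT id, name, email FROM employers WHERE id = {employerid}"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, employerid: str) -> list:
    """Bound parameter: the value travels separately from the statement text,
    so the engine compares it as data and never parses it as SQL."""
    sql = "SELECT id, name, email FROM employers WHERE id = ?"
    return conn.execute(sql, (employerid,)).fetchall()


def lookup_hardened(conn: sqlite3.Connection, employerid: str) -> list:
    """Defense in depth: enforce the expected type first, then still bind."""
    if not employerid.isdigit():
        raise ValueError("employerid must be a non-negative integer")
    sql = "SELECT id, name, email FROM employers WHERE id = ?"
    return conn.execute(sql, (int(employerid),)).fetchall()


def demo() -> dict:
    """Run each variant against a benign value and a tautology payload."""
    conn = make_db()
    benign = "2"
    # Turns "WHERE id = 2" into "WHERE id = 2 OR 1=1", returning every row.
    payload = "2 OR 1=1"
    results = {
        "vulnerable_benign": len(lookup_vulnerable(conn, benign)),
        "vulnerable_payload": len(lookup_vulnerable(conn, payload)),
        # The whole string is compared to the integer column; no row matches.
        "parameterized_payload": len(lookup_parameterized(conn, payload)),
        "hardened_benign": len(lookup_hardened(conn, benign)),
    }
    try:
        lookup_hardened(conn, payload)
        results["hardened_payload"] = "accepted"
    except ValueError:
        results["hardened_payload"] = "rejected"
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The parameterized variant alone closes the injection; the type check on top of it rejects obviously malformed input before it reaches the database, which is also where you would log the attempt.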
7.7 HIGH
CVE-2026-3125 — SSRF vulnerability in opennextjs-cloudflare via /cdn-cgi/ path normalization bypass

A Server-Side Request Forgery (SSRF) vulnerability was identified in the @opennextjs/cloudflare package, resulting from a path normalization bypass in the /cdn-cgi/image/ handler. The @opennextjs/clou…

Remote | Server-Side Request Forgery
Published: Mar 04, 2026
8.7 HIGH
CVE-2026-3520 — Multer vulnerable to Denial of Service via uncontrolled recursion

Multer is a node.js middleware for handling `multipart/form-data`. A vulnerability in Multer prior to version 2.1.1 allows an attacker to trigger a Denial of Service (DoS) by sending malformed reques…

Denial of Service
Published: Mar 04, 2026
6.9 MEDIUM
CVE-2026-29069 — Craft has an unauthenticated activation email trigger with potential user enumeration

Craft is a content management system (CMS). Prior to 5.9.0-beta.2 and 4.17.0-beta.2, the actionSendActivationEmail() endpoint is accessible to unauthenticated users and does not require a permission …

craft_cms | Remote | Authentication
Published: Mar 04, 2026
8.6 HIGH
CVE-2026-28784 — Craft is affected by potential authenticated Remote Code Execution via Twig SSTI

Craft is a content management system (CMS). Prior to 5.8.22 and 4.16.18, it is possible to craft a malicious payload using the Twig map filter in text fields that accept Twig input under Settings in …

craft_cms | Remote | Injection
Published: Mar 04, 2026
9.4 CRITICAL
CVE-2026-28783 — Craft has a Twig Function Blocklist Bypass

Craft is a content management system (CMS). Prior to 5.9.0-beta.1 and 4.17.0-beta.1, Craft CMS implements a blocklist to prevent potentially dangerous PHP functions from being called via Twig non-Clo…

craft_cms | Remote | Injection
Published: Mar 04, 2026
5.3 MEDIUM
CVE-2026-28782 — Craft has a Permission Bypass and IDOR in Duplicate Entry Action

Craft is a content management system (CMS). Prior to 5.9.0-beta.1 and 4.17.0-beta.1, the "Duplicate" entry action does not properly verify if the user has permission to perform this action on the spe…

craft_cms | Remote | Authorization
Published: Mar 04, 2026
7.1 HIGH
CVE-2026-28781 — Craft Affected by Entries Authorship Spoofing via Mass Assignment

Craft is a content management system (CMS). Prior to 4.17.0-beta.1 and 5.9.0-beta.1, the entry creation process allows for Mass Assignment of the authorId attribute. A user with "Create Entries" perm…

craft_cms | Remote | Authorization
Published: Mar 04, 2026
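The CVE-2026-28781 entry describes mass assignment of the authorId attribute during entry creation: a field that should be server-controlled is accepted from the request body. The block below is an added illustration of that class and its usual fix, not Craft's code. The Session object, the permission names and the field names are constructed for the example; the request body is a constructed sample.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    """Authenticated user context. Constructed for this example."""
    user_id: int
    permissions: frozenset


# Hypothetical permission names for the example (not Craft's).
CREATE_ENTRIES = "createEntries"
CHANGE_AUTHOR = "changeEntryAuthor"

# Fields a client is allowed to set directly on a new entry.
CLIENT_WRITABLE = frozenset({"title", "body"})


def create_entry_vulnerable(session: Session, request_fields: dict) -> dict:
    """Mass assignment: every field in the request body lands on the record."""
    if CREATE_ENTRIES not in session.permissions:
        raise PermissionError("createEntries permission required")
    entry = {"authorId": session.user_id, "title": "", "body": ""}
    # A client that adds "authorId": 1 to the POST body overrides the default
    # and attributes the entry to another user.
    entry.update(request_fields)
    return entry


def create_entry_fixed(session: Session, request_fields: dict) -> dict:
    """Allow-list client-writable fields; authorship comes from the session."""
    if CREATE_ENTRIES not in session.permissions:
        raise PermissionError("createEntries permission required")
    entry = {"title": "", "body": ""}
    entry.update({k: v for k, v in request_fields.items() if k in CLIENT_WRITABLE})
    # authorId is server-controlled. A different author may be requested only by
    # a caller holding a separate, explicit permission; otherwise reject loudly
    # rather than silently dropping it, so the attempt is visible in logs.
    requested = request_fields.get("authorId")
    if requested is not None and requested != session.user_id:
        if CHANGE_AUTHOR not in session.permissions:
            raise PermissionError("changeEntryAuthor permission required")
        entry["authorId"] = requested
    else:
        entry["authorId"] = session.user_id
    return entry


def demo() -> dict:
    """Editor (user 7) tries to publish an entry attributed to user 1."""
    editor = Session(user_id=7, permissions=frozenset({CREATE_ENTRIES}))
    # Constructed request body: legitimate fields plus a spoofed authorId.
    body = {"title": "Quarterly update", "body": "...", "authorId": 1}
    out = {"vulnerable_author": create_entry_vulnerable(editor, body)["authorId"]}
    try:
        create_entry_fixed(editor, body)
        out["fixed_spoof"] = "accepted"
    except PermissionError:
        out["fixed_spoof"] = "rejected"
    clean = {"title": "Quarterly update", "body": "..."}
    out["fixed_author"] = create_entry_fixed(editor, clean)["authorId"]
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The allow-list is the important part: a deny-list of "dangerous" attributes has to be kept current every time the model grows a field, while an allow-list fails closed.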
9.4 CRITICAL
CVE-2026-28697 — Craft Affected by Authenticated RCE via "craft.app.fs.write()" in Twig Templates

Craft is a content management system (CMS). Prior to 4.17.0-beta.1 and 5.9.0-beta.1, an authenticated administrator can achieve Remote Code Execution (RCE) by injecting a Server-Side Template Injecti…

craft_cms | Remote | Injection
Published: Mar 04, 2026
8.7 HIGH
CVE-2026-28696 — Craft affected by IDOR via GraphQL @parseRefs

Craft is a content management system (CMS). Prior to 4.17.0-beta.1 and 5.9.0-beta.1, the GraphQL directive @parseRefs, intended to parse internal reference tags (e.g., {user:1:email}), can be abused …

craft_cms | Remote | Authorization
Published: Mar 04, 2026
7.5 HIGH
CVE-2026-28695 — Craft affected by authenticated RCE via Twig SSTI - create() function + Symfony Process g…

Craft is a content management system (CMS). There is an authenticated admin RCE in Craft CMS 5.8.21 via Server-Side Template Injection using the create() Twig function combined with a Symfony Process…

craft_cms | Remote | Injection
Published: Mar 04, 2026
4.3 MEDIUM
CVE-2026-23812 — Security Boundary Bypass via Routing Node Impersonation

A vulnerability has been identified where an attacker connecting to an access point as a standard wired or wireless client can impersonate a gateway by leveraging an address-based spoofing technique.…

Misconfiguration
Published: Mar 04, 2026
4.3 MEDIUM
CVE-2026-23811 — Unauthorized Bi-Directional Traffic Interception via L2/L3 Manipulation

A vulnerability in the client isolation mechanism may allow an attacker to bypass Layer 2 (L2) communication restrictions between clients and redirect traffic at Layer 3 (L3). In addition to bypassin…

Misconfiguration
Published: Mar 04, 2026
4.3 MEDIUM
CVE-2026-23810 — Cross-BSSID GTK Re-encryption and Traffic Injection

A vulnerability in the packet processing logic may allow an authenticated attacker to craft and transmit a malicious Wi-Fi frame that causes an Access Point (AP) to classify the frame as group-addres…

Injection
Published: Mar 04, 2026
5.4 MEDIUM
CVE-2026-23809 — MAC Address Spoofing leads to Inter-BSSID Isolation Bypass Resulting in Traffic Redirecti…

A technique has been identified that adapts a known port-stealing method to Wi-Fi environments that use multiple BSSIDs. By leveraging the relationship between BSSIDs and their associated virtual por…

Misconfiguration
Published: Mar 04, 2026
5.4 MEDIUM
CVE-2026-23808 — Client Isolation Bypass via GTK Manipulation

A vulnerability has been identified in a standardized wireless roaming protocol that could enable a malicious actor to install an attacker-controlled Group Temporal Key (GTK) on a client device. Succ…

Authentication
Published: Mar 04, 2026
5.4 MEDIUM
CVE-2026-23601 — Frame Injection via Shared GTK Allows Traffic Spoofing and Client Compromise

A vulnerability has been identified in the wireless encryption handling of Wi-Fi transmissions. A malicious actor can generate shared-key authenticated transmissions containing targeted payloads whil…

Cryptography
Published: Mar 04, 2026
3.3 LOW
CVE-2026-22760 — Dell Device Management Agent (DDMA) Improper Check for Unusual or Exceptional Conditions …

Dell Device Management Agent (DDMA), versions prior to 26.02, contain an Improper Check for Unusual or Exceptional Conditions vulnerability. A low privileged attacker with local access could potentia…

Denial of Service
Published: Mar 04, 2026
Showing 20 of 5030 Results