Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

All Critical Actively Exploited Remotely Exploitable
Last Updated Published CVSS Score
Score
Vulnerability
Published
6.5 MEDIUM
CVE-2026-27734 — Beszel Vulnerable to Docker API Path Traversal via Unsanitized Container ID

Beszel is a server monitoring platform. Prior to version 0.18.2, the hub's authenticated API endpoints GET /api/beszel/containers/logs and GET /api/beszel/containers/info pass the user-supplied "cont…

Remote | Path Traversal
Feb 27, 2026 Feb 27, 2026
Feb 27, 2026
Feb 27, 2026
7.3 HIGH
CVE-2026-27707 — Plex-configured Seerr instances vulnerable to unauthenticated account registration via Je…

Seerr is an open-source media request and discovery manager for Jellyfin, Plex, and Emby. Starting in version 2.0.0 and prior to version 3.1.0, an authentication guard logic flaw in `POST /api/v1/aut…

Remote | Authentication
Feb 27, 2026 Feb 27, 2026
Feb 27, 2026
Feb 27, 2026
2.0 LOW
CVE-2026-26997 — ClipBucket v5 has Stored XSS via Collection name

ClipBucket v5 is an open source video sharing platform. Prior to version 5.5.3 #59, a normal authenticated user can store the XSS payload. The payload is triggered by administrator. Version 5.5.3 #59…

clipbucket | Remote | Cross-Site Scripting
Feb 27, 2026 Feb 27, 2026
Feb 27, 2026
Feb 27, 2026
2.7 LOW
CVE-2026-22717 — VMware Workstation out-of-bound read vulnerability

Out-of-bound read vulnerability in VMware Workstation 25H1 and below on any platform allows an actor with non-administrative privileges on a guest VM to obtain limited information disclosure from the…

workstation | Information Disclosure
Feb 27, 2026 Feb 27, 2026
Feb 27, 2026
Feb 27, 2026
8.2 HIGH
CVE-2026-2880 — @fastify/middie has an improper path normalization vulnerability

A vulnerability in @fastify/middie versions < 9.2.0 can result in authentication/authorization bypass when using path-scoped middleware (for example, app.use('/secret', auth)). When Fastify router n…

Remote | Authorization
Feb 27, 2026 Feb 27, 2026
Feb 27, 2026
Feb 27, 2026
5.1 MEDIUM
CVE-2026-27758 — SODOLA SL902-SWTGW124AS <= 200.1.20 Missing CSRF Protections

SODOLA SL902-SWTGW124AS firmware versions through 200.1.20 contain a cross-site request forgery vulnerability in its management interface that allows attackers to induce authenticated users into subm…

Remote | Cross-Site Request Forgery
Feb 27, 2026 Feb 27, 2026
Feb 27, 2026
Feb 27, 2026
7.1 HIGH
CVE-2026-27757 — SODOLA SL902-SWTGW124AS <= 200.1.20 Unverified Password Change

SODOLA SL902-SWTGW124AS firmware versions through 200.1.20 contain an authentication vulnerability that allows authenticated users to change account passwords without verifying the current password. …

Remote | Authentication
Feb 27, 2026 Feb 27, 2026
Feb 27, 2026
Feb 27, 2026
6.1 MEDIUM
CVE-2026-27756 — SODOLA SL902-SWTGW124AS <= 200.1.20 Reflected XSS in Management Interface

SODOLA SL902-SWTGW124AS firmware versions through 200.1.20 contain a reflected cross-site scripting vulnerability in the management interface where user input is not properly encoded before output. A…

Remote | Cross-Site Scripting
Feb 27, 2026 Feb 27, 2026
Feb 27, 2026
Feb 27, 2026
9.8 CRITICAL
CVE-2026-27755 — SODOLA SL902-SWTGW124AS <= 200.1.20 Predictable Session ID

SODOLA SL902-SWTGW124AS firmware versions through 200.1.20 contain a weak session identifier generation vulnerability that allows attackers to forge authenticated sessions by computing predictable MD…

Remote | Authentication
Feb 27, 2026 Feb 27, 2026
Feb 27, 2026
Feb 27, 2026
6.9 MEDIUM
CVE-2026-27754 — SODOLA SL902-SWTGW124AS <= 200.1.20 MD5 Session Token Generation

SODOLA SL902-SWTGW124AS firmware versions through 200.1.20 use the cryptographically broken MD5 hash function for session cookie generation, weakening session security. Attackers can exploit predicta…

Remote | Cryptography
Feb 27, 2026 Feb 27, 2026
Feb 27, 2026
Feb 27, 2026
5.0 MEDIUM
CVE-2026-22716 — VMware Workstation out-of-bounds write vulnerability

Out-of-bound write vulnerability in VMware Workstation 25H1 and below on any platform allows an actor with non-administrative privileges on a guest VM to terminate certain Workstation processes.

workstation | Information Disclosure
Feb 27, 2026 Feb 27, 2026
Feb 27, 2026
Feb 27, 2026
6.9 MEDIUM
CVE-2026-27753 — SODOLA SL902-SWTGW124AS <= 200.1.20 Improper Login Rate Limiting

SODOLA SL902-SWTGW124AS firmware versions through 200.1.20 contain an authentication bypass vulnerability that allows remote attackers to perform unlimited login attempts against the management inter…

Remote | Authentication
Feb 27, 2026 Feb 27, 2026
Feb 27, 2026
Feb 27, 2026
8.2 HIGH
CVE-2026-27752 — SODOLA SL902-SWTGW124AS <= 200.1.20 Cleartext Credential Transmission

SODOLA SL902-SWTGW124AS firmware versions through 200.1.20 transmit authentication credentials over unencrypted HTTP, allowing attackers to capture credentials. An attacker positioned to observe netw…

Remote | Authentication
Feb 27, 2026 Feb 27, 2026
Feb 27, 2026
Feb 27, 2026
9.8 CRITICAL
CVE-2026-27751 — SODOLA SL902-SWTGW124AS <= 200.1.20 Use of Default Credentials

SODOLA SL902-SWTGW124AS firmware versions through 200.1.20 contain a default credentials vulnerability that allows remote attackers to obtain administrative access to the management interface. Attack…

Remote | Authentication
Feb 27, 2026 Feb 27, 2026
Feb 27, 2026
Feb 27, 2026
8.3 HIGH
CVE-2026-26862 — CleverTap Web SDK DOM-Based XSS

CleverTap Web SDK version 1.15.2 and earlier is vulnerable to DOM-based Cross-Site Scripting (XSS) via window.postMessage in the Visual Builder module. The origin validation in src/modules/visualBuil…

Remote | Cross-Site Scripting
Feb 27, 2026 Feb 27, 2026
Feb 27, 2026
Feb 27, 2026
8.3 HIGH
CVE-2026-26861 — CleverTap Web SDK Cross-Site Scripting (XSS)

CleverTap Web SDK version 1.15.2 and earlier is vulnerable to Cross-Site Scripting (XSS) via window.postMessage. The handleCustomHtmlPreviewPostMessageEvent function in src/util/campaignRender/native…

Remote | Cross-Site Scripting
Feb 27, 2026 Feb 27, 2026
Feb 27, 2026
Feb 27, 2026
2.0 LOW
CVE-2026-21619 — Unsafe Deserialization of Erlang Terms in hex_core

Uncontrolled Resource Consumption, Deserialization of Untrusted Data vulnerability in hexpm hex_core (hex_api modules), hexpm hex (mix_hex_api modules), erlang rebar3 (r3_hex_api modules) allows Obje…

rebar3 hex_core hex | Remote | Denial of Service
Feb 27, 2026 Feb 27, 2026
Feb 27, 2026
Feb 27, 2026
8.2 HIGH
CVE-2019-25497 — osCommerce 2.3.4.1 SQL Injection via currency Parameter

osCommerce 2.3.4.1 contains a SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the currency parameter. Attackers can send…

oscommerce | Remote | Injection
Feb 27, 2026 Feb 27, 2026
Feb 27, 2026
Feb 27, 2026
8.2 HIGH
CVE-2019-25496 — osCommerce 2.3.4.1 SQL Injection via products_id Parameter

osCommerce 2.3.4.1 contains a SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the products_id parameter. Attackers can m…

oscommerce | Remote | Injection
Feb 27, 2026 Feb 27, 2026
Feb 27, 2026
Feb 27, 2026
8.2 HIGH
CVE-2019-25495 — osCommerce 2.3.4.1 SQL Injection via reviews_id Parameter

osCommerce 2.3.4.1 contains a SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the reviews_id parameter. Attackers can se…

oscommerce | Remote | Injection
Feb 27, 2026 Feb 27, 2026
Feb 27, 2026
Feb 27, 2026
Showing 20 of 4786 Results