Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
CVE Intelligence

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

All Critical Actively Exploited Remotely Exploitable
Last Updated Published CVSS Score
Score
Vulnerability
Published
6.9 MEDIUM
CVE-2026-33159 — Craft CMS: Unauthenticated users could execute project configuration sync operations that…

Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.8 and from version 5.0.0-RC1 to before version 5.9.14, guest users can access Config Sync updater index, …

Remote | Authentication
Mar 24, 2026 Mar 24, 2026
Mar 24, 2026
Mar 24, 2026
4.9 MEDIUM
CVE-2026-33158 — Craft CMS: Low-privilege users could read private asset contents when editing an asset (I…

Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.8 and from version 5.0.0-RC1 to before version 5.9.14, a low-privileged authenticated user can read priva…

Remote | Authorization
Mar 24, 2026 Mar 24, 2026
Mar 24, 2026
Mar 24, 2026
8.6 HIGH
CVE-2026-33157 — Craft CMS: Potential authenticated Remote Code Execution via malicious attached Behavior

Craft CMS is a content management system (CMS). From version 5.6.0 to before version 5.9.13, a Remote Code Execution (RCE) vulnerability exists in Craft CMS, it can be exploited by any authenticated …

Remote | Injection
Mar 24, 2026 Mar 24, 2026
Mar 24, 2026
Mar 24, 2026
6.3 MEDIUM
CVE-2026-32854 — LibVNCServer httpd proxy NULL Pointer Dereference

LibVNCServer versions 0.9.15 and prior (fixed in commit dc78dee) contain null pointer dereference vulnerabilities in the HTTP proxy handlers within httpProcessInput() in httpd.c that allow remote att…

Remote | Denial of Service
Mar 24, 2026 Mar 24, 2026
Mar 24, 2026
Mar 24, 2026
6.9 MEDIUM
CVE-2026-32853 — LibVNCServer UltraZip Encoding Heap Out-of-bounds Read

LibVNCServer versions 0.9.15 and prior (fixed in commit 009008e) contain a heap out-of-bounds read vulnerability in the UltraZip encoding handler that allows a malicious VNC server to cause informati…

Remote | Memory Corruption
Mar 24, 2026 Mar 24, 2026
Mar 24, 2026
Mar 24, 2026
9.1 CRITICAL
CVE-2026-33340 — LoLLMs WEBUI has unauthenticated Server-Side Request Forgery (SSRF) in /api/proxy endpoint

LoLLMs WEBUI provides the Web user interface for Lord of Large Language and Multi modal Systems. A critical Server-Side Request Forgery (SSRF) vulnerability has been identified in all known existing …

Remote | Server-Side Request Forgery
Mar 24, 2026 Mar 24, 2026
Mar 24, 2026
Mar 24, 2026
2.1 LOW
CVE-2025-11571 — Command Execution vulnerability in Simplicity Installer

Vulnerable endpoints accept user-controlled input through a URL in JSON format which enables command execution. The commands allowed to execute can open executables. However, the commands cannot pass…

Remote | Injection
Mar 24, 2026 Mar 24, 2026
Mar 24, 2026
Mar 24, 2026
6.9 MEDIUM
CVE-2026-33700 — Vikunja has a Link Share Delete IDOR — Missing Project Ownership Check Allows Cross-Proje…

Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, the `DELETE /api/v1/projects/:project/shares/:share` endpoint does not verify that the link share belongs to th…

Remote | Authorization
Mar 24, 2026 Mar 24, 2026
Mar 24, 2026
Mar 24, 2026
7.5 HIGH
CVE-2026-33680 — Vikunja Vulnerable to Link Share Hash Disclosure via ReadAll Endpoint Enables Permission …

Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.2, the `LinkSharing.ReadAll()` method allows link share authenticated users to list all link shares for a project,…

Remote | Authorization
Mar 24, 2026 Mar 24, 2026
Mar 24, 2026
Mar 24, 2026
6.4 MEDIUM
CVE-2026-33679 — Vikunja has SSRF via OpenID Connect Avatar Download that Bypasses Webhook SSRF Protections

Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, the `DownloadImage` function in `pkg/utils/avatar.go` uses a bare `http.Client{}` with no SSRF protection when …

Remote | Server-Side Request Forgery
Mar 24, 2026 Mar 24, 2026
Mar 24, 2026
Mar 24, 2026
8.1 HIGH
CVE-2026-33678 — Vikunja has IDOR in Task Attachment ReadOne Allows Cross-Project File Access and Deletion

Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, `TaskAttachment.ReadOne()` queries attachments by ID only (`WHERE id = ?`), ignoring the task ID from the URL p…

Remote | Authorization
Mar 24, 2026 Mar 24, 2026
Mar 24, 2026
Mar 24, 2026
6.5 MEDIUM
CVE-2026-33677 — Webhook BasicAuth Credentials Exposed to Read-Only Project Collaborators via API

Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, the `GET /api/v1/projects/:project/webhooks` endpoint returns webhook BasicAuth credentials (`basic_auth_user` …

Remote | Information Disclosure
Mar 24, 2026 Mar 24, 2026
Mar 24, 2026
Mar 24, 2026
6.5 MEDIUM
CVE-2026-33676 — Vikunja has Cross-Project Information Disclosure via Task Relations — Missing Authorizati…

Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, when the Vikunja API returns tasks, it populates the `related_tasks` field with full task objects for all relat…

Remote | Authorization
Mar 24, 2026 Mar 24, 2026
Mar 24, 2026
Mar 24, 2026
6.4 MEDIUM
CVE-2026-33675 — Vikunja has SSRF via Todoist/Trello Migration File Attachment URLs that Allows Reading In…

Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, the migration helper functions `DownloadFile` and `DownloadFileWithHeaders` in `pkg/modules/migration/helpers.g…

Remote | Server-Side Request Forgery
Mar 24, 2026 Mar 24, 2026
Mar 24, 2026
Mar 24, 2026
7.1 HIGH
CVE-2026-33668 — Vikunja Allows Disabled/Locked User Accounts to Authenticate via API Tokens, CalDAV, and …

Vikunja is an open-source self-hosted task management platform. Starting in version 0.18.0 and prior to version 2.2.1, when a user account is disabled or locked, the status check is only enforced on …

Remote | Authentication
Mar 24, 2026 Mar 24, 2026
Mar 24, 2026
Mar 24, 2026
6.5 MEDIUM
CVE-2026-33474 — Vikunja Affected by DoS via Image Preview Generation

Vikunja is an open-source self-hosted task management platform. Starting in version 1.0.0-rc0 and prior to version 2.2.0, unbounded image decoding and resizing during preview generation lets an attac…

vikunja | Remote | Denial of Service
Mar 24, 2026 Mar 24, 2026
Mar 24, 2026
Mar 24, 2026
5.7 MEDIUM
CVE-2026-33473 — Vikunja has TOTP Reuse During Validity Window

Vikunja is an open-source self-hosted task management platform. Starting in version 0.13 and prior to version 2.2.1, any user that has enabled 2FA can have their TOTP reused during the standard 30 se…

vikunja | Remote | Authentication
Mar 24, 2026 Mar 24, 2026
Mar 24, 2026
Mar 24, 2026
6.5 MEDIUM
CVE-2026-33336 — Vikunja Desktop vulnerable to Remote Code Execution via same-window navigation

Vikunja is an open-source self-hosted task management platform. Starting in version 0.21.0 and prior to version 2.2.0, the Vikunja Desktop Electron wrapper enables `nodeIntegration` in the main Brows…

Remote | Misconfiguration
Mar 24, 2026 Mar 24, 2026
Mar 24, 2026
Mar 24, 2026
6.4 MEDIUM
CVE-2026-33335 — Vikunja Desktop allows arbitrary local application invocation via unvalidated shell.openE…

Vikunja is an open-source self-hosted task management platform. Starting in version 0.21.0 and prior to version 2.2.0, the Vikunja Desktop Electron wrapper passes URLs from `window.open()` calls dire…

Remote | Misconfiguration
Mar 24, 2026 Mar 24, 2026
Mar 24, 2026
Mar 24, 2026
6.5 MEDIUM
CVE-2026-33334 — Vikunja Desktop: Any frontend XSS escalates to Remote Code Execution due to nodeIntegrati…

Vikunja is an open-source self-hosted task management platform. Starting in version 0.21.0 and prior to version 2.2.0, the Vikunja Desktop Electron wrapper enables `nodeIntegration` in the renderer p…

Remote | Cross-Site Scripting
Mar 24, 2026 Mar 24, 2026
Mar 24, 2026
Mar 24, 2026
Showing 20 of 5481 Results