Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
CVE Intelligence

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

All Critical Actively Exploited Remotely Exploitable
Last Updated Published CVSS Score
Score
Vulnerability
Published
8.1 HIGH
CVE-2026-33329 — FileRise: Path Traversal in `resumableIdentifier` Leading to Arbitrary File Write, Recurs…

FileRise is a self-hosted web file manager / WebDAV server. From version 1.0.1 to before version 3.10.0, the resumableIdentifier parameter in the Resumable.js chunked upload handler (UploadModel::han…

filerise | Remote | Path Traversal
Mar 24, 2026 Mar 25, 2026
Mar 24, 2026
Mar 25, 2026
4.3 MEDIUM
CVE-2026-33326 — @keystone-6/core: `isFilterable` bypass via `cursor` parameter in findMany

Keystone is a content management system for Node.js. Prior to version 6.5.2, {field}.isFilterable access control can be bypassed in findMany queries by passing a cursor. This can be used to confirm t…

keystone | Remote | Authorization
Mar 24, 2026 Mar 25, 2026
Mar 24, 2026
Mar 25, 2026
9.2 CRITICAL
CVE-2026-33322 — MinIO: JWT Algorithm Confusion in OIDC Authentication

MinIO is a high-performance object storage system. From RELEASE.2022-11-08T05-27-07Z to before RELEASE.2026-03-17T21-25-16Z, a JWT algorithm confusion vulnerability in MinIO's OpenID Connect authenti…

minio | Remote | Authentication
Mar 24, 2026 Mar 25, 2026
Mar 24, 2026
Mar 25, 2026
6.5 MEDIUM
CVE-2026-33314 — pyload-ng: Improper Authentication and Origin Validation Error

pyLoad is a free and open-source download manager written in Python. Prior to version 0.5.0b3.dev97, a Host Header Spoofing vulnerability in the @local_check decorator allows unauthenticated external…

pyload-ng | Remote | Server-Side Request Forgery
Mar 24, 2026 Mar 25, 2026
Mar 24, 2026
Mar 25, 2026
6.7 MEDIUM
CVE-2026-32948 — sbt: Source dependency feature (via crafted VCS URL) leads to arbitrary code execution on…

sbt is a build tool for Scala, Java, and others. From version 0.9.5 to before version 1.12.7, on Windows, sbt uses Process("cmd", "/c", ...) to run VCS commands (git, hg, svn). The URI fragment (bran…

| Injection
Mar 24, 2026 Mar 25, 2026
Mar 24, 2026
Mar 25, 2026
8.8 HIGH
CVE-2026-22559 — "UniFi Network Server Cross-Site Scripting Vulnerability"

An Improper Input Validation vulnerability in UniFi Network Server may allow unauthorized access to an account if the account owner is socially engineered into clicking a malicious link. Affecte…

Remote | Authentication
Mar 24, 2026 Mar 25, 2026
Mar 24, 2026
Mar 25, 2026
4.3 MEDIUM
CVE-2026-21783 — HCL Traveler is affected by sensitive information disclosure

HCL Traveler is affected by sensitive information disclosure.  The application generates some error messages that provide detailed information about errors and failures, such as internal paths, file …

Remote | Information Disclosure
Mar 24, 2026 Mar 25, 2026
Mar 24, 2026
Mar 25, 2026
2.9 LOW
CVE-2026-33769 — Astro: Remote allowlist bypass via unanchored matchPathname wildcard

Astro is a web framework. From version 2.10.10 to before version 5.18.1, this issue concerns Astro's remotePatterns path enforcement for remote URLs used by server-side fetchers such as the image opt…

\@astrojs\/node | Remote | Server-Side Request Forgery
Mar 24, 2026 Mar 25, 2026
Mar 24, 2026
Mar 25, 2026
6.5 MEDIUM
CVE-2026-33768 — Astro: Unauthenticated Path Override via `x-astro-path` / `x_astro_path`

Astro is a web framework. Prior to version 10.0.2, the @astrojs/vercel serverless entrypoint reads the x-astro-path header and x_astro_path query parameter to rewrite the internal request path, with …

\@astrojs\/node | Remote | Path Traversal
Mar 24, 2026 Mar 25, 2026
Mar 24, 2026
Mar 25, 2026
7.1 HIGH
CVE-2026-33627 — Parse Server: Auth data exposed via /users/me endpoint

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.61 and 9.6.0-alpha.55, an authenticated user calling GET /users/me receiv…

parse-server | Remote | Information Disclosure
Mar 24, 2026 Mar 25, 2026
Mar 24, 2026
Mar 25, 2026
2.1 LOW
CVE-2026-33624 — Parse Server: MFA recovery code single-use bypass via concurrent requests

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.60 and 9.6.0-alpha.54, an attacker who obtains a user's password and a si…

parse-server | Remote | Authentication
Mar 24, 2026 Mar 25, 2026
Mar 24, 2026
Mar 25, 2026
8.6 HIGH
CVE-2026-33539 — Parse Server: SQL injection via aggregate and distinct field names in PostgreSQL adapter

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.59 and 9.6.0-alpha.53, an attacker with master key access can execute arb…

parse-server | Remote | Injection
Mar 24, 2026 Mar 25, 2026
Mar 24, 2026
Mar 25, 2026
8.7 HIGH
CVE-2026-33538 — Parse Server: Denial of service via unindexed database query for unconfigured auth provid…

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.58 and 9.6.0-alpha.52, an unauthenticated attacker can cause denial of se…

parse-server | Remote | Denial of Service
Mar 24, 2026 Mar 25, 2026
Mar 24, 2026
Mar 25, 2026
5.3 MEDIUM
CVE-2026-33527 — Parse Server: Session update endpoint allows overwriting server-generated session fields

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.57 and 9.6.0-alpha.48, an authenticated user can overwrite server-generat…

parse-server | Remote | Authentication
Mar 24, 2026 Mar 25, 2026
Mar 24, 2026
Mar 25, 2026
8.2 HIGH
CVE-2026-33508 — Parse Server: LiveQuery subscription query depth bypass

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.56 and 9.6.0-alpha.45, Parse Server's LiveQuery component does not enforc…

parse-server | Remote | Denial of Service
Mar 24, 2026 Mar 25, 2026
Mar 24, 2026
Mar 25, 2026
8.7 HIGH
CVE-2026-33498 — Parse Server: Query condition depth bypass via pre-validation transform pipeline

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.55 and 9.6.0-alpha.44, an attacker can send an unauthenticated HTTP reque…

parse-server | Remote | Denial of Service
Mar 24, 2026 Mar 25, 2026
Mar 24, 2026
Mar 25, 2026
6.3 MEDIUM
CVE-2026-33429 — Parse Server: Protected field change detection oracle via LiveQuery watch parameter

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.54 and 9.6.0-alpha.43, an attacker can subscribe to LiveQuery with a watc…

parse-server | Remote | Information Disclosure
Mar 24, 2026 Mar 25, 2026
Mar 24, 2026
Mar 25, 2026
7.1 HIGH
CVE-2026-33421 — Parse Server: LiveQuery bypasses CLP pointer permission enforcement

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.53 and 9.6.0-alpha.42, Parse Server's LiveQuery WebSocket interface does …

parse-server | Remote | Authorization
Mar 24, 2026 Mar 25, 2026
Mar 24, 2026
Mar 25, 2026
6.5 MEDIUM
CVE-2026-33417 — Wallos: Password Reset Tokens Never Expire

Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.2, password reset tokens in Wallos never expire. The password_resets table includes a created_at timestamp …

wallos | Remote | Authentication
Mar 24, 2026 Mar 25, 2026
Mar 24, 2026
Mar 25, 2026
7.0 HIGH
CVE-2026-33409 — Parse Server: Auth provider validation bypass on login via partial authData

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.52 and 9.6.0-alpha.41, an authentication bypass vulnerability allows an a…

parse-server | Remote | Authentication
Mar 24, 2026 Mar 25, 2026
Mar 24, 2026
Mar 25, 2026
Showing 20 of 6015 Results