Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score | Vulnerability | Published
0.0 NA
CVE-2026-34528 — File Browser's Signup Grants Execution Permissions When Default Permissions Includes Exec…

File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to version 2.62.2, the signupHandler in File Browser app…

Authorization
Apr 01, 2026
7.3 HIGH
CVE-2026-1345 — Security Vulnerabilities have been found in IBM Verify Identity Access and IBM Security V…

IBM Verify Identity Access Container 11.0 through 11.0.2 and IBM Security Verify Access Container 10.0 through 10.0.9.1 and IBM Verify Identity Access 11.0 through 11.0.2 and IBM Security Verify Acce…

Remote | Injection
Apr 01, 2026
0.0 NA
CVE-2026-34529 — File Browser is vulnerable to Stored Cross-site Scripting via crafted EPUB file

File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to version 2.62.2, the EPUB preview function in File Bro…

Cross-Site Scripting
Apr 01, 2026
8.1 HIGH
CVE-2026-4101 — Security Vulnerabilities have been found in IBM Verify Identity Access and IBM Security V…

IBM Verify Identity Access Container 11.0 through 11.0.2 and IBM Security Verify Access Container 10.0 through 10.0.9.1 and IBM Verify Identity Access 11.0 through 11.0.2 and IBM Security Verify Acce…

Remote | Authentication
Apr 01, 2026
5.4 MEDIUM
CVE-2026-4364 — Security Vulnerabilities have been found in IBM Verify Identity Access and IBM Security V…

IBM Verify Identity Access Container 11.0 through 11.0.2 and IBM Security Verify Access Container 10.0 through 10.0.9.1 and IBM Verify Identity Access 11.0 through 11.0.2 and IBM Security Verify Acce…

Remote | Cross-Site Scripting
Apr 01, 2026
0.0 NA
CVE-2026-5312 — D-Link DNS-1550-04 dsk_mgr.cgi Get_current_raidtype access control

A weakness has been identified in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-72…

Authorization
Apr 01, 2026
0.0 NA
CVE-2026-34525 — AIOHTTP: Duplicate Host header accepted

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, multiple Host headers were allowed in aiohttp. This issue has been patched in version 3.13.4.

Misconfiguration
Apr 01, 2026
0.0 NA
CVE-2026-34520 — AIOHTTP: C parser (llhttp) accepts null bytes and control characters in response header v…

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, the C parser (the default for most installs) accepted null bytes and control characters in res…

Misconfiguration
Apr 01, 2026
0.0 NA
CVE-2026-34519 — AIOHTTP: HTTP response splitting via \r in reason phrase

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, an attacker who controls the reason parameter when creating a Response may be able to inject e…

Injection
Apr 01, 2026
5.5 MEDIUM
CVE-2026-5311 — D-Link DNS-1550-04 file_center.cgi Webdav_Access_List access control

A security flaw has been discovered in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, D…

Remote | Authorization
Apr 01, 2026
9.1 CRITICAL
CVE-2026-34872 — Mbed TLS Finite-Field Diffie-Hellman Lack of Contributory Behavior Vulnerability

An issue was discovered in Mbed TLS 3.5.x and 3.6.x through 3.6.5 and TF-PSA-Crypto 1.0. There is a lack of contributory behavior in FFDH due to improper input validation. Using finite-field Diffie-H…

Remote | Cryptography
Apr 01, 2026
6.5 MEDIUM
CVE-2026-34750 — Payload has Insufficient Filename Validation in Client-Upload Signed-URL Endpoints

Payload is a free and open source headless content management system. Prior to version 3.78.0 in @payloadcms/storage-azure, @payloadcms/storage-gcs, @payloadcms/storage-r2, and @payloadcms/storage-s3…

Remote | Path Traversal
Apr 01, 2026
5.4 MEDIUM
CVE-2026-34749 — Payload has a CSRF Protection Bypass in Authentication Flow

Payload is a free and open source headless content management system. Prior to version 3.79.1, a Cross-Site Request Forgery (CSRF) vulnerability exists in the authentication flow. Under certain condi…

Remote | Cross-Site Request Forgery
Apr 01, 2026
8.7 HIGH
CVE-2026-34748 — @payloadcms/next has Stored XSS in Admin Panel

Payload is a free and open source headless content management system. Prior to version 3.78.0 in @payloadcms/next, a stored Cross-Site Scripting (XSS) vulnerability existed in the admin panel. An aut…

Remote | Cross-Site Scripting
Apr 01, 2026
8.5 HIGH
CVE-2026-34747 — Payload has an SQL Injection via Query Handling

Payload is a free and open source headless content management system. Prior to version 3.79.1, certain request inputs were not properly validated. An attacker could craft requests that influence SQL …

Remote | Injection
Apr 01, 2026
7.7 HIGH
CVE-2026-34746 — Payload has Authenticated SSRF via Upload Functionality

Payload is a free and open source headless content management system. Prior to version 3.79.1, an authenticated Server-Side Request Forgery (SSRF) vulnerability exists in the upload functionality. Au…

Remote | Server-Side Request Forgery
Apr 01, 2026
9.1 CRITICAL
CVE-2026-34456 — Reviactyl: OAuth account takeover via auto-linking

Reviactyl is an open-source game server management panel built using Laravel, React, FilamentPHP, Vite, and Go. From version 26.2.0-beta.1 to before version 26.2.0-beta.5, a vulnerability in the OAut…

Remote | Authentication
Apr 01, 2026
8.7 HIGH
CVE-2026-34455 — Hi.Events: SQL Injection via Unvalidated sort_by Query Parameter in Multiple Repository C…

Hi.Events is an open-source event management and ticket selling platform. From version 0.8.0-beta.1 to before version 1.7.1-beta, multiple repository classes pass the user-supplied sort_by query para…

Remote | Injection
Apr 01, 2026
5.1 MEDIUM
CVE-2025-66442 — Mbed TLS and TF-PSA-Crypto RSA Timing Side Channel

In Mbed TLS through 4.0.0, there is a compiler-induced timing side channel (in RSA and CBC/ECB decryption) that only occurs with LLVM's select-optimize feature. TF-PSA-Crypto through 1.0.0 is also af…

Cryptography
Apr 01, 2026
0.0 NA
CVE-2026-34518 — AIOHTTP: Cookie and Proxy-Authorization headers leaked on cross-origin redirect

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, when following redirects to a different origin, aiohttp drops the Authorization header, but re…

Misconfiguration
Apr 01, 2026
Showing 20 of 6206 Results