Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
CVE Intelligence

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

All Critical Actively Exploited Remotely Exploitable
Last Updated Published CVSS Score
Score
Vulnerability
Published
0.0 NA
CVE-2026-33415 — Discourse: Improper Access Control in discourse-ai Allows Unauthorized Category Content E…

Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, an authenticated moderat…

| Authorization
Mar 31, 2026 Mar 31, 2026
Mar 31, 2026
Mar 31, 2026
0.0 NA
CVE-2026-33300 — Discourse: Hidden group names and access metadata are exposed to moderators through the `…

Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, an authorization bypass …

| Authorization
Mar 31, 2026 Mar 31, 2026
Mar 31, 2026
Mar 31, 2026
0.0 NA
CVE-2026-33185 — Discourse: Group SMTP test endpoint susceptible to SSRF

Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, the group email settings…

| Server-Side Request Forgery
Mar 31, 2026 Mar 31, 2026
Mar 31, 2026
Mar 31, 2026
0.0 NA
CVE-2026-33074 — Discourse: Vulnerability in discourse-subscriptions plugin allowing users to self-grant t…

Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, a user may be able to pu…

| Authorization
Mar 31, 2026 Mar 31, 2026
Mar 31, 2026
Mar 31, 2026
0.0 NA
CVE-2026-32951 — Discourse: Authorization bypass in oneboxer via user-controlled category id

Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, an authenticated user ca…

| Information Disclosure
Mar 31, 2026 Mar 31, 2026
Mar 31, 2026
Mar 31, 2026
0.0 NA
CVE-2026-32620 — Discourse: Missing post-level authorization allows whisper metadata disclosure

Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, non-staff users could ac…

| Authorization
Mar 31, 2026 Mar 31, 2026
Mar 31, 2026
Mar 31, 2026
0.0 NA
CVE-2026-32619 — Discourse: Insufficient topic visibility check allows unauthorized poll manipulation in p…

Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, users who lost access to…

| Authorization
Mar 31, 2026 Mar 31, 2026
Mar 31, 2026
Mar 31, 2026
0.0 NA
CVE-2026-32618 — Discourse: Unauthorized channel membership inference via excluded_memberships_channel_id

Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, there is possible channe…

| Authorization
Mar 31, 2026 Mar 31, 2026
Mar 31, 2026
Mar 31, 2026
0.0 NA
CVE-2026-32615 — Discourse: Category group moderators can perform actions on topics in restricted categori…

Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, category group moderator…

| Authorization
Mar 31, 2026 Mar 31, 2026
Mar 31, 2026
Mar 31, 2026
0.0 NA
CVE-2026-32607 — Discourse: Stored XSS via unescaped assignee name

Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, when the hidden prioriti…

| Cross-Site Scripting
Mar 31, 2026 Mar 31, 2026
Mar 31, 2026
Mar 31, 2026
0.0 NA
CVE-2026-32273 — Discourse: XSS on category description update via API

Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, updating a category desc…

| Cross-Site Scripting
Mar 31, 2026 Mar 31, 2026
Mar 31, 2026
Mar 31, 2026
0.0 NA
CVE-2026-32243 — Discourse: Stored XSS in discourse-ai shared conversations onebox

Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, an attacker with the abi…

| Cross-Site Scripting
Mar 31, 2026 Mar 31, 2026
Mar 31, 2026
Mar 31, 2026
0.0 NA
CVE-2026-32113 — Discourse: Open redirect via `sso_destination_url` cookie in `enter`

Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, the enter action in Stat…

| Server-Side Request Forgery
Mar 31, 2026 Mar 31, 2026
Mar 31, 2026
Mar 31, 2026
0.0 NA
CVE-2026-32143 — Discourse: Admin-only report can be exported by moderators

Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, moderators could export …

| Authorization
Mar 31, 2026 Mar 31, 2026
Mar 31, 2026
Mar 31, 2026
0.0 NA
CVE-2026-33073 — discourse-subscriptions plugin leaking stripe API key in multisite environment

Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, the discourse-subscripti…

| Information Disclosure
Mar 31, 2026 Mar 31, 2026
Mar 31, 2026
Mar 31, 2026
0.0 NA
CVE-2026-5206 — code-projects Simple Gym Management System Payment sql injection

A security vulnerability has been detected in code-projects Simple Gym Management System 1.0. This vulnerability affects unknown code of the component Payment Handler. The manipulation of the argumen…

| Injection
Mar 31, 2026 Mar 31, 2026
Mar 31, 2026
Mar 31, 2026
8.6 HIGH
CVE-2026-2123 — Privilege escalation vulnerability in Operations Agent

A security audit identified a privilege escalation vulnerability in Operations Agent(<=OA 12.29) on Windows. Under specific conditions Operations Agent may run executables from specific writeable loc…

| Authorization
Mar 31, 2026 Mar 31, 2026
Mar 31, 2026
Mar 31, 2026
6.5 MEDIUM
CVE-2026-5205 — chatwoot Webhook API trigger.rb Trigger server-side request forgery

A vulnerability was identified in chatwoot up to 4.11.2. Affected by this vulnerability is the function Webhooks::Trigger in the library lib/webhooks/trigger.rb of the component Webhook API. Such man…

Remote | Server-Side Request Forgery
Mar 31, 2026 Mar 31, 2026
Mar 31, 2026
Mar 31, 2026
9.3 CRITICAL
CVE-2026-34361 — HAPI FHIR: Unauthenticated SSRF via /loadIG Chains with startsWith() Credential Leak for …

HAPI FHIR is a complete implementation of the HL7 FHIR standard for healthcare interoperability in Java. Prior to version 6.9.4, the FHIR Validator HTTP service exposes an unauthenticated "/loadIG" e…

Remote | Server-Side Request Forgery
Mar 31, 2026 Mar 31, 2026
Mar 31, 2026
Mar 31, 2026
5.8 MEDIUM
CVE-2026-34360 — HAPI FHIR: Unauthenticated Blind SSRF via /loadIG Endpoint Enables Internal Network Probi…

HAPI FHIR is a complete implementation of the HL7 FHIR standard for healthcare interoperability in Java. Prior to version 6.9.4, the /loadIG HTTP endpoint in the FHIR Validator HTTP service accepts a…

Remote | Server-Side Request Forgery
Mar 31, 2026 Mar 31, 2026
Mar 31, 2026
Mar 31, 2026
Showing 20 of 6140 Results