Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
CVE Intelligence

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

All Critical Actively Exploited Remotely Exploitable
Last Updated Published CVSS Score
Score
Vulnerability
Published
8.1 HIGH
CVE-2026-33938 — Handlebars.js has JavaScript Injection via AST Type Confusion by tampering @partial-block

Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, the `@partial-block` special variable is stored in the template data context and is rea…

Remote | Injection
Mar 27, 2026 Mar 27, 2026
Mar 27, 2026
Mar 27, 2026
9.8 CRITICAL
CVE-2026-33937 — Handlebars.js has JavaScript Injection via AST Type Confusion

Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, `Handlebars.compile()` accepts a pre-parsed AST object in addition to a template string…

Remote | Injection
Mar 27, 2026 Mar 27, 2026
Mar 27, 2026
Mar 27, 2026
4.7 MEDIUM
CVE-2026-33916 — Handlebars.js has Prototype Pollution Leading to XSS through Partial Template Injection

Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, `resolvePartial()` in the Handlebars runtime resolves partial names via a plain propert…

Remote | Cross-Site Scripting
Mar 27, 2026 Mar 27, 2026
Mar 27, 2026
Mar 27, 2026
6.5 MEDIUM
CVE-2026-33907 — Ella Core Panics during NAS Authentication Response/Failure with missing IEs

Ella Core is a 5G core designed for private networks. Versions prior to 1.7.0 panic when processing Authentication Response and Authentication Failure NAS message missing IEs. An attacker able to sen…

ella_core | Denial of Service
Mar 27, 2026 Mar 27, 2026
Mar 27, 2026
Mar 27, 2026
7.2 HIGH
CVE-2026-33906 — Ella Core has Privilege Escalation via Database Restore by NetworkManager role

Ella Core is a 5G core designed for private networks. Prior to version 1.7.0, the NetworkManager role was granted backup and restore permission. The restore endpoint accepted any valid SQLite file wi…

ella_core | Remote | Authorization
Mar 27, 2026 Mar 27, 2026
Mar 27, 2026
Mar 27, 2026
6.5 MEDIUM
CVE-2026-33904 — Ella Core has a Denial of Service via SCTP connection cleanup deadlock

Ella Core is a 5G core designed for private networks. Prior to version 1.7.0, a deadlock in the AMF's SCTP notification handler causes the entire AMF control plane to hang until the process is restar…

ella_core | Denial of Service
Mar 27, 2026 Mar 27, 2026
Mar 27, 2026
Mar 27, 2026
6.5 MEDIUM
CVE-2026-33903 — Ella Core panics when processing a crafted NGAP LocationReport message

Ella Core is a 5G core designed for private networks. Versions prior to 1.7.0 panic when processing a specially crafted NGAP LocationReport message. An attacker able to send crafted NGAP messages to …

ella_core | Denial of Service
Mar 27, 2026 Mar 27, 2026
Mar 27, 2026
Mar 27, 2026
7.4 HIGH
CVE-2026-33896 — Forge has a basicConstraints bypass in its certificate chain verification (RFC 5280 viola…

Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.4.0, `pki.verifyCertificateChain()` does not enforce RFC 5280 basicConstraint…

forge | Remote | Cryptography
Mar 27, 2026 Mar 27, 2026
Mar 27, 2026
Mar 27, 2026
7.5 HIGH
CVE-2026-33895 — Forge has signature forgery in Ed25519 due to missing S > L check

Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.4.0, Ed25519 signature verification accepts forged non-canonical signatures w…

forge | Remote | Cryptography
Mar 27, 2026 Mar 27, 2026
Mar 27, 2026
Mar 27, 2026
7.5 HIGH
CVE-2026-33894 — Forge has signature forgery in RSA-PKCS due to ASN.1 extra field

Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.4.0, RSASSA PKCS#1 v1.5 signature verification accepts forged signatures for …

forge | Remote | Cryptography
Mar 27, 2026 Mar 27, 2026
Mar 27, 2026
Mar 27, 2026
7.5 HIGH
CVE-2026-33891 — Forge has Denial of Service via Infinite Loop in BigInteger.modInverse() with Zero Input

Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.4.0, a Denial of Service (DoS) vulnerability exists in the node-forge library…

forge | Remote | Denial of Service
Mar 27, 2026 Mar 27, 2026
Mar 27, 2026
Mar 27, 2026
5.4 MEDIUM
CVE-2026-33887 — Statamic allows unauthorized content access through missing authorization in its revision…

Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.16 and 6.7.2, authenticated Control Panel users could view entry revisions for any collection with revisi…

statamic | Remote | Authorization
Mar 27, 2026 Mar 27, 2026
Mar 27, 2026
Mar 27, 2026
6.5 MEDIUM
CVE-2026-33886 — Statamic's sensitive configuration values are exposed to content editors via Antlers-enab…

Statamic is a Laravel and Git powered content management system (CMS). Starting in version 5.7.12 and prior to versions 5.73.16 and 6.7.2, a control panel user with access to Antlers-enabled fields c…

statamic | Remote | Information Disclosure
Mar 27, 2026 Mar 27, 2026
Mar 27, 2026
Mar 27, 2026
6.1 MEDIUM
CVE-2026-33885 — Statamic has an Open Redirect on unauthenticated endpoints via URL parsing differential

Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.16 and 6.7.2, the external URL detection used for redirect validation on unauthenticated endpoints could …

statamic | Remote | Server-Side Request Forgery
Mar 27, 2026 Mar 27, 2026
Mar 27, 2026
Mar 27, 2026
4.3 MEDIUM
CVE-2026-33884 — Statamic's live preview token bypasses content protection for unrelated entries

Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.16 and 6.7.2, an authenticated Control Panel user with access to live preview could use a live preview to…

statamic | Remote | Authorization
Mar 27, 2026 Mar 27, 2026
Mar 27, 2026
Mar 27, 2026
6.1 MEDIUM
CVE-2026-33883 — Statamic has Reflected XSS via unescaped redirect parameter in its password reset form tag

Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.16 and 6.7.2, the `user:reset_password_form` tag could render user-input directly into HTML without escap…

statamic | Remote | Cross-Site Scripting
Mar 27, 2026 Mar 27, 2026
Mar 27, 2026
Mar 27, 2026
6.5 MEDIUM
CVE-2026-33882 — Statamic's Markdown preview endpoint exposes sensitive user data

Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.16 and 6.7.2, the markdown preview endpoint could be manipulated to return augmented data from arbitrary …

statamic | Remote | Information Disclosure
Mar 27, 2026 Mar 27, 2026
Mar 27, 2026
Mar 27, 2026
7.3 HIGH
CVE-2026-33881 — Windmill: Rogue Workspace Admins can inject code via unescaped workspace environment vari…

Windmill is an open-source developer platform for internal code: APIs, background jobs, workflows and UIs. Workspace environment variable values are interpolated into JavaScript string literals witho…

Remote | Injection
Mar 27, 2026 Mar 27, 2026
Mar 27, 2026
Mar 27, 2026
2.7 LOW
CVE-2026-33879 — FLIP doesn't have rate limiting or brute-force protection on login

Federated Learning and Interoperability Platform (FLIP) is an open-source platform for federated training and evaluation of medical imaging AI models across healthcare institutions. The FLIP login pa…

Remote | Authentication
Mar 27, 2026 Mar 27, 2026
Mar 27, 2026
Mar 27, 2026
9.3 CRITICAL
CVE-2026-33875 — Authenticator Vulnerable to Authentication Flow Hijack

Gematik Authenticator securely authenticates users for login to digital health applications. Versions prior to 4.16.0 are vulnerable to authentication flow hijacking, potentially allowing attackers t…

Remote | Authentication
Mar 27, 2026 Mar 27, 2026
Mar 27, 2026
Mar 27, 2026
Showing 20 of 6046 Results