Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
CVE Intelligence

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

All Critical Actively Exploited Remotely Exploitable
Last Updated Published CVSS Score
Score
Vulnerability
Published
6.5 MEDIUM
CVE-2026-34401 — XML Notepad: XML External Entity (XXE) Injection via Unsafe XmlTextReader in XML Diff and…

XML Notepad is a Windows program that provides a simple intuitive User Interface for browsing and editing XML documents. Prior to version 2.9.0.21, XML Notepad does not disable DTD processing by defa…

Remote | XML External Entity
Mar 31, 2026 Mar 31, 2026
Mar 31, 2026
Mar 31, 2026
6.9 MEDIUM
CVE-2026-34400 — alerta-server has potential SQL Injection vulnerability in Query String Syntax (q=) API

Alerta is a monitoring tool. Prior to version 9.1.0, the Query string search API (q=) was vulnerable to SQL injection via the Postgres query parser, which built WHERE clauses by interpolating user-su…

Remote | Injection
Mar 31, 2026 Mar 31, 2026
Mar 31, 2026
Mar 31, 2026
9.0 HIGH
CVE-2026-5213 — D-Link DNS-1550-04 account_mgr.cgi cgi_adduser_to_session stack-based overflow

A vulnerability was determined in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-72…

Remote | Memory Corruption
Mar 31, 2026 Mar 31, 2026
Mar 31, 2026
Mar 31, 2026
9.0 HIGH
CVE-2026-5212 — D-Link DNS-1550-04 webdav_mgr.cgi Webdav_Upload_File stack-based overflow

A vulnerability has been found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-72…

Remote | Memory Corruption
Mar 31, 2026 Mar 31, 2026
Mar 31, 2026
Mar 31, 2026
3.8 LOW
CVE-2026-3470 — SonicWall Email Security SQL Injection Vulnerability

A vulnerability exists in the SonicWall Email Security appliance due to improper input sanitization that may lead to data corruption, allowing a remote authenticated attacker as admin user could expl…

Remote | Injection
Mar 31, 2026 Mar 31, 2026
Mar 31, 2026
Mar 31, 2026
2.7 LOW
CVE-2026-3469 — SonicWall Email Security Denial-of-Service Vulnerability

A denial-of-service (DoS) vulnerability exists due to improper input validation in the SonicWall Email Security appliance, allowing a remote authenticated attacker as admin user to cause the applicat…

Remote | Denial of Service
Mar 31, 2026 Mar 31, 2026
Mar 31, 2026
Mar 31, 2026
4.8 MEDIUM
CVE-2026-3468 — SonicWall Email Security Stored XSS

A stored Cross-Site Scripting (XSS) vulnerability has been identified in the SonicWall Email Security appliance due to improper neutralization of user-supplied input during web page generation, allow…

Remote | Cross-Site Scripting
Mar 31, 2026 Mar 31, 2026
Mar 31, 2026
Mar 31, 2026
6.5 MEDIUM
CVE-2026-34740 — AVideo: Stored SSRF via Video EPG Link Missing isSSRFSafeURL() Validation

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the EPG (Electronic Program Guide) link feature in AVideo allows authenticated users with upload permissions to store arbitra…

Remote | Server-Side Request Forgery
Mar 31, 2026 Mar 31, 2026
Mar 31, 2026
Mar 31, 2026
6.1 MEDIUM
CVE-2026-34739 — AVideo: Reflected XSS via Unescaped ip Parameter in User_Location testIP.php

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the User_Location plugin's testIP.php page reflects the ip request parameter directly into an HTML input element without appl…

Remote | Cross-Site Scripting
Mar 31, 2026 Mar 31, 2026
Mar 31, 2026
Mar 31, 2026
4.3 MEDIUM
CVE-2026-34738 — AVideo: Video Publishing Workflow Bypass via Unauthorized overrideStatus Request Parameter

WWBN AVideo is an open source video platform. In versions 26.0 and prior, AVideo's video processing pipeline accepts an overrideStatus request parameter that allows any uploader to set a video's stat…

Remote | Authorization
Mar 31, 2026 Mar 31, 2026
Mar 31, 2026
Mar 31, 2026
6.5 MEDIUM
CVE-2026-34737 — AVideo: Arbitrary Stripe Subscription Cancellation via Debug Endpoint and retrieveSubscri…

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the StripeYPT plugin includes a test.php debug endpoint that is accessible to any logged-in user, not just administrators. Th…

Remote | Authorization
Mar 31, 2026 Mar 31, 2026
Mar 31, 2026
Mar 31, 2026
6.5 MEDIUM
CVE-2026-34733 — AVideo: Unauthenticated File Deletion via PHP Operator Precedence Bug in CLI Guard

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo installation script install/deleteSystemdPrivate.php contains a PHP operator precedence bug in its CLI-only access…

Remote | Misconfiguration
Mar 31, 2026 Mar 31, 2026
Mar 31, 2026
Mar 31, 2026
5.3 MEDIUM
CVE-2026-34732 — AVideo: Missing Authentication in CreatePlugin list.json.php Template Affects 21 Endpoints

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo CreatePlugin template for list.json.php does not include any authentication or authorization check. While the comp…

Remote | Authentication
Mar 31, 2026 Mar 31, 2026
Mar 31, 2026
Mar 31, 2026
7.5 HIGH
CVE-2026-34731 — AVideo: Unauthenticated Live Stream Termination via RTMP Callback on_publish_done.php

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo on_publish_done.php endpoint in the Live plugin allows unauthenticated users to terminate any active live stream. …

Remote | Denial of Service
Mar 31, 2026 Mar 31, 2026
Mar 31, 2026
Mar 31, 2026
6.4 MEDIUM
CVE-2026-34716 — AVideo: DOM XSS via Unsanitized Display Name in WebSocket Call Notification

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo YPTSocket plugin's caller feature renders incoming call notifications using the jQuery Toast Plugin, passing the c…

Remote | Cross-Site Scripting
Mar 31, 2026 Mar 31, 2026
Mar 31, 2026
Mar 31, 2026
6.5 MEDIUM
CVE-2026-34613 — AVideo: CSRF on Plugin Enable/Disable Endpoint Allows Disabling Security Plugins

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo endpoint objects/pluginSwitch.json.php allows administrators to enable or disable any installed plugin. The endpoi…

Remote | Cross-Site Request Forgery
Mar 31, 2026 Mar 31, 2026
Mar 31, 2026
Mar 31, 2026
6.5 MEDIUM
CVE-2026-34611 — AVideo: CSRF on emailAllUsers.json.php Enables Mass Phishing Email to All Users

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo endpoint objects/emailAllUsers.json.php allows administrators to send HTML emails to every registered user on the …

Remote | Cross-Site Request Forgery
Mar 31, 2026 Mar 31, 2026
Mar 31, 2026
Mar 31, 2026
6.5 MEDIUM
CVE-2026-34586 — PdfDing: Shared PDF Expiration, Max Views, and Deletion Bypass via Serve/Download Endpoin…

PdfDing is a selfhosted PDF manager, viewer and editor offering a seamless user experience on multiple devices. Prior to version 1.7.1, check_shared_access_allowed() validates only session existence …

Remote | Authorization
Mar 31, 2026 Mar 31, 2026
Mar 31, 2026
Mar 31, 2026
6.1 MEDIUM
CVE-2026-34396 — AVideo: Stored XSS via Unescaped Plugin Configuration Values in Admin Panel

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo admin panel renders plugin configuration values in HTML forms without applying htmlspecialchars() or any other out…

Remote | Cross-Site Scripting
Mar 31, 2026 Mar 31, 2026
Mar 31, 2026
Mar 31, 2026
6.5 MEDIUM
CVE-2026-34395 — AVideo: Mass User PII Disclosure via Missing Authorization in YPTWallet users.json.php

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the plugin/YPTWallet/view/users.json.php endpoint returns all platform users with their personal information and wallet balan…

Remote | Information Disclosure
Mar 31, 2026 Mar 31, 2026
Mar 31, 2026
Mar 31, 2026
Showing 20 of 6226 Results