Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
CVE Intelligence

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

All Critical Actively Exploited Remotely Exploitable
Last Updated Published CVSS Score
Score
Vulnerability
Published
9.0 HIGH
CVE-2026-5350 — Trendnet TEW-657BRM setup.cgi update_pcdb stack-based overflow

A security flaw has been discovered in Trendnet TEW-657BRM 1.00.1. The impacted element is the function update_pcdb of the file /setup.cgi. The manipulation of the argument mac_pc_dba results in stac…

tew-657brm_firmware | Remote | Memory Corruption
Apr 02, 2026 Apr 02, 2026
Apr 02, 2026
Apr 02, 2026
9.0 HIGH
CVE-2026-5349 — Trendnet TEW-657BRM setup.cgi add_apcdb stack-based overflow

A vulnerability was identified in Trendnet TEW-657BRM 1.00.1. The affected element is the function add_apcdb of the file /setup.cgi. The manipulation of the argument mac_pc_dba leads to stack-based b…

tew-657brm_firmware | Remote | Memory Corruption
Apr 02, 2026 Apr 02, 2026
Apr 02, 2026
Apr 02, 2026
7.5 HIGH
CVE-2026-34876 — Mbed TLS CCM API Out-of-Bounds Read Vulnerability

An issue was discovered in Mbed TLS 3.x before 3.6.6. An out-of-bounds read vulnerability in mbedtls_ccm_finish() in library/ccm.c allows attackers to obtain adjacent CCM context data via invocation …

Remote | Memory Corruption
Apr 02, 2026 Apr 02, 2026
Apr 02, 2026
Apr 02, 2026
9.8 CRITICAL
CVE-2026-33746 — Convoy: JWT Signature Verification Bypass Allows Authentication as Arbitrary Users

Convoy is a KVM server management panel for hosting businesses. From version 3.9.0-beta to before version 4.5.1, the JWTService::decode() method did not verify the cryptographic signature of JWT toke…

Remote | Authentication
Apr 02, 2026 Apr 02, 2026
Apr 02, 2026
Apr 02, 2026
6.8 MEDIUM
CVE-2026-33691 — OWASP CRS: Whitespace padding in filenames bypasses file upload extension checks

The OWASP core rule set (CRS) is a set of generic attack detection rules for use with compatible web application firewalls. Prior to versions 3.3.9 and 4.25.0, a bypass was identified in OWASP CRS th…

Remote | Misconfiguration
Apr 02, 2026 Apr 02, 2026
Apr 02, 2026
Apr 02, 2026
7.5 HIGH
CVE-2026-30332 — Balena Etcher Windows TOCTOU Race Condition Privilege Escalation

A Time-of-Check to Time-of-Use (TOCTOU) race condition vulnerability in Balena Etcher for Windows prior to v2.1.4 allows attackers to escalate privileges and execute arbitrary code via replacing a le…

| Race Condition
Apr 02, 2026 Apr 02, 2026
Apr 02, 2026
Apr 02, 2026
7.5 HIGH
CVE-2026-5346 — huimeicloud hm_editor image-to-base64 Endpoint mcp-server.js client.get server-side reque…

A vulnerability was determined in huimeicloud hm_editor up to 2.2.3. Impacted is the function client.get of the file src/mcp-server.js of the component image-to-base64 Endpoint. Executing a manipulat…

Remote | Server-Side Request Forgery
Apr 02, 2026 Apr 02, 2026
Apr 02, 2026
Apr 02, 2026
6.5 MEDIUM
CVE-2026-5344 — Textpattern XML-RPC TXP_RPCServer.php mt_uploadImage path traversal

A security vulnerability has been detected in Textpattern up to 4.9.1. Affected by this vulnerability is the function mt_uploadImage of the file rpc/TXP_RPCServer.php of the component XML-RPC Handler…

textpattern | Remote | Path Traversal
Apr 02, 2026 Apr 02, 2026
Apr 02, 2026
Apr 02, 2026
5.5 MEDIUM
CVE-2026-5342 — LibRaw TIFF/NEF decoders_libraw.cpp nikon_load_padded_packed_raw out-of-bounds

A flaw has been found in LibRaw up to 0.22.0. This affects the function LibRaw::nikon_load_padded_packed_raw of the file src/decoders/decoders_libraw.cpp of the component TIFF/NEF. Executing a manipu…

libraw | Remote | Memory Corruption
Apr 02, 2026 Apr 02, 2026
Apr 02, 2026
Apr 02, 2026
5.8 MEDIUM
CVE-2026-5339 — Tenda G103 Setting gpon.lua action_set_net_settings command injection

A vulnerability was detected in Tenda G103 1.0.0.5. The impacted element is the function action_set_net_settings of the file gpon.lua of the component Setting Handler. Performing a manipulation of th…

g103_firmware | Remote | Injection
Apr 02, 2026 Apr 02, 2026
Apr 02, 2026
Apr 02, 2026
9.3 CRITICAL
CVE-2026-35002 — Agno < 2.3.24 field_type Eval Injection Arbitrary Code Execution

Agno versions prior to 2.3.24 contain an arbitrary code execution vulnerability in the model execution component that allows attackers to execute arbitrary Python code by manipulating the field_type …

Remote | Injection
Apr 02, 2026 Apr 02, 2026
Apr 02, 2026
Apr 02, 2026
5.4 MEDIUM
CVE-2026-34974 — phpMyFAQ: SVG Sanitizer Bypass via HTML Entity Encoding leads to Stored XSS and Privilege…

phpMyFAQ is an open source FAQ web application. Prior to version 4.1.1, the regex-based SVG sanitizer in phpMyFAQ (SvgSanitizer.php) can be bypassed using HTML entity encoding in javascript: URLs wit…

phpmyfaq | Remote | Cross-Site Scripting
Apr 02, 2026 Apr 02, 2026
Apr 02, 2026
Apr 02, 2026
6.9 MEDIUM
CVE-2026-34973 — phpMyFAQ has a LIKE Wildcard Injection in Search.php — Unescaped % and _ Metacharacters E…

phpMyFAQ is an open source FAQ web application. Prior to version 4.1.1, the searchCustomPages() method in phpmyfaq/src/phpMyFAQ/Search.php uses real_escape_string() (via escape()) to sanitize the sea…

phpmyfaq | Remote | Injection
Apr 02, 2026 Apr 02, 2026
Apr 02, 2026
Apr 02, 2026
6.4 MEDIUM
CVE-2026-34823 — Endian Firewall /manage/password/web/ remark Stored Cross-Site Scripting

Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the remark parameter to /manage/password/web/. An authenticated attacker can inject arbitrary JavaScript that is s…

firewall | Remote | Cross-Site Scripting
Apr 02, 2026 Apr 02, 2026
Apr 02, 2026
Apr 02, 2026
6.4 MEDIUM
CVE-2026-34822 — Endian Firewall /manage/ca/certificate/ new_cert_name Stored Cross-Site Scripting

Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the new_cert_name parameter to /manage/ca/certificate/. An authenticated attacker can inject arbitrary JavaScript …

firewall | Remote | Cross-Site Scripting
Apr 02, 2026 Apr 02, 2026
Apr 02, 2026
Apr 02, 2026
6.4 MEDIUM
CVE-2026-34821 — Endian Firewall /manage/vpnauthentication/user/ remark Stored Cross-Site Scripting

Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the remark parameter to /manage/vpnauthentication/user/. An authenticated attacker can inject arbitrary JavaScript…

firewall | Remote | Cross-Site Scripting
Apr 02, 2026 Apr 02, 2026
Apr 02, 2026
Apr 02, 2026
6.4 MEDIUM
CVE-2026-34820 — Endian Firewall /manage/ipsec/ remark Stored Cross-Site Scripting

Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the remark parameter to /manage/ipsec/. An authenticated attacker can inject arbitrary JavaScript that is stored a…

firewall | Remote | Cross-Site Scripting
Apr 02, 2026 Apr 02, 2026
Apr 02, 2026
Apr 02, 2026
6.4 MEDIUM
CVE-2026-34819 — Endian Firewall /cgi-bin/openvpnclient.cgi REMARK Stored Cross-Site Scripting

Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the REMARK parameter to /cgi-bin/openvpnclient.cgi. An authenticated attacker can inject arbitrary JavaScript that…

firewall | Remote | Cross-Site Scripting
Apr 02, 2026 Apr 02, 2026
Apr 02, 2026
Apr 02, 2026
6.4 MEDIUM
CVE-2026-34818 — Endian Firewall /manage/dnsmasq/localdomains/ remark Stored Cross-Site Scripting

Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the remark parameter to /manage/dnsmasq/localdomains/. An authenticated attacker can inject arbitrary JavaScript t…

firewall | Remote | Cross-Site Scripting
Apr 02, 2026 Apr 02, 2026
Apr 02, 2026
Apr 02, 2026
6.4 MEDIUM
CVE-2026-34817 — Endian Firewall /cgi-bin/smtprouting.cgi ADDRESS BCC Stored Cross-Site Scripting

Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the ADDRESS BCC parameter to /cgi-bin/smtprouting.cgi. An authenticated attacker can inject arbitrary JavaScript t…

firewall | Remote | Cross-Site Scripting
Apr 02, 2026 Apr 02, 2026
Apr 02, 2026
Apr 02, 2026
Showing 20 of 6381 Results