Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
CVE Intelligence

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

All Critical Actively Exploited Remotely Exploitable
Last Updated Published CVSS Score
Score
Vulnerability
Published
7.5 HIGH
CVE-2026-27942 — fast-xml-parser has stack overflow in XMLBuilder with preserveOrder

fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. Prior to version 5.3.8, the application crashes with s…

fast-xml-parser fast-xml-parser | Remote | Denial of Service
Feb 26, 2026 Mar 02, 2026
Feb 26, 2026
Mar 02, 2026
9.9 CRITICAL
CVE-2026-27941 — OpenLIT Vulnerable to Remote Code Execution and Secret Exposure via Misuse of `pull_reque…

OpenLIT is an open source platform for AI engineering. Prior to version 1.37.1, several GitHub Actions workflows in OpenLIT's GitHub repository use the `pull_request_target` event while checking out …

openlit_software_development_kit | Remote | Misconfiguration
Feb 26, 2026 Mar 06, 2026
Feb 26, 2026
Mar 06, 2026
7.7 HIGH
CVE-2026-27938 — WPGraphQL Repo Vulnerable to Command Injection via Unsanitized GitHub Actions Expression …

WPGraphQL provides a GraphQL API for WordPress sites. Prior to version 2.9.1, the `wp-graphql/wp-graphql` repository contains a GitHub Actions workflow (`release.yml`) vulnerable to OS command inject…

wpgraphql | Remote | Injection
Feb 26, 2026 Feb 27, 2026
Feb 26, 2026
Feb 27, 2026
7.5 HIGH
CVE-2026-27904 — minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expre…

minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4, nested `*()` extg…

minimatch | Remote | Denial of Service
Feb 26, 2026 Feb 27, 2026
Feb 26, 2026
Feb 27, 2026
7.5 HIGH
CVE-2026-27903 — minimatch has a ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GL…

minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.3, `matchOne()` perf…

minimatch | Remote | Denial of Service
Feb 26, 2026 Feb 27, 2026
Feb 26, 2026
Feb 27, 2026
5.4 MEDIUM
CVE-2026-27902 — Svelte Vulnerable to XSS via HTML Comment Injection in SSR Error Boundary Hydration Marke…

Svelte performance oriented web framework. Prior to version 5.53.5, errors from `transformError` were not correctly escaped prior to being embedded in the HTML output, causing potential HTML injectio…

svelte | Remote | Cross-Site Scripting
Feb 26, 2026 Mar 05, 2026
Feb 26, 2026
Mar 05, 2026
6.1 MEDIUM
CVE-2026-27901 — Svelte vulnerable to XSS during SSR with contenteditable `bind:innerText` and `bind:textC…

Svelte performance oriented web framework. Prior to version 5.53.5, the contents of `bind:innerText` and `bind:textContent` on `contenteditable` elements were not properly escaped. This could enable …

svelte | Remote | Cross-Site Scripting
Feb 26, 2026 Mar 05, 2026
Feb 26, 2026
Mar 05, 2026
7.7 HIGH
CVE-2026-27900 — Terraform Provider Debug Logs Vulnerable to Sensitive Information Exposure

The Terraform Provider for Linode versions prior to v3.9.0 logged sensitive information including some passwords, StackScript content, and object storage data in debug logs without redaction. Provide…

linode_provider | Remote | Information Disclosure
Feb 26, 2026 Mar 11, 2026
Feb 26, 2026
Mar 11, 2026
8.8 HIGH
CVE-2026-27899 — WireGuard Portal Vulnerable to Privilege Escalation to Admin via User Self-Update

WireGuard Portal (or wg-portal) is a web-based configuration portal for WireGuard server management. Prior to version 2.1.3, any authenticated non-admin user can become a full administrator by sendin…

wireguard_portal | Remote | Authorization
Feb 26, 2026 Mar 02, 2026
Feb 26, 2026
Mar 02, 2026
6.9 MEDIUM
CVE-2026-27887 — Spin has memory leaks in various WIT interfaces

Spin is an open source developer tool for building and running serverless applications powered by WebAssembly. When Spin is configured to allow connections to a database or web server which could ret…

Remote | Denial of Service
Feb 26, 2026 Feb 27, 2026
Feb 26, 2026
Feb 27, 2026
4.9 MEDIUM
CVE-2026-22728 — sealed-secrets /v1/rotate can widen sealing scope to cluster-wide via attacker-controlled…

Bitnami Sealed Secrets is vulnerable to a scope-widening attack during the secret rotation (/v1/rotate) flow. The rotation handler derives the sealing scope for the newly encrypted output from untrus…

Remote | Authorization
Feb 26, 2026 Feb 27, 2026
Feb 26, 2026
Feb 27, 2026
7.5 HIGH
CVE-2026-1557 — WP Responsive Images <= 1.0 - Unauthenticated Path Traversal to Arbitrary File Read via s…

The WP Responsive Images plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.0 via the 'src' parameter. This makes it possible for unauthenticated attackers t…

Remote | Path Traversal
Feb 26, 2026 Feb 27, 2026
Feb 26, 2026
Feb 27, 2026
Showing 20 of 6092 Results