Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
CVE Intelligence

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

All Critical Actively Exploited Remotely Exploitable
Last Updated Published CVSS Score
Score
Vulnerability
Published
0.0 NA
CVE-2026-33544 — Tinyauth has OAuth account confusion via shared mutable state on singleton service instan…

Tinyauth is an authentication and authorization server. Prior to version 5.0.5, all three OAuth service implementations (GenericOAuthService, GithubOAuthService, GoogleOAuthService) store PKCE verifi…

| Race Condition
Apr 02, 2026 Apr 02, 2026
Apr 02, 2026
Apr 02, 2026
0.0 NA
CVE-2026-5346 — huimeicloud hm_editor image-to-base64 Endpoint mcp-server.js client.get server-side reque…

A vulnerability was determined in huimeicloud hm_editor up to 2.2.3. Impacted is the function client.get of the file src/mcp-server.js of the component image-to-base64 Endpoint. Executing a manipulat…

| Server-Side Request Forgery
Apr 02, 2026 Apr 02, 2026
Apr 02, 2026
Apr 02, 2026
0.0 NA
CVE-2026-33641 — Glances Vulnerable to Command Injection via Dynamic Configuration Values

Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.3, Glances supports dynamic configuration values in which substrings enclosed in backticks are executed as system…

| Injection
Apr 02, 2026 Apr 02, 2026
Apr 02, 2026
Apr 02, 2026
0.0 NA
CVE-2026-33533 — Glances Vulnerable to Cross-Origin System Information Disclosure via XML-RPC Server CORS …

Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.3, the Glances XML-RPC server (activated with glances -s or glances --server) sends Access-Control-Allow-Origin: …

| Information Disclosure
Apr 02, 2026 Apr 02, 2026
Apr 02, 2026
Apr 02, 2026
0.0 NA
CVE-2026-32871 — FastMCP OpenAPI Provider has an SSRF & Path Traversal Vulnerability

FastMCP is a Pythonic way to build MCP servers and clients. Prior to version 3.2.0, the OpenAPIProvider in FastMCP exposes internal APIs to MCP clients by parsing OpenAPI specifications. The RequestD…

| Path Traversal
Apr 02, 2026 Apr 02, 2026
Apr 02, 2026
Apr 02, 2026
0.0 NA
CVE-2026-34974 — phpMyFAQ: SVG Sanitizer Bypass via HTML Entity Encoding leads to Stored XSS and Privilege…

phpMyFAQ is an open source FAQ web application. Prior to version 4.1.1, the regex-based SVG sanitizer in phpMyFAQ (SvgSanitizer.php) can be bypassed using HTML entity encoding in javascript: URLs wit…

| Cross-Site Scripting
Apr 02, 2026 Apr 02, 2026
Apr 02, 2026
Apr 02, 2026
0.0 NA
CVE-2026-34973 — phpMyFAQ has a LIKE Wildcard Injection in Search.php — Unescaped % and _ Metacharacters E…

phpMyFAQ is an open source FAQ web application. Prior to version 4.1.1, the searchCustomPages() method in phpmyfaq/src/phpMyFAQ/Search.php uses real_escape_string() (via escape()) to sanitize the sea…

| Injection
Apr 02, 2026 Apr 02, 2026
Apr 02, 2026
Apr 02, 2026
0.0 NA
CVE-2026-34729 — phpMyFAQ: Stored XSS via Regex Bypass in Filter::removeAttributes()

phpMyFAQ is an open source FAQ web application. Prior to version 4.1.1, there is a stored XSS vulnerability via Regex Bypass in Filter::removeAttributes(). This issue has been patched in version 4.1.…

| Cross-Site Scripting
Apr 02, 2026 Apr 02, 2026
Apr 02, 2026
Apr 02, 2026
6.4 MEDIUM
CVE-2026-34823 — Endian Firewall /manage/password/web/ remark Stored Cross-Site Scripting

Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the remark parameter to /manage/password/web/. An authenticated attacker can inject arbitrary JavaScript that is s…

Remote | Cross-Site Scripting
Apr 02, 2026 Apr 02, 2026
Apr 02, 2026
Apr 02, 2026
6.4 MEDIUM
CVE-2026-34822 — Endian Firewall /manage/ca/certificate/ new_cert_name Stored Cross-Site Scripting

Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the new_cert_name parameter to /manage/ca/certificate/. An authenticated attacker can inject arbitrary JavaScript …

Remote | Cross-Site Scripting
Apr 02, 2026 Apr 02, 2026
Apr 02, 2026
Apr 02, 2026
6.4 MEDIUM
CVE-2026-34821 — Endian Firewall /manage/vpnauthentication/user/ remark Stored Cross-Site Scripting

Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the remark parameter to /manage/vpnauthentication/user/. An authenticated attacker can inject arbitrary JavaScript…

Remote | Cross-Site Scripting
Apr 02, 2026 Apr 02, 2026
Apr 02, 2026
Apr 02, 2026
6.4 MEDIUM
CVE-2026-34820 — Endian Firewall /manage/ipsec/ remark Stored Cross-Site Scripting

Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the remark parameter to /manage/ipsec/. An authenticated attacker can inject arbitrary JavaScript that is stored a…

Remote | Cross-Site Scripting
Apr 02, 2026 Apr 02, 2026
Apr 02, 2026
Apr 02, 2026
6.4 MEDIUM
CVE-2026-34819 — Endian Firewall /cgi-bin/openvpnclient.cgi REMARK Stored Cross-Site Scripting

Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the REMARK parameter to /cgi-bin/openvpnclient.cgi. An authenticated attacker can inject arbitrary JavaScript that…

Remote | Cross-Site Scripting
Apr 02, 2026 Apr 02, 2026
Apr 02, 2026
Apr 02, 2026
6.4 MEDIUM
CVE-2026-34818 — Endian Firewall /manage/dnsmasq/localdomains/ remark Stored Cross-Site Scripting

Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the remark parameter to /manage/dnsmasq/localdomains/. An authenticated attacker can inject arbitrary JavaScript t…

Remote | Cross-Site Scripting
Apr 02, 2026 Apr 02, 2026
Apr 02, 2026
Apr 02, 2026
6.4 MEDIUM
CVE-2026-34817 — Endian Firewall /cgi-bin/smtprouting.cgi ADDRESS BCC Stored Cross-Site Scripting

Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the ADDRESS BCC parameter to /cgi-bin/smtprouting.cgi. An authenticated attacker can inject arbitrary JavaScript t…

Remote | Cross-Site Scripting
Apr 02, 2026 Apr 02, 2026
Apr 02, 2026
Apr 02, 2026
6.4 MEDIUM
CVE-2026-34816 — Endian Firewall /manage/smtpscan/domainrouting/ domain Stored Cross-Site Scripting

Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the domain parameter to /manage/smtpscan/domainrouting/. An authenticated attacker can inject arbitrary JavaScript…

Remote | Cross-Site Scripting
Apr 02, 2026 Apr 02, 2026
Apr 02, 2026
Apr 02, 2026
6.4 MEDIUM
CVE-2026-34815 — Endian Firewall /cgi-bin/smtpdomains.cgi DOMAIN Stored Cross-Site Scripting

Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the DOMAIN parameter to /cgi-bin/smtpdomains.cgi. An authenticated attacker can inject arbitrary JavaScript that i…

Remote | Cross-Site Scripting
Apr 02, 2026 Apr 02, 2026
Apr 02, 2026
Apr 02, 2026
6.4 MEDIUM
CVE-2026-34814 — Endian Firewall /cgi-bin/proxygroup.cgi group Stored Cross-Site Scripting

Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the group parameter to /cgi-bin/proxygroup.cgi. An authenticated attacker can inject arbitrary JavaScript that is …

Remote | Cross-Site Scripting
Apr 02, 2026 Apr 02, 2026
Apr 02, 2026
Apr 02, 2026
6.4 MEDIUM
CVE-2026-34813 — Endian Firewall /cgi-bin/proxyuser.cgi user Stored Cross-Site Scripting

Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the user parameter to /cgi-bin/proxyuser.cgi. An authenticated attacker can inject arbitrary JavaScript that is st…

Remote | Cross-Site Scripting
Apr 02, 2026 Apr 02, 2026
Apr 02, 2026
Apr 02, 2026
6.4 MEDIUM
CVE-2026-34812 — Endian Firewall /cgi-bin/proxypolicy.cgi mimetypes Stored Cross-Site Scripting

Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the mimetypes parameter to /cgi-bin/proxypolicy.cgi. An authenticated attacker can inject arbitrary JavaScript tha…

Remote | Cross-Site Scripting
Apr 02, 2026 Apr 02, 2026
Apr 02, 2026
Apr 02, 2026
Showing 20 of 6327 Results