Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
CVE Intelligence

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

All Critical Actively Exploited Remotely Exploitable
Last Updated Published CVSS Score
Score
Vulnerability
Published
5.3 MEDIUM
CVE-2026-39348 — OrangeHRM is Missing Authorization Checks in AbstractFileController Subclasses Expose Job…

OrangeHRM is a comprehensive human resource management (HRM) system. From 5.0 to 5.8, OrangeHRM Open Source omits authorization on job specification and vacancy attachment download handlers, allowing…

Remote | Authorization
Apr 07, 2026 Apr 07, 2026
Apr 07, 2026
Apr 07, 2026
5.1 MEDIUM
CVE-2026-39347 — OrangeHRM's Self‑Appraisal Submission of Admin Users Can Be Modified After Completion

OrangeHRM is a comprehensive human resource management (HRM) system. From 5.0 to 5.8, OrangeHRM Open Source accepts changes to self-appraisal submissions for administrator users after those submissio…

Remote | Authorization
Apr 07, 2026 Apr 07, 2026
Apr 07, 2026
Apr 07, 2026
5.3 MEDIUM
CVE-2026-39346 — OrangeHRM has Improper Access Control Allowing Access to Disabled Modules via URL Encoding

OrangeHRM is a comprehensive human resource management (HRM) system. From 5.0 to 5.8, OrangeHRM Open Source allowed authenticated users to bypass disabled-module access controls via URL-encoded reque…

Remote | Authorization
Apr 07, 2026 Apr 07, 2026
Apr 07, 2026
Apr 07, 2026
4.6 MEDIUM
CVE-2026-39345 — OrangeHRM Affected by Arbitrary File Read via Path Traversal in Email Template Loader

OrangeHRM is a comprehensive human resource management (HRM) system. From 5.0 to 5.8, OrangeHRM Open Source fails to restrict email template file resolution to the intended plugins directory, allowin…

Remote | Path Traversal
Apr 07, 2026 Apr 07, 2026
Apr 07, 2026
Apr 07, 2026
6.9 MEDIUM
CVE-2026-22711 — Stored XSS through system messages in WikiLove

Improper neutralization of alternate XSS syntax vulnerability in The Wikimedia Foundation Mediawiki - Wikilove Extension allows Cross-Site Scripting (XSS).This issue affects Mediawiki - Wikilove Exte…

Remote | Cross-Site Scripting
Apr 07, 2026 Apr 07, 2026
Apr 07, 2026
Apr 07, 2026
0.0 NA
CVE-2025-71058 — Fortinet FortiDNS DNS Cache Poisoning

Dual DHCP DNS Server 8.01 improperly accepts and caches UDP DNS responses without validating that the response originates from a legitimate configured upstream DNS server. The implementation matches …

| Injection
Apr 07, 2026 Apr 07, 2026
Apr 07, 2026
Apr 07, 2026
8.1 HIGH
CVE-2026-39344 — Reflected XSS the login page through the 'username' parameter

ChurchCRM is an open-source church management system. Prior to 7.1.0, there is a Reflected Cross-Site Scripting (XSS) vulnerability on the login page, which is caused by the lack of sanitization or e…

Remote | Cross-Site Scripting
Apr 07, 2026 Apr 07, 2026
Apr 07, 2026
Apr 07, 2026
7.2 HIGH
CVE-2026-39343 — ChurchCRM has a SQL Injection in Event Type Editor (Admin)

ChurchCRM is an open-source church management system. Prior to 7.1.0, a SQL injection vulnerability exists in the EditEventTypes.php file, which is only accessible to administrators. The EN_tyid POST…

Remote | Injection
Apr 07, 2026 Apr 07, 2026
Apr 07, 2026
Apr 07, 2026
9.4 CRITICAL
CVE-2026-39342 — ChurchCRM has a SQL injection searchwhat parameter via QueryView.php

ChurchCRM is an open-source church management system. Prior to 7.1.0, the searchwhat parameter via QueryView.php with the QueryID=15 is vulnerable to a SQL injection. The authenticated user requires …

Remote | Injection
Apr 07, 2026 Apr 07, 2026
Apr 07, 2026
Apr 07, 2026
8.1 HIGH
CVE-2026-39341 — SQL injection in ChurchCRM.0

ChurchCRM is an open-source church management system. Prior to 7.1.0, The application is vulnerable to time-based SQL injection due to an improper input validation. Endpoint Reports/ConfirmReportEmai…

Remote | Injection
Apr 07, 2026 Apr 07, 2026
Apr 07, 2026
Apr 07, 2026
8.1 HIGH
CVE-2026-39340 — ChurchCRM has a SQL Injection in PropertyTypeEditor.php via Incorrect Sanitizer Substitut…

ChurchCRM is an open-source church management system. Prior to 7.1.0, a SQL injection vulnerability exists in PropertyTypeEditor.php, part of the administration functionality for managing property ty…

Remote | Injection
Apr 07, 2026 Apr 07, 2026
Apr 07, 2026
Apr 07, 2026
9.1 CRITICAL
CVE-2026-39339 — ChurchCRM has an API Authentication Bypass

ChurchCRM is an open-source church management system. Prior to 7.1.0, a critical authentication bypass vulnerability in ChurchCRM's API middleware (ChurchCRM/Slim/Middleware/AuthMiddleware.php) allo…

Remote | Authentication
Apr 07, 2026 Apr 07, 2026
Apr 07, 2026
Apr 07, 2026
8.6 HIGH
CVE-2026-39338 — ChurchCRM has Blind XSS via Global Search – Administrative Cookie Session Exfiltration

ChurchCRM is an open-source church management system. Prior to 7.1.0, a Blind Reflected Cross-Site Scripting vulnerability exists in the search parameter accepted by the ChurchCRM dashboard. The appl…

Remote | Cross-Site Scripting
Apr 07, 2026 Apr 07, 2026
Apr 07, 2026
Apr 07, 2026
10.0 CRITICAL
CVE-2026-39337 — ChurchCRM Affected by Unauthenticated RCE in Install Wizard

ChurchCRM is an open-source church management system. Prior to 7.1.0, critical pre-authentication remote code execution vulnerability in ChurchCRM's setup wizard allows unauthenticated attackers to i…

Remote | Injection
Apr 07, 2026 Apr 07, 2026
Apr 07, 2026
Apr 07, 2026
6.1 MEDIUM
CVE-2026-39336 — ChurchCRM has Stored XSS from unescaped config values in HTML attributes

ChurchCRM is an open-source church management system. Prior to 7.1.0, a stored cross-site scripting issue affects the Directory Reports form fields set from config, Person editor defaults rendered in…

Remote | Cross-Site Scripting
Apr 07, 2026 Apr 07, 2026
Apr 07, 2026
Apr 07, 2026
6.1 MEDIUM
CVE-2026-39335 — ChurchCRM has Stored XSS via Unescaped data-* Attributes in Group/Family Controls

ChurchCRM is an open-source church management system. Prior to 7.1.1, there is Stored XSS in group remove control and family editor state/country. This is primarily an admin-to-admin stored XSS path …

Remote | Cross-Site Scripting
Apr 07, 2026 Apr 07, 2026
Apr 07, 2026
Apr 07, 2026
8.8 HIGH
CVE-2026-39334 — ChurchCRM has a Blind SQL injection in SettingsIndividual.php

ChurchCRM is an open-source church management system. Prior to 7.1.0, an SQL injection vulnerability was found in the endpoint /SettingsIndividual.php in ChurchCRM 7.0.5. Authenticated users without …

Remote | Injection
Apr 07, 2026 Apr 07, 2026
Apr 07, 2026
Apr 07, 2026
8.7 HIGH
CVE-2026-39333 — ChurchCRM has Reflected XSS in DateStart/DateEnd parameters in FindFundRaiser.php

ChurchCRM is an open-source church management system. Prior to 7.1.0, he FindFundRaiser.php endpoint reflects user-supplied input (DateStart and DateEnd) into HTML input field attributes without prop…

Remote | Cross-Site Scripting
Apr 07, 2026 Apr 07, 2026
Apr 07, 2026
Apr 07, 2026
8.7 HIGH
CVE-2026-39332 — ChurchCRM has Reflected Cross-Site Scripting (XSS) in GeoPage.php

ChurchCRM is an open-source church management system. Prior to 7.1.0, a reflected Cross-Site Scripting (XSS) vulnerability in GeoPage.php allows any authenticated user to inject arbitrary JavaScript …

Remote | Cross-Site Scripting
Apr 07, 2026 Apr 07, 2026
Apr 07, 2026
Apr 07, 2026
8.1 HIGH
CVE-2026-39331 — ChurchCRM has an API Authorization Bypass Allows Authenticated User to Deactivate, Modify…

ChurchCRM is an open-source church management system. Prior to 7.1.0, an authenticated API user can modify any family record's state without proper authorization by simply changing the {familyId} par…

Remote | Authorization
Apr 07, 2026 Apr 07, 2026
Apr 07, 2026
Apr 07, 2026
Showing 20 of 6206 Results