Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
CVE Intelligence

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

All Critical Actively Exploited Remotely Exploitable
Last Updated Published CVSS Score
Score
Vulnerability
Published
5.4 MEDIUM
CVE-2026-34753 — vLLM affected by Server-Side Request Forgery (SSRF) in `download_bytes_from_url `

vLLM is an inference and serving engine for large language models (LLMs). From 0.16.0 to before 0.19.0, a server-side request forgery (SSRF) vulnerability in download_bytes_from_url allows any actor …

Remote | Server-Side Request Forgery
Apr 06, 2026 Apr 06, 2026
Apr 06, 2026
Apr 06, 2026
8.4 HIGH
CVE-2026-34589 — OpenEXR: DWA Lossy Decoder Heap Out-of-Bounds Write

OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From 3.2.0 to before 3.2.7, 3.3.9, and 3.4.9, the DWA …

| Memory Corruption
Apr 06, 2026 Apr 06, 2026
Apr 06, 2026
Apr 06, 2026
8.6 HIGH
CVE-2026-34588 — OpenEXR has a signed 32-bit Overflow in PIZ Decoder Leads to OOB Read/Write

OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From 3.1.0 to before 3.2.7, 3.3.9, and 3.4.9, internal…

| Memory Corruption
Apr 06, 2026 Apr 06, 2026
Apr 06, 2026
Apr 06, 2026
7.9 HIGH
CVE-2026-34444 — Lupa has a Sandbox escape and RCE due to incomplete attribute_filter enforcement in getat…

Lupa integrates the runtimes of Lua or LuaJIT2 into CPython. In 2.6 and earlier, attribute_filter is not consistently applied when attributes are accessed through built-in functions like getattr and …

Remote | Authentication
Apr 06, 2026 Apr 06, 2026
Apr 06, 2026
Apr 06, 2026
8.1 HIGH
CVE-2026-34402 — Time Based Blind SQL Injection via Property Value in ChurchCRM

ChurchCRM is an open-source church management system. Prior to 7.1.0, authenticated users with Edit Records or Manage Groups permissions can exploit a time-based blind SQL injection vulnerability in …

Remote | Injection
Apr 06, 2026 Apr 06, 2026
Apr 06, 2026
Apr 06, 2026
5.9 MEDIUM
CVE-2026-34380 — OpenEXR has a signed integer overflow (undefined behavior) in undo_pxr24_impl may allow b…

OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From 3.2.0 to before 3.2.7, 3.3.9, and 3.4.9, a signed…

Remote | Memory Corruption
Apr 06, 2026 Apr 06, 2026
Apr 06, 2026
Apr 06, 2026
7.1 HIGH
CVE-2026-34379 — OpenEXR has a misaligned write in LossyDctDecoder_execute leading to undefined behavior (…

OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From 3.2.0 to before 3.2.7, 3.3.9, and 3.4.9, a misali…

Remote | Memory Corruption
Apr 06, 2026 Apr 06, 2026
Apr 06, 2026
Apr 06, 2026
6.5 MEDIUM
CVE-2026-34378 — OpenEXR has a signed integer overflow in generic_unpack() when parsing EXR files with cra…

OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From 3.4.0 to before 3.4.9, a missing bounds check on …

Remote | Memory Corruption
Apr 06, 2026 Apr 06, 2026
Apr 06, 2026
Apr 06, 2026
6.9 MEDIUM
CVE-2026-34217 — SandboxJS has a Sandbox Escape via Prop Object Leak in New Handler

SandboxJS is a JavaScript sandboxing library. Prior to 0.8.36, a scope modification vulnerability exists in @nyariv/sandboxjs. The vulnerability allows untrusted sandboxed code to leak internal inter…

Remote | Information Disclosure
Apr 06, 2026 Apr 06, 2026
Apr 06, 2026
Apr 06, 2026
6.9 MEDIUM
CVE-2026-34211 — SandboxJS: Stack overflow DoS via deeply nested expressions in recursive descent parser

SandboxJS is a JavaScript sandboxing library. Prior to 0.8.36, the @nyariv/sandboxjs parser contains unbounded recursion in the restOfExp function and the lispify/lispifyExpr call chain. An attacker …

Remote | Denial of Service
Apr 06, 2026 Apr 06, 2026
Apr 06, 2026
Apr 06, 2026
10.0 CRITICAL
CVE-2026-34208 — SandboxJS: Sandbox integrity escape

SandboxJS is a JavaScript sandboxing library. Prior to 0.8.36, SandboxJS blocks direct assignment to global objects (for example Math.random = ...), but this protection can be bypassed through an exp…

Remote | Misconfiguration
Apr 06, 2026 Apr 06, 2026
Apr 06, 2026
Apr 06, 2026
7.5 HIGH
CVE-2026-34148 — Fedify affected by resource exhaustion caused by unbounded redirect following during remo…

Fedify is a TypeScript library for building federated server apps powered by ActivityPub. Prior to 1.9.6, 1.10.5, 2.0.8, and 2.1.1, @fedify/fedify follows HTTP redirects recursively in its remote doc…

Remote | Misconfiguration
Apr 06, 2026 Apr 06, 2026
Apr 06, 2026
Apr 06, 2026
8.6 HIGH
CVE-2026-33752 — Redirect-based SSRF leading to internal network access in curl_cffi (with TLS impersonati…

curl_cffi is the a Python binding for curl. Prior to 0.15.0, curl_cffi does not restrict requests to internal IP ranges, and follows redirects automatically via the underlying libcurl. Because of thi…

Remote | Server-Side Request Forgery
Apr 06, 2026 Apr 06, 2026
Apr 06, 2026
Apr 06, 2026
6.4 MEDIUM
CVE-2026-33727 — Pi-hole has a Local Privilege Escalation (post-compromise, pihole -> root).

Pi-hole is a Linux network-level advertisement and Internet tracker blocking application. Version 6.4 has a local privilege-escalation vulnerability allows code execution as root from the low-privile…

| Authentication
Apr 06, 2026 Apr 06, 2026
Apr 06, 2026
Apr 06, 2026
3.1 LOW
CVE-2026-33405 — Pi-hole has a Stored HTML Injection in queries.js

Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. From 6.0 to before 6.5, the formatInfo() function in queries.js renders …

| Cross-Site Scripting
Apr 06, 2026 Apr 06, 2026
Apr 06, 2026
Apr 06, 2026
0.0 NA
CVE-2026-31354 — Feehi CMS Cross-Site Scripting (XSS) Vulnerability

Multiple authenticated stored cross-site scripting (XSS) vulnerabilities in the Permissions module of Feehi CMS v2.1.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafte…

| Cross-Site Scripting
Apr 06, 2026 Apr 06, 2026
Apr 06, 2026
Apr 06, 2026
0.0 NA
CVE-2026-31353 — Feehi CMS Stored XSS Vulnerability

An authenticated stored cross-site scripting (XSS) vulnerability in the Category module of Feehi CMS v2.1.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload i…

| Cross-Site Scripting
Apr 06, 2026 Apr 06, 2026
Apr 06, 2026
Apr 06, 2026
0.0 NA
CVE-2026-31352 — Feehi CMS Cross-Site Scripting

An authenticated stored cross-site scripting (XSS) vulnerability in the Role Management module of Feehi CMS v2.1.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted pa…

| Cross-Site Scripting
Apr 06, 2026 Apr 06, 2026
Apr 06, 2026
Apr 06, 2026
0.0 NA
CVE-2026-31351 — Feehi CMS Stored Cross-Site Scripting (XSS)

An authenticated stored cross-site scripting (XSS) vulnerability in the creation/editing module of Feehi CMS v2.1.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted p…

| Cross-Site Scripting
Apr 06, 2026 Apr 06, 2026
Apr 06, 2026
Apr 06, 2026
0.0 NA
CVE-2026-31350 — Feehi CMS Stored Cross-Site Scripting Vulnerability

An authenticated stored cross-site scripting (XSS) vulnerability in Feehi CMS v2.1.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Page Sign param…

| Cross-Site Scripting
Apr 06, 2026 Apr 06, 2026
Apr 06, 2026
Apr 06, 2026
Showing 20 of 5960 Results