Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
CVE Intelligence

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

All Critical Actively Exploited Remotely Exploitable
Last Updated Published CVSS Score
Score
Vulnerability
Published
6.1 MEDIUM
CVE-2026-34396 — AVideo: Stored XSS via Unescaped Plugin Configuration Values in Admin Panel

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo admin panel renders plugin configuration values in HTML forms without applying htmlspecialchars() or any other out…

Remote | Cross-Site Scripting
Mar 31, 2026 Mar 31, 2026
Mar 31, 2026
Mar 31, 2026
6.5 MEDIUM
CVE-2026-34395 — AVideo: Mass User PII Disclosure via Missing Authorization in YPTWallet users.json.php

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the plugin/YPTWallet/view/users.json.php endpoint returns all platform users with their personal information and wallet balan…

Remote | Information Disclosure
Mar 31, 2026 Mar 31, 2026
Mar 31, 2026
Mar 31, 2026
8.1 HIGH
CVE-2026-34394 — AVideo: CSRF on Admin Plugin Configuration Enables Payment Credential Hijacking

WWBN AVideo is an open source video platform. In versions 26.0 and prior, AVideo's admin plugin configuration endpoint (admin/save.json.php) lacks any CSRF token validation. There is no call to isGlo…

Remote | Cross-Site Request Forgery
Mar 31, 2026 Mar 31, 2026
Mar 31, 2026
Mar 31, 2026
4.5 MEDIUM
CVE-2026-34384 — Admidio: Missing CSRF Protection on Registration Approval Actions

Admidio is an open-source user management solution. Prior to version 5.0.8, the create_user, assign_member, and assign_user action modes in modules/registration.php approve pending user registrations…

Remote | Cross-Site Request Forgery
Mar 31, 2026 Mar 31, 2026
Mar 31, 2026
Mar 31, 2026
4.3 MEDIUM
CVE-2026-34383 — Admidio: CSRF and Form Validation Bypass in Inventory Item Save via `imported` Parameter

Admidio is an open-source user management solution. Prior to version 5.0.8, the inventory module's item_save endpoint accepts a user-controllable POST parameter imported that, when set to true, compl…

Remote | Cross-Site Request Forgery
Mar 31, 2026 Mar 31, 2026
Mar 31, 2026
Mar 31, 2026
4.6 MEDIUM
CVE-2026-34382 — Admidio: Missing CSRF Protection on Custom List Deletion in mylist_function.php

Admidio is an open-source user management solution. From version 5.0.0 to before version 5.0.8, the delete mode handler in mylist_function.php permanently deletes list configurations without validati…

Remote | Cross-Site Request Forgery
Mar 31, 2026 Mar 31, 2026
Mar 31, 2026
Mar 31, 2026
7.5 HIGH
CVE-2026-34381 — Admidio: Unauthenticated Access to Role-Restricted documents via neutralized .htaccess

Admidio is an open-source user management solution. From version 5.0.0 to before version 5.0.8, Admidio relies on adm_my_files/.htaccess to deny direct HTTP access to uploaded documents. The Docker i…

Remote | Misconfiguration
Mar 31, 2026 Mar 31, 2026
Mar 31, 2026
Mar 31, 2026
5.3 MEDIUM
CVE-2026-34372 — Sulu checks fix permissions for subentities endpoints

Sulu is an open-source PHP content management system based on the Symfony framework. From versions 1.0.0 to before 2.6.22, and 3.0.0 to before 3.0.5, a user which has permission for the Sulu Admin vi…

Remote | Authorization
Mar 31, 2026 Mar 31, 2026
Mar 31, 2026
Mar 31, 2026
7.6 HIGH
CVE-2026-34367 — InvoiceShelf: SSRF in Invoice PDF Rendering via Unsanitised HTML in Notes Field

InvoiceShelf is an open-source web & mobile app that helps track expenses, payments and create professional invoices and estimates. Prior to version 2.2.0, a Server-Side Request Forgery (SSRF) vulner…

Remote | Server-Side Request Forgery
Mar 31, 2026 Mar 31, 2026
Mar 31, 2026
Mar 31, 2026
7.6 HIGH
CVE-2026-34366 — InvoiceShelf: SSRF in Payment Receipt PDF Rendering via Unsanitised HTML in Notes Field

InvoiceShelf is an open-source web & mobile app that helps track expenses, payments and create professional invoices and estimates. Prior to version 2.2.0, a Server-Side Request Forgery (SSRF) vulner…

Remote | Server-Side Request Forgery
Mar 31, 2026 Mar 31, 2026
Mar 31, 2026
Mar 31, 2026
9.8 CRITICAL
CVE-2026-1579 — PX4 Autopilot Missing authentication for critical function

The MAVLink communication protocol does not require cryptographic authentication by default. When MAVLink 2.0 message signing is not enabled, any message -- including SERIAL_CONTROL, which provides…

Remote | Authentication
Mar 31, 2026 Mar 31, 2026
Mar 31, 2026
Mar 31, 2026
0.0 NA
CVE-2026-34405 — Nuxt OG Image vulnerable to reflected XSS via query parameter injection into HTML attribu…

Nuxt OG Image generates OG Images with Vue templates in Nuxt. Prior to version 6.2.5, the image‑generation component by the URI: /_og/d/ (and, in older versions, /og-image/) contains a vulnerability …

| Injection
Mar 31, 2026 Mar 31, 2026
Mar 31, 2026
Mar 31, 2026
0.0 NA
CVE-2026-34404 — Nuxt OG Image vulnerable to DoS via image generation

Nuxt OG Image generates OG Images with Vue templates in Nuxt. Prior to version 6.2.5, the image‑generation component by the URI: /_og/d/ (and, in older versions, /og-image/) contains a Denial of Serv…

| Denial of Service
Mar 31, 2026 Mar 31, 2026
Mar 31, 2026
Mar 31, 2026
0.0 NA
CVE-2026-5215 — D-Link DNS-1550-04 network_mgr.cgi cgi_get_ipv6 access control

A vulnerability was identified in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-72…

| Authentication
Mar 31, 2026 Mar 31, 2026
Mar 31, 2026
Mar 31, 2026
0.0 NA
CVE-2026-5214 — D-Link DNS-1550-04 account_mgr.cgi cgi_addgroup_get_group_quota_minsize stack-based overf…

A vulnerability was found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, …

| Memory Corruption
Mar 31, 2026 Mar 31, 2026
Mar 31, 2026
Mar 31, 2026
0.0 NA
CVE-2026-34401 — XML Notepad: XML External Entity (XXE) Injection via Unsafe XmlTextReader in XML Diff and…

XML Notepad is a Windows program that provides a simple intuitive User Interface for browsing and editing XML documents. Prior to version 2.9.0.21, XML Notepad does not disable DTD processing by defa…

| XML External Entity
Mar 31, 2026 Mar 31, 2026
Mar 31, 2026
Mar 31, 2026
0.0 NA
CVE-2026-34400 — alerta-server has potential SQL Injection vulnerability in Query String Syntax (q=) API

Alerta is a monitoring tool. Prior to version 9.1.0, the Query string search API (q=) was vulnerable to SQL injection via the Postgres query parser, which built WHERE clauses by interpolating user-su…

| Injection
Mar 31, 2026 Mar 31, 2026
Mar 31, 2026
Mar 31, 2026
9.0 HIGH
CVE-2026-5211 — D-Link DNS-1550-04 app_mgr.cgi UPnP_AV_Server_Path_Del stack-based overflow

A flaw has been found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-…

Remote | Memory Corruption
Mar 31, 2026 Mar 31, 2026
Mar 31, 2026
Mar 31, 2026
8.1 HIGH
CVE-2026-4800 — lodash vulnerable to Code Injection via `_.template` imports key names

Impact: The fix for CVE-2021-23337 (https://github.com/advisories/GHSA-35jh-r3h4-6jhm) added validation for the variable option in _.template but did not apply the same validation to options.imports…

| Injection
Mar 31, 2026 Mar 31, 2026
Mar 31, 2026
Mar 31, 2026
8.2 HIGH
CVE-2026-34784 — Parse Server: Streaming file download bypasses afterFind file trigger authorization

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.71 and 9.7.1-alpha.1, file downloads via HTTP Range requests bypass the a…

Remote | Authorization
Mar 31, 2026 Mar 31, 2026
Mar 31, 2026
Mar 31, 2026
Showing 20 of 6196 Results