Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
CVE Intelligence

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

All Critical Actively Exploited Remotely Exploitable
Last Updated Published CVSS Score
Score
Vulnerability
Published
2.9 LOW
CVE-2026-33769 — Astro: Remote allowlist bypass via unanchored matchPathname wildcard

Astro is a web framework. From version 2.10.10 to before version 5.18.1, this issue concerns Astro's remotePatterns path enforcement for remote URLs used by server-side fetchers such as the image opt…

Remote | Server-Side Request Forgery
Mar 24, 2026 Mar 24, 2026
Mar 24, 2026
Mar 24, 2026
6.5 MEDIUM
CVE-2026-33768 — Astro: Unauthenticated Path Override via `x-astro-path` / `x_astro_path`

Astro is a web framework. Prior to version 10.0.2, the @astrojs/vercel serverless entrypoint reads the x-astro-path header and x_astro_path query parameter to rewrite the internal request path, with …

Remote | Path Traversal
Mar 24, 2026 Mar 24, 2026
Mar 24, 2026
Mar 24, 2026
7.1 HIGH
CVE-2026-33627 — Parse Server: Auth data exposed via /users/me endpoint

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.61 and 9.6.0-alpha.55, an authenticated user calling GET /users/me receiv…

Remote | Information Disclosure
Mar 24, 2026 Mar 24, 2026
Mar 24, 2026
Mar 24, 2026
2.1 LOW
CVE-2026-33624 — Parse Server: MFA recovery code single-use bypass via concurrent requests

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.60 and 9.6.0-alpha.54, an attacker who obtains a user's password and a si…

Remote | Authentication
Mar 24, 2026 Mar 24, 2026
Mar 24, 2026
Mar 24, 2026
8.6 HIGH
CVE-2026-33539 — Parse Server: SQL injection via aggregate and distinct field names in PostgreSQL adapter

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.59 and 9.6.0-alpha.53, an attacker with master key access can execute arb…

Remote | Injection
Mar 24, 2026 Mar 24, 2026
Mar 24, 2026
Mar 24, 2026
8.7 HIGH
CVE-2026-33538 — Parse Server: Denial of service via unindexed database query for unconfigured auth provid…

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.58 and 9.6.0-alpha.52, an unauthenticated attacker can cause denial of se…

Remote | Denial of Service
Mar 24, 2026 Mar 24, 2026
Mar 24, 2026
Mar 24, 2026
5.3 MEDIUM
CVE-2026-33527 — Parse Server: Session update endpoint allows overwriting server-generated session fields

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.57 and 9.6.0-alpha.48, an authenticated user can overwrite server-generat…

Remote | Authentication
Mar 24, 2026 Mar 24, 2026
Mar 24, 2026
Mar 24, 2026
8.2 HIGH
CVE-2026-33508 — Parse Server: LiveQuery subscription query depth bypass

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.56 and 9.6.0-alpha.45, Parse Server's LiveQuery component does not enforc…

Remote | Denial of Service
Mar 24, 2026 Mar 24, 2026
Mar 24, 2026
Mar 24, 2026
8.7 HIGH
CVE-2026-33498 — Parse Server: Query condition depth bypass via pre-validation transform pipeline

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.55 and 9.6.0-alpha.44, an attacker can send an unauthenticated HTTP reque…

Remote | Denial of Service
Mar 24, 2026 Mar 24, 2026
Mar 24, 2026
Mar 24, 2026
6.3 MEDIUM
CVE-2026-33429 — Parse Server: Protected field change detection oracle via LiveQuery watch parameter

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.54 and 9.6.0-alpha.43, an attacker can subscribe to LiveQuery with a watc…

Remote | Information Disclosure
Mar 24, 2026 Mar 24, 2026
Mar 24, 2026
Mar 24, 2026
7.1 HIGH
CVE-2026-33421 — Parse Server: LiveQuery bypasses CLP pointer permission enforcement

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.53 and 9.6.0-alpha.42, Parse Server's LiveQuery WebSocket interface does …

Remote | Authorization
Mar 24, 2026 Mar 24, 2026
Mar 24, 2026
Mar 24, 2026
6.5 MEDIUM
CVE-2026-33417 — Wallos: Password Reset Tokens Never Expire

Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.2, password reset tokens in Wallos never expire. The password_resets table includes a created_at timestamp …

Remote | Authentication
Mar 24, 2026 Mar 24, 2026
Mar 24, 2026
Mar 24, 2026
7.0 HIGH
CVE-2026-33409 — Parse Server: Auth provider validation bypass on login via partial authData

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.52 and 9.6.0-alpha.41, an authentication bypass vulnerability allows an a…

Remote | Authentication
Mar 24, 2026 Mar 24, 2026
Mar 24, 2026
Mar 24, 2026
6.3 MEDIUM
CVE-2026-33323 — Parse Server: Email verification resend page leaks user existence

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.51 and 9.6.0-alpha.40, the Pages route and legacy PublicAPI route for res…

Remote | Information Disclosure
Mar 24, 2026 Mar 24, 2026
Mar 24, 2026
Mar 24, 2026
8.6 HIGH
CVE-2026-30932 — Froxlor is vulnerable to BIND zone file injection via unsanitized DNS record content in D…

Froxlor is open source server administration software. Prior to version 2.3.5, the DomainZones.add API endpoint (accessible to customers with DNS enabled) does not validate the content field for seve…

Remote | Injection
Mar 24, 2026 Mar 24, 2026
Mar 24, 2026
Mar 24, 2026
9.3 CRITICAL
CVE-2026-2417 — Missing Authentication for Critical Function in Pharos Controls Mosaic Show Controller

A Missing Authentication for Critical Function vulnerability in Pharos Controls Mosaic Show Controller firmware version 2.15.3 could allow an unauthenticated attacker to bypass authentication and exe…

Remote | Authentication
Mar 24, 2026 Mar 24, 2026
Mar 24, 2026
Mar 24, 2026
5.9 MEDIUM
CVE-2026-29772 — Astro: Memory exhaustion DoS due to missing request body size limit in Server Islands

Astro is a web framework. Prior to version 10.0.0, Astro's Server Islands POST handler buffers and parses the full request body as JSON without enforcing a size limit. Because JSON.parse() allocates …

Remote | Denial of Service
Mar 24, 2026 Mar 24, 2026
Mar 24, 2026
Mar 24, 2026
6.1 MEDIUM
CVE-2026-23924 — Agent 2 Docker plugin arbitrary file read via Docker API injection

Zabbix Agent 2 Docker plugin does not properly sanitize the 'docker.container_info' parameters when forwarding them to the Docker daemon. An attacker capable of invoking Agent 2 can read arbitrary fi…

Remote | Information Disclosure
Mar 24, 2026 Mar 24, 2026
Mar 24, 2026
Mar 24, 2026
6.9 MEDIUM
CVE-2026-23923 — Unauthenticated arbitrary PHP class instantiation

An unauthenticated attacker can exploit the Frontend 'validate' action to blindly instantiate arbitrary PHP classes. The impact depends on environment setup but appears limited at this time.

Remote | Authentication
Mar 24, 2026 Mar 24, 2026
Mar 24, 2026
Mar 24, 2026
8.7 HIGH
CVE-2026-23921 — Blind, read-only SQL injection in Zabbix API via sortfield parameter

A low privilege Zabbix user with API access can exploit a blind SQL injection vulnerability in include/classes/api/CApiService.php to execute arbitrary SQL selects via the sortfield parameter. Althou…

Remote | Injection
Mar 24, 2026 Mar 24, 2026
Mar 24, 2026
Mar 24, 2026
Showing 20 of 5481 Results