Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
9.3 CRITICAL
CVE-2026-2417 — Missing Authentication for Critical Function in Pharos Controls Mosaic Show Controller

A Missing Authentication for Critical Function vulnerability in Pharos Controls Mosaic Show Controller firmware version 2.15.3 could allow an unauthenticated attacker to bypass authentication and exe…

Remote | Authentication
Mar 24, 2026 Mar 24, 2026
Mar 24, 2026
Mar 24, 2026
0.0 NA
CVE-2026-33323 — Parse Server: Email verification resend page leaks user existence

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.51 and 9.6.0-alpha.40, the Pages route and legacy PublicAPI route for res…

| Information Disclosure
Mar 24, 2026 Mar 24, 2026
Mar 24, 2026
Mar 24, 2026
0.0 NA
CVE-2026-33417 — Wallos: Password Reset Tokens Never Expire

Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.2, password reset tokens in Wallos never expire. The password_resets table includes a created_at timestamp …

| Authentication
Mar 24, 2026 Mar 24, 2026
Mar 24, 2026
Mar 24, 2026
0.0 NA
CVE-2026-1995 — IDrive Cloud Backup Client for Windows contains a privilege escalation vulnerability

IDrive’s id_service.exe process runs with elevated privileges and regularly reads from several files under the C:\ProgramData\IDrive\ directory. The UTF16-LE encoded contents of these files are used …

| Authentication
Mar 24, 2026 Mar 24, 2026
Mar 24, 2026
Mar 24, 2026
9.1 CRITICAL
CVE-2026-33340 — LoLLMs WEBUI has unauthenticated Server-Side Request Forgery (SSRF) in /api/proxy endpoint

LoLLMs WEBUI provides the Web user interface for Lord of Large Language and Multi modal Systems. A critical Server-Side Request Forgery (SSRF) vulnerability has been identified in all known existing …

Remote | Server-Side Request Forgery
Mar 24, 2026 Mar 24, 2026
Mar 24, 2026
Mar 24, 2026
2.1 LOW
CVE-2025-11571 — Command Execution vulnerability in Simplicity Installer

Vulnerable endpoints accept user-controlled input through a URL in JSON format which enables command execution. The commands allowed to execute can open executables. However, the commands cannot pass…

Remote | Injection
Mar 24, 2026 Mar 24, 2026
Mar 24, 2026
Mar 24, 2026
6.9 MEDIUM
CVE-2026-33700 — Vikunja has a Link Share Delete IDOR — Missing Project Ownership Check Allows Cross-Proje…

Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, the `DELETE /api/v1/projects/:project/shares/:share` endpoint does not verify that the link share belongs to th…

Remote | Authorization
Mar 24, 2026 Mar 24, 2026
Mar 24, 2026
Mar 24, 2026
7.5 HIGH
CVE-2026-33680 — Vikunja Vulnerable to Link Share Hash Disclosure via ReadAll Endpoint Enables Permission …

Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.2, the `LinkSharing.ReadAll()` method allows link share authenticated users to list all link shares for a project,…

Remote | Authorization
Mar 24, 2026 Mar 24, 2026
Mar 24, 2026
Mar 24, 2026
6.4 MEDIUM
CVE-2026-33679 — Vikunja has SSRF via OpenID Connect Avatar Download that Bypasses Webhook SSRF Protections

Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, the `DownloadImage` function in `pkg/utils/avatar.go` uses a bare `http.Client{}` with no SSRF protection when …

Remote | Server-Side Request Forgery
Mar 24, 2026 Mar 24, 2026
Mar 24, 2026
Mar 24, 2026
8.1 HIGH
CVE-2026-33678 — Vikunja has IDOR in Task Attachment ReadOne Allows Cross-Project File Access and Deletion

Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, `TaskAttachment.ReadOne()` queries attachments by ID only (`WHERE id = ?`), ignoring the task ID from the URL p…

Remote | Authorization
Mar 24, 2026 Mar 24, 2026
Mar 24, 2026
Mar 24, 2026
6.5 MEDIUM
CVE-2026-33677 — Webhook BasicAuth Credentials Exposed to Read-Only Project Collaborators via API

Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, the `GET /api/v1/projects/:project/webhooks` endpoint returns webhook BasicAuth credentials (`basic_auth_user` …

Remote | Information Disclosure
Mar 24, 2026 Mar 24, 2026
Mar 24, 2026
Mar 24, 2026
6.5 MEDIUM
CVE-2026-33676 — Vikunja has Cross-Project Information Disclosure via Task Relations — Missing Authorizati…

Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, when the Vikunja API returns tasks, it populates the `related_tasks` field with full task objects for all relat…

Remote | Authorization
Mar 24, 2026 Mar 24, 2026
Mar 24, 2026
Mar 24, 2026
6.4 MEDIUM
CVE-2026-33675 — Vikunja has SSRF via Todoist/Trello Migration File Attachment URLs that Allows Reading In…

Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, the migration helper functions `DownloadFile` and `DownloadFileWithHeaders` in `pkg/modules/migration/helpers.g…

Remote | Server-Side Request Forgery
Mar 24, 2026 Mar 24, 2026
Mar 24, 2026
Mar 24, 2026
7.1 HIGH
CVE-2026-33668 — Vikunja Allows Disabled/Locked User Accounts to Authenticate via API Tokens, CalDAV, and …

Vikunja is an open-source self-hosted task management platform. Starting in version 0.18.0 and prior to version 2.2.1, when a user account is disabled or locked, the status check is only enforced on …

Remote | Authentication
Mar 24, 2026 Mar 24, 2026
Mar 24, 2026
Mar 24, 2026
6.5 MEDIUM
CVE-2026-33474 — Vikunja Affected by DoS via Image Preview Generation

Vikunja is an open-source self-hosted task management platform. Starting in version 1.0.0-rc0 and prior to version 2.2.0, unbounded image decoding and resizing during preview generation lets an attac…

Remote | Denial of Service
Mar 24, 2026 Mar 24, 2026
Mar 24, 2026
Mar 24, 2026
5.7 MEDIUM
CVE-2026-33473 — Vikunja has TOTP Reuse During Validity Window

Vikunja is an open-source self-hosted task management platform. Starting in version 0.13 and prior to version 2.2.1, any user that has enabled 2FA can have their TOTP reused during the standard 30 se…

Remote | Authentication
Mar 24, 2026 Mar 24, 2026
Mar 24, 2026
Mar 24, 2026
6.5 MEDIUM
CVE-2026-33336 — Vikunja Desktop vulnerable to Remote Code Execution via same-window navigation

Vikunja is an open-source self-hosted task management platform. Starting in version 0.21.0 and prior to version 2.2.0, the Vikunja Desktop Electron wrapper enables `nodeIntegration` in the main Brows…

Remote | Misconfiguration
Mar 24, 2026 Mar 24, 2026
Mar 24, 2026
Mar 24, 2026
6.4 MEDIUM
CVE-2026-33335 — Vikunja Desktop allows arbitrary local application invocation via unvalidated shell.openE…

Vikunja is an open-source self-hosted task management platform. Starting in version 0.21.0 and prior to version 2.2.0, the Vikunja Desktop Electron wrapper passes URLs from `window.open()` calls dire…

Remote | Misconfiguration
Mar 24, 2026 Mar 24, 2026
Mar 24, 2026
Mar 24, 2026
6.5 MEDIUM
CVE-2026-33334 — Vikunja Desktop: Any frontend XSS escalates to Remote Code Execution due to nodeIntegrati…

Vikunja is an open-source self-hosted task management platform. Starting in version 0.21.0 and prior to version 2.2.0, the Vikunja Desktop Electron wrapper enables `nodeIntegration` in the renderer p…

Remote | Cross-Site Scripting
Mar 24, 2026 Mar 24, 2026
Mar 24, 2026
Mar 24, 2026
0.0 NA
CVE-2026-29840 — JiZhiCMS Stored Cross-Site Scripting (XSS)

JiZhiCMS v2.5.6 and before contains a Stored Cross-Site Scripting (XSS) vulnerability in the release function within app/home/c/UserController.php. The application attempts to sanitize input by filte…

| Cross-Site Scripting
Mar 24, 2026 Mar 24, 2026
Mar 24, 2026
Mar 24, 2026
Showing 20 of 5460 Results