Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
Following is the list of latest published vulnerabilities. You can filter the list based on the severity of the vulnerability, whether it is actively exploited (also known as CISA KEV List) or remotely exploitable. You can also sort the list based on the published date, last updated date, or CVSS score.
Latest Critical Actively Exploited Remotely Exploitable
Published Last Updated CVSS Score

  • 4.3

    MEDIUM
    CVE-2026-27968

    Packistry is a self-hosted Composer repository designed to handle PHP package distribution. Prior to version 0.13.0, RepositoryAwareController::authorize() verified token presence and ability, but did not enforce token expiration. As a result, an expired ... Read more

    Affected Products :
    • Published: Feb. 26, 2026
    • Modified: Feb. 26, 2026
    • Vuln Type: Authentication

  • 9.8

    CRITICAL
    CVE-2026-27966

    Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.8.0, the CSV Agent node in Langflow hardcodes `allow_dangerous_code=True`, which automatically exposes LangChain’s Python REPL tool (`python_repl_ast`). As a... Read more

    Affected Products : langflow
    • Published: Feb. 26, 2026
    • Modified: Feb. 26, 2026
    • Vuln Type: Injection

  • 8.4

    HIGH
    CVE-2026-27965

    Vitess is a database clustering system for horizontal scaling of MySQL. Prior to versions 23.0.3 and 22.0.4, anyone with read/write access to the backup storage location (e.g. an S3 bucket) can manipulate backup manifest files so that arbitrary code is la... Read more

    Affected Products : vitess
    • Published: Feb. 26, 2026
    • Modified: Feb. 26, 2026
    • Vuln Type: Misconfiguration

  • 8.8

    HIGH
    CVE-2026-27961

    Agenta is an open-source LLMOps platform. A Server-Side Template Injection (SSTI) vulnerability exists in versions prior to 0.86.8 in Agenta's API server evaluator template rendering. Although the vulnerable code lives in the SDK package, it is executed s... Read more

    Affected Products :
    • Published: Feb. 26, 2026
    • Modified: Feb. 26, 2026
    • Vuln Type: Injection

  • 7.5

    HIGH
    CVE-2026-27959

    Koa is middleware for Node.js using ES2017 async functions. Prior to versions 3.1.2 and 2.16.4, Koa's `ctx.hostname` API performs naive parsing of the HTTP Host header, extracting everything before the first colon without validating the input conforms to ... Read more

    Affected Products : koa
    • Published: Feb. 26, 2026
    • Modified: Feb. 26, 2026
    • Vuln Type: Information Disclosure

  • 4.9

    MEDIUM
    CVE-2026-27954

    Live Helper Chat is an open-source application that enables live support websites. In versions up to and including 4.52, three chat action endpoints (holdaction.php, blockuser.php, and transferchat.php) load chat objects by ID without calling `erLhcoreCl... Read more

    Affected Products : livehelperchat
    • Published: Feb. 26, 2026
    • Modified: Feb. 26, 2026
    • Vuln Type: Authorization

  • 8.8

    HIGH
    CVE-2026-27952

    Agenta is an open-source LLMOps platform. In Agenta-API prior to version 0.48.1, a Python sandbox escape vulnerability existed in Agenta's custom code evaluator. Agenta used RestrictedPython as a sandboxing mechanism for user-supplied evaluator code, but ... Read more

    Affected Products :
    • Published: Feb. 26, 2026
    • Modified: Feb. 26, 2026
    • Vuln Type: Injection

  • 5.4

    MEDIUM
    CVE-2026-27948

    Copyparty is a portable file server. In versions prior to 1.20.9, an XSS allows for reflected cross-site scripting via URL-parameter `?setck=...`. Version 1.20.9 fixes the issue.... Read more

    Affected Products : copyparty
    • Published: Feb. 26, 2026
    • Modified: Feb. 26, 2026
    • Vuln Type: Cross-Site Scripting

  • 6.5

    MEDIUM
    CVE-2026-27943

    OpenEMR is a free and open source electronic health records and medical practice management application. In versions up to and including 8.0.0, the eye exam (eye_mag) view loads data by `form_id` (or equivalent) without verifying that the form belongs to ... Read more

    Affected Products : openemr
    • Published: Feb. 26, 2026
    • Modified: Feb. 26, 2026
    • Vuln Type: Authorization

  • 2.7

    LOW
    CVE-2026-27942

    fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. Prior to version 5.3.8, the application crashes with stack overflow when user use XML builder with `preserveOr... Read more

    Affected Products : fast-xml-parser
    • Published: Feb. 26, 2026
    • Modified: Feb. 26, 2026
    • Vuln Type: Denial of Service

  • 9.9

    CRITICAL
    CVE-2026-27941

    OpenLIT is an open source platform for AI engineering. Prior to version 1.37.1, several GitHub Actions workflows in OpenLIT's GitHub repository use the `pull_request_target` event while checking out and executing untrusted code from forked pull requests. ... Read more

    Affected Products :
    • Published: Feb. 26, 2026
    • Modified: Feb. 26, 2026
    • Vuln Type: Misconfiguration

  • 7.7

    HIGH
    CVE-2026-27938

    WPGraphQL provides a GraphQL API for WordPress sites. Prior to version 2.9.1, the `wp-graphql/wp-graphql` repository contains a GitHub Actions workflow (`release.yml`) vulnerable to OS command injection through direct use of `${{ github.event.pull_request... Read more

    Affected Products : wpgraphql
    • Published: Feb. 26, 2026
    • Modified: Feb. 26, 2026
    • Vuln Type: Injection

  • 7.5

    HIGH
    CVE-2026-27904

    minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4, nested `*()` extglobs produce regexps with nested unbounded quantifiers (... Read more

    Affected Products : minimatch
    • Published: Feb. 26, 2026
    • Modified: Feb. 26, 2026
    • Vuln Type: Denial of Service

  • 7.5

    HIGH
    CVE-2026-27903

    minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.3, `matchOne()` performs unbounded recursive backtracking when a glob patter... Read more

    Affected Products : minimatch
    • Published: Feb. 26, 2026
    • Modified: Feb. 26, 2026
    • Vuln Type: Denial of Service

  • 5.3

    MEDIUM
    CVE-2026-27902

    Svelte performance oriented web framework. Prior to version 5.53.5, errors from `transformError` were not correctly escaped prior to being embedded in the HTML output, causing potential HTML injection and XSS if attacker-controlled content is returned fro... Read more

    Affected Products : svelte
    • Published: Feb. 26, 2026
    • Modified: Feb. 26, 2026
    • Vuln Type: Cross-Site Scripting

  • 5.3

    MEDIUM
    CVE-2026-27901

    Svelte performance oriented web framework. Prior to version 5.53.5, the contents of `bind:innerText` and `bind:textContent` on `contenteditable` elements were not properly escaped. This could enable HTML injection and Cross-Site Scripting (XSS) if renderi... Read more

    Affected Products : svelte
    • Published: Feb. 26, 2026
    • Modified: Feb. 26, 2026
    • Vuln Type: Cross-Site Scripting

  • 5.0

    MEDIUM
    CVE-2026-27900

    The Terraform Provider for Linode versions prior to v3.9.0 logged sensitive information including some passwords, StackScript content, and object storage data in debug logs without redaction. Provider debug logging is not enabled by default. This issue is... Read more

    Affected Products :
    • Published: Feb. 26, 2026
    • Modified: Feb. 26, 2026
    • Vuln Type: Information Disclosure

  • 8.8

    HIGH
    CVE-2026-27899

    WireGuard Portal (or wg-portal) is a web-based configuration portal for WireGuard server management. Prior to version 2.1.3, any authenticated non-admin user can become a full administrator by sending a single PUT request to their own user profile endpoin... Read more

    Affected Products :
    • Published: Feb. 26, 2026
    • Modified: Feb. 26, 2026
    • Vuln Type: Authorization

  • 6.9

    MEDIUM
    CVE-2026-27887

    Spin is an open source developer tool for building and running serverless applications powered by WebAssembly. When Spin is configured to allow connections to a database or web server which could return responses of unbounded size (e.g. tables with many r... Read more

    Affected Products :
    • Published: Feb. 26, 2026
    • Modified: Feb. 26, 2026
    • Vuln Type: Denial of Service

  • 4.9

    MEDIUM
    CVE-2026-22728

    Bitnami Sealed Secrets is vulnerable to a scope-widening attack during the secret rotation (/v1/rotate) flow. The rotation handler derives the sealing scope for the newly encrypted output from untrusted spec.template.metadata.annotations present in the in... Read more

    Affected Products :
    • Published: Feb. 26, 2026
    • Modified: Feb. 26, 2026
    • Vuln Type: Authorization
Showing 20 of 4944 Results