Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
CVE Intelligence

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

All Critical Actively Exploited Remotely Exploitable
Last Updated Published CVSS Score
Score
Vulnerability
Published
9.3 CRITICAL
CVE-2026-32311 — Command Injection and Docker container escape allows root on host machine

Flowsint is an open-source OSINT graph exploration tool designed for cybersecurity investigation, transparency, and verification. Flowsint allows a user to create investigations, which are used to ma…

Remote | Injection
Apr 20, 2026 Apr 20, 2026
Apr 20, 2026
Apr 20, 2026
7.7 HIGH
CVE-2026-32135 — NanoMQ has Heap Buffer Overflow in URI Parameter Parsing

NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Platform. Versions prior to 0.24.11 have a remotely triggerable heap buffer overflow in the `uri_param_parse` function of NanoMQ's REST API…

Remote | Memory Corruption
Apr 20, 2026 Apr 20, 2026
Apr 20, 2026
Apr 20, 2026
0.0 NA
CVE-2026-29649 — NEMU RISC-V Hypervisor CSR Handling Implementation Flaw

NEMU contains an implementation flaw in its RISC-V Hypervisor CSR handling where henvcfg[7:4] (CBIE/CBCFE/CBZE-related fields) is incorrectly masked/updated based on menvcfg[7:4], so a machine-mode w…

| Misconfiguration
Apr 20, 2026 Apr 20, 2026
Apr 20, 2026
Apr 20, 2026
0.0 NA
CVE-2026-29645 — NEMU RISC-V Vector Decoder Improper Instruction Validation

NEMU (OpenXiangShan/NEMU) before v2025.12.r2 contains an improper instruction-validation flaw in its RISC-V Vector (RVV) decoder. The decoder does not correctly validate the funct3 field when decodin…

| Misconfiguration
Apr 20, 2026 Apr 20, 2026
Apr 20, 2026
Apr 20, 2026
8.1 HIGH
CVE-2026-6248 — wpForo Forum <= 3.0.5 - Authenticated (Subscriber+) Arbitrary File Deletion via Custom Pr…

The wpForo Forum plugin for WordPress is vulnerable to Arbitrary File Deletion in versions up to and including 3.0.5. This is due to two compounding flaws: the Members::update() method does not valid…

Remote | Path Traversal
Apr 20, 2026 Apr 20, 2026
Apr 20, 2026
Apr 20, 2026
4.5 MEDIUM
CVE-2026-6060 — Possible DoS via SQL Box

A vulnerability in the SQL Box in the admin interface of OTRS leads to an uncontrolled resource consumption leading to a DoS against the webserver. will be killed by the systemThis issue affects OTRS…

Remote | Denial of Service
Apr 20, 2026 Apr 20, 2026
Apr 20, 2026
Apr 20, 2026
5.8 MEDIUM
CVE-2026-41389 — OpenClaw 2026.4.7 < 2026.4.15 - Arbitrary File Read via Unvalidated Tool-Result Media Pat…

OpenClaw versions 2026.4.7 before 2026.4.15 fail to enforce local-root containment on tool-result media paths, allowing arbitrary local and UNC file access. Attackers can craft malicious tool-result …

Remote | Path Traversal
Apr 20, 2026 Apr 20, 2026
Apr 20, 2026
Apr 20, 2026
5.4 MEDIUM
CVE-2026-39112 — Apartment Visitors Management System Cross Site Scripting

Cross Site Scripting vulnerability in Apartment Visitors Management System Apartment Visitors Management System V1.1 in the visname parameter of visitors-form.php. An authenticated attacker can injec…

Remote | Cross-Site Scripting
Apr 20, 2026 Apr 20, 2026
Apr 20, 2026
Apr 20, 2026
7.5 HIGH
CVE-2026-39111 — Apartment Visitors Management System SQL Injection

SQL Injection vulnerability in Apartment Visitors Management System Apartment Visitors Management System V1.1 in the email parameter of the forgot password page (forgot-password.php). This allows an …

Remote | Injection
Apr 20, 2026 Apr 20, 2026
Apr 20, 2026
Apr 20, 2026
8.2 HIGH
CVE-2026-39110 — Apache Openvisit SQL Injection Vulnerability

SQL Injection vulnerability in Apartment Visitors Management System Apartment Visitors Management System V1.1 in the contactno parameter of the forgot password page (forgot-password.php). This allows…

Remote | Injection
Apr 20, 2026 Apr 20, 2026
Apr 20, 2026
Apr 20, 2026
9.4 CRITICAL
CVE-2026-39109 — Apartment Visitors Management System SQL Injection

SQL Injection vulnerability in Apartment Visitors Management System Apartment Visitors Management System V1.1 within the username parameter of the login page (index.php). This allows an unauthenticat…

Remote | Injection
Apr 20, 2026 Apr 20, 2026
Apr 20, 2026
Apr 20, 2026
0.0 NA
CVE-2026-26399 — Arduin_Core_STM32 Stack Use-After-Return Buffer Overflow Vulnerability

A stack-use-after-return issue exists in the Arduino_Core_STM32 library prior to version 1.7.0. The pwm_start() function allocates a TIM_HandleTypeDef structure on the stack and passes its address to…

| Memory Corruption
Apr 20, 2026 Apr 20, 2026
Apr 20, 2026
Apr 20, 2026
6.4 MEDIUM
CVE-2026-23758 — GFI HelpDesk < 4.99.9 Stored XSS via editsubject Parameter

GFI HelpDesk before 4.99.9 contains a stored cross-site scripting vulnerability in the ticket subject field that allows authenticated staff members to inject malicious JavaScript by manipulating the …

Remote | Cross-Site Scripting
Apr 20, 2026 Apr 20, 2026
Apr 20, 2026
Apr 20, 2026
5.4 MEDIUM
CVE-2026-23757 — GFI HelpDesk < 4.99.10 Stored XSS via Reports Module

GFI HelpDesk before 4.99.10 contains a stored cross-site scripting vulnerability in the Reports module where the title parameter is passed directly to SWIFT_Report::Create() without HTML sanitization…

Remote | Cross-Site Scripting
Apr 20, 2026 Apr 20, 2026
Apr 20, 2026
Apr 20, 2026
5.4 MEDIUM
CVE-2026-23756 — GFI HelpDesk < 4.99.9 Stored XSS via Troubleshooter Step Subject

GFI HelpDesk before 4.99.9 contains a stored cross-site scripting vulnerability in the Troubleshooter module where the subject POST parameter is not sanitized in Controller_Step.InsertSubmit() and Ed…

Remote | Cross-Site Scripting
Apr 20, 2026 Apr 20, 2026
Apr 20, 2026
Apr 20, 2026
4.8 MEDIUM
CVE-2026-23753 — GFI HelpDesk < 4.99.9 Stored XSS via charset Parameter

GFI HelpDesk before 4.99.9 contains a stored cross-site scripting vulnerability in the language management functionality where the charset POST parameter is passed directly to SWIFT_Language::Create(…

Remote | Cross-Site Scripting
Apr 20, 2026 Apr 20, 2026
Apr 20, 2026
Apr 20, 2026
4.8 MEDIUM
CVE-2026-23752 — GFI HelpDesk < 4.99.9 Stored XSS via companyname Parameter

GFI HelpDesk before 4.99.9 contains a stored cross-site scripting vulnerability in the template group creation and editing functionality that allows authenticated administrators to inject arbitrary J…

Remote | Cross-Site Scripting
Apr 20, 2026 Apr 20, 2026
Apr 20, 2026
Apr 20, 2026
7.5 HIGH
CVE-2026-6662 — ericc-ch copilot-api Token Endpoint server.ts cors cross-domain policy

A vulnerability was found in ericc-ch copilot-api up to 0.7.0. The impacted element is the function cors of the file src/server.ts of the component Token Endpoint. Performing a manipulation results i…

Remote | Misconfiguration
Apr 20, 2026 Apr 20, 2026
Apr 20, 2026
Apr 20, 2026
8.8 HIGH
CVE-2026-41445 — KissFFT Integer Overflow Heap Buffer Overflow via kiss_fftndr_alloc()

KissFFT before commit 8a8e66e contains an integer overflow vulnerability in the kiss_fftndr_alloc() function in kiss_fftndr.c where the allocation size calculation dimOther*(dimReal+2)*sizeof(kiss_ff…

Remote | Memory Corruption
Apr 20, 2026 Apr 20, 2026
Apr 20, 2026
Apr 20, 2026
8.7 HIGH
CVE-2026-40488 — OpenMage LTS has Customer File Upload Extension Blocklist Bypass that Leads to Remote Cod…

Magento Long Term Support (LTS) is an unofficial, community-driven project provides an alternative to the Magento Community Edition e-commerce platform with a high level of backward compatibility. Pr…

Remote | Misconfiguration
Apr 20, 2026 Apr 20, 2026
Apr 20, 2026
Apr 20, 2026
Showing 20 of 6044 Results