Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
8.2 HIGH
CVE-2019-25493 — Homey BNB V4 SQL Injection via getrecord.php

Homey BNB V4 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'val' parameter. Attackers can send GET req…

Remote | Injection
Feb 27, 2026 Feb 27, 2026
Feb 27, 2026
Feb 27, 2026
8.2 HIGH
CVE-2019-25492 — Homey BNB V4 SQL Injection via getcmsdata.php

Homey BNB V4 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'pt' parameter. Attackers can send GET requ…

Remote | Injection
Feb 27, 2026 Feb 27, 2026
Feb 27, 2026
Feb 27, 2026
8.2 HIGH
CVE-2019-25491 — Homey BNB V4 SQL Injection via cms_getpagetitle.php

Homey BNB V4 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the catid parameter. Attackers can send GET req…

Remote | Injection
Feb 27, 2026 Feb 27, 2026
Feb 27, 2026
Feb 27, 2026
8.2 HIGH
CVE-2019-25490 — Homey BNB V4 SQL Injection via admin edit.php

Homey BNB V4 contains a SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'id' parameter. Attackers can send GET reque…

Remote | Injection
Feb 27, 2026 Feb 27, 2026
Feb 27, 2026
Feb 27, 2026
8.2 HIGH
CVE-2019-25489 — Homey BNB V4 SQL Injection via ajax_refresh_subtotal

Homey BNB V4 contains a SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the hosting_id parameter. Attackers can send GET…

Remote | Injection
Feb 27, 2026 Feb 27, 2026
Feb 27, 2026
Feb 27, 2026
8.2 HIGH
CVE-2026-2293 — NestJS 11.1.13 - Lack of data validation allowing authentication/authorization bypass

A NestJS application using @nestjs/platform-fastify can allow bypass of authentication/authorization middleware when Fastify path-normalization options are enabled. This issue affects nest.Js: 11.…

nest.js | Remote | Authentication
Feb 27, 2026 Feb 27, 2026
Feb 27, 2026
Feb 27, 2026
7.1 HIGH
CVE-2026-25147 — OpenEMR's Portal Payment Endpoint Trusts User-Controlled pid

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, in `portal/portal_payment.php`, the patient id used for the page is ta…

openemr | Remote | Authorization
Feb 27, 2026 Feb 27, 2026
Feb 27, 2026
Feb 27, 2026
6.5 MEDIUM
CVE-2026-24488 — OpenEMR Vulnerable to Arbitrary File Exfiltration via Fax Endpoint

OpenEMR is a free and open source electronic health records and medical practice management application. In versions up to and including 8.0.0, an arbitrary file exfiltration vulnerability in the fax…

openemr | Remote | Path Traversal
Feb 27, 2026 Feb 27, 2026
Feb 27, 2026
Feb 27, 2026
8.7 HIGH
CVE-2025-69437 — PublicCMS Stored XSS in PDF Upload

PublicCMS v5.202506.d and earlier is vulnerable to stored XSS. Uploaded PDFs can contain JavaScript payloads and bypass PDF security checks in the backend CmsFileUtils.java. If a user uploads a PDF f…

Remote | Cross-Site Scripting
Feb 27, 2026 Feb 27, 2026
Feb 27, 2026
Feb 27, 2026
8.7 HIGH
CVE-2026-3304 — Multer vulnerable to Denial of Service via incomplete cleanup

Multer is a node.js middleware for handling `multipart/form-data`. A vulnerability in Multer prior to version 2.1.0 allows an attacker to trigger a Denial of Service (DoS) by sending malformed reques…

Remote | Denial of Service
Feb 27, 2026 Feb 27, 2026
Feb 27, 2026
Feb 27, 2026
0.0 NA
CVE-2026-3277 — PowerShell Universal OpenID Connect Cleartext Client Secret Exposure

The OpenID Connect (OIDC) authentication configuration in PowerShell Universal before 2026.1.3 stores the OIDC client secret in cleartext in the .universal/authentication.ps1 script, which allows a…

| Authentication
Feb 27, 2026 Feb 27, 2026
Feb 27, 2026
Feb 27, 2026
9.1 CRITICAL
CVE-2026-2750 — Command Injection via CLAPI generatetraps

Improper Input Validation vulnerability in Centreon Centreon Open Tickets on Central Server on Linux (Centreon Open Tickets modules).This issue affects Centreon Open Tickets on Central Server: from a…

Remote | Injection
Feb 27, 2026 Feb 27, 2026
Feb 27, 2026
Feb 27, 2026
9.9 CRITICAL
CVE-2026-2749 — Path traversal in Centreon Open Tickets

Vulnerability in Centreon Centreon Open Tickets on Central Server on Linux (Centroen Open Ticket modules).This issue affects Centreon Open Tickets on Central Server: from all before 25.10.3, 24.10.8,…

Remote | Information Disclosure
Feb 27, 2026 Feb 27, 2026
Feb 27, 2026
Feb 27, 2026
8.7 HIGH
CVE-2026-2359 — Multer vulnerable to Denial of Service via resource exhaustion

Multer is a node.js middleware for handling `multipart/form-data`. A vulnerability in Multer prior to version 2.1.0 allows an attacker to trigger a Denial of Service (DoS) by dropping connection duri…

Remote | Denial of Service
Feb 27, 2026 Feb 27, 2026
Feb 27, 2026
Feb 27, 2026
4.8 MEDIUM
CVE-2026-3327 — Authenticated DatoCMS Web Previews Plugin Iframe Injection

Authenticated Iframe Injection in Dato CMS Web Previews plugin. This vulnerability permits a malicious authenticated user to circumvent the restriction enforced on the configured frontend URL, enabli…

Remote | Injection
Feb 27, 2026 Feb 27, 2026
Feb 27, 2026
Feb 27, 2026
8.4 HIGH
CVE-2026-3223 — Zip Slip leading to Arbitrary File Write and Privilege Escalation in Google Web Designer

Arbitrary file write & potential privilege escalation exploiting zip slip vulnerability in Google Web Designer.

web_designer | Path Traversal
Feb 27, 2026 Feb 27, 2026
Feb 27, 2026
Feb 27, 2026
8.3 HIGH
CVE-2026-2751 — Blind SQL Injection

Blind SQL Injection via unsanitized array keys in Service Dependencies deletion. Vulnerability in Centreon Centreon Web on Central Server on Linux (Service Dependencies modules) allows Blind SQL Inje…

Remote | Injection
Feb 27, 2026 Feb 27, 2026
Feb 27, 2026
Feb 27, 2026
9.3 CRITICAL
CVE-2025-15498 — SQL Injection in Pro3W CMS

Pro3W CMS if vulnerable to SQL injection attacks. Improper neutralization of input provided into a login form allows an unauthenticated attacker to bypass authentication and gain administrative privi…

Remote | Injection
Feb 27, 2026 Feb 27, 2026
Feb 27, 2026
Feb 27, 2026
7.5 HIGH
CVE-2025-10990 — Rexml: rexml: denial of service via inefficient regex parsing

A flaw was found in REXML. A remote attacker could exploit inefficient regular expression (regex) parsing when processing hex numeric character references (&#x...;) in XML documents. This could lead …

Remote | Denial of Service
Feb 27, 2026 Feb 27, 2026
Feb 27, 2026
Feb 27, 2026
6.3 MEDIUM
CVE-2025-11950 — Reflected XSS in Knowhy's EduAsist

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in KNOWHY Advanced Technology Trading Ltd. Co. EduAsist allows Reflected XSS.This issue affec…

eduasist | Remote | Cross-Site Scripting
Feb 27, 2026 Feb 28, 2026
Feb 27, 2026
Feb 28, 2026
Showing 20 of 4739 Results