Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
Following is the list of latest published vulnerabilities. You can filter the list based on the severity of the vulnerability, whether it is actively exploited (also known as CISA KEV List) or remotely exploitable. You can also sort the list based on the published date, last updated date, or CVSS score.
Latest Critical Actively Exploited Remotely Exploitable
Published Last Updated CVSS Score

  • 9.4

    CRITICAL
    CVE-2026-24731

    WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. An unauthenticated attacker can connect to the OCPP WebSocket endpoint using a known or... Read more

    Affected Products :
    • Published: Feb. 27, 2026
    • Modified: Feb. 27, 2026
    • Vuln Type: Authentication

  • 6.5

    MEDIUM
    CVE-2026-22890

    Charging station authentication identifiers are publicly accessible via web-based mapping platforms.... Read more

    Affected Products :
    • Published: Feb. 27, 2026
    • Modified: Feb. 27, 2026
    • Vuln Type: Authentication

  • 7.3

    HIGH
    CVE-2026-20895

    The WebSocket backend uses charging station identifiers to uniquely associate sessions but allows multiple endpoints to connect using the same session identifier. This implementation results in predictable session identifiers and enables session hijack... Read more

    Affected Products :
    • Published: Feb. 27, 2026
    • Modified: Feb. 27, 2026
    • Vuln Type: Authentication

  • 7.5

    HIGH
    CVE-2026-20792

    The WebSocket Application Programming Interface lacks restrictions on the number of authentication requests. This absence of rate limiting may allow an attacker to conduct denial-of-service attacks by suppressing or misrouting legitimate charger teleme... Read more

    Affected Products :
    • Published: Feb. 27, 2026
    • Modified: Feb. 27, 2026
    • Vuln Type: Authentication

  • 6.5

    MEDIUM
    CVE-2026-20791

    Charging station authentication identifiers are publicly accessible via web-based mapping platforms.... Read more

    Affected Products :
    • Published: Feb. 27, 2026
    • Modified: Feb. 27, 2026
    • Vuln Type: Information Disclosure

  • 9.4

    CRITICAL
    CVE-2026-20781

    WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. An unauthenticated attacker can connect to the OCPP WebSocket endpoint using a known or... Read more

    Affected Products :
    • Published: Feb. 27, 2026
    • Modified: Feb. 27, 2026
    • Vuln Type: Authentication

  • 6.5

    MEDIUM
    CVE-2026-20733

    Charging station authentication identifiers are publicly accessible via web-based mapping platforms.... Read more

    Affected Products :
    • Published: Feb. 27, 2026
    • Modified: Feb. 27, 2026
    • Vuln Type: Authentication

  • 6.7

    MEDIUM
    CVE-2026-1585

    An unquoted Windows service executable path vulnerability in IJ Scan Utility for Windows versions 1.1.2 through 1.5.0 may allow a local attacker to execute a malicious file with the privileges of the affected service.... Read more

    Affected Products :
    • Published: Feb. 27, 2026
    • Modified: Feb. 27, 2026
    • Vuln Type: Misconfiguration

  • 0.0

    NA
    CVE-2025-40932

    Apache::SessionX versions through 2.01 for Perl create insecure session id. Apache::SessionX generates session ids insecurely. The default session id generator in Apache::SessionX::Generate::MD5 returns a MD5 hash seeded with the built-in rand() function... Read more

    Affected Products :
    • Published: Feb. 27, 2026
    • Modified: Feb. 27, 2026
    • Vuln Type: Cryptography

  • 5.5

    MEDIUM
    CVE-2026-3268

    A vulnerability was detected in psi-probe PSI Probe up to 5.3.0. The affected element is an unknown function of the file psi-probe-core/src/main/java/psiprobe/controllers/sessions/RemoveSessAttributeController.java of the component Session Attribute Handl... Read more

    Affected Products :
    • Published: Feb. 26, 2026
    • Modified: Feb. 26, 2026
    • Vuln Type: Authorization

  • 6.5

    MEDIUM
    CVE-2026-3265

    A vulnerability was identified in go2ismail Free-CRM up to b83c40a90726d5e58f0cc680ffdcaa28a03fb5d1. This affects an unknown part of the file /api/Security/ of the component Security API. The manipulation leads to improper authorization. The attack is pos... Read more

    Affected Products :
    • Published: Feb. 26, 2026
    • Modified: Feb. 26, 2026
    • Vuln Type: Authorization

  • 6.5

    MEDIUM
    CVE-2026-3264

    A vulnerability was determined in go2ismail Free-CRM up to b83c40a90726d5e58f0cc680ffdcaa28a03fb5d1. Affected by this issue is some unknown functionality of the component Administrative Interface. Executing a manipulation can lead to execution after redir... Read more

    Affected Products :
    • Published: Feb. 26, 2026
    • Modified: Feb. 26, 2026
    • Vuln Type: Misconfiguration

  • 6.1

    MEDIUM
    CVE-2026-28280

    osctrl is an osquery management solution. Prior to version 0.5.0, a stored cross-site scripting (XSS) vulnerability exists in the `osctrl-admin` on-demand query list. A user with query-level permissions can inject arbitrary JavaScript via the query parame... Read more

    Affected Products :
    • Published: Feb. 26, 2026
    • Modified: Feb. 26, 2026
    • Vuln Type: Cross-Site Scripting

  • 7.3

    HIGH
    CVE-2026-28279

    osctrl is an osquery management solution. Prior to version 0.5.0, an OS command injection vulnerability exists in the `osctrl-admin` environment configuration. An authenticated administrator can inject arbitrary shell commands via the hostname parameter w... Read more

    Affected Products :
    • Published: Feb. 26, 2026
    • Modified: Feb. 26, 2026
    • Vuln Type: Injection

  • 7.5

    HIGH
    CVE-2026-28276

    Initiative is a self-hosted project management platform. An access control vulnerability exists in Initiative versions prior to 0.32.2 where uploaded documents are served from a publicly accessible /uploads/ directory without any authentication or authori... Read more

    Affected Products :
    • Published: Feb. 26, 2026
    • Modified: Feb. 26, 2026
    • Vuln Type: Authorization

  • 8.1

    HIGH
    CVE-2026-28275

    Initiative is a self-hosted project management platform. Versions of the application prior to 0.32.4 do not invalidate previously issued JWT access tokens after a user changes their password. As a result, older tokens remain valid until expiration and can... Read more

    Affected Products :
    • Published: Feb. 26, 2026
    • Modified: Feb. 26, 2026
    • Vuln Type: Authentication

  • 8.7

    HIGH
    CVE-2026-28274

    Initiative is a self-hosted project management platform. Versions of the application prior to 0.32.4 are vulnerable to Stored Cross-Site Scripting (XSS) in the document upload functionality. Any user with upload permissions within the "Initiatives" sectio... Read more

    Affected Products :
    • Published: Feb. 26, 2026
    • Modified: Feb. 26, 2026
    • Vuln Type: Cross-Site Scripting

  • 5.9

    MEDIUM
    CVE-2026-28269

    Kiteworks is a private data network (PDN). Prior to version 9.2.0, avulnerability in Kiteworks command execution functionality allows authenticated users to redirect command output to arbitrary file locations. This could be exploited to overwrite critical... Read more

    Affected Products : kiteworks
    • Published: Feb. 26, 2026
    • Modified: Feb. 26, 2026
    • Vuln Type: Path Traversal

  • 7.1

    HIGH
    CVE-2026-28230

    SteVe is an open-source EV charging station management system. In versions up to and including 3.11.0, when a charger sends a StopTransaction message, SteVe looks up the transaction solely by transactionId (a sequential integer starting from 1) without ve... Read more

    Affected Products : steve
    • Published: Feb. 26, 2026
    • Modified: Feb. 26, 2026
    • Vuln Type: Authorization

  • 6.5

    MEDIUM
    CVE-2026-28226

    Phishing Club is a phishing simulation and man-in-the-middle framework. Prior to version 1.30.2, an authenticated SQL injection vulnerability exists in the GetOrphaned recipient listing endpoint in versions prior to v1.30.2. The endpoint constructs a raw ... Read more

    Affected Products :
    • Published: Feb. 26, 2026
    • Modified: Feb. 26, 2026
    • Vuln Type: Injection
Showing 20 of 4960 Results