Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
CVE Intelligence

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

All Critical Actively Exploited Remotely Exploitable
Last Updated Published CVSS Score
Score
Vulnerability
Published
6.5 MEDIUM
CVE-2026-34370 — Chamilo LMS: IDOR in the Notebook Module allows an attacker to view other users' private …

Chamilo LMS is an open-source learning management system. In versions prior to 2.0.0-RC.3, the notebook module contains an Insecure Direct Object Reference (IDOR) vulnerability that allows any authen…

Remote | Authorization
Apr 14, 2026 Apr 14, 2026
Apr 14, 2026
Apr 14, 2026
5.4 MEDIUM
CVE-2026-34213 — Docmost has cross-page attachment overwrite via flawed attachmentId overwrite validation

Docmost is open-source collaborative wiki and documentation software. Starting in version 0.3.0 and prior to version 0.71.0, improper authorization in Docmost allows a low-privileged authenticated us…

Remote | Authorization
Apr 14, 2026 Apr 14, 2026
Apr 14, 2026
Apr 14, 2026
5.4 MEDIUM
CVE-2026-34212 — Docmost page content has stored XSS via unsanitized attachment URLs

Docmost is open-source collaborative wiki and documentation software. In versions prior to 0.71.0, improper neutralization of attachment URLs in Docmost allows a low-privileged authenticated user to …

Remote | Cross-Site Scripting
Apr 14, 2026 Apr 14, 2026
Apr 14, 2026
Apr 14, 2026
4.6 MEDIUM
CVE-2026-33193 — Docmost vulnerable to stored XSS via MIME type spoofing

Docmost is open-source collaborative wiki and documentation software. Versions prior to 0.70.0 are vulnerable to a stored cross-site scripting (XSS) attack due to improper handling of MIME type spoof…

Remote | Cross-Site Scripting
Apr 14, 2026 Apr 14, 2026
Apr 14, 2026
Apr 14, 2026
4.3 MEDIUM
CVE-2026-33146 — Docmost's Public Share Search Exposes Metadata of Restricted Children

Docmost is open-source collaborative wiki and documentation software. An authorization bypass vulnerability in versions 0.70.0 through 0.70.2 exposes restricted child page titles and text snippets th…

Remote | Authorization
Apr 14, 2026 Apr 14, 2026
Apr 14, 2026
Apr 14, 2026
7.1 HIGH
CVE-2026-33020 — libsixel: Integer Overflow in write_png_to_file() leads to Heap-based Buffer Overflow

libsixel is a SIXEL encoder/decoder implementation derived from kmiya's sixel. Versions 1.8.7 and prior contain an integer overflow which leads to a heap buffer overflow via sixel_frame_convert_to_rg…

| Memory Corruption
Apr 14, 2026 Apr 14, 2026
Apr 14, 2026
Apr 14, 2026
7.1 HIGH
CVE-2026-33019 — libsixel: Integer overflow leads to Out-of-bounds Read in img2sixel

libsixel is a SIXEL encoder/decoder implementation derived from kmiya's sixel. Versions 1.8.7 and prior contain an integer overflow leading to an out-of-bounds heap read in the --crop option handling…

| Memory Corruption
Apr 14, 2026 Apr 14, 2026
Apr 14, 2026
Apr 14, 2026
7.0 HIGH
CVE-2026-33018 — libsixel: Use-After-Free in load_gif()

libsixel is a SIXEL encoder/decoder implementation derived from kmiya's sixel. Versions 1.8.7 and prior contain a Use-After-Free vulnerability via the load_gif() function in fromgif.c, where a single…

| Memory Corruption
Apr 14, 2026 Apr 14, 2026
Apr 14, 2026
Apr 14, 2026
2.4 LOW
CVE-2026-27308 — ColdFusion | Uncontrolled Resource Consumption (CWE-400)

ColdFusion versions 2023.18, 2025.6 and earlier are affected by an Uncontrolled Resource Consumption vulnerability that could lead to application denial-of-service. A high-privileged attacker could e…

| Denial of Service
Apr 14, 2026 Apr 14, 2026
Apr 14, 2026
Apr 14, 2026
2.4 LOW
CVE-2026-27307 — ColdFusion | Uncontrolled Resource Consumption (CWE-400)

ColdFusion versions 2023.18, 2025.6 and earlier are affected by an Uncontrolled Resource Consumption vulnerability that could lead to application denial-of-service. A high-privileged attacker could e…

| Denial of Service
Apr 14, 2026 Apr 14, 2026
Apr 14, 2026
Apr 14, 2026
8.4 HIGH
CVE-2026-27306 — ColdFusion | Improper Input Validation (CWE-20)

ColdFusion versions 2023.18, 2025.6 and earlier are affected by an Improper Input Validation vulnerability that could result in arbitrary code execution in the context of the current user. Attacker r…

| Injection
Apr 14, 2026 Apr 14, 2026
Apr 14, 2026
Apr 14, 2026
8.6 HIGH
CVE-2026-27305 — ColdFusion | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal…

ColdFusion versions 2023.18, 2025.6 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could lead to arbitrary file syste…

Remote | Path Traversal
Apr 14, 2026 Apr 14, 2026
Apr 14, 2026
Apr 14, 2026
9.3 CRITICAL
CVE-2026-27304 — ColdFusion | Improper Input Validation (CWE-20)

ColdFusion versions 2023.18, 2025.6 and earlier are affected by an Improper Input Validation vulnerability that could result in arbitrary code execution in the context of the current user. Exploitati…

| Injection
Apr 14, 2026 Apr 14, 2026
Apr 14, 2026
Apr 14, 2026
7.5 HIGH
CVE-2026-27282 — ColdFusion | Improper Input Validation (CWE-20)

ColdFusion versions 2023.18, 2025.6 and earlier are affected by an Improper Input Validation vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerabilit…

Remote | Authentication
Apr 14, 2026 Apr 14, 2026
Apr 14, 2026
Apr 14, 2026
5.3 MEDIUM
CVE-2025-15565 — Nexi XPay <= 8.3.0 - Missing Authorization to Unauthenticated Order Status Modification

The Nexi XPay plugin for WordPress is vulnerable to unauthorized modification of data due to missing authorization checks on the redirect function in all versions up to, and including, 8.3.0. This ma…

Remote | Authorization
Apr 14, 2026 Apr 14, 2026
Apr 14, 2026
Apr 14, 2026
5.1 MEDIUM
CVE-2026-34161 — Chamilo LMS: Stored XSS via Malicious File Upload in Social Post Attachments Leads to Arb…

Chamilo LMS is an open-source learning management system. In versions prior to 2.0.0-RC.3, a Stored Cross-Site Scripting (XSS) vulnerability exists in the social post attachment upload functionality,…

Remote | Cross-Site Scripting
Apr 14, 2026 Apr 14, 2026
Apr 14, 2026
Apr 14, 2026
8.6 HIGH
CVE-2026-34160 — Chamilo LMS: Unauthenticated SSRF via PENS Plugin allows attacker to probe internal netwo…

Chamilo LMS is an open-source learning management system. In versions prior to 2.0.0-RC.3, the PENS (Package Exchange Notification Services) plugin endpoint at public/plugin/Pens/pens.php is accessib…

Remote | Server-Side Request Forgery
Apr 14, 2026 Apr 14, 2026
Apr 14, 2026
Apr 14, 2026
7.2 HIGH
CVE-2026-33715 — Chamilo LMS has Unauthenticated SSRF and Open Email Relay via install.ajax.php test_maile…

Chamilo LMS is an open-source learning management system. In version 2.0-RC.2, the file public/main/inc/ajax/install.ajax.php is accessible without authentication on fully installed instances because…

Remote | Server-Side Request Forgery
Apr 14, 2026 Apr 14, 2026
Apr 14, 2026
Apr 14, 2026
7.1 HIGH
CVE-2026-33714 — Chamilo LMS has Authenticated SQL Injection in statistics.ajax.php users_active action (2…

Chamilo is an open-source learning management system (LMS). Version 2.0.0-RC.2 contains a SQL Injection vulnerability in the statistics AJAX endpoint, which is an incomplete fix for CVE-2026-30881. W…

Remote | Injection
Apr 14, 2026 Apr 14, 2026
Apr 14, 2026
Apr 14, 2026
7.8 HIGH
CVE-2026-27287 — InCopy | Out-of-bounds Read (CWE-125)

InCopy versions 20.5.2, 21.2 and earlier are affected by an out-of-bounds read vulnerability when parsing a crafted file, which could result in a read past the end of an allocated memory structure. A…

| Memory Corruption
Apr 14, 2026 Apr 14, 2026
Apr 14, 2026
Apr 14, 2026
Showing 20 of 6646 Results