Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
CVE Intelligence

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

All Critical Actively Exploited Remotely Exploitable
Last Updated Published CVSS Score
Score
Vulnerability
Published
7.5 HIGH
CVE-2026-27282 — ColdFusion | Improper Input Validation (CWE-20)

ColdFusion versions 2023.18, 2025.6 and earlier are affected by an Improper Input Validation vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerabilit…

Remote | Authentication
Apr 14, 2026 Apr 14, 2026
Apr 14, 2026
Apr 14, 2026
5.3 MEDIUM
CVE-2025-15565 — Nexi XPay <= 8.3.0 - Missing Authorization to Unauthenticated Order Status Modification

The Nexi XPay plugin for WordPress is vulnerable to unauthorized modification of data due to missing authorization checks on the redirect function in all versions up to, and including, 8.3.0. This ma…

Remote | Authorization
Apr 14, 2026 Apr 14, 2026
Apr 14, 2026
Apr 14, 2026
0.0 NA
CVE-2026-34454 — OAuth2 Proxy: Session cookie not cleared when rendering sign-in page

OAuth2 Proxy is a reverse proxy that provides authentication using OAuth2 providers. A regression introduced in 7.11.0 prevents OAuth2 Proxy from clearing the session cookie when rendering the sign-i…

| Authentication
Apr 14, 2026 Apr 14, 2026
Apr 14, 2026
Apr 14, 2026
0.0 NA
CVE-2026-33023 — libsixel: Use-after-free in load_with_gdkpixbuf()

libsixel is a SIXEL encoder/decoder implementation derived from kmiya's sixel. In versions 1.8.7 and prior, when built with the --with-gdk-pixbuf2 option, a use-after-free vulnerability exists in loa…

| Memory Corruption
Apr 14, 2026 Apr 14, 2026
Apr 14, 2026
Apr 14, 2026
0.0 NA
CVE-2026-33021 — libsixel: Use-after-free in sixel_encoder_encode_bytes()

libsixel is a SIXEL encoder/decoder implementation derived from kmiya's sixel. Versions 1.8.7 and prior contain a use-after-free vulnerability in sixel_encoder_encode_bytes() because sixel_frame_init…

| Memory Corruption
Apr 14, 2026 Apr 14, 2026
Apr 14, 2026
Apr 14, 2026
5.1 MEDIUM
CVE-2026-34161 — Chamilo LMS: Stored XSS via Malicious File Upload in Social Post Attachments Leads to Arb…

Chamilo LMS is an open-source learning management system. In versions prior to 2.0.0-RC.3, a Stored Cross-Site Scripting (XSS) vulnerability exists in the social post attachment upload functionality,…

Remote | Cross-Site Scripting
Apr 14, 2026 Apr 14, 2026
Apr 14, 2026
Apr 14, 2026
8.6 HIGH
CVE-2026-34160 — Chamilo LMS: Unauthenticated SSRF via PENS Plugin allows attacker to probe internal netwo…

Chamilo LMS is an open-source learning management system. In versions prior to 2.0.0-RC.3, the PENS (Package Exchange Notification Services) plugin endpoint at public/plugin/Pens/pens.php is accessib…

Remote | Server-Side Request Forgery
Apr 14, 2026 Apr 14, 2026
Apr 14, 2026
Apr 14, 2026
7.2 HIGH
CVE-2026-33715 — Chamilo LMS has Unauthenticated SSRF and Open Email Relay via install.ajax.php test_maile…

Chamilo LMS is an open-source learning management system. In version 2.0-RC.2, the file public/main/inc/ajax/install.ajax.php is accessible without authentication on fully installed instances because…

Remote | Server-Side Request Forgery
Apr 14, 2026 Apr 14, 2026
Apr 14, 2026
Apr 14, 2026
7.1 HIGH
CVE-2026-33714 — Chamilo LMS has Authenticated SQL Injection in statistics.ajax.php users_active action (2…

Chamilo is an open-source learning management system (LMS). Version 2.0.0-RC.2 contains a SQL Injection vulnerability in the statistics AJAX endpoint, which is an incomplete fix for CVE-2026-30881. W…

Remote | Injection
Apr 14, 2026 Apr 14, 2026
Apr 14, 2026
Apr 14, 2026
7.8 HIGH
CVE-2026-27287 — InCopy | Out-of-bounds Read (CWE-125)

InCopy versions 20.5.2, 21.2 and earlier are affected by an out-of-bounds read vulnerability when parsing a crafted file, which could result in a read past the end of an allocated memory structure. A…

| Memory Corruption
Apr 14, 2026 Apr 14, 2026
Apr 14, 2026
Apr 14, 2026
4.8 MEDIUM
CVE-2026-25133 — October CMS has Stored XSS via SVG Filter Bypass

October is a Content Management System (CMS) and web platform. Versions prior to 3.7.14 and 4.1.10 contain a stored cross-site scripting (XSS) vulnerability in the SVG sanitization logic. The regex p…

Remote | Cross-Site Scripting
Apr 14, 2026 Apr 14, 2026
Apr 14, 2026
Apr 14, 2026
4.9 MEDIUM
CVE-2026-25125 — October CMS: Environment Variable Exfiltration via INI Parser Interpolation

October is a Content Management System (CMS) and web platform. Versions prior to 3.7.14 and 4.1.10 contain a server-side information disclosure vulnerability in the INI settings parser. Because PHP's…

Remote | Information Disclosure
Apr 14, 2026 Apr 14, 2026
Apr 14, 2026
Apr 14, 2026
8.8 HIGH
CVE-2026-24893 — openITCOCKPIT has Authenticated Command Injection Leading to Remote Code Execution via Ho…

openITCOCKPIT is an open source monitoring tool built for different monitoring engines. openITCOCKPIT Community Edition prior to version 5.5.2 contains a command injection vulnerability that allows a…

Remote | Injection
Apr 14, 2026 Apr 14, 2026
Apr 14, 2026
Apr 14, 2026
7.7 HIGH
CVE-2026-40683 — OpenStack Keystone LDAP Authentication Bypass

In OpenStack Keystone before 28.0.1, the LDAP identity backend does not convert the user enabled attribute to a boolean when the user_enabled_invert configuration option is False (the default). The _…

Remote | Authentication
Apr 14, 2026 Apr 14, 2026
Apr 14, 2026
Apr 14, 2026
7.8 HIGH
CVE-2026-34630 — Bridge | Heap-based Buffer Overflow (CWE-122)

Bridge versions 16.0.2, 15.1.4 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of…

| Memory Corruption
Apr 14, 2026 Apr 14, 2026
Apr 14, 2026
Apr 14, 2026
7.8 HIGH
CVE-2026-34618 — Illustrator | Out-of-bounds Write (CWE-787)

Illustrator versions 30.2, 29.8.5 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of th…

| Memory Corruption
Apr 14, 2026 Apr 14, 2026
Apr 14, 2026
Apr 14, 2026
7.8 HIGH
CVE-2026-27313 — Bridge | Heap-based Buffer Overflow (CWE-122)

Bridge versions 16.0.2, 15.1.4 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of…

| Memory Corruption
Apr 14, 2026 Apr 14, 2026
Apr 14, 2026
Apr 14, 2026
7.8 HIGH
CVE-2026-27312 — Bridge | Heap-based Buffer Overflow (CWE-122)

Bridge versions 16.0.2, 15.1.4 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of…

| Memory Corruption
Apr 14, 2026 Apr 14, 2026
Apr 14, 2026
Apr 14, 2026
7.8 HIGH
CVE-2026-27311 — Bridge | Heap-based Buffer Overflow (CWE-122)

Bridge versions 16.0.2, 15.1.4 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of…

| Memory Corruption
Apr 14, 2026 Apr 14, 2026
Apr 14, 2026
Apr 14, 2026
7.8 HIGH
CVE-2026-27310 — Bridge | Heap-based Buffer Overflow (CWE-122)

Bridge versions 16.0.2, 15.1.4 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of…

| Memory Corruption
Apr 14, 2026 Apr 14, 2026
Apr 14, 2026
Apr 14, 2026
Showing 20 of 6616 Results