Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
CVE Intelligence

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

All Critical Actively Exploited Remotely Exploitable
Last Updated Published CVSS Score
Score
Vulnerability
Published
8.8 HIGH
CVE-2026-41421 — SiYuan Desktop Notification XSS Leads to Electron RCE

SiYuan is an open-source personal knowledge management system. Prior to 3.6.5, SiYuan desktop renders notification messages as raw HTML inside an Electron renderer. The notification route POST /api/n…

siyuan | Cross-Site Scripting
Apr 24, 2026 Apr 25, 2026
Apr 24, 2026
Apr 25, 2026
7.6 HIGH
CVE-2026-41419 — 4ga Boards: Import Path Traversal Leads to Arbitrary File Read

4ga Boards is a boards system for realtime project management. Prior to 3.3.5, a path traversal vulnerability allows an authenticated user with board import privileges to make the server ingest arbit…

Remote | Path Traversal
Apr 24, 2026 Apr 24, 2026
Apr 24, 2026
Apr 24, 2026
5.3 MEDIUM
CVE-2026-41418 — 4ga Boards: User Enumeration via Timing Side-Channel in Authentication Endpoint

4ga Boards is a boards system for realtime project management. Prior to 3.3.5, 4ga Boards is vulnerable to user enumeration via a timing side-channel in the login endpoint (POST /api/access-tokens). …

Remote | Authentication
Apr 24, 2026 Apr 24, 2026
Apr 24, 2026
Apr 24, 2026
8.1 HIGH
CVE-2026-41416 — PJSIP: Asymmetric ptime integer overflow in Media Stream

PJSIP is a free and open source multimedia communication library written in C. In 2.16 and earlier, there is an integer overflow in media stream buffer size calculation when processing SDP with asymm…

pjsip | Remote | Memory Corruption
Apr 24, 2026 Apr 24, 2026
Apr 24, 2026
Apr 24, 2026
6.7 MEDIUM
CVE-2026-41415 — PJSIP: SIP Multipart CID URI Length Underflow

PJSIP is a free and open source multimedia communication library written in C. In 2.16 and earlier, there is an out-of-bounds read when parsing a malformed Content-ID URI in SIP multipart message bod…

pjsip | Remote | Memory Corruption
Apr 24, 2026 Apr 24, 2026
Apr 24, 2026
Apr 24, 2026
7.4 HIGH
CVE-2026-41414 — Skim: Arbitrary code execution via pull_request_target fork checkout in pr.yml

Skim is a fuzzy finder designed to through files, lines, and commands. The generate-files job in .github/workflows/pr.yml checks out attacker-controlled fork code and executes it via cargo run, with …

Remote | Supply Chain
Apr 24, 2026 Apr 24, 2026
Apr 24, 2026
Apr 24, 2026
9.1 CRITICAL
CVE-2026-41328 — Dgraph: Pre-Auth Full Database Exfiltration via DQL Injection in NQuad Lang Field

Dgraph is an open source distributed GraphQL database. Prior to 25.3.3, a vulnerability has been found in Dgraph that gives an unauthenticated attacker full read access to every piece of data in the …

dgraph | Remote | Injection
Apr 24, 2026 Apr 24, 2026
Apr 24, 2026
Apr 24, 2026
9.1 CRITICAL
CVE-2026-41327 — Dgraph: Pre-Auth Full Database Exfiltration via DQL Injection in Upsert Condition Field

Dgraph is an open source distributed GraphQL database. Prior to 25.3.3, a vulnerability has been found in Dgraph that gives an unauthenticated attacker full read access to every piece of data in the …

dgraph | Remote | Injection
Apr 24, 2026 Apr 24, 2026
Apr 24, 2026
Apr 24, 2026
8.2 HIGH
CVE-2026-41326 — Kata Containers: CopyFile Policy Subversion via Symlinks

Kata Containers is an open source project focusing on a standard implementation of lightweight Virtual Machines (VMs) that perform like containers. From v3.4.0 to v3.28.0, an oversight in the CopyFil…

kata_containers | Path Traversal
Apr 24, 2026 Apr 24, 2026
Apr 24, 2026
Apr 24, 2026
7.5 HIGH
CVE-2026-33666 — Zserio: Integer Overflow in BitStreamReader on 32-bit platforms

Zserio is a framework for serializing structured data with a compact and efficient way with low overhead. Prior to 2.18.1, in BitStreamReader.h readBytes() / readString(), the setBitPosition() bounds…

Remote | Memory Corruption
Apr 24, 2026 Apr 24, 2026
Apr 24, 2026
Apr 24, 2026
7.5 HIGH
CVE-2026-33662 — OP-TEE: RSASSA EMSA- PKCS1-v1_5 underflow in emsa_pkcs1_v1_5_encode()

OP-TEE is a Trusted Execution Environment (TEE) designed as companion to a non-secure Linux kernel running on Arm; Cortex-A cores using the TrustZone technology. From 3.8.0 to 4.10, in the function e…

op-tee_os | Remote | Memory Corruption
Apr 24, 2026 Apr 24, 2026
Apr 24, 2026
Apr 24, 2026
7.5 HIGH
CVE-2026-33524 — Zserio: Integer Overflow in BitStreamReader and Unbounded Memory Allocation in Deserializ…

Zserio is a framework for serializing structured data with a compact and efficient way with low overhead. Prior to 2.18.1, a crafted payload as small as 4-5 bytes can force memory allocations of up t…

Remote | Memory Corruption
Apr 24, 2026 Apr 24, 2026
Apr 24, 2026
Apr 24, 2026
6.5 MEDIUM
CVE-2026-42044 — Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget in `parseReviver`

Axios is a promise based HTTP client for the browser and Node.js. From 1.0.0 to before 1.15.2, he Axios library is vulnerable to a Prototype Pollution "Gadget" attack that allows any Object.prototype…

axios | Remote | Injection
Apr 24, 2026 Apr 24, 2026
Apr 24, 2026
Apr 24, 2026
7.2 HIGH
CVE-2026-42043 — Axios: Incomplete Fix for CVE-2025-62718 — NO_PROXY Protection Bypassed via RFC 1122 Loo…

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, an attacker who can influence the target URL of an Axios request can use any address in the 127.0.0.0/8 r…

axios | Remote | Server-Side Request Forgery
Apr 24, 2026 Apr 24, 2026
Apr 24, 2026
Apr 24, 2026
5.4 MEDIUM
CVE-2026-42042 — Axios: XSRF Token Cross-Origin Leakage via Prototype Pollution Gadget in `withXSRFToken` …

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, the Axios library's XSRF token protection logic uses JavaScript truthy/falsy semantics instead of strict …

axios | Remote | Cross-Site Request Forgery
Apr 24, 2026 Apr 24, 2026
Apr 24, 2026
Apr 24, 2026
4.8 MEDIUM
CVE-2026-42041 — Axios: Authentication Bypass via Prototype Pollution Gadget in `validateStatus` Merge Str…

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, the Axios library is vulnerable to a Prototype Pollution "Gadget" attack that allows any Object.prototype…

axios | Remote | Misconfiguration
Apr 24, 2026 Apr 24, 2026
Apr 24, 2026
Apr 24, 2026
3.7 LOW
CVE-2026-42040 — Axios: Null Byte Injection via Reverse-Encoding in AxiosURLSearchParams

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, the encode() function in lib/helpers/AxiosURLSearchParams.js contains a character mapping (charMap) at li…

axios | Remote | Injection
Apr 24, 2026 Apr 24, 2026
Apr 24, 2026
Apr 24, 2026
6.9 MEDIUM
CVE-2026-42039 — Axios: unbounded recursion in toFormData causes DoS via deeply nested request data

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, toFormData recursively walks nested objects with no depth limit, so a deeply nested value passed as reque…

axios | Remote | Denial of Service
Apr 24, 2026 Apr 24, 2026
Apr 24, 2026
Apr 24, 2026
6.8 MEDIUM
CVE-2026-42038 — Axios: no_proxy bypass via IP alias allows SSRF

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, he fix for no_proxy hostname normalization bypass is incomplete. When no_proxy=localhost is set, requests…

axios | Remote | Misconfiguration
Apr 24, 2026 Apr 24, 2026
Apr 24, 2026
Apr 24, 2026
5.3 MEDIUM
CVE-2026-42037 — Axios: CRLF Injection in multipart/form-data body via unsanitized blob.type in formDataTo…

Axios is a promise based HTTP client for the browser and Node.js. From 1.0.0 to before 1.15.1, the FormDataPart constructor in lib/helpers/formDataToStream.js interpolates value.type directly into th…

axios | Remote | Injection
Apr 24, 2026 Apr 24, 2026
Apr 24, 2026
Apr 24, 2026
Showing 20 of 5983 Results