Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
CVE Intelligence

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

All Critical Actively Exploited Remotely Exploitable
Last Updated Published CVSS Score
Score
Vulnerability
Published
7.5 HIGH
CVE-2026-33281 — Ella Core panics on invalid PDU Session IDs in NGAP messages

Ella Core is a 5G core designed for private networks. Versions prior to 1.6.0 panic when processing NGAP messages with invalid PDU Session IDs outside of 1-15. An attacker able to send crafted NGAP m…

ella_core | Remote | Denial of Service
Mar 24, 2026 Mar 24, 2026
Mar 24, 2026
Mar 24, 2026
7.1 HIGH
CVE-2026-33252 — MCP Go SDK Allows Cross-Site Tool Execution for HTTP Servers without Authorizatrion

The Go MCP SDK used Go's standard encoding/json. Prior to version 1.4.1, the Go SDK's Streamable HTTP transport accepted browser-generated cross-site `POST` requests without validating the `Origin` h…

mcp_go_sdk | Remote | Cross-Site Request Forgery
Mar 24, 2026 Apr 15, 2026
Mar 24, 2026
Apr 15, 2026
7.5 HIGH
CVE-2026-33250 — Crash when receiving specially-crafted packets

Freeciv21 is a free open source, turn-based, empire-building strategy game. Versions prior to 3.1.1 crash with a stack overflow when receiving specially-crafted packets. A remote attacker can use thi…

Remote | Denial of Service
Mar 24, 2026 Apr 15, 2026
Mar 24, 2026
Apr 15, 2026
7.5 HIGH
CVE-2026-33242 — Salvo has a Path Traversal in salvo-proxy::encode_url_path allows API Gateway Bypass

Salvo is a Rust web framework. Versions 0.39.0 through 0.89.2 have a Path Traversal and Access Control Bypass vulnerability in the salvo-proxy component. The vulnerability allows an unauthenticated e…

salvo | Remote | Path Traversal
Mar 24, 2026 Mar 24, 2026
Mar 24, 2026
Mar 24, 2026
8.7 HIGH
CVE-2026-33241 — Salvo Affected by Denial of Service via Unbounded Memory Allocation in Form Data Parsing

Salvo is a Rust web framework. Prior to version 0.89.3, Salvo's form data parsing implementations (`form_data()` method and `Extractible` macro) do not enforce payload size limits before reading requ…

salvo | Remote | Denial of Service
Mar 24, 2026 Mar 24, 2026
Mar 24, 2026
Mar 24, 2026
9.6 CRITICAL
CVE-2026-33211 — Tekton Pipelines git resolver has path traversal that allows reading arbitrary files from…

Tekton Pipelines project provides k8s-style resources for declaring CI/CD-style pipelines. Starting in version 1.0.0 and prior to versions 1.0.1, 1.3.3, 1.6.1, 1.9.2, and 1.10.2, the Tekton Pipelines…

tekton_pipelines | Remote | Path Traversal
Mar 24, 2026 Mar 26, 2026
Mar 24, 2026
Mar 26, 2026
9.1 CRITICAL
CVE-2026-33202 — Rails Active Storage has possible glob injection in its DiskService

Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, Active Storage's `DiskService#delete_prefixed` passes blob keys dir…

rails | Remote | Path Traversal
Mar 24, 2026 Mar 24, 2026
Mar 24, 2026
Mar 24, 2026
9.8 CRITICAL
CVE-2026-33195 — Rails Active Storage has possible Path Traversal in DiskService

Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, Active Storage's `DiskService#path_for` does not validate that the …

rails | Remote | Path Traversal
Mar 24, 2026 Mar 24, 2026
Mar 24, 2026
Mar 24, 2026
7.5 HIGH
CVE-2026-33176 — Rails Active Support has a possible DoS vulnerability in its number helpers

Active Support is a toolkit of support libraries and Ruby core extensions extracted from the Rails framework. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, Active Support number helpers accept str…

rails | Remote | Denial of Service
Mar 24, 2026 Mar 24, 2026
Mar 24, 2026
Mar 24, 2026
7.5 HIGH
CVE-2026-33174 — Rails Active Storage has a possible DoS vulnerability when in proxy mode via Range reques…

Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, when serving files through Active Storage's proxy delivery mode, th…

rails | Remote | Denial of Service
Mar 24, 2026 Mar 24, 2026
Mar 24, 2026
Mar 24, 2026
5.3 MEDIUM
CVE-2026-33173 — Rails Active Storage has possible content type bypass via metadata in direct uploads

Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, `DirectUploadsController` accepts arbitrary metadata from the clien…

rails | Remote | Misconfiguration
Mar 24, 2026 Mar 24, 2026
Mar 24, 2026
Mar 24, 2026
6.1 MEDIUM
CVE-2026-33170 — Rails Active Support has a possible XSS vulnerability in SafeBuffer#%

Active Support is a toolkit of support libraries and Ruby core extensions extracted from the Rails framework. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, `SafeBuffer#%` does not propagate the `@…

rails | Remote | Cross-Site Scripting
Mar 24, 2026 Mar 24, 2026
Mar 24, 2026
Mar 24, 2026
6.9 MEDIUM
CVE-2026-33169 — Rails Active Support has a possible ReDoS vulnerability in number_to_delimited

Active Support is a toolkit of support libraries and Ruby core extensions extracted from the Rails framework. `NumberToDelimitedConverter` uses a lookahead-based regular expression with `gsub!` to in…

rails | Remote | Denial of Service
Mar 24, 2026 Mar 24, 2026
Mar 24, 2026
Mar 24, 2026
Showing 20 of 6453 Results