Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
CVE Intelligence

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

All Critical Actively Exploited Remotely Exploitable
Last Updated Published CVSS Score
Score
Vulnerability
Published
8.9 HIGH
CVE-2026-33078 — Roxy-WI has SQL Injection in haproxy_section_save Endpoint via Unsanitized server_ip Para…

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Versions prior to 8.2.6.4 have a SQL injection vulnerability in the haproxy_section_save function in app/routes/…

roxy-wi | Remote | Injection
Apr 24, 2026 Apr 24, 2026
Apr 24, 2026
Apr 24, 2026
7.7 HIGH
CVE-2026-33077 — Roxy-WI has an arbitrary file read vulnerability

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Prior to version 8.2.6.4, the oldconfig parameter in the haproxy_section_save interface has an arbitrary file re…

roxy-wi | Remote | Path Traversal
Apr 24, 2026 Apr 25, 2026
Apr 24, 2026
Apr 25, 2026
8.9 HIGH
CVE-2026-33076 — Roxy-WI vulnerable to path traversal and arbitrary file writing

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Prior to version 8.2.6.4, the haproxy_section_save interface presents a vulnerability that could lead to remote …

roxy-wi | Remote | Path Traversal
Apr 24, 2026 Apr 24, 2026
Apr 24, 2026
Apr 24, 2026
5.3 MEDIUM
CVE-2026-32952 — go-ntlmssp NTLM challenges can panic on malformed payloads

go-ntlmssp is a Go package that provides NTLM/Negotiate authentication over HTTP. Prior to version 0.1.1, a malicious NTLM challenge message can causes an slice out of bounds panic, which can crash a…

Remote | Memory Corruption
Apr 24, 2026 Apr 24, 2026
Apr 24, 2026
Apr 24, 2026
7.1 HIGH
CVE-2026-41325 — Kirby is vulnerable to authorization bypass during page, file and user creation via bluep…

Kirby is an open-source content management system. Kirby's user permissions control which user role is allowed to perform specific actions to content models in the CMS. These permissions are defined …

kirby | Remote | Authorization
Apr 24, 2026 Apr 24, 2026
Apr 24, 2026
Apr 24, 2026
5.3 MEDIUM
CVE-2026-40099 — Kirby's page creation API bypasses the changeStatus permission check via unfiltered isDra…

Kirby is an open-source content management system. Kirby's user permissions control which user role is allowed to perform specific actions to content models in the CMS. These permissions are defined …

kirby | Remote | Authorization
Apr 24, 2026 Apr 24, 2026
Apr 24, 2026
Apr 24, 2026
7.6 HIGH
CVE-2026-34587 — Kirby has Server-Side Template Injection (SSTI) via double template resolution in option …

Kirby is an open-source content management system. Prior to versions 4.9.0 and 5.4.0, Kirby's user permissions control which user role is allowed to perform specific actions to content models in the …

kirby | Remote | Authorization
Apr 24, 2026 Apr 24, 2026
Apr 24, 2026
Apr 24, 2026
6.9 MEDIUM
CVE-2026-32870 — Kirby has XML injection in its XML creator toolkit

Kirby is an open-source content management system. Kirby's `Xml::value()` method has special handling for `<![CDATA[ ]]>` blocks. If the input value is already valid `CDATA`, it is not escaped a seco…

kirby | Remote | XML External Entity
Apr 24, 2026 Apr 24, 2026
Apr 24, 2026
Apr 24, 2026
4.3 MEDIUM
CVE-2026-31956 — Xibo CMS has Preview and SavedReport IDOR via disableUserCheck without controller-level a…

Xibo is an open source digital signage platform with a web content management system and Windows display player software. Prior to version 4.4.1, any authenticated user can manually construct a URL t…

xibo | Remote | Authorization
Apr 24, 2026 Apr 24, 2026
Apr 24, 2026
Apr 24, 2026
4.9 MEDIUM
CVE-2026-31955 — Xibo CMS has Authenticated Server-Side Request Forgery (SSRF) in Remote DataSet Functiona…

Xibo is an open source digital signage platform with a web content management system and Windows display player software. An authenticated Server-Side Request Forgery (SSRF) vulnerability in versions…

xibo | Remote | Server-Side Request Forgery
Apr 24, 2026 Apr 24, 2026
Apr 24, 2026
Apr 24, 2026
6.4 MEDIUM
CVE-2026-31953 — Xibo CMS has Stored XSS via Notification Body with Zero-Click Execution on Login

Xibo is an open source digital signage platform with a web content management system and Windows display player software. A stored Cross-Site Scripting (XSS) vulnerability in versions prior to 4.4.1 …

xibo | Remote | Cross-Site Scripting
Apr 24, 2026 Apr 24, 2026
Apr 24, 2026
Apr 24, 2026
9.8 CRITICAL
CVE-2026-40630 — SenseLive X3050 Authentication bypass using an alternate path or channel

A vulnerability in  SenseLive X3050’s web management interface allows unauthorized access to certain configuration endpoints due to improper access control enforcement. An attacker with network acc…

Remote | Authorization
Apr 24, 2026 Apr 24, 2026
Apr 24, 2026
Apr 24, 2026
8.1 HIGH
CVE-2026-40623 — SenseLive X3050 Missing Authorization

A vulnerability in SenseLive X3050's web management interface allows critical system and network configuration parameters to be modified without sufficient validation and safety controls. Due to inad…

Remote | Misconfiguration
Apr 24, 2026 Apr 24, 2026
Apr 24, 2026
Apr 24, 2026
9.8 CRITICAL
CVE-2026-40620 — SenseLive X3050 Missing authentication for critical function

A vulnerability in SenseLive X3050’s embedded management service allows full administrative control to be established without any form of authentication or authorization on the SenseLive config appli…

Remote | Authentication
Apr 24, 2026 Apr 24, 2026
Apr 24, 2026
Apr 24, 2026
6.9 MEDIUM
CVE-2026-40431 — SenseLive X3050 Cleartext transmission of sensitive information

A vulnerability exists in SenseLive X3050’s web management interface due to its reliance on unencrypted HTTP for all administrative communication. Because management traffic, including authentication…

Remote | Misconfiguration
Apr 24, 2026 Apr 24, 2026
Apr 24, 2026
Apr 24, 2026
9.3 CRITICAL
CVE-2026-39462 — SenseLive X3050 Insufficiently Protected Credentials

A vulnerability exists in SenseLive X3050’s web management interface in which password updates are not reliably applied due to improper handling of credential changes on the backend. After the device…

Remote | Authentication
Apr 24, 2026 Apr 24, 2026
Apr 24, 2026
Apr 24, 2026
9.8 CRITICAL
CVE-2026-35503 — SenseLive X3050 Use of Hard-coded Credentials

A vulnerability in SenseLive X3050’s web management interface allows authentication logic to be performed entirely on the client side, relying on hardcoded values within browser-executed scripts rath…

Remote | Authentication
Apr 24, 2026 Apr 24, 2026
Apr 24, 2026
Apr 24, 2026
8.7 HIGH
CVE-2026-35064 — SenseLive X3050 Missing authentication for critical function

A vulnerability in SenseLive X3050’s management ecosystem allows unauthenticated discovery of deployed units through the vendor’s management protocol, enabling identification of device presence, iden…

Remote | Information Disclosure
Apr 24, 2026 Apr 24, 2026
Apr 24, 2026
Apr 24, 2026
7.6 HIGH
CVE-2026-31952 — Xibo CMS API has SQL Injection via DataSet Filter Parameter

Xibo is an open source digital signage platform with a web content management system and Windows display player software. Versions 1.7 through 4.4.0 have an SQL injection vulnerability in the API rou…

xibo | Remote | Injection
Apr 24, 2026 Apr 24, 2026
Apr 24, 2026
Apr 24, 2026
4.3 MEDIUM
CVE-2026-29197 — Apache Apps Engine Log Information Disclosure Vulnerability

In versions <8.4.0, <8.3.2, <8.2.2, <8.1.3, <8.0.4, <7.13.6, <7.12.7, <7.11.7, and <7.10.10, the endpoints /api/apps/logs and /api/apps/:id/logs have a typo in the required permission check, allowing…

rocket.chat | Remote | Authorization
Apr 24, 2026 Apr 24, 2026
Apr 24, 2026
Apr 24, 2026
Showing 20 of 5915 Results