Latest CVE Vulnerabilities

7.2 HIGH

CVE-2026-33503 — Ory Kratos has a SQL injection via forged pagination tokens

Ory Kratos is an identity, user management and authentication system for cloud services. Prior to version 26.2.0, the ListCourierMessages Admin API in Ory Kratos is vulnerable to SQL injection due to…

kratos | Remote | Injection

Mar 26, 2026 Apr 17, 2026

Mar 26, 2026

Apr 17, 2026

8.1 HIGH

CVE-2026-33496 — Ory Oathkeeper has an authentication bypass by cache key confusion

ORY Oathkeeper is an Identity & Access Proxy (IAP) and Access Control Decision API that authorizes HTTP requests based on sets of Access Rules. Versions prior to 26.2.0 are vulnerable to authenticat…

oathkeeper | Remote | Authentication

Mar 26, 2026 Apr 07, 2026

Mar 26, 2026

Apr 07, 2026

6.5 MEDIUM

CVE-2026-33495 — Ory Oathkeeper has an authentication bypass by usage of untrusted header

ORY Oathkeeper is an Identity & Access Proxy (IAP) and Access Control Decision API that authorizes HTTP requests based on sets of Access Rules. Ory Oathkeeper is often deployed behind other component…

oathkeeper | Remote | Misconfiguration

Mar 26, 2026 Apr 02, 2026

Mar 26, 2026

Apr 02, 2026

10.0 CRITICAL

CVE-2026-33494 — Ory Oathkeeper has a path traversal authorization bypass

ORY Oathkeeper is an Identity & Access Proxy (IAP) and Access Control Decision API that authorizes HTTP requests based on sets of Access Rules. Versions prior to 26.2.0 are vulnerable to an authoriza…

oathkeeper | Remote | Path Traversal

Mar 26, 2026 Apr 07, 2026

Mar 26, 2026

Apr 07, 2026

5.3 MEDIUM

CVE-2026-33490 — h3: Missing Path Segment Boundary Check in `mount()` Causes Middleware Execution on Unrel…

H3 is a minimal H(TTP) framework. In versions 2.0.0-0 through 2.0.1-rc.16, the `mount()` method in h3 uses a simple `startsWith()` check to determine whether incoming requests fall under a mounted su…

h3 | Remote | Authorization

Mar 26, 2026 Mar 31, 2026

Mar 26, 2026

Mar 31, 2026

7.5 HIGH

CVE-2026-33487 — goxmldsig has validateSignature Loop Variable Capture Signature Bypass

goxmlsig provides XML Digital Signatures implemented in Go. Prior to version 1.6.0, the `validateSignature` function in `validate.go` goes through the references in the `SignedInfo` block to find one…

goxmldsig | Remote | Misconfiguration

Mar 26, 2026 Apr 20, 2026

Mar 26, 2026

Apr 20, 2026

6.8 MEDIUM

CVE-2026-33486 — Roadiz has Server-Side Request Forgery (SSRF) in roadiz/documents

Roadiz is a polymorphic content management system based on a node system that can handle many types of services. A vulnerability in roadiz/documents prior to versions 2.7.9, 2.6.28, 2.5.44, and 2.3.4…

core-bundle-dev-app | Remote | Path Traversal

Mar 26, 2026 Mar 31, 2026

Mar 26, 2026

Mar 31, 2026

5.3 MEDIUM

CVE-2026-33481 — Syft improper temporary file cleanup

Syft is a a CLI tool and Go library for generating a Software Bill of Materials (SBOM) from container images and filesystems. Syft versions before v1.42.3 would not properly cleanup temporary storage…

syft | Remote | Misconfiguration

Mar 26, 2026 Mar 31, 2026

Mar 26, 2026

Mar 31, 2026

4.3 MEDIUM

CVE-2026-33477 — FileRise has incorrect authorization in /api/file/snippet.php allows read_own users to re…

FileRise is a self-hosted web-based file manager with multi-file upload, editing, and batch operations. In versiosn 2.3.7 through 3.10.0, the file snippet endpoint `/api/file/snippet.php` allows an a…

filerise | Remote | Authorization

Mar 26, 2026 Mar 31, 2026

Mar 26, 2026

Mar 31, 2026

8.6 HIGH

CVE-2026-32857 — Firecrawl Playwright Service SSRF Protection Bypass via Missing Post-Redirect Validation

Firecrawl version 2.8.0 and prior contain a server-side request forgery (SSRF) protection bypass vulnerability in the Playwright scraping service where network policy validation is applied only to th…

Remote | Server-Side Request Forgery

Mar 26, 2026 Mar 30, 2026

Mar 26, 2026

Mar 30, 2026

Browse by Apps

Latest CVE Feed

Cookie Preferences