Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
0.0 NA
CVE-2026-30847 — Wekan Credential Leak via notificationUsers Publication Exposes Password Hashes and Sessi…

Wekan is an open source kanban tool built with Meteor. In versions 8.31.0 through 8.33, the notificationUsers publication in Wekan publishes user documents with no field filtering, causing the Reacti…

| Information Disclosure
Mar 06, 2026 Mar 06, 2026
Mar 06, 2026
Mar 06, 2026
0.0 NA
CVE-2026-30846 — Wekan Exposes All Global Webhook Integrations through globalwebhooks Publication

Wekan is an open source kanban tool built with Meteor. In versions 8.31.0 through 8.33, the globalwebhooks publication exposes all global webhook integrations—including sensitive url and token fields…

| Information Disclosure
Mar 06, 2026 Mar 06, 2026
Mar 06, 2026
Mar 06, 2026
0.0 NA
CVE-2026-30845 — Wekan Exposes Sensitive Data through Lack of Field Filtering During Board Publication

Wekan is an open source kanban tool built with Meteor. In versions 8.31.0 through 8.33, the board composite publication in Wekan publishes all integration data for a board without any field filtering…

| Information Disclosure
Mar 06, 2026 Mar 06, 2026
Mar 06, 2026
Mar 06, 2026
0.0 NA
CVE-2026-30844 — Wekan Vulnerable to SSRF through Lack of Validation or Filtering in Attachment URL Loading

Wekan is an open source kanban tool built with Meteor. Versions 8.32 and 8.33 are vulnerable to Server-Side Request Forgery (SSRF) via attachment URL loading. During board import in Wekan, attachment…

| Server-Side Request Forgery
Mar 06, 2026 Mar 06, 2026
Mar 06, 2026
Mar 06, 2026
0.0 NA
CVE-2026-30843 — Wekan has Cross-Board IDOR in Custom Fields Update Endpoints

Wekan is an open source kanban tool built with Meteor. Versions 8.32 and 8.33 have a critical Insecure Direct Object Reference (IDOR) issue which could allow unauthorized users to modify custom field…

| Authorization
Mar 06, 2026 Mar 06, 2026
Mar 06, 2026
Mar 06, 2026
8.7 HIGH
CVE-2026-29063 — Immutable.js: Improperly Controlled Modification of Object Prototype Attributes ('Prototy…

Immutable.js provides many Persistent Immutable data structures. Prior to versions 3.8.3, 4.3.7, and 5.1.5, Prototype Pollution is possible in immutable via the mergeDeep(), mergeDeepWith(), merge(),…

Remote | Misconfiguration
Mar 06, 2026 Mar 06, 2026
Mar 06, 2026
Mar 06, 2026
0.0 NA
CVE-2025-69653 — "QuickJS Denial-of-Service Vulnerability"

A crafted JavaScript input can trigger an internal assertion failure in QuickJS release 2025-09-13, fixed in commit 1dbba8a88eaa40d15a8a9b70bb1a0b8fb5b552e6 (2025-12-11), in file gc_decref_child in q…

| Denial of Service
Mar 06, 2026 Mar 06, 2026
Mar 06, 2026
Mar 06, 2026
0.0 NA
CVE-2025-69652 — GNU Binutils Denial of Service Vulnerability

GNU Binutils thru 2.46 readelf contains a vulnerability that leads to an abort (SIGABRT) when processing a crafted ELF binary with malformed DWARF abbrev or debug information. Due to incomplete state…

| Denial of Service
Mar 06, 2026 Mar 06, 2026
Mar 06, 2026
Mar 06, 2026
0.0 NA
CVE-2025-69650 — GNU Binutils Double Free Vulnerability

GNU Binutils thru 2.46 readelf contains a double free vulnerability when processing a crafted ELF binary with malformed relocation data. During GOT relocation handling, dump_relocations may return ea…

| Memory Corruption
Mar 06, 2026 Mar 06, 2026
Mar 06, 2026
Mar 06, 2026
0.0 NA
CVE-2025-69649 — Apache GNU Binutils Null Pointer Dereference Vulnerability

GNU Binutils thru 2.46 readelf contains a null pointer dereference vulnerability when processing a crafted ELF binary with malformed header fields. During relocation processing, an invalid or null se…

| Memory Corruption
Mar 06, 2026 Mar 06, 2026
Mar 06, 2026
Mar 06, 2026
5.3 MEDIUM
CVE-2026-3419 — Fastify's Missing End Anchor in "subtypeNameReg" Allows Malformed Content-Types to Pass V…

Fastify incorrectly accepts malformed `Content-Type` headers containing trailing characters after the subtype token, in violation of RFC 9110 §8.3.1(https://httpwg.org/specs/rfc9110.html#field.conten…

| Misconfiguration
Mar 06, 2026 Mar 06, 2026
Mar 06, 2026
Mar 06, 2026
6.9 MEDIUM
CVE-2026-30833 — Rocket.Chat: NoSQL injection in the EE ddp-streamer-service

Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to versions 7.10.8, 7.11.5, 7.12.5, 7.13.4, 8.0.2, 8.1.1, and 8.2.0, a NoSQL injection vulnerability exists in…

Remote | Injection
Mar 06, 2026 Mar 06, 2026
Mar 06, 2026
Mar 06, 2026
8.0 HIGH
CVE-2026-30831 — Rocket.Chat: 2FA bypass and login of deactivated users via EE ddp-streamer

Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to versions 7.10.8, 7.11.5, 7.12.5, 7.13.4, 8.0.2, 8.1.1, and 8.2.0, authentication vulnerabilities exist in R…

Remote | Authentication
Mar 06, 2026 Mar 06, 2026
Mar 06, 2026
Mar 06, 2026
7.7 HIGH
CVE-2026-29178 — Lemmy: Unauthenticated SSRF via file_type query parameter injection in image endpoint

Lemmy, a link aggregator and forum for the fediverse, is vulnerable to server-side request forgery via a dependency on activitypub_federation, a framework for ActivityPub federation in Rust. Prior to…

Remote | Server-Side Request Forgery
Mar 06, 2026 Mar 06, 2026
Mar 06, 2026
Mar 06, 2026
2.2 LOW
CVE-2026-29110 — Cryptomator: Leaking of cleartext paths into log file in non-debug mode

Cryptomator encrypts data being stored on cloud infrastructure. Prior to version 1.19.0, in non-debug mode Cryptomator might leak cleartext paths into the log file. This can reveal meta information a…

| Information Disclosure
Mar 06, 2026 Mar 06, 2026
Mar 06, 2026
Mar 06, 2026
8.1 HIGH
CVE-2026-29091 — Locutus: Remote Code Execution (RCE) in locutus call_user_func_array due to Code Injection

Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Prior to version 3.0.0, a remote code execution (RCE) flaw was discovered in the locutus project, specifi…

locutus | Remote | Injection
Mar 06, 2026 Mar 06, 2026
Mar 06, 2026
Mar 06, 2026
8.8 HIGH
CVE-2026-29089 — TimescaleDB uses untrusted search path during extension upgrade

TimescaleDB is a time-series database for high-performance real-time analytics packaged as a Postgres extension. From version 2.23.0 to 2.25.1, PostgreSQL uses the search_path setting to locate unqua…

| Misconfiguration
Mar 06, 2026 Mar 06, 2026
Mar 06, 2026
Mar 06, 2026
7.5 HIGH
CVE-2026-29087 — @hono/node-server: Authorization bypass for protected static paths via encoded slashes in…

@hono/node-server allows running the Hono application on Node.js. Prior to version 1.19.10, when using @hono/node-server's static file serving together with route-based middleware protections (e.g. p…

node-server | Remote | Authorization
Mar 06, 2026 Mar 06, 2026
Mar 06, 2026
Mar 06, 2026
9.3 CRITICAL
CVE-2026-28514 — Rocket.Chat: Users can login with any password via the EE ddp-streamer-service

Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to versions 7.8.6, 7.9.8, 7.10.7, 7.11.4, 7.12.4, 7.13.3, and 8.0.0, a critical authentication bypass vulnerab…

Remote | Authentication
Mar 06, 2026 Mar 06, 2026
Mar 06, 2026
Mar 06, 2026
0.0 NA
CVE-2025-69651 — Apache GNU Binutils Denial of Service (DoS) Vulnerability

GNU Binutils thru 2.46 readelf contains a vulnerability that leads to an invalid pointer free when processing a crafted ELF binary with malformed relocation or symbol data. If dump_relocations return…

| Memory Corruption
Mar 06, 2026 Mar 06, 2026
Mar 06, 2026
Mar 06, 2026
Showing 20 of 5133 Results