Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
0.0 NA
CVE-2026-29074 — SVGO: DoS through entity expansion in DOCTYPE (Billion Laughs)

SVGO, short for SVG Optimizer, is a Node.js library and command-line application for optimizing SVG files. From version 2.1.0 to before version 2.8.1, from version 3.0.0 to before version 3.3.3, and …

| Denial of Service
Mar 06, 2026 Mar 06, 2026
Mar 06, 2026
Mar 06, 2026
0.0 NA
CVE-2026-2830 — WP All Import <= 4.0.0 - Reflected Cross-Site Scripting via 'filepath'

The WP All Import – Drag & Drop Import for CSV, XML, Excel & Google Sheets plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘filepath’ parameter in all versions up to, and…

| Cross-Site Scripting
Mar 06, 2026 Mar 06, 2026
Mar 06, 2026
Mar 06, 2026
0.0 NA
CVE-2026-29183 — SiYuan: Unauthenticated reflected SVG XSS in `/api/icon/getDynamicIcon` (`type=8`) enable…

SiYuan is a personal knowledge management system. Prior to version 3.5.9, an unauthenticated reflected XSS vulnerability exists in the dynamic icon API endpoint "GET /api/icon/getDynamicIcon" when ty…

| Cross-Site Scripting
Mar 06, 2026 Mar 06, 2026
Mar 06, 2026
Mar 06, 2026
0.0 NA
CVE-2026-29073 — SiYuan: Direct SQL Query API accessible to Reader-level users enables unauthorized databa…

SiYuan is a personal knowledge management system. Prior to version 3.6.0, the /api/query/sql lets a user run sql directly, but it only checks basic auth, not admin rights, any logged-in user, even re…

| Authorization
Mar 06, 2026 Mar 06, 2026
Mar 06, 2026
Mar 06, 2026
8.7 HIGH
CVE-2026-29068 — PJSIP: Stack buffer overflow in Opus codec parser

PJSIP is a free and open source multimedia communication library written in C. Prior to version 2.17, there is a stack buffer overflow vulnerability when pjmedia-codec parses an RTP payload contain m…

Remote | Memory Corruption
Mar 06, 2026 Mar 06, 2026
Mar 06, 2026
Mar 06, 2026
8.8 HIGH
CVE-2026-29065 — changedetection.io: Zip Slip vulnerability in the backup restore functionality

changedetection.io is a free open source web page change detection tool. Prior to version 0.54.4, a Zip Slip vulnerability in the backup restore functionality allows arbitrary file overwrite via path…

Remote | Path Traversal
Mar 06, 2026 Mar 06, 2026
Mar 06, 2026
Mar 06, 2026
9.8 CRITICAL
CVE-2026-29058 — AVideo: Unauthenticated OS Command Injection via base64Url in objects/getImage.php

AVideo is a video-sharing Platform software. Prior to version 7.0, an unauthenticated attacker can execute arbitrary OS commands on the server by injecting shell command substitution into the base64U…

Remote | Injection
Mar 06, 2026 Mar 06, 2026
Mar 06, 2026
Mar 06, 2026
4.3 MEDIUM
CVE-2026-29049 — melange: unbounded HTTP download in `melange update-cache` can exhaust disk in CI

melange allows users to build apk packages using declarative pipelines. In version 0.40.5 and prior, melange update-cache downloads URIs from build configs via io.Copy without any size limit or HTTP …

Remote | Misconfiguration
Mar 06, 2026 Mar 06, 2026
Mar 06, 2026
Mar 06, 2026
6.9 MEDIUM
CVE-2026-29048 — HumHub: XSS in Button component

HumHub is an Open Source Enterprise Social Network. In version 1.18.0, a cross-site scripting vulnerability was identified in the Button component of version 1.18.0. Due to inconsistent output encodi…

Remote | Cross-Site Scripting
Mar 06, 2026 Mar 06, 2026
Mar 06, 2026
Mar 06, 2026
8.9 HIGH
CVE-2026-29042 — Nuclio Shell Runtime Command Injection Leading to Privilege Escalation

Nuclio is a "Serverless" framework for Real-Time Events and Data Processing. Prior to version 1.15.20, the Nuclio Shell Runtime component contains a command injection vulnerability in how it processe…

Remote | Injection
Mar 06, 2026 Mar 06, 2026
Mar 06, 2026
Mar 06, 2026
8.8 HIGH
CVE-2026-29039 — changedetection.io: XPath - Arbitrary File Read via unparsed-text()

changedetection.io is a free open source web page change detection tool. Prior to version 0.54.4, the changedetection.io application allows users to specify XPath expressions as content filters via t…

Remote | Path Traversal
Mar 06, 2026 Mar 06, 2026
Mar 06, 2026
Mar 06, 2026
6.1 MEDIUM
CVE-2026-29038 — changedetection.io: Reflected XSS in RSS Tag Error Response

changedetection.io is a free open source web page change detection tool. Prior to version 0.54.4, there is a reflected cross-site scripting (XSS) vulnerability identified in the /rss/tag/ endpoint of…

Remote | Cross-Site Scripting
Mar 06, 2026 Mar 06, 2026
Mar 06, 2026
Mar 06, 2026
6.9 MEDIUM
CVE-2026-28804 — pypdf: Inefficient decoding of ASCIIHexDecode streams

pypdf is a free and open-source pure-python PDF library. Prior to version 6.7.5, an attacker who uses this vulnerability can craft a PDF which leads to long runtimes. This requires accessing a stream…

Remote | Denial of Service
Mar 06, 2026 Mar 06, 2026
Mar 06, 2026
Mar 06, 2026
7.7 HIGH
CVE-2026-28802 — Authlib: Setting `alg: none` and a blank signature appears to bypass signature verificati…

Authlib is a Python library which builds OAuth and OpenID Connect servers. From version 1.6.5 to before version 1.6.7, previous tests involving passing a malicious JWT containing alg: none and an emp…

Remote | Authentication
Mar 06, 2026 Mar 06, 2026
Mar 06, 2026
Mar 06, 2026
6.6 MEDIUM
CVE-2026-28801 — Natro Macro: Code Injection through Pattern/Path files

Natro Macro is an open-source Bee Swarm Simulator macro written in AutoHotkey. Prior to version 1.1.0, any ahk code contained inside of a pattern or path file is executed by the macro. Since users co…

| Misconfiguration
Mar 06, 2026 Mar 06, 2026
Mar 06, 2026
Mar 06, 2026
6.4 MEDIUM
CVE-2026-28800 — Natro Macro: Malicious actions allowed through Discord RC Commands by any user

Natro Macro is an open-source Bee Swarm Simulator macro written in AutoHotkey. Prior to version 1.1.0, anyone with Discord Remote Control set up in a non-private channel gives access to any user with…

Remote | Authentication
Mar 06, 2026 Mar 06, 2026
Mar 06, 2026
Mar 06, 2026
8.7 HIGH
CVE-2026-28799 — PJSIP: Heap use-after-free in PJSIP presence subscription termination handler

PJSIP is a free and open source multimedia communication library written in C. Prior to version 2.17, a heap use-after-free vulnerability exists in PJSIP's event subscription framework (evsub.c) that…

Remote | Memory Corruption
Mar 06, 2026 Mar 06, 2026
Mar 06, 2026
Mar 06, 2026
8.7 HIGH
CVE-2026-28795 — OpenChatBI: Critical Path Traversal Vulnerability in save_report Tool of OpenChatBI

OpenChatBI is an intelligent chat-based BI tool powered by large language models, designed to help users query, analyze, and visualize data through natural language conversations. Prior to version 0.…

Remote | Path Traversal
Mar 06, 2026 Mar 06, 2026
Mar 06, 2026
Mar 06, 2026
6.9 MEDIUM
CVE-2026-28438 — CocoIndex Doris target connector didn't verify table name when constructing ALTER TABLE s…

CocoIndex is a data transformation framework for AI. Prior to version 0.3.34, the Doris target connector didn't verify the configured table name before creating some SQL statements (ALTER TABLE). So,…

Remote | Injection
Mar 06, 2026 Mar 06, 2026
Mar 06, 2026
Mar 06, 2026
0.0 NA
CVE-2026-29062 — jackson-core: Nesting Depth Constraint Bypass in `UTF8DataInputJsonParser` potentially al…

jackson-core contains core low-level incremental ("streaming") parser and generator abstractions used by Jackson Data Processor. From version 3.0.0 to before version 3.1.0, the UTF8DataInputJsonParse…

| Denial of Service
Mar 06, 2026 Mar 06, 2026
Mar 06, 2026
Mar 06, 2026
Showing 20 of 5208 Results