Latest CVE Feed
- CVE-2026-27745 (8.8 HIGH)
  The SPIP interface_traduction_objets plugin versions prior to 2.2.2 contain an authenticated remote code execution vulnerability in the translation interface workflow. The plugin incorporates untrusted request data into a hidden form field that is rendere...
  - Affected Products: interface_traduction_objets
  - Published: Feb. 25, 2026
  - Modified: Feb. 27, 2026
  - Vuln Type: Injection
- CVE-2026-27747 (8.8 HIGH)
  The SPIP interface_traduction_objets plugin versions prior to 2.2.2 contain an authenticated SQL injection vulnerability in interface_traduction_objets_pipelines.php. When handling translation requests, the plugin reads the id_parent parameter from user-s...
  - Affected Products: interface_traduction_objets
  - Published: Feb. 25, 2026
  - Modified: Feb. 27, 2026
  - Vuln Type: Injection
- CVE-2026-25129 (7.3 HIGH)
  PsySH is a runtime developer console, interactive debugger, and REPL for PHP. Prior to versions 0.11.23 and 0.12.19, PsySH automatically loads and executes a `.psysh.php` file from the Current Working Directory (CWD) on startup. If an attacker can write t...
  - Affected Products: psysh
  - Published: Jan. 30, 2026
  - Modified: Feb. 27, 2026
  - Vuln Type: Misconfiguration
- CVE-2025-69207 (7.1 HIGH)
  Khoj is a self-hostable artificial intelligence app. Prior to 2.0.0-beta.23, an IDOR in the Notion OAuth callback allows an attacker to hijack any user's Notion integration by manipulating the state parameter. The callback endpoint accepts any user UUID w...
  - Affected Products: khoj
  - Published: Feb. 02, 2026
  - Modified: Feb. 27, 2026
  - Vuln Type: Authorization
- CVE-2026-24051 (7.0 HIGH)
  OpenTelemetry-Go is the Go implementation of OpenTelemetry. The OpenTelemetry Go SDK in version v1.20.0-1.39.0 is vulnerable to Path Hijacking (Untrusted Search Paths) on macOS/Darwin systems. The resource detection code in sdk/resource/host_id.go execute...
  - Affected Products: opentelemetry-go
  - Published: Feb. 02, 2026
  - Modified: Feb. 27, 2026
  - Vuln Type: Path Traversal
- CVE-2025-64712 (9.8 CRITICAL)
  The unstructured library provides open-source components for ingesting and pre-processing images and text documents, such as PDFs, HTML, Word docs, and many more. Prior to version 0.18.18, a path traversal vulnerability in the partition_msg function allow...
  - Affected Products: unstructured
  - Published: Feb. 04, 2026
  - Modified: Feb. 27, 2026
  - Vuln Type: Path Traversal
- CVE-2026-28338 (0.0 NA)
  PMD is an extensible multilanguage static code analyzer. Prior to version 7.22.0, PMD's `vbhtml` and `yahtml` report formats insert rule violation messages into HTML output without escaping. When PMD analyzes untrusted source code containing crafted strin...
  - Affected Products: none listed
  - Published: Feb. 27, 2026
  - Modified: Feb. 27, 2026
  - Vuln Type: Cross-Site Scripting
- CVE-2026-24884 (8.4 HIGH)
  Compressing is a compressing and uncompressing lib for node. In version 2.0.0 and 1.10.3 and prior, Compressing extracts TAR archives while restoring symbolic links without validating their targets. By embedding symlinks that resolve outside the intended ...
  - Affected Products: compressing
  - Published: Feb. 04, 2026
  - Modified: Feb. 27, 2026
  - Vuln Type: Path Traversal
- CVE-2026-28288 (0.0 NA)
  Dify is an open-source LLM app development platform. Prior to 1.9.0, responses from the Dify API to existing and non-existent accounts differ, allowing an attacker to enumerate email addresses registered with Dify. Version 1.9.0 fixes the issue...
  - Affected Products: none listed
  - Published: Feb. 27, 2026
  - Modified: Feb. 27, 2026
  - Vuln Type: Information Disclosure
- CVE-2026-25505 (9.8 CRITICAL)
  Bambuddy is a self-hosted print archive and management system for Bambu Lab 3D printers. Prior to version 0.1.7, a hardcoded secret key used for signing JWTs is checked into source code and ManyAPI routes do not check authentication. This issue has been p...
  - Affected Products: bambuddy
  - Published: Feb. 04, 2026
  - Modified: Feb. 27, 2026
  - Vuln Type: Authentication
- CVE-2026-28272 (0.0 NA)
  Kiteworks is a private data network (PDN). Prior to version 9.2.0, a vulnerability in Kiteworks Email Protection Gateway allows authenticated administrators to inject malicious scripts through a configuration interface. The stored script executes when use...
  - Affected Products: none listed
  - Published: Feb. 27, 2026
  - Modified: Feb. 27, 2026
  - Vuln Type: Cross-Site Scripting
- CVE-2026-25128 (7.5 HIGH)
  fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. In versions 5.0.9 through 5.3.3, a RangeError vulnerability exists in the numeric entity processing of fast-xm...
  - Published: Jan. 30, 2026
  - Modified: Feb. 27, 2026
  - Vuln Type: Misconfiguration
- CVE-2026-3255 (0.0 NA)
  HTTP::Session2 versions before 1.12 for Perl may generate weak session ids using the rand() function. The HTTP::Session2 session id generator returns a SHA-1 hash seeded with the built-in rand function, the epoch time, and the PID. The PID will ...
  - Affected Products: none listed
  - Published: Feb. 27, 2026
  - Modified: Feb. 27, 2026
  - Vuln Type: Cryptography
- CVE-2026-28354 (5.7 MEDIUM)
  ClipBucket v5 is an open source video sharing platform. Prior to version 5.5.3 #59, collection item operations are vulnerable to authorization flaws, allowing a normal authenticated user to modify another user's collection items. This affects both add ite...
  - Affected Products: none listed
  - Published: Feb. 27, 2026
  - Modified: Feb. 27, 2026
  - Vuln Type: Authorization
- CVE-2026-28231 (5.5 MEDIUM)
  pillow_heif is a Python library for working with HEIF images and plugin for Pillow. Prior to version 1.3.0, an integer overflow in the encode path buffer validation of `_pillow_heif.c` allows an attacker to bypass bounds checks by providing large image di...
  - Affected Products: none listed
  - Published: Feb. 27, 2026
  - Modified: Feb. 27, 2026
  - Vuln Type: Memory Corruption
- CVE-2026-27947 (9.4 CRITICAL)
  Group-Office is an enterprise customer relationship management and groupware tool. Versions prior to 26.0.9, 25.0.87, and 6.8.154 have an authenticated Remote Code Execution vulnerability in the TNEF attachment processing flow. The vulnerable path extract...
  - Affected Products: none listed
  - Published: Feb. 27, 2026
  - Modified: Feb. 27, 2026
  - Vuln Type: Injection
- CVE-2026-27836 (7.5 HIGH)
  phpMyFAQ is an open source FAQ web application. Prior to version 4.0.18, the WebAuthn prepare endpoint (`/api/webauthn/prepare`) creates new active user accounts without any authentication, CSRF protection, captcha, or configuration checks. This allows un...
  - Affected Products: none listed
  - Published: Feb. 27, 2026
  - Modified: Feb. 27, 2026
  - Vuln Type: Authentication
- CVE-2026-27832 (7.1 HIGH)
  Group-Office is an enterprise customer relationship management and groupware tool. Versions prior to 26.0.8, 25.0.87, and 6.8.153 have a SQL Injection (SQLi) vulnerability, exploitable through the `advancedQueryData` parameter (`comparator` field) on an a...
  - Affected Products: none listed
  - Published: Feb. 27, 2026
  - Modified: Feb. 27, 2026
  - Vuln Type: Injection
- CVE-2026-27824 (5.3 MEDIUM)
  calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Prior to version 9.4.0, the calibre Content Server's brute-force protection mechanism uses a ban key derived from both `remote_addr` and the `X-Forwarded-...
  - Affected Products: none listed
  - Published: Feb. 27, 2026
  - Modified: Feb. 27, 2026
  - Vuln Type: Authentication
- CVE-2026-27810 (6.4 MEDIUM)
  calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Prior to version 9.4.0, an HTTP Response Header Injection vulnerability in the calibre Content Server allows any authenticated user to inject arbitrary HT...
  - Affected Products: none listed
  - Published: Feb. 27, 2026
  - Modified: Feb. 27, 2026
  - Vuln Type: Injection