Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score | Vulnerability | Published
5.4 MEDIUM
CVE-2026-33500 — AVideo Vulnerable to Stored XSS via Markdown `javascript:` URI Bypasses ParsedownSafeWith…

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the fix for CVE-2026-27568 (GHSA-rcqw-6466-3mv7) introduced a custom `ParsedownSafeWithLinks` class that sanitizes …

avideo | Remote | Cross-Site Scripting
Mar 23, 2026
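What a `javascript:` URI bypass of a link sanitizer usually looks like, as an added example (not AVideo's ParsedownSafeWithLinks code, and the exact bypass in CVE-2026-33500 is cut off above): a blocklist that refuses only the literal prefix `javascript:` against an allowlist that first normalises the href the way a browser parses it. The payloads, scheme list and helper names are constructed for the demo.

```python
import html
import re
from typing import Optional

# Constructed example of a link-scheme allowlist for a markdown renderer. This
# is not AVideo's ParsedownSafeWithLinks code, and the exact bypass from the
# advisory is cut off above; the payloads below are generic scheme-obfuscation
# tricks that defeat a literal-prefix blocklist.

SAFE_SCHEMES = {"http", "https", "mailto"}

# Browsers drop tab/LF/CR anywhere in a URL and trim leading C0 controls and
# spaces, so these characters must not be allowed to split or hide the scheme.
_IGNORED = re.compile(r"[\x00-\x20\x7f]")
_SCHEME = re.compile(r"^([a-z][a-z0-9+.\-]*):", re.IGNORECASE)


def naive_is_safe(href: str) -> bool:
    """Blocklist: refuse only hrefs that literally start with 'javascript:'."""
    return not href.startswith("javascript:")


def effective_scheme(href: str) -> Optional[str]:
    """Scheme a browser would act on: entity-decode, strip ignored chars, lower-case.
    Returns None for scheme-less (relative) URLs."""
    cleaned = _IGNORED.sub("", html.unescape(href))
    match = _SCHEME.match(cleaned)
    return match.group(1).lower() if match else None


def hardened_is_safe(href: str) -> bool:
    """Allowlist: accept relative URLs and a short list of known-harmless schemes."""
    scheme = effective_scheme(href)
    return scheme is None or scheme in SAFE_SCHEMES


def render_link(text: str, href: str) -> str:
    """Emit the anchor a renderer would; an unsafe href is dropped rather than repaired."""
    label = html.escape(text, quote=True)
    if not hardened_is_safe(href):
        return f"<a>{label}</a>"
    return f'<a href="{html.escape(href, quote=True)}">{label}</a>'


# Constructed payloads: each passes the blocklist and fails the allowlist.
BYPASSES = [
    "JavaScript:alert(1)",                 # mixed case
    " javascript:alert(1)",                # leading space
    "java\tscript:alert(1)",               # tab inside the scheme
    "\x01javascript:alert(1)",             # leading control character
    "&#106;avascript:alert(1)",            # decimal entity for 'j'
    "&#x6A;avascript:alert(1)",            # hex entity for 'j'
    "vbscript:MsgBox(1)",                  # another scripting scheme
    "data:text/html,<script>alert(1)</script>",
]


def compare(payloads=BYPASSES):
    """Map each payload to (blocklist verdict, allowlist verdict)."""
    return {p: (naive_is_safe(p), hardened_is_safe(p)) for p in payloads}


if __name__ == "__main__":
    for href, (blocklist, allowlist) in compare().items():
        print(f"{href!r:48} blocklist_ok={blocklist!s:5} allowlist_ok={allowlist}")
```

The point of `effective_scheme` is that the decision is made on the string the browser will see, not the string the author typed; anything that is not on the allowlist loses its `href` entirely instead of being "cleaned".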
6.1 MEDIUM
CVE-2026-33499 — AVideo has Reflected XSS via unlockPassword Parameter in forbiddenPage.php and warningPag…

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `view/forbiddenPage.php` and `view/warningPage.php` templates reflect the `$_REQUEST['unlockPassword']` paramet…

avideo | Remote | Cross-Site Scripting
Mar 23, 2026
6.2 MEDIUM
CVE-2026-30007 — XnSoft NConvert Use-After-Free Vulnerability

XnSoft NConvert 7.230 is vulnerable to Use-After-Free via a crafted .tiff file.

Memory Corruption
Mar 23, 2026
6.2 MEDIUM
CVE-2026-30006 — NConvert TIFF Stack Buffer Overrun

XnSoft NConvert 7.230 is vulnerable to Stack Buffer Overrun via a crafted .tiff file.

Memory Corruption
Mar 23, 2026
7.5 HIGH
CVE-2026-26829 — Owntone-Server NULL Pointer Dereference Denial of Service Vulnerability

A NULL pointer dereference in the safe_atou64 function (src/misc.c) of owntone-server through commit c4d57aa allows attackers to cause a Denial of Service (DoS) via sending a series of crafted HTTP r…

Remote | Denial of Service
Mar 23, 2026
7.5 HIGH
CVE-2026-26828 — Owntone-Server NULL Pointer Dereference Denial of Service

A NULL pointer dereference in the daap_reply_playlists function (src/httpd_daap.c) of owntone-server commit 3d1652d allows attackers to cause a Denial of Service (DoS) via sending a crafted DAAP requ…

Remote | Denial of Service
Mar 23, 2026
0.0 NA
CVE-2026-24516 — DigitalOcean Droplet Agent Command Injection Vulnerability

A command injection vulnerability exists in DigitalOcean Droplet Agent through 1.3.2. The troubleshooting actioner component (internal/troubleshooting/actioner/actioner.go) processes metadata from th…

Injection
Mar 23, 2026
6.3 MEDIUM
CVE-2026-4592 — kalcaddle kodbox Password Login index.class.php tfaVerify improper authentication

A security vulnerability has been detected in kalcaddle kodbox 1.64. This impacts the function loginAfter/tfaVerify of the file /workspace/source-code/plugins/client/controller/tfa/index.class.php of…

Remote | Authentication
Mar 23, 2026
5.8 MEDIUM
CVE-2026-4591 — kalcaddle kodbox fileThumb Endpoint app.php checkBin os command injection

A weakness has been identified in kalcaddle kodbox 1.64. This affects the function checkBin of the file /workspace/source-code/plugins/fileThumb/app.php of the component fileThumb Endpoint. Executing…

Remote | Injection
Mar 23, 2026
7.1 HIGH
CVE-2026-33493 — AVideo has a Path Traversal in import.json.php that Allows Private Video Theft and Arbitr…

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `objects/import.json.php` endpoint accepts a user-controlled `fileURI` POST parameter with only a regex check t…

avideo | Remote | Path Traversal
Mar 23, 2026
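Why a regex on a user-supplied path is not a containment check, as an added example for CVE-2026-33493 (not AVideo's import.json.php; the advisory's actual regex is truncated above, so `FILENAME_CHARS` is a hypothetical character-class pattern, and `fileURI` is modelled as a path relative to an upload directory, which is an assumption). The demo builds a throwaway directory tree, reaches a "private" file through the regex-only resolver, and shows the canonicalising resolver refusing both `../` and a planted symlink.

```python
import os
import re
import tempfile

# Constructed example, not AVideo's import.json.php. The advisory's regex is
# truncated above, so FILENAME_CHARS is a hypothetical character-class check;
# fileURI is modelled as a path relative to an upload directory (an assumption).
FILENAME_CHARS = re.compile(r"^[A-Za-z0-9_./-]+$")


def regex_only_resolve(base_dir: str, file_uri: str) -> str:
    """Vulnerable pattern: the regex only restricts characters, so '../' is accepted."""
    if not FILENAME_CHARS.match(file_uri):
        raise ValueError("rejected by character-class check")
    return os.path.join(base_dir, file_uri)


def confined_resolve(base_dir: str, file_uri: str) -> str:
    """Hardened: canonicalise (symlinks included) and require the result to stay under base_dir."""
    root = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(root, file_uri))
    if os.path.commonpath([root, candidate]) != root:
        raise PermissionError(f"{file_uri!r} resolves outside {root}")
    return candidate


def demo() -> dict:
    """Build a throwaway tree with a public upload dir beside a private video and
    try to reach the private file through both resolvers."""
    secret_bytes = b"constructed private video bytes"
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        uploads = os.path.join(tmp, "uploads")
        private = os.path.join(tmp, "videos", "private")
        os.makedirs(uploads)
        os.makedirs(private)
        with open(os.path.join(private, "secret.mp4"), "wb") as f:
            f.write(secret_bytes)
        with open(os.path.join(uploads, "clip.mp4"), "wb") as f:
            f.write(b"legit upload")

        traversal = "../videos/private/secret.mp4"

        # The regex passes the traversal string and the private file is read.
        with open(regex_only_resolve(uploads, traversal), "rb") as f:
            results["regex_only_reads_private"] = f.read() == secret_bytes

        # The canonicalising check refuses the same input ...
        try:
            confined_resolve(uploads, traversal)
            results["confined_blocks_traversal"] = False
        except PermissionError:
            results["confined_blocks_traversal"] = True

        # ... and also a symlink planted inside the upload dir that points out of it.
        link = os.path.join(uploads, "link")
        try:
            os.symlink(private, link)
            try:
                confined_resolve(uploads, "link/secret.mp4")
                results["confined_blocks_symlink"] = False
            except PermissionError:
                results["confined_blocks_symlink"] = True
        except (OSError, NotImplementedError):
            results["confined_blocks_symlink"] = None  # platform cannot create symlinks

        # A normal upload name still resolves to a readable file.
        with open(confined_resolve(uploads, "clip.mp4"), "rb") as f:
            results["confined_allows_legit"] = f.read() == b"legit upload"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The character-class regex and the containment check are not alternatives: keep the regex for input hygiene if you like, but the decision about what may be opened has to be made on the canonical path.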
7.3 HIGH
CVE-2026-33492 — AVideo has Session Fixation via GET PHPSESSID Parameter With Disabled Login Session Regen…

WWBN AVideo is an open source video platform. In versions up to and including 26.0, AVideo's `_session_start()` function accepts arbitrary session IDs via the `PHPSESSID` GET parameter and sets them …

avideo | Remote | Authentication
Mar 23, 2026
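The session-fixation chain behind CVE-2026-33492, as an added example (a constructed model, not AVideo's `_session_start()`): a session start that honours a `PHPSESSID` from the query string, a login that does not regenerate the ID, and the attacker replaying the ID it chose. The in-memory store, request shapes and ID format are assumptions for the demo; the four outcomes show that either refusing query-string IDs or regenerating at login breaks the attack.

```python
import secrets
from typing import Callable, Dict, Optional

# Constructed model of the pattern described in the advisory: a session start
# that honours a PHPSESSID supplied in the query string, and a login that does
# not regenerate the session ID. It is not AVideo's _session_start() code;
# the store, request shapes and ID format are assumptions for the demo.

Request = Dict[str, str]  # query string or cookie jar as a flat dict


class SessionStore:
    def __init__(self) -> None:
        self.sessions: Dict[str, dict] = {}

    def _new_id(self) -> str:
        return secrets.token_hex(16)

    def vulnerable_start(self, query: Request, cookies: Request) -> str:
        """Accepts an ID from ?PHPSESSID=... (attacker-controllable) and creates
        the session under whatever ID arrives, even one never issued by the server."""
        sid = query.get("PHPSESSID") or cookies.get("PHPSESSID") or self._new_id()
        self.sessions.setdefault(sid, {})
        return sid

    def hardened_start(self, query: Request, cookies: Request) -> str:
        """Only the cookie is consulted, and an ID the server never issued is
        replaced (the behaviour of PHP's session.use_strict_mode)."""
        sid = cookies.get("PHPSESSID")
        if sid not in self.sessions:
            sid = self._new_id()
            self.sessions[sid] = {}
        return sid

    def login(self, sid: str, user: str, regenerate: bool) -> str:
        """Bind the authenticated user to the session; optionally move the data
        to a fresh ID so any pre-login ID an attacker knows becomes worthless."""
        data = self.sessions.pop(sid) if regenerate else self.sessions[sid]
        data["user"] = user
        if regenerate:
            sid = self._new_id()
            self.sessions[sid] = data
        return sid

    def whoami(self, sid: str) -> Optional[str]:
        return self.sessions.get(sid, {}).get("user")


def fixation_attack(start: Callable[..., str], regenerate_on_login: bool) -> Optional[str]:
    """Attacker picks an ID, lures the victim to /login?PHPSESSID=<id>, the
    victim authenticates, and the attacker then replays the ID it chose.
    Returns the user the attacker's replay is recognised as (None = attack failed)."""
    store = SessionStore()
    attacker_sid = "attacker-chosen-id"
    victim_sid = start(store, {"PHPSESSID": attacker_sid}, {})  # victim follows the link, no cookie yet
    store.login(victim_sid, "victim", regenerate_on_login)
    return store.whoami(attacker_sid)


def outcomes() -> Dict[str, Optional[str]]:
    return {
        "query_sid_accepted_no_regen": fixation_attack(SessionStore.vulnerable_start, False),
        "query_sid_accepted_regen":    fixation_attack(SessionStore.vulnerable_start, True),
        "cookie_only_no_regen":        fixation_attack(SessionStore.hardened_start, False),
        "cookie_only_regen":           fixation_attack(SessionStore.hardened_start, True),
    }


if __name__ == "__main__":
    for case, seen_as in outcomes().items():
        print(f"{case:30} attacker replay is recognised as: {seen_as}")
```

Only the first case hands the attacker an authenticated session. The two fixes are independent layers: strict cookie-only session IDs stop the attacker from planting an ID at all, and regeneration at login makes a planted ID useless even if it was accepted.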
7.4 HIGH
CVE-2026-33488 — AVideo has a PGP 2FA Bypass via Cryptographically Broken 512-bit RSA Key Generation in Lo…

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `createKeys()` function in the LoginControl plugin's PGP 2FA system generates 512-bit RSA keys, which have been…

avideo | Remote | Cryptography
Mar 23, 2026
8.4 HIGH
CVE-2026-32845 — jkuhlmann / cgltf <= 1.15 Sparse Accessor Validation Integer Overflow

cgltf version 1.15 and prior contain an integer overflow vulnerability in the cgltf_validate() function when validating sparse accessors that allows attackers to trigger out-of-bounds reads by supply…

Memory Corruption
Mar 23, 2026
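How an integer overflow turns a bounds check into an out-of-bounds read, as an added example for CVE-2026-32845 (a constructed model, not cgltf's `cgltf_validate()` code). The advisory does not say which operands overflow, so the model assumes the usual shape, `byteOffset + count * elementSize` compared against the buffer size in fixed-width unsigned arithmetic; a 32-bit width is assumed so the wraparound is visible with small numbers, and the same logic holds for 64-bit `size_t`. Sparse accessors are modelled as two views (indices and values) that must each fit.

```python
# Constructed model of an accessor-bounds check, not cgltf's code. The advisory
# does not say which operands overflow, so this assumes the classic shape:
# byteOffset + count * elementSize compared against the buffer size in
# fixed-width unsigned arithmetic. The width (32-bit) is an assumption chosen
# so the wraparound is easy to see; the same logic applies to 64-bit size_t.

WIDTH_BITS = 32
MASK = (1 << WIDTH_BITS) - 1


def wrap(x: int) -> int:
    """Simulate unsigned fixed-width arithmetic (Python ints never overflow on their own)."""
    return x & MASK


def naive_fits(byte_offset: int, count: int, elem_size: int, buffer_size: int) -> bool:
    """Vulnerable: the end position is computed first and only then compared."""
    end = wrap(byte_offset + wrap(count * elem_size))
    return end <= buffer_size


def checked_fits(byte_offset: int, count: int, elem_size: int, buffer_size: int) -> bool:
    """Hardened: every intermediate is bounded before it is used, so no wrap can occur."""
    if byte_offset > buffer_size or elem_size == 0:
        return False
    if count == 0:
        return True
    if count > MASK // elem_size:           # count * elem_size would exceed the width
        return False
    return count * elem_size <= buffer_size - byte_offset


def validate_sparse(buffer_size: int, count: int,
                    indices_offset: int, index_size: int,
                    values_offset: int, value_size: int,
                    fits=checked_fits) -> bool:
    """A sparse accessor has two views over the buffer (indices and values), each
    of which must fit; the overflow only matters in naive_fits()."""
    return (fits(indices_offset, count, index_size, buffer_size)
            and fits(values_offset, count, value_size, buffer_size))


# Constructed inputs: a 4 KiB buffer. SANE is an ordinary sparse accessor.
# CRAFTED picks count so that count * index_size == 2**32 and
# count * value_size == 2**34, both of which wrap to 0 in 32-bit arithmetic,
# so the naive check sees end == byte_offset and approves a read that would
# walk far past the buffer.
BUFFER = 4096
SANE = dict(buffer_size=BUFFER, count=100,
            indices_offset=0, index_size=4,
            values_offset=1024, value_size=12)
CRAFTED = dict(buffer_size=BUFFER, count=1 << 30,
               indices_offset=0, index_size=4,
               values_offset=64, value_size=16)


def compare() -> dict:
    return {
        "sane_naive":      validate_sparse(**SANE, fits=naive_fits),
        "sane_checked":    validate_sparse(**SANE),
        "crafted_naive":   validate_sparse(**CRAFTED, fits=naive_fits),
        "crafted_checked": validate_sparse(**CRAFTED),
    }


if __name__ == "__main__":
    for case, verdict in compare().items():
        print(f"{case:16} accepted={verdict}")
```

The hardened check never forms the product until it has proven `count <= MAX / elem_size`, and never forms the sum at all: it compares the span against the remaining room `buffer_size - byte_offset`, which cannot underflow because the offset was bounded first.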
6.1 MEDIUM
CVE-2024-51226 — Phpgurukul Vehicle Record Management System Stored XSS

A stored cross-site scripting (XSS) vulnerability in the component /admin/search-vehicle.php of Phpgurukul Vehicle Record Management System v1.0 allows attackers to execute arbitrary web scripts or H…

Remote | Cross-Site Scripting
Mar 23, 2026
4.8 MEDIUM
CVE-2024-51225 — PhpGurukul Vehicle Record Management System Stored XSS

A stored cross-site scripting (XSS) vulnerability in the component /admin/add-brand.php of Phpgurukul Vehicle Record Management System v1.0 allows attackers to execute arbitrary web scripts or HTML v…

Remote | Cross-Site Scripting
Mar 23, 2026
4.8 MEDIUM
CVE-2024-51224 — PhpGurukul Vehicle Record Management System XSS Vulnerability

Multiple cross-site scripting (XSS) vulnerabilities in the component /admin/edit-vehicle.php of Phpgurukul Vehicle Record Management System v1.0 allow attackers to execute arbitrary web scripts or H…

Remote | Cross-Site Scripting
Mar 23, 2026
4.8 MEDIUM
CVE-2024-51223 — PhpGurukul Vehicle Record Management System Stored XSS

A stored cross-site scripting (XSS) vulnerability in the component /admin/profile.php of Phpgurukul Vehicle Record Management System v1.0 allows attackers to execute arbitrary web scripts or HTML via…

Remote | Cross-Site Scripting
Mar 23, 2026
4.8 MEDIUM
CVE-2024-51222 — Phpgurukul Vehicle Record Management System Stored XSS Vulnerability

A stored cross-site scripting (XSS) vulnerability in the component /admin/profile.php of Phpgurukul Vehicle Record Management System v1.0 allows attackers to execute arbitrary web scripts or HTML via…

Remote | Cross-Site Scripting
Mar 23, 2026
3.1 LOW
CVE-2026-4590 — kalcaddle kodbox loginSubmit API index.class.php cross-site request forgery

A security flaw has been discovered in kalcaddle kodbox 1.64. The impacted element is an unknown function of the file /workspace/source-code/plugins/oauth/controller/bind/index.class.php of the compo…

Remote | Cross-Site Request Forgery
Mar 23, 2026
9.4 CRITICAL
CVE-2026-4404 — Use of hard coded credentials in GoHarbor Harbor

Use of hard-coded credentials in GoHarbor Harbor version 2.15.0 and below allows attackers to use the default password and gain access to the web UI.

Remote | Authentication
Mar 23, 2026
Showing 20 of 5262 Results