Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

All Critical Actively Exploited Remotely Exploitable
Last Updated Published CVSS Score
Score
Vulnerability
Published
7.5 HIGH
CVE-2026-27836 — phpMyFAQ Allows Unauthenticated Account Creation via WebAuthn Prepare Endpoint

phpMyFAQ is an open source FAQ web application. Prior to version 4.0.18, the WebAuthn prepare endpoint (`/api/webauthn/prepare`) creates new active user accounts without any authentication, CSRF prot…

Remote | Authentication
Feb 27, 2026 Feb 27, 2026
Feb 27, 2026
Feb 27, 2026
7.1 HIGH
CVE-2026-27832 — Group-Office Has Authenticated SQL Injection in advancedQueryData.comparator

Group-Office is an enterprise customer relationship management and groupware tool. Versions prior to 26.0.8, 25.0.87, and 6.8.153 have a SQL Injection (SQLi) vulnerability, exploitable through the `a…

Remote | Injection
Feb 27, 2026 Feb 27, 2026
Feb 27, 2026
Feb 27, 2026
5.3 MEDIUM
CVE-2026-27824 — calibre has IP Ban Bypass via X-Forwarded-For Header Spoofing

calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Prior to version 9.4.0, the calibre Content Server's brute-force protection mechanism uses a ban k…

Remote | Authentication
Feb 27, 2026 Feb 27, 2026
Feb 27, 2026
Feb 27, 2026
6.4 MEDIUM
CVE-2026-27810 — calibre Vulnerable to HTTP Response Header Injection

calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Prior to version 9.4.0, an HTTP Response Header Injection vulnerability in the calibre Content Ser…

Remote | Injection
Feb 27, 2026 Feb 27, 2026
Feb 27, 2026
Feb 27, 2026
6.5 MEDIUM
CVE-2026-27793 — Seerr has Broken Object-Level Authorization in User Profile Endpoint that Exposes Third-P…

Seerr is an open-source media request and discovery manager for Jellyfin, Plex, and Emby. Prior to version 3.1.0, the `GET /api/v1/user/:id` endpoint returns the full settings object for any user, in…

Remote | Information Disclosure
Feb 27, 2026 Feb 27, 2026
Feb 27, 2026
Feb 27, 2026
5.4 MEDIUM
CVE-2026-27792 — Seerr missing authentication on pushSubscription endpoints

Seerr is an open-source media request and discovery manager for Jellyfin, Plex, and Emby. A missing authorization vulnerability has been identified in the application starting in version 2.7.0 and pr…

Remote | Authorization
Feb 27, 2026 Feb 27, 2026
Feb 27, 2026
Feb 27, 2026
6.5 MEDIUM
CVE-2026-27734 — Beszel Vulnerable to Docker API Path Traversal via Unsanitized Container ID

Beszel is a server monitoring platform. Prior to version 0.18.2, the hub's authenticated API endpoints GET /api/beszel/containers/logs and GET /api/beszel/containers/info pass the user-supplied "cont…

Remote | Path Traversal
Feb 27, 2026 Feb 27, 2026
Feb 27, 2026
Feb 27, 2026
7.3 HIGH
CVE-2026-27707 — Plex-configured Seerr instances vulnerable to unauthenticated account registration via Je…

Seerr is an open-source media request and discovery manager for Jellyfin, Plex, and Emby. Starting in version 2.0.0 and prior to version 3.1.0, an authentication guard logic flaw in `POST /api/v1/aut…

Remote | Authentication
Feb 27, 2026 Feb 27, 2026
Feb 27, 2026
Feb 27, 2026
2.0 LOW
CVE-2026-26997 — ClipBucket v5 has Stored XSS via Collection name

ClipBucket v5 is an open source video sharing platform. Prior to version 5.5.3 #59, a normal authenticated user can store the XSS payload. The payload is triggered by administrator. Version 5.5.3 #59…

Remote | Cross-Site Scripting
Feb 27, 2026 Feb 27, 2026
Feb 27, 2026
Feb 27, 2026
2.7 LOW
CVE-2026-22717 — VMware Workstation out-of-bound read vulnerability

Out-of-bound read vulnerability in VMware Workstation 25H1 and below on any platform allows an actor with non-administrative privileges on a guest VM to obtain limited information disclosure from the…

| Information Disclosure
Feb 27, 2026 Feb 27, 2026
Feb 27, 2026
Feb 27, 2026
8.2 HIGH
CVE-2026-2880 — @fastify/middie has an improper path normalization vulnerability

A vulnerability in @fastify/middie versions < 9.2.0 can result in authentication/authorization bypass when using path-scoped middleware (for example, app.use('/secret', auth)). When Fastify router n…

Remote | Authorization
Feb 27, 2026 Feb 27, 2026
Feb 27, 2026
Feb 27, 2026
5.1 MEDIUM
CVE-2026-27758 — SODOLA SL902-SWTGW124AS <= 200.1.20 Missing CSRF Protections

SODOLA SL902-SWTGW124AS firmware versions through 200.1.20 contain a cross-site request forgery vulnerability in its management interface that allows attackers to induce authenticated users into subm…

Remote | Cross-Site Request Forgery
Feb 27, 2026 Feb 27, 2026
Feb 27, 2026
Feb 27, 2026
7.1 HIGH
CVE-2026-27757 — SODOLA SL902-SWTGW124AS <= 200.1.20 Unverified Password Change

SODOLA SL902-SWTGW124AS firmware versions through 200.1.20 contain an authentication vulnerability that allows authenticated users to change account passwords without verifying the current password. …

Remote | Authentication
Feb 27, 2026 Feb 27, 2026
Feb 27, 2026
Feb 27, 2026
6.1 MEDIUM
CVE-2026-27756 — SODOLA SL902-SWTGW124AS <= 200.1.20 Reflected XSS in Management Interface

SODOLA SL902-SWTGW124AS firmware versions through 200.1.20 contain a reflected cross-site scripting vulnerability in the management interface where user input is not properly encoded before output. A…

Remote | Cross-Site Scripting
Feb 27, 2026 Feb 27, 2026
Feb 27, 2026
Feb 27, 2026
9.8 CRITICAL
CVE-2026-27755 — SODOLA SL902-SWTGW124AS <= 200.1.20 Predictable Session ID

SODOLA SL902-SWTGW124AS firmware versions through 200.1.20 contain a weak session identifier generation vulnerability that allows attackers to forge authenticated sessions by computing predictable MD…

Remote | Authentication
Feb 27, 2026 Feb 27, 2026
Feb 27, 2026
Feb 27, 2026
6.9 MEDIUM
CVE-2026-27754 — SODOLA SL902-SWTGW124AS <= 200.1.20 MD5 Session Token Generation

SODOLA SL902-SWTGW124AS firmware versions through 200.1.20 use the cryptographically broken MD5 hash function for session cookie generation, weakening session security. Attackers can exploit predicta…

Remote | Cryptography
Feb 27, 2026 Feb 27, 2026
Feb 27, 2026
Feb 27, 2026
5.0 MEDIUM
CVE-2026-22716 — VMware Workstation out-of-bounds write vulnerability

Out-of-bound write vulnerability in VMware Workstation 25H1 and below on any platform allows an actor with non-administrative privileges on a guest VM to terminate certain Workstation processes.

| Information Disclosure
Feb 27, 2026 Feb 27, 2026
Feb 27, 2026
Feb 27, 2026
6.9 MEDIUM
CVE-2026-27753 — SODOLA SL902-SWTGW124AS <= 200.1.20 Improper Login Rate Limiting

SODOLA SL902-SWTGW124AS firmware versions through 200.1.20 contain an authentication bypass vulnerability that allows remote attackers to perform unlimited login attempts against the management inter…

Remote | Authentication
Feb 27, 2026 Feb 27, 2026
Feb 27, 2026
Feb 27, 2026
8.2 HIGH
CVE-2026-27752 — SODOLA SL902-SWTGW124AS <= 200.1.20 Cleartext Credential Transmission

SODOLA SL902-SWTGW124AS firmware versions through 200.1.20 transmit authentication credentials over unencrypted HTTP, allowing attackers to capture credentials. An attacker positioned to observe netw…

Remote | Authentication
Feb 27, 2026 Feb 27, 2026
Feb 27, 2026
Feb 27, 2026
9.8 CRITICAL
CVE-2026-27751 — SODOLA SL902-SWTGW124AS <= 200.1.20 Use of Default Credentials

SODOLA SL902-SWTGW124AS firmware versions through 200.1.20 contain a default credentials vulnerability that allows remote attackers to obtain administrative access to the management interface. Attack…

Remote | Authentication
Feb 27, 2026 Feb 27, 2026
Feb 27, 2026
Feb 27, 2026
Showing 20 of 4891 Results