Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
7.5 HIGH
CVE-2026-29783 — GitHub Copilot CLI allows for dangerous shell expansion patterns that enable arbitrary co…

The shell tool within GitHub Copilot CLI versions prior to and including 0.0.422 can allow arbitrary code execution through crafted bash parameter expansion patterns. An attacker who can influence th…

Remote | Injection
Mar 06, 2026 Mar 06, 2026
Mar 06, 2026
Mar 06, 2026
7.3 HIGH
CVE-2026-29082 — Kestra: Stored Cross-Site Scripting in Markdown File Preview

Kestra is an event-driven orchestration platform. In versions from 1.1.10 and prior, Kestra’s execution-file preview renders user-supplied Markdown (.md) with markdown-it instantiated as html:true an…

Remote | Cross-Site Scripting
Mar 06, 2026 Mar 06, 2026
Mar 06, 2026
Mar 06, 2026
8.3 HIGH
CVE-2026-29075 — Mesa: Checking out of untrusted code in `benchmarks.yml` workflow may lead to code execut…

Mesa is an open-source Python library for agent-based modeling, simulating complex systems and exploring emergent behaviors. In version 3.5.0 and prior, checking out of untrusted code in benchmarks.y…

Remote | Supply Chain
Mar 06, 2026 Mar 06, 2026
Mar 06, 2026
Mar 06, 2026
8.2 HIGH
CVE-2026-29064 — Zarf: Symlink targets in archives are not validated against destination directory

Zarf is an Airgap Native Packager Manager for Kubernetes. From version 0.54.0 to before version 0.73.1, a path traversal vulnerability in archive extraction allows a specifically crafted Zarf package…

| Path Traversal
Mar 06, 2026 Mar 06, 2026
Mar 06, 2026
Mar 06, 2026
0.0 NA
CVE-2025-70363 — Ibexa Ciril GROUP eZ Platform Unauthenticated Data Access Vulnerability

Incorrect access control in the REST API of Ibexa & Ciril GROUP eZ Platform / Ciril Platform 2.x allows unauthenticated attackers to access sensitive data via enumerating object IDs.

| Authorization
Mar 06, 2026 Mar 06, 2026
Mar 06, 2026
Mar 06, 2026
8.8 HIGH
CVE-2025-15602 — Snipe-IT < 8.3.7 Mass Assignment Vulnerability Leading to Privilege Escalation

Snipe-IT versions prior to 8.3.7 contain sensitive user attributes related to account privileges that are insufficiently protected against mass assignment. An authenticated, low-privileged user can c…

Remote | Authorization
Mar 06, 2026 Mar 06, 2026
Mar 06, 2026
Mar 06, 2026
6.5 MEDIUM
CVE-2026-27777 — Mobiliti e-mobi.hu Insufficiently Protected Credentials

Charging station authentication identifiers are publicly accessible via web-based mapping platforms.

Remote | Authentication
Mar 06, 2026 Mar 06, 2026
Mar 06, 2026
Mar 06, 2026
7.3 HIGH
CVE-2026-27764 — Mobiliti e-mobi.hu Insufficient Session Expiration

The WebSocket backend uses charging station identifiers to uniquely associate sessions but allows multiple endpoints to connect using the same session identifier. This implementation results in predi…

Remote | Authentication
Mar 06, 2026 Mar 06, 2026
Mar 06, 2026
Mar 06, 2026
6.5 MEDIUM
CVE-2026-27027 — Everon api.everon.io Insufficiently Protected Credentials

Charging station authentication identifiers are publicly accessible via web-based mapping platforms.

Remote | Information Disclosure
Mar 06, 2026 Mar 06, 2026
Mar 06, 2026
Mar 06, 2026
9.4 CRITICAL
CVE-2026-26288 — Everon api.everon.io Missing Authentication for Critical Function

WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. An unauthenticated attacker can co…

Remote | Authentication
Mar 06, 2026 Mar 06, 2026
Mar 06, 2026
Mar 06, 2026
7.5 HIGH
CVE-2026-26018 — CoreDNS Loop Detection Denial of Service Vulnerability

CoreDNS is a DNS server that chains plugins. Prior to version 1.14.2, a denial of service vulnerability exists in CoreDNS's loop detection plugin that allows an attacker to crash the DNS server by se…

coredns | Remote | Denial of Service
Mar 06, 2026 Mar 06, 2026
Mar 06, 2026
Mar 06, 2026
7.7 HIGH
CVE-2026-26017 — CoreDNS ACL Bypass

CoreDNS is a DNS server that chains plugins. Prior to version 1.14.2, a logical vulnerability in CoreDNS allows DNS access controls to be bypassed due to the default execution order of plugins. Secur…

coredns | Remote | Misconfiguration
Mar 06, 2026 Mar 06, 2026
Mar 06, 2026
Mar 06, 2026
7.5 HIGH
CVE-2026-24696 — Everon api.everon.io Improper Restriction of Excessive Authentication Attempts

The WebSocket Application Programming Interface lacks restrictions on the number of authentication requests. This absence of rate limiting may allow an attacker to conduct denial-of-service attacks b…

Remote | Authentication
Mar 06, 2026 Mar 06, 2026
Mar 06, 2026
Mar 06, 2026
7.5 HIGH
CVE-2026-20882 — Mobiliti e-mobi.hu Improper Restriction of Excessive Authentication Attempts

The WebSocket Application Programming Interface lacks restrictions on the number of authentication requests. This absence of rate limiting may allow an attacker to conduct denial-of-service attacks b…

Remote | Authentication
Mar 06, 2026 Mar 06, 2026
Mar 06, 2026
Mar 06, 2026
7.3 HIGH
CVE-2026-20748 — Everon api.everon.io Insufficient Session Expiration

The WebSocket backend uses charging station identifiers to uniquely associate sessions but allows multiple endpoints to connect using the same session identifier. This implementation results in predi…

Remote | Authentication
Mar 06, 2026 Mar 06, 2026
Mar 06, 2026
Mar 06, 2026
7.5 HIGH
CVE-2026-2754 — Navtor NavBox Unauthenticated Information Disclosure

Navtor NavBox exposes sensitive configuration and operational data due to missing authentication on HTTP API endpoints. An unauthenticated remote attacker with network access to the device can execut…

Remote | Authentication
Mar 06, 2026 Mar 06, 2026
Mar 06, 2026
Mar 06, 2026
7.5 HIGH
CVE-2026-2753 — Navtor NavBox Absolute Path Traversal Vulnerability

An Absolute Path Traversal vulnerability exists in Navtor NavBox. The application exposes an HTTP service that fails to properly sanitize user-supplied path input. Unauthenticated remote attackers ca…

Remote | Path Traversal
Mar 06, 2026 Mar 06, 2026
Mar 06, 2026
Mar 06, 2026
5.3 MEDIUM
CVE-2026-2752 — Navtor NavBox .NET Information Disclosure

Navtor NavBox allows information disclosure via the /api/ais-data endpoint. A remote, unauthenticated attacker can send crafted requests to trigger an unhandled exception, causing the server to retur…

Remote | Information Disclosure
Mar 06, 2026 Mar 06, 2026
Mar 06, 2026
Mar 06, 2026
9.4 CRITICAL
CVE-2026-26051 — Mobiliti e-mobi.hu Missing Authentication for Critical Function

WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. An unauthenticated attacker can co…

Remote | Authentication
Mar 06, 2026 Mar 06, 2026
Mar 06, 2026
Mar 06, 2026
6.9 MEDIUM
CVE-2018-25200 — OOP CMS BLOG 1.0 Cross-Site Request Forgery via addUser.php

OOP CMS BLOG 1.0 contains a cross-site request forgery vulnerability that allows unauthenticated attackers to create administrative user accounts by crafting malicious POST requests. Attackers can su…

Remote | Cross-Site Request Forgery
Mar 06, 2026 Mar 06, 2026
Mar 06, 2026
Mar 06, 2026
Showing 20 of 5128 Results