Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
CVE Intelligence

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

All Critical Actively Exploited Remotely Exploitable
Last Updated Published CVSS Score
Score
Vulnerability
Published
9.8 CRITICAL
CVE-2026-5965 — NewSoft|NewSoftOA - OS Command Injection

NewSoftOA developed by NewSoft has an OS Command Injection vulnerability, allowing unauthenticated local attackers to inject arbitrary OS commands and execute them on the server.

Remote | Injection
Apr 21, 2026 May 19, 2026
Apr 21, 2026
May 19, 2026
5.3 MEDIUM
CVE-2026-6675 — Responsive Blocks <= 2.2.0 - Unauthenticated Open Email Relay via REST API 'email_to' Par…

The Responsive Blocks – Page Builder for Blocks & Patterns plugin for WordPress is vulnerable to Unauthenticated Open Email Relay in all versions up to, and including, 2.2.0. This is due to insuffici…

responsive_blocks | Remote | Misconfiguration
Apr 21, 2026 Apr 22, 2026
Apr 21, 2026
Apr 22, 2026
6.5 MEDIUM
CVE-2026-6674 — Plugin: CMS für Motorrad Werkstätten <= 1.0.0 - Authenticated (Subscriber+) SQL Injection…

The Plugin: CMS für Motorrad Werkstätten plugin for WordPress is vulnerable to SQL Injection via the 'arttype' parameter in all versions up to, and including, 1.0.0 due to insufficient escaping on th…

Remote | Injection
Apr 21, 2026 Apr 22, 2026
Apr 21, 2026
Apr 22, 2026
8.1 HIGH
CVE-2026-40497 — FreeScout Vulnerable to CSS Injection via Stored Style Tag in Mailbox Signature (CSRF Tok…

FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.213, FreeScout's `Helper::stripDangerousTags()` removes `<script>`, `<form>`, `<iframe>`, `<object>` but does NOT st…

freescout | Remote | Cross-Site Scripting
Apr 21, 2026 Apr 23, 2026
Apr 21, 2026
Apr 23, 2026
4.5 MEDIUM
CVE-2026-6058 — Zyxel WRE6505 CGI Denial-of-Service Vulnerability

** UNSUPPORTED WHEN ASSIGNED ** An improper encoding or escaping vulnerability in the CGI program of Zyxel WRE6505 v2 firmware version V1.00(ABDV.3)C0 could allow an adjacent attacker on the WLAN to …

| Denial of Service
Apr 21, 2026 Apr 21, 2026
Apr 21, 2026
Apr 21, 2026
9.1 CRITICAL
CVE-2026-40496 — FreeScout has Predictable Attachment Token that Allows Unauthenticated Private File Downl…

FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.213, attachment download tokens are generated using a weak and predictable formula: `md5(APP_KEY + attachment_id + s…

freescout | Remote | Authentication
Apr 21, 2026 Apr 23, 2026
Apr 21, 2026
Apr 23, 2026
8.4 HIGH
CVE-2026-40250 — OpenEXR has integer overflow in DWA decoder outBufferEnd pointer arithmetic (missed varia…

OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In versions 3.4.0 through 3.4.9, 3.3.0 through 3.3.9, …

openexr | Memory Corruption
Apr 21, 2026 Apr 22, 2026
Apr 21, 2026
Apr 22, 2026
8.4 HIGH
CVE-2026-40244 — OpenEXR has integer overflow in DWA setupChannelData planarUncRle pointer arithmetic (mis…

OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In versions 3.4.0 through 3.4.9, 3.3.0 through 3.3.9, …

openexr | Memory Corruption
Apr 21, 2026 Apr 22, 2026
Apr 21, 2026
Apr 22, 2026
7.1 HIGH
CVE-2026-39973 — Apktool: Path Traversal to Arbitrary File Write

Apktool is a tool for reverse engineering Android APK files. In versions 3.0.0 and 3.0.1, a path traversal vulnerability in `brut/androlib/res/decoder/ResFileDecoder.java` allows a maliciously crafte…

apktool | Path Traversal
Apr 21, 2026 Apr 23, 2026
Apr 21, 2026
Apr 23, 2026
5.3 MEDIUM
CVE-2026-39886 — OpenEXR has HTJ2K Signed Integer Overflow in ht_undo_impl()

OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. Versions 3.4.0 through 3.4.9 have a signed integer ove…

openexr | Remote | Memory Corruption
Apr 21, 2026 Apr 22, 2026
Apr 21, 2026
Apr 22, 2026
8.8 HIGH
CVE-2026-39866 — Lawnchair vulnerable to Command Injection via unquoted workflow dispatch input in release…

Lawnchair is a free, open-source home app for Android. Prior to commit fcba413f55dd47f8a3921445252849126c6266b2, command injection in release_update.yml workflow dispatch input allows arbitrary code …

lawnchair | Remote | Injection
Apr 21, 2026 Apr 23, 2026
Apr 21, 2026
Apr 23, 2026
Showing 20 of 6411 Results