Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
Following is the list of latest published vulnerabilities. You can filter the list based on the severity of the vulnerability, whether it is actively exploited (also known as CISA KEV List) or remotely exploitable. You can also sort the list based on the published date, last updated date, or CVSS score.
Latest Critical Actively Exploited Remotely Exploitable
Published Last Updated CVSS Score

  • 6.3

    MEDIUM
    CVE-2026-27837

    Dottie provides nested object access and manipulation in JavaScript. Versions 2.0.4 through 2.0.6 contain an incomplete fix for CVE-2023-26132. The prototype pollution guard introduced in commit `7d3aee1` only validates the first segment of a dot-separate... Read more

    Affected Products :
    • Published: Feb. 26, 2026
    • Modified: Feb. 26, 2026
    • Vuln Type: Misconfiguration

  • 7.5

    HIGH
    CVE-2026-27831

    rldns is an open source DNS server. Version 2.3 has a heap-based out-of-bounds read that leads to denial of service. Version 1.4 contains a patch for the issue.... Read more

    Affected Products :
    • Published: Feb. 26, 2026
    • Modified: Feb. 26, 2026
    • Vuln Type: Memory Corruption

  • 8.9

    HIGH
    CVE-2026-27830

    c3p0, a JDBC Connection pooling library, is vulnerable to attack via maliciously crafted Java-serialized objects and `javax.naming.Reference` instances. Several c3p0 `ConnectionPoolDataSource` implementations have a property called `userOverridesAsString`... Read more

    Affected Products :
    • Published: Feb. 26, 2026
    • Modified: Feb. 26, 2026
    • Vuln Type: Injection

  • 6.5

    MEDIUM
    CVE-2026-27829

    Astro is a web framework. In versions 9.0.0 through 9.5.3, a bug in Astro's image pipeline allows bypassing `image.domains` / `image.remotePatterns` restrictions, enabling the server to fetch content from unauthorized remote hosts. Astro provides an `infe... Read more

    Affected Products :
    • Published: Feb. 26, 2026
    • Modified: Feb. 26, 2026
    • Vuln Type: Server-Side Request Forgery

  • 8.8

    HIGH
    CVE-2026-27976

    Zed, a code editor, has an extension installer allows tar/gzip downloads. Prior to version 0.224.4, the tar extractor (`async_tar::Archive::unpack`) creates symlinks from the archive without validation, and the path guard (`writeable_path_from_extension`)... Read more

    Affected Products :
    • Published: Feb. 26, 2026
    • Modified: Feb. 26, 2026
    • Vuln Type: Path Traversal

  • 7.1

    HIGH
    CVE-2026-27967

    Zed, a code editor, has a symlink escape vulnerability in versions prior to 0.225.9 in Agent file tools (`read_file`, `edit_file`). It allows reading and writing files **outside the project directory** when a project contains symbolic links pointing to ex... Read more

    Affected Products :
    • Published: Feb. 26, 2026
    • Modified: Feb. 26, 2026
    • Vuln Type: Path Traversal

  • 6.8

    MEDIUM
    CVE-2026-27933

    Manyfold is an open source, self-hosted web application for managing a collection of 3d models, particularly focused on 3d printing. Versions prior to 0.133.0 are vulnerable to session hijack via cookie leakage in proxy caches. Version 0.133.0 fixes the i... Read more

    Affected Products :
    • Published: Feb. 26, 2026
    • Modified: Feb. 26, 2026
    • Vuln Type: Misconfiguration

  • 7.7

    HIGH
    CVE-2026-27821

    GPAC is an open-source multimedia framework. In versions up to and including 26.02.0, a stack buffer overflow occurs during NHML file parsing in `src/filters/dmx_nhml.c`. The value of the xmlHeaderEnd XML attribute is copied from att->value into szXmlHead... Read more

    Affected Products :
    • Published: Feb. 26, 2026
    • Modified: Feb. 26, 2026
    • Vuln Type: Memory Corruption

  • 8.7

    HIGH
    CVE-2026-27818

    TerriaJS-Server is a NodeJS Express server for TerriaJS, a library for building web-based geospatial data explorers. A validation bug in versions prior to 4.0.3 allows an attacker to proxy domains not explicitly allowed in the `proxyableDomains` configura... Read more

    Affected Products :
    • Published: Feb. 26, 2026
    • Modified: Feb. 26, 2026
    • Vuln Type: Misconfiguration

  • 8.0

    HIGH
    CVE-2026-27812

    Sub2API is an AI API gateway platform designed to distribute and manage API quotas from AI product subscriptions. A vulnerability in versions prior to 0.1.85 is a Password Reset Poisoning (Host Header / Forwarded Header trust issue), which allows attacker... Read more

    Affected Products :
    • Published: Feb. 26, 2026
    • Modified: Feb. 26, 2026
    • Vuln Type: Authentication

  • 6.8

    MEDIUM
    CVE-2026-27809

    psd-tools is a Python package for working with Adobe Photoshop PSD files. Prior to version 1.12.2, when a PSD file contains malformed RLE-compressed image data (e.g. a literal run that extends past the expected row size), decode_rle() raises ValueError wh... Read more

    Affected Products :
    • Published: Feb. 26, 2026
    • Modified: Feb. 26, 2026
    • Vuln Type: Information Disclosure

  • 5.8

    MEDIUM
    CVE-2026-27808

    Mailpit is an email testing tool and API for developers. Prior to version 1.29.2, the Link Check API (/api/v1/message/{ID}/link-check) is vulnerable to Server-Side Request Forgery (SSRF). The server performs HTTP HEAD requests to every URL found in an ema... Read more

    Affected Products :
    • Published: Feb. 26, 2026
    • Modified: Feb. 26, 2026
    • Vuln Type: Server-Side Request Forgery

  • 9.3

    CRITICAL
    CVE-2026-27804

    Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.3 and 9.1.1-alpha.4, an unauthenticated attacker can forge a Google authentication token with `alg: "none"` to log in as any user... Read more

    Affected Products :
    • Published: Feb. 26, 2026
    • Modified: Feb. 26, 2026
    • Vuln Type: Authentication

  • 7.4

    HIGH
    CVE-2026-27800

    Zed, a code editor, has a Zip Slip (Path Traversal) vulnerability exists in its extension archive extraction functionality prior to version 0.224.4. The `extract_zip()` function in `crates/util/src/archive.rs` fails to validate ZIP entry filenames for pat... Read more

    Affected Products :
    • Published: Feb. 26, 2026
    • Modified: Feb. 26, 2026
    • Vuln Type: Path Traversal

  • 4.0

    MEDIUM
    CVE-2026-27799

    ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, a heap buffer over-read vulnerability exists in the DJVU image format handler. The vulnerability occurs due to integer... Read more

    Affected Products :
    • Published: Feb. 26, 2026
    • Modified: Feb. 26, 2026
    • Vuln Type: Memory Corruption

  • 4.0

    MEDIUM
    CVE-2026-27798

    ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, a heap buffer over-read vulnerability occurs when processing an image with small dimension using the `-wavelet-denoise... Read more

    Affected Products :
    • Published: Feb. 26, 2026
    • Modified: Feb. 26, 2026
    • Vuln Type: Memory Corruption

  • 6.4

    MEDIUM
    CVE-2026-27735

    Model Context Protocol Servers is a collection of reference implementations for the model context protocol (MCP). In mcp-server-git versions prior to 2026.1.14, the git_add tool did not validate that file paths provided in the files argument were within t... Read more

    Affected Products :
    • Published: Feb. 26, 2026
    • Modified: Feb. 26, 2026
    • Vuln Type: Path Traversal

  • 5.1

    MEDIUM
    CVE-2026-27711

    NanaZip is an open source file archive. Starting in version 5.0.1252.0 and prior to versions 6.0.1638.0 and 6.5.1638.0, a memory corruption vulnerability in NanaZip’s UFS parser allows a crafted `.ufs/.ufs2/.img` file to trigger out-of-bounds memory acces... Read more

    Affected Products :
    • Published: Feb. 26, 2026
    • Modified: Feb. 26, 2026
    • Vuln Type: Memory Corruption

  • 5.1

    MEDIUM
    CVE-2026-27710

    NanaZip is an open source file archive. Starting in version 5.0.1252.0 and prior to versions 6.0.1638.0 and 6.5.1638.0, a denial-of-service vulnerability exists in NanaZip’s `.NET Single File Application` parser. A crafted bundle can force an integer unde... Read more

    Affected Products :
    • Published: Feb. 26, 2026
    • Modified: Feb. 26, 2026
    • Vuln Type: Denial of Service

  • 5.1

    MEDIUM
    CVE-2026-27709

    NanaZip is an open source file archive. Starting in version 5.0.1252.0 and prior to versions 6.0.1638.0 and 6.5.1638.0, NanaZip’s `.NET Single File Application` parser has an out-of-bounds read vulnerability in manifest parsing. A crafted bundle can provi... Read more

    Affected Products :
    • Published: Feb. 26, 2026
    • Modified: Feb. 26, 2026
    • Vuln Type: Memory Corruption
Showing 20 of 4982 Results