Live CVE feed — high and critical vulnerability disclosures tracked as they drop.
🚨 CVE-2026-5575 A vulnerability was detected in SourceCodester/jkev Record Management System 1.0. Affected by this vulnerability is an unknown functionality of the file index.php of...
🚨 CVE-2026-5553 A vulnerability was identified in itsourcecode Online Cellphone System 1.0. Affected by this vulnerability is an unknown functionality of the file /cp/available.php of...
🚨 CVE-2026-5551 A security flaw has been discovered in itsourcecode Free Hotel Reservation System 1.0. This vulnerability affects unknown code of the file /hotel/admin/login.php of...
🚨 CVE-2026-5534 A vulnerability was identified in itsourcecode Online Enrollment System 1.0. This affects an unknown function of the file /sms/user/index.php?view=edit&id=10 of the component Parameter...
🚨 CVE-2026-5531 A vulnerability has been found in SourceCodester Student Result Management System 1.0. Impacted is an unknown function of the file /logincredentials.txt of the...
This is due to a missing ownership verification on the changeplansubid parameter in the processcheckout() function.
🚨 CVE-2026-34776 Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to versions 38.8.6, 39.8.1, 40.8.1, and 41.0.0, on...
🚨 CVE-2026-34770 Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to versions 38.8.6, 39.8.1, 40.8.0, and 41.0.0-beta.8, apps...
🚨 CVE-2026-27447 OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.16 and prior, CUPS daemon (cupsd)...
🚨 CVE-2026-22661 prompts.chat prior to commit 0f8d4c3 contains a path traversal vulnerability in skill file handling that allows attackers to write arbitrary files to the...
🚨 CVE-2026-32716 SciTokens is a reference library for generating and using SciTokens. Prior to version 1.9.6, the Enforcer incorrectly validates scope paths by using a...
🚨 CVE-2026-33997 Moby is an open source container framework. Prior to version 29.3.1, a security vulnerability has been detected that allows plugins privilege validation to...
🚨 CVE-2026-34040 Moby is an open source container framework. Prior to version 29.3.1, a security vulnerability has been detected that allows attackers to bypass authorization...
🚨 CVE-2026-30311 Ridvay Code's command auto-approval module contains a critical OS command injection vulnerability that renders its whitelist security mechanism completely ineffective.
🚨 CVE-2024-28862 The Ruby One Time Password library (ROTP) is an open source library for generating and validating one time passwords. Affected versions had overly...
🚨 CVE-2022-21693 OnionShare is an open source tool that lets you securely and anonymously share files, host websites, and chat with friends using the Tor...
🚨 CVE-2026-32113 Discourse is an open-source discussion platform. While this cookie is normally set during legitimate DiscourseConnect Provider flows with cryptographically validated SSO payloads, cookies...
🚨 CVE-2025-24085 A use after free issue was addressed with improved memory management. This issue is fixed in iOS 18.3 and iPadOS 18.3, iPadOS 17.7.6,...
🚨 CVE-2024-44309 A cookie management issue was addressed with improved state management. This issue is fixed in Safari 18.1.1, iOS 17.7.2 and iPadOS 17.7.2, iOS...
🚨 CVE-2024-44308 The issue was addressed with improved checks. This issue is fixed in Safari 18.1.1, iOS 17.7.2 and iPadOS 17.7.2, iOS 18.1.1 and iPadOS...
🚨 CVE-2026-4350 The Perfmatters plugin for WordPress is vulnerable to arbitrary file deletion via path traversal in all versions up to, and including, 2.5.9.1. This...
🚨 CVE-2026-0945 Privilege Defined With Unsafe Actions vulnerability in Drupal Role Delegation allows Privilege Escalation.This issue affects Role Delegation: from 1.3.0 before 1.5.0.
🚨 CVE-2025-55102 A denial-of-service vulnerability exists in the NetX IPv6 component functionality of Eclipse ThreadX NetX Duo. A specially crafted network packet of "Packet Too...
🚨 CVE-2026-34389 Fleet is open source device management software. Prior to 4.81.0, Fleet contained an issue in the user invitation flow where the email address...
🚨 CVE-2026-34388 Fleet is open source device management software. Prior to 4.81.0, a denial-of-service vulnerability in Fleet's gRPC Launcher endpoint allows an authenticated host to...
🚨 CVE-2026-34373 Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.66 and...
CVE-2026-3502 — TrueConf Client contains a download of code without integrity check vulnerability. An attacker who is able to influence the update delivery path can...
🚨 CVE-2026-5326 A vulnerability was identified in SourceCodester Leave Application System 1.0. Impacted is an unknown function of the file /index.php?page=manage_user of the…
🚨 CVE-2026-32145 Allocation of Resources Without Limits or Throttling vulnerability in gleam-wisp wisp allows a denial of service via multipart form body parsing. The…
🚨 CVE-2026-33613 Due to the improper neutralisation of special elements used in an OS command, a remote attacker can exploit an RCE vulnerability in the...
🚨 CVE-2026-5325 A vulnerability was determined in SourceCodester Simple Customer Relationship Management System 1.0. This issue affects some unknown processing of the file…
🚨 CVE-2026-5319 A security vulnerability has been detected in itsourcecode Payroll Management System up to 1.0. Affected is an unknown function of the file /navbar.php....
🚨 CVE-2026-34560 CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version…
🚨 CVE-2026-34559 CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version…
🚨 CVE-2025-9293 A vulnerability in the certificate validation logic may allow applications to accept untrusted or improperly validated server identities during TLS communication.
🚨 CVE-2025-9292 A permissive web security configuration may allow cross-origin restrictions enforced by modern browsers to be bypassed under specific circumstances. Exploitation…
🚨 CVE-2026-26056 Yoke is a Helm-inspired infrastructure-as-code (IaC) package deployer. In 0.19.0 and earlier, a vulnerability exists in the Air Traffic Controller (ATC)…
🚨 CVE-2026-34442 FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to version 1.8.211, host header manipulation in FreeScout...
🚨 CVE-2025-53906 Vim is an open source, command line text editor. Prior to version 9.1.1551, a path traversal issue in Vim’s zip.vim plugin can allow...
🚨 CVE-2026-33537 Lychee is a free, open-source photo-management tool. The patch introduced for GHSA-cpgw-wgf3-xc6v (SSRF via `Photo::fromUrl`) contains an incomplete IP…
🚨 CVE-2026-33531 InvenTree is an Open Source Inventory Management System. Prior to version 1.2.6, a path traversal vulnerability in the report template engine allows a…...
🚨 CVE-2026-33530 InvenTree is an Open Source Inventory Management System. Prior to version 1.2.6, certain API endpoints associated with bulk data operations can be hijacked...
🚨 CVE-2026-33726 Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Prior to versions 1.17.14, 1.18.8, and 1.19.2, Ingress Network…
🚨 CVE-2026-33747 BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. Prior to version 0.28.1, when...
🚨 CVE-2026-4628 A flaw was found in Keycloak. An improper Access Control vulnerability in Keycloak’s User-Managed Access (UMA) resource_set endpoint allows attackers with valid…
🚨 CVE-2026-33674 PrestaShop is an open source e-commerce web application. Versions prior to 8.2.5 and 9.1.0 improperly use the validation framework. Versions 8.2.5 and 9.1.0…...
🚨 CVE-2026-33673 PrestaShop is an open source e-commerce web application. Versions prior to 8.2.5 and 9.1.0 are vulnerable to stored Cross-Site Scripting (stored XSS)…
🚨 CVE-2026-33672 Picomatch is a glob matcher written JavaScript. Versions prior to 4.0.4, 3.0.2, and 2.3.2 are vulnerable to a method injection vulnerability affecting the…...
🚨 CVE-2026-33671 Picomatch is a glob matcher written JavaScript. Versions prior to 4.0.4, 3.0.2, and 2.3.2 are vulnerable to Regular Expression Denial of Service (ReDoS)...
🚨 CVE-2026-33661 Pay is an open-source payment SDK extension package for various Chinese payment services. Prior to version 3.7.20, the `verify_wechat_sign()` function in…
CVE-2026-5281 — Google Dawn contains an use-after-free vulnerability that could allow a remote attacker who had compromised the renderer process to execute arbitrary code via...
🚨 CVE-2026-28038 Missing Authorization vulnerability in Brainstorm Force Ultimate Addons for WPBakery Page Builder allows Exploiting Incorrectly Configured Access Control…
🚨 CVE-2026-3776 The application does not validate the presence of required appearance (AP) data before accessing stamp annotation resources. When a PDF contains a stamp…...
🚨 CVE-2026-34215 Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.63 and...
🚨 CVE-2026-33438 Stirling-PDF is a locally hosted web application that allows you to perform various operations on PDF files. Versions starting in 2.1.5 and prior...
🚨 CVE-2026-33996 LibJWT is a C JSON Web Token Library. Starting in version 3.0.0 and prior to version 3.3.0, the JWK parsing for RSA-PSS did...
🚨 CVE-2026-3573 Incorrect Authorization vulnerability in Drupal AI (Artificial Intelligence) allows Resource Injection.This issue affects AI (Artificial Intelligence): from 0.0.0…
🚨 CVE-2026-3526 Incorrect Authorization vulnerability in Drupal File Access Fix (deprecated) allows Forceful Browsing.This issue affects File Access Fix (deprecated): from 0.0.0…
🚨 CVE-2026-33045 Home Assistant is open source home automation software that puts local control and privacy first. Starting in version 2025.02 and prior to version...
🚨 CVE-2026-3525 Incorrect Authorization vulnerability in Drupal File Access Fix (deprecated) allows Forceful Browsing.This issue affects File Access Fix (deprecated): from 0.0.0…
🚨 CVE-2026-0558 A vulnerability in parisneo/lollms, up to and including version 2.2.0, allows unauthenticated users to upload and process files through the…
🚨 CVE-2026-3210 Incorrect Authorization vulnerability in Drupal Material Icons allows Forceful Browsing.This issue affects Material Icons: from 0.0.0 before 2.0.4. 🎖@cveNotify
🚨 CVE-2026-27876 A chained attack via SQL Expressions and a Grafana Enterprise plugin can lead to a remote arbitrary code execution impact (RCE). This is...
🚨 CVE-2026-30574 A Business Logic vulnerability exists in SourceCodester Pharmacy Product Management System 1.0 in the add-sales.php file. The application fails to verify if the…...
🚨 CVE-2026-28368 A flaw was found in Undertow. This vulnerability allows a remote attacker to construct specially crafted requests where header names are parsed differently...
🚨 CVE-2025-15615 Wazuh Manager authd service in wazuh-manager packages through version 4.7.3 contains an improper restriction of client-initiated SSL/TLS renegotiation…
🚨 CVE-2026-24148 NVIDIA Jetson for JetPack contains a vulnerability in the system initialization logic, where an unprivileged attacker could cause the initialization of a…
🚨 CVE-2026-34247 WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `plugin/Live/uploadPoster.php` endpoint allows any authenticated user to…...
🚨 CVE-2026-34245 WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `plugin/PlayLists/View/Playlists_schedules/add.json.php` endpoint allows…
🚨 CVE-2026-33623 PinchTab is a standalone HTTP server that gives AI agents direct control over a Chrome browser. PinchTab `v0.8.4` contains a Windows-only command injection...
🚨 CVE-2026-33622 PinchTab is a standalone HTTP server that gives AI agents direct control over a Chrome browser. PinchTab `v0.8.3` through `v0.8.5` allow arbitrary JavaScript…...
🚨 CVE-2025-14905 A flaw was found in the 389-ds-base server. A heap buffer overflow vulnerability exists in the `schema_attr_enum_callback` function within the `schema.c` file.
🚨 CVE-2025-54236 Adobe Commerce versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier are affected by an Improper Input Validation vulnerability.
🚨 CVE-2026-34036 Dolibarr is an enterprise resource planning (ERP) and customer relationship management (CRM) software package. In versions 22.0.4 and prior, there is a Local…...
🚨 CVE-2026-34557 CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version…
🚨 CVE-2026-21710 A flaw in Node.js HTTP request handling causes an uncaught `TypeError` when a request is received with a header named `__proto__` and the...
🚨 CVE-2026-33992 pyLoad is a free and open-source download manager written in Python. Prior to version 0.5.0b3.dev97, PyLoad's download engine accepts arbitrary URLs without…
🚨 CVE-2026-29044 EVerest is an EV charging software stack. Prior to version 2026.02.0, when WithdrawAuthorization is processed before the TransactionStarted event, AuthHandler…
🚨 CVE-2026-32970 OpenClaw before 2026.3.11 contains a credential fallback vulnerability where unavailable local gateway.auth.token and gateway.auth.password SecretRefs are…
🚨 CVE-2026-32917 OpenClaw before 2026.3.13 contains a remote command injection vulnerability in the iMessage attachment staging flow that allows attackers to execute arbitrary…
CVE-2025-53521 — F5 BIG-IP APM contains a stack-based buffer overflow vulnerability that could allow a threat actor to achieve remote code execution.
CVE-2026-33634 — Aquasecurity Trivy contains an embedded malicious code vulnerability that could allow an attacker to gain access to everything in the CI/CD environment, including...
CVE-2026-33017 — Langflow contains a code injection vulnerability that could allow building public flows without requiring authentication.
CVE-2025-54068 — Laravel Livewire contain a code injection vulnerability that could allow unauthenticated attackers to achieve remote command execution in specific scenarios.
CVE-2025-43520 — Apple watchOS, iOS, iPadOS, macOS, visionOS, and tvOS contain a classic buffer overflow vulnerability which could allow a malicious application to cause unexpected...
CVE-2025-43510 — Apple watchOS, iOS, iPadOS, macOS, visionOS, and tvOS contain an improper locking vulnerability that could allow a malicious application to cause unexpected changes...
CVE-2025-32432 — Craft CMS contains a code injection vulnerability that allows a remote attacker to execute arbitrary code.
CVE-2025-31277 — Apple Safari, iOS, watchOS, visionOS, iPadOS, macOS, and tvOS contain a buffer overflow vulnerability that could allow the processing of maliciously crafted web...
CVE-2026-20131 — Cisco Secure Firewall Management Center (FMC) Software and Cisco Security Cloud Control (SCC) Firewall Management contain a deserialization of untrusted data vulnerability in...
CVE-2026-20963 — Microsoft SharePoint contains a deserialization of untrusted data vulnerability that allows an unauthorized attacker to execute code over a network.
CVE-2025-66376 — Synacor Zimbra Collaboration Suite (ZCS) contains a cross-site scripting vulnerability in the Classic UI where attackers could abuse Cascading Style Sheets (CSS) @import...
CVE-2025-47813 — Wing FTP Server contains a generation of error message containing sensitive information vulnerability when using a long value in the UID cookie.
The INCD has issued an advisory regarding Microsoft's monthly security updates addressing approximately 87 vulnerabilities, including 3 critical, 6 with high exploitation probability, and 20...
CVE-2026-3910 — Google Chromium V8 contains an improper restriction of operations within the bounds of a memory buffer vulnerability that could allow a remote attacker...
CVE-2026-3909 — Google Skia contains an out-of-bounds write vulnerability that could allow a remote attacker to perform out of bounds memory access via a crafted...
CVE-2025-68613 — n8n contains an improper control of dynamically managed code resources vulnerability in its workflow expression evaluation system that allows for remote code execution....
CVE-2026-1603 — Ivanti Endpoint Manager (EPM) contains an authentication bypass using an alternate path or channel vulnerability that could allow a remote unauthenticated attacker to...
CVE-2025-26399 — SolarWinds Web Help Desk contain a deserialization of untrusted data vulnerability in AjaxProxy that could allow an attacker to run commands on the...
CVE-2021-22054 — Omnissa Workspace One UEM formerly known as VMware Workspace One UEM contains a server-side request forgery (SSRF) vulnerability that could allow a malicious...
CVE-2023-43000 — Apple macOS, iOS, iPadOS, and Safari 16.6 contain a use-after-free vulnerability due to the processing of maliciously crafted web content that may lead...
CVE-2023-41974 — Apple iOS and iPadOS contain a use-after-free vulnerability. An app may be able to execute arbitrary code with kernel privileges.
CVE-2021-30952 — Apple tvOS, macOS, Safari, iPadOS and watchOS contain an integer overflow or wraparound vulnerability due to the processing of maliciously crafted web content...
CVE-2021-22681 — Multiple Rockwell products contain an insufficient protected credentials vulnerability. Studio 5000 Logix Designer software may allow a key to be discovered. This key...
CVE-2017-7921 — Multiple Hikvision products contain an improper authentication vulnerability that could allow a malicious user to escalate privileges on the system and gain access...
Get critical CVE alerts, threat intel drops, and curated cyber insights — straight to your inbox.
No spam. Unsubscribe anytime. Privacy Policy
