Latest CVE Feed

The list below shows the most recently published vulnerabilities. You can filter it by severity, by whether the vulnerability is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog (that is, known to be actively exploited), or by whether it is remotely exploitable, and sort it by published date, last updated date, or CVSS score.
  • CVE-2026-28219 (CVSS 1.3, LOW)
    Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, an improper authorization check in the topic management logic allows authenticated users to modify privileged attributes of their topics. By manipulating...
    Affected Products: discourse
    • Published: Feb. 26, 2026
    • Modified: Feb. 27, 2026
    • Vuln Type: Authorization
  • CVE-2026-28218 (CVSS 5.3, MEDIUM)
    Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, fail-open access control in Data Explorer plugin allows any authenticated user to execute SQL queries that have no explicit group assignments, including ...
    Affected Products: discourse
    • Published: Feb. 26, 2026
    • Modified: Feb. 27, 2026
    • Vuln Type: Authorization
  • CVE-2026-27835 (CVSS 4.3, MEDIUM)
    wger is a free, open-source workout and fitness manager. In versions up to and including 2.4, `RepetitionsConfigViewSet` and `MaxRepetitionsConfigViewSet` return all users' repetition config data because their `get_queryset()` calls `.all()` instead of fi...
    Affected Products: wger
    • Published: Feb. 26, 2026
    • Modified: Feb. 27, 2026
    • Vuln Type: Authorization
  • CVE-2026-27457 (CVSS 4.3, MEDIUM)
    Weblate is a web based localization tool. Prior to version 5.16.1, the REST API's `AddonViewSet` (`weblate/api/views.py`, line 2831) uses `queryset = Addon.objects.all()` without overriding `get_queryset()` to scope results by user permissions. This allow...
    Affected Products: weblate
    • Published: Feb. 26, 2026
    • Modified: Feb. 27, 2026
    • Vuln Type: Authorization
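The wger and Weblate entries above describe the same Django REST Framework mistake: a ViewSet whose `queryset` is `Model.objects.all()` and whose `get_queryset()` is never overridden to scope rows to the requesting user, so every authenticated caller can list everyone's rows. What follows is an added example, not code from wger or Weblate, reduced to plain Python so it runs without Django installed: `QuerySet`, `Manager`, `ViewSetBase`, `User` and the `RepetitionsConfig` rows are constructed stand-ins for the DRF classes and a database table. The one behaviour it preserves from DRF is that the detail route looks the object up inside `get_queryset()`, which is why a single override fixes both list and detail.

```python
"""
Added example, not code from wger or Weblate: the unscoped-ViewSet pattern
named in CVE-2026-27835 and CVE-2026-27457, reduced to plain Python so it
runs without Django. QuerySet, Manager, ViewSetBase and the RepetitionsConfig
rows are constructed stand-ins for the DRF classes and a database table.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class User:
    id: int
    is_superuser: bool = False


@dataclass(frozen=True)
class RepetitionsConfig:
    id: int
    owner_id: int
    reps: int


# Constructed table: two rows belong to user 1, one to user 2.
TABLE = [
    RepetitionsConfig(id=1, owner_id=1, reps=8),
    RepetitionsConfig(id=2, owner_id=1, reps=12),
    RepetitionsConfig(id=3, owner_id=2, reps=5),
]


class QuerySet:
    """Minimal stand-in for a Django QuerySet (all / filter / iteration)."""

    def __init__(self, rows):
        self._rows = list(rows)

    def all(self):
        return QuerySet(self._rows)

    def filter(self, **lookups):
        kept = []
        for row in self._rows:
            matches = True
            for field, value in lookups.items():
                if getattr(row, field) != value:
                    matches = False
                    break
            if matches:
                kept.append(row)
        return QuerySet(kept)

    def __iter__(self):
        return iter(self._rows)


class Manager:
    """Stand-in for Model.objects."""

    def all(self):
        return QuerySet(TABLE)


class ViewSetBase:
    """Mirrors the DRF behaviour that matters here: the default get_queryset()
    hands back the class-level queryset untouched, and retrieve() looks the
    object up inside get_queryset(), as DRF's get_object() does."""

    queryset: Optional[QuerySet] = None

    def __init__(self, request_user: User):
        self.request_user = request_user

    def get_queryset(self) -> QuerySet:
        return self.queryset.all()

    def list(self):
        return [(r.id, r.owner_id, r.reps) for r in self.get_queryset()]

    def retrieve(self, pk: int) -> Optional[RepetitionsConfig]:
        # DRF would raise Http404 here; None stands in for that response.
        for row in self.get_queryset():
            if row.id == pk:
                return row
        return None


class VulnerableViewSet(ViewSetBase):
    # Class-level queryset covering every row and no get_queryset() override:
    # any authenticated caller lists (and retrieves) everyone's rows.
    queryset = Manager().all()


class FixedViewSet(ViewSetBase):
    queryset = Manager().all()

    def get_queryset(self) -> QuerySet:
        # Scope to the caller; this one override covers list and detail routes.
        user = self.request_user
        if user.is_superuser:
            return self.queryset.all()
        return self.queryset.filter(owner_id=user.id)
```

The check a reviewer wants on a DRF code base is mechanical: every ViewSet that declares `queryset = Model.objects.all()` on a per-user model must also override `get_queryset()` (or filter on `request.user` there); a permission class on the detail route alone does not narrow the list route.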
  • CVE-2026-27449 (CVSS 7.5, HIGH)
    Umbraco Engage is a business intelligence platform. A vulnerability has been identified in Umbraco Engage prior to versions 16.2.1 and 17.1.1 where certain API endpoints are exposed without enforcing authentication or authorization checks. The affected en...
    Affected Products: (none listed)
    • Published: Feb. 26, 2026
    • Modified: Feb. 27, 2026
    • Vuln Type: Authorization
  • CVE-2026-27154 (CVSS 1.3, LOW)
    Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, a user full name can be evaluated as raw HTML when the following settings are set: `display_name_on_posts` => true; and `prioritize_username_in_ux` => fa...
    Affected Products: discourse
    • Published: Feb. 26, 2026
    • Modified: Feb. 27, 2026
    • Vuln Type: Cross-Site Scripting
  • CVE-2026-27153 (CVSS 1.3, LOW)
    Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, moderators could export user Chat DMs via the CSV export endpoint by exploiting an overly permissive allowlist in `can_export_entity?`. The method allowe...
    Affected Products: discourse
    • Published: Feb. 26, 2026
    • Modified: Feb. 27, 2026
    • Vuln Type: Authorization
  • CVE-2026-25741 (CVSS 7.1, HIGH)
    Zulip is an open-source team collaboration tool. Prior to commit bf28c82dc9b1f630fa8e9106358771b20a0040f7, the API endpoint for creating a card update session during an upgrade flow was accessible to users with only organization member privileges. When th...
    Affected Products: zulip_server
    • Published: Feb. 26, 2026
    • Modified: Feb. 27, 2026
    • Vuln Type: Authorization
  • CVE-2026-27162 (CVSS 4.9, MEDIUM)
    Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, `posts_nearby` was checking topic access but then returning all posts regardless of type, including whispers that should only be visible to whisperers. U...
    Affected Products: discourse
    • Published: Feb. 26, 2026
    • Modified: Feb. 27, 2026
    • Vuln Type: Authorization
  • CVE-2026-27152 (CVSS 1.3, LOW)
    Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, DM communication-preference bypass when adding members via `Chat::AddUsersToChannel` — a user could add targets who have blocked/ignored/muted them to an...
    Affected Products: discourse
    • Published: Feb. 26, 2026
    • Modified: Feb. 27, 2026
    • Vuln Type: Authorization
  • CVE-2026-27151 (CVSS 1.3, LOW)
    Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, the `move_posts` action only checked `can_move_posts?` on the source topic but never validated write permissions on the destination topic. This allowed T...
    Affected Products: discourse
    • Published: Feb. 26, 2026
    • Modified: Feb. 27, 2026
    • Vuln Type: Authorization
  • CVE-2026-27150 (CVSS 1.3, LOW)
    Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, missing `validate_before_create` authorization in Data Explorer's `QueryGroupBookmarkable` allows any logged-in user to create bookmarks for query groups...
    Affected Products: discourse
    • Published: Feb. 26, 2026
    • Modified: Feb. 27, 2026
    • Vuln Type: Authorization
  • CVE-2026-27149 (CVSS 4.9, MEDIUM)
    Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, SQL injection in PM tag filtering (`list_private_messages_tag`) allows bypassing tag filter conditions, potentially disclosing unauthorized private messa...
    Affected Products: discourse
    • Published: Feb. 26, 2026
    • Modified: Feb. 27, 2026
    • Vuln Type: Injection
  • CVE-2026-27021 (CVSS 6.9, MEDIUM)
    Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, the voters endpoint in the poll plugin lacked post visibility checks which allowed unauthorized access to voters details of polls in any post. Versions 2...
    Affected Products: discourse
    • Published: Feb. 26, 2026
    • Modified: Feb. 27, 2026
    • Vuln Type: Authorization
  • CVE-2026-22207 (CVSS 9.8, CRITICAL)
    OpenViking through version 0.1.18, prior to commit 0251c70, contains a broken access control vulnerability that allows unauthenticated attackers to gain ROOT privileges when the root_api_key configuration is omitted. Attackers can send requests to protect...
    Affected Products: (none listed)
    • Published: Feb. 26, 2026
    • Modified: Feb. 27, 2026
    • Vuln Type: Authorization
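The OpenViking entry above (root privileges reachable when `root_api_key` is omitted) and the Discourse Data Explorer entry higher up (queries with no explicit group assignment runnable by any authenticated user) are both instances of fail-open authorization: the absence of a restriction is read as "no restriction", when it should be read as "deny". The following is an added example, not code from either project, showing each pattern beside its fail-closed form. The function names, the shape of the config dict and the group lists are assumptions made for the demonstration; how either project actually reads its configuration is not shown on this page.

```python
"""
Added example, not code from OpenViking or Discourse: two fail-open
authorization patterns written beside their fail-closed forms. Function
names, the config['root_api_key'] lookup and the group lists are assumptions.
"""
import hmac
from typing import Iterable, Optional


# Pattern 1: a resource (e.g. a saved query) with no explicit group assignment.
def query_allowed_vulnerable(user_groups: Iterable[str],
                             query_groups: Iterable[str]) -> bool:
    """Fail-open: an unassigned query carries no restriction, so everyone passes."""
    allowed = set(query_groups)
    if not allowed:
        return True
    return bool(set(user_groups) & allowed)


def query_allowed_fixed(user_groups: Iterable[str],
                        query_groups: Iterable[str],
                        is_admin: bool = False) -> bool:
    """Fail-closed: an unassigned query is runnable only by admins."""
    if is_admin:
        return True
    allowed = set(query_groups)
    if not allowed:
        return False
    return bool(set(user_groups) & allowed)


# Pattern 2: a privileged API key that a deployment may never have set.
def root_allowed_vulnerable(configured_key: Optional[str],
                            presented_key: Optional[str]) -> bool:
    """Fail-open: an unset key is treated as 'no check needed'."""
    if configured_key is None:
        return True
    return configured_key == presented_key


def root_allowed_fixed(configured_key: Optional[str],
                       presented_key: Optional[str]) -> bool:
    """Fail-closed: an unset or empty key makes the root role unreachable,
    and the comparison does not leak the prefix length through timing."""
    if not configured_key or not presented_key:
        return False
    return hmac.compare_digest(configured_key.encode(), presented_key.encode())


def load_root_key(config: dict) -> str:
    """Startup guard: refuse to boot rather than run with root auth disabled.
    Assumes the key is stored under config['root_api_key']."""
    key = config.get("root_api_key")
    if not isinstance(key, str) or not key:
        raise RuntimeError("root_api_key is missing; refusing to start")
    return key


def boots_with(config: dict) -> bool:
    """Helper for the demonstration: does the service accept this config?"""
    try:
        load_root_key(config)
        return True
    except RuntimeError:
        return False


if __name__ == "__main__":
    print("unassigned query, vulnerable:", query_allowed_vulnerable(["staff"], []))
    print("unassigned query, fixed:     ", query_allowed_fixed(["staff"], []))
    print("no root key, vulnerable:     ", root_allowed_vulnerable(None, None))
    print("no root key, fixed:          ", root_allowed_fixed(None, None))
    print("boots without key:           ", boots_with({}))
```

The design point is the same in both halves: the check must enumerate what is allowed and deny everything else, and a missing security setting is a deployment error to surface at startup, not a condition to silently pass through.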
  • CVE-2026-22206 (CVSS 8.8, HIGH)
    SPIP versions prior to 4.4.10 contain a SQL injection vulnerability that allows authenticated low-privilege users to execute arbitrary SQL queries by manipulating union-based injection techniques. Attackers can exploit this SQL injection flaw combined wit...
    Affected Products: spip
    • Published: Feb. 26, 2026
    • Modified: Feb. 27, 2026
    • Vuln Type: Injection
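Two of the entries above are SQL injection with different payoffs: the Discourse PM tag filter, where the injected text rewrites the WHERE clause so that the tag and ownership conditions no longer bind, and SPIP, where a UNION appends rows from another table to the result set. The following is an added example, not code from Discourse or SPIP, that reproduces both outcomes against a constructed SQLite schema (a users table, a private_messages table and a message_tags table invented for the demonstration) and then shows the parameterized query on which the same payloads do nothing.

```python
"""
Added example, not code from Discourse or SPIP: a string-built tag filter
with the two injection outcomes named above (filter bypass and UNION-based
extraction) beside the parameterized form. In-memory SQLite; the schema,
rows and payloads are constructed for the demonstration.
"""
import sqlite3


def build_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password_hash TEXT);
        CREATE TABLE private_messages (id INTEGER PRIMARY KEY, owner_id INTEGER, body TEXT);
        CREATE TABLE message_tags (message_id INTEGER, tag TEXT);
        INSERT INTO users VALUES (1, 'alice', 'hash-alice'), (2, 'bob', 'hash-bob');
        INSERT INTO private_messages VALUES
            (10, 1, 'alice: salary review'),
            (11, 2, 'bob: budget draft'),
            (12, 2, 'bob: todo');
        INSERT INTO message_tags VALUES (10, 'hr'), (11, 'budget'), (12, 'todo');
    """)
    return con


def pms_by_tag_vulnerable(con: sqlite3.Connection, user_id: int, tag: str):
    # The owner check is in the query, but the tag is spliced in as text, so
    # the caller controls the statement from that point on.
    sql = (
        "SELECT m.id, m.body FROM private_messages m "
        "JOIN message_tags t ON t.message_id = m.id "
        f"WHERE m.owner_id = {int(user_id)} AND t.tag = '{tag}' "
        "ORDER BY m.id"
    )
    return con.execute(sql).fetchall()


def pms_by_tag_fixed(con: sqlite3.Connection, user_id: int, tag: str):
    # Bound parameters: the tag is data and can never become SQL.
    sql = (
        "SELECT m.id, m.body FROM private_messages m "
        "JOIN message_tags t ON t.message_id = m.id "
        "WHERE m.owner_id = ? AND t.tag = ? "
        "ORDER BY m.id"
    )
    return con.execute(sql, (user_id, tag)).fetchall()


# Constructed payloads. AND binds tighter than OR, so the first turns the
# WHERE clause into (owner_id = 2 AND tag = 'x') OR TRUE and returns every
# user's messages; the second appends a UNION over the users table and
# comments out the rest of the statement.
BYPASS_PAYLOAD = "x' OR '1'='1"
UNION_PAYLOAD = "x' UNION SELECT id, password_hash FROM users--"


def run_demo() -> dict:
    con = build_db()
    bob = 2
    return {
        "legit": pms_by_tag_fixed(con, bob, "budget"),
        "bypass_vulnerable": pms_by_tag_vulnerable(con, bob, BYPASS_PAYLOAD),
        "union_vulnerable": sorted(pms_by_tag_vulnerable(con, bob, UNION_PAYLOAD)),
        "bypass_fixed": pms_by_tag_fixed(con, bob, BYPASS_PAYLOAD),
        "union_fixed": pms_by_tag_fixed(con, bob, UNION_PAYLOAD),
    }


if __name__ == "__main__":
    for name, rows in run_demo().items():
        print(f"{name}: {rows}")
```

Running it as bob shows the bypass payload returning alice's message alongside bob's and the UNION payload returning password hashes, while both payloads return nothing on the parameterized query. When a value genuinely cannot be bound (a column name in ORDER BY, for instance), the remaining defence is a strict allowlist of accepted identifiers, not escaping.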
  • CVE-2026-22205 (CVSS 8.7, HIGH)
    SPIP versions prior to 4.4.10 contain an authentication bypass vulnerability caused by PHP type juggling that allows unauthenticated attackers to access protected information. Attackers can exploit loose type comparisons in authentication logic to bypass ...
    Affected Products: spip
    • Published: Feb. 26, 2026
    • Modified: Feb. 27, 2026
    • Vuln Type: Authentication
  • CVE-2023-31364 (CVSS 8.3, HIGH)
    Improper handling of direct memory writes in the input-output memory management unit could allow a malicious guest virtual machine (VM) to flood a host with writes, potentially causing a fatal machine check error resulting in denial of service....
    Affected Products: (none listed)
    • Published: Feb. 26, 2026
    • Modified: Feb. 27, 2026
    • Vuln Type: Memory Corruption
  • CVE-2026-27510 (CVSS 9.6, CRITICAL)
    Unitree Go2 firmware versions 1.1.7 through 1.1.11, when used with the Unitree Go2 Android application (com.unitree.doggo2), are vulnerable to remote code execution due to missing integrity protection and validation of user-created programmes. The Android...
    Affected Products: (none listed)
    • Published: Feb. 26, 2026
    • Modified: Feb. 27, 2026
    • Vuln Type: Information Disclosure
  • CVE-2026-27509 (CVSS 8.5, HIGH)
    Unitree Go2 firmware versions V1.1.7 through V1.1.9 and V1.1.11 (EDU) do not implement DDS authentication or authorization for the Eclipse CycloneDDS topic rt/api/programming_actuator/request handled by actuator_manager.py. A network-adjacent, unauthentic...
    Affected Products: (none listed)
    • Published: Feb. 26, 2026
    • Modified: Feb. 27, 2026
    • Vuln Type: Authentication
Showing 20 of 4893 Results