Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
0.0 NA
CVE-2026-5270 — Authentication Bypass in Navigator and Blue Planet Products

An authentication bypass vulnerability exists in certain releases of Ciena Navigator Network Control Suite (NCS), Manage Control Plan (MCP), and Blue Planet products. The issue is caused by improper …

| Authentication
Jul 14, 2026 Jul 14, 2026
Jul 14, 2026
Jul 14, 2026
0.0 NA
CVE-2026-5269 — Navigator NCS and MCP System Accounts with Default Passwords

In Ciena's Navigator Network Control Suite (NCS) and Manage Control Plan (MCP), there are hidden system accounts used for internal software operations. Some of these accounts have default passwords t…

| Authentication
Jul 14, 2026 Jul 14, 2026
Jul 14, 2026
Jul 14, 2026
0.0 NA
CVE-2026-51808 — OpenHTJ2K Buffer Overflow Vulnerability

Buffer Overflow vulnerability in OpenHTJ2K v.0.18.4 and before allows an attacker to execute arbitrary code via the openhtj2k_decoder_impl::invoke, invoke_line_based, invoke_line_based_stream, and in…

| Memory Corruption
Jul 14, 2026 Jul 14, 2026
Jul 14, 2026
Jul 14, 2026
0.0 NA
CVE-2026-51807 — OpenHTJ2K Buffer Overflow Vulnerability

Buffer Overflow vulnerability in OpenHTJ2K v.0.18.4 and before allows an attacker to execute arbitrary code via the j2k_precinct_subband::parse_packet_header() in source/core/coding/coding_units.cpp

| Memory Corruption
Jul 14, 2026 Jul 14, 2026
Jul 14, 2026
Jul 14, 2026
0.0 NA
CVE-2026-36035 — CAXPerts UniversalPlantViewer WebServices Server Improper Access Control

Incorrect access control in the /api/License/deactivateOffline endpoint of CAXPerts UniversalPlantViewer WebServices Server v2.7.6 allows authenticated attackers with low-level privileges to cause a …

| Authorization
Jul 14, 2026 Jul 14, 2026
Jul 14, 2026
Jul 14, 2026
5.5 MEDIUM
CVE-2026-15753 — zhinianboke xianyu-auto-reply review approve trusting http permission methods on the serv…

A vulnerability was determined in zhinianboke xianyu-auto-reply on Server. Affected by this vulnerability is an unknown functionality of the file /api/v1/payment/withdraw/review?action=approve. Execu…

Remote | Authorization
Jul 14, 2026 Jul 14, 2026
Jul 14, 2026
Jul 14, 2026
7.5 HIGH
CVE-2026-15752 — zhinianboke xianyu-auto-reply Backend User Endpoint users authorization

A vulnerability was found in zhinianboke xianyu-auto-reply up to dcb445ad97816ad65299a7580ee0c8c8f929da84. Affected is an unknown function of the file /api/v1/users/ of the component Backend User End…

Remote | Authorization
Jul 14, 2026 Jul 14, 2026
Jul 14, 2026
Jul 14, 2026
5.3 MEDIUM
CVE-2026-15751 — mastergo-design mastergo-magic-mcp mcp__getComponentGenerator component-workflow.md execu…

A security vulnerability has been detected in mastergo-design mastergo-magic-mcp up to 0.2.0. The affected element is the function execute of the file mastergo/component-workflow.md of the component …

| Path Traversal
Jul 14, 2026 Jul 14, 2026
Jul 14, 2026
Jul 14, 2026
0.0 NA
CVE-2025-56365 — Matter SDK Reachable Assertion Vulnerability

A reachable assertion vulnerability exists in the Matter SDK (connectedhomeip) before 1.4.0, in the interaction model command processing logic. When an InvokeCommandRequest is sent to a nonexistent e…

| Misconfiguration
Jul 14, 2026 Jul 14, 2026
Jul 14, 2026
Jul 14, 2026
0.0 NA
CVE-2025-56364 — Matter SDK Use of Uninitialized Value Vulnerability

A use of uninitialized value vulnerability exists in the Matter SDK (connectedhomeip) before 1.4.0, where the `GetDestinationGroupId().Value()` method is called without first checking whether a value…

| Memory Corruption
Jul 14, 2026 Jul 14, 2026
Jul 14, 2026
Jul 14, 2026
0.0 NA
CVE-2025-56363 — Matter SDK Null Pointer Dereference Denial of Service Vulnerability

A null pointer dereference vulnerability exists in the Matter SDK (connectedhomeip) before 1.4.0, affecting the ReadRevisionAttribute function used in multiple clusters (Channel, Account Login, Targe…

| Denial of Service
Jul 14, 2026 Jul 14, 2026
Jul 14, 2026
Jul 14, 2026
0.0 NA
CVE-2025-56362 — Matter SDK Level Control Cluster Reachable Assertion Denial of Service

A reachable assertion vulnerability exists in the Matter SDK (connectedhomeip) before 1.4.2, specifically within the Level Control cluster's periodic server tick logic. When a MoveToLevel command is …

| Denial of Service
Jul 14, 2026 Jul 14, 2026
Jul 14, 2026
Jul 14, 2026
8.8 HIGH
CVE-2026-59733 — rclone `serve restic --private-repos` authorization bypass: `..` in the URL path lets an …

Rclone is a command-line program to sync files and directories to and from different cloud storage providers. Prior to 1.74.4, rclone serve restic --private-repos enforces authorization using the rou…

Remote | Path Traversal
Jul 14, 2026 Jul 14, 2026
Jul 14, 2026
Jul 14, 2026
5.0 MEDIUM
CVE-2026-59732 — rclone archive extract allows S3 destination prefix escape via crafted archive paths

Rclone is a command-line program to sync files and directories to and from different cloud storage providers. Prior to 1.74.4, rclone archive extract can write extracted files outside the user-select…

| Path Traversal
Jul 14, 2026 Jul 14, 2026
Jul 14, 2026
Jul 14, 2026
7.0 HIGH
CVE-2026-54684 — jadx: XAPK archive entries with absolute paths can plant drop-in plugins and achieve code…

jadx is a Dex to Java decompiler. From 1.5.2 to 1.5.5, a malicious .xapk file can cause jadx to write attacker-controlled archive entry contents outside the intended XAPK plugin temporary unpack dire…

| Path Traversal
Jul 14, 2026 Jul 14, 2026
Jul 14, 2026
Jul 14, 2026
7.5 HIGH
CVE-2026-54572 — rclone: Unvalidated symlink target in local `--links` — arbitrary file write from an untr…

Rclone is a command-line program to sync files and directories to and from different cloud storage providers. Prior to 1.74.4, with -l/--links, rclone serializes symlinks as .rclonelink text objects …

Remote | Path Traversal
Jul 14, 2026 Jul 14, 2026
Jul 14, 2026
Jul 14, 2026
8.8 HIGH
CVE-2026-50130 — Pi-hole: Local privilege escalation from `pihole` user to root via `/etc/pihole/logrotate`

Pi-hole is a DNS sinkhole that protects devices from unwanted content without installing any client-side software. From 6.0 to 6.4.2, a user with code execution as the unprivileged pihole user can es…

| Authentication
Jul 14, 2026 Jul 14, 2026
Jul 14, 2026
Jul 14, 2026
6.0 MEDIUM
CVE-2026-49981 — Twig: Sandbox filter, tag and function allow-list bypass when sandbox state changes betwe…

Twig is a template language for PHP. Prior to 3.27.0, the per-template filter, tag, and function allow-list verdict is computed when a Template instance is constructed and can remain cached after san…

twig | Remote | Misconfiguration
Jul 14, 2026 Jul 14, 2026
Jul 14, 2026
Jul 14, 2026
6.0 MEDIUM
CVE-2026-48808 — Twig: Sandbox property allowlist bypass via the `column` filter under `SourcePolicyInterf…

Twig is a template language for PHP. Prior to 3.27.0, the column filter passes the active sandbox state as a boolean but does not forward the current Source to SandboxExtension::checkPropertyAllowed(…

twig | Remote | Misconfiguration
Jul 14, 2026 Jul 14, 2026
Jul 14, 2026
Jul 14, 2026
7.1 HIGH
CVE-2026-48807 — Twig: Sandbox `__toString()` policy bypass via `Traversable` in `join` and `replace` filt…

Twig is a template language for PHP. Prior to 3.27.0, the sandbox __toString() checks do not fully cover Traversable values passed to join and replace filters or operands evaluated by the in and not …

twig | Remote | Misconfiguration
Jul 14, 2026 Jul 14, 2026
Jul 14, 2026
Jul 14, 2026
Showing 20 of 8384 Results