Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
6.5 MEDIUM
CVE-2026-15318 — Sipeed PicoClaw MQTT Channel mqtt.go authorization

A weakness has been identified in Sipeed PicoClaw up to 0.2.9. Affected by this issue is some unknown functionality of the file pkg/channels/mqtt/mqtt.go of the component MQTT Channel Handler. This m…

picoclaw | Remote | Authorization
Jul 10, 2026 Jul 10, 2026
Jul 10, 2026
Jul 10, 2026
0.0 NA
CVE-2026-15320 — Sipeed PicoClaw pico.go rt.ReloadConfig authorization

A vulnerability was detected in Sipeed PicoClaw up to 0.2.9. This vulnerability affects the function rt.ReloadConfig of the file pkg/channels/pico/pico.go. Performing a manipulation of the argument m…

picoclaw | Authorization
Jul 10, 2026 Jul 10, 2026
Jul 10, 2026
Jul 10, 2026
0.0 NA
CVE-2026-15319 — Sipeed PicoClaw Launcher access_control.go IPAllowlist access control

A security vulnerability has been detected in Sipeed PicoClaw up to 0.2.9. This affects the function IPAllowlist of the file web/backend/middleware/access_control.go of the component Launcher. Such m…

picoclaw | Authorization
Jul 10, 2026 Jul 10, 2026
Jul 10, 2026
Jul 10, 2026
9.2 CRITICAL
CVE-2026-55615 — Langroid: Neo4jChatAgent executes LLM-generated Cypher without validation (prompt-to-Cyph…

Langroid is a framework for building large-language-model-powered applications. Prior to version 0.65.5, Neo4jChatAgent passes LLM-generated Cypher queries straight to the Neo4j driver with no valida…

Remote | Injection
Jul 10, 2026 Jul 10, 2026
Jul 10, 2026
Jul 10, 2026
8.1 HIGH
CVE-2026-54771 — Langroid: handle_message() executes user-supplied tool JSON without sender verification

Langroid is a framework for building large-language-model-powered applications. Prior to version 0.65.3, a Langroid application exposing a chat interface to untrusted users may allow direct tool invo…

Remote | Authorization
Jul 10, 2026 Jul 10, 2026
Jul 10, 2026
Jul 10, 2026
10.0 CRITICAL
CVE-2026-54769 — Langroid: Sandbox Escape to Remote Code Execution via Incomplete `eval()` Mitigation in T…

Langroid is a framework for building large-language-model-powered applications. Versions prior to 0.65.2 are vulnerable to a critical Sandbox Escape leading to Remote Code Execution (RCE) in its `Tab…

Remote | Injection
Jul 10, 2026 Jul 10, 2026
Jul 10, 2026
Jul 10, 2026
9.3 CRITICAL
CVE-2026-54760 — Langroid: SQLChatAgent dangerous-function blocklist can be bypassed with quoted or schema…

Langroid is a framework for building large-language-model-powered applications. Prior to version 0.65.1, the `SQLChatAgent` SQL-injection mitigation, with default `allow_dangerous_operations=False`, …

Remote | Injection
Jul 10, 2026 Jul 10, 2026
Jul 10, 2026
Jul 10, 2026
7.1 HIGH
CVE-2026-50181 — Langroid: Path traversal in the file tools allows read/write outside configured current d…

Langroid is a framework for building large-language-model-powered applications. Prior to version 0.64.0, Langroid's `ReadFileTool` and `WriteFileTool` appear to treat `curr_dir` as the intended worki…

| Path Traversal
Jul 10, 2026 Jul 10, 2026
Jul 10, 2026
Jul 10, 2026
8.7 HIGH
CVE-2026-50180 — Langroid: SQLChatAgent _validate_query blocklist misses pg_read_file family enabling arbi…

Langroid is a framework for building large-language-model-powered applications. Prior to version 0.64.0, `SQLChatAgent` in `langroid` ships a `_validate_query` defense-in-depth layer whose `_DANGEROU…

Remote | Injection
Jul 10, 2026 Jul 10, 2026
Jul 10, 2026
Jul 10, 2026
7.5 HIGH
CVE-2026-15317 — Sipeed PicoClaw Guarded Web Fetch Flow web.go WebFetchTool.Execute server-side request fo…

A security flaw has been discovered in Sipeed PicoClaw up to 0.2.9. Affected by this vulnerability is the function WebFetchTool.Execute of the file pkg/tools/integration/web.go of the component Guard…

picoclaw | Remote | Server-Side Request Forgery
Jul 10, 2026 Jul 10, 2026
Jul 10, 2026
Jul 10, 2026
4.0 MEDIUM
CVE-2026-15311 — NousResearch hermes-agent Matrix Adapter matrix.py MatrixAdapter._markdown_to_html cross …

A vulnerability was identified in NousResearch hermes-agent up to 2026.5.29.2. Affected by this issue is the function MatrixAdapter._markdown_to_html of the file gateway/platforms/matrix.py of the co…

hermes-agent | Remote | Cross-Site Scripting
Jul 10, 2026 Jul 10, 2026
Jul 10, 2026
Jul 10, 2026
8.1 HIGH
CVE-2026-12598 — LoginPress Pro <= 6.2.3 - Unauthenticated Authentication Bypass via Unverified OAuth Emai…

The LoginPress Pro plugin for WordPress is vulnerable to authentication bypass in versions up to and including 6.2.3 via the Spotify Social Login addon. This is due to the loginpress_on_spotify_login…

Remote | Authentication
Jul 10, 2026 Jul 10, 2026
Jul 10, 2026
Jul 10, 2026
8.1 HIGH
CVE-2026-12597 — LoginPress Pro <= 6.2.3 - Unauthenticated Authentication Bypass via Unverified OAuth Emai…

The LoginPress Pro plugin for WordPress is vulnerable to Authentication Bypass via the GitHub OAuth callback in versions up to, and including, 6.2.3. The vulnerability exists in the loginpress_on_git…

Remote | Authentication
Jul 10, 2026 Jul 10, 2026
Jul 10, 2026
Jul 10, 2026
8.1 HIGH
CVE-2026-12595 — LoginPress Pro <= 6.2.3 - Unauthenticated Authentication Bypass via Unverified OAuth Emai…

The LoginPress Pro plugin for WordPress is vulnerable to Authentication Bypass via Unverified OAuth Email in all versions up to and including 6.2.3. The vulnerability exists in the loginpress_on_disc…

Remote | Authentication
Jul 10, 2026 Jul 10, 2026
Jul 10, 2026
Jul 10, 2026
8.4 HIGH
CVE-2026-59858 — Vim: Arbitrary Code Execution via C Omni-Completion

Vim is an open source, command line text editor. Prior to 9.2.0735, the C omni-completion script in runtime/autoload/ccomplete.vim interpolates the typeref: or typename: extension field of a tags ent…

| Injection
Jul 09, 2026 Jul 09, 2026
Jul 09, 2026
Jul 09, 2026
5.6 MEDIUM
CVE-2026-59857 — Vim: Out-of-bounds Write in SAL Soundfolding

Vim is an open source, command line text editor. Prior to 9.2.0725, the single-byte branch of spell_soundfold_sal() in src/spell.c translates a word through a spell file's SAL sound-folding rules int…

| Memory Corruption
Jul 09, 2026 Jul 09, 2026
Jul 09, 2026
Jul 09, 2026
8.4 HIGH
CVE-2026-59856 — Vim: Arbitrary Code Execution via PHP Omni-Completion

Vim is an open source, command line text editor. Prior to 9.2.0736, the PHP omni-completion script in runtime/autoload/phpcomplete.vim interpolates a class or trait name, taken from the contents of t…

| Injection
Jul 09, 2026 Jul 09, 2026
Jul 09, 2026
Jul 09, 2026
8.6 HIGH
CVE-2026-59855 — SiYuan: Store XSS To Rce via Asset.render

SiYuan is an open-source personal knowledge management system. Prior to 3.7.1, Asset.render in app/src/asset/index.ts interpolates the unsanitized this.path value into HTML assigned to innerHTML, all…

Remote | Cross-Site Scripting
Jul 09, 2026 Jul 09, 2026
Jul 09, 2026
Jul 09, 2026
4.9 MEDIUM
CVE-2026-59854 — SiYuan: Incomplete IsSensitivePath denylist: globalCopyFiles reads home-dir credential do…

SiYuan is an open-source personal knowledge management system. Prior to 3.7.1, POST /api/file/globalCopyFiles accepts attacker-supplied absolute source paths and relies on util.IsSensitivePath in ker…

Remote | Path Traversal
Jul 09, 2026 Jul 09, 2026
Jul 09, 2026
Jul 09, 2026
6.5 MEDIUM
CVE-2026-59853 — SiYuan: Publish-mode Reader can exfiltrate private saved-search Criteria via /api/storage…

SiYuan is an open-source personal knowledge management system. Prior to 3.7.1, the /api/storage/getCriteria endpoint returns saved search criteria from data/storage/criteria.json without the publish-…

Remote | Information Disclosure
Jul 09, 2026 Jul 09, 2026
Jul 09, 2026
Jul 09, 2026
Showing 20 of 7314 Results