Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
5.4 MEDIUM
CVE-2026-57980 — Microsoft Edge (Chromium-based) Tampering Vulnerability

Authentication bypass using an alternate path or channel in Microsoft Edge (Chromium-based) allows an unauthorized attacker to perform tampering over a network.

Jul 17, 2026 Jul 17, 2026
Jul 17, 2026
Jul 17, 2026
7.5 HIGH
CVE-2026-56741 — JLine: Unauthenticated Remote DoS via Unbounded Telnet NAWS Terminal Geometry

JLine is a Java library for handling console input. Prior to 3.30.14, 4.0.16, and 4.2.1, the JLine3 Telnet server remote-telnet module does not apply an upper bound to terminal dimensions received vi…

Remote | Denial of Service
Jul 17, 2026 Jul 17, 2026
Jul 17, 2026
Jul 17, 2026
7.5 HIGH
CVE-2026-56740 — JLine: Unauthenticated Remote Memory Exhaustion via Unbounded Telnet NEW-ENVIRON Variables

JLine is a Java library for handling console input. Prior to 3.30.14, 4.0.16, and 4.2.1, the JLine3 Telnet server remote-telnet module does not limit the number of environment variables a client may …

Remote | Denial of Service
Jul 17, 2026 Jul 17, 2026
Jul 17, 2026
Jul 17, 2026
7.1 HIGH
CVE-2026-56171 — Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability

Exposure of private personal information to an unauthorized actor in Windows RDP allows an unauthorized attacker to disclose information over a network.

Jul 17, 2026 Jul 17, 2026
Jul 17, 2026
Jul 17, 2026
3.7 LOW
CVE-2026-54335 — Feathersjs: Prototype pollution in @feathersjs/commons _.merge via JSON-parsed __proto__

Feathersjs is a framework for creating web APIs and real-time applications with TypeScript or JavaScript. In 5.0.44 and earlier, the _.merge(target, source) utility exported by @feathersjs/commons re…

feathers | Remote | Misconfiguration
Jul 17, 2026 Jul 17, 2026
Jul 17, 2026
Jul 17, 2026
7.5 HIGH
CVE-2026-49485 — HAPI FHIR: ReDoS via FHIRPath matches()/replaceMatches() in FHIR Validator HTTP Endpoint

HAPI FHIR is a complete implementation of the HL7 FHIR standard for healthcare interoperability in Java. Prior to 6.9.9 and 6.9.4.2, all implementations of FHIRPathEngine accept arbitrary FHIRPath ex…

Remote | Denial of Service
Jul 17, 2026 Jul 17, 2026
Jul 17, 2026
Jul 17, 2026
5.3 MEDIUM
CVE-2026-48049 — @hapi/inert: Static-file confinement bypass via sibling-prefix path

@hapi/inert provides static file and directory handlers for hapi.js. From 4.0.0 to 7.1.0, @hapi/inert serves static files from a directory configured with path in the directory or file handlers or re…

Remote | Path Traversal
Jul 17, 2026 Jul 17, 2026
Jul 17, 2026
Jul 17, 2026
6.5 MEDIUM
CVE-2026-48022 — @hapi/wreck: Sensitive credential headers leak across cross-port and cross-scheme redirec…

@hapi/wreck is an HTTP client utility. Prior to 18.1.2, Wreck strips credential headers including Authorization, Cookie, and Proxy-Authorization before following a cross-origin redirect, but the orig…

Remote | Information Disclosure
Jul 17, 2026 Jul 17, 2026
Jul 17, 2026
Jul 17, 2026
6.3 MEDIUM
CVE-2026-44979 — @hapi/wreck : Sensitive `Proxy-Authorization` header leaked across cross-hostname redirec…

@hapi/wreck is an HTTP client utility. Prior to 18.1.1, when @hapi/wreck follows a 3xx redirect to a different hostname, only the Authorization and Cookie headers are stripped, and the standard crede…

Remote | Misconfiguration
Jul 17, 2026 Jul 17, 2026
Jul 17, 2026
Jul 17, 2026
9.6 CRITICAL
CVE-2026-55518 — Avo: Missing Authorization in Avo Association Attach Endpoint Allows Unauthorized Relatio…

Avo is a framework to create admin panels for Ruby on Rails apps. Prior to 3.32.1 and 4.0.0.beta.51, Avo's association attach workflow checks attach_<association>? in the UI and GET /resources/:resou…

Remote | Authorization
Jul 17, 2026 Jul 17, 2026
Jul 17, 2026
Jul 17, 2026
8.7 HIGH
CVE-2026-54498 — view_component: around_render HTML-Safety Bypass

view_component is a framework for building reusable, testable, and encapsulated view components in Ruby on Rails. From 4.0.0 until 4.12.0, ViewComponent::Base#around_render can return HTML-unsafe str…

view_component | Remote | Cross-Site Scripting
Jul 17, 2026 Jul 17, 2026
Jul 17, 2026
Jul 17, 2026
6.8 MEDIUM
CVE-2026-54497 — view_component: Reused Component Instances Retain Stale Render Context

view_component is a framework for building reusable, testable, and encapsulated view components in Ruby on Rails. From 4.0.0 until 4.12.0, ViewComponent::Base instances retain render-scoped objects a…

view_component | Remote | Authorization
Jul 17, 2026 Jul 17, 2026
Jul 17, 2026
Jul 17, 2026
6.3 MEDIUM
CVE-2026-54490 — websocket-driver: Resource limit bypass via message compression

websocket-driver is a WebSocket protocol handler with pluggable I/O. Prior to 0.7.5, if this library is used with the permessage-deflate extension, a WebSocket server or client can be made to accept …

Remote | Denial of Service
Jul 17, 2026 Jul 17, 2026
Jul 17, 2026
Jul 17, 2026
9.2 CRITICAL
CVE-2026-54466 — websocket-driver: Message corruption via abuse of protocol length headers

websocket-driver is a WebSocket protocol handler with pluggable I/O. Prior to 0.7.5, the frame format in draft versions of the WebSocket protocol includes a length header that allows an arbitrarily l…

Remote | Denial of Service
Jul 17, 2026 Jul 17, 2026
Jul 17, 2026
Jul 17, 2026
3.5 LOW
CVE-2026-54244 — Statamic: Incorrect authorization lets view-only users submit Live Preview content reserv…

Statamic is a Laravel and Git powered content management system (CMS). Prior to 5.74.0 and 6.20.3, the Live Preview endpoint for existing entries and terms in src/Http/Controllers/CP/PreviewControlle…

Remote | Authorization
Jul 17, 2026 Jul 17, 2026
Jul 17, 2026
Jul 17, 2026
6.1 MEDIUM
CVE-2026-54243 — Statamic: CSV formula injection in form submission exports

Statamic is a Laravel and Git powered content management system (CMS). Prior to 5.73.24 and 6.20.1, form submission values in src/Forms/Exporters/CsvExporter.php were not neutralized for spreadsheet …

Remote | Cross-Site Scripting
Jul 17, 2026 Jul 17, 2026
Jul 17, 2026
Jul 17, 2026
4.9 MEDIUM
CVE-2026-54242 — Statamic: Server-Side Request Forgery via Glide (DNS rebinding)

Statamic is a Laravel and Git powered content management system (CMS). Prior to 5.73.24 and 6.20.1, the Glide image proxy's URL validation in src/Imaging/RemoteUrlValidator.php and src/Imaging/Guzzle…

Remote | Server-Side Request Forgery
Jul 17, 2026 Jul 17, 2026
Jul 17, 2026
Jul 17, 2026
4.7 MEDIUM
CVE-2026-54163 — secure_headers: CSP directive injection via sandbox, plugin_types, and report_to when giv…

secure_headers manages application of security headers with many safe defaults. Prior to 7.3.0, secure_headers builds the Content-Security-Policy value by stitching directives with ; separators, and …

Remote | Cross-Site Scripting
Jul 17, 2026 Jul 17, 2026
Jul 17, 2026
Jul 17, 2026
10.0 CRITICAL
CVE-2026-54159 — ps_facetedsearch: PHP Object Injection in faceted search cache allows unauthenticated RCE

PrestaShop ps_facetedsearch is a module that adds layered navigation filters. From 3.0.0 until 4.0.4, the ps_facetedsearch module rebuilds selected search filters from the request URL, and the value …

Remote | Injection
Jul 17, 2026 Jul 17, 2026
Jul 17, 2026
Jul 17, 2026
8.9 HIGH
CVE-2026-53727 — css_parser: SSRF and Local File Disclosure in `CssParser::Parser#read_remote_file`

css_parser is a Ruby CSS parser. From 2.2.0 until 3.0.0, CssParser::Parser#read_remote_file in lib/css_parser/parser.rb, and therefore load_uri! and the @import-following branch of add_block!, issued…

Remote | Server-Side Request Forgery
Jul 17, 2026 Jul 17, 2026
Jul 17, 2026
Jul 17, 2026
Showing 20 of 7866 Results