Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
6.5 MEDIUM
CVE-2026-59149 — Mockoon: Path traversal in templated `filePath` lets a request escape the served director…

Mockoon provides way to design and run mock APIs. Prior to 9.7.0, a FILE response whose filePath embeds request data is confined by getSafeFilePath in packages/commons-server/src/libs/server/server.t…

Remote | Path Traversal
Jul 09, 2026 Jul 09, 2026
Jul 09, 2026
Jul 09, 2026
8.8 HIGH
CVE-2026-59148 — Mockoon: Unauthenticated admin API + wildcard CORS allows mock-state hijack and secret th…

Mockoon provides way to design and run mock APIs. Prior to 9.7.0, Mockoon's admin API in commons-server/src/libs/server/admin-api.ts is mounted on the same Express listener as user-defined mock route…

Remote
Jul 09, 2026 Jul 09, 2026
Jul 09, 2026
Jul 09, 2026
5.5 MEDIUM
CVE-2026-58198 — ChatterBot: Symlink-Following Arbitrary Write via UbuntuCorpusTrainer

ChatterBot is a machine learning, conversational dialog engine for creating chat bots. Prior to 1.2.14, UbuntuCorpusTrainer.extract() uses a predictable home-rooted output directory (~/ubuntu_data/ub…

Jul 09, 2026 Jul 09, 2026
Jul 09, 2026
Jul 09, 2026
5.1 MEDIUM
CVE-2026-55590 — CakePHP: Open redirect weakness via backslash bypass

CakePHP Authentication is an authentication plugin for CakePHP that can also be used in PSR-7 based applications. Prior to 2.11.1, 3.3.6, and 4.1.1, the getLoginRedirect() method contains a weakness …

Remote
Jul 09, 2026 Jul 09, 2026
Jul 09, 2026
Jul 09, 2026
7.5 HIGH
CVE-2026-54695 — Pipecat: Telephony WebSocket `/ws` Unauthenticated Call-Control Abuse via Attacker-Suppli…

Pipecat is an open-source Python framework for building real-time voice and multimodal conversational agents. Prior to 1.4.0, the pipecat development runner registers a /ws WebSocket endpoint for tel…

Remote
Jul 09, 2026 Jul 09, 2026
Jul 09, 2026
Jul 09, 2026
7.1 HIGH
CVE-2026-54005 — Kirby: `pages.access` permission is not checked in the `site/find` REST API route

Kirby is an open-source content management system. Prior to 4.9.4 and 5.4.4, Kirby sites where a role has the pages.access permission disabled allowed authenticated users who know or guess page IDs o…

kirby | Remote
Jul 09, 2026 Jul 09, 2026
Jul 09, 2026
Jul 09, 2026
6.3 MEDIUM
CVE-2026-54004 — Kirby: Access to files of top-level drafts is not protected by permissions

Kirby is an open-source content management system. Prior to 4.9.4 and 5.4.4, Kirby sites with content.fileRedirects enabled could redirect unauthenticated clean file URL requests for files stored in …

kirby | Remote
Jul 09, 2026 Jul 09, 2026
Jul 09, 2026
Jul 09, 2026
9.1 CRITICAL
CVE-2026-54003 — Kirby: External Initialization of the Panel on reverse proxy setups with the `Forwarded` …

Kirby is an open-source content management system. Prior to 4.9.4 and from 5.4.4, Kirby sites with no configured user accounts that run on publicly accessible servers behind a reverse proxy setting t…

kirby | Remote
Jul 09, 2026 Jul 09, 2026
Jul 09, 2026
Jul 09, 2026
8.5 HIGH
CVE-2026-54002 — Kirby: Cross-site scripting (XSS) from incomplete HTML/XML sanitization in `Dom::sanitize…

Kirby is an open-source content management system. Prior to 4.9.4 and 5.4.4, Kirby sites and plugins that use the writer or list fields or call Dom::sanitize(), Sane::sanitize(), Sane::Html::sanitize…

kirby | Remote
Jul 09, 2026 Jul 09, 2026
Jul 09, 2026
Jul 09, 2026
6.9 MEDIUM
CVE-2026-50188 — Kirby: Request header injection in `Http\Remote`

Kirby is an open-source content management system. Prior to 4.9.4 and 5.4.4, Kirby sites and plugins using the Kirby Http Remote class, including Remote::request(), Remote::get(), and Remote::post(),…

kirby | Remote
Jul 09, 2026 Jul 09, 2026
Jul 09, 2026
Jul 09, 2026
7.4 HIGH
CVE-2026-49276 — Kirby: Self cross-site scripting (self-XSS) in the writer field

Kirby is an open-source content management system. Prior to 4.9.4 and 5.4.4, Kirby sites using the writer field in any blueprint allowed a scripting link to be included as the target of a link or ema…

kirby | Remote
Jul 09, 2026 Jul 09, 2026
Jul 09, 2026
Jul 09, 2026
5.3 MEDIUM
CVE-2026-49274 — Kirby: `pages.access` permission is not checked in the pages picker for parent pages

Kirby is an open-source content management system. Prior to 4.9.4 and 5.4.4, Kirby sites using the pages field with roles that have the pages.access permission disabled allowed authenticated users to…

kirby | Remote
Jul 09, 2026 Jul 09, 2026
Jul 09, 2026
Jul 09, 2026
8.8 HIGH
CVE-2026-13492 — UsersWP <= 1.2.65 - Authenticated (Subscriber+) Arbitrary File Deletion via File Upload F…

The UsersWP plugin for WordPress is vulnerable to Arbitrary File Deletion in versions up to, and including, 1.2.65. This is due to insufficient validation of file-field values in the UsersWP_Validati…

Remote
Jul 09, 2026 Jul 09, 2026
Jul 09, 2026
Jul 09, 2026
6.6 MEDIUM
CVE-2026-0287 — PAN-OS: Denial of Service Vulnerabilities in Network Traffic Processing

Multiple denial of service vulnerabilities in Palo Alto Networks PAN-OS® software allow an unauthenticated attacker with network access to cause a denial of service (DoS) condition by sending special…

Jul 09, 2026 Jul 09, 2026
Jul 09, 2026
Jul 09, 2026
6.0 MEDIUM
CVE-2026-0286 — PAN-OS: Authenticated Command Injection in CLI

A command injection vulnerability in the management plane of Palo Alto Networks PAN-OS® software enables an authenticated administrator to execute arbitrary OS commands as root. The security risk …

Jul 09, 2026 Jul 09, 2026
Jul 09, 2026
Jul 09, 2026
4.7 MEDIUM
CVE-2026-0285 — PAN-OS: Server-Side Request Forgery Vulnerability in Management Web Interface

A server-side request forgery (SSRF) vulnerability in Palo Alto Networks PAN-OS software enables an authenticated administrator with network access to the management web interface to make unauthorize…

Jul 09, 2026 Jul 09, 2026
Jul 09, 2026
Jul 09, 2026
4.7 MEDIUM
CVE-2026-0284 — PAN-OS: XML Injection Vulnerability in Large Scale VPN (LSVPN)

An XML injection vulnerability in the Large Scale VPN (LSVPN) functionality of Palo Alto Networks PAN-OS® software enables an unauthenticated attacker with network access to inject malicious XML cont…

Jul 09, 2026 Jul 09, 2026
Jul 09, 2026
Jul 09, 2026
4.5 MEDIUM
CVE-2026-0283 — PAN-OS: Authentication Bypass Vulnerability in Large Scale VPN (LSVPN)

An authentication bypass vulnerability in Large Scale VPN ( LSVPN) functionality of Palo Alto Networks PAN-OS software allows an attacker with network access to bypass security restrictions and estab…

Jul 09, 2026 Jul 09, 2026
Jul 09, 2026
Jul 09, 2026
2.7 LOW
CVE-2026-0282 — PAN-OS: File Deletion Vulnerability in Management Web Interface

A file deletion vulnerability in Palo Alto Networks PAN-OS® software enables an unauthenticated attacker with network access to the management web interface to delete files from a temporary directory…

Jul 09, 2026 Jul 09, 2026
Jul 09, 2026
Jul 09, 2026
2.1 LOW
CVE-2026-0281 — PAN-OS: Information Disclosure Vulnerability in Management Web Interface

An information disclosure vulnerability in Palo Alto Networks PAN-OS® software enables an unauthenticated attacker with network access to the management web interface to obtain web session tokens. Th…

Jul 09, 2026 Jul 09, 2026
Jul 09, 2026
Jul 09, 2026
Showing 20 of 7353 Results