Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
6.5 MEDIUM
CVE-2026-15502 — AojiaoZero Antaris PayPal IPN Payment ipn.php _rewardPurchase sql injection

A vulnerability was detected in AojiaoZero Antaris 1.0. This affects the function _rewardPurchase of the file /ipn.php of the component PayPal IPN Payment Handler. The manipulation of the argument it…

Remote | Injection
Jul 12, 2026 Jul 12, 2026
Jul 12, 2026
Jul 12, 2026
6.5 MEDIUM
CVE-2026-15501 — AstrBotDevs AstrBot MCP Test Endpoint tools.py ToolsRoute.test_mcp_connection server-side…

A security vulnerability has been detected in AstrBotDevs AstrBot up to 4.25.2. Affected by this issue is the function ToolsRoute.test_mcp_connection of the file astrbot/dashboard/routes/tools.py of …

Remote | Server-Side Request Forgery
Jul 12, 2026 Jul 12, 2026
Jul 12, 2026
Jul 12, 2026
9.4 CRITICAL
CVE-2026-61876 — LuCI DHCPv6 Lease Hostname Stored Cross-Site Scripting

LuCI versions fail to properly encode DHCPv6 lease hostnames before rendering in status tables, allowing adjacent network attackers to inject HTML markup. Attackers can send a DHCPv6 Client FQDN cont…

luci | Cross-Site Scripting
Jul 12, 2026 Jul 12, 2026
Jul 12, 2026
Jul 12, 2026
8.8 HIGH
CVE-2026-61875 — luci-app-upnp Stored XSS via UPnP Port Mapping Description

luci-app-upnp contains a stored cross-site scripting vulnerability that allows unauthenticated LAN clients to inject JavaScript via UPnP IGD AddPortMapping SOAP requests. Attackers can send malicious…

luci | Cross-Site Scripting
Jul 12, 2026 Jul 12, 2026
Jul 12, 2026
Jul 12, 2026
3.1 LOW
CVE-2026-61874 — filebrowser before 2.63.17 Stale Public Share via Trailing-Slash Delete

filebrowser versions before 2.63.17 fail to normalize paths before querying the share index in DeleteWithPathPrefix, allowing authenticated users to leave stale public shares behind. Attackers can de…

Remote | Path Traversal
Jul 12, 2026 Jul 12, 2026
Jul 12, 2026
Jul 12, 2026
8.8 HIGH
CVE-2026-59260 — OpenWrt luci-app-samba4 read ACL remote code execution via smbd

OpenWrt luci-app-samba4 read ACL grants file.exec permission on /usr/sbin/smbd, allowing authenticated delegated users to execute the Samba daemon with caller-controlled command-line arguments. Attac…

luci | Remote | Authorization
Jul 12, 2026 Jul 12, 2026
Jul 12, 2026
Jul 12, 2026
6.9 MEDIUM
CVE-2026-56336 — Capgo - Information Disclosure via Unauthenticated SSO check-domain Endpoint

Capgo before 12.128.2 contains an information disclosure vulnerability in the unauthenticated /private/sso/check-domain endpoint that returns internal org_id and provider_id values. Attackers can enu…

Remote | Information Disclosure
Jul 12, 2026 Jul 12, 2026
Jul 12, 2026
Jul 12, 2026
8.1 HIGH
CVE-2026-56313 — Capgo - Cross-Organization Account Disruption via SSO Prelink Endpoint

Capgo before 12.128.2 contains a cross-organization account disruption vulnerability in the SSO prelink endpoint that allows enterprise administrators to delete password identities of users in foreig…

Remote | Authentication
Jul 12, 2026 Jul 12, 2026
Jul 12, 2026
Jul 12, 2026
8.4 HIGH
CVE-2026-56308 — Capgo - Insufficient Authentication in Email Change Endpoint

Capgo before 12.128.2 allows email address changes without requiring current password re-authentication or verification of the existing email address. An attacker with access to a valid session cooki…

Remote | Authentication
Jul 12, 2026 Jul 12, 2026
Jul 12, 2026
Jul 12, 2026
5.1 MEDIUM
CVE-2026-56281 — Capgo - SQL Injection via Unvalidated limit Parameter in Admin Stats Endpoint

Capgo before 12.128.2 contains a sql injection vulnerability in the POST /private/admin_stats endpoint where the limit parameter is destructured from unvalidated request body and interpolated directl…

Remote | Injection
Jul 12, 2026 Jul 12, 2026
Jul 12, 2026
Jul 12, 2026
9.8 CRITICAL
CVE-2026-56271 — Flowise - Weak Default JWT Secrets in Authentication Middleware

Flowise before 3.1.0 (affected versions 3.0.13 and earlier) uses weak hardcoded default JWT secrets ('auth_token', 'refresh_token') and default audience and issuer values ('AUDIENCE', 'ISSUER') in th…

Remote | Authentication
Jul 12, 2026 Jul 12, 2026
Jul 12, 2026
Jul 12, 2026
9.1 CRITICAL
CVE-2026-56260 — Crawl4AI - Arbitrary File Write via output_path Parameter

Crawl4AI before 0.8.7 contains an arbitrary file write vulnerability in the Docker API server's /screenshot and /pdf endpoints. The output_path parameter accepts arbitrary filesystem paths without va…

Remote | Path Traversal
Jul 12, 2026 Jul 12, 2026
Jul 12, 2026
Jul 12, 2026
8.8 HIGH
CVE-2026-56259 — Crawl4AI - LLM Credential Exfiltration via base_url and Environment Variable Resolution

Crawl4AI before 0.8.8 contains credential exfiltration vulnerabilities in the Docker API server that allow attackers to redirect LLM API calls to attacker-controlled endpoints and read arbitrary envi…

Remote | Misconfiguration
Jul 12, 2026 Jul 12, 2026
Jul 12, 2026
Jul 12, 2026
5.4 MEDIUM
CVE-2026-56252 — Capgo - Scope Isolation Failure in Webhook Test Endpoint

Capgo before 12.128.2 contains a scope isolation vulnerability in the POST /webhooks/test endpoint that allows app-scoped API keys to invoke org-scoped webhook operations. Attackers with app-scoped c…

Remote | Authorization
Jul 12, 2026 Jul 12, 2026
Jul 12, 2026
Jul 12, 2026
8.3 HIGH
CVE-2026-56241 — Capgo - RBAC Demotion Privilege Retention via Stale org_users.user_right

Capgo before 12.128.2 contains a privilege escalation vulnerability where demoted super_admin users retain access to delete_non_compliant_bundles and count_non_compliant_bundles RPCs due to stale org…

Remote | Authorization
Jul 12, 2026 Jul 12, 2026
Jul 12, 2026
Jul 12, 2026
8.7 HIGH
CVE-2026-56238 — Capgo - Unauthenticated Information Disclosure via PostgREST global_stats Endpoint

Capgo before 12.128.2 contains an information disclosure vulnerability in the Supabase PostgREST global_stats endpoint that allows unauthenticated attackers to read sensitive financial and operationa…

Remote | Information Disclosure
Jul 12, 2026 Jul 12, 2026
Jul 12, 2026
Jul 12, 2026
6.5 MEDIUM
CVE-2026-15500 — AstrBotDevs AstrBot market_list Endpoint plugin.py get_online_plugins server-side request…

A weakness has been identified in AstrBotDevs AstrBot up to 4.25.2. Affected by this vulnerability is the function get_online_plugins of the file astrbot/dashboard/routes/plugin.py of the component m…

Remote | Server-Side Request Forgery
Jul 12, 2026 Jul 12, 2026
Jul 12, 2026
Jul 12, 2026
6.5 MEDIUM
CVE-2026-15499 — AstrBotDevs AstrBot Scheduled Task cron_tools.py FutureTaskTool.call improper authorizati…

A security flaw has been discovered in AstrBotDevs AstrBot up to 4.25.2. Affected is the function FutureTaskTool.call of the file astrbot/core/tools/cron_tools.py of the component Scheduled Task Hand…

Remote | Authorization
Jul 12, 2026 Jul 12, 2026
Jul 12, 2026
Jul 12, 2026
7.5 HIGH
CVE-2026-15498 — sergomanov SmartHomeAdatum Login users.php sql injection

A vulnerability was identified in sergomanov SmartHomeAdatum up to cf495353d81b680675eb8d9aa14a318aa45ce12c. This impacts an unknown function of the file users.php of the component Login. Such manipu…

Remote | Injection
Jul 12, 2026 Jul 12, 2026
Jul 12, 2026
Jul 12, 2026
7.5 HIGH
CVE-2026-15497 — SonicCloudOrg sonic-agent JWT Authentication Filter ExchangeController.java code injection

A vulnerability was determined in SonicCloudOrg sonic-agent up to 2.7.2. This affects an unknown function of the file sonic-server-controller/src/main/java/org/cloud/sonic/controller/controller/Excha…

Remote | Injection
Jul 12, 2026 Jul 12, 2026
Jul 12, 2026
Jul 12, 2026
Showing 20 of 7296 Results