Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
4.8 MEDIUM
CVE-2026-12948 — Stored Cross-Site Scripting (XSS)

A stored cross-site scripting (XSS) vulnerability in the web management interface of the Digi PortServer TS, Digi One SP, Digi One SP IA, and Digi One IA allows a remote, authenticated administrator …

Remote | Cross-Site Scripting
Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
5.9 MEDIUM
CVE-2026-12352 — Incorrect Authorization

This vulnerability allows an unauthenticated actor to bypass authentication and gain access to restricted resources on the device.

Remote | Authentication
Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
7.5 HIGH
CVE-2026-6101 — AMP for WP <= 1.1.12 - Authenticated (Author+) Arbitrary File Write via Role-Based Access…

The AMP for WP – Accelerated Mobile Pages plugin for WordPress is vulnerable to Arbitrary File Write in versions up to and including 1.1.12. This is due to unsafe ZIP file extraction in the ampforwp_…

Remote | Path Traversal
Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
7.2 HIGH
CVE-2026-53479 — Dell PowerProtect Data Domain OS Command Injection Vulnerability

Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.7, LTS2026 release version 8.6.1.0 through 8.6.1.10, LTS2025 release version 8.3.1.0 through 8.3.1.30, LTS2024 release versions 7.13.1.0 thro…

powerprotect_data_domain | Remote | Injection
Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
8.8 HIGH
CVE-2026-44938 — Fleet has PSS Bypass through addLabelsFromOptions in Fleet Agent

A vulnerability has been identified in Fleet's agent-side deployer, which did not filter security-sensitive keys from namespaceLabels in fleet.yaml (or BundleDeployment.spec.options.namespaceLabels) …

rancher | Remote | Misconfiguration
Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
5.3 MEDIUM
CVE-2026-59709 — Ghostfolio - Unauthorized Portfolio Holding Tag Modification via Missing Permission Check

Ghostfolio's PUT /api/v1/portfolio/holding/:dataSource/:symbol/tags endpoint fails to verify Access.permissions field when processing the Impersonation-Id header, allowing read-only access grantees t…

Remote | Authorization
Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
0.0 NA
CVE-2026-53878 — Header injection possibility since DomainNameValidator accepted newlines in input

An issue was discovered in Django 6.0 before 6.0.7 and 5.2 before 5.2.16. `DomainNameValidator` does not prohibit newlines in domain names (unless used via a form field, since `CharField` strips newl…

django | Injection
Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
0.0 NA
CVE-2026-53877 — Heap buffer over-read in GDALRaster

An issue was discovered in Django 6.0 before 6.0.7 and 5.2 before 5.2.16. `django.contrib.gis.gdal.GDALRaster` over-reads its in-memory buffer when constructed from a bytes object, which can disclose…

django | Memory Corruption
Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
0.0 NA
CVE-2026-48588 — Potential exposure of private data via cached Set-Cookie response

An issue was discovered in Django 6.0 before 6.0.7 and 5.2 before 5.2.16. `UpdateCacheMiddleware` and the `cache_page()` decorator cache responses that vary on cookies when the incoming request carri…

django | Information Disclosure
Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
5.3 MEDIUM
CVE-2026-14940 — 389-ds-base: 389-ds-base: heap-buffer-overflow in dn normalization via quoted multivalued…

A heap-buffer-overflow flaw was found in 389 Directory Server (389-ds-base). When normalizing a Distinguished Name (DN) that contains a legacy-quoted value encoding a multivalued nested Relative Dist…

Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
9.8 CRITICAL
CVE-2026-53483 — Dell PowerProtect Data Domain Improper Authentication Vulnerability

Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.7, LTS2026 release version 8.6.1.0 through 8.6.1.10, LTS2025 release version 8.3.1.0 through 8.3.1.30, LTS2024 release versions 7.13.1.0 thro…

powerprotect_data_domain | Remote | Authentication
Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
9.8 CRITICAL
CVE-2026-53481 — Dell PowerProtect Data Domain Path Traversal Vulnerability

Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.7, LTS2026 release version 8.6.1.0 through 8.6.1.10, LTS2025 release version 8.3.1.0 through 8.3.1.30, LTS2024 release versions 7.13.1.0 thro…

powerprotect_data_domain | Remote | Path Traversal
Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
4.7 MEDIUM
CVE-2026-10659 — NULL pointer dereference in Zephyr Dhara FTL disk driver on flash read error during journ…

The Dhara flash translation layer disk driver (drivers/disk/ftl_dhara.c) implemented the dhara_nand_ callbacks so that, on a flash error, the error code was written unconditionally through the caller…

zephyr zephyr | Misconfiguration
Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
8.8 HIGH
CVE-2026-13696 — LDAP Injection in HAVELSAN's Liman MYS

Improper neutralization of special elements used in an LDAP query ('LDAP injection') vulnerability in HAVELSAN Inc. Liman MYS allows LDAP Injection. This issue affects Liman MYS: before release.Mast…

Remote | Injection
Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
8.1 HIGH
CVE-2026-11348 — Authentication Bypass in HAVELSAN's Open Source Project Liman MYS

Improper verification of cryptographic signature vulnerability in HAVELSAN Inc. Liman MYS allows Fake the Source of Data. This issue affects Liman MYS: before release.Master.1107.

Remote | Cryptography
Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
0.0 NA
CVE-2011-10043 — Module::Load versions before 0.22 for Perl allow arbitrary modules outside of @INC to be …

Module::Load versions before 0.22 for Perl allow arbitrary modules outside of @INC to be loaded. Module names starting with "::" could be passed to the load function to specify arbitrary module path…

| Misconfiguration
Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
8.3 HIGH
CVE-2026-11340 — Authorization Bypass in HAVELSAN's Open Source Project Liman MYS

Missing Authorization vulnerability in HAVELSAN Inc. Liman MYS allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Liman MYS: before release.Master.1107.

Remote | Authorization
Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
6.5 MEDIUM
CVE-2026-49487 — Apache Airflow: Task-instance API exposes secrets in deferred trigger kwargs

In Apache Airflow before 3.3.0, the REST API task-instance detail and list endpoints returned a deferred task's trigger kwargs without masking. When a deferred operator passed a secret (for example a…

airflow | Remote | Information Disclosure
Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
6.5 MEDIUM
CVE-2026-49296 — Apache Airflow: Per-DAG read bypass discloses co-located DAGs' source via GET /api/v2/dag…

Before apache-airflow 3.3.0, a user authorized to read one Dag could disclose the source of other Dags co-located in the same source file. `GET /api/v2/dagSources/{dag_id}` — and the equivalent Dag-s…

airflow | Remote | Authorization
Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
6.5 MEDIUM
CVE-2026-48892 — Apache Airflow: Config API leaks per-key secrets backend kwargs - masker bypass on synthe…

The Config API in Apache Airflow surfaced per-key secrets-backend overrides (environment variables like `AIRFLOW__SECRETS__BACKEND_KWARG__SECRET_ID` and `AIRFLOW__WORKERS__SECRETS_BACKEND_KWARG__SECR…

airflow | Remote | Information Disclosure
Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
Showing 20 of 7595 Results