Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
8.1 HIGH
CVE-2026-46353 — BigBlueButton API checksum bypass via presentationUploadExternalUrl

BigBlueButton is an open-source virtual classroom. Prior to 3.0.21, bbb-web checksum validation could be bypassed when a presentationUploadExternalUrl parameter was supplied to API request handling i…

Remote | Authentication
Jul 16, 2026 Jul 16, 2026
Jul 16, 2026
Jul 16, 2026
8.1 HIGH
CVE-2026-46351 — BigBlueButton: Insecure Randomness allows to guess user's conference session token and im…

BigBlueButton is an open-source virtual classroom. Prior to 3.0.21, bbb-web generated conference sessionToken values with insufficiently secure randomness in bbb-common-web/src/main/java/org/bigblueb…

Remote | Authentication
Jul 16, 2026 Jul 16, 2026
Jul 16, 2026
Jul 16, 2026
4.3 MEDIUM
CVE-2026-46338 — PyMdown Extensions: Regression in pymdownx.snippets reintroduces sibling-prefix path trav…

PyMdown Extensions is a set of extensions for the Python-Markdown markdown project. From 10.0.1 until 10.21.3, pymdownx.snippets uses a string-prefix containment check in SnippetPreprocessor.get_snip…

Remote | Path Traversal
Jul 16, 2026 Jul 16, 2026
Jul 16, 2026
Jul 16, 2026
7.7 HIGH
CVE-2026-46687 — Emlog Local File Inclusion (LFI)

Emlog is an open source website building system. In 2.6.13 and earlier, the article publishing interface stores a path-traversal template parameter from api_controller.php without validation, and log…

Remote | Path Traversal
Jul 16, 2026 Jul 16, 2026
Jul 16, 2026
Jul 16, 2026
8.5 HIGH
CVE-2026-46686 — Emlog Reflected Cross-Site Scripting

Emlog is an open source website building system. In 2.6.13 and earlier, the admin backend user search module's keyword parameter from admin/user.php is processed with addslashes but not HTML-escaped …

Remote | Cross-Site Scripting
Jul 16, 2026 Jul 16, 2026
Jul 16, 2026
Jul 16, 2026
6.1 MEDIUM
CVE-2026-46341 — Apify MCP server: Domain Allowlist Bypass in fetch-apify-docs via String Prefix Matching

The Apify MCP server enables AI agents to extract data from websites using ready-made scrapers, crawlers, and automation tools available on the Apify Store. Prior to 0.9.21, the fetch-apify-docs tool…

Remote | Server-Side Request Forgery
Jul 16, 2026 Jul 16, 2026
Jul 16, 2026
Jul 16, 2026
7.1 HIGH
CVE-2026-46336 — Manyfold: Authenticated Path Traversal via File Rename

Manyfold is an open source, self-hosted web application for managing a collection of 3d models, particularly focused on 3d printing. From 0.96.0 until 0.140.0, authenticated users can rename uploaded…

Remote | Path Traversal
Jul 16, 2026 Jul 16, 2026
Jul 16, 2026
Jul 16, 2026
10.0 CRITICAL
CVE-2026-45336 — HireFlow: Use of Hard-coded Credentials

HireFlow is a web-based interview management system for managing candidates, scheduling interviews, and tracking hiring progress. In 1.2 and earlier, app.py assigns a hard-coded Flask secret_key used…

Remote | Authentication
Jul 16, 2026 Jul 16, 2026
Jul 16, 2026
Jul 16, 2026
3.1 LOW
CVE-2026-44970 — dbt-mcp: All MCP Tool Arguments Including Raw SQL and --vars Credentials Transmitted to d…

dbt-mcp is a Model Context Protocol server for interacting with dbt. Prior to 1.17.1, DefaultUsageTracker.emit_tool_called_event() in src/dbt_mcp/tracking/tracking.py serialized every MCP tool call's…

Remote | Information Disclosure
Jul 16, 2026 Jul 16, 2026
Jul 16, 2026
Jul 16, 2026
2.5 LOW
CVE-2026-44969 — dbt-mcp: Tool Arguments Including SQL Queries and Credentials Logged in Plaintext Without…

dbt-mcp is a Model Context Protocol server for interacting with dbt. Prior to 1.17.1, DbtMCP.call_tool() in src/dbt_mcp/mcp/server.py logged the raw arguments dictionary at INFO level before each too…

| Information Disclosure
Jul 16, 2026 Jul 16, 2026
Jul 16, 2026
Jul 16, 2026
6.3 MEDIUM
CVE-2026-44968 — dbt-mcp: Argument Injection in dbt CLI Tool Wrappers via node_selection and resource_type…

dbt-mcp is a Model Context Protocol server for interacting with dbt. Prior to 1.17.1, _run_dbt_command() in src/dbt_mcp/dbt_cli/tools.py appended unsanitized node_selection and resource_type values t…

| Injection
Jul 16, 2026 Jul 16, 2026
Jul 16, 2026
Jul 16, 2026
4.3 MEDIUM
CVE-2026-15945 — Keycloak-services: keycloak-services: group hierarchy search discloses hidden parent grou…

A flaw was found in the group search functionality of the Keycloak server's administrative API. When Fine-Grained Admin Permissions (FGAP) v2 is enabled, a delegated administrator can bypass access r…

single_sign-on data_grid build_of_keycloak | Remote | Authorization
Jul 16, 2026 Jul 16, 2026
Jul 16, 2026
Jul 16, 2026
5.7 MEDIUM
CVE-2026-15737 — Sensitive content disclosure via OpenTelemetry spans in AgentCore Python SDK

AWS Bedrock AgentCore Python SDK is an open-source Python library that provides client tools for building AI agents on the Amazon Bedrock AgentCore platform. Unintended logging of sensitive user c…

bedrock-agentcore | Remote | Information Disclosure
Jul 16, 2026 Jul 16, 2026
Jul 16, 2026
Jul 16, 2026
8.1 HIGH
CVE-2021-27137 — DD-WRT UPnP Buffer Overflow

An issue was discovered in router/upnp/src/ssdp.c in DD-WRT before 45724. An unsafe strcpy in the UPnP handling functionality allows an unauthenticated remote attacker to send a request that would ov…

Remote | Memory Corruption
Jul 16, 2026 Jul 16, 2026
Jul 16, 2026
Jul 16, 2026
7.3 HIGH
CVE-2026-9046 — Lenovo Legion Zone and App Store Local Privilege Escalation Vulnerability

A potential insecure permissions vulnerability was reported in Legion Zone and the Lenovo App Store Windows applications, distributed exclusively in the Chinese market, that when installed on a non‑s…

app_store legion_zone | Misconfiguration
Jul 16, 2026 Jul 16, 2026
Jul 16, 2026
Jul 16, 2026
6.8 MEDIUM
CVE-2026-6511 — Lenovo Smart Connect Improper Access Control Vulnerability

During an internal security assessment, a potential improper access control vulnerability was discovered in Lenovo Smart Connect for Windows that could allow a local authenticated user to access file…

smart_connect | Authorization
Jul 16, 2026 Jul 16, 2026
Jul 16, 2026
Jul 16, 2026
8.6 HIGH
CVE-2026-63088 — stoatchat < 0.14.0 SSRF via DNS-based IP Blocklist Bypass

stoatchat before 0.14.0 contains a server-side request forgery (SSRF) vulnerability that allows unauthenticated network-accessible attackers to bypass the DNS-based IP blocklist by exploiting incompl…

Remote | Server-Side Request Forgery
Jul 16, 2026 Jul 16, 2026
Jul 16, 2026
Jul 16, 2026
9.8 CRITICAL
CVE-2026-63087 — Grafana OnCall 1.16.11 Unauthenticated Token Hijack via Plugin Install Endpoint

Grafana OnCall through 1.16.11 contains an unauthenticated access vulnerability that allows remote attackers to obtain a valid PluginAuthToken by sending a POST request to the internal plugin install…

Remote | Authentication
Jul 16, 2026 Jul 16, 2026
Jul 16, 2026
Jul 16, 2026
8.6 HIGH
CVE-2026-63086 — text-generation-inference 3.3.7 SSRF via fetch_image in multimodal chat completions

text-generation-inference through 3.3.7 contains a server-side request forgery (SSRF) vulnerability in the OpenAI-compatible multimodal chat completions endpoint that allows unauthenticated network a…

Remote | Server-Side Request Forgery
Jul 16, 2026 Jul 16, 2026
Jul 16, 2026
Jul 16, 2026
8.8 HIGH
CVE-2026-63085 — Axelor Open Platform 8.x < 8.2.2 Authorization Bypass via Nested Relational Record Persis…

Axelor Open Platform versions 8.x prior to 8.2.2 contains an authorization bypass vulnerability that allows authenticated non-admin users to escalate privileges by exploiting unenforced field restric…

Remote | Authorization
Jul 16, 2026 Jul 16, 2026
Jul 16, 2026
Jul 16, 2026
Showing 20 of 8239 Results