Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
6.5 MEDIUM
CVE-2026-5074 — ARMember Premium <= 7.3.1 - Authenticated (Subscriber+) SQL Injection via 'sSortDir_0' Pa…

The ARMember Premium plugin for WordPress is vulnerable to SQL Injection via the 'sSortDir_0' parameter of the `get_private_content_data` AJAX action in all versions up to, and including, 7.3.1. This…

Remote | Injection
Jun 02, 2026 Jun 02, 2026
Jun 02, 2026
Jun 02, 2026
7.5 HIGH
CVE-2026-5073 — ARMember Premium <= 7.3.1 - Unauthenticated SQL Injection via 'order' Parameter

The ARMember Premium plugin for WordPress is vulnerable to SQL Injection via the 'order' parameter of the 'arm_directory_paging_action' AJAX action in all versions up to, and including, 7.3.1. This i…

Remote | Injection
Jun 02, 2026 Jun 02, 2026
Jun 02, 2026
Jun 02, 2026
8.5 HIGH
CVE-2026-49120 — Medplum < 5.1.14 SSRF via FHIR Subscription Endpoint

Medplum before 5.1.14 contains a server-side request forgery vulnerability in the subscription worker that allows authenticated users to perform unauthorized internal network requests by creating FHI…

Remote | Server-Side Request Forgery
Jun 02, 2026 Jun 02, 2026
Jun 02, 2026
Jun 02, 2026
0.0 NA
CVE-2026-48682 — FastNetMon Out-of-Bounds Read in IPv4 Packet Parser

FastNetMon Community Edition through 1.2.9 contains an out-of-bounds read in the IPv4 packet parser. In src/simple_packet_parser_ng.cpp, after validating that the packet contains at least sizeof(ipv4…

| Memory Corruption
Jun 02, 2026 Jun 02, 2026
Jun 02, 2026
Jun 02, 2026
2.1 LOW
CVE-2026-48598 — CRLF injection in Tesla.Multipart disposition parameters allows multipart part header inj…

Improper Encoding or Escaping of Output vulnerability in elixir-tesla tesla allows multipart part header injection via unescaped Content-Disposition parameter values. Tesla.Multipart.part_headers_fo…

| Injection
Jun 02, 2026 Jun 02, 2026
Jun 02, 2026
Jun 02, 2026
8.2 HIGH
CVE-2026-48597 — Atom table exhaustion via untrusted URL scheme in Tesla.Adapter.Mint

Allocation of Resources Without Limits or Throttling vulnerability in elixir-tesla tesla allows denial of service via atom table exhaustion in Tesla.Adapter.Mint. Tesla.Adapter.Mint.open_conn/2 conv…

Remote | Denial of Service
Jun 02, 2026 Jun 02, 2026
Jun 02, 2026
Jun 02, 2026
2.1 LOW
CVE-2026-48596 — CRLF injection in Tesla.Multipart.add_content_type_param/2 allows HTTP header injection

Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') vulnerability in elixir-tesla tesla allows HTTP header injection via Tesla.Multipart.add_content_type_par…

| Injection
Jun 02, 2026 Jun 02, 2026
Jun 02, 2026
Jun 02, 2026
8.2 HIGH
CVE-2026-48595 — Authorization header leaks to third-party origin on cross-origin redirect in Tesla.Middle…

Improper Handling of Case Sensitivity vulnerability in elixir-tesla tesla allows credential leakage to a third-party origin on cross-origin redirects. Tesla.Middleware.FollowRedirects strips securit…

Remote | Information Disclosure
Jun 02, 2026 Jun 02, 2026
Jun 02, 2026
Jun 02, 2026
8.2 HIGH
CVE-2026-48594 — Decompression bomb in Tesla.Middleware.DecompressResponse and Tesla.Middleware.Compression

Improper Handling of Highly Compressed Data (Data Amplification) vulnerability in elixir-tesla tesla allows a denial of service via decompression bomb in HTTP response bodies. When Tesla.Middleware.…

Remote | Denial of Service
Jun 02, 2026 Jun 02, 2026
Jun 02, 2026
Jun 02, 2026
6.6 MEDIUM
CVE-2026-47265 — AIOHTTP vulnerable to cross-origin redirect with per-request cookies

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.14.0, cookies set with the `cookies` parameter on requests are sent after following a cross-origin r…

Remote | Information Disclosure
Jun 02, 2026 Jun 02, 2026
Jun 02, 2026
Jun 02, 2026
7.5 HIGH
CVE-2026-42342 — React Router vulnerable to DoS via unbounded path expansion in __manifest endpoint

React Router is a router for React. In versions 7.0.0 through 7.14.x of react-router and versions 2.10.0 through 2.17.4 of @remix-run/server-runtime, certain crafted requests can consume disproportio…

Remote | Denial of Service
Jun 02, 2026 Jun 02, 2026
Jun 02, 2026
Jun 02, 2026
8.1 HIGH
CVE-2026-42211 — React Router's vendored turbo-stream v2 allows arbitrary constructor invocation via TYPE_…

React Router is a router for React. In versions 7.0.0 through 7.14.1, when using Framework Mode, a combination of steps could potentially allow unauthorized remote code execution (RCE) through extern…

Remote | Misconfiguration
Jun 02, 2026 Jun 02, 2026
Jun 02, 2026
Jun 02, 2026
6.9 MEDIUM
CVE-2026-41577 — authentik: SAML source does not validate Conditions, timing, or audience on assertions

authentik is an open-source identity provider. Prior to versions 2025.12.5 and 2026.2.3, the SAML source response processor (ResponseProcessor.parse()) does not validate the Conditions element on ass…

authentik | Remote | Authentication
Jun 02, 2026 Jun 02, 2026
Jun 02, 2026
Jun 02, 2026
6.6 MEDIUM
CVE-2026-40181 — React Router's same-origin redirect with path starting // causes open redirect via protoc…

React Router is a router for React. In versions 7.0.0 through 7.14.0 and 6.7.0 through 6.30.3, certain URLs passed to the redirect function can trigger an open redirect to an external domain due to p…

Remote | Misconfiguration
Jun 02, 2026 Jun 02, 2026
Jun 02, 2026
Jun 02, 2026
0.0 NA
CVE-2026-38967 — Crow HTTP Response Header Injection

CrowCpp Crow through v1.3.1 HTTP is vulnerable to response header injection via unvalidated response header values.

| Injection
Jun 02, 2026 Jun 02, 2026
Jun 02, 2026
Jun 02, 2026
2.3 LOW
CVE-2026-35202 — Pterodactyl has a database resource limit bypass via race condition in Client API

Pterodactyl is a free, open-source game server management panel. Prior to version 1.12.3, the Pterodactyl Client API has a logic flaw that lets users bypass their assigned limits for database allocat…

panel | Remote | Authorization
Jun 02, 2026 Jun 02, 2026
Jun 02, 2026
Jun 02, 2026
6.5 MEDIUM
CVE-2026-35049 — wire-ios has Persistent Remote DoS via Integer Underflow

wire-ios is an iOS client for the Wire secure messaging application. Prior to version 4.16.0, upon receiving a crafted malicious Proteus external message with an encrypted payload that is shorter tha…

Remote | Denial of Service
Jun 02, 2026 Jun 02, 2026
Jun 02, 2026
Jun 02, 2026
6.4 MEDIUM
CVE-2026-34993 — AIOHTTP Vulnerable to Deserialization of Untrusted Data

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.14.0, using ``CookieJar.load()`` with untrusted input may allow arbitrary code execution. Most appli…

| Authentication
Jun 02, 2026 Jun 02, 2026
Jun 02, 2026
Jun 02, 2026
7.5 HIGH
CVE-2026-34077 — React Router vulnerable to Denial of Service via reflected user input in single-fetch

React Router is a router for React. In versions 7.7.0 through 7.13.1, when using React Router's unstable React Server Components (RSC) APIs, there is a potential client-side Cross-Site Scripting (XSS…

Remote | Cross-Site Scripting
Jun 02, 2026 Jun 02, 2026
Jun 02, 2026
Jun 02, 2026
0.0 NA
CVE-2026-33553 — Northern.tech CFEngine Enterprise Cross-Site Scripting

Northern.tech CFEngine Enterprise 3.24.3 before 3.24.4 and 3.27.0 before 3.27.1 allows XSS.

| Cross-Site Scripting
Jun 02, 2026 Jun 02, 2026
Jun 02, 2026
Jun 02, 2026
Showing 20 of 7173 Results