Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
8.7 HIGH
CVE-2026-44383 — Hydro-Québec Le Circuit Electrique charging station backend Insufficient Session Expirati…

Multiple connections to the backend using the same charging station ID are allowed, which could allow an attacker to deploy multiple instances of malicious OCPP clients to overwhelm the backend.

Remote | Denial of Service
Jul 10, 2026 Jul 10, 2026
Jul 10, 2026
Jul 10, 2026
8.7 HIGH
CVE-2026-42952 — Hydro-Québec Le Circuit Electrique charging station backend Improper Restriction of Exces…

Previously, there was no throttling on repeated authentication attempts to the charging station backend, which could allow an attacker to execute a denial-of-service attack.

Remote | Denial of Service
Jul 10, 2026 Jul 10, 2026
Jul 10, 2026
Jul 10, 2026
9.8 CRITICAL
CVE-2026-20744 — Hydro-Québec Le Circuit Electrique charging station backend Improper Access Control

The charging station websocket endpoint accepts connections without proper authentication, which could lead to privilege escalation.

Remote | Authentication
Jul 10, 2026 Jul 10, 2026
Jul 10, 2026
Jul 10, 2026
0.0 NA
CVE-2026-11913 — Mother May I - Critical - Unsupported - SA-CONTRIB-2026-045

vulnerability in Drupal Mother May I allows . This issue affects Mother May I versions: *.*.

| Authorization
Jul 10, 2026 Jul 10, 2026
Jul 10, 2026
Jul 10, 2026
0.0 NA
CVE-2026-11914 — Composer - Critical - Unsupported - SA-CONTRIB-2026-046

vulnerability in Drupal Composer allows . This issue affects Composer versions: *.*.

| Misconfiguration
Jul 10, 2026 Jul 10, 2026
Jul 10, 2026
Jul 10, 2026
0.0 NA
CVE-2026-11915 — Brute force attack protection - Critical - Unsupported - SA-CONTRIB-2026-047

vulnerability in Drupal Brute force attack protection allows . This issue affects Brute force attack protection versions: *.*.

| Authentication
Jul 10, 2026 Jul 10, 2026
Jul 10, 2026
Jul 10, 2026
0.0 NA
CVE-2026-15087 — Clean RESTful - Critical - Unsupported - SA-CONTRIB-2026-078

vulnerability in Drupal Clean RESTful allows . This issue affects Clean RESTful versions: *.*.

| Path Traversal
Jul 10, 2026 Jul 10, 2026
Jul 10, 2026
Jul 10, 2026
0.0 NA
CVE-2026-15086 — Raw Formatter [Meta Tag Formatter] - Critical - Unsupported - SA-CONTRIB-2026-077

vulnerability in Drupal Raw Formatter [Meta Tag Formatter] allows . This issue affects Raw Formatter [Meta Tag Formatter] versions: *.*.

| Information Disclosure
Jul 10, 2026 Jul 10, 2026
Jul 10, 2026
Jul 10, 2026
0.0 NA
CVE-2026-15089 — Commerce guest registration - Critical - Unsupported - SA-CONTRIB-2026-079

vulnerability in Drupal Commerce guest registration allows . This issue affects Commerce guest registration versions: *.*.

| Authentication
Jul 10, 2026 Jul 10, 2026
Jul 10, 2026
Jul 10, 2026
0.0 NA
CVE-2026-55175 — Spinnaker: Improper yaml processing on kustomize bake operations

Spinnaker is an open source, multi-cloud continuous delivery platform. Prior to versions 2026.1.1, 2026.0.3, 2025.4.4, and 2025.3.4 on their respective release lines, Kustomize bake operations allow …

| Injection
Jul 10, 2026 Jul 10, 2026
Jul 10, 2026
Jul 10, 2026
0.0 NA
CVE-2026-9726 — Drupal AlternativeCommerce (Basket) - Highly critical - Arbitrary PHP code execution - SA…

Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal AlternativeCommerce (Basket) allows Object Injection. This issue affects Drupal Alternati…

| Injection
Jul 10, 2026 Jul 10, 2026
Jul 10, 2026
Jul 10, 2026
0.0 NA
CVE-2026-7639 — GPU DDK - Page UAF read in PMMETA_PROTECT heap memory

Software installed and run as a non-privileged user may conduct a sequence of improper GPU system calls causing use after free, which helps in facilitating unprivileged memory access from a shader co…

| Memory Corruption
Jul 10, 2026 Jul 10, 2026
Jul 10, 2026
Jul 10, 2026
8.2 HIGH
CVE-2026-58499 — Path traversal in EverOS /api/v1/memory/add via unvalidated sender_id

EverOS is a memory runtime for agents. Prior to 1.0.1, EverOS is vulnerable to path traversal in the POST /api/v1/memory/add ingestion endpoint because the per-message sender_id field was not validat…

Remote | Path Traversal
Jul 10, 2026 Jul 10, 2026
Jul 10, 2026
Jul 10, 2026
9.8 CRITICAL
CVE-2026-57807 — WordPress OAuth Single Sign On - SSO (OAuth Client) plugin <= 38.5.8 - Broken Authenticat…

Authentication Bypass Using an Alternate Path or Channel vulnerability in miniOrange Security Software Pvt Ltd. OAuth Single Sign On - SSO (OAuth Client) allows Password Recovery Exploitation. This …

Remote | Authentication
Jul 10, 2026 Jul 10, 2026
Jul 10, 2026
Jul 10, 2026
6.9 MEDIUM
CVE-2026-57575 — Misskey: SSRF bypass in URL Preview

Misskey is an open source, federated social media platform. Prior to 2026.6.0, Misskey contains a Server-Side Request Forgery (SSRF) vulnerability in URL preview functionality in UrlPreviewService. D…

Remote | Server-Side Request Forgery
Jul 10, 2026 Jul 10, 2026
Jul 10, 2026
Jul 10, 2026
7.4 HIGH
CVE-2026-57574 — Misskey: TOTP tokens can be reused

Misskey is an open source, federated social media platform. Prior to 2026.6.0, Misskey contains a vulnerability in Time-based One-Time Password (TOTP) authentication in UserAuthService where insuffic…

Remote | Authentication
Jul 10, 2026 Jul 10, 2026
Jul 10, 2026
Jul 10, 2026
5.4 MEDIUM
CVE-2026-57230 — OpenReplay: Authenticated ClickHouse SQL injection via session search

OpenReplay is a self-hosted session replay suite. Prior to 1.27.0, the session search and analytics API in enterprise editions with multi-tenancy enabled built ClickHouse queries by inserting user in…

Remote | Injection
Jul 10, 2026 Jul 10, 2026
Jul 10, 2026
Jul 10, 2026
5.3 MEDIUM
CVE-2026-57221 — RabbitMQ: Passive queue/exchange declaration bypasses authorization checks, leaking queue…

RabbitMQ is a messaging and streaming broker. Prior to 3.13.15, 4.0.20, 4.1.11, and 4.2.6, RabbitMQ does not perform authorization checks on passive queue.declare and exchange.declare AMQP 0-9-1 oper…

Remote | Authorization
Jul 10, 2026 Jul 10, 2026
Jul 10, 2026
Jul 10, 2026
7.5 HIGH
CVE-2026-57220 — RabbitMQ: Stream listener does not enforce configured frame-size limit during authenticat…

RabbitMQ is a messaging and streaming broker. Prior to 4.2.6, the RabbitMQ stream listener does not enforce the configured stream frame-size limit while assembling frames during authentication and be…

Remote | Denial of Service
Jul 10, 2026 Jul 10, 2026
Jul 10, 2026
Jul 10, 2026
8.7 HIGH
CVE-2026-57219 — RabbitMQ: Unauthenticated disclosure of OAuth client credentials via an HTTP API endpoint…

RabbitMQ is a messaging and streaming broker. Prior to 3.13.15, 4.0.20, 4.1.11, and 4.2.6, the obsolete GET /api/auth endpoint can disclose the OAuth 2 client secret on RabbitMQ installations configu…

Remote | Information Disclosure
Jul 10, 2026 Jul 10, 2026
Jul 10, 2026
Jul 10, 2026
Showing 20 of 7446 Results