Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
0.0 NA
CVE-2026-54773 — CoreWCF: WS-Security signature substitution via document-wide Signature lookup

CoreWCF is a port of the service side of Windows Communication Foundation (WCF) to .NET Core. Prior to 1.8.1 and 1.9.1, CoreWCF WS-Security signature verification performs a document-wide ds:Signatur…

| Authentication
Jul 08, 2026 Jul 08, 2026
Jul 08, 2026
Jul 08, 2026
0.0 NA
CVE-2026-54779 — CoreWCF: SAML token replay protection is inoperative

CoreWCF is a port of the service side of Windows Communication Foundation (WCF) to .NET Core. Prior to 1.8.1 and 1.9.1, CoreWCF SAML token replay protection is inoperative because DefaultTokenReplayC…

| Authentication
Jul 08, 2026 Jul 08, 2026
Jul 08, 2026
Jul 08, 2026
0.0 NA
CVE-2026-54772 — CoreWCF: Pre-authentication infinite-loop CPU exhaustion in CoreWCF net.tcp / net.pipe / …

CoreWCF is a port of the service side of Windows Communication Foundation (WCF) to .NET Core. Prior to 1.8.1 and 1.9.1, an unauthenticated remote attacker that can reach a NetTcpBinding, NetNamedPipe…

| Denial of Service
Jul 08, 2026 Jul 08, 2026
Jul 08, 2026
Jul 08, 2026
0.0 NA
CVE-2026-54776 — CoreWCF: Unix Domain Socket PosixIdentity transport accepts connections that skip the sec…

CoreWCF is a port of the service side of Windows Communication Foundation (WCF) to .NET Core. Prior to 1.8.1 and 1.9.1, a CoreWCF service hosted on Unix Domain Sockets with PosixIdentity client crede…

| Authentication
Jul 08, 2026 Jul 08, 2026
Jul 08, 2026
Jul 08, 2026
4.3 MEDIUM
CVE-2026-8472 — Missing Authorization in GitLab

GitLab has remediated an issue in GitLab EE affecting all versions from 18.9 before 18.11.7, 19.0 before 19.0.4, and 19.1 before 19.1.2 that under certain conditions could have allowed an authenticat…

Remote | Authorization
Jul 08, 2026 Jul 08, 2026
Jul 08, 2026
Jul 08, 2026
4.3 MEDIUM
CVE-2026-7492 — Missing Authorization in GitLab

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 9.1 before 18.11.7, 19.0 before 19.0.4, and 19.1 before 19.1.2 that under certain conditions could have allowed an unauthent…

Remote | Authorization
Jul 08, 2026 Jul 08, 2026
Jul 08, 2026
Jul 08, 2026
8.7 HIGH
CVE-2026-6896 — Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in G…

GitLab has remediated an issue in GitLab EE affecting all versions from 13.11 before 18.11.7, 19.0 before 19.0.4, and 19.1 before 19.1.2 that under certain conditions could have allowed an authentica…

Remote | Cross-Site Scripting
Jul 08, 2026 Jul 08, 2026
Jul 08, 2026
Jul 08, 2026
2.7 LOW
CVE-2026-6352 — Incorrect Authorization in GitLab

GitLab has remediated an issue in GitLab EE affecting all versions from 18.2 before 18.11.7, 19.0 before 19.0.4, and 19.1 before 19.1.2 that under certain conditions could have allowed an authenticat…

Remote | Authorization
Jul 08, 2026 Jul 08, 2026
Jul 08, 2026
Jul 08, 2026
8.6 HIGH
CVE-2026-60105 — Monsta FTP < 2.14.5 SSRF via IPv4-Mapped IPv6 Address Bypass

Monsta FTP before 2.14.5 contains a server-side request forgery vulnerability in the fetchRemoteFile action caused by an incomplete IP blocklist check in the isBlockedIP() function, which fails to de…

Remote | Server-Side Request Forgery
Jul 08, 2026 Jul 08, 2026
Jul 08, 2026
Jul 08, 2026
6.5 MEDIUM
CVE-2026-59818 — etcd: gRPC client listener does not enforce `--client-crl-file` certificate revocation

etcd is a distributed key-value store for the data of a distributed system. Prior to 3.5.32 and 3.6.13, when etcd is configured with --listen-client-http-urls to split HTTP and gRPC client endpoints …

Remote | Authentication
Jul 08, 2026 Jul 08, 2026
Jul 08, 2026
Jul 08, 2026
8.2 HIGH
CVE-2026-58525 — Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability

Improper access control in Microsoft Edge (Chromium-based) allows an unauthorized attacker to bypass a security feature over a network.

Jul 08, 2026 Jul 08, 2026
Jul 08, 2026
Jul 08, 2026
6.5 MEDIUM
CVE-2026-58494 — Wasmtime: WASI hard links bypass wasmtime-wasi's FilePerms for destination

Wasmtime is a runtime for WebAssembly. Prior to 24.0.11, 36.0.12, 45.0.3, and 46.0.1, wasmtime-wasi hard-link creation and renaming check directory permissions but not matching FilePerms on source an…

wasmtime | Path Traversal
Jul 08, 2026 Jul 08, 2026
Jul 08, 2026
Jul 08, 2026
5.4 MEDIUM
CVE-2026-58211 — NATS Server: `no_auth_user` pre-CONNECT fast path bypasses user connection restrictions

NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. Prior to 2.14.3 and 2.12.12, a client could be registered as the configured no_auth_user through a pa…

Remote | Authentication
Jul 08, 2026 Jul 08, 2026
Jul 08, 2026
Jul 08, 2026
6.8 MEDIUM
CVE-2026-58208 — NATS Server: MQTT-over-WebSocket Path Can Crash WebSocket-Only JetStream Servers Before M…

NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. Prior to 2.14.3 and 2.12.12, a WebSocket listener could route requests for the MQTT-over-WebSocket pa…

Remote | Denial of Service
Jul 08, 2026 Jul 08, 2026
Jul 08, 2026
Jul 08, 2026
7.7 HIGH
CVE-2026-58207 — NATS Server: Remote crash via integer overflow in Connz pagination

NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. Prior to 2.14.3 and 2.12.12, a client able to send account-scoped connection monitoring requests coul…

Remote | Denial of Service
Jul 08, 2026 Jul 08, 2026
Jul 08, 2026
Jul 08, 2026
8.6 HIGH
CVE-2026-58192 — Appium: Unauthenticated arbitrary file/directory deletion in @appium/storage-plugin

Appium is a cross-platform automation framework for all kinds of apps, built on top of the W3C WebDriver protocol. Prior to 1.1.6, the Appium storage plugin exposes POST /storage/delete, whose handle…

Remote | Path Traversal
Jul 08, 2026 Jul 08, 2026
Jul 08, 2026
Jul 08, 2026
6.5 MEDIUM
CVE-2026-58191 — Appium: Reflected XSS / arbitrary JS in @appium/base-driver /test/guinea-pig* routes

Appium is a cross-platform automation framework for all kinds of apps, built on top of the W3C WebDriver protocol. Prior to 10.7.0, Appium's base-driver unconditionally mounts the /test/guinea-pig, /…

Remote | Cross-Site Scripting
Jul 08, 2026 Jul 08, 2026
Jul 08, 2026
Jul 08, 2026
2.3 LOW
CVE-2026-57481 — Parse Server: LiveQuery discloses object data to a subscriber across an ACL read-access c…

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.9.1-alpha.13 and 8.6.83, a LiveQuery subscriber could receive object field values th…

Remote | Authorization
Jul 08, 2026 Jul 08, 2026
Jul 08, 2026
Jul 08, 2026
8.7 HIGH
CVE-2026-57480 — Parse Server: Denial of service via exponential-time processing of deeply nested query op…

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.9.1-alpha.12 and 8.6.82, deeply nested $or, $and, and $nor query condition operators…

Remote | Denial of Service
Jul 08, 2026 Jul 08, 2026
Jul 08, 2026
Jul 08, 2026
7.5 HIGH
CVE-2026-56669 — Elysia: Inefficient Algorithmic Complexity and Interpretation Conflict

Elysia is a Typescript framework for request validation, type inference, OpenAPI documentation, and client-server communication. Prior to 1.4.29, Elysia uses getAll in form data normalization for mul…

elysia | Remote | Denial of Service
Jul 08, 2026 Jul 08, 2026
Jul 08, 2026
Jul 08, 2026
Showing 20 of 7829 Results