Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
7.1 HIGH
CVE-2026-46627 — Twig: Sandbox resource exhaustion via unbounded `for` / `range()`

Twig is a template language for PHP. Prior to 3.26.0, the Twig sandbox does not prevent a template from consuming CPU, memory, or wall-clock time, even under the strictest allow-list, allowing untrus…

Remote | Denial of Service
Jul 14, 2026 Jul 14, 2026
Jul 14, 2026
Jul 14, 2026
9.1 CRITICAL
CVE-2026-45363 — `jwt` (Ruby gem) - empty-key HMAC bypass

ruby-jwt is a Ruby implementation of the RFC 7519 OAuth JSON Web Token standard. Prior to 2.10.3 and 3.2.0, JWT.decode(token, '', true, algorithm: 'HS256') accepts an attacker-forged token because Op…

jwt | Remote | Cryptography
Jul 14, 2026 Jul 14, 2026
Jul 14, 2026
Jul 14, 2026
3.6 LOW
CVE-2026-42447 — jadx: HTML Injection in Summary panel

jadx is a Dex to Java decompiler. Prior to 1.5.6, jadx-gui is affected by an HTML injection vulnerability in the Summary tab because SummaryNode.java appends arches and perArchCount values derived fr…

| Injection
Jul 14, 2026 Jul 14, 2026
Jul 14, 2026
Jul 14, 2026
8.4 HIGH
CVE-2026-42049 — jadx: RCE Via Groovy Code Injection in Gradle Export

jadx is a Dex to Java decompiler. Prior to 1.5.6, jadx inserts the android:versionName value from an AndroidManifest into the generated app/build.gradle Groovy template without proper sanitization wh…

| Injection
Jul 14, 2026 Jul 14, 2026
Jul 14, 2026
Jul 14, 2026
0.0 NA
CVE-2026-38450 — Aetopia Digital Asset Management Remote Code Execution

An issue in Aetopia Digital Asset Management DAM v.1.0.0 allows a remote attacker to execute arbitrary code via the name and description parameter of the Add/Update Project function

| Injection
Jul 14, 2026 Jul 14, 2026
Jul 14, 2026
Jul 14, 2026
3.1 LOW
CVE-2026-21840 — HCL BigFix Platform is affected by a user enumeration vulnerability

HCL BigFix Platform is affected by a user enumeration vulnerability which might allow an attacker, through careful system control and response time monitoring, to perform some level of user enumerati…

Remote | Authentication
Jul 14, 2026 Jul 14, 2026
Jul 14, 2026
Jul 14, 2026
7.5 HIGH
CVE-2026-15750 — mastergo-design mastergo-magic-mcp mcp__getComponentLink get-component-link.ts z.string s…

A weakness has been identified in mastergo-design mastergo-magic-mcp up to 0.2.0. Impacted is the function z.string of the file src/tools/get-component-link.ts of the component mcp__getComponentLink.…

Remote | Server-Side Request Forgery
Jul 14, 2026 Jul 14, 2026
Jul 14, 2026
Jul 14, 2026
0.0 NA
CVE-2025-56361 — Matter SDK Level Control Cluster Denial of Service Vulnerability

A reachable assertion vulnerability exists in the Matter SDK (connectedhomeip) 1.3 thru 1.4, specifically within the Level Control cluster's server tick logic (`emberAfLevelControlClusterServerTickCa…

| Denial of Service
Jul 14, 2026 Jul 14, 2026
Jul 14, 2026
Jul 14, 2026
7.7 HIGH
CVE-2026-61520 — Simple Machines Forum SSRF via image proxy

Simple Machines Forum 2.1 prior to commit 4bf35cf and 3.0 prior to commit b4d23df contains a server-side request forgery vulnerability in the image proxy that allows authenticated attackers to trigge…

smf | Remote | Server-Side Request Forgery
Jul 14, 2026 Jul 14, 2026
Jul 14, 2026
Jul 14, 2026
6.5 MEDIUM
CVE-2026-59889 — jackson-databind: @JsonView ypassed for @JsonUnwrapped container properties on deserializ…

jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.18.0 until 2.18.9, 2.21.5, 2.22.1, 3.1.5, and 3.2.1, UnwrappedPropertyHandle…

jackson-databind | Remote | Authorization
Jul 14, 2026 Jul 14, 2026
Jul 14, 2026
Jul 14, 2026
9.1 CRITICAL
CVE-2026-53486 — decompress: Archive extraction can create files and links outside the target directory

The decompress package for Node.js extracts archives. Prior to 10.2.1 and 11.1.3, archive extraction can create files and links outside the target directory. When extracting an archive to a directory…

decompress | Remote | Path Traversal
Jul 14, 2026 Jul 14, 2026
Jul 14, 2026
Jul 14, 2026
0.0 NA
CVE-2026-52101 — andreimarcu linux-server Information Disclosure Vulnerability

An issue in andreimarcu linux-server v.1.0 through v.2.3.8 allows a remote attacker to obtain sensitive information via the function uploadRemote function in upload.go

| Information Disclosure
Jul 14, 2026 Jul 14, 2026
Jul 14, 2026
Jul 14, 2026
0.0 NA
CVE-2026-52100 — linux-server Cross-Site Request Forgery to Remote Code Execution

Cross Site Request Forgery vulnerability in andreimarcu linux-server v.1.0 through v.2.3.8 allows a remote attacker to execute arbitrary code via the uploadPutHandler function

| Cross-Site Request Forgery
Jul 14, 2026 Jul 14, 2026
Jul 14, 2026
Jul 14, 2026
6.3 MEDIUM
CVE-2026-49978 — DOMPurify IN_PLACE Sanitization Bypass via Attached Shadow Root Inside <template>.content

DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. Prior to 3.4.7, DOMPurify IN_PLACE sanitization could skip shadow contents attached to an element inside <template>.c…

dompurify | Remote | Cross-Site Scripting
Jul 14, 2026 Jul 14, 2026
Jul 14, 2026
Jul 14, 2026
7.5 HIGH
CVE-2026-49855 — tornado AsyncHTTPClient accumulates decompressed chunks without size limit (gzip bomb)

Tornado is a Python web framework and asynchronous networking library. Prior to 6.5.6, Tornado gzip decompression routines processed limited-size chunks but did not enforce an overall limit on accumu…

tornado | Remote | Denial of Service
Jul 14, 2026 Jul 14, 2026
Jul 14, 2026
Jul 14, 2026
5.3 MEDIUM
CVE-2026-49854 — Tornado: Out-of-bounds memory access in C extension

Tornado is a Python web framework and asynchronous networking library. Prior to 6.5.6, the optional native extension tornado.speedups implemented websocket_mask without validating that the mask argum…

tornado | Remote | Memory Corruption
Jul 14, 2026 Jul 14, 2026
Jul 14, 2026
Jul 14, 2026
7.7 HIGH
CVE-2026-49853 — Tornado: Authorization header forwarded across cross-origin redirects in SimpleAsyncHTTPC…

Tornado is a Python web framework and asynchronous networking library. Prior to 6.5.6, SimpleAsyncHTTPClient shallow-copied redirected requests and removed only the Host header, leaving Authorization…

tornado | Remote | Misconfiguration
Jul 14, 2026 Jul 14, 2026
Jul 14, 2026
Jul 14, 2026
7.5 HIGH
CVE-2026-49477 — Soup Sieve: Regular Expression Denial of Service (ReDoS) in soupsieve Selector Parser

Soup Sieve is a CSS selector library designed to be used with Beautiful Soup 4. Prior to 2.8.4, the CSS selector parser in soupsieve contains a regular expression vulnerable to catastrophic backtrack…

Remote | Denial of Service
Jul 14, 2026 Jul 14, 2026
Jul 14, 2026
Jul 14, 2026
7.5 HIGH
CVE-2026-49476 — Soup Sieve: Memory Exhaustion via Large Comma-Separated Selector Lists in soupsieve

Soup Sieve is a CSS selector library designed to be used with Beautiful Soup 4. Prior to 2.8.4, the CSS selector parser in soupsieve allocates unbounded memory when compiling large comma-separated se…

Remote | Denial of Service
Jul 14, 2026 Jul 14, 2026
Jul 14, 2026
Jul 14, 2026
6.1 MEDIUM
CVE-2026-49459 — DOMPurify: IN_PLACE mode preserves attributes of a clobbered root element, allowing XSS v…

DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. Prior to 3.4.6, DOMPurify.sanitize(root, { IN_PLACE: true }) could preserve event-handler attributes on an attacker-c…

dompurify | Remote | Cross-Site Scripting
Jul 14, 2026 Jul 14, 2026
Jul 14, 2026
Jul 14, 2026
Showing 20 of 8374 Results