Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
8.6 HIGH
CVE-2026-55604 — @arikusi/deepseek-mcp-server has an Authorization Bypass Through User-Controlled Key

DeepSeek MCP Server is an MCP server for DeepSeek V4. Starting in version 1.4.2 and prior to version 1.7.0, the process-global `SessionStore` accepts caller-supplied `session_id` values without bindi…

Remote | Authentication
Jul 09, 2026 Jul 09, 2026
Jul 09, 2026
Jul 09, 2026
7.4 HIGH
CVE-2026-55424 — Discourse: Topic featured link susceptible to stored XSS

Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, a topic "featured link" was not sufficiently normalized and escaped before being rendered in the …

Remote | Cross-Site Scripting
Jul 09, 2026 Jul 09, 2026
Jul 09, 2026
Jul 09, 2026
2.1 LOW
CVE-2026-55170 — OpenFGA MySQL backend: case-insensitive collation on identifier columns causes incorrect …

OpenFGA is an authorization/permission engine built for developers. Prior to 1.18.0, when MySQL is being used as the datastore and authorization decisions rely on case-sensitive user strings, the tup…

Remote | Authorization
Jul 09, 2026 Jul 09, 2026
Jul 09, 2026
Jul 09, 2026
7.3 HIGH
CVE-2026-53963 — Discourse: Stored-XSS in 2FA delete confirmation modal

Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, a malicious second factor name on an attacker-controlled account was not escaped in the delete co…

Remote | Cross-Site Scripting
Jul 09, 2026 Jul 09, 2026
Jul 09, 2026
Jul 09, 2026
5.4 MEDIUM
CVE-2026-53962 — Discourse: Insufficient SVG sanitization logic

Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, insufficient SVG sanitization in upload and user avatar handling could lead to cross-site scripti…

Remote | Cross-Site Scripting
Jul 09, 2026 Jul 09, 2026
Jul 09, 2026
Jul 09, 2026
6.5 MEDIUM
CVE-2026-53961 — Discourse: Forged AWS SNS bounce notifications can disable a targeted user's email (missi…

Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, the AWS SES bounce webhook at POST /webhooks/aws verified that SNS messages were signed by Amazon…

Remote | Authentication
Jul 09, 2026 Jul 09, 2026
Jul 09, 2026
Jul 09, 2026
6.3 MEDIUM
CVE-2026-49256 — Discourse: Hidden tag names leaked via category serializers

Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, restricted tag and tag-group names attached to publicly readable categories as allowed_tags, allo…

Remote | Information Disclosure
Jul 09, 2026 Jul 09, 2026
Jul 09, 2026
Jul 09, 2026
6.5 MEDIUM
CVE-2026-46413 — Discourse: Regular users can route multipart uploads into the admin backup store

Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, regular users could route direct S3 multipart uploads through ExternalUploadManager into the admi…

Remote | Misconfiguration
Jul 09, 2026 Jul 09, 2026
Jul 09, 2026
Jul 09, 2026
6.3 MEDIUM
CVE-2026-45788 — Discourse: Secure uploads exposed by hotlinked image copying

Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, secure uploads could be exposed by pull_hotlinked_images when an attacker knew the secured upload…

Remote | Misconfiguration
Jul 09, 2026 Jul 09, 2026
Jul 09, 2026
Jul 09, 2026
5.3 MEDIUM
CVE-2026-45780 — Discourse: Private event sample invitees are serialized to non-invited event viewers

Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, EventSerializer could expose invited group names, sample invitees, and attendance statistics to u…

Remote | Information Disclosure
Jul 09, 2026 Jul 09, 2026
Jul 09, 2026
Jul 09, 2026
8.2 HIGH
CVE-2026-44787 — Discourse: Signup-time primary_group_id assignment grants whisperer access

Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, the signup flow could allow newly registered users to set primary_group_id and gain whisper-group…

Remote | Authorization
Jul 09, 2026 Jul 09, 2026
Jul 09, 2026
Jul 09, 2026
0.0 NA
CVE-2026-39246 — decompress Arbitrary Symlink Creation

decompress before 4.2.2 allows arbitrary symlink creation during archive extraction. When processing symlink entries (type === 'symlink'), the x.linkname field from the archive is passed directly to …

| Path Traversal
Jul 09, 2026 Jul 09, 2026
Jul 09, 2026
Jul 09, 2026
0.0 NA
CVE-2026-39245 — decompress Directory Traversal and Arbitrary File Write Vulnerability

decompress before 4.2.2 contains an improper path containment check that enables directory traversal and arbitrary file write. The safeMakeDir function (index.js line 29) and the extraction path vali…

| Path Traversal
Jul 09, 2026 Jul 09, 2026
Jul 09, 2026
Jul 09, 2026
0.0 NA
CVE-2026-39243 — decompress Arbitrary Hardlink Creation Vulnerability

decompress before 4.2.2 allows arbitrary hardlink creation during archive extraction, enabling file read disclosure and file corruption. When processing hardlink entries (type === 'link'), the x.link…

| Path Traversal
Jul 09, 2026 Jul 09, 2026
Jul 09, 2026
Jul 09, 2026
0.0 NA
CVE-2026-38076 — Artifex JBIG2 Integer Overflow

An integer overflow in the jbig2_arith_iaid_ctx_new() function of Artifex commit cc37d0 allows attackers to cause a Denial of Service (DoS) via a crafted input.

| Denial of Service
Jul 09, 2026 Jul 09, 2026
Jul 09, 2026
Jul 09, 2026
6.9 MEDIUM
CVE-2026-33803 — Junos OS Evolved: A port which has been inadvertently exposed can be reached by an attack…

An Improper Restriction of Communication Channel to Intended Endpoints vulnerability in Juniper Networks Junos OS Evolved allows an unauthenticated, network-based attacker to cause a limited informat…

Remote | Information Disclosure
Jul 09, 2026 Jul 09, 2026
Jul 09, 2026
Jul 09, 2026
6.8 MEDIUM
CVE-2026-33802 — Junos OS: EX Series: Unauthorized users can execute service-impacting CLI command

A Missing Authorization vulnerability in the CLI of Juniper Networks Junos OS on EX Series allows a local, authenticated attacker to cause a Denial-of-Service (DoS). On EX2300, EX4000, EX4100, EX4…

| Authorization
Jul 09, 2026 Jul 09, 2026
Jul 09, 2026
Jul 09, 2026
3.3 LOW
CVE-2026-15276 — pdeljanov Symphonia Metadata denial of service

A flaw has been found in pdeljanov Symphonia up to 0.6.0. This vulnerability affects unknown code of the component Metadata Handler. This manipulation causes denial of service. The attack needs to be…

| Denial of Service
Jul 09, 2026 Jul 09, 2026
Jul 09, 2026
Jul 09, 2026
3.3 LOW
CVE-2026-15274 — lo48576 fbxcel Node Header parser.rs denial of service

A vulnerability was detected in lo48576 fbxcel up to 0.9.0. This affects an unknown part of the file src/pull_parser/v7400/parser.rs of the component Node Header Handler. The manipulation results in …

| Denial of Service
Jul 09, 2026 Jul 09, 2026
Jul 09, 2026
Jul 09, 2026
7.7 HIGH
CVE-2026-15271 — TOTOLINK EX200 Web boa.conf least privilege violation

A security vulnerability has been detected in TOTOLINK A3000RU, A3100R, A950RG, AC1200T10, CP450, CS185R_T10 and EX200 up to 20260906. Affected by this issue is some unknown functionality of the file…

a3100r a3000ru cp450 ex200 a950rg | Remote | Authorization
Jul 09, 2026 Jul 09, 2026
Jul 09, 2026
Jul 09, 2026
Showing 20 of 7322 Results