Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
9.4 CRITICAL
CVE-2026-23556 — oxenstored keeps quota related use counts across domain destruction

When oxenstored is tearing a domain down, the node data is cleaned up but the usage counts are leaked. When the domain ID is eventually reused, the new domain can create fewer nodes before beeing de…

| Information Disclosure
Jul 09, 2026 Jul 09, 2026
Jul 09, 2026
Jul 09, 2026
6.5 MEDIUM
CVE-2026-15189 — aerostackdev aerostack-mcp mcp-whatsapp upload_media server-side request forgery

A security vulnerability has been detected in aerostackdev aerostack-mcp up to 6315dfde7df0a15aaf743f88d91347115e09ba23. Affected by this issue is the function upload_media of the component mcp-whats…

Remote | Server-Side Request Forgery
Jul 09, 2026 Jul 09, 2026
Jul 09, 2026
Jul 09, 2026
6.5 MEDIUM
CVE-2026-15188 — manjurulhoque django-job-portal Employee Dashboard Endpoint views.py EditEmployeeProfileA…

A weakness has been identified in manjurulhoque django-job-portal up to dfa352f305bba44445ac5dc12e9b2a98c9dcd71f. Affected by this vulnerability is the function EditEmployeeProfileAPIView of the file…

Remote | Authorization
Jul 09, 2026 Jul 09, 2026
Jul 09, 2026
Jul 09, 2026
4.3 MEDIUM
CVE-2026-15187 — enquirer Public Package API Enquirer.set prototype pollution

A security flaw has been discovered in enquirer up to 2.4.1. Affected is the function Enquirer.set of the component Public Package API. The manipulation of the argument question.name results in impro…

Remote | Misconfiguration
Jul 09, 2026 Jul 09, 2026
Jul 09, 2026
Jul 09, 2026
8.7 HIGH
CVE-2026-11404 — Cesanta Mongoose < 7.22 Out-of-Bounds Read in MG_TLS_BUILTIN ClientHello Session ID Parsi…

Cesanta Mongoose before 7.22 contains an out-of-bounds read in the built-in TLS server function mg_tls_server_recv_hello(), which uses an attacker-controlled session_id_len byte from a TLS ClientHell…

mongoose | Remote | Memory Corruption
Jul 09, 2026 Jul 09, 2026
Jul 09, 2026
Jul 09, 2026
9.4 CRITICAL
CVE-2025-58151 — varstored: TOCTOU issues with mapped guest memory

varstored is a component of the Xapi toolstack handling UEFI Variables for a VM. It has a communication path with OVMF inside the VM involving mapping a buffer prepared by OVMF. Within varstored, t…

| Race Condition
Jul 09, 2026 Jul 09, 2026
Jul 09, 2026
Jul 09, 2026
9.4 CRITICAL
CVE-2025-58146 — XAPI UTF-8 string handling

There are multiple issues. 1. Updates to the XAPI database sanitise input strings, but try generating the notification using the unsanitised input. This causes the database's event thread …

xapi | Denial of Service
Jul 09, 2026 Jul 09, 2026
Jul 09, 2026
Jul 09, 2026
9.4 CRITICAL
CVE-2025-27464 — WinPVDrivers: Excessive permissions on user-exposed devices

[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] The Windows PV drivers expose various facilities to userspace. Several…

| Authentication
Jul 09, 2026 Jul 09, 2026
Jul 09, 2026
Jul 09, 2026
9.4 CRITICAL
CVE-2025-27463 — WinPVDrivers: Excessive permissions on user-exposed devices

[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] The Windows PV drivers expose various facilities to userspace. Several…

| Misconfiguration
Jul 09, 2026 Jul 09, 2026
Jul 09, 2026
Jul 09, 2026
9.4 CRITICAL
CVE-2025-27462 — WinPVDrivers: Excessive permissions on user-exposed devices

[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] The Windows PV drivers expose various facilities to userspace. Seve…

| Authorization
Jul 09, 2026 Jul 09, 2026
Jul 09, 2026
Jul 09, 2026
8.7 HIGH
CVE-2026-60109 — Zeek < 8.0.9 Null Pointer Dereference DoS via Kerberos KRB_ERROR Parsing

Zeek before 8.0.9 contains a null pointer dereference vulnerability in its Kerberos protocol analyzer that allows unauthenticated remote attackers to crash the sensor by sending a crafted KRB_ERROR m…

Remote | Memory Corruption
Jul 09, 2026 Jul 09, 2026
Jul 09, 2026
Jul 09, 2026
8.7 HIGH
CVE-2026-60108 — Zeek < 8.0.9 Uncontrolled Memory Consumption DoS via FTP Analyzer

Zeek before 8.0.9 contains an uncontrolled memory consumption vulnerability in the FTP analyzer that allows unauthenticated remote attackers to cause process termination by sending a crafted FTP cont…

Remote | Memory Corruption
Jul 09, 2026 Jul 09, 2026
Jul 09, 2026
Jul 09, 2026
5.4 MEDIUM
CVE-2026-5005 — Stored XSS in Twiser's OKRs & Goals

Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Twiser Informatics Technology Consulting, Trade and Education Inc. OKRs & Goals allows Stored XSS…

Remote | Cross-Site Scripting
Jul 09, 2026 Jul 09, 2026
Jul 09, 2026
Jul 09, 2026
9.2 CRITICAL
CVE-2026-56292 — Joomla Extension - acymailing.com - SQL Injection in AcyMailing extension < 10.11.1

A SQLi vulnerability in AcyMailing component < 10.11.1 for Joomla was discovered. Exploiting this flaw can lead to unauthorized database access and data leakage.

Remote | Injection
Jul 09, 2026 Jul 09, 2026
Jul 09, 2026
Jul 09, 2026
8.6 HIGH
CVE-2026-54801 — CPCI85 and SICORE Authentication Bypass Vulnerability

A vulnerability has been identified in CPCI85 Central Processing/Communication (All versions < V26.20), SICORE Base system (All versions < V26.20.0). The affected application contains insufficient va…

Remote | Authentication
Jul 09, 2026 Jul 09, 2026
Jul 09, 2026
Jul 09, 2026
6.3 MEDIUM
CVE-2026-54800 — Siemens SICORE and CPCI85 OPC UA Insecure Default Configuration

A vulnerability has been identified in CPCI85 Central Processing/Communication (All versions < V26.20), SICORE Base system (All versions < V26.20.0). The affected application ships with a default con…

Remote | Misconfiguration
Jul 09, 2026 Jul 09, 2026
Jul 09, 2026
Jul 09, 2026
8.4 HIGH
CVE-2026-54799 — Siemens CPCI85 and SICORE Improper Signature Verification Vulnerability

A vulnerability has been identified in CPCI85 Central Processing/Communication (All versions < V26.20), SICORE Base system (All versions < V26.20.0). The affected application contains a vulnerability…

| Misconfiguration
Jul 09, 2026 Jul 09, 2026
Jul 09, 2026
Jul 09, 2026
7.1 HIGH
CVE-2026-54798 — CPCI85 and SICORE Base System Denial of Service Vulnerability

A vulnerability has been identified in CPCI85 Central Processing/Communication (All versions < V26.20), SICORE Base system (All versions < V26.20.0). The affected application includes a debugging int…

Remote | Denial of Service
Jul 09, 2026 Jul 09, 2026
Jul 09, 2026
Jul 09, 2026
6.9 MEDIUM
CVE-2026-60095 — Vinchin Backup & Recovery 9.0.0.86562 Stack Buffer Overflow via ModuleHandShake

Vinchin Backup & Recovery through 9.0.0.86562 contains a stack buffer overflow vulnerability in the ModuleHandShake function of the agentlink_server service that allows unauthenticated remote attacke…

Remote | Memory Corruption
Jul 09, 2026 Jul 09, 2026
Jul 09, 2026
Jul 09, 2026
6.9 MEDIUM
CVE-2026-60094 — Vinchin Backup & Recovery 9.0.0.86562 Heap Buffer Overflow via agentlink_server

Vinchin Backup & Recovery through 9.0.0.86562 contains a heap buffer overflow vulnerability that allows unauthenticated remote attackers to cause process crash or memory corruption by sending a malfo…

Remote | Memory Corruption
Jul 09, 2026 Jul 09, 2026
Jul 09, 2026
Jul 09, 2026
Showing 20 of 7324 Results