Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
7.3 HIGH
CVE-2025-45869 — LogicalDOC Enterprise Server-Side Request Forgery

LogicalDOC Enterprise Version up to and before v9.1.1 is vulnerable to Server-Side Request Forgery (SSRF). An unauthenticated attacker can exploit the ShareFileCallback servlet by manipulating input …

Remote | Server-Side Request Forgery
Jul 13, 2026 Jul 13, 2026
Jul 13, 2026
Jul 13, 2026
5.3 MEDIUM
CVE-2026-61505 — Rejetto HFS < 3.2.1 Limited File Disclosure via Path Traversal in lang Parameter

Rejetto HFS 3.0.0 through 3.2.0 allows path traversal through the lang query parameter, permitting a remote unauthenticated attacker to read certain JSON files outside the shared folders. Exploitatio…

Remote | Path Traversal
Jul 13, 2026 Jul 13, 2026
Jul 13, 2026
Jul 13, 2026
5.4 MEDIUM
CVE-2026-61504 — Rejetto HFS < 3.2.1 Stored XSS via File Names in Basic Web Listing

Rejetto HFS 3.0.0 through 3.2.0 does not escape file names in its fallback "basic" web listing, and this listing can be forced by any browser via the ?get=basic parameter. A user with upload permissi…

Remote | Cross-Site Scripting
Jul 13, 2026 Jul 13, 2026
Jul 13, 2026
Jul 13, 2026
5.3 MEDIUM
CVE-2026-61503 — Rejetto HFS < 3.2.1 Username Enumeration via Login Response Differences

Rejetto HFS 3.0.0 through 3.2.0 returns observably different responses from its login endpoint depending on whether the submitted username exists. A remote unauthenticated attacker can use this to co…

Remote | Authentication
Jul 13, 2026 Jul 13, 2026
Jul 13, 2026
Jul 13, 2026
4.3 MEDIUM
CVE-2026-61502 — Rejetto HFS < 3.2.1 Cross-Site Request Forgery via GET Requests

Rejetto HFS 3.0.0 through 3.2.0 accepts state-changing API requests via the GET method and exempts GET requests from its anti-CSRF header check. A remote attacker can perform administrative actions i…

Remote | Cross-Site Request Forgery
Jul 13, 2026 Jul 13, 2026
Jul 13, 2026
Jul 13, 2026
6.1 MEDIUM
CVE-2026-61501 — Rejetto HFS < 3.2.1 Stored XSS in Admin Log Viewer

Rejetto HFS 3.0.0 through 3.2.0 renders log entries in the administration panel as HTML without sanitization. A remote unauthenticated attacker can submit a failed login with a crafted username that …

Remote | Cross-Site Scripting
Jul 13, 2026 Jul 13, 2026
Jul 13, 2026
Jul 13, 2026
9.8 CRITICAL
CVE-2026-61500 — Rejetto HFS < 3.2.1 Session Forgery via Predictable Signing Key

Rejetto HFS 3.0.0 through 3.2.0 derives its session-cookie signing key from the non-cryptographic Math.random() generator and discloses outputs of the same generator to unauthenticated clients during…

Remote | Cryptography
Jul 13, 2026 Jul 13, 2026
Jul 13, 2026
Jul 13, 2026
8.8 HIGH
CVE-2026-61463 — Shiori Authenticated Privilege Escalation via PATCH /api/v1/auth/account

Shiori contains a privilege escalation vulnerability in the account update endpoint that allows authenticated users to modify the owner field without authorization checks. Attackers can escalate to a…

shiori | Remote | Authorization
Jul 13, 2026 Jul 13, 2026
Jul 13, 2026
Jul 13, 2026
9.2 CRITICAL
CVE-2026-61462 — mcp-gitlab Path Traversal via job_id Parameter

mcp-gitlab contains a path traversal vulnerability in the job_id parameter of build/index.js that allows attackers to redirect GitLab API requests to arbitrary endpoints. Attackers can supply crafted…

Remote | Path Traversal
Jul 13, 2026 Jul 13, 2026
Jul 13, 2026
Jul 13, 2026
6.8 MEDIUM
CVE-2026-60103 — Blender 3.0.0 - 5.1.2 Out-of-Bounds Read via crafted .blend SDNA block

Blender 3.0.0 through 5.1.2 contains an out-of-bounds read vulnerability that allows attackers to trigger a crash or read adjacent heap memory by supplying a crafted .blend file with a malicious sign…

| Memory Corruption
Jul 13, 2026 Jul 13, 2026
Jul 13, 2026
Jul 13, 2026
0.0 NA
CVE-2026-53365 — vsock/virtio: fix zerocopy completion for multi-skb sends

In the Linux kernel, the following vulnerability has been resolved: vsock/virtio: fix zerocopy completion for multi-skb sends When a large message is fragmented into multiple skbs, the zerocopy uar…

| Memory Corruption
Jul 13, 2026 Jul 13, 2026
Jul 13, 2026
Jul 13, 2026
0.0 NA
CVE-2026-53364 — Bluetooth: hci_conn: Fix memory leak in hci_le_big_terminate()

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_conn: Fix memory leak in hci_le_big_terminate() hci_le_big_terminate() allocates iso_list_data via kzalloc_obj but…

| Memory Corruption
Jul 13, 2026 Jul 13, 2026
Jul 13, 2026
Jul 13, 2026
0.0 NA
CVE-2026-57433 — Storable versions before 3.41 for Perl have a signed integer overflow when deserializing …

Storable versions before 3.41 for Perl have a signed integer overflow when deserializing a crafted SX_HOOK record. retrieve_hook_common reads a signed 32-bit item count from an SX_HOOK record and ca…

| Memory Corruption
Jul 13, 2026 Jul 13, 2026
Jul 13, 2026
Jul 13, 2026
0.0 NA
CVE-2026-57432 — Perl versions through 5.43.10 have an integer overflow in S_measure_struct leading to an …

Perl versions through 5.43.10 have an integer overflow in S_measure_struct leading to an out-of-bounds heap read in pack and unpack. S_measure_struct adds each item's size times its repeat count to …

perl | Memory Corruption
Jul 13, 2026 Jul 13, 2026
Jul 13, 2026
Jul 13, 2026
0.0 NA
CVE-2026-13221 — Perl versions through 5.43.9 produce silently incorrect regular expression matches when a…

Perl versions through 5.43.9 produce silently incorrect regular expression matches when an alternation of more than 65535 fixed string branches is compiled into a trie in Perl_study_chunk. When such…

perl | Denial of Service
Jul 13, 2026 Jul 13, 2026
Jul 13, 2026
Jul 13, 2026
8.1 HIGH
CVE-2026-59245 — Apache Airflow FAB provider: FAB auth manager: a DAG named "DAGs" hijacks the global all-…

In the Apache Airflow FAB auth manager, a DAG whose `dag_id` is `DAGs` collided with the global all-DAGs permission resource name produced by `resource_name()`, so a user granted per-DAG `access_cont…

apache-airflow-providers-fab | Remote | Authorization
Jul 13, 2026 Jul 14, 2026
Jul 13, 2026
Jul 14, 2026
8.1 HIGH
CVE-2026-58065 — Apache Airflow Git provider: Git provider hook defaults to StrictHostKeyChecking=no, disa…

The Apache Airflow Git provider runs its git-over-SSH operations with `StrictHostKeyChecking=no` by default, disabling SSH host-key verification. An attacker who can intercept the network path betwee…

apache-airflow-providers-git | Remote | Misconfiguration
Jul 13, 2026 Jul 14, 2026
Jul 13, 2026
Jul 14, 2026
9.3 CRITICAL
CVE-2026-6847 — Unauthenticated Remote Code Execution in ThemisNETPanel

Remote Code Execution vulnerability exists in ThemisNETPanel due to missing authentication for a critical file upload function. The application exposes an endpoint that allows unauthenticated attacke…

Remote | Authentication
Jul 13, 2026 Jul 13, 2026
Jul 13, 2026
Jul 13, 2026
9.8 CRITICAL
CVE-2026-61498 — Vitec Flamingo 4.12.2 Unauthenticated OS Command Injection via gen_graphs.php

Vitec Flamingo 4.12.2 contains an unauthenticated OS command injection vulnerability in the admin/ajax/gen_graphs.php endpoint that allows remote unauthenticated attackers to execute arbitrary comman…

Remote | Injection
Jul 13, 2026 Jul 13, 2026
Jul 13, 2026
Jul 13, 2026
9.8 CRITICAL
CVE-2026-60121 — Vitec Flamingo 4.12.2 Unauthenticated OS Command Injection via ping.php

Vitec Flamingo 4.12.2 contains an unauthenticated OS command injection vulnerability in the admin/ajax/ping.php endpoint that allows remote attackers to execute arbitrary commands by exploiting a dou…

Remote | Injection
Jul 13, 2026 Jul 13, 2026
Jul 13, 2026
Jul 13, 2026
Showing 20 of 7417 Results