Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
CVE Intelligence

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

All Critical Actively Exploited Remotely Exploitable
Last Updated Published CVSS Score
Score
Vulnerability
Published
6.9 MEDIUM
CVE-2026-53820 — OpenClaw < 2026.5.12 - Exec Denylist Bypass in Bundle MCP Loopback Session Spawn

OpenClaw before 2026.5.12 contains an exec denylist bypass vulnerability in the bundle MCP loopback session-spawn path that allows authenticated callers to bypass intended command restrictions. Attac…

| Authorization
Jun 12, 2026 Jun 12, 2026
Jun 12, 2026
Jun 12, 2026
9.1 CRITICAL
CVE-2026-53609 — Apostrophe has Server-Side Prototype Pollution in apos.util.set via patch operators that …

ApostropheCMS is an open-source Node.js content management system. In versions up to and including 4.30.0, `apos.util.set()` traverses dot-notation paths without sanitizing `__proto__`, allowing an a…

Remote | Injection
Jun 12, 2026 Jun 12, 2026
Jun 12, 2026
Jun 12, 2026
8.7 HIGH
CVE-2026-53608 — @apostrophecms/seo Vulnerable to Stored XSS via Unsanitized Google Analytics / GTM ID Inj…

ApostropheCMS is an open-source Node.js content management system. Versions up to and including 1.4.2 of the `@apostrophecms/seo` package injects the Google Analytics Tracking ID (`seoGoogleTrackingI…

Remote | Cross-Site Scripting
Jun 12, 2026 Jun 12, 2026
Jun 12, 2026
Jun 12, 2026
6.8 MEDIUM
CVE-2026-53523 — Nezha Monitoring: OAuth2 Redirect URL — Host Header Injection

Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool. From version 1.0.0 to before version 2.2.0, the getRedirectURL function in oauth2.go:22-29 constructs t…

Remote | Misconfiguration
Jun 12, 2026 Jun 12, 2026
Jun 12, 2026
Jun 12, 2026
6.5 MEDIUM
CVE-2026-53522 — Nezha Monitoring: Unbounded WebSocket Streams — Resource Exhaustion DoS

Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool. From version 1.0.0 to before version 2.2.0, the Nezha dashboard exposes two endpoints that create long-…

Remote | Denial of Service
Jun 12, 2026 Jun 12, 2026
Jun 12, 2026
Jun 12, 2026
6.4 MEDIUM
CVE-2026-53521 — Nezha Monitoring: Stored future DDNS profile ID allows unauthorized use of another user's…

Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool. From version 2.0.14 to before version 2.1.0, PATCH /server/{id} accepts and persists nonexistent ddns_p…

Remote | Authorization
Jun 12, 2026 Jun 12, 2026
Jun 12, 2026
Jun 12, 2026
6.5 MEDIUM
CVE-2026-53520 — Nezha Monitoring: Authenticated users can claim the dashboard Host through NAT and preemp…

Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool. From version 2.0.14 to before version 2.1.0, authenticated users can claim the dashboard Host through N…

Remote | Authentication
Jun 12, 2026 Jun 12, 2026
Jun 12, 2026
Jun 12, 2026
9.1 CRITICAL
CVE-2026-53519 — Nezha Monitoring: Pre-auth path traversal via /dashboard.. prefix confusion leaks jwt_sec…

Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool. Prior to version 2.0.13, fallbackToFrontend in the dashboard's NoRoute handler treats any URL whose raw…

Remote | Path Traversal
Jun 12, 2026 Jun 12, 2026
Jun 12, 2026
Jun 12, 2026
5.3 MEDIUM
CVE-2026-49397 — Nezha Monitoring: Private services (`EnableShowInService: false`) are enumerable via per-…

Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool. From version 2.0.0 to before version 2.0.14, private services (`EnableShowInService: false`) are enumer…

Remote | Information Disclosure
Jun 12, 2026 Jun 12, 2026
Jun 12, 2026
Jun 12, 2026
7.1 HIGH
CVE-2026-49396 — Nezha Monitoring: Cross-site GET request can trigger stored cron commands on a victim's a…

Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool. From version 1.0.0 to before version 2.0.14, cross-site GET request can trigger stored cron commands on…

Remote | Cross-Site Request Forgery
Jun 12, 2026 Jun 13, 2026
Jun 12, 2026
Jun 13, 2026
7.1 HIGH
CVE-2026-48119 — Nezha Monitoring: Authenticated agents can forge service-monitor results for other users'…

Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool. From version 0.20.0 to before version 2.0.12, authenticated agents can forge service-monitor results fo…

Remote | Authorization
Jun 12, 2026 Jun 12, 2026
Jun 12, 2026
Jun 12, 2026
6.4 MEDIUM
CVE-2026-47268 — Nezha Monitoring: Authenticated DDNS webhook configuration allows blind SSRF from the das…

Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool. From version 0.20.0 to before version 2.0.10, an authenticated Nezha dashboard user can create or updat…

Remote | Server-Side Request Forgery
Jun 12, 2026 Jun 12, 2026
Jun 12, 2026
Jun 12, 2026
6.5 MEDIUM
CVE-2026-47124 — Nezha WebSocket server stream discloses cross-tenant server telemetry to authenticated me…

Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool. From version 1.4.0 to before version 2.0.9, any authenticated non-admin member can connect to the serve…

Remote | Authorization
Jun 12, 2026 Jun 12, 2026
Jun 12, 2026
Jun 12, 2026
7.1 HIGH
CVE-2026-47120 — Nezha Monitoring: RoleMember can fire other users' cron tasks via AlertRule.FailTriggerTa…

Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool. From version 1.4.0 to before version 2.0.8, a RoleMember can fire other users' cron tasks via AlertRule…

Remote | Authorization
Jun 12, 2026 Jun 12, 2026
Jun 12, 2026
Jun 12, 2026
7.7 HIGH
CVE-2026-46717 — Nezha Monitoring: RoleMember-reachable SSRF with full response-body reflection via POST /…

Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool. From version 1.4.0 to before version 2.0.8, nezha's dashboard supports two user roles: RoleAdmin (Role=…

Remote | Server-Side Request Forgery
Jun 12, 2026 Jun 13, 2026
Jun 12, 2026
Jun 13, 2026
9.9 CRITICAL
CVE-2026-46716 — Nezha Monitoring: RoleMember can run shell on every server (cross-tenant RCE) via POST /a…

Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool. From version 1.4.0 to before version 2.0.8, a RoleMember user can create a scheduled cron task with Cov…

Remote | Misconfiguration
Jun 12, 2026 Jun 12, 2026
Jun 12, 2026
Jun 12, 2026
0.0 NA
CVE-2026-41158 — GPU DDK - Backed sparse PMRs are not handled by deferred free mechanism after shrink

Software installed and run as a non-privileged user may conduct GPU system calls to write to arbitrary freed physical pages. Physical memory allocated and freed, without the deferred free mechanis…

| Memory Corruption
Jun 12, 2026 Jun 12, 2026
Jun 12, 2026
Jun 12, 2026
0.0 NA
CVE-2026-41157 — GPU DDK - OOB Write in CalculateNPOTTwiddleSparsePageMap3D

A web page that contains unusual WebGPU content loaded into the GPU GLES render process and can trigger an out-of-bound write in the GPU user-space driver, leading to memory corruption and possible b…

| Memory Corruption
Jun 12, 2026 Jun 12, 2026
Jun 12, 2026
Jun 12, 2026
0.0 NA
CVE-2026-41155 — GPU DDK - SharedSecMem mapped into all GPU virtual address spaces

An attacker could cooperatively pass data from one secure GPU process to another secure GPU process through shared secure memory allocations in the kernel module. Additionally, an attacker could disr…

| Memory Corruption
Jun 12, 2026 Jun 12, 2026
Jun 12, 2026
Jun 12, 2026
0.0 NA
CVE-2026-34195 — GPU DDK - Kernel heap OOB write in PMRChangeSparseMemOSMem due to incorrect physical page…

Software installed and run as a non-privileged user may conduct intentional GPU sparse memory API calls to cause out of bounds write in the kernel. The product incorrectly indexes internal state w…

| Memory Corruption
Jun 12, 2026 Jun 12, 2026
Jun 12, 2026
Jun 12, 2026
Showing 20 of 6957 Results