Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
CVE Intelligence

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

All Critical Actively Exploited Remotely Exploitable
Last Updated Published CVSS Score
Score
Vulnerability
Published
8.4 HIGH
CVE-2026-39118 — Kandji Agent Privilege Escalation

An issue in Iru, Inc Kandji Agent before v.4.7.5(5374) allows a local attacker to escalate privileges via a client validation gap to invoke restricted agent functionality.

| Authorization
Jun 15, 2026 Jun 16, 2026
Jun 15, 2026
Jun 16, 2026
7.5 HIGH
CVE-2026-39007 — Observeinc Observe CSV Log Export Information Disclosure

An issue in Observeinc's Observe v.2026-01-28 and before allows a remote attacker to obtain sensitive information via the CSV Log export component.

Remote | Information Disclosure
Jun 15, 2026 Jun 16, 2026
Jun 15, 2026
Jun 16, 2026
9.8 CRITICAL
CVE-2026-39006 — SNMP4J-Agent Arbitrary Code Execution

An issue in SNMP4J-Agent 3.8.3 allows a remote attacker to execute arbitrary code via the snmp4jCfgStoragePath component.

Remote | Information Disclosure
Jun 15, 2026 Jun 16, 2026
Jun 15, 2026
Jun 16, 2026
9.8 CRITICAL
CVE-2026-38812 — RuoYi SQL Injection

RuoYi v4.8.2 is vulnerable to SQL Injection via the /tool/gen/createTable endpoint. The issue affects the code generation module and may allow an authenticated attacker with administrative privileges…

Remote | Injection
Jun 15, 2026 Jun 16, 2026
Jun 15, 2026
Jun 16, 2026
9.8 CRITICAL
CVE-2026-38329 — Bludit CMS API Plugin Remote Code Execution

Bludit CMS before version 3.18.4 allows Remote Code Execution (RCE) via the API Plugin. The POST /api/files/{key} endpoint in bl-plugins/api/plugin.php fails to perform authorization checks and lacks…

Remote | Authorization
Jun 15, 2026 Jun 16, 2026
Jun 15, 2026
Jun 16, 2026
9.8 CRITICAL
CVE-2026-38065 — Tenda Command Injection

Tenda 5G03 V05.03.02.04 (Version 1.0) is vulnerable to Command injection in the function action_ims_on_with_apn via the ims_apn parameter.

Remote | Injection
Jun 15, 2026 Jun 16, 2026
Jun 15, 2026
Jun 16, 2026
9.8 CRITICAL
CVE-2026-38064 — Tenda Command Injection

Tenda 5G03 V05.03.02.04 (Version 1.0) is vulnerable to Command injection in the function action_dial_call via the dialNumber parameter.

Remote | Injection
Jun 15, 2026 Jun 16, 2026
Jun 15, 2026
Jun 16, 2026
9.8 CRITICAL
CVE-2026-38063 — Tenda Command Injection

Tenda 5G03 V05.03.02.04 (Version 1.0) is vulnerable to Command injection in the function action_radio_on_with_ia_apn via the ia parameter.

Remote | Injection
Jun 15, 2026 Jun 16, 2026
Jun 15, 2026
Jun 16, 2026
9.8 CRITICAL
CVE-2026-38062 — Tenda Command Injection

Tenda 5G03 V05.03.02.04 (Version 1.0) is vulnerable to Command injection in the function action_set_rat_mode via the ratMode parameter.

Remote | Injection
Jun 15, 2026 Jun 16, 2026
Jun 15, 2026
Jun 16, 2026
9.8 CRITICAL
CVE-2026-38061 — Tenda Command Injection

Tenda 5G03 V05.03.02.04 (Version 1.0) is vulnerable to Command injection in the function action_set_volume via the volume parameter.

Remote | Injection
Jun 15, 2026 Jun 16, 2026
Jun 15, 2026
Jun 16, 2026
9.8 CRITICAL
CVE-2026-38060 — Tenda Command Injection

Tenda 5G03 V05.03.02.04 (Version 1.0) is vulnerable to Command injection in the function action_unlock_sim via the pin parameter.

Remote | Injection
Jun 15, 2026 Jun 16, 2026
Jun 15, 2026
Jun 16, 2026
6.1 MEDIUM
CVE-2026-37216 — Ruoyi Cross-Site Scripting

Ruoyi 4.8.2 is vulnerable to Cross Site Scripting (XSS) at the interface /system/notice/add.

Remote | Cross-Site Scripting
Jun 15, 2026 Jun 16, 2026
Jun 15, 2026
Jun 16, 2026
6.8 MEDIUM
CVE-2026-36933 — Boyleep K11 Factory Test Command Injection

An issue in Boyleep K11, y108 firmware v.2.3.0.11291 allows a physically proximate attacker to execute arbitrary code via the factory test feature.

| Authentication
Jun 15, 2026 Jun 16, 2026
Jun 15, 2026
Jun 16, 2026
8.8 HIGH
CVE-2026-36670 — OpenSIPS Control Panel Time-Based Blind SQL Injection

A Time-Based Blind SQL Injection vulnerability in the alias_management module of OpenSIPS Control Panel (opensips-cp) prior to version 9.3.3 allows authenticated attackers to execute arbitrary SQL co…

Remote | Injection
Jun 15, 2026 Jun 16, 2026
Jun 15, 2026
Jun 16, 2026
9.8 CRITICAL
CVE-2026-36537 — ThingsBoard Authentication Bypass via OAuth Code Exchange

ThingsBoard v4.3.0.1 is vulnerable to an authentication bypass during the OAuth authorization code exchange. The application improperly trusts user-supplied identity data within the user parameter of…

Remote | Authentication
Jun 15, 2026 Jun 16, 2026
Jun 15, 2026
Jun 16, 2026
6.1 MEDIUM
CVE-2026-36521 — PublicCMS Cross-Site Scripting

PublicCMS V5.202506.d has a Cross Site Scripting (XSS) vulnerability in the site configuration management module.

Remote | Cross-Site Scripting
Jun 15, 2026 Jun 16, 2026
Jun 15, 2026
Jun 16, 2026
7.8 HIGH
CVE-2026-36213 — Microvirt MEmu Privilege Escalation

An issue in Microvirt MEmu Android Emulator 9.2.7.0 allows a local attacker to escalate privileges via the MemuService.exe component.

| Authorization
Jun 15, 2026 Jun 16, 2026
Jun 15, 2026
Jun 16, 2026
9.1 CRITICAL
CVE-2026-30121 — remotion-dev Arbitrary File Write

remotion-dev remotion v4.0.409 was discovered to contain an arbitrary file write vulnerability.

Remote | Path Traversal
Jun 15, 2026 Jun 16, 2026
Jun 15, 2026
Jun 16, 2026
9.8 CRITICAL
CVE-2026-30120 — remotion-dev Remotion Remote Code Execution

remotion-dev remotion v4.0.409 was discovered to contain a remote code execution (RCE) vulnerability.

Remote | Injection
Jun 15, 2026 Jun 16, 2026
Jun 15, 2026
Jun 16, 2026
6.8 MEDIUM
CVE-2026-11931 — Insecure Permissions on Authentication Token Cache File in Kiro IDE

Incorrect default permissions in Kiro IDE on macOS and Linux before version 0.11.133 could expose the authentication token cache file to other local users or processes via world-readable permissions …

kiro_ide | Misconfiguration
Jun 15, 2026 Jun 16, 2026
Jun 15, 2026
Jun 16, 2026
Showing 20 of 7024 Results