Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
CVE Intelligence

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

All Critical Actively Exploited Remotely Exploitable
Last Updated Published CVSS Score
Score
Vulnerability
Published
7.8 HIGH
CVE-2026-12505 — Cifs-utils: local privilege escalation via forged cifs.spnego key description in cifs.upc…

A flaw was found in the cifs-utils package where the cifs.upcall helper fails to securely drop its root privileges before looking up user information inside a user-controlled environment. A local, lo…

enterprise_linux openshift_container_platform enterprise_linux | Authentication
Jun 18, 2026 Jun 18, 2026
Jun 18, 2026
Jun 18, 2026
9.3 CRITICAL
CVE-2026-12569 — Remote Code Execution (RCE) vulnerability in Windchill PDMlink

A critical remote code execution (RCE) vulnerability has been reported in PTC Windchill PDMlink and PTC FlexPLM. The vulnerability may be exploited through the deserialization of untrusted data.  * …

Remote | Injection
Jun 18, 2026 Jun 18, 2026
Jun 18, 2026
Jun 18, 2026
0.0 NA
CVE-2026-38714 — InHand Networks Command Injection

InHand Networks IR912 V1.0.0.r20042 and IR915 V1.0.0.r20042 (including earlier versions) were discovered to contain a command injection vulnerability in the Python configuration function. This vulner…

| Injection
Jun 18, 2026 Jun 18, 2026
Jun 18, 2026
Jun 18, 2026
0.0 NA
CVE-2026-38715 — InHand Networks Command Injection

InHand Networks IR912 V1.0.0.r20042 and IR915 V1.0.0.r20042 (including earlier versions) were discovered to contain a command injection vulnerability in the log viewing function. This vulnerability a…

| Injection
Jun 18, 2026 Jun 18, 2026
Jun 18, 2026
Jun 18, 2026
0.0 NA
CVE-2026-38716 — InHand Networks Command Injection

InHand Networks IR912 V1.0.0.r20042 and IR915 V1.0.0.r20042 (including earlier versions) were discovered to contain a command injection vulnerability in the Python application export function. This v…

| Injection
Jun 18, 2026 Jun 18, 2026
Jun 18, 2026
Jun 18, 2026
0.0 NA
CVE-2026-38718 — InHand Networks IR912/IR915 Buffer Overflow Denial-of-Service Vulnerability

InHand Networks IR912 V1.0.0.r20042 and IR915 V1.0.0.r20042 (including earlier versions) were discovered to contain a buffer overflow vulnerability in the device registration function. This vulnerabi…

| Denial of Service
Jun 18, 2026 Jun 18, 2026
Jun 18, 2026
Jun 18, 2026
0.0 NA
CVE-2026-38717

InHand Networks IR912 V1.0.0.r20042 and IR915 V1.0.0.r20042 (including earlier versions) were discovered to contain a command injection vulnerability in the file upload function. The vulnerability al…

| Injection
Jun 18, 2026 Jun 18, 2026
Jun 18, 2026
Jun 18, 2026
8.2 HIGH
CVE-2026-48764 — TypeBot has SSRF in HTTP request and script fetch flows via DNS rebinding bypass

TypeBot is a chatbot builder tool. In versions prior to 3.17.2, SSRF validation is implemented by resolving a hostname once and checking whether the resolved IP belongs to a forbidden range allowing …

typebot | Remote | Server-Side Request Forgery
Jun 17, 2026 Jun 17, 2026
Jun 17, 2026
Jun 17, 2026
9.3 CRITICAL
CVE-2026-48768 — TypeBot: Unauthenticated arbitrary s3 object write in generate-upload-url via unsanitized…

TypeBot is a chatbot builder tool. In versions 3.16.1 and earlier, POST /api/blocks/file-input/v3/generate-upload-url is unauthenticated and uses unsanitized fileName input to construct public/ S3 ob…

typebot | Remote | Authentication
Jun 17, 2026 Jun 17, 2026
Jun 17, 2026
Jun 17, 2026
8.6 HIGH
CVE-2026-53676 — ThingsBoard Prototype Pollution

ThingsBoard contains a prototype pollution vulnerability which may lead to arbitrary code execution within a sandboxed context by a user who can log in to the affected product with the tenant adminis…

thingsboard | Remote | Information Disclosure
Jun 17, 2026 Jun 17, 2026
Jun 17, 2026
Jun 17, 2026
7.5 HIGH
CVE-2026-45357 — LiquidJS: Memory and render limit bypass via unbounded width padding in `date` filter (st…

LiquidJS is a Shopify/GitHub Pages compatible template engine written in pure JavaScript. In versions 10.25.7 and below, the date filter's strftime implementation parses width specifiers like %999999…

liquidjs | Remote | Memory Corruption
Jun 17, 2026 Jun 17, 2026
Jun 17, 2026
Jun 17, 2026
5.3 MEDIUM
CVE-2026-44646 — LiquidJS: `{% render %}` tag silently bypasses per-render `ownPropertyOnly:true` via `Con…

LiquidJS is a Shopify/GitHub Pages compatible template engine written in pure JavaScript. In versions 10.25.7 and below, Context.spawn() creates a child Context for the {% render %} tag but does not …

liquidjs | Remote | Misconfiguration
Jun 17, 2026 Jun 17, 2026
Jun 17, 2026
Jun 17, 2026
6.9 MEDIUM
CVE-2026-54533 — vantage6 node has an Improper Access Control issue

vantage6 is an open-source infrastructure for privacy preserving analysis. Prior to version 5.0.0, malicious algorithms can potentially access other algorithms input and output files. Version 5.0.0 f…

vantage6 | Remote | Authorization
Jun 17, 2026 Jun 17, 2026
Jun 17, 2026
Jun 17, 2026
6.9 MEDIUM
CVE-2026-54445 — Vantage6: Set admin user and password from environment or configuration

vantage6 is an open-source infrastructure for privacy preserving analysis. Versions prior to 5.0.0 provide an initial user with username `root` and password `root`. This is not ideal because attacker…

vantage6 | Remote | Authentication
Jun 17, 2026 Jun 17, 2026
Jun 17, 2026
Jun 17, 2026
7.5 HIGH
CVE-2026-45617 — LiquidJS: ReDoS via Quadratic Backtracking in `strip_html` Filter Regex

LiquidJS is a Shopify/GitHub Pages compatible template engine written in pure JavaScript. In versions 10.25.7 and below, the built-in strip_html filter uses a regex containing four flawed lazy-quanti…

liquidjs | Remote | Denial of Service
Jun 17, 2026 Jun 17, 2026
Jun 17, 2026
Jun 17, 2026
5.9 MEDIUM
CVE-2024-27928 — Vantage6: 2FA can be circumvented with hacked email access

vantage6 is an open-source infrastructure for privacy preserving analysis. Prior to version 5.0.0, if an attacker hacks into a vantage6 user's email account, they can 1) reset the password via email …

vantage6 | Remote | Authentication
Jun 17, 2026 Jun 17, 2026
Jun 17, 2026
Jun 17, 2026
6.5 MEDIUM
CVE-2026-44645 — LiquidJS has a renderLimit DoS guard bypass via empty `{% for %}` body

LiquidJS is a Shopify/GitHub Pages compatible template engine written in pure JavaScript. In versions 10.25.7 and below, the renderLimit option can be fully bypassed by a {% for %} (or {% tablerow %}…

liquidjs | Remote | Denial of Service
Jun 17, 2026 Jun 17, 2026
Jun 17, 2026
Jun 17, 2026
2.1 LOW
CVE-2024-24769 — Vantage6: No limit on emails sent for password/MFA reset

vantage6 is an open-source infrastructure for privacy preserving analysis. Prior to version 5.0.0, users can reset their MFA token via API routes that send them an email. Currently the number of emai…

vantage6 | Remote | Denial of Service
Jun 17, 2026 Jun 17, 2026
Jun 17, 2026
Jun 17, 2026
1.9 LOW
CVE-2026-50268 — Steeltoe: OAEP setting silently selects PKCS#1 v1.5 padding

Steeltoe is an open source project that provides a collection of libraries that helps users build cloud-native applications. In Steeltoe.Configuration.Encryption 4.0.0 through 4.1.0, configuring `enc…

| Cryptography
Jun 17, 2026 Jun 17, 2026
Jun 17, 2026
Jun 17, 2026
4.7 MEDIUM
CVE-2026-50267 — Steeltoe: TLS private keys written to /tmp with default permissions, never deleted

Steeltoe is an open source project that provides a collection of libraries that helps users build cloud-native applications. In Steeltoe.Configuration.Abstractions 4.0.0 through 4.1.0, when MySQL or …

| Misconfiguration
Jun 17, 2026 Jun 17, 2026
Jun 17, 2026
Jun 17, 2026
Showing 20 of 7599 Results