Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
CVE Intelligence

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

All Critical Actively Exploited Remotely Exploitable
Last Updated Published CVSS Score
Score
Vulnerability
Published
0.0 NA
CVE-2026-53726 — Parse Server: Relation `$relatedTo` query bypasses `protectedFields` and owning-object ACL

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.80 and 9.9.1-alpha.6, a relation query using the $relatedTo operator coul…

| Authorization
Jun 12, 2026 Jun 12, 2026
Jun 12, 2026
Jun 12, 2026
8.8 HIGH
CVE-2026-12043 — Heap double-free in AWS Common Runtime aws-c-http

Improper handling of HPACK dynamic table size updates in the AWS Common Runtime aws-c-http library might allow a remote threat actor operating a server to cause memory corruption on a connecting clie…

Remote | Memory Corruption
Jun 12, 2026 Jun 12, 2026
Jun 12, 2026
Jun 12, 2026
0.0 NA
CVE-2026-53725 — Parse Server: Endpoints `/login` and `/verifyPassword` disclose MFA secrets and protected…

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. From version 9.8.0 to before version 9.9.1-alpha.5, apps that enable MFA and deny get on the _U…

| Authentication
Jun 12, 2026 Jun 12, 2026
Jun 12, 2026
Jun 12, 2026
0.0 NA
CVE-2026-53724 — Parse Server: Stored XSS via trailing-dot filename bypassing file upload extension blockl…

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.79 and 9.9.1-alpha.4, the default file upload extension blocklist can be …

| Cross-Site Scripting
Jun 12, 2026 Jun 12, 2026
Jun 12, 2026
Jun 12, 2026
5.1 MEDIUM
CVE-2026-50099 — Naxclow IoT Platform Insertion of sensitive information into Externally-Accessible file o…

During WiFi association, Naxclow device firmware prints the host network’s SSID, PSK, and negotiated WPA keys in cleartext to an exposed UART console on production hardware. The UART pads are labeled…

| Information Disclosure
Jun 12, 2026 Jun 12, 2026
Jun 12, 2026
Jun 12, 2026
0.0 NA
CVE-2026-50008 — Parse Server: Server option routeAllowList is bypassable through batch sub-requests

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. From version 9.8.0 to before version 9.9.1-alpha.3, the routeAllowList server option restricts …

| Authorization
Jun 12, 2026 Jun 12, 2026
Jun 12, 2026
Jun 12, 2026
5.1 MEDIUM
CVE-2026-10715 — Camaleon CMS 2.9.2 - Improper authorization in draft autosave endpoint

Camaleon CMS 2.9.2 contains an improper authorization vulnerability in the administrator draft autosave endpoint. A low-privileged authenticated user can send an arbitrary post_id to POST /admin/post…

Remote | Authorization
Jun 12, 2026 Jun 12, 2026
Jun 12, 2026
Jun 12, 2026
0.0 NA
CVE-2026-47138 — Parse Server: Pre-authentication denial of service via client version header regex backtr…

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.77 and 9.9.1-alpha.1, an unauthenticated attacker who knows a publicly-kn…

| Denial of Service
Jun 12, 2026 Jun 12, 2026
Jun 12, 2026
Jun 12, 2026
0.0 NA
CVE-2026-47248 — Parse Server: GraphQL "Did you mean" validation suggestions disclose schema to unauthenti…

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.78 and 9.9.1-alpha.2, Parse Server's GraphQL endpoint discloses schema me…

| Information Disclosure
Jun 12, 2026 Jun 12, 2026
Jun 12, 2026
Jun 12, 2026
6.9 MEDIUM
CVE-2026-50244 — Naxclow IoT Platform Missing Authorization

The Naxclow platform exposes a registration endpoint that accepts signed requests containing a batch prefix and an arbitrary caller-supplied account identifier, without validating any ownership relat…

Remote | Authorization
Jun 12, 2026 Jun 12, 2026
Jun 12, 2026
Jun 12, 2026
6.9 MEDIUM
CVE-2026-42932 — Naxclow IoT Platform Generation of Predictable Numbers or Identifiers

Naxclow device identifiers use fixed manufacturing prefixes combined with sequential counters, producing a fully predictable and enumerable identifier space. Because the platform also exposes an endp…

Remote | Information Disclosure
Jun 12, 2026 Jun 12, 2026
Jun 12, 2026
Jun 12, 2026
7.8 HIGH
CVE-2026-53406 — Zoom Contact Center for Windows Remote Control Authentication Bypass

Insufficient Verification of Data Authenticity in Remote Control for Zoom Contact Center for Windows before version 7.0.0 may allow an authenticated user to enable an escalation of privilege via loca…

| Authorization
Jun 12, 2026 Jun 12, 2026
Jun 12, 2026
Jun 12, 2026
10.0 CRITICAL
CVE-2026-48558 — SimpleHelp Authentication Bypass via Missing OIDC JWT Signature Verification

SimpleHelp versions 5.5.15 and prior and 6.0 pre-release versions contain an authentication bypass vulnerability in the OIDC authentication flow. When OIDC authentication is configured, identity toke…

Remote | Authentication
Jun 12, 2026 Jun 12, 2026
Jun 12, 2026
Jun 12, 2026
8.0 HIGH
CVE-2026-48165 — MariaDB: unsafe usage of `wsrep_sst_receive_address` values on the joiner side

MariaDB server is a community developed fork of MySQL server. From versions 10.6.1 to before 10.6.27, 10.11.1 to before 10.11.18, 11.4.1 to before 11.4.12, 11.8.1 to before 11.8.8, and 12.3.1, a high…

Remote | Injection
Jun 12, 2026 Jun 12, 2026
Jun 12, 2026
Jun 12, 2026
8.0 HIGH
CVE-2026-48163 — MariaDB: wsrep SST unsafe parameter handling on the donor side (rsync)

MariaDB server is a community developed fork of MySQL server. From versions 10.6.1 to before 10.6.27, 10.11.1 to before 10.11.18, 11.4.1 to before 11.4.12, 11.8.1 to before 11.8.8, and 12.3.1, during…

Remote | Injection
Jun 12, 2026 Jun 12, 2026
Jun 12, 2026
Jun 12, 2026
7.8 HIGH
CVE-2026-47965 — Acrobat Reader | Out-of-bounds Write (CWE-787)

Acrobat Reader versions 24.001.30365, 26.001.21651 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. E…

acrobat_reader | Memory Corruption
Jun 12, 2026 Jun 12, 2026
Jun 12, 2026
Jun 12, 2026
6.0 MEDIUM
CVE-2026-47225 — Improper Search Cache Isolation for Scoped Search API Keys in Typesense

Typesense is a fast, typo-tolerant search engine. Prior to versions 29.1 and 30.2, there is a cache isolation issue affecting search requests that use both server-side search result caching and Scope…

Remote | Authorization
Jun 12, 2026 Jun 12, 2026
Jun 12, 2026
Jun 12, 2026
5.4 MEDIUM
CVE-2026-47223 — NanaZip: Heap out-of-bounds read in NanaZip AVB hashtree descriptor parser via 32-bit uns…

NanaZip is the 7-Zip derivative intended for the modern Windows experience. From version 3.0.1000.0 to before version 6.0.1698.0, a heap out-of-bounds read exists in the Android Verified Boot (AVB) v…

nanazip | Remote | Memory Corruption
Jun 12, 2026 Jun 12, 2026
Jun 12, 2026
Jun 12, 2026
8.7 HIGH
CVE-2026-47216 — Typesense: Unauthenticated Denial of Service in the Typesense /multi_search Endpoint

Typesense is a fast, typo-tolerant search engine. Prior to versions 29.1 and 30.2, there is an unauthenticated denial-of-service vulnerability in the /multi_search endpoint. A specially crafted reque…

Remote | Denial of Service
Jun 12, 2026 Jun 12, 2026
Jun 12, 2026
Jun 12, 2026
5.0 MEDIUM
CVE-2026-44173 — MariaDB: FILE privilege was not checked for subqueries in the FROM clause

MariaDB server is a community developed fork of MySQL server. From versions 10.6.1 to before 10.6.26, 10.11.1 to before 10.11.17, 11.4.1 to before 11.4.11, 11.8.1 to before 11.8.7, and 12.3.1, MariaD…

Remote | Authorization
Jun 12, 2026 Jun 12, 2026
Jun 12, 2026
Jun 12, 2026
Showing 20 of 6982 Results