Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
0.0 NA
CVE-2026-59929 — Mistune renderers/html.safe_url: HARMFUL_PROTOCOLS list misses legacy and chained schemes…

Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, the safe_url filter in src/mistune/renderers/html.py blocks only javascript:, vbscript:, file:, and data: schemes, allo…

| Cross-Site Scripting
Jul 08, 2026 Jul 08, 2026
Jul 08, 2026
Jul 08, 2026
6.9 MEDIUM
CVE-2025-3110 — OpenVPN Access Server HTTP Request Smuggling Vulnerability

OpenVPN Access Server 2.7.2 through 3.1.0 accepts bare line-feed sequences inside HTTP header values, allowing remote attackers to perform HTTP request smuggling when deployed behind a reverse proxy

access_server | Remote | Misconfiguration
Jul 08, 2026 Jul 08, 2026
Jul 08, 2026
Jul 08, 2026
0.0 NA
CVE-2026-59925 — inline_parser: quadratic-time parsing on long runs of `**x**` and `***x***` emphasis pairs

Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, long sequences of well-formed double-asterisk or triple-asterisk emphasis pairs around a character cause quadratic work…

| Denial of Service
Jul 08, 2026 Jul 08, 2026
Jul 08, 2026
Jul 08, 2026
9.1 CRITICAL
CVE-2026-9074 — IBM API Connect SQL Injection

IBM API Connect 10.0.8.0 through 10.0.8.9 and 12.1.0.0 through 12.1.0.3 contains an unauthenticated SQL injection vulnerability in the password reset functionality.

api_connect | Remote | Injection
Jul 08, 2026 Jul 08, 2026
Jul 08, 2026
Jul 08, 2026
8.7 HIGH
CVE-2026-59880 — Immutable.js: Hash-collision algorithmic complexity denial of service in Immutable.Map/Set

Immutable.js provides many Persistent Immutable data structures. Prior to 4.3.9 and 5.1.8, Immutable.Map and Immutable.Set keep keys that share the same 32-bit hash in a HashCollisionNode collision b…

Remote | Misconfiguration
Jul 08, 2026 Jul 08, 2026
Jul 08, 2026
Jul 08, 2026
5.3 MEDIUM
CVE-2026-59877 — protobufjs: Denial of Service via infinite loop in .proto option parsing

protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.6.5 and 8.6.6, protobufjs parsed option names by advancing through schema tokens until reaching an = token without …

Remote | Denial of Service
Jul 08, 2026 Jul 08, 2026
Jul 08, 2026
Jul 08, 2026
4.8 MEDIUM
CVE-2026-59876 — protobufjs: Text Format string map parsing can mutate returned map object prototype

protobufjs compiles protobuf definitions into JavaScript (JS) functions. From 8.2.0 until 8.6.5, the protobufjs Text Format extension parsed string-keyed map entries using ordinary property assignmen…

Remote | Misconfiguration
Jul 08, 2026 Jul 08, 2026
Jul 08, 2026
Jul 08, 2026
5.3 MEDIUM
CVE-2026-59875 — node-tar: Uncaught Exception DoS via NUL byte in PAX path/linkpath records

node-tar is a tar archive manipulation library for Node.js. Prior to 7.5.17, node-tar does not strip NUL bytes from PAX path and linkpath records in src/pax.ts, allowing a crafted archive with values…

Remote | Denial of Service
Jul 08, 2026 Jul 08, 2026
Jul 08, 2026
Jul 08, 2026
8.7 HIGH
CVE-2026-59874 — node-tar: Negative tar entry size causes infinite loop in archive replace

node-tar is a tar archive manipulation library for Node.js. Prior to 7.5.18, tar.replace accepts a checksum-valid tar header with a negative base-256 encoded entry size, causing the archive scanner t…

Remote | Denial of Service
Jul 08, 2026 Jul 08, 2026
Jul 08, 2026
Jul 08, 2026
9.2 CRITICAL
CVE-2026-59873 — node-tar: Decompression/parse DoS via unlimited input

node-tar is a tar archive manipulation library for Node.js. Prior to 7.5.19, node-tar does not enforce hard upper bounds on total decompressed data, entry counts, or decompression ratio in extraction…

Remote | Denial of Service
Jul 08, 2026 Jul 08, 2026
Jul 08, 2026
Jul 08, 2026
5.3 MEDIUM
CVE-2026-59871 — node-tar: Process crash via PAX numeric path type confusion

node-tar is a tar archive manipulation library for Node.js. Prior to 7.5.18, node-tar coerces all-digit PAX path and linkpath values in src/pax.ts to JavaScript numbers, causing downstream path handl…

Remote | Memory Corruption
Jul 08, 2026 Jul 08, 2026
Jul 08, 2026
Jul 08, 2026
5.3 MEDIUM
CVE-2026-59870 — js-yaml quadratic-complexity denial of service via YAML11_SCHEMA !!omap parsing

js-yaml is a JavaScript YAML parser and dumper. From 5.0.0 before 5.2.1, YAML11_SCHEMA support for the !!omap tag in src/tag/sequence/omap.ts uses omapTag.addItem() to perform a linear duplicate-key …

js-yaml | Remote | Denial of Service
Jul 08, 2026 Jul 08, 2026
Jul 08, 2026
Jul 08, 2026
7.5 HIGH
CVE-2026-59869 — js-yaml: YAML merge-key chains can force quadratic CPU consumption

js-yaml is a JavaScript YAML parser and dumper. From 3.0.0 before 3.15.0 and from 4.0.0 before 4.3.0, js-yaml can spend quadratic CPU time parsing a document whose size grows only linearly when a cha…

js-yaml | Remote | Denial of Service
Jul 08, 2026 Jul 08, 2026
Jul 08, 2026
Jul 08, 2026
5.3 MEDIUM
CVE-2026-59868 — js-yaml: YAML merge-key chains can force quadratic CPU consumption

js-yaml is a JavaScript YAML parser and dumper. From 5.0.0 before 5.2.0, when merge keys are enabled, js-yaml can spend quadratic CPU time parsing a document whose size grows only linearly when a cha…

js-yaml | Remote | Denial of Service
Jul 08, 2026 Jul 08, 2026
Jul 08, 2026
Jul 08, 2026
7.5 HIGH
CVE-2026-59725 — Socket.IO: Engine.IO Polling Transport Connection Exhaustion

Socket.IO enables bidirectional and low-latency communication for every platform. From 4.1.0 before 6.6.7, Engine.IO protocol v4 polling transport does not properly close the HTTP response for invali…

Remote | Denial of Service
Jul 08, 2026 Jul 08, 2026
Jul 08, 2026
Jul 08, 2026
7.5 HIGH
CVE-2026-59724 — Socket.IO: Engine.IO WebTransport SID DoS

Socket.IO enables bidirectional and low-latency communication for every platform. From 6.5.0 before 6.6.7, Engine.IO servers with WebTransport enabled can resolve a crafted session ID such as __proto…

Remote | Denial of Service
Jul 08, 2026 Jul 08, 2026
Jul 08, 2026
Jul 08, 2026
9.3 CRITICAL
CVE-2026-59702 — repomix - Server-Side Request Forgery via Unvalidated Repository URLs in POST /api/pack

repomix contains a server-side request forgery vulnerability in the POST /api/pack endpoint that allows unauthenticated attackers to make arbitrary outbound requests. The endpoint fails to properly v…

Remote | Server-Side Request Forgery
Jul 08, 2026 Jul 08, 2026
Jul 08, 2026
Jul 08, 2026
7.1 HIGH
CVE-2026-59262 — AFFiNE - Unauthorized Document Edit History Access via GraphQL histories Field

AFFiNE's histories GraphQL field fails to validate Doc.Read permission before exposing document edit history, allowing authenticated workspace members to retrieve restricted content timelines. Attack…

Remote | Authorization
Jul 08, 2026 Jul 08, 2026
Jul 08, 2026
Jul 08, 2026
5.0 MEDIUM
CVE-2026-57439 — CyberChef: Prototype pollution in Series Chart operation

CyberChef is a web app for encryption, encoding, compression, and data analysis. Prior to 11.2.0, the Series Chart operation accepts __proto__ as a key while parsing user-supplied CSV, allowing proto…

cyberchef | Injection
Jul 08, 2026 Jul 08, 2026
Jul 08, 2026
Jul 08, 2026
7.1 HIGH
CVE-2026-55761 — Portainer: Unauthenticated Restore Endpoint Allows Admin Takeover on Uninitialised Portai…

Portainer Community Edition is a lightweight service delivery platform for containerized applications that can be used to manage Docker, Swarm, Kubernetes and ACI environments. In versions 2.39.0 thr…

Remote | Authentication
Jul 08, 2026 Jul 08, 2026
Jul 08, 2026
Jul 08, 2026
Showing 20 of 7748 Results