Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
9.2 CRITICAL
CVE-2026-13014 — Remote Code Execution vulnerability in "Suspicious" application

A vulnerability in Thales CERT "Suspicious" application =< 1.3.4 allows a remote and unauthenticated attacker to execute arbitrary code and arbitrarily overwrite writable application files—including …

Remote | Path Traversal
Jul 13, 2026 Jul 13, 2026
Jul 13, 2026
Jul 13, 2026
4.5 MEDIUM
CVE-2026-14846 — Incorrect neutralisation in the PrestaShop firmware

In version 8.2.1 of PrestaShop, there is a vulnerability relating to the incorrect sanitisation of elements, caused by inadequate validation of the ‘Alias’ parameter in the ‘Update your address’ func…

Remote | Injection
Jul 13, 2026 Jul 13, 2026
Jul 13, 2026
Jul 13, 2026
0.0 NA
CVE-2026-15557 — waooAI waoowaoo Internal Task Header api-auth.ts requireProjectAuthLight improper authent…

A weakness has been identified in waooAI waoowaoo up to 0.4.1. Affected by this vulnerability is the function getInternalTaskSession/getAuthSession/requireUserAuth/requireProjectAuth/requireProjectAu…

| Authentication
Jul 13, 2026 Jul 13, 2026
Jul 13, 2026
Jul 13, 2026
4.9 MEDIUM
CVE-2026-9708 — Incoming webhook user attribution via unvalidated webhook owner

Mattermost versions 11.7.x <= 11.7.2, 11.6.x <= 11.6.4, 10.11.x <= 10.11.19 fail to validate that an assigned incoming webhook user has access to the target team or channel, which allows a requester …

Remote | Authorization
Jul 13, 2026 Jul 13, 2026
Jul 13, 2026
Jul 13, 2026
5.4 MEDIUM
CVE-2026-9597 — Deactivated guest accounts can authenticate via magic-link token in Mattermost REST API l…

Mattermost versions 11.7.x <= 11.7.2, 11.6.x <= 11.6.4 fail to verify whether a guest account is deactivated before creating a session in the magic-link token login path, which allows a deactivated g…

Remote | Authentication
Jul 13, 2026 Jul 13, 2026
Jul 13, 2026
Jul 13, 2026
5.9 MEDIUM
CVE-2026-9571 — Deactivated user accounts can continue to obtain valid OAuth access tokens via refresh to…

Mattermost versions 11.7.x <= 11.7.2, 11.6.x <= 11.6.4, 10.11.x <= 10.11.19 fail to invalidate OAuth refresh tokens upon user account deactivation, which allows a deactivated user or an attacker in p…

Remote | Authentication
Jul 13, 2026 Jul 13, 2026
Jul 13, 2026
Jul 13, 2026
6.5 MEDIUM
CVE-2026-6850 — Crafted message attachment causes client-side denial of service via markdown parser regex…

Mattermost versions 11.7.x <= 11.7.2, 11.6.x <= 11.6.4, 10.11.x <= 10.11.19 fail to validate the length and content of message attachment field values, which allows an authenticated attacker to cause…

Remote | Denial of Service
Jul 13, 2026 Jul 13, 2026
Jul 13, 2026
Jul 13, 2026
8.3 HIGH
CVE-2026-62143 — Server-Side Request Forgery protection bypass in misp-modules html_to_markdown via IPv4-m…

A Server-Side Request Forgery (SSRF) protection bypass existed in the html_to_markdown expansion module of misp-modules. The module attempts to prevent requests to loopback, private, link-local, and…

Remote | Server-Side Request Forgery
Jul 13, 2026 Jul 13, 2026
Jul 13, 2026
Jul 13, 2026
7.5 HIGH
CVE-2026-15574 — Vllm-orchestrator-gateway: vllm-orchestrator-gateway: authorization header and full chat …

A flaw was found in the vllm-orchestrator-gateway component. The system's production binary logs all incoming authorization headers and full chat payloads, which may contain personally identifiable i…

openshift_ai | Remote | Information Disclosure
Jul 13, 2026 Jul 13, 2026
Jul 13, 2026
Jul 13, 2026
6.5 MEDIUM
CVE-2026-15547 — Shibby Tomato CIFS Mount sub_2D048 os command injection

A weakness has been identified in Shibby Tomato up to 1.28.0000. This affects the function sub_2D048 of the component CIFS Mount Handler. Executing a manipulation of the argument cifs1/cifs2 can lead…

tomato | Remote | Injection
Jul 13, 2026 Jul 13, 2026
Jul 13, 2026
Jul 13, 2026
6.5 MEDIUM
CVE-2026-15546 — Shibby Tomato start_jffs2 sub_2D568 os command injection

A security flaw has been discovered in Shibby Tomato up to 1.28.0000. Affected by this issue is the function sub_2D568 of the component start_jffs2. Performing a manipulation of the argument jffs2_ex…

tomato | Remote | Injection
Jul 13, 2026 Jul 13, 2026
Jul 13, 2026
Jul 13, 2026
9.0 HIGH
CVE-2026-15545 — Shibby Tomato apcupsd tomatodata.cgi main out-of-bounds write

A vulnerability was identified in Shibby Tomato up to 1.28.0000. Affected by this vulnerability is the function main of the file www/apcupsd/tomatodata.cgi of the component apcupsd. Such manipulation…

tomato | Remote | Memory Corruption
Jul 13, 2026 Jul 13, 2026
Jul 13, 2026
Jul 13, 2026
9.6 CRITICAL
CVE-2026-14453 — A user with low privileges can inject SSTI templates that can lead to RCE in open-tickets

This vulnerability is a critical Server-Side Template Injection (SSTI) in Centreon's centreon-open-tickets module that leads to Remote Code Execution. The message_confirm field is stored without sani…

infra_monitoring | Remote | Injection
Jul 13, 2026 Jul 13, 2026
Jul 13, 2026
Jul 13, 2026
6.5 MEDIUM
CVE-2026-10106 — Unauthorized users can trigger interactive post actions in private channels via action co…

Mattermost versions 11.7.x <= 11.7.2, 11.6.x <= 11.6.4, 10.11.x <= 10.11.19 fail to verify that the channel referenced in an action cookie matches the channel of the target post, which allows an auth…

Remote | Authorization
Jul 13, 2026 Jul 13, 2026
Jul 13, 2026
Jul 13, 2026
4.3 MEDIUM
CVE-2026-10103 — Authenticated remote cluster can modify or delete posts it does not own in Mattermost Con…

Mattermost versions 11.7.x <= 11.7.2, 11.6.x <= 11.6.4, 10.11.x <= 10.11.19 fail to verify post ownership in the shared channel inbound sync handler, which allows an authenticated remote cluster to m…

Remote | Authentication
Jul 13, 2026 Jul 13, 2026
Jul 13, 2026
Jul 13, 2026
5.4 MEDIUM
CVE-2026-10085 — Ordinary group/direct message member can enable group_constrained and remove all channel …

Mattermost versions 11.7.x <= 11.7.2, 11.6.x <= 11.6.4, 10.11.x <= 10.11.19 fail to restrict the group_constrained channel flag to public and private channels that support group synchronization, whic…

Remote | Authorization
Jul 13, 2026 Jul 13, 2026
Jul 13, 2026
Jul 13, 2026
9.3 CRITICAL
CVE-2026-22103 — Command injection in NPC start web endpoint

The NPC start endpoint on the web server at port 8090 is vulnerable to command injection.

Remote | Injection
Jul 13, 2026 Jul 13, 2026
Jul 13, 2026
Jul 13, 2026
9.2 CRITICAL
CVE-2026-22098 — Sensitive information is written to logs

Various sensitive information such as passwords and charging card UIDs are written to log files.

Remote | Information Disclosure
Jul 13, 2026 Jul 13, 2026
Jul 13, 2026
Jul 13, 2026
9.3 CRITICAL
CVE-2026-22097 — Missing firmware validation allows remote code execution

The firmware update mechanism does not include cryptographic signature validation. This allows anyone with access to the firmware update capability to upload arbitrary files which can then lead to ar…

Remote | Cryptography
Jul 13, 2026 Jul 13, 2026
Jul 13, 2026
Jul 13, 2026
8.7 HIGH
CVE-2026-22099 — Missing authentication for Bluetooth communication

The charging station does not require authentication for Bluetooth commands to perform actions. The functionality exposed includes sensitive information leakage, triggering reboots, or pushing a firm…

| Authentication
Jul 13, 2026 Jul 13, 2026
Jul 13, 2026
Jul 13, 2026
Showing 20 of 7289 Results