Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
7.7 HIGH
CVE-2026-58207 — NATS Server: Remote crash via integer overflow in Connz pagination

NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. Prior to 2.14.3 and 2.12.12, a client able to send account-scoped connection monitoring requests coul…

Remote | Denial of Service
Jul 08, 2026 Jul 08, 2026
Jul 08, 2026
Jul 08, 2026
8.6 HIGH
CVE-2026-58192 — Appium: Unauthenticated arbitrary file/directory deletion in @appium/storage-plugin

Appium is a cross-platform automation framework for all kinds of apps, built on top of the W3C WebDriver protocol. Prior to 1.1.6, the Appium storage plugin exposes POST /storage/delete, whose handle…

Remote | Path Traversal
Jul 08, 2026 Jul 08, 2026
Jul 08, 2026
Jul 08, 2026
6.5 MEDIUM
CVE-2026-58191 — Appium: Reflected XSS / arbitrary JS in @appium/base-driver /test/guinea-pig* routes

Appium is a cross-platform automation framework for all kinds of apps, built on top of the W3C WebDriver protocol. Prior to 10.7.0, Appium's base-driver unconditionally mounts the /test/guinea-pig, /…

Remote | Cross-Site Scripting
Jul 08, 2026 Jul 08, 2026
Jul 08, 2026
Jul 08, 2026
2.3 LOW
CVE-2026-57481 — Parse Server: LiveQuery discloses object data to a subscriber across an ACL read-access c…

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.9.1-alpha.13 and 8.6.83, a LiveQuery subscriber could receive object field values th…

Remote | Authorization
Jul 08, 2026 Jul 08, 2026
Jul 08, 2026
Jul 08, 2026
8.7 HIGH
CVE-2026-57480 — Parse Server: Denial of service via exponential-time processing of deeply nested query op…

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.9.1-alpha.12 and 8.6.82, deeply nested $or, $and, and $nor query condition operators…

Remote | Denial of Service
Jul 08, 2026 Jul 08, 2026
Jul 08, 2026
Jul 08, 2026
7.5 HIGH
CVE-2026-56669 — Elysia: Inefficient Algorithmic Complexity and Interpretation Conflict

Elysia is a Typescript framework for request validation, type inference, OpenAPI documentation, and client-server communication. Prior to 1.4.29, Elysia uses getAll in form data normalization for mul…

elysia | Remote | Denial of Service
Jul 08, 2026 Jul 08, 2026
Jul 08, 2026
Jul 08, 2026
2.1 LOW
CVE-2026-55778 — Parse Server: Stored XSS via non-standard file extension bypassing file upload extension …

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.9.1-alpha.11 and 8.6.81, the default fileUpload.fileExtensions blocklist could be by…

Remote | Cross-Site Scripting
Jul 08, 2026 Jul 08, 2026
Jul 08, 2026
Jul 08, 2026
8.7 HIGH
CVE-2026-55596 — Plate: Media embed provider metadata can bypass URL sanitization and execute iframe JavaS…

Plate is a rich-text editor with AI and shadcn/ui. From 53.0.0 until 53.1.4, the media embed renderer trusts serialized provider or sourceUrl metadata in useMediaState and skips parseMediaUrl protoco…

plate | Remote | Cross-Site Scripting
Jul 08, 2026 Jul 08, 2026
Jul 08, 2026
Jul 08, 2026
1.3 LOW
CVE-2026-55542 — Snipe-IT's S3 signature image retrieval lacks authorization before temporary URL

Snipe-IT is an IT asset/license management system. Prior to version 8.6.1, Snipe-IT S3 signature image retrieval lacks authorization before temporary URL. On S3-backed deployments, authenticated user…

Remote | Authorization
Jul 08, 2026 Jul 08, 2026
Jul 08, 2026
Jul 08, 2026
8.7 HIGH
CVE-2026-55206 — py7zr: O(n^2) algorithmic complexity DoS in PackInfo._read()

py7zr is a Python-based library and utility to support 7zip archive compression, decompression, encryption and decryption. Prior to 1.1.3, PackInfo._read() in archiveinfo.py used an O(n^2) cumulative…

Remote | Denial of Service
Jul 08, 2026 Jul 08, 2026
Jul 08, 2026
Jul 08, 2026
8.7 HIGH
CVE-2026-55195 — py7zr: Decompression bomb (zip bomb) denial of service via unchecked extraction size

py7zr is a Python-based library and utility to support 7zip archive compression, decompression, encryption and decryption. Prior to 1.1.3, py7zr's Worker.decompress() extracted archive entries withou…

Remote | Denial of Service
Jul 08, 2026 Jul 08, 2026
Jul 08, 2026
Jul 08, 2026
8.1 HIGH
CVE-2026-54591 — AsyncSSH: SCP Path Traversal to Arbitrary File Write

AsyncSSH is a Python package which provides an asynchronous client and server implementation of the SSHv2 protocol on top of the Python asyncio framework. Prior to 2.23.1, a malicious SSH server can …

Remote | Path Traversal
Jul 08, 2026 Jul 08, 2026
Jul 08, 2026
Jul 08, 2026
5.9 MEDIUM
CVE-2026-54590 — AsyncSSH AuthorizedKeysFile username substitution bypass through ~ and environment expans…

AsyncSSH is a Python package which provides an asynchronous client and server implementation of the SSHv2 protocol on top of the Python asyncio framework. Version 2.23.0 contains an incomplete fix fo…

Remote | Path Traversal
Jul 08, 2026 Jul 08, 2026
Jul 08, 2026
Jul 08, 2026
7.1 HIGH
CVE-2026-54528 — jupyterlab-git excluded_paths Case-Sensitivity Bypass Allows Reading Excluded Directories

JupyterLab Git is a Git extension for JupyterLab. Prior to 0.54.0, jupyterlab-git uses fnmatch.fnmatchcase() in GitHandler.prepare() in jupyterlab_git/handlers.py to enforce excluded_paths, allowing …

Remote | Path Traversal
Jul 08, 2026 Jul 08, 2026
Jul 08, 2026
Jul 08, 2026
9.3 CRITICAL
CVE-2026-54527 — JupyterLab Git: Stored XSS leading to RCE

JupyterLab Git is a Git extension for JupyterLab. From 0.30.0b3 before 0.54.0, the PlainTextDiff.ts createHeader() method passes Git filenames directly to innerHTML when rendering renamed files in co…

Remote | Cross-Site Scripting
Jul 08, 2026 Jul 08, 2026
Jul 08, 2026
Jul 08, 2026
7.5 HIGH
CVE-2026-49866 — libp2p: CPU DoS via oversized IHAVE and IWANT control message arrays

libp2p is a JavaScript Implementation of libp2p networking stack. Prior to 16.0.0, @libp2p/gossipsub defaultDecodeRpcLimits set maxIhaveMessageIDs and maxIwantMessageIDs to Infinity, allowing oversiz…

Remote | Denial of Service
Jul 08, 2026 Jul 08, 2026
Jul 08, 2026
Jul 08, 2026
6.5 MEDIUM
CVE-2026-35211 — OpenCTI: Elasticsearch Painless Script Injection via GraphQL `script` filter operator all…

OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Prior to 7.260401.0, the OpenCTI GraphQL API exposes a script filter operator in its FilterOperato…

Remote | Injection
Jul 08, 2026 Jul 08, 2026
Jul 08, 2026
Jul 08, 2026
7.1 HIGH
CVE-2026-35210 — OpenCTI: Authorization Bypass via `synchronized-upsert` HTTP Header Injection

OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Prior to 7.260326.0, an authorization bypass vulnerability in OpenCTI allows any authenticated use…

Remote | Authorization
Jul 08, 2026 Jul 08, 2026
Jul 08, 2026
Jul 08, 2026
5.5 MEDIUM
CVE-2026-15174 — Heap-based Buffer Overflow in Wireshark

Catapult DCT2000 protocol dissector crash in Wireshark 4.6.0 to 4.6.6 and 4.4.0 to 4.4.16 allows denial of service

| Denial of Service
Jul 08, 2026 Jul 08, 2026
Jul 08, 2026
Jul 08, 2026
4.7 MEDIUM
CVE-2026-15173 — Heap-based Buffer Overflow in Wireshark

pcapng file parser crash in Wireshark 4.6.0 to 4.6.6 allows denial of service

| Denial of Service
Jul 08, 2026 Jul 08, 2026
Jul 08, 2026
Jul 08, 2026
Showing 20 of 7778 Results