Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
8.8 HIGH
CVE-2026-23697 — Vtiger CRM < 8.4.0 Authenticated File Upload RCE via Documents Module

Vtiger CRM before 8.4.0 contains an authenticated file upload vulnerability that allows low-privileged users to achieve remote code execution by uploading a .phar file containing arbitrary PHP code t…

crm | Remote | Misconfiguration
Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
7.1 HIGH
CVE-2026-14904 — RES Auth.GetUserPrivateKey Arbitrary File Read

AWS Research and Engineering Studio (RES) is an open-source solution that enables researchers and engineers to create and manage secure virtual desktops and computing resources on AWS. Improper li…

Remote | Path Traversal
Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
8.1 HIGH
CVE-2026-13020 — Weak Password Recovery Mechanism in Portal for ArcGIS

A Weak Password Recovery Mechanism for Forgotten Password exists in Esri Portal for ArcGIS versions 12.1 and earlier on Windows, Linux and Kubernetes. A remote, unauthorized attacker may assume owner…

portal_for_arcgis | Remote | Authentication
Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
9.8 CRITICAL
CVE-2026-13019 — Missing Authentication

Esri Portal for ArcGIS versions 12.1 and earlier on Windows, Linux and Kubernetes have a missing authentication for critical function vulnerability allows a remote, unauthenticated attacker to access…

portal_for_arcgis | Remote | Authentication
Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
6.5 MEDIUM
CVE-2025-12799 — Jastow: jastow cross-site scripting attack due to unsanitized uri

A flaw was found in Jastow. Jastow is vulnerable to Cross-Site Scripting (XSS) attack. If using a set of combined configuration to allow unescaped characters in URL with embedded Undertow and Jastow,…

jboss_enterprise_application_platform single_sign-on | Remote | Cross-Site Scripting
Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
6.3 MEDIUM
CVE-2026-56812 — Phoenix JavaScript presence client crashes on presence keys colliding with Object.prototy…

Improper Check for Unusual or Exceptional Conditions vulnerability in phoenixframework phoenix (Presence JavaScript client) allows an attacker with ordinary channel access to cause a persistent clien…

phoenix | Remote | Denial of Service
Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
8.7 HIGH
CVE-2026-56811 — Phoenix transports do not limit channel joins per connection, enabling process-exhaustion…

Allocation of Resources Without Limits or Throttling vulnerability in phoenixframework phoenix (Phoenix.Socket module) allows an unauthenticated attacker to cause a denial of service against any endp…

phoenix | Remote | Denial of Service
Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
4.4 MEDIUM
CVE-2026-14969 — 389-ds-base: 389-ds-base: static initialization vector in aes-cbc/3des-cbc attribute encr…

A flaw was found in 389-ds-base where the LDBM backend attribute encryption uses a hardcoded static initialization vector for AES-CBC and 3DES-CBC operations, allowing an attacker with privileged fil…

Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
3.7 LOW
CVE-2026-14935 — Gstreamer: gstreamer: webrtcbin accepts remote sdp without a=fingerprint due to inverted …

A logic vulnerability was found in GStreamer's webrtcbin component. The _check_sdp_crypto() function contains an inverted boolean condition that causes it to accept remote SDP offers or answers that …

enterprise_linux enterprise_linux | Remote | Cryptography
Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
5.3 MEDIUM
CVE-2026-59709 — Ghostfolio - Unauthorized Portfolio Holding Tag Modification via Missing Permission Check

Ghostfolio's PUT /api/v1/portfolio/holding/:dataSource/:symbol/tags endpoint fails to verify Access.permissions field when processing the Impersonation-Id header, allowing read-only access grantees t…

Remote | Authorization
Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
6.1 MEDIUM
CVE-2026-53878 — Header injection possibility since DomainNameValidator accepted newlines in input

An issue was discovered in Django 6.0 before 6.0.7 and 5.2 before 5.2.16. `DomainNameValidator` does not prohibit newlines in domain names (unless used via a form field, since `CharField` strips newl…

django | Remote | Injection
Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
6.3 MEDIUM
CVE-2026-53877 — Heap buffer over-read in GDALRaster

An issue was discovered in Django 6.0 before 6.0.7 and 5.2 before 5.2.16. `django.contrib.gis.gdal.GDALRaster` over-reads its in-memory buffer when constructed from a bytes object, which can disclose…

django | Remote | Memory Corruption
Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
3.1 LOW
CVE-2026-48588 — Potential exposure of private data via cached Set-Cookie response

An issue was discovered in Django 6.0 before 6.0.7 and 5.2 before 5.2.16. `UpdateCacheMiddleware` and the `cache_page()` decorator cache responses that vary on cookies when the incoming request carri…

django | Remote | Information Disclosure
Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
5.3 MEDIUM
CVE-2026-14940 — 389-ds-base: 389-ds-base: heap-buffer-overflow in dn normalization via quoted multivalued…

A heap-buffer-overflow flaw was found in 389 Directory Server (389-ds-base). When normalizing a Distinguished Name (DN) that contains a legacy-quoted value encoding a multivalued nested Relative Dist…

Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
4.8 MEDIUM
CVE-2026-12948 — Stored Cross-Site Scripting (XSS)

A stored cross-site scripting (XSS) vulnerability in the web management interface of the Digi PortServer TS, Digi One SP, Digi One SP IA, and Digi One IA allows a remote, authenticated administrator …

Remote | Cross-Site Scripting
Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
5.9 MEDIUM
CVE-2026-12352 — Incorrect Authorization

This vulnerability allows an unauthenticated actor to bypass authentication and gain access to restricted resources on the device.

Remote | Authentication
Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
7.5 HIGH
CVE-2026-6101 — AMP for WP <= 1.1.12 - Authenticated (Author+) Arbitrary File Write via Role-Based Access…

The AMP for WP – Accelerated Mobile Pages plugin for WordPress is vulnerable to Arbitrary File Write in versions up to and including 1.1.12. This is due to unsafe ZIP file extraction in the ampforwp_…

Remote | Path Traversal
Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
7.2 HIGH
CVE-2026-53479 — Dell PowerProtect Data Domain OS Command Injection Vulnerability

Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.7, LTS2026 release version 8.6.1.0 through 8.6.1.10, LTS2025 release version 8.3.1.0 through 8.3.1.30, LTS2024 release versions 7.13.1.0 thro…

powerprotect_data_domain | Remote | Injection
Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
8.8 HIGH
CVE-2026-44938 — Fleet has PSS Bypass through addLabelsFromOptions in Fleet Agent

A vulnerability has been identified in Fleet's agent-side deployer, which did not filter security-sensitive keys from namespaceLabels in fleet.yaml (or BundleDeployment.spec.options.namespaceLabels) …

rancher | Remote | Misconfiguration
Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
9.8 CRITICAL
CVE-2026-53483 — Dell PowerProtect Data Domain Improper Authentication Vulnerability

Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.7, LTS2026 release version 8.6.1.0 through 8.6.1.10, LTS2025 release version 8.3.1.0 through 8.3.1.30, LTS2024 release versions 7.13.1.0 thro…

powerprotect_data_domain | Remote | Authentication
Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
Showing 20 of 7624 Results