Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
7.5 HIGH
CVE-2026-15752 — zhinianboke xianyu-auto-reply Backend User Endpoint users authorization

A vulnerability was found in zhinianboke xianyu-auto-reply up to dcb445ad97816ad65299a7580ee0c8c8f929da84. Affected is an unknown function of the file /api/v1/users/ of the component Backend User End…

Remote | Authorization
Jul 14, 2026 Jul 14, 2026
Jul 14, 2026
Jul 14, 2026
5.3 MEDIUM
CVE-2026-15751 — mastergo-design mastergo-magic-mcp mcp__getComponentGenerator component-workflow.md execu…

A security vulnerability has been detected in mastergo-design mastergo-magic-mcp up to 0.2.0. The affected element is the function execute of the file mastergo/component-workflow.md of the component …

| Path Traversal
Jul 14, 2026 Jul 14, 2026
Jul 14, 2026
Jul 14, 2026
0.0 NA
CVE-2025-56365 — Matter SDK Reachable Assertion Vulnerability

A reachable assertion vulnerability exists in the Matter SDK (connectedhomeip) before 1.4.0, in the interaction model command processing logic. When an InvokeCommandRequest is sent to a nonexistent e…

| Misconfiguration
Jul 14, 2026 Jul 14, 2026
Jul 14, 2026
Jul 14, 2026
0.0 NA
CVE-2025-56364 — Matter SDK Use of Uninitialized Value Vulnerability

A use of uninitialized value vulnerability exists in the Matter SDK (connectedhomeip) before 1.4.0, where the `GetDestinationGroupId().Value()` method is called without first checking whether a value…

| Memory Corruption
Jul 14, 2026 Jul 14, 2026
Jul 14, 2026
Jul 14, 2026
0.0 NA
CVE-2025-56363 — Matter SDK Null Pointer Dereference Denial of Service Vulnerability

A null pointer dereference vulnerability exists in the Matter SDK (connectedhomeip) before 1.4.0, affecting the ReadRevisionAttribute function used in multiple clusters (Channel, Account Login, Targe…

| Denial of Service
Jul 14, 2026 Jul 14, 2026
Jul 14, 2026
Jul 14, 2026
0.0 NA
CVE-2025-56362 — Matter SDK Level Control Cluster Reachable Assertion Denial of Service

A reachable assertion vulnerability exists in the Matter SDK (connectedhomeip) before 1.4.2, specifically within the Level Control cluster's periodic server tick logic. When a MoveToLevel command is …

| Denial of Service
Jul 14, 2026 Jul 14, 2026
Jul 14, 2026
Jul 14, 2026
8.8 HIGH
CVE-2026-59733 — rclone `serve restic --private-repos` authorization bypass: `..` in the URL path lets an …

Rclone is a command-line program to sync files and directories to and from different cloud storage providers. Prior to 1.74.4, rclone serve restic --private-repos enforces authorization using the rou…

Remote | Path Traversal
Jul 14, 2026 Jul 14, 2026
Jul 14, 2026
Jul 14, 2026
5.0 MEDIUM
CVE-2026-59732 — rclone archive extract allows S3 destination prefix escape via crafted archive paths

Rclone is a command-line program to sync files and directories to and from different cloud storage providers. Prior to 1.74.4, rclone archive extract can write extracted files outside the user-select…

| Path Traversal
Jul 14, 2026 Jul 14, 2026
Jul 14, 2026
Jul 14, 2026
7.0 HIGH
CVE-2026-54684 — jadx: XAPK archive entries with absolute paths can plant drop-in plugins and achieve code…

jadx is a Dex to Java decompiler. From 1.5.2 to 1.5.5, a malicious .xapk file can cause jadx to write attacker-controlled archive entry contents outside the intended XAPK plugin temporary unpack dire…

| Path Traversal
Jul 14, 2026 Jul 14, 2026
Jul 14, 2026
Jul 14, 2026
7.5 HIGH
CVE-2026-54572 — rclone: Unvalidated symlink target in local `--links` — arbitrary file write from an untr…

Rclone is a command-line program to sync files and directories to and from different cloud storage providers. Prior to 1.74.4, with -l/--links, rclone serializes symlinks as .rclonelink text objects …

Remote | Path Traversal
Jul 14, 2026 Jul 14, 2026
Jul 14, 2026
Jul 14, 2026
8.8 HIGH
CVE-2026-50130 — Pi-hole: Local privilege escalation from `pihole` user to root via `/etc/pihole/logrotate`

Pi-hole is a DNS sinkhole that protects devices from unwanted content without installing any client-side software. From 6.0 to 6.4.2, a user with code execution as the unprivileged pihole user can es…

| Authentication
Jul 14, 2026 Jul 14, 2026
Jul 14, 2026
Jul 14, 2026
6.0 MEDIUM
CVE-2026-49981 — Twig: Sandbox filter, tag and function allow-list bypass when sandbox state changes betwe…

Twig is a template language for PHP. Prior to 3.27.0, the per-template filter, tag, and function allow-list verdict is computed when a Template instance is constructed and can remain cached after san…

twig | Remote | Misconfiguration
Jul 14, 2026 Jul 14, 2026
Jul 14, 2026
Jul 14, 2026
6.0 MEDIUM
CVE-2026-48808 — Twig: Sandbox property allowlist bypass via the `column` filter under `SourcePolicyInterf…

Twig is a template language for PHP. Prior to 3.27.0, the column filter passes the active sandbox state as a boolean but does not forward the current Source to SandboxExtension::checkPropertyAllowed(…

twig | Remote | Misconfiguration
Jul 14, 2026 Jul 14, 2026
Jul 14, 2026
Jul 14, 2026
7.1 HIGH
CVE-2026-48807 — Twig: Sandbox `__toString()` policy bypass via `Traversable` in `join` and `replace` filt…

Twig is a template language for PHP. Prior to 3.27.0, the sandbox __toString() checks do not fully cover Traversable values passed to join and replace filters or operands evaluated by the in and not …

twig | Remote | Misconfiguration
Jul 14, 2026 Jul 14, 2026
Jul 14, 2026
Jul 14, 2026
7.1 HIGH
CVE-2026-48806 — Twig: Sandbox `__toString()` policy bypass via dynamic mapping keys

Twig is a template language for PHP. Prior to 3.27.0, ArrayExpression does not guard dynamic mapping keys that are coerced to strings, allowing PHP to invoke __toString() on a Stringable object used …

twig | Remote | Injection
Jul 14, 2026 Jul 14, 2026
Jul 14, 2026
Jul 14, 2026
5.3 MEDIUM
CVE-2026-48805 — Twig: Sandbox state regression in deprecated internal wrappers in `src/Resources/core.php`

Twig is a template language for PHP. Prior to 3.27.0, deprecated internal wrappers in src/Resources/core.php do not forward the current sandbox state to CoreExtension::checkArrow(), arraySome(), and …

twig | Remote | Misconfiguration
Jul 14, 2026 Jul 14, 2026
Jul 14, 2026
Jul 14, 2026
6.2 MEDIUM
CVE-2026-48357 — CAI Content Credentials | Uncontrolled Resource Consumption (CWE-400)

CAI Content Credentials is affected by an Uncontrolled Resource Consumption vulnerability that could lead to application denial-of-service. An attacker could exploit this vulnerability to exhaust sys…

| Denial of Service
Jul 14, 2026 Jul 15, 2026
Jul 14, 2026
Jul 15, 2026
6.2 MEDIUM
CVE-2026-48354 — CAI Content Credentials | Integer Overflow or Wraparound (CWE-190)

CAI Content Credentials is affected by an Integer Overflow or Wraparound vulnerability that could result in an application denial-of-service. An attacker could exploit this vulnerability to crash the…

| Denial of Service
Jul 14, 2026 Jul 15, 2026
Jul 14, 2026
Jul 15, 2026
5.5 MEDIUM
CVE-2026-48353 — CAI Content Credentials | Improper Input Validation (CWE-20)

CAI Content Credentials is affected by an Improper Input Validation vulnerability that could lead to arbitrary file system read. An attacker could exploit this vulnerability to access sensitive files…

| Path Traversal
Jul 14, 2026 Jul 15, 2026
Jul 14, 2026
Jul 15, 2026
7.5 HIGH
CVE-2026-48352 — CAI Content Credentials | Improper Input Validation (CWE-20)

CAI Content Credentials is affected by an Improper Input Validation vulnerability that could result in an application denial-of-service. An attacker could exploit this vulnerability to crash the appl…

Remote | Denial of Service
Jul 14, 2026 Jul 15, 2026
Jul 14, 2026
Jul 15, 2026
Showing 20 of 8372 Results