Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
1.8 LOW
CVE-2026-10717 — Open-Seachest/Seachest show SCSI Defect List Vulnerability

Out of bounds write and reads in openSeaChest’s --showSCSIDefects in Seagate’s openSeaChest v25.05.3 on all supported platforms allows for writing defect information out of bounds for very large defe…

| Memory Corruption
Jun 02, 2026 Jun 02, 2026
Jun 02, 2026
Jun 02, 2026
0.0 NA
CVE-2026-42507 — Arbitrary inputs are included in errors without any escaping in net/textproto

When returning errors, functions in the net/textproto package would include its input as part of the error. This might allow an attacker to inject misleading content to errors that are printed or log…

| Information Disclosure
Jun 02, 2026 Jun 02, 2026
Jun 02, 2026
Jun 02, 2026
0.0 NA
CVE-2026-42504 — Quadratic complexity in WordDecoder.DecodeHeader in mime

Decoding a maliciously-crafted MIME header containing many invalid encoded-words can consume excessive CPU.

| Denial of Service
Jun 02, 2026 Jun 02, 2026
Jun 02, 2026
Jun 02, 2026
0.0 NA
CVE-2026-27145 — Inefficient candidate hostname parsing in crypto/x509

(*x509.Certificate).VerifyHostname previously called matchHostnames in a loop over all DNS Subject Alternative Name (SAN) entries. This caused strings.Split(host, ".") to execute repeatedly on the sa…

| Misconfiguration
Jun 02, 2026 Jun 02, 2026
Jun 02, 2026
Jun 02, 2026
0.0 NA
CVE-2026-10662 — ahujasid blender-mcp ZIP File server.py requests.get server-side request forgery

A vulnerability was found in ahujasid blender-mcp up to 7636d13bded82eca58eb93c3f4cd8708dfdfbe8b. The affected element is the function requests.get of the file src/blender_mcp/server.py of the compon…

| Server-Side Request Forgery
Jun 02, 2026 Jun 02, 2026
Jun 02, 2026
Jun 02, 2026
9.8 CRITICAL
CVE-2026-49448 — authentik: SourceStage bypass via empty POST

authentik is an open-source identity provider. Prior to versions 2025.12.6, 2026.2.4, and 2026.5.1, the Source stage can be bypassed by sending an empty POST. This issue has been patched in versions …

authentik | Remote | Authentication
Jun 02, 2026 Jun 02, 2026
Jun 02, 2026
Jun 02, 2026
8.8 HIGH
CVE-2026-49443 — authentik: `UserSourceConnection.user` and `GroupSourceConnection.group` are changeable t…

authentik is an open-source identity provider. Prior to versions 2025.12.6, 2026.2.4, and 2026.5.1, an attacker with the ability to change a source connection, and an account in one of the configured…

authentik | Remote | Authentication
Jun 02, 2026 Jun 02, 2026
Jun 02, 2026
Jun 02, 2026
7.1 HIGH
CVE-2026-49144 — BrowserStack Runner 0.9.5 Path Traversal via _default HTTP Handler

BrowserStack Runner through 0.9.5 contains a path traversal vulnerability in the _default HTTP handler in lib/server.js that allows unauthenticated network-adjacent attackers to read arbitrary files.…

| Path Traversal
Jun 02, 2026 Jun 02, 2026
Jun 02, 2026
Jun 02, 2026
8.8 HIGH
CVE-2026-49143 — BrowserStack Runner 0.9.5 Unauthenticated RCE via /_log HTTP Handler

BrowserStack Runner through 0.9.5 contains a remote code execution vulnerability in the /_log HTTP handler that allows unauthenticated network-adjacent attackers to execute arbitrary code by submitti…

| Injection
Jun 02, 2026 Jun 02, 2026
Jun 02, 2026
Jun 02, 2026
8.5 HIGH
CVE-2026-47201 — authentik: XML Signature Wrapping in SAML Source ACS allows authentication as arbitrary f…

authentik is an open-source identity provider. Prior to versions 2025.12.5, 2026.2.3, and 2026.5.1, authentik's SAML Source ACS endpoint is vulnerable to XML Signature Wrapping when validating upstre…

authentik | Remote | Authentication
Jun 02, 2026 Jun 02, 2026
Jun 02, 2026
Jun 02, 2026
5.3 MEDIUM
CVE-2026-45289 — CloudburstMC Protocol: Partially missing validation for FULL type authentication tokens

CloudburstMC Protocol is a protocol library for Minecraft Bedrock Edition. Prior to version 3.0.0.Beta12-20260420.182526-15, CloudburstMC Protocol is partially missing validation for FULL type authen…

Remote | Authentication
Jun 02, 2026 Jun 02, 2026
Jun 02, 2026
Jun 02, 2026
9.3 CRITICAL
CVE-2026-42849 — authentik: Reflected XSS in SFE AutosubmitStage allows IDP account takeover

authentik is an open-source identity provider. Prior to versions 2025.12.5 and 2026.2.3, due to the implementation of stages in the SFE (Simple Flow Executor) in order to make the interface more comp…

authentik | Remote | Cross-Site Scripting
Jun 02, 2026 Jun 02, 2026
Jun 02, 2026
Jun 02, 2026
6.9 MEDIUM
CVE-2026-41569 — authentik: WS-Federation wreply origin bypass can exfiltrate signed login responses to at…

authentik is an open-source identity provider. Prior to version 2026.2.3, the WS-Federation provider validates the user-supplied wreply parameter using a raw string prefix check rather than proper UR…

authentik | Remote | Authentication
Jun 02, 2026 Jun 02, 2026
Jun 02, 2026
Jun 02, 2026
4.3 MEDIUM
CVE-2026-10624 — SourceCodester Human Resource Management Employee View detailview.php resource injection

A vulnerability has been found in SourceCodester Human Resource Management 1.0. Affected by this vulnerability is an unknown functionality of the file /detailview.php of the component Employee View P…

Remote | Path Traversal
Jun 02, 2026 Jun 02, 2026
Jun 02, 2026
Jun 02, 2026
7.5 HIGH
CVE-2026-10620 — code-projects Student Admission System index.php sql injection

A flaw has been found in code-projects Student Admission System 1.0. Affected is an unknown function of the file /index.php. This manipulation of the argument eid/did causes sql injection. The attack…

Remote | Injection
Jun 02, 2026 Jun 02, 2026
Jun 02, 2026
Jun 02, 2026
7.5 HIGH
CVE-2026-10619 — sayan365 student-management-system improper authentication

A vulnerability was detected in sayan365 student-management-system up to 7f3c9ce7d410332335c2affac93a385485051800. This impacts an unknown function. The manipulation results in improper authenticatio…

Remote | Authentication
Jun 02, 2026 Jun 02, 2026
Jun 02, 2026
Jun 02, 2026
8.4 HIGH
CVE-2026-8036 — Local privilege escalation in NI-PAL

Improper input validation in NI-PAL may allow a local authenticated user to access arbitrary system memory, potentially leading to privilege escalation. This vulnerability affects NI-PAL 26.3.0 and p…

ni-pal | Memory Corruption
Jun 02, 2026 Jun 02, 2026
Jun 02, 2026
Jun 02, 2026
7.1 HIGH
CVE-2026-8035 — NULL pointer dereference in NI-PAL

Improper input validation in the NI-PAL kernel driver may allow a local authenticated user to cause a denial of service by triggering a crash due to a NULL pointer dereference. This vulnerability aff…

ni-pal | Denial of Service
Jun 02, 2026 Jun 02, 2026
Jun 02, 2026
Jun 02, 2026
8.4 HIGH
CVE-2026-5385 — GLPI 11.0.0 - Stored XSS in knowledge base

An unauthenticated user with write access to the knowledge base can store an XSS payload in a knowledge base item. This issue affects glpi: before 11.0.7.

glpi | Remote | Cross-Site Scripting
Jun 02, 2026 Jun 02, 2026
Jun 02, 2026
Jun 02, 2026
9.8 CRITICAL
CVE-2026-5076 — ARMember Premium <= 7.3.1 - Insecure Password Reset Mechanism to Unauthenticated Privileg…

The ARMember Premium plugin for WordPress is vulnerable to an insecure password reset mechanism in all versions up to, and including, 7.3.1. The plugin stores a plaintext copy of the password reset k…

Remote | Authentication
Jun 02, 2026 Jun 02, 2026
Jun 02, 2026
Jun 02, 2026
Showing 20 of 7173 Results