Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score | Vulnerability | Published
6.0 MEDIUM
CVE-2026-46685 — RustFS: Reflective CORS with credentials on S3 listener; unauthenticated license metadata…

RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta.2, when RUSTFS_CORS_ALLOWED_ORIGINS is unset, the RustFS S3 listener's ConditionalCorsLayer reflects any request Origi…

Remote | Misconfiguration
May 28, 2026
5.0 MEDIUM
CVE-2026-46526 — Local Deep Research: SSRF bypass in `safe_get`

Local Deep Research is an AI-powered research assistant for deep, iterative research. Prior to 1.6.10, the URL checking logic in local-deep-research has a logical flaw that could be bypassed by attac…

Remote | Server-Side Request Forgery
May 28, 2026
8.2 HIGH
CVE-2026-46509 — deepobj: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Po…

deepobj provides get, set, and delete operations for deep objects in JavaScript. Prior to 1.0.3, prototype pollution is possible when property paths contain __proto__/constructor/prototype. The property path must not b…

Remote | Misconfiguration
May 28, 2026
7.5 HIGH
CVE-2026-45332 — Automad Broken Access Control: unauthenticated exposure of administrator bcrypt password …

Automad is a flat-file content management system and template engine. From 2.0.0-alpha.1 to 2.0.0-beta.27, a Broken Access Control vulnerability allows an unauthenticated attacker to retrieve the bcr…

Remote | Authentication
May 28, 2026
8.8 HIGH
CVE-2026-45044 — RustFS: Authentication bypass in /profile/cpu and /profile/memory allows unauthenticated …

RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta.2, the admin router explicitly whitelists /profile/cpu and /profile/memory from the authentication layer, allowing any…

Remote | Denial of Service
May 28, 2026
7.1 HIGH
CVE-2026-45042 — RustFS: UploadPartCopy Does Not Enforce Destination Bucket Policy on Copy Source

RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta.2, improper authorization in the UploadPartCopy operation allows copying objects across buckets without enforcing dest…

Remote | Authorization
May 28, 2026
8.7 HIGH
CVE-2026-45041 — RustFS: Hard-coded RSA private key in license verifier permits arbitrary license forgery

RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta.2, crates/appauth/src/token.rs ships a 2048-bit RSA private key as a string constant named TEST_PRIVATE_KEY and uses i…

Remote | Cryptography
May 28, 2026
5.3 MEDIUM
CVE-2026-45040 — RustFS: Sensitive Information Leakage (SessionToken and SecretAccessKey) in RustFS Logs […

RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta.2, RustFS suffers from sensitive information leakage in log outputs. When the server is run with RUST_LOG=debug sensit…

Remote | Information Disclosure
May 28, 2026
9.8 CRITICAL
CVE-2026-45039 — RustFS: Internode RPC HMAC secret falls back to public default credential, enabling peer …

RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta.2, the internode RPC layer authenticates every request with an HMAC-SHA256 signature using a shared secret. The functi…

Remote | Authentication
May 28, 2026
6.0 MEDIUM
CVE-2026-44394 — OpenStack Keystone Infinite Token Lifetime Vulnerability

An issue was discovered in OpenStack Keystone before 29.0.2. The Keystone federated token rescoping mechanism does not propagate the original token's expiry to the newly issued token. When a federate…

Remote | Authentication
May 28, 2026
5.0 MEDIUM
CVE-2026-43979 — Local Deep Research: HTML Injection via Unescaped User Input in PDF Export (`pdf_service.…

Local Deep Research is an AI-powered research assistant for deep, iterative research. Prior to 1.6.0, PDFService._markdown_to_html() constructs an HTML document by interpolating user-controlled value…

Remote | Cross-Site Scripting
May 28, 2026
6.0 MEDIUM
CVE-2026-43000 — OpenStack Keystone Trust Delegation Privilege Escalation Vulnerability

An issue was discovered in OpenStack Keystone before 29.0.2. When combined with an application credential impersonation vulnerability, an attacker with the member role on a project can escalate to ad…

Remote | Authorization
May 28, 2026
6.0 MEDIUM
CVE-2026-42999 — OpenStack Keystone JSON Injection Vulnerability

An issue was discovered in OpenStack Keystone before 29.0.2. The Keystone RBAC policy enforcer in enforce_call unconditionally merges the raw JSON request body into the policy enforcement dictionary …

Remote | Authorization
May 28, 2026
6.0 MEDIUM
CVE-2026-42998 — OpenStack Keystone Credential Authentication Impersonation

An issue was discovered in OpenStack Keystone before 29.0.2. The Keystone application credential authentication plugin does not verify that the user supplied in the authentication request matches the…

Remote | Authentication
May 28, 2026
0.0 NA
CVE-2026-30761 — SourceBans Material Admin File Upload RCE

An arbitrary file upload vulnerability in the pages/admin.uploadmapimg.php component of SourceBans Material Admin v1.1.6 allows attackers to execute arbitrary code via uploading a crafted image file.

| Misconfiguration
May 28, 2026
0.0 NA
CVE-2026-30760 — SourceBans Material Admin Unauthenticated Arbitrary Data Manipulation Vulnerability

An issue in SourceBans Material Admin before v.1.1.6 (3ecd95e) allows attackers to manipulate arbitrary user data in the web app via a crafted XAJAX call.

| Injection
May 28, 2026
6.9 MEDIUM
CVE-2026-49130 — Music Player Daemon < 0.24.11 CRLF Injection via XspfPlaylistPlugin.cxx

Music Player Daemon (MPD) before version 0.24.11 contains a CRLF injection vulnerability in the xspf_char_data function within the XSPF playlist plugin that allows attackers to embed literal CR/LF by…

Remote | Injection
May 28, 2026
6.9 MEDIUM
CVE-2026-49129 — Music Player Daemon < 0.24.11 SSRF via CurlInputPlugin

Music Player Daemon (MPD) before version 0.24.11 contains a server-side request forgery vulnerability in CurlInputPlugin where CURLOPT_FOLLOWLOCATION is set without CURLOPT_REDIR_PROTOCOLS_STR, allow…

Remote | Server-Side Request Forgery
May 28, 2026
8.6 HIGH
CVE-2026-9039 — Initialization of a resource with an insecure default in XCharge C6

A configuration weakness in the device’s remote management service allows an authenticated session to be established over a communication channel intended solely for vehicle-charger signaling. The se…

| Misconfiguration
May 28, 2026
8.6 HIGH
CVE-2026-9038 — Stack-based buffer overflow in XCharge C6

A stack-based buffer overflow vulnerability in the charging controller’s signal-processing logic allows an attacker with physical access to the charging interface to supply message fields that exceed…

| Memory Corruption
May 28, 2026
Showing 20 of 6728 Results