Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
6.1 MEDIUM
CVE-2026-58643 — Windows Admin Center Spoofing Vulnerability

Improper neutralization of input during web page generation ('cross-site scripting') in Windows Admin Center allows an unauthorized attacker to perform spoofing over a network.

Jul 16, 2026 Jul 16, 2026
Jul 16, 2026
Jul 16, 2026
7.0 HIGH
CVE-2026-58598 — Windows Backup Service Elevation of Privilege Vulnerability

Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Backup Engine allows an authorized attacker to elevate privileges locally.

Jul 16, 2026 Jul 16, 2026
Jul 16, 2026
Jul 16, 2026
0.0 NA
CVE-2026-57077 — YAML::Syck versions before 1.47 for Perl allow an out-of-bounds read via an unbounded new…

YAML::Syck versions before 1.47 for Perl allow an out-of-bounds read via an unbounded newline scan in newline_len. In the bundled libsyck newline_len and is_newline dereference the scan pointer, and…

| Memory Corruption
Jul 16, 2026 Jul 16, 2026
Jul 16, 2026
Jul 16, 2026
0.0 NA
CVE-2026-57076 — YAML::Syck versions before 1.47 for Perl allow a heap use-after-free via an anchor name r…

YAML::Syck versions before 1.47 for Perl allow a heap use-after-free via an anchor name reused as an anchors-table key in syck_hdlr_add_anchor. In the bundled libsyck an anchor name allocated by syc…

| Memory Corruption
Jul 16, 2026 Jul 16, 2026
Jul 16, 2026
Jul 16, 2026
0.0 NA
CVE-2026-57075 — YAML::Syck versions before 1.47 for Perl allow an out-of-bounds read via a signed-char lo…

YAML::Syck versions before 1.47 for Perl allow an out-of-bounds read via a signed-char lookup-table index in syck_base64dec. The base64 decoder in the bundled libsyck indexes the 256-entry static ta…

| Memory Corruption
Jul 16, 2026 Jul 16, 2026
Jul 16, 2026
Jul 16, 2026
9.8 CRITICAL
CVE-2026-53412 — Zoom Workplace VDI Plugin for Windows - Improper Input Validation

Improper Input Validation in Zoom Desktop Client for Windows, Zoom VDI Client for Windows, and Zoom Meeting SDK for Windows may allow an unauthenticated user to conduct an account takeover via networ…

Remote | Authentication
Jul 16, 2026 Jul 16, 2026
Jul 16, 2026
Jul 16, 2026
7.8 HIGH
CVE-2026-53411 — Zoom Workplace VDI Plugin for Windows - Improper Input Validation

A time-of-check to time-of-use (TOCTOU) race condition in the installation and uninstallation process of certain Zoom Clients for Windows could allow an authenticated local user to escalate privilege…

| Race Condition
Jul 16, 2026 Jul 16, 2026
Jul 16, 2026
Jul 16, 2026
8.4 HIGH
CVE-2026-45368 — Kirby: Cross-site scripting (XSS) from links in KirbyTags and image blocks in the site fr…

Kirby is an open-source content management system. In versions prior to 4.9.1 and 5.4.1, the underlying URL methods for the KirbyTags and image blocks components did not filter out malicious URL valu…

kirby | Remote | Cross-Site Scripting
Jul 16, 2026 Jul 16, 2026
Jul 16, 2026
Jul 16, 2026
5.3 MEDIUM
CVE-2026-45334 — Kirby: Content locks disclose IDs and emails of inaccessible users from `users.access/lis…

Kirby is an open-source content management system. In versions prior to 4.9.1 and 5.4.1, the content-locking feature returned lock information without checking the requesting user's access permission…

kirby | Remote | Information Disclosure
Jul 16, 2026 Jul 16, 2026
Jul 16, 2026
Jul 16, 2026
9.8 CRITICAL
CVE-2026-44180 — Jupyter Enterprise Gateway: ContainerProcessProxy._enforce_prohibited_ids can be Bypassed

Jupyter Enterprise Gateway launches remote Jupyter Notebook kernels across distributed clusters like Apache Spark, Kubernetes, and Docker Swarm. Versions 2.0.0rc1 and above prior to 3.3.0 have a proh…

Remote | Authorization
Jul 16, 2026 Jul 16, 2026
Jul 16, 2026
Jul 16, 2026
8.8 HIGH
CVE-2026-44177 — Kirby: Pre-authentication path traversal and PHP file inclusion during user lookup

Kirby is an open-source content management system. In versions 5.3.0 and above but prior to 5.4.1, Kirby did not correctly validate the provided user ID, resulting in a path traversal vulnerability. …

kirby | Remote | Path Traversal
Jul 16, 2026 Jul 16, 2026
Jul 16, 2026
Jul 16, 2026
6.0 MEDIUM
CVE-2026-44176 — Kirby: `pages.access` permission is not checked during rendering of page drafts

Kirby is an open-source content management system. Versions prior to 4.9.1 and 5.4.1 do not check the `pages.access` permission during page draft rendering. Permissions are defined for each user rol…

kirby | Remote | Authorization
Jul 16, 2026 Jul 16, 2026
Jul 16, 2026
Jul 16, 2026
8.5 HIGH
CVE-2026-44175 — Kirby: Cross-site scripting (XSS) from list field content in the site frontend

Kirby is an open-source content management system. In versions prior to 4.9.1 and 5.4.1, Kirby did not securely sanitize the contents of the list field on save, leaving it vulnerable to cross-site sc…

kirby | Remote | Cross-Site Scripting
Jul 16, 2026 Jul 16, 2026
Jul 16, 2026
Jul 16, 2026
8.7 HIGH
CVE-2026-44174 — Kirby: Arbitrary Method Call via REST API search and collection query endpoints

Kirby is an open-source content management system. Prior to 4.9.1 and 5.4.1, Kirby did not validate the model attributes that were used in its collection queries, allowing attackers to include arbitr…

kirby | Remote | Injection
Jul 16, 2026 Jul 16, 2026
Jul 16, 2026
Jul 16, 2026
4.9 MEDIUM
CVE-2026-14782 — Booking for Appointments and Events Calendar – Amelia <= 2.4.3 - Authenticated (Custom+) …

The Booking for Appointments and Events Calendar – Amelia plugin for WordPress is vulnerable to SQL Injection via the Customer Import in all versions up to, and including, 2.4.3 due to insufficient e…

Remote | Injection
Jul 16, 2026 Jul 16, 2026
Jul 16, 2026
Jul 16, 2026
0.0 NA
CVE-2026-13713 — YAML::Syck versions before 1.47 for Perl allow a use-after-free and double-free via an an…

YAML::Syck versions before 1.47 for Perl allow a use-after-free and double-free via an anchor node freed while still on the parser value stack. In the bundled libsyck, when an anchor name is redefin…

| Memory Corruption
Jul 16, 2026 Jul 16, 2026
Jul 16, 2026
Jul 16, 2026
6.8 MEDIUM
CVE-2026-61378 — AutomationDirect Productivity Suite Divide By Zero

A divide-by-zero vulnerability in the Productivity Suite allows a local attacker to cause a division by zero leading to a system crash.

productivity_suite | Denial of Service
Jul 16, 2026 Jul 16, 2026
Jul 16, 2026
Jul 16, 2026
5.9 MEDIUM
CVE-2026-60073 — AutomationDirect Productivity Suite Out-of-bounds Read

An out-of-bounds read in the Productivity Suite allows a physical attacker to control the length of data sent to a USB device. This can lead to a system crash or disclosure of kernel memory.

productivity_suite | Memory Corruption
Jul 16, 2026 Jul 16, 2026
Jul 16, 2026
Jul 16, 2026
6.9 MEDIUM
CVE-2026-57896 — AutomationDirect Productivity Suite Out-of-bounds Read

An out-of-bounds read vulnerability in the Productivity Suite allows a local attacker to trigger kernel memory corruption by sending a crafted IOCTL request. This could lead to limited information …

productivity_suite | Memory Corruption
Jul 16, 2026 Jul 16, 2026
Jul 16, 2026
Jul 16, 2026
8.1 HIGH
CVE-2026-55173 — AVideo incomplete fix for CVE-2026-33482: sanitizeFFmpegCommand still allows a single '&'…

WWBN AVideo is an open source video platform. Versions 29.0 and below remain vulnerable to OS command injection because the fix for CVE-2026-33482 was incomplete and still does not neutralize a singl…

avideo | Remote | Injection
Jul 16, 2026 Jul 16, 2026
Jul 16, 2026
Jul 16, 2026
Showing 20 of 8330 Results