Latest CVE Feed

Vulnerabilities published in the last 30 days.

Score
Vulnerability
Published
5.3 MEDIUM
CVE-2026-35447 — NamelessMC: Private or blocking profile pages can be bypassed with direct POST requests, …

NamelessMC is website software for Minecraft servers. In version 2.2.4, the profile page (modules/Core/pages/profile.php) processes wall post submissions and replies before verifying whether the view…

nameless | Remote | Authorization
Jun 02, 2026
5.3 MEDIUM
CVE-2026-35443 — NamelessMC: Forum reactions bypass the "view own topics only" restriction

NamelessMC is website software for Minecraft servers. In version 2.2.4, `modules/Forum/classes/ForumPostReactionContext.php` only verifies that the caller can view the forum, but it does not re-enfor…

nameless | Remote | Authorization
Jun 02, 2026
5.4 MEDIUM
CVE-2026-33244 — React Router has stored XSS via unescaped Location header in prerendered redirect HTML

React Router is a router for React. In versions 7.5.1 through 7.13.1, when using Framework Mode with pre-rendering enabled, improper neutralization of the HTTP `Location` header value can permit Cros…

Remote | Cross-Site Scripting
Jun 02, 2026
7.8 HIGH
CVE-2026-24237 — NVIDIA NVTabular Improper Deserialization

NVIDIA NVTabular contains a vulnerability where an attacker could cause improper deserialization of untrusted data. A successful exploit of this vulnerability might lead to code execution, data tampe…

Injection
Jun 02, 2026
7.8 HIGH
CVE-2026-24221 — NVIDIA NVTabular Improper Deserialization

NVIDIA NVTabular contains a vulnerability where an attacker could cause improper deserialization of untrusted data. A successful exploit of this vulnerability might lead to code execution, data tampe…

Injection
Jun 02, 2026
7.1 HIGH
CVE-2026-1871 — Authenticated Stack-based Buffer Overflow in RTSP Authentication of Tapo C200

TP-Link Tapo C200 v5 contains a stack-based buffer overflow flaw in RTSP authentication handling due to improper validation of Authorization header field lengths, which can be triggered by a crafted …

tapo_c200 | Memory Corruption
Jun 02, 2026
7.5 HIGH
CVE-2026-10606 — DedeCMS Feedback feedback.php TrimMsg sql injection

A vulnerability was determined in DedeCMS 5.7.88. The affected element is the function TrimMsg of the file /plus/feedback.php of the component Feedback Handler. Executing a manipulation of the argume…

Remote | Injection
Jun 02, 2026
9.8 CRITICAL
CVE-2026-0611 — Spacelabs Healthcare Sentinel 10.5.x < 11.6.0 Unauthenticated RCE via .NET Remoting

Spacelabs Healthcare Sentinel versions 10.5.x and higher and 11.x.x before 11.6.0 contain an unauthenticated remote code execution vulnerability through a deprecated .NET Remoting HTTP channel expose…

Remote | Misconfiguration
Jun 02, 2026
3.1 LOW
CVE-2024-42206 — HCL iReflection Use of Third party vulnerable and outdated components issue was detected …

HCL iReflection Third party vulnerable and outdated components issue was detected in the web application

Remote | Supply Chain
Jun 02, 2026
5.3 MEDIUM
CVE-2026-9590 — Devolutions Server Access Control Vulnerability

Improper access control in the permission validation component in Devolutions Server 2026.1.19 and earlier allows an authenticated user with entry edit privileges to modify asset information without …

devolutions_server | Remote | Authorization
Jun 02, 2026
5.4 MEDIUM
CVE-2026-9522 — Devolutions Server Improper Access Control Leads to Scan Configuration Deletion

Improper access control in the PAM account discovery feature in Devolutions Server 2026.1.19 and earlier allows an authenticated user without administrative privileges to delete network discovery sca…

devolutions_server | Remote | Authorization
Jun 02, 2026
6.3 MEDIUM
CVE-2026-7299 — CVE-2026-7299

Appsmith’s SQL query editor’s autocomplete functionality fails to sanitize database object names before rendering them in innerHTML, allowing an authenticated Developer to inject persistent XSS by a …

Remote | Cross-Site Scripting
Jun 02, 2026
8.2 HIGH
CVE-2026-49754 — HTTP/2 CONTINUATION flood in Mint client via unbounded header-block accumulation

Allocation of Resources Without Limits or Throttling vulnerability in elixir-mint Mint allows attacker-controlled HTTP/2 servers to exhaust memory in a Mint client (HTTP/2 CONTINUATION flood). When …

Remote | Denial of Service
Jun 02, 2026
6.3 MEDIUM
CVE-2026-49753 — HTTP response smuggling in Mint HTTP/1 client via lenient Content-Length parsing

Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') vulnerability in elixir-mint Mint allows attacker-controlled HTTP/1 servers to desynchronise response framing on share…

Remote | Misconfiguration
Jun 02, 2026
8.2 HIGH
CVE-2026-48862 — Unbounded conn.streams growth in Mint HTTP/2 client via unenforced PUSH_PROMISE concurren…

Allocation of Resources Without Limits or Throttling vulnerability in elixir-mint Mint allows attacker-controlled HTTP/2 servers to exhaust memory in a Mint client via PUSH_PROMISE flooding. In lib/…

Remote | Denial of Service
Jun 02, 2026
2.1 LOW
CVE-2026-48861 — CRLF injection in HTTP/1 request line via unvalidated method in Mint

Improper Neutralization of CRLF Sequences ('CRLF Injection') vulnerability in elixir-mint Mint allows HTTP Request Splitting and HTTP Request Smuggling. In lib/mint/http1/request.ex, the encode_requ…

Injection
Jun 02, 2026
9.8 CRITICAL
CVE-2026-47117 — OpenMed < 1.5.2 Remote Code Execution via PII Model Loading

OpenMed before 1.5.2 contains a remote code execution vulnerability in the PII privacy-filter model loading path. The privacy-filter dispatcher used broad substring matching on the user-supplied mode…

Remote | Injection
Jun 02, 2026
7.5 HIGH
CVE-2026-45686 — OpenTelemetry eBPF Instrumentation: Memcached payload length overflow can crash OBI

OpenTelemetry eBPF Instrumentation provides eBPF instrumentation based on the OpenTelemetry standard. From version 0.7.0 to before version 0.9.0, a remotely reachable integer overflow in OBI's memcac…

opentelemetry_ebpf_instrumentation | Remote | Denial of Service
Jun 02, 2026
7.5 HIGH
CVE-2026-45685 — OpenTelemetry eBPF Instrumentation: MongoDB parser panics on malformed wire messages

OpenTelemetry eBPF Instrumentation provides eBPF instrumentation based on the OpenTelemetry standard. From version 0.1.0 to before version 0.9.0, malformed MongoDB wire messages can trigger uncaught …

opentelemetry_ebpf_instrumentation | Remote | Denial of Service
Jun 02, 2026
4.9 MEDIUM
CVE-2026-45684 — OpenTelemetry eBPF Instrumentation: Log enricher writev path can overread and overwrite u…

OpenTelemetry eBPF Instrumentation provides eBPF instrumentation based on the OpenTelemetry standard. From version 0.7.0 to before version 0.9.0, OBI's log enricher mishandles writev buffers by readi…

Jun 02, 2026
Showing 20 of 7153 Results