Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
6.1 MEDIUM
CVE-2026-48942 — Joomla Extension - getk2.org - Stored-XSS in K2 extension for Joomla < 2.26

K2 ≤ 2.26 renders the `#__k2_users.image` column directly into HTML `src` attributes via two distinct templates, in both cases without HTML escaping.

k2 | Remote | Cross-Site Scripting
Jun 25, 2026 Jun 28, 2026
Jun 25, 2026
Jun 28, 2026
6.5 MEDIUM
CVE-2026-48941 — Joomla Extension - getk2.org - Unauthenticated folder delete in K2 extension for Joomla <…

The K2 frontend `item.checkin` task accepts an unauthenticated `sigProFolder` query parameter and uses it directly to address a `JFolder::delete()` call under `/media/k2/galleries/`

k2 | Remote | Path Traversal
Jun 25, 2026 Jun 28, 2026
Jun 25, 2026
Jun 28, 2026
3.4 LOW
CVE-2026-48940 — Joomla Extension - getk2.org - Stored-XSS in K2 extension for Joomla < 2.26

A Joomla user with K2 "create item" rights (Author tier by default) can submit an article whose `embedVideo` POST field contains a raw `<script>` tag; K2 stores it verbatim and renders it unescaped t…

k2 | Remote | Cross-Site Scripting
Jun 25, 2026 Jun 28, 2026
Jun 25, 2026
Jun 28, 2026
7.5 HIGH
CVE-2026-12844 — List::SomeUtils::XS versions before 0.59 for Perl have a heap buffer overflow in the pair…

List::SomeUtils::XS versions before 0.59 for Perl have a heap buffer overflow in the pairwise function. pairwise() collects the values returned by the block into a heap buffer sized to the longer in…

Remote | Memory Corruption
Jun 25, 2026 Jun 25, 2026
Jun 25, 2026
Jun 25, 2026
5.3 MEDIUM
CVE-2026-6432 — Improper bounds validation in EmberZNet SDK

Improper bounds validation in EmberZNet SDK versions 9.0.2 and earlier may result in crashes or dynamic memory leakage.

Remote | Memory Corruption
Jun 25, 2026 Jun 25, 2026
Jun 25, 2026
Jun 25, 2026
3.3 LOW
CVE-2026-57588 — SQL Injection in Nessus via Malicious Scan Result File Import

A SQL injection vulnerability in Nessus allows an attacker to craft a malicious scan result file that, when imported by a privileged user, injects malicious SQL into the scan results database, potent…

nessus | Injection
Jun 25, 2026 Jun 26, 2026
Jun 25, 2026
Jun 26, 2026
5.3 MEDIUM
CVE-2026-57587 — SQL Injection in Nessus via Reverse DNS Lookup

A SQL injection vulnerability in Nessus allows a remote, unauthenticated attacker who controls reverse DNS records for a scanned host to inject malicious SQL into the scan results database, potential…

nessus | Remote | Injection
Jun 25, 2026 Jun 26, 2026
Jun 25, 2026
Jun 26, 2026
6.3 MEDIUM
CVE-2026-57536 — Insufficient validation of payment status in pretix-mollie

Our payment integration with Mollie did not properly validate payment status responses. An attacker could use a successful payment status response from one payment and supply it to the system for a…

Remote | Authentication
Jun 25, 2026 Jun 25, 2026
Jun 25, 2026
Jun 25, 2026
2.1 LOW
CVE-2026-57535 — Adobe Reader SSRF

Content injected to PDF rendering contexts could, in many places, include HTML content including <img> tags. If the src attribute of these images pointed to an URL, the PDF rendering engine would d…

pretix | Remote | Server-Side Request Forgery
Jun 25, 2026 Jun 25, 2026
Jun 25, 2026
Jun 25, 2026
2.1 LOW
CVE-2026-57534 — Stored XSS in pretix-pages

Malicious HTML content could be injected into the content of a page in the pretix-pages plugin.

Remote | Cross-Site Scripting
Jun 25, 2026 Jun 25, 2026
Jun 25, 2026
Jun 25, 2026
2.1 LOW
CVE-2026-57533 — Pretix HTML Injection

Malicious HTML content could be injected into the page pretix shows when redirection to an untrusted page occurs. Since this page has a Content-Security-Policy, this can mainly be used for phishing…

pretix | Remote | Cross-Site Scripting
Jun 25, 2026 Jun 25, 2026
Jun 25, 2026
Jun 25, 2026
8.8 HIGH
CVE-2026-57532 — Adobe Acrobat Reader PDF Ticket HTML Injection

Malicious HTML content contained in the layout specification of a PDF ticket or badge layout was executed when the PDF editor is opened in the browser. This could allow one backend user to inject J…

pretix | Remote | Cross-Site Scripting
Jun 25, 2026 Jun 25, 2026
Jun 25, 2026
Jun 25, 2026
5.3 MEDIUM
CVE-2026-57437 — Nokogiri: Possible Use-After-Free when directly using `NokogirI::XML::XPathContext` beyon…

Nokogiri is an open source XML and HTML library for the Ruby programming language. Prior to 1.19.4, Nokogiri::XML::XPathContext did not keep its source document alive for garbage collection. If an XP…

nokogiri | Remote | Memory Corruption
Jun 25, 2026 Jun 26, 2026
Jun 25, 2026
Jun 26, 2026
5.3 MEDIUM
CVE-2026-57436 — Nokogiri: Possible Use-After-Free when setting `Document#root=` to an invalid node type

Nokogiri is an open source XML and HTML library for the Ruby programming language. Prior to 1.19.4, Nokogiri::XML::Document#root= validated only that the new root was a Nokogiri::XML::Node, allowing …

nokogiri | Remote | Memory Corruption
Jun 25, 2026 Jun 26, 2026
Jun 25, 2026
Jun 26, 2026
7.5 HIGH
CVE-2026-57435 — Nokogiri: Possible Use-After-Free when setting an attribute value via `Nokogiri::XML::Att…

Nokogiri is an open source XML and HTML library for the Ruby programming language. Prior to 1.19.4, Nokogiri’s CRuby native extension could leave a Ruby wrapper pointing to freed memory when replacin…

nokogiri | Remote | Memory Corruption
Jun 25, 2026 Jun 26, 2026
Jun 25, 2026
Jun 26, 2026
7.5 HIGH
CVE-2026-57434 — Nokogiri: Null Pointer Dereference calling methods on uninitialized wrapper classes

Nokogiri is an open source XML and HTML library for the Ruby programming language. Prior to 1.19.4, Nokogiri contains a bug when calling certain methods on allocated-but-uninitialized native wrapper …

nokogiri | Remote | Memory Corruption
Jun 25, 2026 Jun 26, 2026
Jun 25, 2026
Jun 26, 2026
8.2 HIGH
CVE-2026-57236 — Nokogiri: Possible Use-After-Free when `Nokogiri::XML::Document#encoding=` raises an exce…

Nokogiri is an open source XML and HTML library for the Ruby programming language. Prior to 1.19.4, calling Document#encoding= with an invalid encoding (e.g., a non-string, or a string containing a n…

nokogiri | Remote | Memory Corruption
Jun 25, 2026 Jun 26, 2026
Jun 25, 2026
Jun 26, 2026
8.2 HIGH
CVE-2026-57235 — Nokogiri: Possible Out-of-Bounds Read in `Nokogiri::XML::NodeSet#[]`

Nokogiri is an open source XML and HTML library for the Ruby programming language. Prior to 1.19.4, Nokogiri::XML::NodeSet#[] (and its alias #slice) checked the requested index against the node set's…

nokogiri | Remote | Memory Corruption
Jun 25, 2026 Jun 26, 2026
Jun 25, 2026
Jun 26, 2026
2.6 LOW
CVE-2026-57234 — Nokogiri: XML::Schema on JRuby allows network requests when NONET is set, bypassing CVE-2…

Nokogiri is an open source XML and HTML library for the Ruby programming language. Prior to 1.19.4, the NONET parse option, which Nokogiri turns on by default for Nokogiri::XML::Schema (see CVE-2020-…

nokogiri | Remote | XML External Entity
Jun 25, 2026 Jun 26, 2026
Jun 25, 2026
Jun 26, 2026
6.9 MEDIUM
CVE-2026-49319 — Alps Electric Co., Ltd. R53R0 Remote Keyless Entry System (RKES) Replay Attack

Remote Keyless Entry System (RKES), using the 433 MHz key fob bearing FCC ID CWTR53R0 manufactured by ALPS ALPINE CO., LTD., is vulnerable to a roll-back attack against its rolling-code authenticatio…

| Authentication
Jun 25, 2026 Jun 26, 2026
Jun 25, 2026
Jun 26, 2026
Showing 20 of 7989 Results