Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score | Vulnerability | Published / Updated
6.9 MEDIUM
CVE-2026-43920 — FOSSBilling: Unauthenticated update patcher endpoint allows remote maintenance execution

FOSSBilling is a free, open-source billing and client management system. In versions 0.5.4 through 0.7.2, the /run-patcher maintenance endpoint in FOSSBilling was accessible without authentication, w…

fossbilling | Remote | Authentication
Published Jun 26, 2026 | Updated Jun 26, 2026
3.8 LOW
CVE-2026-13322 — Kubevirt: virt-handler-rhel9: kubevirt: unbounded virtio-serial ReadLine in virt-handler …

A flaw was found in KubeVirt's downward metrics virtio-serial server. The server reads guest requests using textproto.Reader.ReadLine(), which buffers input indefinitely until a newline character is …

openshift_virtualization | Denial of Service
Published Jun 26, 2026 | Updated Jun 26, 2026
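The KubeVirt entry above describes a server that reads guest input with textproto.Reader.ReadLine(), which keeps buffering until a newline arrives. The following is an added example in Go, not KubeVirt's code, showing the unbounded pattern next to a bounded reader that stops pulling bytes from the peer at a cap. The 1 KiB cap and the "hostile guest" input stream are constructed for the example.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"io"
	"strings"
)

// maxLineBytes is the most a single request line may occupy before the
// server gives up on the peer. The figure is an assumption for this example;
// a real server derives it from the longest legal request in its protocol.
const maxLineBytes = 1024

// ErrLineTooLong is returned when the peer sends more than maxLineBytes
// without a newline.
var ErrLineTooLong = errors.New("request line exceeds maxLineBytes")

// readLineUnbounded reproduces the weak pattern: it keeps buffering until it
// sees '\n', so a peer that never sends one makes the buffer grow with every
// byte it sends. (textproto.Reader.ReadLine behaves the same way.) EOF here
// stands in for the peer finally going quiet; a real attacker never does.
func readLineUnbounded(r io.Reader) (string, error) {
	line, err := bufio.NewReader(r).ReadString('\n')
	return strings.TrimRight(line, "\r\n"), err
}

// readLineBounded wraps the peer in io.LimitReader so at most maxLineBytes+1
// bytes are ever pulled into memory for one line. If the limit is reached
// without a newline, the line is rejected instead of buffered further.
func readLineBounded(r io.Reader) (string, error) {
	lr := io.LimitReader(r, maxLineBytes+1)
	line, err := bufio.NewReader(lr).ReadString('\n')
	if err == nil {
		return strings.TrimRight(line, "\r\n"), nil
	}
	if errors.Is(err, io.EOF) && len(line) > maxLineBytes {
		return "", ErrLineTooLong
	}
	return "", err
}

// hostileStream is a constructed stand-in for a guest that streams 'A' bytes
// and never terminates the line.
func hostileStream(n int) io.Reader {
	return strings.NewReader(strings.Repeat("A", n))
}

func main() {
	line, err := readLineBounded(strings.NewReader("GET /metrics\r\n"))
	fmt.Printf("bounded, benign: %q err=%v\n", line, err)

	line, err = readLineUnbounded(hostileStream(1 << 20))
	fmt.Printf("unbounded, hostile: buffered %d bytes, err=%v\n", len(line), err)

	_, err = readLineBounded(hostileStream(1 << 20))
	fmt.Printf("bounded, hostile: err=%v\n", err)
}
```

The limit is applied to the underlying reader rather than checked after the fact, so the server never holds more than the cap for one request regardless of how much the guest sends; on ErrLineTooLong the right response is to drop the connection rather than keep reading.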
6.4 MEDIUM
CVE-2026-13318 — Virt-api-rhel9: kubevirt: kubevirt: SSRF in virt-api port-forward via unvalidated guest-a…

A server-side request forgery (SSRF) flaw was found in KubeVirt's virt-api port-forward handler. When processing a port-forward request to a VirtualMachineInstance (VMI), virt-api reads the target IP…

openshift_virtualization | Remote | Server-Side Request Forgery
Published Jun 26, 2026 | Updated Jun 26, 2026
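The SSRF entry above turns on virt-api dialling a target IP that the guest side supplied. The following is an added Go example, not KubeVirt's code, of the check a port-forward handler should make before dialling: the reported address is accepted only if it is one the control plane already assigned to the VMI, and link-local, loopback and unspecified addresses are refused outright. The pod address 10.244.1.7 and the function name are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"net/netip"
)

// ErrTargetNotPermitted is returned when the guest-reported address is not
// one the control plane already associates with the VMI.
var ErrTargetNotPermitted = errors.New("port-forward target not permitted")

// metadataService is the cloud instance-metadata endpoint, the classic SSRF
// target. It is link-local, so the generic check below would also catch it;
// naming it gives a clearer error and survives a future loosening of that check.
var metadataService = netip.MustParseAddr("169.254.169.254")

// checkPortForwardTarget decides whether the API server may dial reported on
// behalf of a port-forward request. vmiAddrs are the addresses the control
// plane itself assigned to the VMI (the allowlist); an address is never trusted
// merely because the guest reported it.
func checkPortForwardTarget(reported string, vmiAddrs []string) (netip.Addr, error) {
	addr, err := netip.ParseAddr(reported)
	if err != nil {
		return netip.Addr{}, fmt.Errorf("invalid target address %q: %w", reported, err)
	}
	addr = addr.Unmap() // treat ::ffff:10.244.1.7 the same as 10.244.1.7

	switch {
	case addr == metadataService:
		return netip.Addr{}, fmt.Errorf("%w: %s is the metadata service", ErrTargetNotPermitted, addr)
	case addr.IsLoopback(), addr.IsUnspecified(), addr.IsMulticast(),
		addr.IsLinkLocalUnicast(), addr.IsLinkLocalMulticast():
		return netip.Addr{}, fmt.Errorf("%w: %s is not a routable host address", ErrTargetNotPermitted, addr)
	}

	for _, s := range vmiAddrs {
		allowed, err := netip.ParseAddr(s)
		if err != nil {
			continue // a malformed allowlist entry can never match
		}
		if allowed.Unmap() == addr {
			return addr, nil
		}
	}
	return netip.Addr{}, fmt.Errorf("%w: %s is not an address of this VMI", ErrTargetNotPermitted, addr)
}

func main() {
	vmi := []string{"10.244.1.7"} // constructed pod address for the example
	for _, target := range []string{"10.244.1.7", "::ffff:10.244.1.7", "169.254.169.254", "127.0.0.1", "10.244.1.8"} {
		addr, err := checkPortForwardTarget(target, vmi)
		fmt.Printf("%-18s -> %v (err: %v)\n", target, addr, err)
	}
}
```

The allowlist is the control that matters; the denylist only narrows the damage if the allowlist is ever populated from a tainted source, and it deliberately does not reject private ranges because pod and VMI addresses live there.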
4.2 MEDIUM
CVE-2026-13218 — Kubevirt: kubevirt: symlink following in WriteToCachedFile allows host file overwrite fro…

A flaw was found in KubeVirt's virt-handler network cache handling. The WriteToCachedFile function writes data to a launcher-rooted path using os.WriteFile and os.Chown without symlink protection. A …

openshift_virtualization | Path Traversal
Published Jun 26, 2026 | Updated Jun 26, 2026
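The WriteToCachedFile entry above comes down to os.WriteFile following a symlink planted at the cache path. The following is an added Go example, not KubeVirt's code, that stages that situation in a temporary directory: a "host" file, a cache entry replaced by a symlink to it, and two writers. The unsafe writer clobbers the host file; the hardened one opens with O_NOFOLLOW and fails with ELOOP. File names are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"syscall"
)

// unsafeWrite is the pattern the advisory describes: os.WriteFile opens the
// path with plain O_CREATE|O_TRUNC, so a symlink at the destination redirects
// the write to whatever the link points at.
func unsafeWrite(path string, data []byte) error {
	return os.WriteFile(path, data, 0o600)
}

// safeWrite adds O_NOFOLLOW so open(2) fails with ELOOP when the final path
// component is a symlink. The check happens inside the kernel's open, so there
// is no Lstat-then-open race. O_NOFOLLOW does not cover symlinks in parent
// directories; if the directory tree itself is attacker-writable, resolve it
// component by component (or use openat2 with RESOLVE_NO_SYMLINKS) as well.
func safeWrite(path string, data []byte) error {
	f, err := os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_TRUNC|syscall.O_NOFOLLOW, 0o600)
	if err != nil {
		return err
	}
	defer f.Close()
	_, err = f.Write(data)
	return err
}

// isSymlinkRefusal reports whether err is the ELOOP that O_NOFOLLOW produces.
func isSymlinkRefusal(err error) bool {
	return errors.Is(err, syscall.ELOOP)
}

// runDemo stages the attack under root and returns the host file's contents
// after the unsafe write and after the safe write, plus the safe writer's error.
func runDemo(root string) (afterUnsafe, afterSafe string, safeErr error, err error) {
	host := filepath.Join(root, "host-file")
	cache := filepath.Join(root, "cache")
	link := filepath.Join(cache, "net.json") // name is illustrative only

	if err = os.MkdirAll(cache, 0o700); err != nil {
		return
	}
	if err = os.WriteFile(host, []byte("original"), 0o600); err != nil {
		return
	}
	if err = os.Symlink(host, link); err != nil {
		return
	}

	// Vulnerable path: the write lands on the symlink target.
	if err = unsafeWrite(link, []byte("tampered")); err != nil {
		return
	}
	b, rerr := os.ReadFile(host)
	if rerr != nil {
		err = rerr
		return
	}
	afterUnsafe = string(b)

	// Reset the host file and retry through the hardened writer.
	if err = os.WriteFile(host, []byte("original"), 0o600); err != nil {
		return
	}
	safeErr = safeWrite(link, []byte("tampered"))
	if b, rerr = os.ReadFile(host); rerr != nil {
		err = rerr
		return
	}
	afterSafe = string(b)
	return
}

func main() {
	root, err := os.MkdirTemp("", "symlink-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)
	afterUnsafe, afterSafe, safeErr, err := runDemo(root)
	if err != nil {
		panic(err)
	}
	fmt.Printf("host file after os.WriteFile through symlink: %q\n", afterUnsafe)
	fmt.Printf("host file after O_NOFOLLOW write: %q (err: %v)\n", afterSafe, safeErr)
}
```

The same reasoning applies to the os.Chown the advisory mentions: chown on a path follows symlinks, so ownership changes should go through the already-opened descriptor (f.Chown) rather than the path.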
6.9 MEDIUM
CVE-2026-13083 — Pen Drive: stored XSS via unescaped cluster data in HTML report

A flaw was found in the Pen Drive report generator. Cluster-sourced data is rendered into HTML reports without proper escaping or sanitization. An attacker with cluster administrator privileges can i…

Remote | Cross-Site Scripting
Published Jun 26, 2026 | Updated Jul 01, 2026
6.5 MEDIUM
CVE-2026-12993 — Apicurio Registry: XML entity-expansion denial of service via…

A flaw was found in Apicurio Registry. The DocumentBuilderAccessor correctly blocks external DTD and schema access but does not disable DOCTYPE declarations or enable FEATURE_SECURE_PROCESSING. An at…

Remote | XML External Entity
Published Jun 26, 2026 | Updated Jun 29, 2026
7.1 HIGH
CVE-2026-40941 — Cacti: Package Import Signature Validation Bypass Allows Self-Signed Packages

Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior have a package import signature validation bypass which allows self-signed packages. This issue ha…

cacti | Remote | Misconfiguration
Published Jun 25, 2026 | Updated Jun 29, 2026
6.5 MEDIUM
CVE-2026-40084 — Cacti: Arbitrary File Read via Path Traversal in Report `format_file` Parameter

Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior are vulnerable to Path Traversal through the Report format_file Parameter, causing arbitrary file read. …

cacti | Remote | Path Traversal
Published Jun 25, 2026 | Updated Jun 29, 2026
7.2 HIGH
CVE-2026-40083 — Cacti: SQL Injection in managers.php

Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior have SQL Injection through unsanitized unserialize+implode in managers.php. At line 756 of managers.php,…

cacti | Remote | Injection
Published Jun 25, 2026 | Updated Jun 30, 2026
5.4 MEDIUM
CVE-2026-40082 — Cacti: Session Fixation via missing session_regenerate_id() after login

Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior have missing session_regenerate_id() after login, leading to Session Fixation. session_regenerate_id() is…

cacti | Remote | Authentication
Published Jun 25, 2026 | Updated Jun 29, 2026
6.1 MEDIUM
CVE-2026-40080 — Cacti: Open Redirect via HTTP_REFERER substring check in auth_login_redirect

Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior are vulnerable to Open Redirect through a substring check rather than a host check at str_contains($refer…

cacti | Remote | Misconfiguration
Published Jun 25, 2026 | Updated Jun 29, 2026
7.5 HIGH
CVE-2026-8720 — HMAC-BLAKE2 final discards message when key length exceeds block size

wc_Blake2bHmacFinal and wc_Blake2sHmacFinal discard the message when the key length exceeds the block size, producing a MAC that is independent of the input. When the supplied key is longer than the …

wolfssl | Remote | Cryptography
Published Jun 25, 2026 | Updated Jun 27, 2026
7.5 HIGH
CVE-2026-7532 — iPAddress name constraints not enforced when WOLFSSL_IP_ALT_NAME is undefined

iPAddress name constraints bypass when WOLFSSL_IP_ALT_NAME is not defined. IP address name constraints are not enforced in that configuration, allowing a certificate to bypass an issuing CA's IP addr…

wolfssl | Remote | Misconfiguration
Published Jun 25, 2026 | Updated Jul 01, 2026
7.5 HIGH
CVE-2026-7511 — PKCS7_verify signer confusion allows forged signatures to be accepted

PKCS7_verify signer confusion allows forged signatures, where the signer associated with a signature is not correctly bound, permitting a forged signature to be accepted.

wolfssl | Remote | Cryptography
Published Jun 25, 2026 | Updated Jun 27, 2026
7.5 HIGH
CVE-2026-6331 — HMAC zero-length tag forgery in EVP_DigestVerifyFinal

HMAC zero-length tag forgery in EVP_DigestVerifyFinal, where a zero-length tag could be accepted as valid during HMAC verification. In the OpenSSL-compatibility HMAC verify path the supplied signatur…

wolfssl | Remote | Cryptography
Published Jun 25, 2026 | Updated Jun 27, 2026
6.5 MEDIUM
CVE-2026-6330 — ML-KEM ARM64 NEON ciphertext comparison only compares half of the input

The ML-KEM ARM64 NEON ciphertext comparison only compares half of the input, breaking the Fujisaki-Okamoto transform's implicit rejection and weakening IND-CCA2 security on that code path. The consta…

wolfssl | Remote | Cryptography
Published Jun 25, 2026 | Updated Jun 27, 2026
6.5 MEDIUM
CVE-2026-6329 — PKCS#12 MAC verification uses attacker-controlled comparison length

PKCS#12 MAC verification uses an attacker-controlled comparison length, weakening the integrity check on the MAC and allowing a mismatched MAC to be accepted. The PKCS#12 verify path compared the loc…

wolfssl | Remote | Cryptography
Published Jun 25, 2026 | Updated Jun 27, 2026
7.5 HIGH
CVE-2026-6325 — Out-of-bounds write in SetSuitesHashSigAlgo on oversized signature algorithms list

Out-of-bounds write in SetSuitesHashSigAlgo when processing an oversized signature algorithms list, allowing a write past the bounds of the destination buffer.

wolfssl | Remote | Memory Corruption
Published Jun 25, 2026 | Updated Jun 27, 2026
5.3 MEDIUM
CVE-2026-6092 — Encrypt-then-MAC could fall back to MAC-then-Encrypt when HAVE_ENCRYPT_THEN_MAC is config…

When HAVE_ENCRYPT_THEN_MAC is configured, the implementation could fall back to MAC-then-Encrypt rather than enforcing Encrypt-then-MAC.

wolfssl | Remote | Cryptography
Published Jun 25, 2026 | Updated Jun 27, 2026
6.5 MEDIUM
CVE-2026-55962 — TLS 1.3 post-handshake authentication: server accepts Finished without client Certificate…

TLS 1.3 post-handshake authentication (PHA) issue where a server could accept a client's Finished message without the client having sent a Certificate and CertificateVerify. The post-handshake-auth e…

wolfssl | Remote | Authentication
Published Jun 25, 2026 | Updated Jun 27, 2026
Showing 20 of 7983 Results