Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score | Vulnerability | Published
7.5 HIGH
CVE-2026-54314 — n8n: Denial of Service via ZIP decompression in webhook workflow

n8n is an open source workflow automation platform. Prior to 2.24.0, the Compression node's Decompress operation expanded attacker-controlled archives into memory without enforcing limits on decompre…

n8n | Remote | Denial of Service
Jun 23, 2026 Jun 25, 2026
7.7 HIGH
CVE-2026-54313 — n8n: NoSQL Injection in MongoDB Node Find And Replace Operation

n8n is an open source workflow automation platform. Prior to 2.24.0, an authenticated user with workflow edit access could supply a malicious filter value in the MongoDB node's Find And Replace opera…

n8n | Remote | Injection
Jun 23, 2026 Jun 25, 2026
8.5 HIGH
CVE-2026-54312 — n8n: Microsoft SQL Node Prototype Pollution

n8n is an open source workflow automation platform. Prior to 2.24.0, an authenticated user with permission to create or modify workflows could achieve global prototype pollution via the Microsoft SQL…

n8n | Remote | Injection
Jun 23, 2026 Jun 25, 2026
7.7 HIGH
CVE-2026-54311 — n8n: Merge Node SQL Mode Prototype Pollution

n8n is an open source workflow automation platform. Prior to 2.25.7 and 2.26.2, an authenticated user with permission to create or modify workflows could pollute the sandbox used by the Merge node's …

n8n | Remote | Misconfiguration
Jun 23, 2026 Jun 25, 2026
9.9 CRITICAL
CVE-2026-54310 — n8n: SQL Injection in Postgres v1/TimescaleDB Nodes

n8n is an open source workflow automation platform. Prior to 2.25.7 and 2.26.2, an authenticated user with permission to create or modify workflows could supply crafted parameters to the TimescaleD…

n8n | Remote | Injection
Jun 23, 2026 Jun 25, 2026
10.0 CRITICAL
CVE-2026-54309 — n8n: n8n MCP Browser HTTP Transport Exposes Unauthenticated Browser-Control Sessions

n8n is an open source workflow automation platform. Prior to 2.25.7 and 2.26.2, when @n8n/mcp-browser is run in HTTP transport mode, the MCP endpoint accepts session initialization and tool invocatio…

n8n | Remote | Authentication
Jun 23, 2026 Jun 25, 2026
6.8 MEDIUM
CVE-2026-54303 — n8n: Reflected XSS via Facebook, WhatsApp, and Microsoft Teams Trigger Webhook Verificati…

n8n is an open source workflow automation platform. Prior to 2.24.0, an endpoint in the Meta and Microsoft Teams trigger nodes reflects a query parameter into the HTTP response without sanitization o…

n8n | Remote | Cross-Site Scripting
Jun 23, 2026 Jun 25, 2026
6.5 MEDIUM
CVE-2026-52673 — Cboard SQL Injection

SQL Injection vulnerability in Cboard v.0.4.2 and before allows a remote attacker to execute arbitrary code via the getDimensionsValues component

Remote | Injection
Jun 23, 2026 Jun 23, 2026
7.1 HIGH
CVE-2025-62180 — Pega Platform versions 8.3.0 through Infinity 25.1.2 are affected by an authorization wea…

Pega Platform versions 8.3.0 through Infinity 25.1.2 are affected by an authorization weakness that may allow authenticated users to access certain additional data via crafted URLs.

pega_platform | Remote | Authorization
Jun 23, 2026 Jun 23, 2026
6.5 MEDIUM
CVE-2025-55639 — GPAC MP4Box NULL Pointer Dereference Denial of Service

GPAC MP4Box v2.4 was discovered to contain a NULL pointer dereference in the gf_isom_add_track_kind() function at isomedia/isom_write.c. This vulnerability allows attackers to cause a Denial of Servi…

gpac | Remote | Denial of Service
Jun 23, 2026 Jun 30, 2026
3.5 LOW
CVE-2025-15619 — HCL Connections is vulnerable to broken access control

HCL Connections contains a broken access control vulnerability that may allow an unauthorized user to view data in a single specific scenario.

Remote | Authorization
Jun 23, 2026 Jun 25, 2026
7.4 HIGH
CVE-2026-56815 — Pwnlift Symlink Following Vulnerability

pwnlift before d7a9544, in a privileged deployment, contains a symlink following vulnerability in the upload handler in Components/Pages/Home.razor.

Path Traversal
Jun 23, 2026 Jun 23, 2026
9.2 CRITICAL
CVE-2026-35019 — NetComm NF20MESH < R6B032 Hardcoded AES Key Authentication Bypass

NetComm NF20MESH routers running firmware R6B031 and earlier contain an authentication bypass vulnerability that allows unauthenticated attackers to gain administrative access by exploiting a hardcod…

nf20mesh | Remote | Authentication
Jun 23, 2026 Jun 23, 2026
8.8 HIGH
CVE-2026-35018 — NetComm NF20MESH < R6B032 Authenticated RCE via OS Command Injection

NetComm NF20MESH routers running firmware R6B031 and earlier contain an authenticated remote code execution vulnerability that allows authenticated attackers to execute arbitrary commands as root by …

nf20mesh | Remote | Injection
Jun 23, 2026 Jun 24, 2026
9.4 CRITICAL
CVE-2026-28496 — FOSSBilling: Server-side template injection in Twig template rendering enables informatio…

FOSSBilling is a free, open-source billing and client management system. Versions prior to 0.8.0 have a Server-Side Template Injection (SSTI) vulnerability in the template rendering system. Administr…

fossbilling | Remote | Injection
Jun 23, 2026 Jun 23, 2026
10.0 CRITICAL
CVE-2026-27604 — FOSSBilling: Improper API Role Validation (system) Enables Unauthenticated Access to Priv…

FOSSBilling is a free, open-source billing and client management system. Starting in version 0.5.4 and prior to version 0.8.0, an authorization bypass in the API role handling allows unauthenticated …

fossbilling | Remote | Authorization
Jun 23, 2026 Jun 23, 2026
5.3 MEDIUM
CVE-2026-12969 — Dnsmasq: dnsmasq: out-of-bounds read in find_soa() due to missing extrabytes validation

An out-of-bounds read vulnerability exists in dnsmasq's find_soa() function in src/rfc1035.c. When parsing NS section records, extract_name() is called with extrabytes=0, failing to validate that 10 …

Jun 23, 2026 Jun 23, 2026
5.1 MEDIUM
CVE-2026-11772 — Reflected XSS in DRIMO CMS

DRIMO CMS is vulnerable to Reflected XSS via the q parameter in the search functionality. An attacker can prepare a URL that, when opened, results in arbitrary JavaScript execution in the victim's browse…

Remote | Cross-Site Scripting
Jun 23, 2026 Jun 23, 2026
6.8 MEDIUM
CVE-2026-10609 — Openshift/cluster-logging-operator: cluster logging operator creates and forwards service…

A missing authorization flaw was found in the OpenShift Cluster Logging Operator. The operator creates and forwards ServiceAccount tokens to output destinations without verifying that the ClusterLogF…

logging_subsystem_for_red_hat_openshift | Remote | Authorization
Jun 23, 2026 Jun 23, 2026
8.6 HIGH
CVE-2026-56784 — OpenRemote < 1.25.0 IDOR via Bulk Alarm Deletion Endpoint

OpenRemote before 1.25.0 contains an insecure direct object reference (IDOR) vulnerability in the bulk alarm deletion endpoint that allows authenticated users to permanently delete alarms belonging t…

openremote | Remote | Authorization
Jun 23, 2026 Jun 23, 2026
Showing 20 of 7989 Results