Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score | Vulnerability | Published
7.1 HIGH
CVE-2026-47110 — Tiptap for PHP < 2.1.1 DoS via Malformed href Attribute

Tiptap for PHP before version 2.1.1 contains an input validation vulnerability that allows authenticated attackers to cause a denial of service by submitting Tiptap JSON with the attrs.href field set…

Remote | Denial of Service
Published Jun 24, 2026, updated Jun 30, 2026
6.1 MEDIUM
CVE-2026-39897 — Cacti has a Reflected XSS Vulnerability via html_auth_footer

Cacti is an open source performance and fault management framework. Versions 1.2.30 and below contain a Reflected XSS vulnerability in the html_auth_footer. This issue has been fixed in version 1.2.3…

cacti | Remote | Cross-Site Scripting
Published Jun 24, 2026, updated Jun 25, 2026
2.9 LOW
CVE-2026-39894 — Cacti: RRDtool metric shift via LC_NUMERIC locale comma decimal formatting

Cacti is an open source performance and fault management framework. In versions 1.2.30 and below, the locale-dependent decimal formatting in rrdtool_function_update() can corrupt RRDtool metric value…

cacti | Misconfiguration
Published Jun 24, 2026, updated Jun 25, 2026
9.8 CRITICAL
CVE-2026-39893 — Cacti: Pre-authentication SQL injection via rfilter RLIKE clause in graph_view.php

Cacti is an open source performance and fault management framework. In versions 1.2.30 and prior, the rfilter request variable was concatenated into a RLIKE SQL clause without sanitization. The endpo…

cacti | Remote | Injection
Published Jun 24, 2026, updated Jun 26, 2026
7.8 HIGH
CVE-2026-2050 — GIMP HDR File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability

GIMP HDR File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GIMP. User inte…

gimp | Memory Corruption
Published Jun 24, 2026, updated Jun 30, 2026
6.5 MEDIUM
CVE-2026-10642 — Unbounded TX busy-loop DoS in Zephyr PL011 UART driver under CTS hardware flow control

The Zephyr PL011 UART driver (drivers/serial/uart_pl011.c) contains an unbounded software loop in pl011_irq_tx_enable() that repeatedly invokes the interrupt-driven application callback while the TX …

zephyr | Denial of Service
Published Jun 24, 2026, updated Jul 02, 2026
7.8 HIGH
CVE-2026-10043 — MosaicML Composer Deserialization of Untrusted Data Remote Code Execution Vulnerability

MosaicML Composer Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of MosaicML Com…

Misconfiguration
Published Jun 24, 2026, updated Jun 25, 2026
5.5 MEDIUM
CVE-2025-60468 — GPAC Use-After-Free Heap Overflow

GPAC Multimedia Open Source Project GPAC Project/MP4Box 2.5-DEV-rev1593-gfe88c3545-master is affected by: Buffer Overflow. The impact is: cause a denial of service (local). The component is: filter_c…

gpac | Memory Corruption
Published Jun 24, 2026, updated Jun 26, 2026
7.3 HIGH
CVE-2026-7539 — HP Dock Accessory WMI Provider Installer Security Update

A potential security vulnerability has been identified in the HP Accessory WMI Provider installer for some HP Docking Stations, which might allow escalation of privilege and/or arbitrary code executi…

Misconfiguration
Published Jun 24, 2026, updated Jun 26, 2026
5.4 MEDIUM
CVE-2026-52816 — Gogs: Unauthenticated Jupyter Notebook (ipynb) Sanitizer allows arbitrary data: URIs lead…

Gogs is an open source self-hosted Git service. Prior to 0.14.3, the Jupyter Notebook (ipynb) sanitizer endpoint at POST /-/api/sanitize_ipynb allows arbitrary data: URIs without proper restrictions,…

gogs | Remote | Cross-Site Scripting
Published Jun 24, 2026, updated Jun 25, 2026
5.5 MEDIUM
CVE-2026-52815 — Gogs: Unauthenticated Organization Teams Information Disclosure via API

Gogs is an open source self-hosted Git service. Prior to 0.14.3, Gogs has an unauthenticated information disclosure vulnerability. The GET /api/v1/orgs/:orgname/teams endpoint at internal/route/api/v…

gogs | Remote | Information Disclosure
Published Jun 24, 2026, updated Jun 25, 2026
5.5 MEDIUM
CVE-2026-52814 — Gogs: Unauthenticated Asymmetric Denial of Service (DoS) via SSH Handshake Stall (File De…

Gogs is an open source self-hosted Git service. Prior to 0.14.3, the Gogs built-in Go SSH server is vulnerable to an unauthenticated, asymmetric Denial of Service (DoS) attack. The application accept…

gogs | Remote | Denial of Service
Published Jun 24, 2026, updated Jun 25, 2026
10.0 CRITICAL
CVE-2026-52813 — Gogs: Path Traversal in organization name results in RCE through Git hooks

Gogs is an open source self-hosted Git service. Prior to 0.14.3, organization names containing path traversal sequences (../) are accepted by Gogs, and repositories under them are written to paths fo…

gogs | Remote | Path Traversal
Published Jun 24, 2026, updated Jun 26, 2026
7.1 HIGH
CVE-2026-52812 — Gogs: LFS dedupe path leaks private repo content across tenants

Gogs is an open source self-hosted Git service. Prior to 0.14.3, Git LFS storage is content-addressed by OID alone (<LFS-root>/<oid[0]>/<oid[1]>/<oid>) but per-repo authorization lives in the lfs_obj…

gogs | Remote | Authorization
Published Jun 24, 2026, updated Jun 26, 2026
9.0 CRITICAL
CVE-2026-52811 — Gogs: UploadRepoFiles writes outside repo working tree via committed parent sym

Gogs is an open source self-hosted Git service. Prior to 0.14.3, (*Repository).UploadRepoFiles checks for symlinks only on the leaf of the upload target (osx.IsSymlink(targetPath)). The siblings Upda…

gogs | Remote | Path Traversal
Published Jun 24, 2026, updated Jun 26, 2026
7.1 HIGH
CVE-2026-52810 — Gogs: Write to readonly repositories using receive-pack + service=git-upload-pack confusi…

Gogs is an open source self-hosted Git service. Prior to 0.14.3, Git smart HTTP authorizes POST …/git-receive-pack using the client-supplied service query string (so ?service=git-upload-pack is evalu…

gogs | Remote | Authorization
Published Jun 24, 2026, updated Jun 25, 2026
6.8 MEDIUM
CVE-2026-52809 — Gogs: Password-reset tokens use account-activation lifetime, ignoring RESET_PASSWORD_CODE…

Gogs is an open source self-hosted Git service. Prior to 0.14.3, password-reset tokens are generated using conf.Auth.ActivateCodeLives (the account-activation lifetime), not conf.Auth.ResetPasswordCo…

gogs | Remote | Authentication
Published Jun 24, 2026, updated Jun 26, 2026
7.1 HIGH
CVE-2026-52808 — Gogs: Write-level collaborators can mutate admin-only repository settings via API

Gogs is an open source self-hosted Git service. Prior to 0.14.3, three API endpoints — PATCH /api/v1/repos/:owner/:repo/issue-tracker, PATCH /api/v1/repos/:owner/:repo/wiki, and POST /api/v1/repos/:o…

gogs | Remote | Authorization
Published Jun 24, 2026, updated Jun 25, 2026
4.8 MEDIUM
CVE-2026-52807 — Gogs: DOM-based XSS via Milestone Name on New Issue Page

Gogs is an open source self-hosted Git service. Prior to 0.14.3, in new_form.tmpl, milestone names are rendered with Go's default auto-escaping ({{.Name}}), which converts < to &lt; etc. This prevent…

gogs | Remote | Cross-Site Scripting
Published Jun 24, 2026, updated Jun 25, 2026
9.9 CRITICAL
CVE-2026-52806 — Gogs: RCE via git rebase --exec argument injection in pull request merge

Gogs is an open source self-hosted Git service. Prior to 0.14.3, Gogs allows authenticated users to achieve Remote Code Execution (RCE) on the server by creating a pull request with a specially craft…

gogs | Remote | Injection
Published Jun 24, 2026, updated Jun 26, 2026
Showing 20 of 8012 Results