Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Each entry gives the severity score and rating, the CVE ID and title, the summary, any product / attack-vector / weakness tags, and the dates the record was published and last updated.
5.9 MEDIUM
CVE-2026-12725 — Dnsmasq: dnsmasq: heap buffer overflow in log_query() when logging unsupported ds/dnskey …
A heap-based buffer overflow was found in dnsmasq. When DNSSEC validation and query logging are both enabled, logging of DS or DNSKEY replies containing unsupported algorithm or digest types can caus…
Published: Jun 22, 2026 | Updated: Jun 22, 2026

9.1 CRITICAL
CVE-2026-12628 — Hardcoded credential in the IBM Storage Protect Snapshot For Windows leads to unauthorize…
IBM Storage Protect Client 8.1.0.0 through 8.2.1.0 and IBM Storage Protect Snapshot For Windows 8.1.0.0 through 8.2.1.0 could allow a remote attacker to bypass authentication due to the use of a hard…
Published: Jun 22, 2026 | Updated: Jun 26, 2026

4.8 MEDIUM
CVE-2026-12549 — Libsoup: incomplete fix for cve-2026-2443: range suffix overflow in libsoup soupserver
The fix for CVE-2026-2443 was regressed by a subsequent rework commit that replaced specific overflow checks with a general signed comparison. When a client sends a Range request with a suffix length…
Tags: enterprise_linux | Remote | Denial of Service
Published: Jun 22, 2026 | Updated: Jun 23, 2026

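The entry above describes a class of bug rather than a single line of code: a suffix-range ("bytes=-N") computation guarded by one generic sign comparison on its result instead of specific checks on its input. The example below is an added illustration of that class and is not libsoup's code; it assumes C-style 64-bit signed offsets (simulated here with explicit wraparound, since Python integers never overflow) and a hand-rolled digit parser with no overflow detection. The function names, the body length and the oversized suffix string are constructed for the demonstration.

```python
# Added illustration, not libsoup's code: a server computing the byte window
# for "Range: bytes=-N" in C-style 64-bit signed arithmetic. The first version
# relies on one generic sign comparison after the subtraction; the second
# validates the parsed suffix before any arithmetic happens.
from typing import Optional, Tuple

INT64_MAX = (1 << 63) - 1
UINT64_MASK = (1 << 64) - 1


def to_int64(v: int) -> int:
    """Reduce a Python int to a two's-complement int64 (assumed wraparound of
    a 64-bit signed offset in C; Python ints would otherwise never overflow)."""
    v &= UINT64_MASK
    return v - (1 << 64) if v > INT64_MAX else v


def parse_suffix_wrapping(digits: str) -> int:
    """Digit accumulation with no overflow check: huge inputs wrap negative."""
    if not digits.isdigit():
        raise ValueError("suffix-length must be decimal digits")
    value = 0
    for ch in digits:
        value = to_int64(value * 10 + (ord(ch) - ord("0")))
    return value


def parse_suffix_checked(digits: str) -> Optional[int]:
    """Same accumulation, but refuses any value that would not fit in int64."""
    if not digits.isdigit():
        raise ValueError("suffix-length must be decimal digits")
    value = 0
    for ch in digits:
        value = value * 10 + (ord(ch) - ord("0"))
        if value > INT64_MAX:
            return None
    return value


def suffix_range_general_check(total: int, digits: str) -> Tuple[int, int, int]:
    """Bug shape: subtract first, then apply a single sign test to the result."""
    n = parse_suffix_wrapping(digits)
    start = to_int64(total - n)
    if start < 0:            # the only guard; a wrapped (negative) n sails past it
        start = 0
    end = total - 1
    length = to_int64(end - start + 1)   # negative here; as a size_t it is enormous
    return start, end, length


def suffix_range_specific_checks(total: int, digits: str) -> Optional[Tuple[int, int, int]]:
    """Hardened shape: reject overflow and negative suffixes before subtracting."""
    n = parse_suffix_checked(digits)
    if n is None or n < 0:
        return None          # malformed or unsatisfiable: answer 416 or ignore the Range header
    if n > total:
        n = total            # a suffix longer than the body selects the whole body
    start = total - n
    end = total - 1
    return start, end, end - start + 1


if __name__ == "__main__":
    body_len = 100
    huge = str(UINT64_MASK)  # "18446744073709551615" wraps to -1 as int64
    print(suffix_range_general_check(body_len, huge))     # (101, 99, -1)
    print(suffix_range_specific_checks(body_len, huge))   # None
    print(suffix_range_specific_checks(body_len, "20"))   # (80, 99, 20)
```

The point of the two variants is where the check sits: a sign test on `start` after the subtraction cannot distinguish a legitimate small suffix from a suffix that wrapped negative during parsing, so it lets the window end up past the end of the body with a negative length. Checking the parsed value itself, before it enters any arithmetic, is what the "specific overflow checks" in the summary bought.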
6.1 MEDIUM
CVE-2026-12479 — Path Traversal in keras-team/keras
A path traversal vulnerability exists in keras-team/keras version 3.14.0, specifically in the `DiskIOStore.make` method within the Keras 3 model saving and loading library. This vulnerability arises …
Tags: keras | Path Traversal
Published: Jun 22, 2026 | Updated: Jun 22, 2026

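A model archive is a container of member names chosen by whoever produced the file, so a store that materialises members on disk has to prove each resolved path stays under its root. The example below is added here to show that containment check; it is not Keras code and does not reproduce `DiskIOStore.make`. The `DiskStore` class, the `resolve_inside` helper and the member names are constructed for the demonstration, with `make_unchecked` showing the unguarded join beside the guarded `make`.

```python
# Added illustration of a store-root containment check; not keras' DiskIOStore.
import os
import tempfile
from typing import Dict, Optional


def resolve_inside(root: str, member: str) -> Optional[str]:
    """Absolute path for `member` under `root`, or None if the name would land
    outside the root via '..', an absolute path, or a symlink in the way."""
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, member))
    try:
        inside = os.path.commonpath([root_real, candidate]) == root_real
    except ValueError:            # e.g. different drives on Windows
        inside = False
    return candidate if inside else None


class DiskStore:
    """Hypothetical store that creates on-disk paths for archive members."""

    def __init__(self, root: str) -> None:
        self.root = root
        os.makedirs(root, exist_ok=True)

    def make_unchecked(self, member: str) -> str:
        # Bug shape: the untrusted member name is joined straight onto the root.
        path = os.path.join(self.root, member)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        return path

    def make(self, member: str) -> str:
        # Fix shape: refuse anything whose resolved path leaves the root.
        path = resolve_inside(self.root, member)
        if path is None:
            raise ValueError(f"refusing member outside store root: {member!r}")
        os.makedirs(os.path.dirname(path), exist_ok=True)
        return path


def demo() -> Dict[str, bool]:
    """Run the check over constructed member names inside a throwaway directory."""
    with tempfile.TemporaryDirectory() as tmp:
        store = DiskStore(os.path.join(tmp, "store"))
        root_real = os.path.realpath(store.root)
        results: Dict[str, bool] = {}
        for name in ("weights/layer0.bin", "../outside.txt", "/tmp/abs.txt", "a/../../escape"):
            results[name] = resolve_inside(store.root, name) is not None
        # The unguarded join happily produces a path outside the root.
        leaked = os.path.realpath(store.make_unchecked("../outside.txt"))
        results["unchecked_escapes"] = os.path.commonpath([root_real, leaked]) != root_real
        # The guarded path creates the member's directory under the root.
        made = store.make("weights/layer0.bin")
        results["made_inside"] = os.path.commonpath([root_real, made]) == root_real and os.path.isdir(os.path.dirname(made))
        return results
```

`os.path.realpath` before `commonpath` is what makes the check robust against `..` segments and against symlinks already present under the root; a plain string prefix test on the unresolved join would pass `store/../outside.txt` and also confuse `store` with `store2`.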
4.8 MEDIUM
CVE-2026-11943 — Akaunting 3.1.21 - Authenticated stored XSS in document timeline
Akaunting 3.1.21 contains an authenticated stored cross-site scripting vulnerability in the document timeline shown on invoice and bill detail pages. An authenticated user can store HTML/JavaScript i…
Tags: akaunting | Remote | Cross-Site Scripting
Published: Jun 22, 2026 | Updated: Jun 22, 2026

4.8 MEDIUM
CVE-2026-11942 — Akaunting 3.1.21 - Stored XSS in delete confirmation modal
Akaunting 3.1.21 contains an authenticated stored cross-site scripting vulnerability in the reusable delete confirmation flow. A user with permission to create or modify records, such as Items, can s…
Tags: akaunting | Remote | Cross-Site Scripting
Published: Jun 22, 2026 | Updated: Jun 22, 2026

5.4 MEDIUM
CVE-2026-11372 — IBM TRIRIGA Cross-Site Scripting Vulnerability
IBM TRIRIGA Application Platform 5.0.2 through 5.0.3 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus alter…
Tags: tririga_application_platform | Remote | Cross-Site Scripting
Published: Jun 22, 2026 | Updated: Jun 30, 2026

7.3 HIGH
CVE-2026-10845 — IBM WebSphere Application Server is affected by an authentication bypass vulnerability
IBM WebSphere Application Server 8.5 and 9.0 could allow a remote attacker to bypass authentication and gain unauthorized access to JAX-WS applications.
Published: Jun 22, 2026 | Updated: Jun 23, 2026

6.5 MEDIUM
CVE-2024-51454 — IBM Engineering Lifecycle Management - Engineering Workflow Management is impacted by vul…
IBM Engineering Workflow Management 7.0.2 through 7.0.2 Interim Fix 035, 7.0.3 through 7.0.3 Interim Fix 017, and 7.1 through 7.1 Interim Fix 004 is vulnerable to HTTP header injection, caused by imp…
Tags: engineering_workflow_management | Remote | Injection
Published: Jun 22, 2026 | Updated: Jun 26, 2026

5.3 MEDIUM
CVE-2023-33854 — Multiple vulnerabilities affect IBM Db2® on Cloud Pak for Data, and Db2 Warehouse on Clou…
IBM Db2 on Cloud Pak for Data and Db2 Warehouse on Cloud Pak for Data versions 4.8, 5.0, 5.1, 5.2, and 5.3 could allow an authenticated user to bypass client-side validation and manipulate input data…
Published: Jun 22, 2026 | Updated: Jun 30, 2026

4.3 MEDIUM
CVE-2026-9162 — Global session revocation does not invalidate active WebSocket connections
Mattermost versions 11.7.x <= 11.7.0, 11.6.x <= 11.6.2, 11.5.x <= 11.5.5, 10.11.x <= 10.11.17 fail to invalidate cached authentication state for active WebSocket connections during global session rev…
Tags: mattermost_server legal_hold | Remote | Authentication
Published: Jun 22, 2026 | Updated: Jun 23, 2026

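The failure mode in the entry above is structural: a WebSocket is authenticated once at upgrade time, the result is cached on the connection, and a later "revoke all sessions" event only touches the session table. The example below is an added illustration of that gap and of two ways to close it (re-checking the session per frame, and pushing the revocation to live connections); it is not Mattermost code, and the `SessionStore`, `WebSocketConn` and `Hub` classes, their method names and the user IDs are constructed for the demonstration.

```python
# Added illustration of cached WebSocket auth state versus global session
# revocation; not Mattermost's implementation.
import secrets
from typing import Dict, List, Optional, Set


class SessionStore:
    """In-memory session table: token -> user id (stand-in for the real store)."""

    def __init__(self) -> None:
        self._sessions: Dict[str, str] = {}

    def create(self, user_id: str) -> str:
        token = secrets.token_hex(16)
        self._sessions[token] = user_id
        return token

    def user_for(self, token: str) -> Optional[str]:
        return self._sessions.get(token)

    def revoke_all(self, user_id: str) -> Set[str]:
        """Global revocation: drop every session of the user, return the revoked tokens."""
        revoked = {t for t, u in self._sessions.items() if u == user_id}
        for t in revoked:
            del self._sessions[t]
        return revoked


class WebSocketConn:
    """A long-lived connection that was authenticated once, at upgrade time."""

    def __init__(self, store: SessionStore, token: str) -> None:
        self.store = store
        self.token = token
        self.user_id = store.user_for(token)   # cached authentication state
        self.closed = False

    def handle_frame_cached(self, frame: str) -> str:
        """Bug shape: acts on the cached state; a later revocation never reaches it."""
        if self.closed or self.user_id is None:
            return "unauthorized"
        return f"ok:{self.user_id}:{frame}"

    def handle_frame_revalidated(self, frame: str) -> str:
        """Fix shape (a): confirm the session is still live before acting on each frame."""
        if self.closed or self.user_id is None or self.store.user_for(self.token) != self.user_id:
            self.closed = True
            return "unauthorized"
        return f"ok:{self.user_id}:{frame}"


class Hub:
    """Fix shape (b): revocation is pushed to every live connection of that user."""

    def __init__(self, store: SessionStore) -> None:
        self.store = store
        self.conns: List[WebSocketConn] = []

    def connect(self, token: str) -> WebSocketConn:
        conn = WebSocketConn(self.store, token)
        self.conns.append(conn)
        return conn

    def revoke_user(self, user_id: str) -> int:
        """Revoke sessions and close the connections that were riding on them."""
        revoked = self.store.revoke_all(user_id)
        closed = 0
        for conn in self.conns:
            if conn.token in revoked and not conn.closed:
                conn.closed = True
                closed += 1
        self.conns = [c for c in self.conns if not c.closed]
        return closed


def demo() -> Dict[str, str]:
    """Constructed scenario: alice's sessions are revoked while a socket is open."""
    store = SessionStore()
    token = store.create("alice")
    conn = WebSocketConn(store, token)
    store.revoke_all("alice")              # e.g. "log out everywhere" or a password reset
    return {
        "cached": conn.handle_frame_cached("post"),            # still accepted: the bug
        "revalidated": conn.handle_frame_revalidated("post"),  # refused: the fix
    }
```

Per-frame revalidation is the simpler guarantee and is cheap against an in-memory table; pushing the revocation through a hub is what you want when session lookups hit a database, and the two compose. Either way the test to keep in the suite is the one in `demo()`: open a socket, revoke globally, then send a frame and expect it to be refused.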
7.3 HIGH
CVE-2026-9029 — Stored XSS via Geomap Panel Template Variable Attribution Injection
The geomap panel's XYZ tile layer has a sanitize-then-interpolate ordering bug. sanitizeTextPanelContent() runs on the raw template string before getTemplateSrv().replace() substitutes the variable v…
Tags: grafana | Remote | Cross-Site Scripting
Published: Jun 22, 2026 | Updated: Jun 30, 2026

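The ordering bug named in the entry above is easy to reproduce in miniature: if the sanitizer runs over the template and the variable values are substituted afterwards, the sanitizer never sees the values, which arrive from a different trust boundary than the template. The example below is an added illustration of that ordering and is not Grafana code; it uses HTML escaping as a stand-in for `sanitizeTextPanelContent()` and a small `$var` / `${var}` substitution as a stand-in for `getTemplateSrv().replace()`. The template string and the variable value are constructed for the demonstration.

```python
# Added illustration of sanitize-then-interpolate versus interpolate-then-sanitize;
# not Grafana's code. html.escape stands in for the real sanitizer.
import html
import re
from typing import Dict

VAR_PATTERN = re.compile(r"\$\{(\w+)\}|\$(\w+)")


def interpolate(template: str, variables: Dict[str, str]) -> str:
    """Replace $name / ${name} with the variable's current value; unknown names stay as-is."""
    def substitute(m: "re.Match[str]") -> str:
        name = m.group(1) or m.group(2)
        return variables.get(name, m.group(0))
    return VAR_PATTERN.sub(substitute, template)


def sanitize(text: str) -> str:
    """Stand-in sanitizer: neutralise markup by escaping it."""
    return html.escape(text, quote=True)


def render_sanitize_then_interpolate(template: str, variables: Dict[str, str]) -> str:
    # Bug shape: the sanitizer only ever sees the template, never the substituted values.
    return interpolate(sanitize(template), variables)


def render_interpolate_then_sanitize(template: str, variables: Dict[str, str]) -> str:
    # Fix shape: substitute first, then sanitize the string that will actually reach the DOM.
    return sanitize(interpolate(template, variables))


def contains_markup(rendered: str) -> bool:
    return "<" in rendered or ">" in rendered


if __name__ == "__main__":
    attribution_template = "Tiles &copy; ${attribution}"          # constructed
    variables = {"attribution": '<img src=x onerror="alert(1)">'}  # attacker-chosen value
    print(render_sanitize_then_interpolate(attribution_template, variables))
    print(render_interpolate_then_sanitize(attribution_template, variables))
```

Two caveats a reviewer would add. First, sanitize-after-interpolate is the right order only when the result is rendered as text or markup; a value that ends up in a URL or attribute context (a tile URL template, for instance) needs a context-specific validator, not an HTML sanitizer. Second, the fix must be applied to every place the template service output is rendered, since any one sanitize-first call site reopens the hole.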
3.8 LOW
CVE-2026-8074 — Improper Permission Check Allows User Manager to Deactivate Bot Accounts
Mattermost versions 11.7.x <= 11.7.0, 10.11.x <= 10.11.17 fail to enforce bot-specific permission checks on the user active status endpoint, which allows a User Manager with user management write acc…
Tags: mattermost_server legal_hold | Remote | Authorization
Published: Jun 22, 2026 | Updated: Jun 23, 2026

6.9 MEDIUM
CVE-2026-7167 — Multiple vulnerabilities in the Assassin game by Gaudire
The vulnerability arises when the system fails to properly validate the 'email' field during the authentication process, allowing unverified or fake email addresses to be accepted. This lack of valid…
Tags: Remote | Authentication
Published: Jun 22, 2026 | Updated: Jun 22, 2026

9.2 CRITICAL
CVE-2026-7166 — Multiple vulnerabilities in the Assassin game by Gaudire
Vulnerability involving the exposure of sensitive data provided without adequate protection. The API exposes email and phone number data from the 'email' and 'telefon' fields. This vulnerability is a…
Tags: Remote | Information Disclosure
Published: Jun 22, 2026 | Updated: Jun 22, 2026

9.4 CRITICAL
CVE-2026-7165 — Multiple vulnerabilities in the Assassin game by Gaudire
The vulnerability is present in the '/addJugador' endpoint:
* The 'keyJugador' and 'keyJugadorObjectiu' parameters allow the modification of other users' information without requiring prior autho…
Tags: Remote | Authorization
Published: Jun 22, 2026 | Updated: Jun 22, 2026

6.4 MEDIUM
CVE-2026-6673 — Mattermost Jira plugin had unauthenticated '/ac/installed' lifecycle callback during pe…
Mattermost versions 11.7.x <= 11.7.0, 11.6.x <= 11.6.2, 11.5.x <= 11.5.5, 10.11.x <= 10.11.17 fail to authenticate Atlassian Connect installed callbacks, allowing a remote unauthenticated attacker to…
Tags: mattermost_server legal_hold | Remote | Authentication
Published: Jun 22, 2026 | Updated: Jun 23, 2026

7.0 HIGH
CVE-2026-6653 — libxml2: Use after free in xmlParseInternalSubset via improper entity resolution handling
Use After Free in libxml2's xmlParseInternalSubset from GNOME libxml2 version 2.9.11 to 2.11.0 allows a remote attacker to cause a denial-of-service via maliciously crafted XML input with improper en…
Tags: Remote | Memory Corruption
Published: Jun 22, 2026 | Updated: Jun 22, 2026

6.4 MEDIUM
CVE-2026-6062 — IDOR in Jira plugin subscription edit endpoint
Mattermost versions 11.7.x <= 11.7.0, 11.6.x <= 11.6.2, 11.5.x <= 11.5.5, 10.11.x <= 10.11.17 fail to validate channel ownership of an existing subscription before applying edits, which allows an auth…
Tags: mattermost_server legal_hold | Remote | Authorization
Published: Jun 22, 2026 | Updated: Jun 23, 2026

5.4 MEDIUM
CVE-2026-5139 — GitLab Plugin Allows Non-Admin Users to Modify Default Instance Configuration
Mattermost versions 11.7.x <= 11.7.0, 11.6.x <= 11.6.2, 11.5.x <= 11.5.5, 10.11.x <= 10.11.17 fail to enforce administrator authorization on the 'setDefaultInstance' call within the '/gitlab conne…
Tags: mattermost_server legal_hold | Remote | Authorization
Published: Jun 22, 2026 | Updated: Jun 23, 2026

Showing 20 of 7,972 results.