Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
CVE Intelligence

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

All Critical Actively Exploited Remotely Exploitable
Last Updated Published CVSS Score
Score
Vulnerability
Published
7.6 HIGH
CVE-2026-54317 — Home Assistant: Konnected alarm-panel switch state and zone topology disclosed to unauthe…

Home Assistant is open source home automation software that puts local control and privacy first. Prior to 2026.6.0, the Konnected integration registers an HTTP endpoint, KonnectedView (homeassistant…

home-assistant | Authorization
Jun 23, 2026 Jun 23, 2026
Jun 23, 2026
Jun 23, 2026
9.6 CRITICAL
CVE-2026-53662 — immich: One-click account takeover via XSS in login page continue redirect

immich is a high performance self-hosted photo and video management solution. From commit 4ffa26c9 until 4eb1003, a reflected cross-site scripting (XSS) vulnerability on the /auth/login page allows a…

Remote | Cross-Site Scripting
Jun 23, 2026 Jun 23, 2026
Jun 23, 2026
Jun 23, 2026
2.9 LOW
CVE-2026-57062 — GnuPG gpgsm AES-GCM ICV Length Validation Bypass

CMS (Cryptographic Message Syntax) parsing in gpgsm in GnuPG through 2.5.20 mishandles the CMS format for AES-GCM because aes-ICVlen is supposed to be 12 bytes but 4 bytes is accepted. NOTE: this is …

| Cryptography
Jun 23, 2026 Jun 23, 2026
Jun 23, 2026
Jun 23, 2026
4.3 MEDIUM
CVE-2026-55517 — Deno: Denial of service via non-ASCII bytes in WebSocket response headers

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.7.5, a Deno program that opens a client WebSocket connection could be crashed by the remote server. While handling the WebSocket …

deno | Remote | Denial of Service
Jun 23, 2026 Jun 23, 2026
Jun 23, 2026
Jun 23, 2026
7.4 HIGH
CVE-2026-44726 — Deno: TLS retry copies stale upgrade hook, risking plaintext traffic

Deno is a JavaScript, TypeScript, and WebAssembly runtime. From 2.0.0 until 2.7.8, a flaw in Deno's Node.js tls compatibility layer could cause a TLS client to transmit application data in plaintext …

deno | Remote | Cryptography
Jun 23, 2026 Jun 23, 2026
Jun 23, 2026
Jun 23, 2026
7.3 HIGH
CVE-2026-49401 — Deno Permission Bypass via Unicode Normalization Mismatch on macOS (APFS)

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.7.14, Deno's permission system enforces filesystem and execution restrictions by comparing the requested path against the path su…

deno | Misconfiguration
Jun 23, 2026 Jun 23, 2026
Jun 23, 2026
Jun 23, 2026
7.1 HIGH
CVE-2025-71382 — MuPDF < 1.27.0-rc1 Stack Exhaustion DoS via EPUB CSS Rendering

MuPDF before 1.27.0-rc1 contains an uncontrolled recursion vulnerability in the EPUB CSS rendering engine that allows remote attackers to cause a denial of service by supplying a maliciously crafted …

Remote | Denial of Service
Jun 23, 2026 Jun 23, 2026
Jun 23, 2026
Jun 23, 2026
8.1 HIGH
CVE-2026-49402 — Deno: Command Injection via spawnSync & spawn on Windows

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.7.10, Deno's node:child_process implementation provided an escapeShellArg() helper used when callers passed shell: true to spawn …

deno | Remote | Injection
Jun 23, 2026 Jun 23, 2026
Jun 23, 2026
Jun 23, 2026
5.5 MEDIUM
CVE-2026-49406 — Deno: BYONM module resolution allows `package.json` main path traversal to bypass `--allo…

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.7.12, when Deno was run in BYONM mode (nodeModulesDir: "manual"), the module resolver did not validate that a package's resolved …

deno | Path Traversal
Jun 23, 2026 Jun 23, 2026
Jun 23, 2026
Jun 23, 2026
6.5 MEDIUM
CVE-2026-49411 — Deno Node TCPWrap numeric hostname aliases bypass --deny-net resolved-IP deny checks

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.8.0, the Node.js compatibility TCP path checked the permission against the original hostname string before resolution and then di…

deno | Authorization
Jun 23, 2026 Jun 23, 2026
Jun 23, 2026
Jun 23, 2026
5.2 MEDIUM
CVE-2026-49983 — Deno: process.loadEnvFile() bypasses env permission checks and mutates process.env with o…

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.8.1, environment access is gated by the env permission. You can deny it with --deny-env, or restrict it to a specific allowlist w…

deno | Misconfiguration
Jun 23, 2026 Jun 23, 2026
Jun 23, 2026
Jun 23, 2026
5.2 MEDIUM
CVE-2026-49860 — Deno: WebSocket API sandbox bypass via missing post-DNS check

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.8.1, when a WebSocket connection was opened, Deno checked the destination hostname against --deny-net rules but did not re-check …

deno | Misconfiguration
Jun 23, 2026 Jun 23, 2026
Jun 23, 2026
Jun 23, 2026
5.2 MEDIUM
CVE-2026-49859 — Deno: `fetch()` API sandbox bypass via missing DNS resolution check

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.8.1, when fetch() was called, Deno checked the destination hostname against --deny-net rules but did not re-check the IP addresse…

deno | Misconfiguration
Jun 23, 2026 Jun 23, 2026
Jun 23, 2026
Jun 23, 2026
7.4 HIGH
CVE-2026-49440 — Deno: Miller-Rabin Primality Test Allows Zero Rounds

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.8.1, node:crypto.checkPrime(candidate[, options][, callback]) and crypto.checkPrimeSync(candidate[, options]) ran no Miller-Rabin…

deno | Remote | Cryptography
Jun 23, 2026 Jun 23, 2026
Jun 23, 2026
Jun 23, 2026
9.3 CRITICAL
CVE-2026-54257 — Electron: Buffer performs incorrect byte length calculations resulting in heap buffer und…

Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. From 42.3.1 until 42.3.3, Buffer performs incorrect byte length calculations resulting in heap …

electron | Remote | Memory Corruption
Jun 23, 2026 Jun 23, 2026
Jun 23, 2026
Jun 23, 2026
6.0 MEDIUM
CVE-2026-54316 — Claude Code: Out-of-Band Data Exfiltration via Pre-Approved HuggingFace Domain in WebFetch

Claude Code is an agentic coding tool. From 0.2.54 until 2.1.163, because the hostname huggingface.co was pre-approved as a bare hostname for the WebFetch tool, any path on that domain—including att…

claude_desktop | Remote | Server-Side Request Forgery
Jun 23, 2026 Jun 23, 2026
Jun 23, 2026
Jun 23, 2026
5.3 MEDIUM
CVE-2026-50221 — OpenStack Swift: Server-Side Request Forgery via Internal Header Injection

In OpenStack Swift before 2.37.2, proxy-server does not strip internal update headers (X-Container-Host, X-Container-Device, X-Delete-At-Host, X-Delete-At-Device) from client requests before forwardi…

swift | Remote | Server-Side Request Forgery
Jun 23, 2026 Jun 23, 2026
Jun 23, 2026
Jun 23, 2026
7.1 HIGH
CVE-2026-54007 — Open WebUI: Cross-origin postMessage confirmation bypass via action:submit

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6, the chat message listener allows non-same-origin input:prompt and action:submit mess…

open_webui | Remote | Cross-Site Request Forgery
Jun 23, 2026 Jun 23, 2026
Jun 23, 2026
Jun 23, 2026
4.3 MEDIUM
CVE-2026-54006 — Open WebUI: Calendar event re-parenting allows writing events into another user's calendar

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6, POST /api/v1/calendars/events/{event_id}/update validates that the caller has write …

open_webui | Remote | Authorization
Jun 23, 2026 Jun 23, 2026
Jun 23, 2026
Jun 23, 2026
8.5 HIGH
CVE-2026-54008 — Open WebUI: Redirect-Bypass SSRF in OAuth `_process_picture_url`

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6, backend/open_webui/utils/oauth.py::_process_picture_url calls validate_url(picture_u…

open_webui | Remote | Server-Side Request Forgery
Jun 23, 2026 Jun 23, 2026
Jun 23, 2026
Jun 23, 2026
Showing 20 of 7731 Results