Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score | Vulnerability | Published
8.6 HIGH
CVE-2026-56414 — H.VIEW HV-500S6 IP Camera Unrestricted Upload of File with Dangerous Type

A vulnerability exists in H.View IP cameras in which certificate-related upload interfaces allow authenticated users to store arbitrary file content to fixed, persistent filesystem locations without validatin…

Remote | Misconfiguration
Jun 26, 2026 Jun 29, 2026
8.6 HIGH
CVE-2026-55975 — H.VIEW HV-500S6 IP Camera OS Command Injection

A vulnerability exists in H.View IP cameras that could allow an authenticated user to supply unsanitized XML fields to the device's certificate generation interface, which are incorporated into a bac…

Remote | XML External Entity
Jun 26, 2026 Jun 29, 2026
8.4 HIGH
CVE-2026-33560 — Daktronics Controller Firmware Unrestricted Upload of File with Dangerous Type

The DMP-5000 file service exposes authenticated arbitrary file upload functionality. There are exposed endpoints which allow authenticated users to upload files of any type without validation. No fi…

Remote | Authentication
Jun 26, 2026 Jun 29, 2026
9.3 CRITICAL
CVE-2026-31928 — Daktronics Controller Firmware Use of Hard-coded Credentials

The DMP-5000 devices are shipped with a default administrative web account with weak authentication controls, which are not required to be changed during initial configuration or operation. Using the…

Remote | Authentication
Jun 26, 2026 Jun 29, 2026
9.8 CRITICAL
CVE-2026-28701 — Daktronics Controller Firmware Path Traversal

Various versions of Daktronics Controller Firmware could allow authenticated and unauthenticated remote users to escape the intended directory and enumerate arbitrary file system paths.

Remote | Path Traversal
Jun 26, 2026 Jun 29, 2026
8.7 HIGH
CVE-2026-55069 — Kestra BasicAuth Password Stored as SHA-512 Enables Offline Brute-Force Attack

Kestra is an open-source, event-driven orchestration platform. Prior to 1.3.24, this vulnerability exists in the BasicAuth authentication component of the Kestra OSS workflow orchestration platform. …

kestra | Remote | Authentication
Jun 26, 2026 Jul 01, 2026
6.5 MEDIUM
CVE-2026-53577 — Kestra: Cross-Execution File Read via Preview Endpoint (IDOR)

Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.45 and 1.3.21, the previewFileFromExecution endpoint (GET /api/v1/{tenant}/executions/{executionId}/file/preview) contains …

kestra | Remote | Authorization
Jun 26, 2026 Jul 01, 2026
10.0 CRITICAL
CVE-2026-53576 — Kestra: Unauthenticated RCE via /configs path-suffix auth-filter bypass

Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.45 and 1.3.21, the authentication filter for the REST API (@Filter("/api/v1/**")) treats any request whose path ends in /co…

kestra | Remote | Authentication
Jun 26, 2026 Jul 01, 2026
5.4 MEDIUM
CVE-2026-50767 — Koha Cross-Site Scripting

A stored cross-site scripting (XSS) vulnerability in the item type administration page of Koha Library Management System versions 0 through 25.11 allows an authenticated remote attacker with administr…

koha | Remote | Cross-Site Scripting
Jun 26, 2026 Jul 01, 2026
5.4 MEDIUM
CVE-2026-50766 — Koha Stored Cross-Site Scripting

A stored cross-site scripting (XSS) vulnerability in the OPAC item detail page of Koha Library Management System versions 0 through 25.11 allows an authenticated remote attacker with edit_items permis…

koha | Remote | Cross-Site Scripting
Jun 26, 2026 Jul 01, 2026
6.1 MEDIUM
CVE-2026-50765 — Koha Cross-Site Scripting

A stored cross-site scripting (XSS) vulnerability in the patron restriction type administration page of Koha Library Management System versions 0 through 25.11 allows an authenticated remote attacker …

koha | Remote | Cross-Site Scripting
Jun 26, 2026 Jul 01, 2026
7.7 HIGH
CVE-2026-49984 — Kestra: Path traversal in `LocalStorage` allows any authenticated user to read arbitrary …

Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.45 and 1.3.23, the local internal-storage backend validates user-supplied paths for .. traversal before it converts Windows…

kestra | Remote | Path Traversal
Jun 26, 2026 Jul 01, 2026
10.0 CRITICAL
CVE-2026-49869 — Kestra: Unauthenticated Remote Code Execution via Authentication Bypass in `Authenticatio…

Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.45 and 1.3.21, AuthenticationFilter in Kestra OSS uses request.getPath().endsWith("/configs") to whitelist the public confi…

kestra | Remote | Authentication
Jun 26, 2026 Jul 01, 2026
7.7 HIGH
CVE-2026-45807 — Kestra: Path traversal via URL-encoded "%2E%2E" in execution and namespace file endpoints…

Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.43 and 1.3.19, several Kestra API endpoints accept a kestra:// URI from the client and pass it through StorageInterface.par…

kestra | Remote | Path Traversal
Jun 26, 2026 Jul 01, 2026
4.6 MEDIUM
CVE-2026-38571 — Tenda N300 F3 UART Cleartext Credential Storage and Memory Corruption

Cleartext storage and exposure of WPA2 credentials, and missing authentication on the rr/wr memory read/write commands, in the unauthenticated UART debug console of the Tenda N300 F3 (V603) allow a p…

Authentication
Jun 26, 2026 Jun 29, 2026
5.5 MEDIUM
CVE-2026-36908 — Axiomatic Systems Bento4 Stack Overflow Denial of Service

A stack overflow in the AP4_Array<AP4_TrunAtom::Entry>::EnsureCapacity component of axiomatic-systems Bento4 before v1.8.9 allows attackers to cause a Denial of Service (DoS) via a crafted MP4 file.

Memory Corruption
Jun 26, 2026 Jun 29, 2026
5.5 MEDIUM
CVE-2026-36907 — Bento4 Stack Overflow Denial of Service

A stack overflow in the AP4_StsdAtom::AP4_StsdAtom component of axiomatic-systems Bento4 before v1.8.9 allows attackers to cause a Denial of Service (DoS) via a crafted MP4 file.

Memory Corruption
Jun 26, 2026 Jun 29, 2026
7.5 HIGH
CVE-2026-36478 — Technitium DNS Server Denial of Service

An issue in Technitium DNS Server v.14.3 and before allows a remote attacker to cause a denial of service via the DnsServerApp.exe, DnsServerApp.dll, and TechnitiumLibrary.Net/Dns/DnsClient.cs components.

Remote | Denial of Service
Jun 26, 2026 Jun 29, 2026
8.5 HIGH
CVE-2026-54353 — Budibase: Potential SSRF DNS rebinding bypass in outbound fetch validation

Budibase is an open-source low-code platform. Prior to 3.39.9, authenticated users with automation permissions can bypass Budibase's SSRF blacklist through DNS rebinding. The outbound fetch flow vali…

budibase | Remote | Server-Side Request Forgery
Jun 26, 2026 Jun 30, 2026
9.6 CRITICAL
CVE-2026-54352 — Budibase: Arbitrary file read by workspace-builder via PWA-zip symlink upload

Budibase is an open-source low-code platform. Prior to 3.39.9, `POST /api/pwa/process-zip` at packages/server/src/api/routes/static.ts:24 accepts a builder-uploaded .zip, extracts it with extract-zip…

budibase | Remote | Path Traversal
Jun 26, 2026 Jun 30, 2026
Showing 20 of 7989 Results