Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
6.9 MEDIUM
CVE-2026-49461 — pypdf: Possible large memory usage for form XObjects during text extraction

pypdf is a free and open-source pure-python PDF library. Prior to 6.12.2, an attacker who uses this vulnerability can craft a PDF which leads to large memory usage. This requires extracting the text …

pypdf | Denial of Service
Jun 22, 2026 Jun 25, 2026
Jun 22, 2026
Jun 25, 2026
5.1 MEDIUM
CVE-2026-49460 — pypdf: Inefficient decoding of FlateDecode PNG predictor streams

pypdf is a free and open-source pure-python PDF library. Prior to 6.12.2, an attacker who uses this vulnerability can craft a PDF which leads to long runtimes. This requires accessing a stream which …

pypdf | Denial of Service
Jun 22, 2026 Jun 25, 2026
Jun 22, 2026
Jun 25, 2026
5.8 MEDIUM
CVE-2026-47242 — Net::IMAP: Command Injection via ID command argument

Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to 0.6.5 and 0.5.15, when Net::IMAP#id is called with a hash argument, although the ID field value str…

| Injection
Jun 22, 2026 Jun 23, 2026
Jun 22, 2026
Jun 23, 2026
2.1 LOW
CVE-2026-47241 — Net::IMAP: Denial of Service via incomplete raw argument validation

Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to 0.6.5 and 0.5.15, several Net::IMAP commands accept a raw string argument which is only validated t…

Remote | Injection
Jun 22, 2026 Jun 23, 2026
Jun 22, 2026
Jun 23, 2026
5.8 MEDIUM
CVE-2026-47240 — Net::IMAP: Command Injection via non-synchronizing literal in "raw" argument

Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to 0.6.5 and 0.5.15, several Net::IMAP commands accept a "raw data" argument that is sent verbatim aft…

| Injection
Jun 22, 2026 Jun 23, 2026
Jun 22, 2026
Jun 23, 2026
9.2 CRITICAL
CVE-2026-45034 — PhpSpreadsheet: File::prohibitWrappers bypass

PhpSpreadsheet is a pure PHP library for reading and writing spreadsheet files. Prior to 1.30.5, CVE-2026-34084 was patched by the helper File::prohibitWrappers. The helper calls parse_url($filename,…

phpspreadsheet | Remote | Path Traversal
Jun 22, 2026 Jun 23, 2026
Jun 22, 2026
Jun 23, 2026
9.3 CRITICAL
CVE-2026-44727 — Jupyter Server: Stored XSS in `NbconvertFileHandler` / `NbconvertPostHandler` via missing…

Jupyter Server is the backend for Jupyter web applications. Prior to 2.20, the nbconvert HTTP handlers in jupyter_server render user-authored notebook HTML under the Jupyter origin without a sandbox …

jupyter_server | Remote | Cross-Site Scripting
Jun 22, 2026 Jun 30, 2026
Jun 22, 2026
Jun 30, 2026
5.4 MEDIUM
CVE-2026-41479 — Authlib OAuth 2.0 authorization endpoint open redirects to attacker-controlled redirect_u…

Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to 1.6.10 and 1.7.1, Authlib's OAuth 2.0 authorization endpoint can be turned into an unauthenticated open redirect wh…

authlib | Remote | Misconfiguration
Jun 22, 2026 Jun 26, 2026
Jun 22, 2026
Jun 26, 2026
7.1 HIGH
CVE-2026-39904 — Gophish 0.12.1 Denial of Service via Office Document Upload

Gophish through 0.12.1 contains a denial of service vulnerability that allows authenticated users with the User role to exhaust server memory by uploading a crafted Office document as an email templa…

Remote | Denial of Service
Jun 22, 2026 Jun 23, 2026
Jun 22, 2026
Jun 23, 2026
3.7 LOW
CVE-2026-48931 — Node.js HTTP Agent Request Smuggling

A flaw in Node.js HTTP Agent can cause a client to accept as valid a response that is send before the client has sent the request. This vulnerability affects all supported release lines: **Node.js…

node.js | Remote | Race Condition
Jun 22, 2026 Jun 30, 2026
Jun 22, 2026
Jun 30, 2026
7.8 HIGH
CVE-2026-44274 — Dell Wyse Management Suite Improper Link Resolution Before File Access

Dell Wyse Management Suite (WMS), versions prior to WMS 2605, contain an Improper Link Resolution Before File Access vulnerability. A low privileged attacker with local access could potentially explo…

wyse_management_suite | Path Traversal
Jun 22, 2026 Jun 26, 2026
Jun 22, 2026
Jun 26, 2026
6.0 MEDIUM
CVE-2026-44273 — Dell Wyse Management Suite Default Credentials Information Disclosure

Dell Wyse Management Suite (WMS), versions prior to WMS 2605, contain a Use of Default Credentials vulnerability. A high privileged attacker with local access could potentially exploit this vulnerabi…

wyse_management_suite | Authentication
Jun 22, 2026 Jun 26, 2026
Jun 22, 2026
Jun 26, 2026
8.8 HIGH
CVE-2026-44272 — Dell Wyse Management Suite SQL Injection

Dell Wyse Management Suite (WMS), versions prior to WMS 2605, contain an Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability. A low privileged attacker …

wyse_management_suite | Remote | Injection
Jun 22, 2026 Jun 26, 2026
Jun 22, 2026
Jun 26, 2026
8.8 HIGH
CVE-2026-44271 — Dell Wyse Management Suite SQL Injection

Dell Wyse Management Suite (WMS), versions prior to WMS 2605, contain an Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability. A low privileged attacker …

wyse_management_suite | Remote | Injection
Jun 22, 2026 Jun 26, 2026
Jun 22, 2026
Jun 26, 2026
7.5 HIGH
CVE-2026-10852 — Websphere Application Server is Affected By a Denial of Service in IBM WebSphere Applicat…

IBM WebSphere Application Server and IBM WebSphere Application Server Liberty are vulnerable to denial of service in the WebSphere WebServer Plug-in component when an attacker can pass crafted reques…

i i | Remote | Denial of Service
Jun 22, 2026 Jun 30, 2026
Jun 22, 2026
Jun 30, 2026
5.5 MEDIUM
CVE-2026-55443 — LangChain: Path traversal and sandbox escape in LangChain file-search middleware and load…

LangChain is a framework for building agents and LLM-powered applications. Prior to 1.3.9, several LangChain components that resolve filesystem paths or expand search patterns do not consistently con…

langchain langchain_core | Path Traversal
Jun 22, 2026 Jun 26, 2026
Jun 22, 2026
Jun 26, 2026
5.3 MEDIUM
CVE-2026-54300 — @astrojs/netlify broadens Astro image.remotePatterns in Netlify Image CDN config

@astrojs/netlify is an adapter that allows Astro to deploy your hybrid or server rendered site to Netlify. Prior to 7.0.13, @astrojs/netlify converts Astro image.remotePatterns into Netlify Image CDN…

astro | Remote | Misconfiguration
Jun 22, 2026 Jun 23, 2026
Jun 22, 2026
Jun 23, 2026
7.5 HIGH
CVE-2026-54299 — Astro: Host-header full-read SSRF in core prerendered error-page fetch (prerenderedErrorP…

Astro is a web framework. Prior to 6.4.6, Astro SSR apps with prerendered error pages (/404 or /500 using export const prerender = true) fetch those pages over HTTP at runtime when an error occurs. T…

astro | Remote | Server-Side Request Forgery
Jun 22, 2026 Jun 23, 2026
Jun 22, 2026
Jun 23, 2026
6.1 MEDIUM
CVE-2026-54298 — Astro: XSS via Unescaped Attribute Names in Spread Props

Astro is a web framework. Prior to 6.4.6, the spreadAttributes function in Astro's server-side rendering pipeline iterates over object keys and passes them directly to addAttribute, which interpolate…

astro | Remote | Cross-Site Scripting
Jun 22, 2026 Jun 23, 2026
Jun 22, 2026
Jun 23, 2026
7.5 HIGH
CVE-2026-54293 — NLTK: URL-Encoded Path Traversal in nltk.data.load() Allows Arbitrary Local File Read

NLTK (Natural Language Toolkit) is a suite of open source Python modules, data sets, and tutorials supporting research and development in Natural Language Processing. Prior to 3.10.0-rc1, nltk.data.l…

nltk | Remote | Path Traversal
Jun 22, 2026 Jun 30, 2026
Jun 22, 2026
Jun 30, 2026
Showing 20 of 7989 Results