Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score | Vulnerability | Published
7.5 HIGH
CVE-2026-48514 — MessagePack-CSharp: Unity unsafe blit formatter allocates from unbounded byte length

MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, UnsafeBlitFormatterBase<T>.Deserialize reads an attacker-controlled byteLength from an extension payload and allocat…

messagepack | Remote | Memory Corruption
Jun 22, 2026 Jun 25, 2026
7.5 HIGH
CVE-2026-48513 — MessagePack-CSharp: DynamicUnionResolver generated deserializers miss depth enforcement

MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, runtime-generated union deserializers emitted by DynamicUnionResolver do not call MessagePackSecurity.DepthStep(ref …

messagepack | Remote | Information Disclosure
Jun 22, 2026 Jun 25, 2026
7.5 HIGH
CVE-2026-48512 — MessagePack-CSharp: JSON conversion APIs can recurse without consistent depth enforcement

MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, MessagePack-CSharp's JSON conversion helpers contain multiple recursion paths that do not consistently enforce a dep…

messagepack | Remote | Denial of Service
Jun 22, 2026 Jun 25, 2026
7.5 HIGH
CVE-2026-48511 — MessagePack-CSharp: ExpandoObject formatter can perform quadratic insertion work on untru…

MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, ExpandoObjectFormatter.Deserialize populates System.Dynamic.ExpandoObject by calling IDictionary<string, object>.Add…

messagepack | Remote | Denial of Service
Jun 22, 2026 Jun 25, 2026
7.5 HIGH
CVE-2026-48510 — MessagePack-CSharp: LZ4 decompression allocates from unbounded declared output lengths

MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, when MessagePack-CSharp decompresses Lz4Block or Lz4BlockArray payloads, it reads declared uncompressed lengths from…

messagepack | Remote | Denial of Service
Jun 22, 2026 Jun 25, 2026
9.1 CRITICAL
CVE-2026-48509 — MessagePack-CSharp: ASP.NET Core MessagePackInputFormatter defaults to TrustedData for HT…

MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, the parameterless MessagePackInputFormatter() constructor uses default serializer options, which resolve to MessageP…

messagepack | Remote | Misconfiguration
Jun 22, 2026 Jun 25, 2026
7.5 HIGH
CVE-2026-48506 — MessagePack-CSharp: MessagePackReader.Skip can recurse without enforcing maximum object g…

MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, MessagePackReader.TrySkip() recursively descends into nested arrays and maps without incrementing the reader depth o…

messagepack | Remote | Denial of Service
Jun 22, 2026 Jun 23, 2026
7.4 HIGH
CVE-2026-48505 — Filament: Multi-factor authentication (app) recovery codes can still be used multiple tim…

Filament is a collection of full-stack components for accelerated Laravel development. From 4.0.0 until 4.11.5 and 5.6.5, a flaw in the handling of recovery codes for app-based multi-factor authentic…

filament | Remote | Authentication
Jun 22, 2026 Jun 23, 2026
8.2 HIGH
CVE-2026-48502 — MessagePack-CSharp: Denial of service vulnerabilities can swamp the CPU or crash the proc…

MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, MessagePackReader.ReadDateTime() can allocate stack memory based on an attacker-controlled MessagePack extension len…

messagepack | Remote | Denial of Service
Jun 22, 2026 Jun 23, 2026
6.5 MEDIUM
CVE-2026-48500 — Filament: Unauthenticated temporary file upload on auth pages

Filament is a collection of full-stack components for accelerated Laravel development. From 3.0.0 until 3.3.52, 4.11.5, and 5.6.5, any schema can contain a file upload form field, so Filament applies…

filament | Remote | Misconfiguration
Jun 22, 2026 Jun 23, 2026
6.4 MEDIUM
CVE-2026-48167 — Filament: Unvalidated ImageColumn and ImageEntry values can be used for XSS

Filament is a collection of full-stack components for accelerated Laravel development. From 4.0.0 until 4.11.5 and 5.6.5, the ImageColumn and ImageEntry components render raw database values without …

filament | Remote | Cross-Site Scripting
Jun 22, 2026 Jun 23, 2026
5.3 MEDIUM
CVE-2026-48166 — Filament: Timing-based user enumeration on login page

Filament is a collection of full-stack components for accelerated Laravel development. From 4.0.0 until 4.11.5 and 5.6.5, the login page has an observable timing discrepancy that allows unauthenticat…

filament | Remote | Information Disclosure
Jun 22, 2026 Jun 23, 2026
8.2 HIGH
CVE-2026-48109 — MessagePack-CSharp: LZ4 decompression may fail with AccessViolationException after derefe…

MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, a vulnerability exists in the optional LZ4 decompression path used by MessagePack compression modes Lz4Block and Lz4…

messagepack | Remote | Memory Corruption
Jun 22, 2026 Jun 23, 2026
6.5 MEDIUM
CVE-2026-48067 — Filament: Inconsistent scope enforcement for AttachAction and AssociateAction Select fiel…

Filament is a collection of full-stack components for accelerated Laravel development. From filament/actions 4.0.0 until 4.11.4 and 5.6.4 and from filament/tables 3.0.0 until 3.3.51, the recordSelect…

filament | Remote | Authorization
Jun 22, 2026 Jun 23, 2026
6.1 MEDIUM
CVE-2026-44889 — WebOb: Location header normalization during redirect leads to open redirect

WebOb provides objects for HTTP requests and responses. Prior to 1.8.10, the normalization of the HTTP Location header during a redirect is vulnerable to an open redirect: WebOb joins the redirect ta…

webob | Remote | Server-Side Request Forgery
Jun 22, 2026 Jun 26, 2026
6.1 MEDIUM
CVE-2026-44311 — Fabric.js: Improper escaping in fabric.Gradient colorStops leads to XSS in SVG serializat…

Fabric.js is a JavaScript HTML5 canvas library. Prior to 7.4.0, a potential Cross-Site Scripting (XSS) vulnerability exists in Fabric.js due to improper escaping of user-controlled input during SVG s…

fabric.js | Remote | Cross-Site Scripting
Jun 22, 2026 Jun 26, 2026
8.1 HIGH
CVE-2025-71358 — picklescan - Remote Code Execution via idlelib.autocomplete.AutoComplete.get_entity

picklescan before 0.0.29 fails to detect malicious pickle files that exploit idlelib.autocomplete.AutoComplete.get_entity function in reduce methods. Attackers can embed undetected code in pickle fil…

picklescan | Remote | Injection
Jun 22, 2026 Jun 23, 2026
8.1 HIGH
CVE-2025-71344 — picklescan - Arbitrary Code Execution via Undetected ensurepip._run_pip Function

picklescan before 0.0.30 (affected versions 0.0.26 and earlier) fails to detect the ensurepip._run_pip built-in function when scanning pickle files, allowing attackers to execute arbitrary code. Mali…

picklescan | Remote | Injection
Jun 22, 2026 Jun 23, 2026
8.1 HIGH
CVE-2025-71339 — Picklescan - Arbitrary Code Execution via numpy.f2py.crackfortran._eval_length Gadget

Picklescan before 0.0.33 fails to detect the numpy.f2py.crackfortran._eval_length gadget in pickle __reduce__ methods, allowing arbitrary code execution. Attackers can craft malicious pickle files th…

picklescan | Remote | Authentication
Jun 22, 2026 Jun 23, 2026
7.5 HIGH
CVE-2026-55603 — http-proxy-middleware: multipart/form-data field injection via unescaped CRLF in `fixRequ…

http-proxy-middleware is Node.js http-proxy middleware. From 3.0.4 until 3.0.7 and 4.1.1, fixRequestBody() is the library's documented helper for re-emitting a request body that was already consumed …

http-proxy-middleware | Remote | Injection
Jun 22, 2026 Jun 24, 2026
Showing 20 of 8012 Results