Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

| Score | Vulnerability | Description | Tags | Published |
|---|---|---|---|---|
| 7.4 HIGH | CVE-2026-48505 — Filament: Multi-factor authentication (app) recovery codes can still be used multiple tim… | Filament is a collection of full-stack components for accelerated Laravel development. From 4.0.0 until 4.11.5 and 5.6.5, a flaw in the handling of recovery codes for app-based multi-factor authentic… | filament / Remote / Authentication | Jun 22, 2026 / Jun 23, 2026 |
| 8.2 HIGH | CVE-2026-48502 — MessagePack-CSharp: Denial of service vulnerabilities can swamp the CPU or crash the proc… | MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, MessagePackReader.ReadDateTime() can allocate stack memory based on an attacker-controlled MessagePack extension len… | messagepack / Remote / Denial of Service | Jun 22, 2026 / Jun 23, 2026 |
| 6.5 MEDIUM | CVE-2026-48500 — Filament: Unauthenticated temporary file upload on auth pages | Filament is a collection of full-stack components for accelerated Laravel development. From 3.0.0 until 3.3.52, 4.11.5, and 5.6.5, any schema can contain a file upload form field, so Filament applies… | filament / Remote / Misconfiguration | Jun 22, 2026 / Jun 23, 2026 |
| 6.4 MEDIUM | CVE-2026-48167 — Filament: Unvalidated ImageColumn and ImageEntry values can be used for XSS | Filament is a collection of full-stack components for accelerated Laravel development. From 4.0.0 until 4.11.5 and 5.6.5, the ImageColumn and ImageEntry components render raw database values without … | filament / Remote / Cross-Site Scripting | Jun 22, 2026 / Jun 23, 2026 |
| 5.3 MEDIUM | CVE-2026-48166 — Filament: Timing-based user enumeration on login page | Filament is a collection of full-stack components for accelerated Laravel development. From 4.0.0 until 4.11.5 and 5.6.5, the login page has an observable timing discrepancy that allows unauthenticat… | filament / Remote / Information Disclosure | Jun 22, 2026 / Jun 23, 2026 |
| 8.2 HIGH | CVE-2026-48109 — MessagePack-CSharp: LZ4 decompression may fail with AccessViolationException after derefe… | MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, a vulnerability exists in the optional LZ4 decompression path used by MessagePack compression modes Lz4Block and Lz4… | messagepack / Remote / Memory Corruption | Jun 22, 2026 / Jun 23, 2026 |
| 6.5 MEDIUM | CVE-2026-48067 — Filament: Inconsistent scope enforcement for AttachAction and AssociateAction Select fiel… | Filament is a collection of full-stack components for accelerated Laravel development. From filament/actions 4.0.0 until 4.11.4 and 5.6.4 and from filament/tables 3.0.0 until 3.3.51, the recordSelect… | filament / Remote / Authorization | Jun 22, 2026 / Jun 23, 2026 |
| 6.1 MEDIUM | CVE-2026-44889 — WebOb: Location header normalization during redirect leads to open redirect | WebOb provides objects for HTTP requests and responses. Prior to 1.8.10, the normalization of the HTTP Location header during a redirect is vulnerable to an open redirect: WebOb joins the redirect ta… | webob / Remote / Server-Side Request Forgery | Jun 22, 2026 / Jun 26, 2026 |
| 6.1 MEDIUM | CVE-2026-44311 — Fabric.js: Improper escaping in fabric.Gradient colorStops leads to XSS in SVG serializat… | Fabric.js is a JavaScript HTML5 canvas library. Prior to 7.4.0, a potential Cross-Site Scripting (XSS) vulnerability exists in Fabric.js due to improper escaping of user-controlled input during SVG s… | fabric.js / Remote / Cross-Site Scripting | Jun 22, 2026 / Jun 26, 2026 |
| 8.1 HIGH | CVE-2025-71358 — picklescan - Remote Code Execution via idlelib.autocomplete.AutoComplete.get_entity | picklescan before 0.0.29 fails to detect malicious pickle files that exploit idlelib.autocomplete.AutoComplete.get_entity function in reduce methods. Attackers can embed undetected code in pickle fil… | picklescan / Remote / Injection | Jun 22, 2026 / Jun 23, 2026 |
| 8.1 HIGH | CVE-2025-71344 — picklescan - Arbitrary Code Execution via Undetected ensurepip._run_pip Function | picklescan before 0.0.30 (affected versions 0.0.26 and earlier) fails to detect the ensurepip._run_pip built-in function when scanning pickle files, allowing attackers to execute arbitrary code. Mali… | picklescan / Remote / Injection | Jun 22, 2026 / Jun 23, 2026 |
| 8.1 HIGH | CVE-2025-71339 — Picklescan - Arbitrary Code Execution via numpy.f2py.crackfortran._eval_length Gadget | Picklescan before 0.0.33 fails to detect the numpy.f2py.crackfortran._eval_length gadget in pickle __reduce__ methods, allowing arbitrary code execution. Attackers can craft malicious pickle files th… | picklescan / Remote / Authentication | Jun 22, 2026 / Jun 23, 2026 |
| 7.5 HIGH | CVE-2026-55603 — http-proxy-middleware: multipart/form-data field injection via unescaped CRLF in `fixRequ… | http-proxy-middleware is node.js http-proxy middleware. From 3.0.4 until 3.0.7 and 4.1.1, fixRequestBody() is the library's documented helper for re-emitting a request body that was already consumed … | http-proxy-middleware / Remote / Injection | Jun 22, 2026 / Jun 24, 2026 |
| 5.8 MEDIUM | CVE-2026-55599 — phpseclib: X.509 certificate validation sends attacker-controlled outbound requests (serv… | phpseclib is a PHP secure communications library. From 0.1.1 until 1.0.30, 2.0.55, and 3.0.54, when an application validates an untrusted X.509 certificate with phpseclib, X509::validateSignature() r… | phpseclib / Remote / Server-Side Request Forgery | Jun 22, 2026 / Jun 26, 2026 |
| 6.9 MEDIUM | CVE-2026-54651 — pypdf: Possible infinite loop when processing threads/articles in writer | pypdf is a free and open-source pure-python PDF library. Prior to 6.13.1, an attacker who uses this vulnerability can craft a PDF which leads to an infinite loop. This requires merging a file with th… | pypdf / Denial of Service | Jun 22, 2026 / Jun 24, 2026 |
| 6.9 MEDIUM | CVE-2026-54531 — pypdf: Possible infinite loop when processing outlines/bookmarks in writer | pypdf is a free and open-source pure-python PDF library. Prior to 6.13.0, an attacker who uses this vulnerability can craft a PDF which leads to an infinite loop. This requires merging a file with ou… | pypdf / Denial of Service | Jun 22, 2026 / Jun 25, 2026 |
| 6.9 MEDIUM | CVE-2026-54530 — pypdf: Possible infinite loop when retrieving fonts for layout-mode text extraction | pypdf is a free and open-source pure-python PDF library. Prior to 6.13.0, an attacker who uses this vulnerability can craft a PDF which leads to an infinite loop. This requires extracting the text in… | pypdf / Denial of Service | Jun 22, 2026 / Jun 25, 2026 |
| 9.8 CRITICAL | CVE-2026-49468 — LiteLLM: Authentication Bypass via Host Header Injection | LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. Prior to 1.84.0, This vulnerability is fixed in 1.84.0. | litellm / Remote | Jun 22, 2026 / Jun 30, 2026 |
| 6.9 MEDIUM | CVE-2026-49461 — pypdf: Possible large memory usage for form XObjects during text extraction | pypdf is a free and open-source pure-python PDF library. Prior to 6.12.2, an attacker who uses this vulnerability can craft a PDF which leads to large memory usage. This requires extracting the text … | pypdf / Denial of Service | Jun 22, 2026 / Jun 25, 2026 |
| 5.1 MEDIUM | CVE-2026-49460 — pypdf: Inefficient decoding of FlateDecode PNG predictor streams | pypdf is a free and open-source pure-python PDF library. Prior to 6.12.2, an attacker who uses this vulnerability can craft a PDF which leads to long runtimes. This requires accessing a stream which … | pypdf / Denial of Service | Jun 22, 2026 / Jun 25, 2026 |
Showing 20 of 7983 Results