Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
9.2 CRITICAL
CVE-2026-45034 — PhpSpreadsheet: File::prohibitWrappers bypass

PhpSpreadsheet is a pure PHP library for reading and writing spreadsheet files. Prior to 1.30.5, CVE-2026-34084 was patched by the helper File::prohibitWrappers. The helper calls parse_url($filename,…

phpspreadsheet | Remote | Path Traversal
Jun 22, 2026 Jun 23, 2026
Jun 22, 2026
Jun 23, 2026
9.3 CRITICAL
CVE-2026-44727 — Jupyter Server: Stored XSS in `NbconvertFileHandler` / `NbconvertPostHandler` via missing…

Jupyter Server is the backend for Jupyter web applications. Prior to 2.20, the nbconvert HTTP handlers in jupyter_server render user-authored notebook HTML under the Jupyter origin without a sandbox …

jupyter_server | Remote | Cross-Site Scripting
Jun 22, 2026 Jun 30, 2026
Jun 22, 2026
Jun 30, 2026
5.4 MEDIUM
CVE-2026-41479 — Authlib OAuth 2.0 authorization endpoint open redirects to attacker-controlled redirect_u…

Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to 1.6.10 and 1.7.1, Authlib's OAuth 2.0 authorization endpoint can be turned into an unauthenticated open redirect wh…

authlib | Remote | Misconfiguration
Jun 22, 2026 Jun 26, 2026
Jun 22, 2026
Jun 26, 2026
7.1 HIGH
CVE-2026-39904 — Gophish 0.12.1 Denial of Service via Office Document Upload

Gophish through 0.12.1 contains a denial of service vulnerability that allows authenticated users with the User role to exhaust server memory by uploading a crafted Office document as an email templa…

Remote | Denial of Service
Jun 22, 2026 Jun 23, 2026
Jun 22, 2026
Jun 23, 2026
3.7 LOW
CVE-2026-48931 — Node.js HTTP Agent Request Smuggling

A flaw in Node.js HTTP Agent can cause a client to accept as valid a response that is send before the client has sent the request. This vulnerability affects all supported release lines: **Node.js…

node.js | Remote | Race Condition
Jun 22, 2026 Jun 30, 2026
Jun 22, 2026
Jun 30, 2026
7.8 HIGH
CVE-2026-44274 — Dell Wyse Management Suite Improper Link Resolution Before File Access

Dell Wyse Management Suite (WMS), versions prior to WMS 2605, contain an Improper Link Resolution Before File Access vulnerability. A low privileged attacker with local access could potentially explo…

wyse_management_suite | Path Traversal
Jun 22, 2026 Jun 26, 2026
Jun 22, 2026
Jun 26, 2026
6.0 MEDIUM
CVE-2026-44273 — Dell Wyse Management Suite Default Credentials Information Disclosure

Dell Wyse Management Suite (WMS), versions prior to WMS 2605, contain a Use of Default Credentials vulnerability. A high privileged attacker with local access could potentially exploit this vulnerabi…

wyse_management_suite | Authentication
Jun 22, 2026 Jun 26, 2026
Jun 22, 2026
Jun 26, 2026
8.8 HIGH
CVE-2026-44272 — Dell Wyse Management Suite SQL Injection

Dell Wyse Management Suite (WMS), versions prior to WMS 2605, contain an Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability. A low privileged attacker …

wyse_management_suite | Remote | Injection
Jun 22, 2026 Jun 26, 2026
Jun 22, 2026
Jun 26, 2026
8.8 HIGH
CVE-2026-44271 — Dell Wyse Management Suite SQL Injection

Dell Wyse Management Suite (WMS), versions prior to WMS 2605, contain an Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability. A low privileged attacker …

wyse_management_suite | Remote | Injection
Jun 22, 2026 Jun 26, 2026
Jun 22, 2026
Jun 26, 2026
7.5 HIGH
CVE-2026-10852 — Websphere Application Server is Affected By a Denial of Service in IBM WebSphere Applicat…

IBM WebSphere Application Server and IBM WebSphere Application Server Liberty are vulnerable to denial of service in the WebSphere WebServer Plug-in component when an attacker can pass crafted reques…

i i | Remote | Denial of Service
Jun 22, 2026 Jun 30, 2026
Jun 22, 2026
Jun 30, 2026
5.5 MEDIUM
CVE-2026-55443 — LangChain: Path traversal and sandbox escape in LangChain file-search middleware and load…

LangChain is a framework for building agents and LLM-powered applications. Prior to 1.3.9, several LangChain components that resolve filesystem paths or expand search patterns do not consistently con…

langchain langchain_core | Path Traversal
Jun 22, 2026 Jun 26, 2026
Jun 22, 2026
Jun 26, 2026
5.3 MEDIUM
CVE-2026-54300 — @astrojs/netlify broadens Astro image.remotePatterns in Netlify Image CDN config

@astrojs/netlify is an adapter that allows Astro to deploy your hybrid or server rendered site to Netlify. Prior to 7.0.13, @astrojs/netlify converts Astro image.remotePatterns into Netlify Image CDN…

astro | Remote | Misconfiguration
Jun 22, 2026 Jun 23, 2026
Jun 22, 2026
Jun 23, 2026
7.5 HIGH
CVE-2026-54299 — Astro: Host-header full-read SSRF in core prerendered error-page fetch (prerenderedErrorP…

Astro is a web framework. Prior to 6.4.6, Astro SSR apps with prerendered error pages (/404 or /500 using export const prerender = true) fetch those pages over HTTP at runtime when an error occurs. T…

astro | Remote | Server-Side Request Forgery
Jun 22, 2026 Jun 23, 2026
Jun 22, 2026
Jun 23, 2026
6.1 MEDIUM
CVE-2026-54298 — Astro: XSS via Unescaped Attribute Names in Spread Props

Astro is a web framework. Prior to 6.4.6, the spreadAttributes function in Astro's server-side rendering pipeline iterates over object keys and passes them directly to addAttribute, which interpolate…

astro | Remote | Cross-Site Scripting
Jun 22, 2026 Jun 23, 2026
Jun 22, 2026
Jun 23, 2026
7.5 HIGH
CVE-2026-54293 — NLTK: URL-Encoded Path Traversal in nltk.data.load() Allows Arbitrary Local File Read

NLTK (Natural Language Toolkit) is a suite of open source Python modules, data sets, and tutorials supporting research and development in Natural Language Processing. Prior to 3.10.0-rc1, nltk.data.l…

nltk | Remote | Path Traversal
Jun 22, 2026 Jun 30, 2026
Jun 22, 2026
Jun 30, 2026
6.5 MEDIUM
CVE-2026-54288 — Hono: Body Limit Middleware can be bypassed on AWS Lambda by understating `Content-Length`

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.25, the Body Limit Middleware trusts the request's Content-Length header to decide whether a body i…

hono | Remote | Misconfiguration
Jun 22, 2026 Jun 23, 2026
Jun 22, 2026
Jun 23, 2026
8.7 HIGH
CVE-2026-53779 — WebP Server Go < 0.15.0 Path Traversal via Backslash Encoding on Windows

WebP Server Go through 0.14.4 contains a path traversal vulnerability on Windows that allows unauthenticated attackers to read files outside the configured IMG_PATH directory by sending requests with…

Remote | Path Traversal
Jun 22, 2026 Jun 23, 2026
Jun 22, 2026
Jun 23, 2026
3.1 LOW
CVE-2026-53663 — React Router: `handleDocumentRequest` CSRF check covers `POST` only; PUT/PATCH/DELETE byp…

React Router is a router for React. From 7.12.0 until 7.15.1, certain CSRF checks in React Router v7 Framework Mode were insufficient and run on POST requests, but were bypassed on PUT/PATCH/DELETE r…

react-router | Remote | Cross-Site Request Forgery
Jun 22, 2026 Jun 23, 2026
Jun 22, 2026
Jun 23, 2026
7.1 HIGH
CVE-2026-50146 — Astro: Reflected XSS via unescaped slot name

Astro is a web framework. Prior to 6.3.3, when a component uses a client:* directive, Astro inserts named slot content into a data-astro-template attribute without HTML escaping the slot name allowin…

astro | Remote | Cross-Site Scripting
Jun 22, 2026 Jun 23, 2026
Jun 22, 2026
Jun 23, 2026
8.7 HIGH
CVE-2026-11834 — Unauthenticated Command Injection via DHCP Option Handling in Multiple TP-Link Routers

A command injection vulnerability has been identified in the DHCP option processing logic in multiple TP-Link router models, due to insufficient validation of externally supplied DHCP option data. An…

Jun 22, 2026 Jun 26, 2026
Jun 22, 2026
Jun 26, 2026
Showing 20 of 7989 Results