Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score | Vulnerability | Published
9.3 CRITICAL
CVE-2026-54088 — File Browser: Command Injection via Authentication Hook Shell Substitution (Pre-Authentic…

File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.6, the Hook Authentication feature in File Brows…

filebrowser | Remote | Injection
Jun 25, 2026 Jun 25, 2026
7.8 HIGH
CVE-2026-53925 — Glances: Arbitrary file write and command execution via `secure_popen` redirection and ch…

Glances is an open-source system cross-platform monitoring tool. From 4.0.8 until 4.5.5, the secure_popen() function in glances/secure.py interprets > (file redirection), | (pipe), and && (command ch…

glances | Injection
Jun 25, 2026 Jun 25, 2026
9.8 CRITICAL
CVE-2026-50549 — Cursor Desktop sandbox escape via symlink and failed path canonicalization

Cursor is a code editor built for programming with AI. Prior to 3.0, Cursor runs agent terminal commands in a sandbox by default. Before a Write, the agent canonicalizes the target path to confirm it…

cursor | Remote | Path Traversal
Jun 25, 2026 Jun 26, 2026
9.8 CRITICAL
CVE-2026-50548 — Cursor Desktop sandbox escape via agent-controlled working directory

Cursor is a code editor built for programming with AI. Prior to 3.0, Cursor runs agent terminal commands in a sandbox by default, and the sandbox grants write access to the command's working director…

cursor | Remote | Misconfiguration
Jun 25, 2026 Jun 26, 2026
7.1 HIGH
CVE-2026-4930 — DPA Countermeasures weakening on Series 3 devices

SYMCRYPTO is the SiXG301's host-side hardware engine, accessed through the PSA crypto library, that accelerates symmetric cryptographic operations (AES encryption/decryption and hashing). DPA Countermeasures …

Jun 25, 2026 Jun 25, 2026
5.3 MEDIUM
CVE-2026-46611 — Glances: XML-RPC Server Missing Host Header Validation Enables DNS Rebinding Attack

Glances is an open-source system cross-platform monitoring tool. Prior to 4.5.5, the Glances XML-RPC server (glances -s, implemented in glances/server.py) does not validate the HTTP Host header, leav…

glances | Remote | Misconfiguration
Jun 25, 2026 Jun 26, 2026
7.4 HIGH
CVE-2026-46608 — Glances: XML-RPC Multi-Origin CORS Configuration Silently Falls Back to Wildcard (Incompl…

Glances is an open-source system cross-platform monitoring tool. Prior to 4.5.5, the Glances XML-RPC server (glances -s) introduced a configurable CORS origin list in version 4.5.3 as a mitigation fo…

glances | Remote | Misconfiguration
Jun 25, 2026 Jun 26, 2026
7.8 HIGH
CVE-2026-46607 — Glances: Insecure Pickle Deserialization in Version Cache Leads to Arbitrary Code Executi…

Glances is an open-source system cross-platform monitoring tool. Prior to 4.5.5, glances/outdated.py uses pickle.load() to read a version-check cache file stored at a predictable, world-accessible pa…

glances | Information Disclosure
Jun 25, 2026 Jun 25, 2026
7.8 HIGH
CVE-2026-46606 — Glances: Command Injection via KVM/QEMU VM Domain Names in glances/plugins/vms/engines/vi…

Glances is an open-source system cross-platform monitoring tool. Prior to 4.5.5, the Glances KVM/QEMU monitoring engine (glances/plugins/vms/engines/virsh.py) passes VM domain names, read directly fr…

glances | Injection
Jun 25, 2026 Jun 25, 2026
5.3 MEDIUM
CVE-2026-28898 — swift-nio-http2 HTTP/2 to HTTP/1.1 Codec Control Character Header Injection

swift-nio-http2's HTTP/2-to-HTTP/1.1 codec did not validate pseudo-header values for control characters before placing them into the translated HTTP/1.1 message. swift-nio-http2 1.44.1 adds validatio…

swiftnio_http/2 | Remote | Misconfiguration
Jun 25, 2026 Jun 30, 2026
8.4 HIGH
CVE-2026-12921 — Use after free in AzeoTech DAQFactory

In AzeoTech DAQFactory versions 21.1 and prior, a Use After Free vulnerability can be exploited by an attacker using specially crafted .ctl files which can result in code execution.

daqfactory | Memory Corruption
Jun 25, 2026 Jun 25, 2026
8.4 HIGH
CVE-2026-12897 — Out-of-bounds read in Horner Automation Cscape

Horner Automation Cscape versions prior to 10.2 SP3 are vulnerable to an Out-of-Bounds Read vulnerability through parsing CSP files. Successful exploitation of this vulnerability could allow an attac…

cscape | Information Disclosure
Jun 25, 2026 Jun 25, 2026
6.5 MEDIUM
CVE-2026-6291 — Bleichenbacher padding oracle in PKCS#7 KTRI RSA PKCS#1 v1.5 decryption

Bleichenbacher padding oracle in PKCS#7 KTRI decryption. When decrypting PKCS#7 EnvelopedData using RSA PKCS#1 v1.5 key transport, wolfSSL returned distinguishable error codes depending on whether RS…

wolfssl | Remote | Cryptography
Jun 25, 2026 Jun 26, 2026
9.1 CRITICAL
CVE-2026-6094 — Heap buffer overread in wc_PKCS7_DecodeEnvelopedData parsing crafted PKCS7 EnvelopedData

Heap buffer overread in wc_PKCS7_DecodeEnvelopedData when parsing crafted PKCS7 EnvelopedData. This could theoretically be triggered by attacker-supplied data delivered via S/MIME or CMS.

wolfssl | Remote | Memory Corruption
Jun 25, 2026 Jun 26, 2026
6.5 MEDIUM
CVE-2026-6091 — Partial-chain verification accepts untrusted intermediate as trust anchor

Partial-chain certificate verification may accept chains that terminate at a peer-supplied, untrusted intermediate certificate rather than a trusted anchor. An attacker could present a chain that end…

wolfssl | Remote | Cryptography
Jun 25, 2026 Jun 26, 2026
7.5 HIGH
CVE-2026-55967 — AES-GCM streaming APIs do not reject >64 GiB cumulative single messages, enabling counter…

AES-GCM encryption/decryption with extremely large cumulative single message sizes (>64 GiB) were not properly rejected by the streaming APIs, allowing counter wrap, keystream reuse, and consequent p…

wolfssl | Remote | Cryptography
Jun 25, 2026 Jun 26, 2026
8.2 HIGH
CVE-2026-55961 — wolfSSL_PKCS7_verify() reports success for degenerate (certs-only) PKCS#7 with no signer

wolfSSL_PKCS7_verify() returns success for a degenerate (certs-only) PKCS#7 object that contains no signer. Such an object has empty signerInfos, so the underlying signed-data verification succeeds…

wolfssl | Remote | Cryptography
Jun 25, 2026 Jun 26, 2026
7.1 HIGH
CVE-2026-55700 — pnpm: stage download writes outside destination via manifest version traversal

pnpm is a package manager. From 11.3.0 until 11.5.3, `pnpm stage download` derived a local filename from registry-controlled package name and version fields. A crafted manifest could escape the selec…

pnpm | Remote | Path Traversal
Jun 25, 2026 Jun 29, 2026
6.5 MEDIUM
CVE-2026-55699 — pnpm: reserved bin name deletes PNPM_HOME during global remove

pnpm is a package manager. Prior to 10.34.2 and 11.5.3, manifest bin object keys such as "", ".", and ".." passed pnpm's bin-name guard. When a malicious package was installed globally, later global …

pnpm | Remote | Misconfiguration
Jun 25, 2026 Jun 29, 2026
8.8 HIGH
CVE-2026-55698 — pnpm: Project env lockfile can short-circuit package-manager resolution and execute lockf…

pnpm is a package manager. Prior to 10.34.2 and 11.5.3, pnpm can persist package-manager bootstrap metadata in the first YAML document of pnpm-lock.yaml. Before the patch, direct pnpm execution trust…

pnpm | Remote | Supply Chain
Jun 25, 2026 Jun 30, 2026
Showing 20 of 7990 Results