Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
8.7 HIGH
CVE-2026-56225 — Capgo - Authorization Bypass in API Key Management via App-Limited Keys

Capgo before 12.128.2 contains an authorization bypass vulnerability in its public API key management handlers (get/put/delete/post). API keys created with mode=all but restricted to a single app via…

Remote | Authorization
Jun 23, 2026 Jun 23, 2026
8.6 HIGH
CVE-2026-56222 — Capgo - Cross-Organization App Takeover via Mismatched org_id and app_id in /private/role…

Capgo before 12.128.2 contains an authorization bypass vulnerability in POST /private/role_bindings that fails to verify app_id ownership during app-scoped role binding creation. An attacker with adm…

Remote | Authorization
Jun 23, 2026 Jun 24, 2026
8.7 HIGH
CVE-2026-54892 — Plug: quadratic-time decoding of nested query/body parameters enables denial of service

Inefficient algorithmic complexity in Plug's nested-parameter decoder allows an unauthenticated remote attacker to cause denial of service. Plug.Conn.Query.decode/4 (and Plug.Conn.Query.decode_each/2…

plug | Remote | Denial of Service
Jun 23, 2026 Jun 23, 2026
6.4 MEDIUM
CVE-2026-4610 — ProfileGrid <= 5.9.9.2 - Authenticated (Subscriber+) Stored Cross-Site Scripting via Mess…

The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'pm_author_message' parameter in the pm_send_message_to_author functi…

profilegrid | Remote | Cross-Site Scripting
Jun 23, 2026 Jun 29, 2026
9.4 CRITICAL
CVE-2026-44089 — Buffer Overflow in Totolink EX1200L router

Totolink EX1200L router is vulnerable to Buffer Overflow in the login functionality in cgi-bin/cstecgi.cgi endpoint. This vulnerability could be exploited to cause the program to crash and to execute…

ex1200l_firmware ex1200l | Memory Corruption
Jun 23, 2026 Jun 23, 2026
6.1 MEDIUM
CVE-2026-10857 — Reflected XSS in Akinsoft's e-Commerce

Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in AKIN Software Computer Import Export Industry and Trade Ltd. E-Commerce allows Reflected XSS. Th…

Remote | Cross-Site Scripting
Jun 23, 2026 Jun 23, 2026
8.8 HIGH
CVE-2026-10711 — RCE in Akınsoft's CafePlus

Missing authentication for critical function vulnerability in AKIN Software Computer Import Export Industry and Trade Ltd. CafePlus allows Accessing Functionality Not Properly Constrained by ACLs. T…

Authentication
Jun 23, 2026 Jun 23, 2026
8.1 HIGH
CVE-2025-71376 — picklescan - Arbitrary Code Execution via Undetected idlelib.autocomplete.AutoComplete.fe…

picklescan before 0.0.29 fails to detect malicious pickle files using idlelib.autocomplete.AutoComplete.fetch_completions in reduce methods. Attackers can embed undetected code in pickle files that e…

picklescan | Remote | Injection
Jun 23, 2026 Jun 23, 2026
8.1 HIGH
CVE-2025-71370 — picklescan - Remote Code Execution via torch.jit.unsupported_tensor_ops.execWrapper

picklescan before 0.0.28 fails to detect malicious torch.jit.unsupported_tensor_ops.execWrapper function calls embedded in pickle files. Attackers can craft malicious pickle files that bypass pickles…

picklescan | Remote | Injection
Jun 23, 2026 Jun 23, 2026
8.1 HIGH
CVE-2025-71365 — picklescan - Arbitrary Code Execution via numpy.f2py.crackfortran.myeval Detection Bypass

picklescan before 0.0.33 fails to detect malicious pickle files that invoke numpy.f2py.crackfortran.myeval function through the reduce method. Attackers can craft malicious pickle files embedding arb…

picklescan | Remote | Injection
Jun 23, 2026 Jun 23, 2026
8.1 HIGH
CVE-2025-71341 — picklescan - Remote Code Execution via Undetected profile.Profile.runctx

picklescan before 0.0.29 fails to detect the profile.Profile.runctx function when analyzing pickle files, allowing attackers to embed undetected malicious code. Remote attackers can craft malicious p…

picklescan | Remote | Injection
Jun 23, 2026 Jun 23, 2026
8.7 HIGH
CVE-2025-71337 — Flowise - Unverified Email Change via Account Profile Endpoint

Flowise before 3.0.10 (affected versions 3.0.7 and earlier) contains an unverified email change vulnerability. An authenticated user can change the account email address, used as a login identifier a…

flowise | Remote | Authentication
Jun 23, 2026 Jun 25, 2026
8.7 HIGH
CVE-2023-54365 — Traefik - Denial of Service via HTTP/2 Request Handling

Traefik before 2.10.5 and 3.0.0-beta4 is affected by a denial-of-service vulnerability in HTTP/2 request handling inherited from the Go standard library's HTTP/2 implementation (CVE-2023-44487 / CVE-…

traefik | Remote | Denial of Service
Jun 23, 2026 Jun 30, 2026
5.4 MEDIUM
CVE-2026-4983 — Open VSX Registry Stored Cross-Site Scripting via Malicious SVG Icons

Open VSX Registry does not sanitize SVG files uploaded as extension icons prior to storage, and serves them with Content-Type: image/svg+xml without security headers such as Content-Security-Policy o…

open_vsx | Remote | Cross-Site Scripting
Jun 23, 2026 Jun 24, 2026
9.0 CRITICAL
CVE-2026-11374 — Account Takeover via Predictable SSO Ticket Generation

In ManageEngine ADSelfService Plus, RecoveryManager Plus, M365 Manager Plus, and ADAudit Plus, the SSO tickets generated to authenticate that session could be predicted by an unauthenticated user, l…

Jun 23, 2026 Jun 24, 2026
9.1 CRITICAL
CVE-2026-9733 — Mojolicious::Plugin::Web::Auth::OAuth2 versions through 0.17 for Perl have an insecure de…

Mojolicious::Plugin::Web::Auth::OAuth2 versions through 0.17 for Perl have an insecure default state parameter. When no state generator is specified in the constructor, the module defaults to using …

Remote | Cross-Site Request Forgery
Jun 23, 2026 Jun 23, 2026
8.6 HIGH
CVE-2026-10521 — Authenticated unintended access to critical program parameters

A high-privileged remote attacker can access a hidden configuration method that should not be accessible by any user, to modify critical program parameters. This can result in a total loss of confi…

Jun 23, 2026 Jun 23, 2026
7.5 HIGH
CVE-2026-8379 — Frontend File Manager Plugin <= 23.6 - Unauthenticated Arbitrary File Download

The Frontend File Manager Plugin WordPress plugin through 23.6 does not properly enforce its nonce check on the file download handler, allowing unauthenticated attackers to download files uploaded by…

frontend_file_manager_plugin | Remote | Authentication
Jun 23, 2026 Jun 23, 2026
5.4 MEDIUM
CVE-2026-8378 — Frontend File Manager Plugin <= 23.6 - Subscriber+ Stored Cross-Site Scripting via File R…

The Frontend File Manager Plugin WordPress plugin through 23.6 does not sanitise nor escape a filename submitted to the frontend file-rename endpoint before storing it as post meta and rendering it b…

frontend_file_manager_plugin | Remote | Cross-Site Scripting
Jun 23, 2026 Jun 23, 2026
7.1 HIGH
CVE-2026-8172 — Simple Basic Contact Form <= 20250114 - Reflected XSS

The Simple Basic Contact Form WordPress plugin through 20250114 does not escape user-supplied input before reflecting it into the contact form output on validation errors, leading to a Reflected Cros…

simple_basic_contact_form | Remote | Cross-Site Scripting
Jun 23, 2026 Jun 23, 2026
Showing 20 of 7970 Results