Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
8.6 HIGH
CVE-2026-9717 — [Product/Vendor Name] OS Command Injection

CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability exists that could allow unauthorized execution of commands with elevated privileges, impacting s…

powerlogic_p7_firmware powerlogic_p7 | Remote | Injection
Jun 25, 2026 Jul 01, 2026
8.7 HIGH

CWE-476 NULL Pointer Dereference vulnerability exists that could cause a denial-of-service condition, rendering the device’s HMI and configuration functionality unavailable when malformed requests ar…

powerlogic_p7_firmware powerlogic_p7 | Remote | Denial of Service
Jun 25, 2026 Jul 01, 2026
6.7 MEDIUM

CWE-732 Incorrect Permission Assignment for Critical Resource vulnerability that could cause unauthorized disclosure of password hashes and potential account compromise when an attacker with privileg…

| Misconfiguration
Jun 25, 2026 Jun 25, 2026
8.7 HIGH

CWE-522 Insufficiently Protected Credentials vulnerability that could cause unauthorized access and exposure of sensitive information when an unauthenticated attacker accesses credentials stored within …

Remote
Jun 25, 2026 Jun 25, 2026
8.4 HIGH
CVE-2026-57456 — Vim: Arbitrary Code Execution via Python Omni-Completion Docstrings

Vim is an open source, command line text editor. Prior to 9.2.0699, Vim's Python omni-completion (runtime/autoload/python3complete.vim and the legacy pythoncomplete.vim) executes reconstructed functi…

vim | Injection
Jun 25, 2026 Jun 26, 2026
7.8 HIGH
CVE-2026-57455 — Vim: Stack out-of-bounds write in `spell_soundfold_sofo()` via an over-length `soundfold(…

Vim is an open source, command line text editor. Prior to 9.2.0698, the single-byte branch of spell_soundfold_sofo() in src/spell.c translates a word through a spell file's SOFO (sound-folding) byte …

vim | Memory Corruption
Jun 25, 2026 Jun 26, 2026
6.8 MEDIUM
CVE-2026-57454 — Vim: Out-of-bounds Read with Text Properties

Vim is an open source, command line text editor. From 9.2.0320 until 9.2.0679, a crafted undo or swap file can store a virtual-text property whose offset and length point outside the line's property …

vim | Memory Corruption
Jun 25, 2026 Jun 26, 2026
7.3 HIGH
CVE-2026-57453 — Vim: PowerShell Command Injection via Unescaped Filename in zip.vim Extraction

Vim is an open source, command line text editor. From 9.1.1784 until 9.2.0678, when the bundled zip plugin autoload/zip.vim falls back to PowerShell to browse, read, extract, update or delete entries…

vim | Misconfiguration
Jun 25, 2026 Jun 26, 2026
5.5 MEDIUM
CVE-2026-57452 — Vim: Out-of-bounds Read with libsodium-encrypted Files

Vim is an open source, command line text editor. Prior to 9.2.0671, when Vim opens a file encrypted with the VimCrypt~04! or VimCrypt~05! method (xchacha20poly1305, requires the +sodium feature) whos…

vim | Memory Corruption
Jun 25, 2026 Jun 26, 2026
6.1 MEDIUM
CVE-2026-57451 — Vim: Out-of-bounds Read in Text Property Count

Vim is an open source, command line text editor. Prior to 9.2.0670, get_text_props() in src/textprop.c reads a uint16 property count stored inline after a line's text and returns it as the number of …

vim | Memory Corruption
Jun 25, 2026 Jun 26, 2026
6.6 MEDIUM
CVE-2026-57438 — Nokogiri: Possible Use-After-Free in XInclude Processing

Nokogiri is an open source XML and HTML library for the Ruby programming language. Prior to 1.19.4, XInclude substitution performed by Nokogiri::XML::Node#do_xinclude replaced each <xi:include> in pl…

nokogiri | Memory Corruption
Jun 25, 2026 Jun 26, 2026
7.8 HIGH
CVE-2026-55895 — Vim: Vimscript Code Injection in netrw NetrwLocalRmFile() via crafted filename

Vim is an open source, command line text editor. Prior to 9.2.0663, a Vimscript code injection vulnerability exists in s:NetrwLocalRmFile() in the netrw plugin (runtime/pack/dist/opt/netrw/autoload/n…

vim | Injection
Jun 25, 2026 Jun 26, 2026
5.5 MEDIUM
CVE-2026-55892 — Vim: Out-of-bounds Write in Spell File Prefix Dump

Vim is an open source, command line text editor. Prior to 9.2.0662, the dump_prefixes() function in src/spell.c walks a spell-file prefix trie iteratively with a depth counter while dumping the prefi…

vim | Memory Corruption
Jun 25, 2026 Jun 26, 2026
7.8 HIGH
CVE-2026-55693 — Vim: Out-of-bounds Write in Spell File Word Count

Vim is an open source, command line text editor. Prior to 9.2.0653, the tree_count_words() function in src/spellfile.c fills in the word-count fields of a spell-file word trie by walking it iterative…

vim | Memory Corruption
Jun 25, 2026 Jun 26, 2026
7.2 HIGH
CVE-2026-55477 — Authenticated Arbitrary File Write via Database Import and Xray Log Path Manipulation

3X-UI is a web control panel for managing Xray-core servers. Prior to 3.3.1, an authenticated administrator can abuse the database import functionality to achieve arbitrary file write on the host by …

3x-ui | Remote | Path Traversal
Jun 25, 2026 Jun 25, 2026
8.1 HIGH
CVE-2026-54036 — LibreChat: 2FA Re-enrollment Allows Full Account 2FA Takeover Without OTP Verification

LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. Prior to 0.8.4-rc1, the GET /api/auth/2fa/enable endpoint can be called by an authenticated user (or attacker with a stolen…

librechat | Remote | Authentication
Jun 25, 2026 Jun 26, 2026
6.7 MEDIUM
CVE-2026-4522 — HYPR Passwordless: Missing Authentication for Critical Function

Missing authentication for critical function vulnerability in HYPR Passwordless on Windows allows Credentials Interception. This issue affects HYPR Passwordless: before 11.1.1.

| Authentication
Jun 25, 2026 Jun 25, 2026
6.3 MEDIUM
CVE-2026-48946 — Joomla Extension - getk2.org - Privileged RCE vulnerability in K2 extension for Joomla < …

The K2 frontend article-attachment upload path accepts files whose extension is `.php`, and Apache's standard mod_php matches `\.php$` and executes them under the K2 web user. A K2 Author can upload …

k2 | Remote | Misconfiguration
Jun 25, 2026 Jun 28, 2026
5.3 MEDIUM
CVE-2026-48945 — Joomla Extension - getk2.org - Privileged RCE vulnerability in K2 extension for Joomla < …

The K2 article gallery upload path accepts a zip/tar archive, extracts it under `/media/k2/galleries/<id>/`, and only renames image files (gif/jpg/jpeg/png/webp) to safe names — non-image files (incl…

k2 | Remote | Misconfiguration
Jun 25, 2026 Jun 28, 2026
6.5 MEDIUM
CVE-2026-48944 — Joomla Extension - getk2.org - Exposure of sensitive files via attachment copy in K2 exte…

The K2 frontend article-save handler accepts an `attachment[N][existing]` POST field that is concatenated with `JPATH_SITE/` and passed to `JFile::copy()`. `JPath::clean` does NOT strip `..`, and the…

k2 | Remote | Path Traversal
Jun 25, 2026 Jun 28, 2026
Showing 20 of 7990 Results