Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score | Vulnerability | Published
7.5 HIGH
CVE-2026-50129 — Mastodon: Persistent anonymous DoS via unhandled NoMethodError in MATH_TRANSFORMER

Mastodon is a free, open-source social network server based on ActivityPub. Prior to 4.5.11, 4.4.18, and 4.3.24, a DoS can be triggered by (Uncaught Exception vulnerability), due to missing exception …

mastodon | Remote | Denial of Service
Jun 24, 2026 Jun 25, 2026
5.3 MEDIUM
CVE-2026-50128 — Mastodon: Spoofing of attribution domains

Mastodon is a free, open-source social network server based on ActivityPub. From 4.3.0 until 4.5.11 and 4.4.18, Mastodon has a feature to let websites credit authors of their articles. To prevent fal…

mastodon | Remote | Misconfiguration
Jun 24, 2026 Jun 25, 2026
6.7 MEDIUM
CVE-2026-49278 — Rocket.Chat: Livechat Visitor Profile Disclosure Leaks Bearer Token and Enables Visitor I…

Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, and 7.10.12, in the visitors.info endpoint, https://devel…

rocket.chat rocket.chat | Remote | Information Disclosure
Jun 24, 2026 Jun 26, 2026
2.3 LOW
CVE-2026-49277 — Rocket.Chat: OAuth access and refresh tokens remain valid after account deactivation

Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, and 7.10.12, Rocket.Chat does not revoke OAuth bearer or …

rocket.chat rocket.chat | Remote | Authentication
Jun 24, 2026 Jun 26, 2026
4.4 MEDIUM
CVE-2026-47733 — Rocket.Chat: Missing URL protocol sanitization in ImageElement allows javascript: URLs in…

Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.0, the ImageElement component in packages/gazzodown renders user-controlled src values directly into <a…

rocket.chat rocket.chat | Remote | Cross-Site Scripting
Jun 24, 2026 Jun 25, 2026
8.3 HIGH
CVE-2026-47267 — Gogs: SSRF in webhook deliveries

Gogs is an open source self-hosted Git service. Prior to 0.14.3, the fix for CVE-2022-1285 prevents adding webhooks or running webhooks with URLs with a hostname that resolves in localCIDRs. However, …

gogs | Remote | Server-Side Request Forgery
Jun 24, 2026 Jun 25, 2026
9.3 CRITICAL
CVE-2026-46423 — Rocket.Chat: SAML signature validation skipped when IdP certificate field is empty

Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, and 7.10.11, Rocket.Chat's SAML service provider implemen…

rocket.chat rocket.chat | Remote | Authentication
Jun 24, 2026 Jun 26, 2026
2.3 LOW
CVE-2026-45757 — Rocket.Chat: `users.deactivateIdle` deactivates accounts without revoking existing login t…

Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, and 7.10.12, Rocket.Chat allows users deactivated through…

rocket.chat rocket.chat | Remote | Authentication
Jun 24, 2026 Jun 25, 2026
9.1 CRITICAL
CVE-2026-45689 — Rocket.Chat: Pre-Auth NoSQL Injection in OAuth2 Token Endpoint leading to Arbitrary User …

Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, and 7.10.11, an unauthenticated network attacker obtains …

rocket.chat rocket.chat | Remote | Authentication
Jun 24, 2026 Jun 26, 2026
9.1 CRITICAL
CVE-2026-45688 — Rocket.Chat: Pre-Auth NoSQL Injection in CAS Login Handler leading to Arbitrary CAS/SAML …

Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, and 7.10.11, Rocket.Chat's CAS login handler forwards the…

rocket.chat rocket.chat | Remote | Injection
Jun 24, 2026 Jun 26, 2026
8.5 HIGH
CVE-2026-45687 — Rocket.Chat: Authenticated Arbitrary Data Export Theft via Mass Assignment in sendFileMes…

Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, and 7.10.11, Rocket.Chat's sendFileMessage DDP method pas…

rocket.chat rocket.chat | Remote | Injection
Jun 24, 2026 Jun 26, 2026
8.7 HIGH
CVE-2026-45677 — Rocket.Chat: Lack of SAML Signature Check During Logout Could Lead To DoS

Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, and 7.10.11, Rocket.Chat's SAML integration does not veri…

rocket.chat rocket.chat | Remote | Authentication
Jun 24, 2026 Jun 25, 2026
9.3 CRITICAL
CVE-2026-33543 — FOSSBilling: Authentication bypass allows unauthenticated administrator creation

FOSSBilling is a free, open-source billing and client management system. Versions 0.7.2 and prior expose a guest API endpoint, /api/guest/staff/create, intended for initial administrator bootstrap. D…

fossbilling | Remote | Authentication
Jun 24, 2026 Jun 25, 2026
7.7 HIGH
CVE-2026-33235 — AutoGPT: Denial of Service (DoS) via Resource Exhaustion in text templating features

AutoGPT is a workflow automation platform for creating, deploying, and managing continuous artificial intelligence agents. In versions prior to 0.6.52, the Fill Text Template block is vulnerable to a…

autogpt_platform | Remote | Denial of Service
Jun 24, 2026 Jun 25, 2026
5.5 MEDIUM
CVE-2026-32315 — motionEye: World-Readable Configuration File Exposes Admin Password Hash

motionEye (mEye) is an online interface for motion software, a video surveillance program with motion detection. Versions prior to 0.44.0 create the configuration file /etc/motioneye/motion.conf with…

motioneye | Information Disclosure
Jun 24, 2026 Jun 25, 2026
6.5 MEDIUM
CVE-2026-31978 — motionEye: Arbitrary File Read via Path Traversal in Picture/Movie Preview Endpoint

motionEye (mEye) is an online interface for motion software, which is a video surveillance program with motion detection. Versions prior to 0.44.0 are vulnerable to path traversal in the picture and …

motioneye | Remote | Path Traversal
Jun 24, 2026 Jun 25, 2026
7.7 HIGH
CVE-2026-25119 — Gogs: Authentication Bypass via Unvalidated Reverse Proxy Headers

Gogs is an open source self-hosted Git service. Prior to 0.14.3, when ENABLE_REVERSE_PROXY_AUTHENTICATION is enabled, Gogs accepts the configured authentication header (default: X-WEBAUTH-USER) direc…

gogs | Remote | Authentication
Jun 24, 2026 Jun 25, 2026
8.7 HIGH
CVE-2026-1840 — Missing authentication for critical function in Hubbell Aclara Metrum Cellular Web Interf…

The Aclara Metrum Cellular Web Interface is vulnerable to unauthorized access due to the absence of authentication controls on critical system functions. This weakness exposes essential configuration…

Remote | Authentication
Jun 24, 2026 Jun 25, 2026
6.5 MEDIUM
CVE-2026-13208 — Kubevirt: virt-handler-rhel9: kubevirt: virt-handler notify server trusts vmi identity fr…

A flaw was found in KubeVirt's virt-handler domain notify server. The gRPC handlers for HandleDomainEvent and HandleK8SEvent derive the VMI identity (namespace/name) solely from the request body with…

openshift_virtualization | Authentication
Jun 24, 2026 Jun 25, 2026
7.3 HIGH
CVE-2026-13201 — Kubevirt: virt-handler-rhel9: kubevirt: safepath symlink following in virt-handler enable…

A flaw was found in KubeVirt's safepath package used by virt-handler. The OpenAtNoFollow function uses O_PATH|O_NOFOLLOW to obtain a file descriptor to a path leaf, but downstream operations resolve …

openshift_virtualization | Path Traversal
Jun 24, 2026 Jun 26, 2026
Showing 20 of 7989 Results