Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score | Vulnerability | Published
7.5 HIGH
CVE-2026-12151 — undici WebSocket client vulnerable to denial of service via fragment count bypass

Impact: The undici WebSocket client enforces maxPayloadSize on the cumulative byte count of fragments in a message but does not enforce a limit on the number of fragments. A malicious WebSocket serve…

undici | Remote | Denial of Service
Jun 17, 2026 Jul 02, 2026
9.8 CRITICAL
CVE-2025-71325 — picklescan - Detection Bypass via STACK_GLOBAL Opcode Parsing Logic Flaw

picklescan before 0.0.27 contains a parsing logic error in the _list_globals function when handling STACK_GLOBAL opcodes, failing to track arguments in the correct range and allowing malicious pickle…

picklescan | Remote | Injection
Jun 17, 2026 Jun 17, 2026
9.8 CRITICAL
CVE-2025-71323 — picklescan - Remote Code Execution via Unblocked ctypes Module

picklescan before 0.0.33 fails to block the ctypes module, allowing attackers to achieve remote code execution by invoking direct syscalls and accessing raw memory. Attackers can craft malicious pick…

picklescan | Remote | Memory Corruption
Jun 17, 2026 Jun 17, 2026
8.8 HIGH
CVE-2025-71322 — PickleScan - Unsafe Globals Check Bypass via pty.spawn Function

PickleScan before 0.0.33 fails to include the pty.spawn function in its unsafe globals list, allowing attackers to bypass security checks. Malicious actors can craft pickle payloads using pty.spawn t…

picklescan | Remote | Injection
Jun 17, 2026 Jun 18, 2026
9.8 CRITICAL
CVE-2025-71321 — picklescan - Arbitrary File Writing via distutils Module Bypass

picklescan before 0.0.33 contains an arbitrary file writing vulnerability that allows attackers to bypass the dangerous blocklist by using distutils.file_util.write_file. Attackers can construct mali…

picklescan | Remote | Misconfiguration
Jun 17, 2026 Jun 17, 2026
9.8 CRITICAL
CVE-2025-71320 — picklescan - Remote Code Execution via Incomplete Disallowed Inputs

picklescan before 0.0.33 contains an incomplete deny-list that fails to block pydoc.locate and operator.methodcaller functions, allowing attackers to bypass security checks. Remote attackers can craf…

picklescan | Remote | Injection
Jun 17, 2026 Jun 17, 2026
4.3 MEDIUM
CVE-2025-32748 — Dell PowerFlex Host Header Injection

Dell PowerFlex Manager, version(s) prior to 5.1.0.1, contain(s) a Host Header Injection vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability to t…

powerflex_rack | Remote | Misconfiguration
Jun 17, 2026 Jun 25, 2026
8.4 HIGH
CVE-2025-26240 — python-pdfkit Local File Read and Remote Code Execution

In JazzCore python-pdfkit 1.0.0, the from_string method enables the execution of JavaScript code within the context of the server application and the exfiltration of local files.

pdfkit | Information Disclosure
Jun 17, 2026 Jun 22, 2026
6.0 MEDIUM
CVE-2026-55748 — OpenStack Horizon: Arbitrary Command Injection via Crafted Project Name in RC File Downlo…

OpenStack Horizon before 25.7.4 produces scripts for OpenStack RC file downloading that may have a crafted project name with shell metacharacters. NOTE: some parties consider this a security hardenin…

horizon horizon | Remote | Injection
Jun 17, 2026 Jun 17, 2026
9.6 CRITICAL
CVE-2026-55743 — OpenHuman desktop agent shell tool sandbox bypass leads to arbitrary command execution

The shell tool command allowlist in the SecurityPolicy of OpenHuman desktop agent through 0.54.0 (default Supervised security policy) can be bypassed to execute arbitrary OS commands with the privile…

Remote
Jun 17, 2026 Jun 17, 2026
9.3 CRITICAL
CVE-2026-54812 — WordPress Motors plugin <= 1.4.109 - SQL Injection vulnerability

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in StylemixThemes Motors allows Blind SQL Injection. This issue affects Motors: from n/a through 1.…

Jun 17, 2026 Jun 17, 2026
7.5 HIGH
CVE-2026-54810 — WordPress Nexi XPay plugin <= 8.3.1 - Broken Access Control vulnerability

Missing Authorization vulnerability in Nexi Payments Nexi XPay allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Nexi XPay: from n/a through 8.3.1.

Remote | Authorization
Jun 17, 2026 Jun 17, 2026
8.6 HIGH
CVE-2026-54415 — Broken Access Control in Azuriom CMS Server Routes Allows Account Takeover

Missing Authorization in the server management routes (routes/admin.php) in Azuriom Azuriom CMS before 1.2.11 on all platforms allows an authenticated attacker with the admin.access permission to cre…

Remote | Authorization
Jun 17, 2026 Jun 17, 2026
8.1 HIGH
CVE-2026-49502 — Dell PowerFlex Manager Improper Authentication

Dell PowerFlex Manager, version(s) prior to 5.1.0.1, contain(s) an Improper Authentication vulnerability. An unauthenticated attacker with adjacent network access could potentially exploit this vulne…

Jun 17, 2026 Jun 25, 2026
6.3 MEDIUM
CVE-2026-48142 — NGINX ngx_http_charset_module vulnerability

NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_charset_module module. When content is served or proxied through a location block with both source_charset utf-8; and a charset d…

Jun 17, 2026 Jun 22, 2026
6.8 MEDIUM
CVE-2026-48117 — DroneAware's Improper Account Activation in Registration and SSO Flows Leads to Account T…

DroneAware is a drone detection platform. The centralized DroneAware server backing droneaware.io was vulnerable to an account pre-hijacking attack in which an attacker could register an account usin…

Remote | Authentication
Jun 17, 2026 Jun 17, 2026
9.8 CRITICAL
CVE-2026-47103 — Python StateMachine 3.0.0 < 3.2.0 RCE via SCXML eval() Injection

Python StateMachine versions 3.0.0 before 3.2.0 contain a remote code execution vulnerability that allows attackers to execute arbitrary code by supplying malicious SCXML documents containing crafte…

Remote | Injection
Jun 17, 2026 Jun 18, 2026
9.2 CRITICAL
CVE-2026-42530 — NGINX Open-Source ngx_http_v3_module vulnerability

NGINX Open Source has a vulnerability in the ngx_http_v3_module module. When NGINX Open Source is configured to use the HTTP/3 QUIC module, a remote unauthenticated attacker along with conditions bey…

nginx_open_source | Remote | Memory Corruption
Jun 17, 2026 Jun 30, 2026
9.2 CRITICAL
CVE-2026-42055 — NGINX ngx_http_proxy_v2_module and ngx_http_grpc_module vulnerability

NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_proxy_v2_module and ngx_http_grpc_module modules. This vulnerability exists when the proxy_http_version to 2 or grpc_pass directi…

nginx_plus nginx_open_source | Remote | Memory Corruption
Jun 17, 2026 Jun 30, 2026
4.8 MEDIUM
CVE-2026-40641 — Dell PowerFlex Manager Cryptographic Algorithm Weakness

Dell PowerFlex Manager, version(s) prior to 5.1.0.1, contain(s) a Use of a Broken or Risky Cryptographic Algorithm vulnerability. An unauthenticated attacker with remote access could potentially exp…

Jun 17, 2026 Jun 25, 2026
Showing 20 of 7983 Results