Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score | Vulnerability | Published
9.8 CRITICAL
CVE-2026-11714 — IBM WebSphere Application Server Liberty is affected by an authorization bypass vulnerabi…

IBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.7 is affected by a server-side request forgery vulnerability when the apiDiscovery-1.0 feature is enabled.

Jun 30, 2026 Jul 02, 2026
9.3 CRITICAL
CVE-2026-11712 — IBM WebSphere Application Server is affected by a cross-site scripting vulnerability

IBM WebSphere Application Server 9.0 and 8.5 are affected by a cross-site scripting vulnerability in the administrative console help system.

websphere_application_server | Remote | Cross-Site Scripting
Jun 30, 2026 Jul 02, 2026
9.3 CRITICAL
CVE-2026-11708 — IBM WebSphere Application Server is affected by a cross-site scripting vulnerability

IBM WebSphere Application Server 9.0 and 8.5 are affected by a cross-site scripting vulnerability in the administrative console's integrated help system.

websphere_application_server | Remote | Cross-Site Scripting
Jun 30, 2026 Jul 02, 2026
7.5 HIGH
CVE-2026-11595 — IBM WebSphere Application Server is affected by a Path Traversal vulnerability

IBM WebSphere Application Server 9.0 and 8.5 could allow a remote attacker to obtain sensitive information from the administrative console's integrated help system.

websphere_application_server | Remote | Information Disclosure
Jun 30, 2026 Jul 02, 2026
9.8 CRITICAL
CVE-2026-11546 — IBM WebSphere Application Server Liberty is affected by a server-side request forgery vul…

IBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.7 is affected by a server-side request forgery vulnerability when the adminCenter-1.0 feature is enabled.

Jun 30, 2026 Jul 02, 2026
8.2 HIGH
CVE-2026-10564 — SSRF Vulnerability in Langflow OSS Legacy Components Bypasses Protection

IBM Langflow OSS 1.0.0 through 1.9.6 contains a Server-Side Request Forgery (SSRF). The legacy RSSReaderComponent in rss.py and SearXNG component in searxng.py make unvalidated HTTP requests to user-…

langflow langflow_oss | Remote | Server-Side Request Forgery
Jun 30, 2026 Jul 02, 2026
9.1 CRITICAL
CVE-2026-10560 — Unauthenticated Access to Private Flow Build Events and Cancellation in Langflow OSS

IBM Langflow OSS 1.0.0 through 1.9.6 contains a missing authentication vulnerability in /api/v1/build_public_tmp/ endpoints that allows an unauthenticated attacker to read build event data or cancel …

langflow langflow_oss | Remote | Authentication
Jun 30, 2026 Jul 02, 2026
7.1 HIGH
CVE-2026-10546 — DNS Rebinding TOCTOU Bypass of SSRF Protection in Langflow OSS URL Component

IBM Langflow OSS 1.0.0 through 1.9.3 contains a Server-Side Request Forgery (SSRF) vulnerability in the URL component ( src/lfx/src/lfx/components/data_source/url.py ) due to a Time-of-Check/Time-of-…

langflow langflow_oss | Remote | Server-Side Request Forgery
Jun 30, 2026 Jul 02, 2026
9.6 CRITICAL
CVE-2026-10140 — Cross-Tenant API Key Reuse and Billing Fraud in Langflow Voice Mode Subsystem

IBM Langflow OSS 1.0.0 through 1.10.0 voice mode contains improper shared-state handling that allows reuse of API clients across tenant boundaries. An authenticated attacker can manipulate cache stat…

langflow langflow_oss | Remote | Misconfiguration
Jun 30, 2026 Jul 02, 2026
10.0 CRITICAL
CVE-2026-10134 — Unauthenticated Server-Side RCE via PythonCodeStructuredTool in Public Flows

IBM Langflow OSS 1.0.0 through 1.9.3 allows an attacker to read every secret available to the Langflow process, read and modify every flow, conversation, message, file upload, and saved component in …

langflow langflow_oss | Remote | Server-Side Request Forgery
Jun 30, 2026 Jul 02, 2026
8.5 HIGH
CVE-2026-10129 — SSRF via HTTP Redirect Following in Langflow API Request Component

IBM Langflow OSS 1.0.0 through 1.9.3 contains a Server-Side Request Forgery (SSRF) protection bypass vulnerability in the API Request component. An authenticated attacker with low-level privileges (f…

langflow langflow_oss | Remote | Server-Side Request Forgery
Jun 30, 2026 Jul 02, 2026
9.8 CRITICAL
CVE-2026-10109 — IBM® Db2® is vulnerable to remote code execution due to improper pre-auth DRDA handshake …

IBM Db2 11.5.0 through 11.5.9 and 12.1.0 through 12.1.4 are vulnerable to remote code execution due to improper pre-auth DRDA handshake handling.

db2 | Remote | Authentication
Jun 30, 2026 Jul 02, 2026
6.5 MEDIUM
CVE-2025-36372 — IBM® Db2® could disclose sensitive information to an authenticated user from the monitori…

IBM Db2 11.5.0 through 11.5.9 and 12.1.0 through 12.1.4 for Linux, UNIX and Windows (including Db2 Connect Server) could disclose sensitive information to an authenticated user from the monitoring an…

linux_kernel db2 windows unix | Remote | Information Disclosure
Jun 30, 2026 Jul 02, 2026
9.8 CRITICAL
CVE-2026-58138 — Orkes Conductor 3.21.21 < 3.30.2 Unauthenticated RCE via GraalVM Script Evaluators

Orkes Conductor 3.21.21 before 3.30.2 contains an unauthenticated remote code execution vulnerability that allows remote attackers to execute arbitrary OS commands by submitting inline workflow defin…

Remote | Injection
Jun 30, 2026 Jul 02, 2026
7.2 HIGH
CVE-2026-10513 — Webmention <= 5.8.0 - Unauthenticated Stored Cross-Site Scripting via MF2 'photo'/'url' A…

The Webmention plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to and including 5.8.0 via parser-derived 'avatar' and 'url' author metadata. This is due to insufficie…

Remote | Cross-Site Scripting
Jun 30, 2026 Jul 01, 2026
6.5 MEDIUM
CVE-2026-9263 — Out-of-bounds read in Bluetooth Controller ISOAL framed RX reassembly leaks adjacent memo…

The Zephyr Bluetooth controller ISO Adaptation Layer (subsys/bluetooth/controller/ll_sw/isoal.c) fails to validate the length field of a framed ISO PDU start segment. Per the Bluetooth specification …

zephyr | Memory Corruption
Jun 30, 2026 Jul 01, 2026
7.3 HIGH
CVE-2026-8864 — HP Fan Control App – Potential Escalation of Privilege

The HP Fan Control App might allow local escalation of privileges. An updated version of HP Fan Control App has been released to mitigate this potential vulnerability.

hp_fan_control_app | Authorization
Jun 30, 2026 Jul 02, 2026
8.6 HIGH
CVE-2026-58377 — JeecgBoot 3.9.2 - Missing Authorization on OpenAPI Credential Management Endpoints Expose…

JeecgBoot through 3.9.2 contains a broken access control vulnerability that allows authenticated low-privilege users to perform full create, read, update, and delete operations on OpenAPI credentials…

jeecgboot | Remote | Authorization
Jun 30, 2026 Jul 01, 2026
7.6 HIGH
CVE-2026-58376 — Dolibarr - SQL Injection via sqlfilters Parameter in Multiple REST API List Endpoints

Dolibarr through 23.0.3, fixed in commit 14db36e, contains a sql injection vulnerability that allows authenticated API users to exfiltrate arbitrary database contents by supplying malicious values to…

dolibarr_erp/crm | Remote | Injection
Jun 30, 2026 Jul 02, 2026
8.7 HIGH
CVE-2026-58375 — JimuReport 2.5.0 - Unauthenticated Report Export via /jmreport/auto/export

JimuReport through 2.5.0 exposes the POST /jmreport/auto/export endpoint without authentication: the handler is annotated @JimuNoLoginRequired, so JimuReportTokenInterceptor skips all authentication …

jimureport | Remote | Authentication
Jun 30, 2026 Jul 02, 2026
Showing 20 of 7912 Results