Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
5.3 MEDIUM
CVE-2026-57521 — Bitwarden Server < 2026.5.0 Broken Access Control via PreviewInvoiceController

Bitwarden Server before 2026.5.0 contains a broken access control vulnerability that allows any authenticated user to access arbitrary organization billing data by supplying an arbitrary organization…

server | Remote | Authorization
Jun 25, 2026 Jun 27, 2026
Jun 25, 2026
Jun 27, 2026
7.1 HIGH
CVE-2026-57520 — Bitwarden Server < 2026.5.0 Privilege Escalation via Bulk User Remove Endpoint

Bitwarden Server before 2026.5.0 contains a privilege escalation vulnerability that allows authenticated Custom users with ManageUsers permission to remove Admin accounts from an organization by expl…

server | Remote | Authorization
Jun 25, 2026 Jun 30, 2026
Jun 25, 2026
Jun 30, 2026
6.3 MEDIUM
CVE-2026-55964 — Chain intermediate CA:TRUE without keyCertSign accepted as a signing CA (temporary CA exe…

Chain intermediate CA:TRUE without keyCertSign accepted as a signing CA. Intermediate CA certificates are required to have the keyCertSign key usage when a Key Usage extension is present, but chain-s…

wolfssl | Remote | Misconfiguration
Jun 25, 2026 Jun 26, 2026
Jun 25, 2026
Jun 26, 2026
8.2 HIGH
CVE-2026-55960 — Un-negotiated Raw Public Key (RFC 7250) accepted in place of X.509, bypassing chain valid…

Un-negotiated Raw Public Key (RFC 7250) accepted in place of an X.509 certificate, bypassing chain validation. A raw public key has no chain, so ParseCertRelative() accepts it without performing any …

wolfssl | Remote | Misconfiguration
Jun 25, 2026 Jun 26, 2026
Jun 25, 2026
Jun 26, 2026
8.3 HIGH
CVE-2026-55958 — Renesas TSIP TLS 1.3 transcript buffer out-of-bounds write in tsip_StoreMessage

Out-of-bounds write in the Renesas TSIP TLS 1.3 transcript buffer. In tsip_StoreMessage() the capacity check guarding the fixed message bag (MSGBAG_SIZE) sets an error code but fails to return, so ex…

wolfssl | Remote | Memory Corruption
Jun 25, 2026 Jun 26, 2026
Jun 25, 2026
Jun 26, 2026
7.5 HIGH
CVE-2026-46602 — Lack of limit on tile sizes in x/image/tiff in golang.org/x/image

The TIFF decoder does not set a limit on the size of tiles in tiled images, permitting a malicious or corrupt image containing a very large tile to cause unbounded memory consumption.

tiff | Remote | Denial of Service
Jun 25, 2026 Jun 26, 2026
Jun 25, 2026
Jun 26, 2026
7.5 HIGH
CVE-2026-46601 — Panic on VP8 alpha channel size mismatch in x/image/webp in golang.org/x/image

The webp decoder can panic when processing a VP8 chunk with dimensions that do not match the canvas size.

image | Remote | Denial of Service
Jun 25, 2026 Jun 26, 2026
Jun 25, 2026
Jun 26, 2026
7.5 HIGH
CVE-2026-37454 — MSI NBFoundation Service Insecure Permissions

Insecure Permissions vulnerability in MSI NBFoundation Service v.2.0.2506.1201 allows a remote attacker to obtain sensitive information via the 3DES-ECB encryption

Remote | Cryptography
Jun 25, 2026 Jun 26, 2026
Jun 25, 2026
Jun 26, 2026
7.5 HIGH
CVE-2026-37453 — MSI NBFoundation Service Insecure Permissions Vulnerability

Insecure Permissions vulnerability in MSI NBFoundation Service v.2.0.2506.1201 allows a remote attacker to obtain sensitive information via the MSI_SERVICE_2 pipe

Remote | Information Disclosure
Jun 25, 2026 Jun 26, 2026
Jun 25, 2026
Jun 26, 2026
7.7 HIGH
CVE-2026-37149 — Grocery Store Management System PHP SQL Injection

GROCERY-STORE-MANAGEMENT-SYSTEM-USING-PHP-AND-MYSQL-PHPMYADMIN v1.0 was discovered to contain a SQL injection vulnerability in the scost parameter in /grocery/search_products.php. This vulnerability …

| Injection
Jun 25, 2026 Jun 26, 2026
Jun 25, 2026
Jun 26, 2026
4.2 MEDIUM
CVE-2026-2299 — Improper Access Control in Mattermost Google Drive Plugin File Creation Endpoint

The Mattermost Google Drive plugin before version 1.1.0 fails to validate channel membership in the file creation endpoint, allowing authenticated users with a connected Google account to share Googl…

Remote | Authorization
Jun 25, 2026 Jun 26, 2026
Jun 25, 2026
Jun 26, 2026
7.5 HIGH
CVE-2026-12340 — Out-of-bounds heap read in SM2/SM3 certificate Subject Key Identifier computation

Out-of-bounds heap read during SM2/SM3 certificate signature verification. When parsing a certificate with an SM3wSM2 signature, the Subject Key Identifier computation reads the trailing 65 bytes of …

wolfssl | Remote | Memory Corruption
Jun 25, 2026 Jun 26, 2026
Jun 25, 2026
Jun 26, 2026
8.7 HIGH
CVE-2026-11310 — X.509 trust-chain bypass in wolfSSL_X509_verify_cert() via untrusted intermediate anchori…

X.509 trust-chain bypass in the OpenSSL compatibility certificate verifier (wolfSSL_X509_verify_cert()). This affects only builds with --enable-opensslextra (OPENSSL_EXTRA) and whose application vali…

wolfssl | Remote | Authentication
Jun 25, 2026 Jun 26, 2026
Jun 25, 2026
Jun 26, 2026
6.3 MEDIUM
CVE-2026-10592 — Wildcard DNS SAN bypasses CA name-constraint checks

Certificates with wildcard DNS SANs (e.g. *.example.com) bypassed CA name-constraint checks. A certificate with a wildcard DNS SAN that should be rejected by the issuing CA's permitted/excluded DNS n…

wolfssl | Remote | Misconfiguration
Jun 25, 2026 Jun 26, 2026
Jun 25, 2026
Jun 26, 2026
7.5 HIGH
CVE-2026-10512 — X25519 x86_64 assembly final reduction leaves non-canonical field element

The X25519 x86_64 assembly implementation fails to clear the most significant bit during the final modular reduction, so the computed result may not be fully reduced modulo the field prime 2^255 - 19…

wolfssl | Remote | Cryptography
Jun 25, 2026 Jun 26, 2026
Jun 25, 2026
Jun 26, 2026
8.3 HIGH
CVE-2026-10097 — ML-KEM-1024 x64 AVX2 incomplete cipher text comparison enables IND-CCA2 break and static …

wolfSSL's AVX2-optimized ML-KEM implementation (mlkem_cmp_avx2) compares only 1536 of the 1568 ciphertext bytes during the Fujisaki-Okamoto re-encryption check in ML-KEM-1024 decapsulation. Ciphertex…

wolfssl | Remote | Cryptography
Jun 25, 2026 Jun 26, 2026
Jun 25, 2026
Jun 26, 2026
6.1 MEDIUM
CVE-2025-60465 — GPAC MP4Box Use-After-Free Denial-of-Service

A use-after-free in the gf_filter_pid_inst_swap function (/filter_core/filter_pid.c) of GPAC Project/MP4Box before 26.02.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted …

gpac | Memory Corruption
Jun 25, 2026 Jun 30, 2026
Jun 25, 2026
Jun 30, 2026
7.8 HIGH
CVE-2025-60464 — GPAC MP4Box Use-After-Free

A use-after-free in the gf_sei_load_from_state_internal function (/filters/sei_load.c) of GPAC Project/MP4Box before 26.02.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafte…

gpac | Memory Corruption
Jun 25, 2026 Jun 30, 2026
Jun 25, 2026
Jun 30, 2026
10.0 CRITICAL
CVE-2026-57700 — WordPress OMGF Pro plugin <= 5.2.6 - Arbitrary File Upload vulnerability

Unrestricted Upload of File with Dangerous Type vulnerability in Daan.Dev OMGF Pro allows Using Malicious Files. This issue affects OMGF Pro: from n/a through 5.2.6.

Remote | Misconfiguration
Jun 25, 2026 Jun 29, 2026
Jun 25, 2026
Jun 29, 2026
7.3 HIGH
CVE-2026-56790 — CANBoat - Off-by-One Global Buffer Overflow in searchForPgn()

CANBoat through 6.22, fixed in commit a5a22b7, contains an off-by-one global buffer overflow in the searchForPgn() function in analyzer/pgn.c that allows remote attackers to crash the application. At…

| Memory Corruption
Jun 25, 2026 Jun 26, 2026
Jun 25, 2026
Jun 26, 2026
Showing 20 of 7989 Results