Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
6.9 MEDIUM
CVE-2026-56213 — Capgo - Unauthenticated Cross-Tenant Metrics Poisoning via upsert_version_meta RPC

Capgo before 12.128.2 contains an authorization bypass vulnerability in the public.upsert_version_meta SECURITY DEFINER function exposed via PostgREST RPC, allowing unauthenticated attackers to inser…

Remote | Authorization
Jun 20, 2026 Jun 22, 2026
Jun 20, 2026
Jun 22, 2026
5.1 MEDIUM
CVE-2026-56212 — Capgo - Improper 2FA Enforcement Logic via Team Security Settings

Capgo before 12.128.2 contains an authentication logic flaw: a user with permission to manage team or organization security settings can enable mandatory two-factor authentication for all team member…

Remote | Authentication
Jun 20, 2026 Jun 23, 2026
Jun 20, 2026
Jun 23, 2026
9.8 CRITICAL
CVE-2026-11551 — Branda – White Label & Branding, Free Login Page Customizer <= 3.4.29 - Unauthenticated P…

The Branda plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.4.29. This is due to the plugin not properly validating a user's ide…

branda | Remote | Authentication
Jun 20, 2026 Jun 23, 2026
Jun 20, 2026
Jun 23, 2026
8.7 HIGH
CVE-2026-56082 — Capgo - Unauthenticated Cross-Tenant Billing Log Tampering via public.record_build_time R…

Capgo (Cap-go/capgo) before 12.128.2 contains an improper access control vulnerability in the SECURITY DEFINER PostgREST RPC function public.record_build_time, which is granted to the anon role and c…

Remote | Authorization
Jun 19, 2026 Jun 22, 2026
Jun 19, 2026
Jun 22, 2026
9.3 CRITICAL
CVE-2026-56081 — Cap-go - Account Lockout via 2FA Misconfiguration on Unverified Email

Cap-go before 12.128.2 contains an authentication logic flaw that lets an attacker register and control an account bound to a victim's email address before that email is verified. By enabling two-fac…

Remote | Authentication
Jun 19, 2026 Jun 22, 2026
Jun 19, 2026
Jun 22, 2026
6.9 MEDIUM
CVE-2026-56080 — Cap-go - Authentication Logic Flaw in Enforce Password Policy

Capgo before 12.128.2 contains a flaw in the Enforce Password Policy feature: after a Super Admin enables the policy and successfully changes their password to a compliant one, the backend does not u…

Remote | Authentication
Jun 19, 2026 Jun 24, 2026
Jun 19, 2026
Jun 24, 2026
7.1 HIGH
CVE-2026-56079 — Capgo - Cross-Tenant Authorization Bypass via PostgREST Webhook Access

Capgo before 12.128.2 contains a cross-tenant authorization bypass vulnerability in PostgREST endpoints that allows org-scoped read API keys to access other tenants' webhook secrets and delivery logs…

Remote | Authorization
Jun 19, 2026 Jun 22, 2026
Jun 19, 2026
Jun 22, 2026
9.4 CRITICAL
CVE-2026-56073 — Cap-go - OTP Bypass via Response Manipulation in Email Verification

Cap-go before 12.128.2 contains an authentication bypass vulnerability in OTP verification that allows attackers to bypass email verification by modifying server responses. Attackers can intercept OT…

Remote | Authentication
Jun 19, 2026 Jun 22, 2026
Jun 19, 2026
Jun 22, 2026
7.5 HIGH
CVE-2026-50559 — Authentication/Authorization Bypass via Advanced Path Normalization Vulnerabilities

Quarkus is a Java framework for building cloud-native applications. Prior to versions 3.37.0, 3.36.3, 3.33.2.1, 3.33.3, 3.27.4.1, 3.27.5, and 3.20.6.2, Quarkus HTTP path-based authorization policies …

quarkus | Remote | Authorization
Jun 19, 2026 Jun 30, 2026
Jun 19, 2026
Jun 30, 2026
7.5 HIGH
CVE-2026-50519 — Microsoft Visual Studio Code CoPilot Chat Security Feature Bypass Vulnerability

Initialization of a resource with an insecure default in GitHub Copilot and Visual Studio Code allows an unauthorized attacker to disclose information over a network.

Jun 19, 2026 Jun 29, 2026
Jun 19, 2026
Jun 29, 2026
7.1 HIGH
CVE-2026-49346 — libde265 has a heap buffer overflow in de265_image_get_buffer via SPS dimension integer o…

libde265 is an open source implementation of the h.265 video codec. Prior to version 1.1.0, a crafted H.265 bitstream with large SPS dimensions and 16-bit bit depth causes a signed integer overflow i…

libde265 | Remote | Memory Corruption
Jun 19, 2026 Jun 26, 2026
Jun 19, 2026
Jun 26, 2026
4.3 MEDIUM
CVE-2026-49337 — libde265 has an unbounded memory leak via orphaned slice headers in `read_slice_NAL`

libde265 is an open source implementation of the h.265 video codec. Prior to version 1.0.20, a crafted sequence of H.265 NAL units causes `decoder_context::read_slice_NAL()` (`libde265/decctx.cc:481`…

libde265 | Remote | Denial of Service
Jun 19, 2026 Jun 23, 2026
Jun 19, 2026
Jun 23, 2026
7.1 HIGH
CVE-2026-49295 — libde265 has an out-of-bounds write in process_reference_picture_set via predicted short-…

libde265 is an open source implementation of the h.265 video codec. Prior to version 1.0.20, a crafted H.265 bitstream can cause an out-of-bounds array write in `decoder_context::process_reference_pi…

libde265 | Remote | Memory Corruption
Jun 19, 2026 Jun 26, 2026
Jun 19, 2026
Jun 26, 2026
1.3 LOW
CVE-2026-48794 — Authelia has an Edge Case Access Control Rule Mismatch

Authelia is an open-source authentication and authorization server providing two-factor authentication and single sign-on (SSO) for applications via a web portal. In versions 4.36.0 through 4.39.19, …

authelia | Remote | Authorization
Jun 19, 2026 Jun 23, 2026
Jun 19, 2026
Jun 23, 2026
9.9 CRITICAL
CVE-2026-48584 — Microsoft Azure Synapse Elevation of Privilege Vulnerability

Execution with unnecessary privileges in Azure Synapse allows an authorized attacker to elevate privileges over a network.

Jun 19, 2026 Jun 29, 2026
Jun 19, 2026
Jun 29, 2026
9.6 CRITICAL
CVE-2026-48582 — Microsoft Exchange Online Elevation of Privilege Vulnerability

Missing authorization in Microsoft Exchange Online allows an authorized attacker to elevate privileges over a network.

Jun 19, 2026 Jun 24, 2026
Jun 19, 2026
Jun 24, 2026
6.5 MEDIUM
CVE-2026-48129 — Kestra task inputFiles accepts traversal filenames for worker file writes

Kestra is an open-source, event-driven orchestration platform. Prior to versions 1.3.19, 1.2.19, 1.1.19, and 1.0.43, Kestra task `inputFiles` writes rendered file names directly under the task workin…

kestra | Remote | Path Traversal
Jun 19, 2026 Jun 23, 2026
Jun 19, 2026
Jun 23, 2026
8.8 HIGH
CVE-2026-47645 — Microsoft 365 Copilot's Business Chat Elevation of Privilege Vulnerability

Url redirection to untrusted site ('open redirect') in Microsoft 365 Copilot's Business Chat allows an unauthorized attacker to elevate privileges over a network.

Jun 19, 2026 Jun 26, 2026
Jun 19, 2026
Jun 26, 2026
2.9 LOW
CVE-2026-47203 — Authelia Missing Username Canonicalization in Basic Auth (LDAP)

Authelia is an open-source authentication and authorization server providing two-factor authentication and single sign-on (SSO) for applications via a web portal. In versions 4.38.0 through 4.39.19, …

authelia | Remote | Authentication
Jun 19, 2026 Jun 23, 2026
Jun 19, 2026
Jun 23, 2026
10.0 CRITICAL
CVE-2026-45480 — Azure Active Directory Elevation of Privilege Vulnerability

Improper authentication in Azure Active Directory allows an unauthorized attacker to elevate privileges over a network.

Jun 19, 2026 Jun 24, 2026
Jun 19, 2026
Jun 24, 2026
Showing 20 of 7972 Results