Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
0.0 NONE
CVE-2026-44961 — WordPress XML-RPC addUser Username Validation Bypass

The XML‑RPC API addUser method has a validation bypass introduced in the fix for CVE‑2025‑55129. As a result, API users could create usernames that enabled impersonation or stored XSS attacks. Proper…

revive_adserver adserver | Remote | Authentication
Jun 23, 2026 Jun 25, 2026
Jun 23, 2026
Jun 25, 2026
0.0 NONE
CVE-2026-44960 — OWASP ZAP Stored Cross-Site Scripting

A stored XSS can be exploited by leveraging the usernames as an attack vector. When an admin user viewed the audit log details for affected entries, any malicious JavaScript payload embedded in the u…

revive_adserver adserver | Remote | Cross-Site Scripting
Jun 23, 2026 Jun 25, 2026
Jun 23, 2026
Jun 25, 2026
8.8 HIGH
CVE-2026-44959 — Revive Adserver: Stored Cross-Site Scripting (XSS) via Insufficient Input Validation

A missing validation of user input exists when saving delivery limitations in Revive Adserver 6.0.6 and earlier. A low‑privileged user could add an unexpected component parameter and inject malicious…

revive_adserver adserver | Remote | Injection
Jun 23, 2026 Jun 23, 2026
Jun 23, 2026
Jun 23, 2026
5.4 MEDIUM
CVE-2026-44958 — Revive Adserver Access Control Bypass Vulnerability

An access control bypass allows an advertiser‑level user to activate or deactivate a banner in Revive Adserver 6.0.6 and earlier, even when such permissions were not granted. The banner-edit.php scri…

revive_adserver adserver | Remote | Authorization
Jun 23, 2026 Jun 23, 2026
Jun 23, 2026
Jun 23, 2026
4.3 MEDIUM
CVE-2026-44957 — Revive Adserver XML-RPC Missing Access Control

A missing access control check when invoking various modify methods in the XML‑RPC API of Revive Adserver 6.0.6 and earlier. The API allowed entities to be reassigned to different parent entities, le…

revive_adserver adserver | Remote | Authorization
Jun 23, 2026 Jun 23, 2026
Jun 23, 2026
Jun 23, 2026
0.0 NONE

Low‑privileged users could use their Full Name as a vector for a stored XSS attack. The name is included in system‑generated emails, whose content is stored in the details field of the userlog table.…

revive_adserver adserver | Remote | Cross-Site Scripting
Jun 23, 2026 Jun 25, 2026
Jun 23, 2026
Jun 25, 2026
9.0 CRITICAL
CVE-2026-44792 — n8n: Source Control Pull SQL Injection

n8n is an open source workflow automation platform. Prior to 1.123.43, 2.22.1, and 2.20.7, an attacker with write access to the git repository connected to an n8n Source Control configuration could c…

n8n | Remote | Injection
Jun 23, 2026 Jun 24, 2026
Jun 23, 2026
Jun 24, 2026
9.9 CRITICAL
CVE-2026-44791 — n8n: XML Node Prototype Pollution Patch Bypass

n8n is an open source workflow automation platform. Prior to 1.123.43, 2.22.1, and 2.20.7, an authenticated user with permission to create or modify workflows could bypass the patch for CVE-2026-4223…

n8n | Remote | Authentication
Jun 23, 2026 Jun 24, 2026
Jun 23, 2026
Jun 24, 2026
9.4 CRITICAL
CVE-2026-44790 — n8n: Arbitrary File Read via Git Node

n8n is an open source workflow automation platform. Prior to 1.123.43, 2.22.1, and 2.20.7, an authenticated user with permission to create or modify workflows could inject CLI flags on the Git node's…

n8n | Remote | Injection
Jun 23, 2026 Jun 24, 2026
Jun 23, 2026
Jun 24, 2026
9.9 CRITICAL
CVE-2026-44789 — n8n: HTTP Request Node Pagination Prototype Pollution to RCE

n8n is an open source workflow automation platform. Prior to 1.123.43, 2.22.1, and 2.20.7, an authenticated user with permission to create or modify workflows could achieve global prototype pollution…

n8n | Remote | Injection
Jun 23, 2026 Jun 24, 2026
Jun 23, 2026
Jun 24, 2026
6.5 MEDIUM
CVE-2026-42867 — Langflow: Path Traversal in Knowledge Bases API via Creation Endpoint

Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.9.0, Langflow is vulnerable to Path Traversal in the Knowledge Bases API (POST /api/v1/knowledge_bases). This…

langflow | Remote | Path Traversal
Jun 23, 2026 Jun 26, 2026
Jun 23, 2026
Jun 26, 2026
4.3 MEDIUM

Low‑privileged session IDs generated for the web admin console could be reused in the XML‑RPC API, whose authentication is normally restricted to admin users. An attacker could leverage this to gain …

revive_adserver adserver | Remote | Authentication
Jun 23, 2026 Jun 25, 2026
Jun 23, 2026
Jun 25, 2026
8.8 HIGH
CVE-2026-34916 — Revive Adserver PHP Code Injection

A missing validation of user input when saving delivery limitations in Revive Adserver 6.0.6 and earlier could allow a low‑privileged user to use the logical parameter to inject malicious PHP code in…

revive_adserver | Remote | Injection
Jun 23, 2026 Jun 23, 2026
Jun 23, 2026
Jun 23, 2026
6.1 MEDIUM
CVE-2026-34915 — Revive Adserver Blind SQL Injection

A missing sanitisation of user input in the zone-include.php script of Revive Adserver 6.0.6 and earlier could allow a low‑privileged user to exploit the clientid parameter to perform blind SQL injec…

revive_adserver adserver | Remote | Injection
Jun 23, 2026 Jun 23, 2026
Jun 23, 2026
Jun 23, 2026
8.3 HIGH
CVE-2026-34914 — Revive Adserver Blind SQL Injection

A missing sanitisation of user input in the zone-include.php script of Revive Adserver 6.0.6 and earlier. A low‑privileged user could exploit the clientid parameter to perform blind SQL injection att…

revive_adserver adserver | Remote | Injection
Jun 23, 2026 Jun 23, 2026
Jun 23, 2026
Jun 23, 2026
4.3 MEDIUM
CVE-2026-34913 — Revive Adserver Broken Access Control

A missing access control check when linking trackers to campaigns through the campaign-trackers.php script of Revive Adserver 6.0.6 and earlier could allow a low‑privileged user to link their tracker…

revive_adserver adserver | Remote | Authorization
Jun 23, 2026 Jun 23, 2026
Jun 23, 2026
Jun 23, 2026
4.3 MEDIUM
CVE-2026-34912 — Revive Adserver Missing Access Control Zone Linking Vulnerability

A missing access control check when linking banners or campaigns to a zone through the zone-include.php script of Revive Adserver 6.0.6 and earlier, or via its API allows a low‑privileged user could …

revive_adserver adserver | Remote | Authorization
Jun 23, 2026 Jun 23, 2026
Jun 23, 2026
Jun 23, 2026
8.8 HIGH
CVE-2026-33760 — Langflow: IDOR/BOLA in Monitor API — Missing Ownership Enforcement on 7 Endpoints

Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.9.0, Langflow's /api/v1/monitor router exposes 7 endpoints that perform read, write, and delete operations on…

langflow | Remote | Authorization
Jun 23, 2026 Jun 26, 2026
Jun 23, 2026
Jun 26, 2026
8.7 HIGH
CVE-2026-13007 — Insecure Public Caching on REST API Endpoints in Tenable Identity Exposure

Tenable Identity Exposure contains multiple unauthenticated API endpoints under /w/api/* that expose sensitive application configuration data including cleartext LDAP credentials, SAML configuration,…

identity_exposure | Remote | Information Disclosure
Jun 23, 2026 Jun 25, 2026
Jun 23, 2026
Jun 25, 2026
8.5 HIGH
CVE-2026-12958 — Arbitrary file write in Language Servers for AWS

Missing symlink validation in Language Servers for AWS may allow an arbitrary file write outside of the workspace trust boundary. This may occur when a local user opens a workspace with a maliciously…

| Path Traversal
Jun 23, 2026 Jun 23, 2026
Jun 23, 2026
Jun 23, 2026
Showing 20 of 7990 Results