Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
10.0 CRITICAL
CVE-2026-49869 — Kestra: Unauthenticated Remote Code Execution via Authentication Bypass in `Authenticatio…

Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.45 and 1.3.21, AuthenticationFilter in Kestra OSS uses request.getPath().endsWith("/configs") to whitelist the public confi…

kestra | Remote | Authentication
Jun 26, 2026 Jul 01, 2026
7.7 HIGH
CVE-2026-45807 — Kestra: Path traversal via URL-encoded "%2E%2E" in execution and namespace file endpoints…

Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.43 and 1.3.19, several Kestra API endpoints accept a kestra:// URI from the client and pass it through StorageInterface.par…

kestra | Remote | Path Traversal
Jun 26, 2026 Jul 01, 2026
4.6 MEDIUM
CVE-2026-38571 — Tenda N300 F3 UART Cleartext Credential Storage and Memory Corruption

Cleartext storage and exposure of WPA2 credentials, and missing authentication on the rr/wr memory read/write commands, in the unauthenticated UART debug console of the Tenda N300 F3 (V603) allow a p…

Authentication
Jun 26, 2026 Jun 29, 2026
5.5 MEDIUM
CVE-2026-36908 — Axiomatic Systems Bento4 Stack Overflow Denial of Service

A stack overflow in the AP4_Array<AP4_TrunAtom::Entry>::EnsureCapacity component of axiomatic-systems Bento4 before v1.8.9 allows attackers to cause a Denial of Service (DoS) via a crafted MP4 file.

Memory Corruption
Jun 26, 2026 Jun 29, 2026
5.5 MEDIUM
CVE-2026-36907 — Bento4 Stack Overflow Denial of Service

A stack overflow in the AP4_StsdAtom::AP4_StsdAtom component of axiomatic-systems Bento4 before v1.8.9 allows attackers to cause a Denial of Service (DoS) via a crafted MP4 file.

Memory Corruption
Jun 26, 2026 Jun 29, 2026
7.5 HIGH
CVE-2026-36478 — Technitium DNS Server Denial of Service

An issue in Technitium DNS Server v14.3 and before allows a remote attacker to cause a denial of service via the DnsServerApp.exe, DnsServerApp.dll, and TechnitiumLibrary.Net/Dns/DnsClient.cs components.

Remote | Denial of Service
Jun 26, 2026 Jun 29, 2026
8.5 HIGH
CVE-2026-54353 — Budibase: Potential SSRF DNS rebinding bypass in outbound fetch validation

Budibase is an open-source low-code platform. Prior to 3.39.9, authenticated users with automation permissions can bypass Budibase's SSRF blacklist through DNS rebinding. The outbound fetch flow vali…

budibase | Remote | Server-Side Request Forgery
Jun 26, 2026 Jun 30, 2026
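The rebinding pattern named in the CVE-2026-54353 entry, as an added Python example (not Budibase's code): the blocklist check resolves the hostname and vets the address, but then hands the hostname to the HTTP client, which resolves it a second time and gets an internal address. The hardened variant resolves once and connects to the vetted address. The resolver and `fake_connect` are offline stand-ins, and the domain and addresses are constructed.

```python
"""DNS rebinding against an SSRF blocklist: validating the hostname's address
and then letting the HTTP client resolve it again gives the attacker a second
lookup to answer with an internal address. Constructed example, not Budibase's
code; the resolver and connect function are offline fakes, and the hostname
and addresses are made up."""
import ipaddress
from typing import Callable, List, Tuple


def is_internal(ip: str) -> bool:
    """True for loopback, RFC1918, link-local, unspecified, multicast and reserved
    space. IPv4-mapped IPv6 (::ffff:127.0.0.1) is unwrapped first so it cannot
    slip past the IPv4 checks."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_unspecified or addr.is_multicast or addr.is_reserved)


class RebindingResolver:
    """Answers successive lookups of a name with successive entries of `answers`,
    like a short-TTL rebinding domain: a public address first, an internal one next."""

    def __init__(self, answers: List[str]) -> None:
        self.answers = list(answers)
        self.calls = 0

    def __call__(self, host: str) -> str:
        ip = self.answers[min(self.calls, len(self.answers) - 1)]
        self.calls += 1
        return ip


def fake_connect(ip: str, host: str) -> str:
    """Stands in for opening a socket to `ip` with Host/SNI set to `host`."""
    return f"connected to {ip} for {host}"


def fetch_weak(host: str, resolve: Callable[[str], str], connect=fake_connect) -> str:
    """Vet the address the name resolves to, then hand the *name* to the client,
    which resolves it again: the check and the use see different answers."""
    if is_internal(resolve(host)):
        raise PermissionError(f"{host} resolves to an internal address")
    return connect(resolve(host), host)


def fetch_pinned(host: str, resolve: Callable[[str], str], connect=fake_connect) -> str:
    """Resolve once, vet that address, and connect to exactly that address;
    the hostname only travels in the Host header / SNI."""
    ip = resolve(host)
    if is_internal(ip):
        raise PermissionError(f"{host} resolves to an internal address")
    return connect(ip, host)


def demo() -> Tuple[str, str]:
    """Run both flows against a resolver that answers public first, loopback second."""
    target = "rebind.example"                               # constructed attacker domain
    answers = ["93.184.216.34", "127.0.0.1"]                # constructed: public, then internal
    weak = fetch_weak(target, RebindingResolver(answers))
    pinned = fetch_pinned(target, RebindingResolver(answers))
    return weak, pinned
```

Pinning has to survive redirects (re-run `fetch_pinned` per hop) and must not weaken TLS: the socket goes to the vetted IP, but the certificate is still validated against the original hostname. Real clients expose hooks for this (a custom `lookup` on Node's `http.request`, a transport adapter in Python `requests`); without them, a hostname-based blocklist is only as good as the attacker's TTL.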
9.6 CRITICAL
CVE-2026-54352 — Budibase: Arbitrary file read by workspace-builder via PWA-zip symlink upload

Budibase is an open-source low-code platform. Prior to 3.39.9, `POST /api/pwa/process-zip` at packages/server/src/api/routes/static.ts:24 accepts a builder-uploaded .zip, extracts it with extract-zip…

budibase | Remote | Path Traversal
Jun 26, 2026 Jun 30, 2026
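The symlink-in-zip problem from the CVE-2026-54352 entry, as an added Python example (not Budibase's code and not `extract-zip`): a zip whose `icon.png` entry is a symbolic link to a host file, extracted by code that recreates links, is later served as if it were the icon. The extractor below refuses symlink entries and path traversal before writing, and the serving side re-checks the real path. The archive contents, file names and link target are constructed for the demo.

```python
"""Archive extraction that later serves the files must reject symlink entries
(and path traversal) up front, otherwise a link named icon.png pointing at a
host file is read back as the icon. Constructed example, not Budibase's code;
the zip contents below are built inline."""
import io
import os
import stat
import tempfile
import zipfile
from typing import Dict, List, Tuple


def build_zip(entries: List[Tuple[str, str, bool]]) -> bytes:
    """entries: (name, body, is_symlink). For a symlink the body is the link target,
    which is how zip stores links: the mode bits in external_attr mark the type."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body, is_link in entries:
            info = zipfile.ZipInfo(name)
            info.create_system = 3                       # Unix: external_attr carries st_mode
            mode = (stat.S_IFLNK | 0o777) if is_link else (stat.S_IFREG | 0o644)
            info.external_attr = mode << 16
            zf.writestr(info, body)
    return buf.getvalue()


def is_symlink(info: zipfile.ZipInfo) -> bool:
    """Symlinks are flagged only in the Unix mode bits of external_attr."""
    return stat.S_ISLNK(info.external_attr >> 16)


def safe_extract(data: bytes, dest: str) -> List[str]:
    """Extract regular files whose real path stays under dest. Symlink entries,
    absolute names and '..' components are rejected before anything is written."""
    dest = os.path.realpath(dest)
    names: List[str] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if is_symlink(info):
                raise ValueError(f"symlink entry refused: {info.filename}")
            target = os.path.realpath(os.path.join(dest, info.filename))
            if os.path.commonpath([dest, target]) != dest:
                raise ValueError(f"entry escapes destination: {info.filename}")
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            names.append(info.filename)
    return names


def safe_read(dest: str, name: str) -> bytes:
    """Serving side: resolve symlinks after extraction as well, so a link that
    got in by any other route still cannot point outside dest."""
    dest = os.path.realpath(dest)
    path = os.path.realpath(os.path.join(dest, name))
    if os.path.commonpath([dest, path]) != dest:
        raise ValueError(f"refusing to read outside destination: {name}")
    with open(path, "rb") as f:
        return f.read()


def demo() -> Dict[str, object]:
    """Three constructed bundles: a symlink to a host file, a '..' name, and a benign one."""
    symlink_zip = build_zip([("manifest.json", '{"name":"demo"}', False),
                             ("icon.png", "/etc/hostname", True)])
    traversal_zip = build_zip([("../../outside.txt", "x", False)])
    benign_zip = build_zip([("index.html", "<html></html>", False)])
    result: Dict[str, object] = {}
    for label, blob in (("symlink", symlink_zip), ("traversal", traversal_zip)):
        with tempfile.TemporaryDirectory() as d:
            try:
                safe_extract(blob, d)
                result[label] = "accepted"
            except ValueError:
                result[label] = "rejected"
    with tempfile.TemporaryDirectory() as d:
        result["benign"] = safe_extract(benign_zip, d)
        result["served"] = safe_read(d, "index.html")
    return result
```

Python's own `ZipFile.extractall` happens to write symlink entries as regular files holding the target path, so it does not reproduce the read; extractors that honour the mode bits (as many Node and Go libraries do) create the link, and the next `readFile` on the bundle follows it. Checking the entry type before extraction and the real path before serving closes both ends.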
9.6 CRITICAL
CVE-2026-54351 — Budibase: Mass Assignment in Webhook Trigger Allows Cross-Workspace Automation Execution …

Budibase is an open-source low-code platform. Prior to 3.39.9, the webhook trigger endpoint in Budibase is publicly accessible and passes the full HTTP request body into automation execution paramete…

budibase | Remote | Authentication
Jun 26, 2026 Jun 30, 2026
10.0 CRITICAL
CVE-2026-54350 — Budibase: Anonymous NoSQL operator injection via published-app query templates

Budibase is an open-source low-code platform. Prior to 3.39.12, an unauthenticated visitor of any published Budibase app reads every document of the backing MongoDB, CouchDB, Elasticsearch, DynamoDB…

budibase | Remote | Injection
Jun 26, 2026 Jun 30, 2026
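The two body-handling faults in the CVE-2026-54351 and CVE-2026-54350 entries share a root cause: a JSON body is forwarded unfiltered. As an added Python example (not Budibase's code), the block below shows a query template bound with a caller-supplied object that turns into a MongoDB-style operator, beside a binder that only accepts scalars and rejects `$`-prefixed keys at any depth, and a webhook handler that copies the whole body into automation parameters beside one that keeps only the fields the trigger declares. The template, field names and request bodies are made up.

```python
"""Two ways an unfiltered request body reaches a backend: (1) a JSON object
bound into a datasource query template becomes a query operator, (2) a
webhook body copied wholesale into automation parameters lets the caller set
fields the trigger never declared. Constructed example, not Budibase's code;
the template, field names and bodies are made up."""
from typing import Any, Dict, Iterable


class UnsafeValue(ValueError):
    pass


def reject_operators(value: Any, path: str = "input") -> None:
    """Walk a JSON value and refuse any object key beginning with '$', the
    operator prefix in MongoDB-style queries, at any depth."""
    if isinstance(value, dict):
        for key, sub in value.items():
            if not isinstance(key, str) or key.startswith("$"):
                raise UnsafeValue(f"operator key {key!r} at {path}")
            reject_operators(sub, f"{path}.{key}")
    elif isinstance(value, list):
        for i, sub in enumerate(value):
            reject_operators(sub, f"{path}[{i}]")


def _is_binding(value: Any) -> bool:
    return isinstance(value, str) and value.startswith("{{") and value.endswith("}}")


def bind_query_weak(template: Dict[str, Any], params: Dict[str, Any]) -> Dict[str, Any]:
    """Substitute each {{ name }} binding with whatever the caller sent, as-is.
    {"email": {{ email }}} with email = {"$ne": ""} now matches every document."""
    out: Dict[str, Any] = {}
    for field, binding in template.items():
        out[field] = params.get(binding[2:-2].strip()) if _is_binding(binding) else binding
    return out


SCALARS = (str, int, float, bool, type(None))


def bind_query(template: Dict[str, Any], params: Dict[str, Any],
               scalar_only: bool = True) -> Dict[str, Any]:
    """Same substitution, but a bound value must be a scalar (the right default for
    anonymous visitors of a published app) and may never carry operator keys."""
    out: Dict[str, Any] = {}
    for field, binding in template.items():
        if not _is_binding(binding):
            out[field] = binding
            continue
        name = binding[2:-2].strip()
        value = params.get(name)
        if scalar_only and not isinstance(value, SCALARS):
            raise UnsafeValue(f"{name}: expected a scalar, got {type(value).__name__}")
        reject_operators(value, name)
        out[field] = value
    return out


DECLARED_FIELDS = ("orderId", "status")        # assumed: inputs the webhook trigger declares


def webhook_params_weak(body: Dict[str, Any]) -> Dict[str, Any]:
    """Everything in the body becomes an execution parameter, including any
    routing or identity fields the caller chose to add."""
    return dict(body)


def webhook_params(body: Dict[str, Any],
                   declared: Iterable[str] = DECLARED_FIELDS) -> Dict[str, Any]:
    """Only declared inputs are copied; workspace and automation identity come
    from the server-side route, never from the body."""
    return {key: body[key] for key in declared if key in body}
```

Rejecting `$`-keys is the backstop; the primary control is the scalar-only default, since a template field almost never needs a caller-supplied object. For the webhook, the allowlist has to be keyed by the trigger's declared schema, not by "anything that is not obviously internal".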
7.5 HIGH
CVE-2026-52885 — Notepad++ TOCTOU: HMAC Checks Disk, Executes from Memory

Notepad++ is a free and open-source source code editor. Prior to 8.9.6.4, NppCommands.cpp checks the HMAC of the on-disk shortcuts.xml at the moment a user command fires (Time-of-Check). However, the…

notepad++ | Misconfiguration
Jun 26, 2026 Jun 29, 2026
7.8 HIGH
CVE-2026-52884 — Notepad++: CVE-2026-48800 Bypass

Notepad++ is a free and open-source source code editor. In v8.9.6.1, isInTrustedDirectory() does NOT canonicalize the path before checking. It uses a prefix-based check (PathIsPrefix() or equivalent)…

notepad++ | Path Traversal
Jun 26, 2026 Jun 29, 2026
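Three of the entries above fail the same way: a security decision is taken on the raw path string rather than its canonical form. The Kestra CVE-2026-49869 entry describes an `endsWith("/configs")` allowlist, the Kestra CVE-2026-45807 entry a traversal check defeated by `%2E%2E`, and the Notepad++ CVE-2026-52884 entry a prefix check on an uncanonicalized path. As an added Python example (not Kestra's or Notepad++'s code, using POSIX paths rather than Windows ones), each weak check is shown beside a version that decodes and normalizes first. The routes, the `kestra:///` layout, the `/api/v1/flows/configs` protected route and the trusted directory are assumptions for the demo.

```python
"""Three path checks done on the raw request string, each beside the
canonical-path version. Constructed example in Python (POSIX paths, not
Windows ones), not Kestra's or Notepad++'s code; the routes, the kestra:///
layout and the trusted directory are assumptions."""
import posixpath
from typing import Optional
from urllib.parse import unquote, urlsplit

PUBLIC_ROUTES = {"/api/v1/configs"}       # assumed: the only unauthenticated route
PUBLIC_SUFFIX = "/configs"
STORAGE_ROOT = "/ns-a/files"              # assumed: storage root of the caller's namespace
TRUSTED_DIR = "/opt/npp/plugins"          # assumed: directory whose contents may be loaded


def canonical_path(raw: str) -> str:
    """Percent-decode until stable (catches %2E%2E and %252E%252E alike), force a
    leading slash, then collapse '.', '..' and repeated slashes lexically."""
    prev = None
    while prev != raw:
        prev, raw = raw, unquote(raw)
    return posixpath.normpath("/" + raw.lstrip("/"))


# 1. Allowlisting by suffix: any route whose raw path happens to end in
#    "/configs" is treated as public, and the raw string is never normalized.
def is_public_weak(path: str) -> bool:
    return path.endswith(PUBLIC_SUFFIX)


def is_public(path: str) -> bool:
    return canonical_path(path) in PUBLIC_ROUTES


# 2. Traversal check on an encoded URI: looking for the literal ".." misses
#    "%2E%2E", which the storage layer decodes afterwards.
def storage_path_weak(uri: str) -> Optional[str]:
    path = urlsplit(uri).path
    return None if ".." in path else path


def storage_path(uri: str) -> Optional[str]:
    path = canonical_path(urlsplit(uri).path)
    if path == STORAGE_ROOT or path.startswith(STORAGE_ROOT + "/"):
        return path
    return None


# 3. Trusted-directory check by string prefix: a ".." escape and a sibling
#    directory sharing the prefix both pass.
def in_trusted_dir_weak(path: str) -> bool:
    return path.startswith(TRUSTED_DIR)


def in_trusted_dir(path: str) -> bool:
    path = canonical_path(path)
    return path == TRUSTED_DIR or path.startswith(TRUSTED_DIR + "/")
```

`posixpath.normpath` is lexical and does not follow symlinks; on a real filesystem the trusted-directory check should use `os.path.realpath`. Just as important, the check must canonicalize with the same rules the router or storage layer applies when it later uses the path; if the two disagree, the check is being performed on a string nobody acts on.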
9.4 CRITICAL
CVE-2026-50137 — Budibase: POST /api/attachments/:datasourceId/url is unauthenticated and lets anonymous c…

Budibase is an open-source low-code platform. Prior to 3.39.0, an anonymous attacker who knows or can enumerate a workspace id (app_...) and an S3-source datasource id (ds_...) can call this endpoint…

budibase | Remote | Misconfiguration
Jun 26, 2026 Jun 30, 2026
7.4 HIGH
CVE-2026-50136 — Budibase: Unauthenticated S3 signed upload URL generation allows arbitrary writes with st…

Budibase is an open-source low-code platform. Prior to 3.39.3, the application server exposes an unauthenticated endpoint that generates S3 PutObject presigned URLs using credentials stored in a work…

budibase | Remote | Authentication
Jun 26, 2026 Jun 30, 2026
7.3 HIGH
CVE-2026-50132 — Budibase: Chat Identity Link Hijacking via Missing Consent & CSRF — Account Impersonation…

Budibase is an open-source low-code platform. Prior to 3.39.0, `GET /api/chat-links/:instance/:token/handoff` is a public endpoint (no auth required) that performs a permanent, state-changing operati…

budibase | Remote | Authentication
Jun 26, 2026 Jun 30, 2026
7.8 HIGH
CVE-2026-48800 — Notepad++: Arbitrary Code Execution via shortcuts.xml UserCommand Injection

Notepad++ is a free and open-source source code editor. Prior to 8.9.6.1, the <Command> tag text content inside <UserDefinedCommands> in shortcuts.xml is read by NppXml::value(aNode) (Parameters.cpp:…

notepad++ | Misconfiguration
Jun 26, 2026 Jun 30, 2026
7.8 HIGH
CVE-2026-48778 — Notepad++: Arbitrary Code Execution via config.xml commandLineInterpreter

Notepad++ is a free and open-source source code editor. Prior to 8.9.6.1, the <GUIConfig name="commandLineInterpreter"> tag in config.xml is read by NppXml::value() (Parameters.cpp:6430) and stored i…

notepad++ | Misconfiguration
Jun 26, 2026 Jun 29, 2026
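The Notepad++ entries CVE-2026-48800 and CVE-2026-48778 describe command strings read from user-writable config files, and CVE-2026-52885 describes the integrity check added for them verifying the file on disk while the command is taken from memory. The pattern in general, as an added Python example (not Notepad++'s code): a check on one buffer and a use of another leaves a window in which an attacker swaps the file back. The key, file name, `<Command>` bodies and the simulated attacker writes are all constructed.

```python
"""Verify-then-use must act on one buffer. Checking the HMAC of the file on
disk and then executing a command from a copy loaded earlier leaves a window
in which the two differ. Constructed example, not Notepad++'s code: the key,
file name and <Command> bodies are made up, and the attacker's steps are
simulated by plain file writes."""
import hashlib
import hmac
import os
import tempfile
from typing import Tuple

KEY = b"demo-only-key"      # assumption: a real application derives a per-user secret


def mac(data: bytes) -> str:
    return hmac.new(KEY, data, hashlib.sha256).hexdigest()


class CommandConfig:
    def __init__(self, path: str) -> None:
        self.path = path
        self.loaded = b""

    def load(self) -> None:
        """Parse-time load into memory, with no integrity check of its own."""
        with open(self.path, "rb") as f:
            self.loaded = f.read()

    def run_weak(self, expected: str) -> bytes:
        """Time-of-check on disk, time-of-use in memory."""
        with open(self.path, "rb") as f:
            on_disk = f.read()
        if not hmac.compare_digest(mac(on_disk), expected):
            raise PermissionError("shortcuts file failed integrity check")
        return self.loaded                      # not the bytes that were just verified

    def run(self, expected: str) -> bytes:
        """Verify and use the same bytes; the in-memory copy is replaced by them."""
        with open(self.path, "rb") as f:
            data = f.read()
        if not hmac.compare_digest(mac(data), expected):
            raise PermissionError("shortcuts file failed integrity check")
        self.loaded = data
        return data


def demo() -> Tuple[bytes, bytes]:
    """Attacker-controlled file at load time, legitimate file restored before the
    command fires: the weak path runs the attacker's command, the fixed path does not."""
    legit = b"<Command>notepad.exe</Command>"
    evil = b"<Command>evil.exe</Command>"
    expected = mac(legit)                      # MAC recorded for the legitimate file
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "shortcuts.xml")
        with open(path, "wb") as f:
            f.write(evil)                      # attacker's version present when the editor loads
        cfg = CommandConfig(path)
        cfg.load()
        with open(path, "wb") as f:
            f.write(legit)                     # legitimate file restored before the check
        weak = cfg.run_weak(expected)
        good = cfg.run(expected)
    return weak, good
```

The same rule applies at load time: if the file is parsed into memory, the integrity check belongs on the bytes being parsed, and the parsed command should only ever be executed from the structure that check produced.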
5.0 MEDIUM
CVE-2026-48770 — Notepad++ WM_COPYDATA COPYDATA_FULL_CMDLINE local DoS crash

Notepad++ is a free and open-source source code editor. Prior to 8.9.6.1, a local process in the same interactive Windows session can send a malformed WM_COPYDATA message to Notepad++ using the COPYD…

notepad++ | Memory Corruption
Jun 26, 2026 Jun 29, 2026
7.8 HIGH
CVE-2026-46710 — Notepad++: Privilege Escalation in the Installer via Uncontrolled Executable Search Path

Notepad++ is a free and open-source source code editor. From 8.9.4 until 8.9.6, Notepad++ contains a local privilege escalation vulnerability in the installer. During installation, the installer invo…

notepad++ | Misconfiguration
Jun 26, 2026 Jun 29, 2026
7.5 HIGH
CVE-2026-46604 — Panic decoding image with out-of-bounds strip offset in x/image/tiff in golang.org/x/image

The TIFF decoder can panic when decoding an invalid image with an out-of-bounds strip offset.

tiff | Remote | Memory Corruption
Jun 26, 2026 Jul 01, 2026
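The out-of-bounds strip offset in the CVE-2026-46604 entry is a bounds-check failure in a TIFF reader. As an added Python example (not the `golang.org/x/image/tiff` code), the block below writes a minimal little-endian TIFF whose `StripOffsets` and `StripByteCounts` the caller chooses, and a reader that validates every strip against the file length before slicing instead of trusting the tags. The tag layout is real TIFF; the files themselves are constructed.

```python
"""Bounds-checking TIFF strip offsets before they are used to slice the file.
Constructed example in Python, not the x/image/tiff code: a tiny little-endian
TIFF writer and reader that validates StripOffsets/StripByteCounts against the
file length instead of trusting them."""
import struct
from typing import Dict, List, Tuple

TAG_STRIP_OFFSETS = 273
TAG_STRIP_BYTE_COUNTS = 279
TYPE_SIZE = {1: 1, 2: 1, 3: 2, 4: 4}          # BYTE, ASCII, SHORT, LONG
TYPE_FMT = {1: "B", 2: "B", 3: "H", 4: "I"}


def build_tiff(strip_offset: int, strip_bytes: int, pixels: bytes = b"\x00" * 4) -> bytes:
    """One IFD with ImageWidth, ImageLength, StripOffsets, StripByteCounts, then pixel
    data at offset 62. The caller picks the strip tags, so invalid files can be made."""
    entries = [(256, 3, 1, 2), (257, 3, 1, 2),
               (TAG_STRIP_OFFSETS, 4, 1, strip_offset),
               (TAG_STRIP_BYTE_COUNTS, 4, 1, strip_bytes)]
    ifd = struct.pack("<H", len(entries))
    for tag, typ, count, value in entries:
        ifd += struct.pack("<HHII", tag, typ, count, value)
    ifd += struct.pack("<I", 0)                    # no next IFD
    return struct.pack("<2sHI", b"II", 42, 8) + ifd + pixels


def _values(data: bytes, typ: int, count: int, raw: int) -> List[int]:
    """Decode an IFD entry's values; values wider than 4 bytes live at offset `raw`,
    which is itself untrusted and is checked before it is dereferenced."""
    size = TYPE_SIZE[typ] * count
    fmt = "<" + TYPE_FMT[typ] * count
    if size <= 4:
        return list(struct.unpack(fmt, struct.pack("<I", raw)[:size]))
    if raw > len(data) or size > len(data) - raw:
        raise ValueError(f"IFD value at {raw} (+{size}) is outside the file")
    return list(struct.unpack_from(fmt, data, raw))


def parse_strips(data: bytes) -> List[Tuple[int, int]]:
    """Return [(offset, byte_count), ...] for every strip, rejecting any strip
    that would read past the end of `data`."""
    if data[:2] != b"II":
        raise ValueError("only little-endian TIFF is handled in this demo")
    magic, ifd_off = struct.unpack_from("<HI", data, 2)
    if magic != 42 or ifd_off + 2 > len(data):
        raise ValueError("bad header")
    (n,) = struct.unpack_from("<H", data, ifd_off)
    if ifd_off + 2 + 12 * n + 4 > len(data):
        raise ValueError("IFD runs past end of file")
    tags: Dict[int, List[int]] = {}
    for i in range(n):
        tag, typ, count, raw = struct.unpack_from("<HHII", data, ifd_off + 2 + 12 * i)
        if typ in TYPE_SIZE:
            tags[tag] = _values(data, typ, count, raw)
    offsets = tags.get(TAG_STRIP_OFFSETS, [])
    counts = tags.get(TAG_STRIP_BYTE_COUNTS, [])
    if not offsets or len(offsets) != len(counts):
        raise ValueError("StripOffsets/StripByteCounts missing or mismatched")
    strips = []
    for off, cnt in zip(offsets, counts):
        # Written as cnt > len - off rather than off + cnt > len, so the same check
        # cannot wrap around in a fixed-width integer language.
        if off > len(data) or cnt > len(data) - off:
            raise ValueError(f"strip at {off} (+{cnt}) is outside the file")
        strips.append((off, cnt))
    return strips


def read_strip_data(data: bytes) -> List[bytes]:
    return [data[off:off + cnt] for off, cnt in parse_strips(data)]
```

Python slicing silently truncates, so the unchecked version of this reader would return empty strips rather than crash; in Go the equivalent slice expression panics, which is the denial of service the entry describes. The check is the same either way: every offset and length that comes from the file is validated against the file before it is used as an index.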
Showing 20 of 7972 Results