Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
2.0 LOW
CVE-2026-12888 — HTML injection in the Canarytoken Google Chat notification

An HTML injection vulnerability exists in the Google Chat webhook notification  sent by Thinkst Applied Research Canarytokens, enabling Interface Manipulation in Google Chat. An attacker can insert l…

Remote | Injection
Jun 22, 2026 Jun 23, 2026
Jun 22, 2026
Jun 23, 2026
8.8 HIGH
CVE-2026-12602 — Incorrect permissions in ArubaSign by Aruba

Incorrect default permissions in ArubaSign, affecting versions prior to v4.6.6. The vulnerability is caused by the assignment of inappropriate permissions during the software’s default installation, …

| Misconfiguration
Jun 22, 2026 Jun 22, 2026
Jun 22, 2026
Jun 22, 2026
5.4 MEDIUM
CVE-2026-10601 — Path Traversal in Tempo and Loki Data Source Plugins — Credential Leakage and Admin Endpo…

The Tempo and Loki datasource plugins construct backend HTTP requests by interpolating user-supplied input into URL paths without sanitization, enabling path traversal. A Viewer-role user can: (1) ca…

grafana | Remote | Path Traversal
Jun 22, 2026 Jun 30, 2026
Jun 22, 2026
Jun 30, 2026
10.0 CRITICAL
CVE-2026-10561 — Unauthenticated Remote Code Execution in Langflow OSS PythonREPLComponent via Builtins In…

IBM Langflow OSS 1.0.0 through 1.9.3 has an vulnerability due to an improper isolation of Python execution combined with an authentication bypass that allows an unauthenticated attacker to execute ar…

langflow langflow_oss | Remote | Authentication
Jun 22, 2026 Jun 26, 2026
Jun 22, 2026
Jun 26, 2026
7.5 HIGH
CVE-2025-66389 — GitHub Copilot Unauthorized Filesystem Access via Fetch Webpage

GitHub Copilot 1.372.0 allows filesystem access outside of a workspace folder (without user approval) via a file-handler URI parameter to fetch_webpage. Therefore, exfiltration could occur if there i…

github_copilot | Remote | Misconfiguration
Jun 22, 2026 Jun 30, 2026
Jun 22, 2026
Jun 30, 2026
5.4 MEDIUM
CVE-2025-33128 — IBM Engineering Lifecycle Management - Engineering Workflow Management is impacted by vul…

IBM Engineering Workflow Management 7.0.3 through 7.0.3 Interim Fix 020, and 7.1 through 7.1 Interim Fix 007 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to …

engineering_workflow_management | Remote | Cross-Site Scripting
Jun 22, 2026 Jun 26, 2026
Jun 22, 2026
Jun 26, 2026
6.5 MEDIUM
CVE-2025-2669 — Multiple vulnerabilities affect IBM Db2® on Cloud Pak for Data, and Db2 Warehouse on Clou…

IBM Db2 on Cloud Pak for Data and Db2 Warehouse on Cloud Pak for Data versions 4.8, 5.0, 5.1, 5.2, 5.3 could allow a privileged user to perform operations and obtain sensitive information outside of …

Jun 22, 2026 Jun 30, 2026
Jun 22, 2026
Jun 30, 2026
6.5 MEDIUM
CVE-2024-54178 — Multiple vulnerabilities affect IBM Db2® on Cloud Pak for Data, and Db2 Warehouse on Clou…

IBM Db2 on Cloud Pak for Data and Db2 Warehouse on Cloud Pak for Data versions 4.8,5.0,5.1,5.2,5.3 could allow an authenticated user to cause a denial of service when creating new databases due to im…

Jun 22, 2026 Jun 30, 2026
Jun 22, 2026
Jun 30, 2026
9.4 CRITICAL
CVE-2026-56422 — MISP Core: Mass Assignment and Object Re-ownership via Unvalidated Request Fields

Multiple MISP core controllers and model capture paths accepted client-controlled request fields such as primary keys (id) and ownership/scope foreign keys (event_id, org_id, user_id, sharing_group_i…

misp misp | Remote | Authorization
Jun 22, 2026 Jun 22, 2026
Jun 22, 2026
Jun 22, 2026
9.1 CRITICAL
CVE-2026-11373 — Net::Statsite::Client versions through 1.1.0 for Perl allow metric injections

Net::Statsite::Client versions through 1.1.0 for Perl allow metric injections. Net::Statsite::Client is a client for the statsite protocol, which is a variant of statsd. Newlines are not removed fr…

Remote | Injection
Jun 22, 2026 Jun 22, 2026
Jun 22, 2026
Jun 22, 2026
5.1 MEDIUM
CVE-2026-12863 — Open redirect

An unvalidated redirect was contained in Venueless' social login functionality and could be exploited for phishing using trusted domains.

Remote | Misconfiguration
Jun 22, 2026 Jun 23, 2026
Jun 22, 2026
Jun 23, 2026
5.1 MEDIUM
CVE-2026-12862 — XLSX formula injection in exports

Untrusted user data was passed verbatim to Excel exports for administrators. This allowed formula injection which can be used to compromise the environment of the user loading the file or other data …

Remote | Injection
Jun 22, 2026 Jun 23, 2026
Jun 22, 2026
Jun 23, 2026
7.7 HIGH
CVE-2026-12581 — Digiwin|EasyFlow .NET - Session Fixation

EasyFlow .NET developed by Digiwin has a Session Fixation vulnerability. If unauthenticated remote attackers replace a specific session ID for a user, they can gain the user's privilege once the user…

easyflow_.net | Remote | Authentication
Jun 22, 2026 Jun 22, 2026
Jun 22, 2026
Jun 22, 2026
5.4 MEDIUM
CVE-2026-12580 — Digiwin|EasyFlow .NET - Stored Cross-Site Scripting

EasyFlow .NET developed by Digiwin has a Stored Cross-Site Scripting vulnerability, allowing authenticated remote attackers to inject persistent JavaScript code executed in users' browsers upon page …

easyflow_.net | Remote | Cross-Site Scripting
Jun 22, 2026 Jun 22, 2026
Jun 22, 2026
Jun 22, 2026
8.7 HIGH
CVE-2025-4994 — Authentication Bypass for SafeLine SL6 and SL6+

The SafeLine SL6 and SL6+ devices integrated into elevator emergency intercom systems are vulnerable to an authentication bypass. This vulnerability allows attackers to bypass authentication requirem…

| Authentication
Jun 22, 2026 Jun 22, 2026
Jun 22, 2026
Jun 22, 2026
8.1 HIGH
CVE-2023-45796 — XSS vulnerability in Pilz PASvisu and PMI v8xx

A stored cross-site scripting vulnerability in the Runtime component of Pilz PASvisu before 1.14.1 and PMI v8xx up to and including 2.0.33992 allows a low-privileged remote unauthenticated attacker t…

pasvisu pmi_v8xx | Remote | Cross-Site Scripting
Jun 22, 2026 Jun 22, 2026
Jun 22, 2026
Jun 22, 2026
7.8 HIGH
CVE-2023-45795 — Pilz: XSS vulnerability in Pilz PASvisu and PMI v8xx

A cross-site scripting vulnerability in the Builder Component of Pilz PASvisu before 1.14.1 allows a local unauthenticated attacker to inject malicious javascript and gain full control over the devic…

pasvisu pmi_v8xx | Cross-Site Scripting
Jun 22, 2026 Jun 22, 2026
Jun 22, 2026
Jun 22, 2026
6.3 MEDIUM
CVE-2026-54665 — Apache NiFi: Missing Validation for Proxy Host Headers

Apache NiFi 0.0.1 through 2.9.0 support building qualified URLs from one of several HTTP request headers that provide an alternative to the standard Host header without validating the values provided…

nifi | Remote | Misconfiguration
Jun 22, 2026 Jun 23, 2026
Jun 22, 2026
Jun 23, 2026
7.5 HIGH
CVE-2026-44914 — Apache NiFi: Missing Authorization of Restricted Permissions when Replacing Flow Contents

Apache NiFi 1.12.0 through 2.9.0 are missing authorization when replacing Process Groups that include extension components with specific Required Permissions based on the Restricted annotation. The R…

nifi | Remote | Authorization
Jun 22, 2026 Jun 24, 2026
Jun 22, 2026
Jun 24, 2026
7.2 HIGH
CVE-2026-44913 — Apache NiFi: Improper Escaping of Table Names in CaptureChangeMySQL

Improper escaping of database table names in the CaptureChangeMySQL Processor included with Apache NiFi 1.2.0 through 2.9.0 allows for injecting SQL commands using crafted naming. Manual quoted bound…

nifi | Remote | Injection
Jun 22, 2026 Jun 23, 2026
Jun 22, 2026
Jun 23, 2026
Showing 20 of 8036 Results