Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
9.4 CRITICAL
CVE-2026-44939 — Command injection through unsanitized YAML parameter in Rancher

A command injection vulnerability in the Rancher Manager cluster before 2.14.2 import endpoint /v3/import/{token}_{clusterId}.yaml through unsanitized YAML parameters could allow remote attackers to…

rancher rancher | Remote | Injection
Jun 19, 2026 Jun 24, 2026
Jun 19, 2026
Jun 24, 2026
6.5 MEDIUM
CVE-2026-12706 — Ffmpeg: ffmpeg: heap use-after-free read in rasc decoder decode_move()

A use-after-free vulnerability was found in FFmpeg's RASC video decoder. The decode_move() function initializes a read pointer into a decompressed buffer, but a subsequent reallocation of that same b…

openshift_ai enterprise_linux_ai | Remote | Memory Corruption
Jun 19, 2026 Jun 22, 2026
Jun 19, 2026
Jun 22, 2026
5.6 MEDIUM
CVE-2026-11941 — Use-after-free in connection ID iterator and FFI functions

Cloudflare Quiche was affected by 2 use-after-free vulnerabilities in the connection ID iterator FFI functions. The “quiche_connection_id_iter_next” and “quiche_conn_retired_scid_next” functions w…

quiche | Remote | Memory Corruption
Jun 19, 2026 Jun 22, 2026
Jun 19, 2026
Jun 22, 2026
5.6 MEDIUM
CVE-2026-8296 — Octopus Server Artifact Cross-Site Scripting

In affected versions of Octopus Server with certain access levels it was possible to embed a Cross-Site Scripting Payload via artifacts.

octopus_server | Remote | Cross-Site Scripting
Jun 19, 2026 Jun 22, 2026
Jun 19, 2026
Jun 22, 2026
5.3 MEDIUM
CVE-2026-56138 — Authenticated Path Traversal in AIL framework /objects/item/diff Allows Reading Gzip-Comp…

AIL framework contains a path traversal vulnerability in the /objects/item/diff endpoint. The endpoint accepts item identifiers through the s1 and s2 query parameters and, prior to the fix, attempted…

ail_framework | Remote | Path Traversal
Jun 19, 2026 Jun 22, 2026
Jun 19, 2026
Jun 22, 2026
7.7 HIGH
CVE-2026-41156 — GPU DDK - kernel<->fw CCB contains SYNC_PRIMITIVE_BLOCK firmware address without holding …

Software installed and run as a non-privileged user may conduct improper GPU system calls to cause mismanagement of resources creating a write use after free scenario. A shared resource (memory pa…

ddk | Memory Corruption
Jun 19, 2026 Jun 22, 2026
Jun 19, 2026
Jun 22, 2026
7.7 HIGH
CVE-2026-34192 — GPU DDK - _MMU_AllocLevel error recovery paths leave dangling page table entries

Software installed and run as a non-privileged user may conduct improper GPU system calls to cause an error path leading to UAF of GPU page tables. The vulnerability allows physical memory allocat…

ddk | Memory Corruption
Jun 19, 2026 Jun 22, 2026
Jun 19, 2026
Jun 22, 2026
7.5 HIGH
CVE-2026-11576 — eclipse-threadx NetX Duo HTTP Server fx_file_close Uninitialized Handle Vulnerability

The security fix for CVE-2025-0728 in eclipse-threadx NetX Duo refactors error handling in the HTTP server PUT process to use a shared cleanup label, but this unified cleanup path unconditionally cal…

threadx_netx_duo | Remote | Memory Corruption
Jun 19, 2026 Jun 22, 2026
Jun 19, 2026
Jun 22, 2026
5.3 MEDIUM
CVE-2026-6798 — 2Download Connector for 2DL Hosted Checkout <= 0.1.5 - Missing Authorization to Unauthent…

The 2Download Connector for 2DL Hosted Checkout plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 0.1.5. This is due to the plugin not properly verifying…

Remote | Authorization
Jun 19, 2026 Jun 22, 2026
Jun 19, 2026
Jun 22, 2026
7.8 HIGH
CVE-2026-46461 — Dell Server Hardware Manager Improper Access Control

Dell Server Hardware Manager, versions prior to 3.2.2, contains an Improper Access Control vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, lea…

server_hardware_manager | Authorization
Jun 19, 2026 Jun 26, 2026
Jun 19, 2026
Jun 26, 2026
5.3 MEDIUM
CVE-2026-3640 — STRABL <= 4.5 - Unauthenticated Arbitrary Webhook Creation via REST API Endpoint

The STRABL – A checkout solution plugin for WordPress is vulnerable to Missing Authentication in all versions up to and including 4.5. The plugin registers a REST API webhook endpoint at /wp-json/str…

Remote | Authentication
Jun 19, 2026 Jun 22, 2026
Jun 19, 2026
Jun 22, 2026
6.5 MEDIUM
CVE-2026-9822 — WP Hotel Booking < 2.3.1 - Subscriber+ Missing Authorization in Multiple AJAX Handlers

The WP Hotel Booking WordPress plugin before 2.3.1 does not enforce capability checks in several of its AJAX handlers, allowing authenticated users with Subscriber-level access to read other users' b…

wp_hotel_booking | Remote | Authorization
Jun 19, 2026 Jun 22, 2026
Jun 19, 2026
Jun 22, 2026
4.3 MEDIUM
CVE-2026-9013 — Bogo <= 3.9.1 - Missing Authorization to Authenticated (Subscriber+) Sensitive Informatio…

The Bogo plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.9.1 via the bogo_rest_create_post_translation. This makes it possible for authent…

Remote | Information Disclosure
Jun 19, 2026 Jun 22, 2026
Jun 19, 2026
Jun 22, 2026
9.1 CRITICAL
CVE-2026-8713 — Avada (Fusion) Builder <= 3.15.3 - Unauthenticated Arbitrary File Deletion via Form Entry…

The Avada (Fusion) Builder plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the maybe_delete_files function in all versions up to, and includi…

avada_builder | Remote | Path Traversal
Jun 19, 2026 Jun 22, 2026
Jun 19, 2026
Jun 22, 2026
6.5 MEDIUM
CVE-2026-8118 — Royal Addons for Elementor – Addons and Templates Kit for Elementor 1.7.1058 - 1.7.1059 -…

The Royal Addons for Elementor – Addons and Templates Kit for Elementor plugin for WordPress is vulnerable to Arbitrary File Read in versions 1.7.1058 through 1.7.1059. This is due to the wpr_get_csv…

royal_elementor_addons | Remote | Path Traversal
Jun 19, 2026 Jun 22, 2026
Jun 19, 2026
Jun 22, 2026
4.9 MEDIUM
CVE-2026-7547 — Woosa <= 2.0.5 - Authenticated (Administrator+) Arbitrary File Read via 'log_file' Parame…

The Woosa – Marktplaats for WooCommerce plugin for WordPress is vulnerable to Arbitrary File Read via Path Traversal in versions up to and including 2.0.4. This is due to insufficient path sanitizati…

Remote | Path Traversal
Jun 19, 2026 Jun 23, 2026
Jun 19, 2026
Jun 23, 2026
9.8 CRITICAL
CVE-2026-7515 — BetterDocs Pro <= 3.8.0 - Unauthenticated Local File Inclusion via doc_style

The BetterDocs Pro plugin for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 3.8.0 via the `doc_style` parameter. This makes it possible for unauthenticated attacke…

Remote | Path Traversal
Jun 19, 2026 Jun 22, 2026
Jun 19, 2026
Jun 22, 2026
6.9 MEDIUM
CVE-2026-56132 — Expat Heap-Based Buffer Overflow

In libexpat before 2.8.2, there is a heap-based buffer overflow in doProlog in xmlparse.c because scaffold backing array reallocation is mishandled when there is data-structure sharing across parsers.

libexpat | Memory Corruption
Jun 19, 2026 Jun 23, 2026
Jun 19, 2026
Jun 23, 2026
4.9 MEDIUM
CVE-2026-56131 — Expat XML_ResumeParser Use-After-Free Vulnerability

libexpat before 2.8.2 lacks handler call depth tracking for calls to XML_ResumeParser from within handlers in cases of a policy violation. Thus, a use-after-free can occur (similar to the CVE-2026-50…

libexpat | Memory Corruption
Jun 19, 2026 Jun 23, 2026
Jun 19, 2026
Jun 23, 2026
9.8 CRITICAL
CVE-2026-54414 — FileRise shared-folder upload path traversal allows arbitrary file write and admin takeov…

FileRise before 3.16.0 is vulnerable to path traversal in the shared-folder upload endpoint (/api/folder/uploadToSharedFolder.php), leading to arbitrary file write and administrator account takeover.…

filerise | Remote | Path Traversal
Jun 19, 2026 Jun 22, 2026
Jun 19, 2026
Jun 22, 2026
Showing 20 of 7989 Results