Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
9.3 CRITICAL
CVE-2025-71327 — Flowise - Authentication Bypass via Unprotected Registration Endpoint

Flowise contains an authentication bypass vulnerability in the unprotected /api/v1/account/register endpoint that allows unauthenticated attackers to create user accounts. Remote attackers can exploi…

flowise | Remote | Authentication
Jun 25, 2026 Jun 29, 2026
Jun 25, 2026
Jun 29, 2026
8.7 HIGH
CVE-2025-71324 — Flowise - Arbitrary File Read via chatId Parameter

Flowise before 3.0.6 contains an arbitrary file read vulnerability in the chatId parameter of the /api/v1/get-upload-file and /api/v1/openai-assistants-file/download endpoints. The chatId value is no…

flowise | Remote | Path Traversal
Jun 25, 2026 Jun 30, 2026
Jun 25, 2026
Jun 30, 2026
7.7 HIGH
CVE-2021-47987 — Parse Server - Arbitrary Code Execution via Malicious Version Tags

Parse Server before 4.10.0 was affected by a supply chain incident in which incorrect version tags were pushed to the official repository pointing to an unreviewed personal fork of a contributor with…

parse-server | Remote | Supply Chain
Jun 25, 2026 Jun 26, 2026
Jun 25, 2026
Jun 26, 2026
7.7 HIGH
CVE-2021-47986 — Parse Server - Unreviewed Code Execution via Malicious Version Tags

Parse Server before 4.10.0 contains a supply chain vulnerability where incorrect version tags were pushed to the repository linking to unreviewed code in a personal fork. Attackers could exploit this…

parse-server | Remote | Supply Chain
Jun 25, 2026 Jun 26, 2026
Jun 25, 2026
Jun 26, 2026
5.4 MEDIUM
CVE-2020-37256 — Grav - Cross-Site Scripting in Admin Plugin Page Editor

Grav before 1.6.30 contains a cross-site scripting vulnerability in the Admin plugin page editor default security configuration. Privileged users with page editing capabilities can inject malicious s…

grav grav-plugin-admin | Remote | Cross-Site Scripting
Jun 25, 2026 Jun 27, 2026
Jun 25, 2026
Jun 27, 2026
7.5 HIGH
CVE-2026-6731 — X.509 name constraint bypass via Subject CN treated as a DNS name

X.509 name constraint bypass via the Subject Common Name when treated as a DNS-type name. A certificate whose Subject CN violates an issuing CA's DNS name constraints could be accepted.

wolfssl | Remote | Misconfiguration
Jun 25, 2026 Jun 27, 2026
Jun 25, 2026
Jun 27, 2026
5.3 MEDIUM
CVE-2026-6681 — PKCS#7 decode ignores caller output buffer size, writing past buffer bounds

The PKCS#7 decode path ignores the caller-supplied output buffer size (outputSz), allowing decoded content to be written past the bounds of the provided buffer. This affects wolfSSL 5.9.0 and earlier…

wolfssl | Remote | Memory Corruption
Jun 25, 2026 Jun 27, 2026
Jun 25, 2026
Jun 27, 2026
8.8 HIGH
CVE-2026-6679 — DTLS 1.3 ACK serialization heap buffer overflow via integer truncation

A heap buffer overflow could occur in the DTLS 1.3 ACK serialization path before the connecting peer is authenticated. The buffer overflow was due to an integer truncation when computing the length o…

wolfssl | Remote | Memory Corruption
Jun 25, 2026 Jun 27, 2026
Jun 25, 2026
Jun 27, 2026
5.3 MEDIUM
CVE-2026-6678 — Integer underflow in wc_PKCS7_DecryptOri handling crafted Other Recipient Info

Integer underflow in wc_PKCS7_DecryptOri when handling crafted Other Recipient Info, leading to incorrect length handling during decryption.

wolfssl | Remote | Memory Corruption
Jun 25, 2026 Jul 01, 2026
Jun 25, 2026
Jul 01, 2026
5.3 MEDIUM
CVE-2026-6450 — CRL critical extension bypass in ParseCRL_Extensions

A CRL critical extension bypass exists in ParseCRL_Extensions where critical extensions are not properly enforced, allowing a crafted CRL with an unhandled critical extension to be accepted. This onl…

wolfssl | Remote | Misconfiguration
Jun 25, 2026 Jun 27, 2026
Jun 25, 2026
Jun 27, 2026
4.3 MEDIUM
CVE-2026-6412 — Continued acceptance of SHA-1/MD5 digests in certificate processing

Certificate policy and RFC 8446 compliance concerns regarding the continued acceptance of SHA-1/MD5 in certificate processing.

wolfssl | Remote | Cryptography
Jun 25, 2026 Jun 27, 2026
Jun 25, 2026
Jun 27, 2026
9.1 CRITICAL
CVE-2026-56445 — pydicom pynetdicom Library Path Traversal

The qrscp application's C-STORE handler uses a specific instance from attacker-supplied DICOM datasets directly in os.path.join() without sanitization, allowing file writes to arbitrary paths.

Remote | Path Traversal
Jun 25, 2026 Jun 26, 2026
Jun 25, 2026
Jun 26, 2026
7.5 HIGH
CVE-2026-38640 — Relibc: Reachable Unwrap Leading to Denial of Service

A reachable unwrap in the __assert_fail function (/assert/mod.rs) of relibc commit 61f42d allows attackers to cause a Denial of Service (DoS) via a crafted string.

Remote | Denial of Service
Jun 25, 2026 Jun 26, 2026
Jun 25, 2026
Jun 26, 2026
7.5 HIGH
CVE-2026-38637 — relibc pthread_rwlockattr_setpshared() Denial of Service

An issue in the pthread_rwlockattr_setpshared() function of relibc commit 61f42d allows attackers to cause a Denial of Service (DoS) via a crafted input.

Remote | Denial of Service
Jun 25, 2026 Jun 26, 2026
Jun 25, 2026
Jun 26, 2026
7.5 HIGH
CVE-2026-37452 — MSI NBFoundation Service Insecure Permissions

Insecure Permissions vulnerability in MSI NBFoundation Service v.2.0.2506.1201 allows a remote attacker to obtain sensitive information via the MSIAPService.exe component

Remote | Information Disclosure
Jun 25, 2026 Jun 26, 2026
Jun 25, 2026
Jun 26, 2026
8.3 HIGH
CVE-2026-12473 — OHIF Viewers DICOM Server-Side request forgery

Two data sources (DICOMWebProxy and DICOMJSON) shipped in the default configuration fetch an arbitrary URL parameter without validation. A global authentication service in OHIF automatically injects …

Remote | Server-Side Request Forgery
Jun 25, 2026 Jun 26, 2026
Jun 25, 2026
Jun 26, 2026
9.8 CRITICAL
CVE-2026-7531 — Use-after-free in PQC hybrid key-share handling

Use-after-free in PQC hybrid key-share handling. This is an incomplete-fix follow-up to CVE-2026-5460 (released in 5.9.1): a malicious TLS 1.3 server sending a truncated PQC hybrid KeyShare can still…

wolfssl | Remote | Memory Corruption
Jun 25, 2026 Jun 26, 2026
Jun 25, 2026
Jun 26, 2026
5.0 MEDIUM
CVE-2026-57522 — Bitwarden Server < 2026.5.0 JSON Injection via Webhook Templates

Bitwarden Server before 2026.5.0 contains a JSON injection vulnerability in IntegrationTemplateProcessor.ReplaceTokens(), which substitutes user-controlled values into event-integration templates wit…

server | Remote | Injection
Jun 25, 2026 Jun 27, 2026
Jun 25, 2026
Jun 27, 2026
5.3 MEDIUM
CVE-2026-57521 — Bitwarden Server < 2026.5.0 Broken Access Control via PreviewInvoiceController

Bitwarden Server before 2026.5.0 contains a broken access control vulnerability that allows any authenticated user to access arbitrary organization billing data by supplying an arbitrary organization…

server | Remote | Authorization
Jun 25, 2026 Jun 27, 2026
Jun 25, 2026
Jun 27, 2026
7.1 HIGH
CVE-2026-57520 — Bitwarden Server < 2026.5.0 Privilege Escalation via Bulk User Remove Endpoint

Bitwarden Server before 2026.5.0 contains a privilege escalation vulnerability that allows authenticated Custom users with ManageUsers permission to remove Admin accounts from an organization by expl…

server | Remote | Authorization
Jun 25, 2026 Jun 30, 2026
Jun 25, 2026
Jun 30, 2026
Showing 20 of 7992 Results