Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
9.8 CRITICAL
CVE-2026-58449 — txtai - Unauthenticated Remote Code Execution via Unsafe Reflection in API /reindex funct…

txtai through 9.10.0, fixed in commit 11b32da, exposes an API /reindex endpoint whose function body parameter is resolved through txtai.util.Resolver, which performs __import__ and getattr on the cal…

txtai | Remote | Injection
Jun 30, 2026 Jul 02, 2026
Jun 30, 2026
Jul 02, 2026
7.1 HIGH
CVE-2026-58448 — yudao-cloud < 2026.06 - BPM Module Broken Access Control via process-instance API

yudao-cloud before 2026.06 contains a broken access control vulnerability in the BPM module that allows any authenticated user to access arbitrary process instance records by supplying a caller-contr…

yudao-cloud yudao-cloud | Remote | Authorization
Jun 30, 2026 Jul 01, 2026
Jun 30, 2026
Jul 01, 2026
7.1 HIGH
CVE-2026-58447 — Invidious - Cross-User Playlist Video Deletion via Missing Ownership Check

Invidious through 2.20260626.0, fixed in commit 77ad416, contains a broken object level authorization vulnerability that allows authenticated attackers to delete videos from other users' playlists by…

invidious | Remote | Authorization
Jun 30, 2026 Jul 02, 2026
Jun 30, 2026
Jul 02, 2026
6.9 MEDIUM
CVE-2026-58446 — Presenton < 0.8.8-beta - Authentication Bypass of Session Auth via Unprotected MCP Endpoi…

Presenton before 0.8.8-beta bundles an MCP server that, on server/Docker deployments configured with session authentication (AUTH_USERNAME/AUTH_PASSWORD), is reachable unauthenticated at /mcp because…

presenton | Remote | Authentication
Jun 30, 2026 Jul 02, 2026
Jun 30, 2026
Jul 02, 2026
7.5 HIGH
CVE-2026-57585 — MessagePack: Out-of-bounds read/crash on Unpacker reuse after caught error

MessagePack is the serializer implementation for Python msgpack.org. Prior to 1.2.1, there is an Out-of-bounds read/crash on Unpacker reuse after a caught error, potentially leading to a DoS attack. …

Remote | Denial of Service
Jun 30, 2026 Jul 02, 2026
Jun 30, 2026
Jul 02, 2026
6.9 MEDIUM
CVE-2026-57204 — pypdf: Missing stream length values ignore defined limits

pypdf is a free and open-source pure-python PDF library. Prior to 6.13.3, a maliciously crafted PDF can cause DoS. An attacker who uses this vulnerability can craft a PDF which leads to large memory …

pypdf | Remote | Denial of Service
Jun 30, 2026 Jul 02, 2026
Jun 30, 2026
Jul 02, 2026
8.8 HIGH
CVE-2026-52868 — OFFIS DCMTK Toolkit Path Traversal

An unauthenticated attacker can read worklist records from a directory outside the intended per-AE worklist storage area. In a multi-area deployment, this can cross departmental or clinic data separa…

dcmtk | Remote | Path Traversal
Jun 30, 2026 Jul 01, 2026
Jun 30, 2026
Jul 01, 2026
7.5 HIGH
CVE-2026-52196 — UTT nv518G Buffer Overflow

Buffer Overflow vulnerability in UTT nv518G nv518GV3v3.2.7-210919-161313 allows a remote attacker to cause a denial of service via the gohead/sub_416f28 component

Remote | Memory Corruption
Jun 30, 2026 Jul 02, 2026
Jun 30, 2026
Jul 02, 2026
8.7 HIGH
CVE-2026-50254 — OFFIS DCMTK Toolkit Missing Release of Memory after Effective Lifetime

An unauthenticated remote attacker can repeatedly send a single crafted connection request to leak memory. Against storescp in its default single-process mode, memory grows quickly and the service is…

dcmtk | Remote | Memory Corruption
Jun 30, 2026 Jul 01, 2026
Jun 30, 2026
Jul 01, 2026
9.8 CRITICAL
CVE-2026-50003 — OFFIS DCMTK Toolkit Path Traversal

A malicious or compromised server can make a DCMTK client using bit-preserving C-GET storage mode write files outside the chosen output directory, using both relative (../) paths and absolute paths.

dcmtk | Remote | Path Traversal
Jun 30, 2026 Jul 01, 2026
Jun 30, 2026
Jul 01, 2026
9.8 CRITICAL
CVE-2026-37106 — DokuWiki Remote Code Execution via register Function

An issue in DokuWiki 2025-05-14b "Librarian" 56.2 allows a remote attacker to create an account via the register function in inc/auth.php. NOTE: this is disputed by the Supplier because this is the i…

Remote | Authentication
Jun 30, 2026 Jul 02, 2026
Jun 30, 2026
Jul 02, 2026
8.7 HIGH
CVE-2026-35505 — OFFIS DCMTK Toolkit Missing Release of Memory after Effective Lifetime

An unauthenticated remote attacker can repeatedly send crafted connection requests to leak memory. In single-process deployments the memory grows until the service is killed and the port stops respon…

dcmtk | Remote | Denial of Service
Jun 30, 2026 Jul 01, 2026
Jun 30, 2026
Jul 01, 2026
9.8 CRITICAL
CVE-2026-11541 — IBM WebSphere Application Server and WebSphere Application Server Liberty are affected by…

IBM WebSphere Application Server 9.0, and 8.5 and IBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.6 are affected by an HTTP request smuggling vulnerability.

Jun 30, 2026 Jul 02, 2026
Jun 30, 2026
Jul 02, 2026
6.3 MEDIUM
CVE-2026-10585 — Stored cross-site scripting vulnerability in GitHub Enterprise Server allowed arbitrary J…

A stored cross-site scripting vulnerability was identified in GitHub Enterprise Server that allowed an authenticated attacker to execute arbitrary JavaScript in another user's browser by injecting a …

enterprise_server | Remote | Cross-Site Scripting
Jun 30, 2026 Jul 02, 2026
Jun 30, 2026
Jul 02, 2026
6.5 MEDIUM
CVE-2026-9132 — Missing authorization vulnerability in GitHub Enterprise Server allowed disclosure of pri…

A missing authorization vulnerability was identified in GitHub Enterprise Server that allowed an authenticated user to read source code from private repositories they did not have access to. The C…

enterprise_server | Remote | Authorization
Jun 30, 2026 Jul 02, 2026
Jun 30, 2026
Jul 02, 2026
5.5 MEDIUM
CVE-2026-9106 — UI misrepresentation vulnerability in GitHub Enterprise Server allowed unauthorized organ…

A UI misrepresentation vulnerability was identified in GitHub Enterprise Server that allowed an OAuth application to gain unintended access to an organization's runner management. An attacker could e…

enterprise_server | Remote | Authorization
Jun 30, 2026 Jul 02, 2026
Jun 30, 2026
Jul 02, 2026
8.7 HIGH
CVE-2026-44628 — OFFIS DCMTK Toolkit Type Confusion

An unauthenticated attacker can crash the worklist server with a single crafted query when the server has a valid Called AE Title / storage directory, the expected lockfile, and at least one matching…

dcmtk | Remote | Denial of Service
Jun 30, 2026 Jul 01, 2026
Jun 30, 2026
Jul 01, 2026
8.7 HIGH
CVE-2026-13207 — Frangoteam FUXA SCADA/HMI Authentication Bypass by Spoofing

FUXA versions 1.3.1 and prior contain an authentication bypass vulnerability via dot-segment path normalization in the REST API. The API router fails to normalize dot-segment sequences before applyin…

Remote | Authentication
Jun 30, 2026 Jul 01, 2026
Jun 30, 2026
Jul 01, 2026
8.5 HIGH
CVE-2026-11594 — IBM WebSphere Application Server is affected by multiple cross-site scripting vulnerabili…

IBM WebSphere Application Server 9.0, and 8.5 is affected by a cross-site scripting vulnerability in the administrative console.

websphere_application_server | Cross-Site Scripting
Jun 30, 2026 Jul 02, 2026
Jun 30, 2026
Jul 02, 2026
5.9 MEDIUM
CVE-2026-10562 — Unauthenticated Open Redirect Vulnerability on TP-Link Archer AX20 Web Interface

An unauthenticated URL redirection vulnerability has been identified in Archer AX20 V2 due to improper validation of user-supplied URL input within the web interface.  An unauthenticated attacker can…

Remote | Information Disclosure
Jun 30, 2026 Jul 02, 2026
Jun 30, 2026
Jul 02, 2026
Showing 20 of 7983 Results