Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
5.3 MEDIUM
CVE-2026-48937 — Node.js HTTP/2 Denial of Service

A flaw in Node.js HTTP/2 server API can cause servers to keep accepting data even after sending a `GOAWAY` frame. This vulnerability affects two supported release lines: **Node.js 22** and **Node.js …

node.js | Remote | Denial of Service
Jun 18, 2026 Jun 22, 2026
Jun 18, 2026
Jun 22, 2026
6.9 MEDIUM
CVE-2026-47833 — BPM: Container-to-Host Privilege Escalation via Symlink Following

setupBpmLogs follows symlink for bpm.log open and chown — container-to-host privilege escalation via /etc/shadow. A compromised process inside a bpm container can cause root to chown an arbitrary hos…

| Path Traversal
Jun 18, 2026 Jun 22, 2026
Jun 18, 2026
Jun 22, 2026
8.4 HIGH
CVE-2026-12390 — Access of resource using incompatible type ('type confusion') in AzeoTech DAQFactory

In AzeoTech DAQFactory versions 21.1 and prior, a Type Confusion vulnerability can be exploited by an attacker using specially crafted .ctl files which can result in code execution.

daqfactory | Memory Corruption
Jun 18, 2026 Jun 22, 2026
Jun 18, 2026
Jun 22, 2026
9.8 CRITICAL
CVE-2026-54390 — JTL Shop < 5.7.2 Server-Side Template Injection via Smarty Renderer

JTL Shop versions 5.2.0 through 5.7.1 contains a server-side template injection vulnerability that allows unauthenticated attackers to inject malicious template syntax due to unsanitized user-supplie…

Remote | Injection
Jun 18, 2026 Jun 23, 2026
Jun 18, 2026
Jun 23, 2026
4.7 MEDIUM
CVE-2026-48986 — pam_usb: Infinite loop DoS in process-tree walk when parent process exits during authenti…

pam_usb provides hardware authentication for Linux using removable media. In pam_usb 0.9.1 and earlier, usb_get_process_parent_id() can cause an infinite loop DoS because it does not initialize *ppid…

| Denial of Service
Jun 18, 2026 Jun 22, 2026
Jun 18, 2026
Jun 22, 2026
5.5 MEDIUM
CVE-2026-48985 — pam_usb: NULL Dereference Crash in pusb_is_loginctl_local when loginctl Returns Empty Rem…

pam_usb provides hardware authentication for Linux using ordinary removable media. In versions 0.9.1 and below, pusb_is_loginctl_local() can cause a NULL dereference crash when parsing loginctl outpu…

| Denial of Service
Jun 18, 2026 Jun 22, 2026
Jun 18, 2026
Jun 22, 2026
4.7 MEDIUM
CVE-2026-48984 — pam_usb: xfree() does not call explicit_bzero — sensitive cryptographic material may ling…

pam_usb provides hardware authentication for Linux using ordinary removable media. In versions 0.9.1 and below, the xfree() memory release helper in calls free() without first zeroing the buffer cont…

| Memory Corruption
Jun 18, 2026 Jun 22, 2026
Jun 18, 2026
Jun 22, 2026
6.5 MEDIUM
CVE-2026-56024 — WordPress WP EasyPay plugin <= 4.5.0 - Cross Site Request Forgery (CSRF) vulnerability

Cross-Site Request Forgery (CSRF) vulnerability in Saad Iqbal WP EasyPay allows Cross Site Request Forgery. This issue affects WP EasyPay: from n/a through 4.5.0.

wp_easypay | Remote | Cross-Site Request Forgery
Jun 18, 2026 Jul 01, 2026
Jun 18, 2026
Jul 01, 2026
6.9 MEDIUM
CVE-2026-56022 — Webmin MFA bypass

Webmin accepts basic authentication without session cookies when an attacker provides the 'User-Agent: webmin' header, allowing bypass of additional MFA requirements. Fixed in 2.641.

webmin | Remote | Authentication
Jun 18, 2026 Jun 24, 2026
Jun 18, 2026
Jun 24, 2026
6.9 MEDIUM
CVE-2026-56021 — Webmin information disclosure via regex pattern

Webmin allows unauthenticated attackers to read the contents of any file ending in .conf within module directories, due to a bypassable regex pattern.

webmin | Remote | Information Disclosure
Jun 18, 2026 Jun 24, 2026
Jun 18, 2026
Jun 24, 2026
9.2 CRITICAL
CVE-2026-56020 — Webmin HTTP header authentication bypass

The Webmin HTTP server (miniserv.pl) allows unauthenticated attackers to impersonate any user with a configured SSL client certificate by sending a forged HTTP header. A remote attacker can spoof cer…

webmin | Remote | Authentication
Jun 18, 2026 Jun 22, 2026
Jun 18, 2026
Jun 22, 2026
8.8 HIGH
CVE-2026-55237 — AutoGPT SignUp Page has DOM-Based XSS and Open Redirect

AutoGPT is a workflow automation platform for creating, deploying, and managing continuous artificial intelligence agents. Versions prior to 0.6.62 have a DOM-based Cross-Site Scripting (XSS) vulnera…

autogpt_platform | Remote | Cross-Site Scripting
Jun 18, 2026 Jun 18, 2026
Jun 18, 2026
Jun 18, 2026
6.9 MEDIUM
CVE-2026-55205 — Hermes WebUI < 0.51.468 - Resource Exhaustion via Unauthenticated OAuth Flow Endpoint

Hermes WebUI before 0.51.468 contains a resource exhaustion vulnerability in the unauthenticated POST /api/onboarding/oauth/start endpoint that allows unbounded accumulation of in-memory flow state a…

hermes_web_ui | Remote | Denial of Service
Jun 18, 2026 Jun 22, 2026
Jun 18, 2026
Jun 22, 2026
8.7 HIGH
CVE-2026-55204 — HAProxy - NULL Pointer Dereference in hpack_dht_insert Function

HAProxy through 3.4.0, fixed in commit 9a6d1fe, contains a null pointer dereference vulnerability in hpack_dht_insert() within src/hpack-tbl.c that fails to validate the return value of hpack_dht_de…

haproxy aloha | Remote | Memory Corruption
Jun 18, 2026 Jun 26, 2026
Jun 18, 2026
Jun 26, 2026
9.1 CRITICAL
CVE-2026-55203 — HAProxy - Integer Overflow in FCGI Demux Record Length Field

HAProxy through 3.4.0, fixed in commit 5985276, contains an integer overflow vulnerability in the fcgi_conn structure's drl field that allows buffer misparse as new FCGI record headers. When contentL…

haproxy aloha | Remote
Jun 18, 2026 Jun 26, 2026
Jun 18, 2026
Jun 26, 2026
5.1 MEDIUM
CVE-2026-54106 — U.S. GAO EPDS and CBCA EDS network access control bypass

The U.S. Government Accountability Office (GAO) Electronic Protest Docketing System (EPDS) and Civilian Board of Contract Appeals (CBCA) Electronic Docketing System (EDS) do not validate X-Forwarded-…

Remote | Authentication
Jun 18, 2026 Jun 24, 2026
Jun 18, 2026
Jun 24, 2026
6.9 MEDIUM
CVE-2026-54105 — U.S. GAO EPDS and CBCA EDS user information disclosure

The U.S. Government Accountability Office (GAO) Electronic Protest Docketing System (EPDS) and Civilian Board of Contract Appeals (CBCA) Electronic Docketing System (EDS) expose sensitive account inf…

Remote | Information Disclosure
Jun 18, 2026 Jun 24, 2026
Jun 18, 2026
Jun 24, 2026
8.8 HIGH
CVE-2026-54104 — U.S. GAO EPDS and CBCA EDS client-based privilege escalation

The U.S. Government Accountability Office (GAO) Electronic Protest Docketing System (EPDS) and Civilian Board of Contract Appeals (CBCA) Electronic Docketing System (EDS) trusts client-provided value…

Remote | Authorization
Jun 18, 2026 Jun 22, 2026
Jun 18, 2026
Jun 22, 2026
9.8 CRITICAL
CVE-2026-54103 — U.S. GAO EPDS and CBCA EDS unauthenticated password change

The U.S. Government Accountability Office (GAO) Electronic Protest Docketing System (EPDS) and Civilian Board of Contract Appeals (CBCA) Electronic Docketing System (EDS) does not authenticate passwo…

Remote | Authentication
Jun 18, 2026 Jun 22, 2026
Jun 18, 2026
Jun 22, 2026
1.8 LOW

A flaw in Node.js Permission Model enforcement allows Bypass via `process.report.writeReport()` Path Misvalidation. This can lead to confidentiality impact or bypass of the intended security boundary…

node.js | Path Traversal
Jun 18, 2026 Jun 22, 2026
Jun 18, 2026
Jun 22, 2026
Showing 20 of 7990 Results