Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score | Vulnerability | Published
3.3 LOW
CVE-2026-13743 — Improper verification of cryptographic signature in CubeSpace CW0057 Reaction Wheel

CubeSpace CW0057 Reaction Wheel firmware versions prior to 5.0.20 are vulnerable to an Improper Verification of Cryptographic Signature vulnerability. This could allow an attacker with physical acces…

Authentication
Jul 02, 2026 / Jul 02, 2026
7.0 HIGH
CVE-2026-8699 — Stored Cross-Site Scripting (XSS) in TP-Link Archer C5 Web Management Interface

A stored Cross-Site Scripting (XSS) vulnerability has been identified in the web-based management interface of Archer C5 v6.8 routers, due to insufficient server-side validation and lack of proper ou…

archer_c5 | Cross-Site Scripting
Jul 02, 2026 / Jul 02, 2026
8.2 HIGH
CVE-2026-55952 — TLS 1.3 server denial of service via malformed ClientHello pre-shared key extension

The Erlang/OTP ssl application does not validate that the PSK identity list and binder list carried in a TLS 1.3 ClientHello pre-shared key extension have equal length before passing them to the sess…

erlang/otp otp | Remote | Denial of Service
Jul 02, 2026 / Jul 02, 2026
8.7 HIGH
CVE-2026-55950 — DTLS listener crash via race condition in dtls_packet_demux causes denial of service for …

Time-of-check Time-of-use (TOCTOU) race condition vulnerability in Erlang/OTP ssl (dtls_packet_demux module) allows an unauthenticated remote attacker to crash all active DTLS sessions on a listener.…

erlang/otp otp | Remote | Race Condition
Jul 02, 2026 / Jul 02, 2026
6.3 MEDIUM
CVE-2026-54891 — Plaintext APPLICATION_DATA injected during TLS handshake delivered to client application …

Improper Enforcement of Message Integrity During Transmission in a Communication Channel vulnerability in Erlang/OTP ssl (tls_gen_connection module) allows a network-positioned attacker to inject una…

erlang/otp otp | Remote | Injection
Jul 02, 2026 / Jul 02, 2026
6.3 MEDIUM
CVE-2026-54887 — DTLS server cookie bypass during startup window due to empty initial cookie secret

Use of Default Cryptographic Key vulnerability in Erlang/OTP ssl (DTLS server) allows predictable DTLS cookie computation during the startup window, enabling source address verification bypass. On D…

erlang/otp otp | Remote | Cryptography
Jul 02, 2026 / Jul 02, 2026
5.3 MEDIUM
CVE-2026-54886 — SSH SFTP server denial of service via extended channel data infinite loop

Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in Erlang OTP ssh (ssh_sftpd module) allows an authenticated SFTP user to render an SFTP channel permanently unresponsive. The ha…

erlang/otp otp | Remote | Denial of Service
Jul 02, 2026 / Jul 02, 2026
2.3 LOW
CVE-2026-53422 — SFTP REALPATH path-existence oracle allowing filesystem enumeration outside configured ro…

Observable Response Discrepancy vulnerability in Erlang OTP ssh (ssh_sftpd module) allows an authenticated SFTP user to enumerate the existence of files and directories outside the configured root di…

erlang/otp otp | Remote | Path Traversal
Jul 02, 2026 / Jul 02, 2026
4.9 MEDIUM
CVE-2026-50282 — Craft CMS: Unauthorized Deletion of Destination Folders During Forced Moves

Craft CMS is a content management system (CMS). Versions 5.0.0-RC1 and above, prior to 5.9.21 and versions 4.0.0-RC1 and above prior to 4.17.14 contain an authorization issue where a forced folder mo…

craft_cms | Remote | Authorization
Jul 02, 2026 / Jul 02, 2026
7.1 HIGH
CVE-2026-50281 — Craft CMS: Mass assignment via id in newAttributes during bulk duplicate overwrites exist…

Craft CMS is a content management system (CMS). Versions 5.7.0 and above, prior to 5.9.21 contain a mass-assignment flaw in the bulk-duplicate element action. An attacker who is only able to duplicat…

craft_cms | Remote | Authorization
Jul 02, 2026 / Jul 02, 2026
9.9 CRITICAL
CVE-2026-44935 — Rancher Fleet vulnerable to cross namespace secret disclosure via unvalidated `valuesFrom…

Missing validation of "valuesFrom" references in Helm Deployer of SUSE Rancher Fleet 0.15 before 0.15.2, 0.14 before 0.14.6, 0.13 before 0.13.11 and 0.12 before 0.12.15 could be used by owners of one…

rancher | Remote | Authorization
Jul 02, 2026 / Jul 03, 2026
8.7 HIGH
CVE-2024-58352 — Landray OA Unauthenticated HQL Injection via wechatLoginHelper.do

Landray OA contains an unauthenticated HQL injection vulnerability that allows unauthenticated attackers to query arbitrary Hibernate entity classes by injecting malicious HQL syntax into the uid POS…

Remote | Injection
Jul 02, 2026 / Jul 02, 2026
9.8 CRITICAL
CVE-2024-14037 — Redsea Cloud eHR Unauthenticated File Upload RCE via PtFjk.mob

Redsea Cloud eHR contains an arbitrary file upload vulnerability that allows unauthenticated attackers to achieve remote code execution by uploading malicious files through the PtFjk.mob servlet endp…

Remote | Misconfiguration
Jul 02, 2026 / Jul 02, 2026
9.8 CRITICAL
CVE-2022-50973 — Yonyou KSOA 9.0 Unauthenticated File Upload RCE via ImageUpload Servlet

Yonyou KSOA 9.0 contains an unauthenticated arbitrary file upload vulnerability in the com.sksoft.bill.ImageUpload servlet that allows unauthenticated attackers to upload arbitrary files by submittin…

Remote | Authentication
Jul 02, 2026 / Jul 02, 2026
9.8 CRITICAL
CVE-2026-58455 — Dockwatch 0.6.567 Unauthenticated OS Command Injection via ajax/compose.php

Dockwatch through 0.6.567 contains an unauthenticated OS command injection vulnerability that allows remote attackers to execute arbitrary shell commands by exploiting a missing exit() after an authe…

Remote | Injection
Jul 02, 2026 / Jul 02, 2026
8.4 HIGH
CVE-2026-44941 — libzypp path traversal via "keyhint" in repomd.xml

A relative path traversal in the "keyhint" option in repomd.xml parsing of libzypp before 17.38.12 can be used by attackers able to supply a malicious repository to inject or overwrite files in the t…

libzypp | Remote | Path Traversal
Jul 02, 2026 / Jul 03, 2026
8.7 HIGH
CVE-2026-9272 — Possibility of unintended database operations when querying data related to detected anom…

In Progress Flowmon ADS versions prior to 12.5.6 and 13.0.5, a vulnerability exists whereby an adversary who is authenticated as a low-privileged user in the Anomaly Detection System (ADS) may send s…

Remote | Authorization
Jul 02, 2026 / Jul 03, 2026
8.7 HIGH
CVE-2026-8079 — Unintended limited set of actions with elevated privileges may be performed during PDF ge…

In Progress Flowmon versions prior to 12.5.9 and 13.0.11, a vulnerability exists whereby an authenticated low-privileged user may craft a request during the PDF generation process that results in ope…

flowmon | Remote | Authorization
Jul 02, 2026 / Jul 03, 2026
7.5 HIGH
CVE-2026-56842 — UniFi Network Application Incorrect Authorization Privilege Escalation

A malicious actor with access to the network and under certain conditions could exploit an Incorrect Authorization vulnerability found in UniFi Network Application to persist privileges within UniFi …

unifi_network_application | Remote | Authorization
Jul 02, 2026 / Jul 02, 2026
8.8 HIGH
CVE-2026-56841 — UniFi Protect SQL Injection Privilege Escalation

A malicious actor with access to the network and low privileges could exploit an authenticated SQL Injection vulnerability found in UniFi Protect Application to escalate privileges on the host device.

unifi_protect | Remote | Injection
Jul 02, 2026 / Jul 02, 2026
Showing 20 of 8017 Results