Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
6.7 MEDIUM
CVE-2026-4522 — HYPR Passwordless: Missing Authentication for Critical Function

Missing authentication for critical function vulnerability in HYPR Passwordless on Windows allows Credentials Interception. This issue affects HYPR Passwordless: before 11.1.1.

| Authentication
Jun 25, 2026 Jun 25, 2026
Jun 25, 2026
Jun 25, 2026
6.3 MEDIUM
CVE-2026-48946 — Joomla Extension - getk2.org - Privileged RCE vulnerability in K2 extension for Joomla < …

The K2 frontend article-attachment upload path accepts files whose extension is `.php`, and Apache's standard mod_php matches `\.php$` and executes them under the K2 web user. A K2 Author can upload …

k2 | Remote | Misconfiguration
Jun 25, 2026 Jun 28, 2026
Jun 25, 2026
Jun 28, 2026
5.3 MEDIUM
CVE-2026-48945 — Joomla Extension - getk2.org - Privileged RCE vulnerability in K2 extension for Joomla < …

The K2 article gallery upload path accepts a zip/tar archive, extracts it under `/media/k2/galleries/<id>/`, and only renames image files (gif/jpg/jpeg/png/webp) to safe names — non-image files (incl…

k2 | Remote | Misconfiguration
Jun 25, 2026 Jun 28, 2026
Jun 25, 2026
Jun 28, 2026
6.5 MEDIUM
CVE-2026-48944 — Joomla Extension - getk2.org - Exposure of sensitive files via attachment copy in K2 exte…

The K2 frontend article-save handler accepts an `attachment[N][existing]` POST field that is concatenated with `JPATH_SITE/` and passed to `JFile::copy()`. `JPath::clean` does NOT strip `..`, and the…

k2 | Remote | Path Traversal
Jun 25, 2026 Jun 28, 2026
Jun 25, 2026
Jun 28, 2026
6.5 MEDIUM
CVE-2026-48943 — Joomla Extension - getk2.org - Authenticated user property mass-assignment in K2 extensio…

K2 ≤ 2.24 contains a mass-assignment defect in the K2 system user plugin `plg_user_k2`. A Registered Joomla user, by including the field `K2UserForm=1` in a standard `com_users` `profile.save` POST, …

k2 | Remote | Authentication
Jun 25, 2026 Jun 28, 2026
Jun 25, 2026
Jun 28, 2026
6.1 MEDIUM
CVE-2026-48942 — Joomla Extension - getk2.org - Stored-XSS in K2 extension for Joomla < 2.26

K2 ≤ 2.26 renders the `#__k2_users.image` column directly into HTML `src` attributes via two distinct templates, in both cases without HTML escaping.

k2 | Remote | Cross-Site Scripting
Jun 25, 2026 Jun 28, 2026
Jun 25, 2026
Jun 28, 2026
6.5 MEDIUM
CVE-2026-48941 — Joomla Extension - getk2.org - Unauthenticated folder delete in K2 extension for Joomla <…

The K2 frontend `item.checkin` task accepts an unauthenticated `sigProFolder` query parameter and uses it directly to address a `JFolder::delete()` call under `/media/k2/galleries/`

k2 | Remote | Path Traversal
Jun 25, 2026 Jun 28, 2026
Jun 25, 2026
Jun 28, 2026
3.4 LOW
CVE-2026-48940 — Joomla Extension - getk2.org - Stored-XSS in K2 extension for Joomla < 2.26

A Joomla user with K2 "create item" rights (Author tier by default) can submit an article whose `embedVideo` POST field contains a raw `<script>` tag; K2 stores it verbatim and renders it unescaped t…

k2 | Remote | Cross-Site Scripting
Jun 25, 2026 Jun 28, 2026
Jun 25, 2026
Jun 28, 2026
7.5 HIGH
CVE-2026-12844 — List::SomeUtils::XS versions before 0.59 for Perl have a heap buffer overflow in the pair…

List::SomeUtils::XS versions before 0.59 for Perl have a heap buffer overflow in the pairwise function. pairwise() collects the values returned by the block into a heap buffer sized to the longer in…

Remote | Memory Corruption
Jun 25, 2026 Jun 25, 2026
Jun 25, 2026
Jun 25, 2026
5.3 MEDIUM
CVE-2026-6432 — Improper bounds validation in EmberZNet SDK

Improper bounds validation in EmberZNet SDK versions 9.0.2 and earlier may result in crashes or dynamic memory leakage.

Remote | Memory Corruption
Jun 25, 2026 Jun 25, 2026
Jun 25, 2026
Jun 25, 2026
3.3 LOW
CVE-2026-57588 — SQL Injection in Nessus via Malicious Scan Result File Import

A SQL injection vulnerability in Nessus allows an attacker to craft a malicious scan result file that, when imported by a privileged user, injects malicious SQL into the scan results database, potent…

nessus | Injection
Jun 25, 2026 Jun 26, 2026
Jun 25, 2026
Jun 26, 2026
5.3 MEDIUM
CVE-2026-57587 — SQL Injection in Nessus via Reverse DNS Lookup

A SQL injection vulnerability in Nessus allows a remote, unauthenticated attacker who controls reverse DNS records for a scanned host to inject malicious SQL into the scan results database, potential…

nessus | Remote | Injection
Jun 25, 2026 Jun 26, 2026
Jun 25, 2026
Jun 26, 2026
6.3 MEDIUM
CVE-2026-57536 — Insufficient validation of payment status in pretix-mollie

Our payment integration with Mollie did not properly validate payment status responses. An attacker could use a successful payment status response from one payment and supply it to the system for a…

Remote | Authentication
Jun 25, 2026 Jun 25, 2026
Jun 25, 2026
Jun 25, 2026
2.1 LOW
CVE-2026-57535 — Adobe Reader SSRF

Content injected to PDF rendering contexts could, in many places, include HTML content including <img> tags. If the src attribute of these images pointed to an URL, the PDF rendering engine would d…

pretix | Remote | Server-Side Request Forgery
Jun 25, 2026 Jun 25, 2026
Jun 25, 2026
Jun 25, 2026
2.1 LOW
CVE-2026-57534 — Stored XSS in pretix-pages

Malicious HTML content could be injected into the content of a page in the pretix-pages plugin.

Remote | Cross-Site Scripting
Jun 25, 2026 Jun 25, 2026
Jun 25, 2026
Jun 25, 2026
2.1 LOW
CVE-2026-57533 — Pretix HTML Injection

Malicious HTML content could be injected into the page pretix shows when redirection to an untrusted page occurs. Since this page has a Content-Security-Policy, this can mainly be used for phishing…

pretix | Remote | Cross-Site Scripting
Jun 25, 2026 Jun 25, 2026
Jun 25, 2026
Jun 25, 2026
8.8 HIGH
CVE-2026-57532 — Adobe Acrobat Reader PDF Ticket HTML Injection

Malicious HTML content contained in the layout specification of a PDF ticket or badge layout was executed when the PDF editor is opened in the browser. This could allow one backend user to inject J…

pretix | Remote | Cross-Site Scripting
Jun 25, 2026 Jun 25, 2026
Jun 25, 2026
Jun 25, 2026
5.3 MEDIUM
CVE-2026-57437 — Nokogiri: Possible Use-After-Free when directly using `NokogirI::XML::XPathContext` beyon…

Nokogiri is an open source XML and HTML library for the Ruby programming language. Prior to 1.19.4, Nokogiri::XML::XPathContext did not keep its source document alive for garbage collection. If an XP…

nokogiri | Remote | Memory Corruption
Jun 25, 2026 Jun 26, 2026
Jun 25, 2026
Jun 26, 2026
5.3 MEDIUM
CVE-2026-57436 — Nokogiri: Possible Use-After-Free when setting `Document#root=` to an invalid node type

Nokogiri is an open source XML and HTML library for the Ruby programming language. Prior to 1.19.4, Nokogiri::XML::Document#root= validated only that the new root was a Nokogiri::XML::Node, allowing …

nokogiri | Remote | Memory Corruption
Jun 25, 2026 Jun 26, 2026
Jun 25, 2026
Jun 26, 2026
7.5 HIGH
CVE-2026-57435 — Nokogiri: Possible Use-After-Free when setting an attribute value via `Nokogiri::XML::Att…

Nokogiri is an open source XML and HTML library for the Ruby programming language. Prior to 1.19.4, Nokogiri’s CRuby native extension could leave a Ruby wrapper pointing to freed memory when replacin…

nokogiri | Remote | Memory Corruption
Jun 25, 2026 Jun 26, 2026
Jun 25, 2026
Jun 26, 2026
Showing 20 of 7989 Results