Latest CVE Feed

Vulnerabilities published in the last 30 days.

Score | Vulnerability | Published
8.1 HIGH | CVE-2026-22555 — Gitea organization forks can expose organization secrets without create permission
Gitea versions before 1.26.0 allow API users to fork a repository into an organization without first passing the CanCreateOrgRepo check, which can expose organization secrets.
Remote | Authorization
Published: Jul 03, 2026

0.0 NA | CVE-2026-22547 — Gitea repository creation accepts invalid field values
Gitea versions before 1.25.5 lack validation constraints for repository creation fields, including length-limited template fields and trust model or object format values.
Misconfiguration
Published: Jul 03, 2026

0.0 NA | CVE-2026-20909 — Gitea tracked-time list endpoint has insufficient permission checks
Gitea versions before 1.25.5 have insufficient permission checks when listing tracked time entries.
Authorization
Published: Jul 03, 2026

9.8 CRITICAL | CVE-2026-20896 — Gitea Docker image trusts spoofable reverse-proxy headers by default
Gitea Docker image versions up to and including 1.26.2 use REVERSE_PROXY_TRUSTED_PROXIES=* by default, allowing any source IP to impersonate a user when reverse-proxy authentication headers such as X…
Remote | Misconfiguration
Published: Jul 03, 2026

7.1 HIGH | CVE-2026-20779 — Gitea TOTP single-use enforcement defect allows OTP replay
Gitea versions from 1.5.0 before 1.26.3 have a TOTP single-use enforcement defect that allows a valid TOTP code to be accepted more than once across web two-factor authentication flows and the Basic …
Remote | Authentication
Published: Jul 03, 2026

0.0 NA | CVE-2026-20706 — Gitea repository archive downloads bypass token scope checks
Gitea versions up to and including 1.26.1 allow repository archive downloads to bypass token scope checks on the web archive download endpoint.
Authorization
Published: Jul 03, 2026

5.3 MEDIUM | CVE-2026-14611 — DeepMyst Mysti Per-Project Auto-Memory MemoryManager.ts initProjectMemory exposure of res…
A vulnerability has been found in DeepMyst Mysti up to 0.4.0. The affected element is the function initProjectMemory of the file src/managers/MemoryManager.ts of the component Per-Project Auto-Memory…
mysti | Remote | Information Disclosure
Published: Jul 03, 2026

5.3 MEDIUM | CVE-2026-14610 — Open Asset Import Library Assimp CSM File CSMLoader.cpp InternReadFile heap-based overflow
A flaw has been found in Open Asset Import Library Assimp up to 6.0.5. Impacted is the function Assimp::CSMImporter::InternReadFile of the file code/AssetLib/CSM/CSMLoader.cpp of the component CSM Fi…
Memory Corruption
Published: Jul 03, 2026

5.6 MEDIUM | CVE-2026-14609 — SourceCodester CET Automated Grading System with AI Predictive Analytics session fixation
A vulnerability was detected in SourceCodester CET Automated Grading System with AI Predictive Analytics 1.0. This issue affects some unknown processing. The manipulation results in session fixation…
Published: Jul 03, 2026

5.6 MEDIUM | CVE-2026-14355 — ext/openssl: Memory corruption in openssl_encrypt with AES-WRAP-PAD
In PHP versions 8.2.* before 8.2.32, 8.3.* before 8.3.32, 8.4.* before 8.4.23, 8.5.* before 8.5.8, the AES-WRAP-PAD algorithm implementation in the OpenSSL extension contains a buffer allocation flaw. Th…
Remote | Memory Corruption
Published: Jul 03, 2026

8.8 HIGH | CVE-2026-12481 — Deserialization of Untrusted Data in keras-team/keras
A vulnerability in keras-team/keras version 3.14.0 allows for arbitrary code execution due to improper handling of deserialization in the `Lambda` layer. Specifically, the `_raise_for_lambda_deserial…
Remote | Injection
Published: Jul 03, 2026

4.3 MEDIUM | CVE-2026-14608 — SourceCodester CET Automated Grading System with AI Predictive Analytics POST index.php v…
A security vulnerability has been detected in SourceCodester CET Automated Grading System with AI Predictive Analytics 1.0. This vulnerability affects unknown code of the file /index.php?action=view_…
Published: Jul 03, 2026

5.5 MEDIUM | CVE-2026-14607 — RT-Thread lwp_syscall.c sys_getaddrinfo memory corruption
A weakness has been identified in RT-Thread up to 5.0.2. This affects the function sys_getaddrinfo of the file components/lwp/lwp_syscall.c. Executing a manipulation of the argument ai_addr can lead …
Memory Corruption
Published: Jul 03, 2026

7.8 HIGH | CVE-2026-14606 — RT-Thread SWM341 CAN SWM341.h CAN_Receive stack-based overflow
A security flaw has been discovered in RT-Thread up to 5.0.2. Affected by this issue is the function CAN_Receive in the library bsp/synwit/libraries/SWM341_CSL/CMSIS/DeviceSupport/SWM341.h of the com…
Memory Corruption
Published: Jul 03, 2026

7.8 HIGH | CVE-2026-14605 — RT-Thread ls1c CAN ls1c_can.h recvmsg stack-based overflow
A vulnerability was identified in RT-Thread up to 5.0.2. Affected by this vulnerability is the function recvmsg in the library bsp/loongson/ls1cdev/libraries/ls1c_can.h of the component ls1c CAN Hand…
Memory Corruption
Published: Jul 03, 2026

7.3 HIGH | CVE-2026-58379 — Gimp: gimp: heap buffer overflow in read_channel_data()
A flaw was found in GIMP's Paint Shop Pro (PSP) file format parser. This heap buffer overflow vulnerability allows a remote attacker to cause arbitrary code execution or a denial of service (DoS) by …
enterprise_linux | Memory Corruption
Published: Jul 03, 2026

6.5 MEDIUM | CVE-2026-14604 — Open Asset Import Library Assimp PLY Model PlyLoader.cpp ExportToBlob double free
A vulnerability was determined in Open Asset Import Library Assimp up to 6.0.4. Affected is the function Assimp::Exporter::ExportToBlob of the file code/AssetLib/Ply/PlyLoader.cpp of the component PL…
Remote | Memory Corruption
Published: Jul 03, 2026

5.3 MEDIUM | CVE-2026-14631 — webpack-dev-server vulnerable to denial of service via a malformed Host or Origin header
webpack-dev-server versions 5.2.5 and earlier terminate the whole Node.js process when an unauthenticated peer sends either a normal HTTP request with a malformed Host header or a WebSocket upgrade t…
Denial of Service
Published: Jul 03, 2026

4.7 MEDIUM | CVE-2026-14620 — webpack-dev-server vulnerable to cross-site request forgery via internal developer endpoi…
webpack-dev-server versions 5.2.5 and earlier expose two internal developer endpoints, /webpack-dev-server/open-editor and /webpack-dev-server/invalidate, that perform state-changing actions on any G…
Misconfiguration
Published: Jul 03, 2026

4.3 MEDIUM | CVE-2026-14615 — Keycloak-services: keycloak: fgap v2 parent group children endpoint bypasses per-child vi…
A flaw was found in the Fine-Grained Admin Permissions (FGAP) v2 implementation within Keycloak's administrative services. When FGAP v2 is enabled, the system fails to properly filter child groups ba…
build_of_keycloak | Remote | Authorization
Published: Jul 03, 2026

Showing 20 of 7999 Results