Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
8.1 HIGH
CVE-2025-71350 — picklescan - Undetected Remote Code Execution via torch.utils.collect_env.run

picklescan before 0.0.28 fails to detect malicious pickle files using torch.utils.collect_env.run function in reduce methods. Attackers can embed undetected code in pickle files that executes remote …

picklescan | Remote | Injection
Jun 30, 2026 Jul 01, 2026
Jun 30, 2026
Jul 01, 2026
8.1 HIGH
CVE-2025-71349 — picklescan - Arbitrary Code Execution via Undetected trace.Trace.run in Pickle Files

picklescan before 0.0.29 fails to detect the built-in trace.Trace.run function when analyzing pickle files, allowing attackers to embed undetected malicious code. Remote attackers can craft malicious…

picklescan | Remote | Injection
Jun 30, 2026 Jul 01, 2026
Jun 30, 2026
Jul 01, 2026
5.3 MEDIUM
CVE-2026-58450 — Invoice Ninja 5.13.26 - Open Redirect in Client Portal Login via intended Parameter

Invoice Ninja through 5.13.26 contains an open redirect vulnerability in the client portal login that allows unauthenticated attackers to redirect authenticated victims to attacker-controlled externa…

invoice_ninja | Remote | Misconfiguration
Jun 30, 2026 Jul 02, 2026
Jun 30, 2026
Jul 02, 2026
9.8 CRITICAL
CVE-2026-58449 — txtai - Unauthenticated Remote Code Execution via Unsafe Reflection in API /reindex funct…

txtai through 9.10.0, fixed in commit 11b32da, exposes an API /reindex endpoint whose function body parameter is resolved through txtai.util.Resolver, which performs __import__ and getattr on the cal…

txtai | Remote | Injection
Jun 30, 2026 Jul 02, 2026
Jun 30, 2026
Jul 02, 2026
7.1 HIGH
CVE-2026-58448 — yudao-cloud < 2026.06 - BPM Module Broken Access Control via process-instance API

yudao-cloud before 2026.06 contains a broken access control vulnerability in the BPM module that allows any authenticated user to access arbitrary process instance records by supplying a caller-contr…

yudao-cloud yudao-cloud | Remote | Authorization
Jun 30, 2026 Jul 01, 2026
Jun 30, 2026
Jul 01, 2026
7.1 HIGH
CVE-2026-58447 — Invidious - Cross-User Playlist Video Deletion via Missing Ownership Check

Invidious through 2.20260626.0, fixed in commit 77ad416, contains a broken object level authorization vulnerability that allows authenticated attackers to delete videos from other users' playlists by…

invidious | Remote | Authorization
Jun 30, 2026 Jul 02, 2026
Jun 30, 2026
Jul 02, 2026
6.9 MEDIUM
CVE-2026-58446 — Presenton < 0.8.8-beta - Authentication Bypass of Session Auth via Unprotected MCP Endpoi…

Presenton before 0.8.8-beta bundles an MCP server that, on server/Docker deployments configured with session authentication (AUTH_USERNAME/AUTH_PASSWORD), is reachable unauthenticated at /mcp because…

presenton | Remote | Authentication
Jun 30, 2026 Jul 02, 2026
Jun 30, 2026
Jul 02, 2026
7.5 HIGH
CVE-2026-57585 — MessagePack: Out-of-bounds read/crash on Unpacker reuse after caught error

MessagePack is the serializer implementation for Python msgpack.org. Prior to 1.2.1, there is an Out-of-bounds read/crash on Unpacker reuse after a caught error, potentially leading to a DoS attack. …

Remote | Denial of Service
Jun 30, 2026 Jul 02, 2026
Jun 30, 2026
Jul 02, 2026
6.9 MEDIUM
CVE-2026-57204 — pypdf: Missing stream length values ignore defined limits

pypdf is a free and open-source pure-python PDF library. Prior to 6.13.3, a maliciously crafted PDF can cause DoS. An attacker who uses this vulnerability can craft a PDF which leads to large memory …

pypdf | Remote | Denial of Service
Jun 30, 2026 Jul 02, 2026
Jun 30, 2026
Jul 02, 2026
8.8 HIGH
CVE-2026-52868 — OFFIS DCMTK Toolkit Path Traversal

An unauthenticated attacker can read worklist records from a directory outside the intended per-AE worklist storage area. In a multi-area deployment, this can cross departmental or clinic data separa…

dcmtk | Remote | Path Traversal
Jun 30, 2026 Jul 01, 2026
Jun 30, 2026
Jul 01, 2026
7.5 HIGH
CVE-2026-52196 — UTT nv518G Buffer Overflow

Buffer Overflow vulnerability in UTT nv518G nv518GV3v3.2.7-210919-161313 allows a remote attacker to cause a denial of service via the gohead/sub_416f28 component

Remote | Memory Corruption
Jun 30, 2026 Jul 02, 2026
Jun 30, 2026
Jul 02, 2026
8.7 HIGH
CVE-2026-50254 — OFFIS DCMTK Toolkit Missing Release of Memory after Effective Lifetime

An unauthenticated remote attacker can repeatedly send a single crafted connection request to leak memory. Against storescp in its default single-process mode, memory grows quickly and the service is…

dcmtk | Remote | Memory Corruption
Jun 30, 2026 Jul 01, 2026
Jun 30, 2026
Jul 01, 2026
9.8 CRITICAL
CVE-2026-50003 — OFFIS DCMTK Toolkit Path Traversal

A malicious or compromised server can make a DCMTK client using bit-preserving C-GET storage mode write files outside the chosen output directory, using both relative (../) paths and absolute paths.

dcmtk | Remote | Path Traversal
Jun 30, 2026 Jul 01, 2026
Jun 30, 2026
Jul 01, 2026
9.8 CRITICAL
CVE-2026-37106 — DokuWiki Remote Code Execution via register Function

An issue in DokuWiki 2025-05-14b "Librarian" 56.2 allows a remote attacker to create an account via the register function in inc/auth.php. NOTE: this is disputed by the Supplier because this is the i…

Remote | Authentication
Jun 30, 2026 Jul 02, 2026
Jun 30, 2026
Jul 02, 2026
8.7 HIGH
CVE-2026-35505 — OFFIS DCMTK Toolkit Missing Release of Memory after Effective Lifetime

An unauthenticated remote attacker can repeatedly send crafted connection requests to leak memory. In single-process deployments the memory grows until the service is killed and the port stops respon…

dcmtk | Remote | Denial of Service
Jun 30, 2026 Jul 01, 2026
Jun 30, 2026
Jul 01, 2026
9.8 CRITICAL
CVE-2026-11541 — IBM WebSphere Application Server and WebSphere Application Server Liberty are affected by…

IBM WebSphere Application Server 9.0, and 8.5 and IBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.6 are affected by an HTTP request smuggling vulnerability.

Jun 30, 2026 Jul 02, 2026
Jun 30, 2026
Jul 02, 2026
6.3 MEDIUM
CVE-2026-10585 — Stored cross-site scripting vulnerability in GitHub Enterprise Server allowed arbitrary J…

A stored cross-site scripting vulnerability was identified in GitHub Enterprise Server that allowed an authenticated attacker to execute arbitrary JavaScript in another user's browser by injecting a …

enterprise_server | Remote | Cross-Site Scripting
Jun 30, 2026 Jul 02, 2026
Jun 30, 2026
Jul 02, 2026
6.5 MEDIUM
CVE-2026-9132 — Missing authorization vulnerability in GitHub Enterprise Server allowed disclosure of pri…

A missing authorization vulnerability was identified in GitHub Enterprise Server that allowed an authenticated user to read source code from private repositories they did not have access to. The C…

enterprise_server | Remote | Authorization
Jun 30, 2026 Jul 02, 2026
Jun 30, 2026
Jul 02, 2026
5.5 MEDIUM
CVE-2026-9106 — UI misrepresentation vulnerability in GitHub Enterprise Server allowed unauthorized organ…

A UI misrepresentation vulnerability was identified in GitHub Enterprise Server that allowed an OAuth application to gain unintended access to an organization's runner management. An attacker could e…

enterprise_server | Remote | Authorization
Jun 30, 2026 Jul 02, 2026
Jun 30, 2026
Jul 02, 2026
8.7 HIGH
CVE-2026-44628 — OFFIS DCMTK Toolkit Type Confusion

An unauthenticated attacker can crash the worklist server with a single crafted query when the server has a valid Called AE Title / storage directory, the expected lockfile, and at least one matching…

dcmtk | Remote | Denial of Service
Jun 30, 2026 Jul 01, 2026
Jun 30, 2026
Jul 01, 2026
Showing 20 of 7915 Results