Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
CVE Intelligence

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

All Critical Actively Exploited Remotely Exploitable
Last Updated Published CVSS Score
Score
Vulnerability
Published
7.7 HIGH
CVE-2026-58169 — Vibe-Trading < 0.1.10 - Loopback Trust and Missing Host Validation Enable DNS-Rebinding A…

Vibe-Trading before 0.1.10's local API server trusts the TCP peer address to bypass the API_AUTH_KEY bearer-token check for loopback clients and performs no Host header validation, while binding to 0…

Remote | Authentication
Jun 30, 2026 Jun 30, 2026
Jun 30, 2026
Jun 30, 2026
8.8 HIGH
CVE-2026-58168 — DeepTutor < 1.4.10 - Insecure Default Grants Unrestricted MCP Tool Access to Non-Admin Us…

DeepTutor before version 1.4.10 contains an authorization bypass vulnerability that allows low-privilege users to invoke unrestricted MCP tools due to the allowed_mcp_tools function returning None in…

Remote | Authorization
Jun 30, 2026 Jun 30, 2026
Jun 30, 2026
Jun 30, 2026
7.1 HIGH
CVE-2026-58167 — Nightingale < 9.0.0-beta.2 - Datasource Credential Disclosure to Low-Privilege Users

Nightingale (n9e) before 9.0.0-beta.2 exposes full datasource configurations, including plaintext database passwords, HTTP bearer tokens, HTTP basic-auth passwords, and mTLS client keys, to any authe…

Remote | Information Disclosure
Jun 30, 2026 Jun 30, 2026
Jun 30, 2026
Jun 30, 2026
9.1 CRITICAL
CVE-2026-58166 — OpenBMB ChatDev - Unauthenticated Path Traversal in Upload Handler Allows Arbitrary File …

OpenBMB ChatDev through 2.2.0, fixed in commit 4fd4da6, contains a path traversal vulnerability that allows unauthenticated remote attackers to write or delete arbitrary files by supplying a maliciou…

Remote | Path Traversal
Jun 30, 2026 Jun 30, 2026
Jun 30, 2026
Jun 30, 2026
4.8 MEDIUM
CVE-2026-10652 — Out-of-bounds read in Zephyr DNS resolver TXT/SRV record parsing (unvalidated `rdlength`)

Zephyr's DNS resolver (subsys/net/lib/dns) parses resource records from DNS responses in dns_unpack_answer(), which validated only the fixed RR header (type, class, TTL, rdlength) and accepted any at…

zephyr zephyr | Information Disclosure
Jun 30, 2026 Jun 30, 2026
Jun 30, 2026
Jun 30, 2026
8.8 HIGH
CVE-2026-58165 — OpenZiti - Privilege Escalation to Admin via Unauthorized Enrollment Creation

OpenZiti through 2.0.0, fixed in commit 3027fdf, contains a privilege escalation vulnerability that allows authenticated non-admin identities with fine-grained enrollment management permissions to cr…

Remote | Authorization
Jun 30, 2026 Jun 30, 2026
Jun 30, 2026
Jun 30, 2026
4.3 MEDIUM
CVE-2026-13455 — PostgreSQL Anonymizer: Unrestricted function can leak the secret salt

PostgreSQL Anonymizer contains a vulnerability that allows unprivileged masked users to repeatedly call the anon.hash() function and collects (seed, hash_output) pairs to perform an offline brute-for…

postgresql_anonymizer | Cryptography
Jun 30, 2026 Jun 30, 2026
Jun 30, 2026
Jun 30, 2026
5.3 MEDIUM
CVE-2026-44948 — Path Traversal in Rancher Fleet ImageScan GitRepo Path Handler

A path traversal vulnerability was found in Fleet's ImageScan subsystem in Rancher Fleet 0.12.0 up to 0.12.16, 0.13.0 up to 0.13.12, 0.14.0 up to 0.14.7 and 0.15.0 up to 0.15.3 could be used to trave…

rancher | Remote | Path Traversal
Jun 30, 2026 Jun 30, 2026
Jun 30, 2026
Jun 30, 2026
9.3 CRITICAL
CVE-2026-48315 — ColdFusion | Improper Input Validation (CWE-20)

ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Input Validation vulnerability that could result in arbitrary code execution in the context of the current user. An attacke…

coldfusion | Remote | Injection
Jun 30, 2026 Jun 30, 2026
Jun 30, 2026
Jun 30, 2026
10.0 CRITICAL
CVE-2026-48281 — ColdFusion | Improper Input Validation (CWE-20)

ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Input Validation vulnerability that could result in arbitrary code execution in the context of the current user. Exploitati…

coldfusion | Remote | Injection
Jun 30, 2026 Jun 30, 2026
Jun 30, 2026
Jun 30, 2026
10.0 CRITICAL
CVE-2026-48277 — ColdFusion | Improper Input Validation (CWE-20)

ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Input Validation vulnerability that could result in arbitrary code execution in the context of the current user. Exploitati…

coldfusion | Remote | Injection
Jun 30, 2026 Jun 30, 2026
Jun 30, 2026
Jun 30, 2026
8.6 HIGH
CVE-2026-48285 — ColdFusion | Server-Side Request Forgery (SSRF) (CWE-918)

ColdFusion versions 2025.9, 2023.20 and earlier are affected by a Server-Side Request Forgery (SSRF) vulnerability that could result in a Security feature bypass. An attacker could leverage this vuln…

coldfusion | Remote | Server-Side Request Forgery
Jun 30, 2026 Jun 30, 2026
Jun 30, 2026
Jun 30, 2026
9.3 CRITICAL
CVE-2026-48313 — ColdFusion | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal…

ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could lead to arbitrary file syste…

coldfusion | Remote | Path Traversal
Jun 30, 2026 Jun 30, 2026
Jun 30, 2026
Jun 30, 2026
8.8 HIGH
CVE-2026-48307 — ColdFusion | Cross-site Scripting (Reflected XSS) (CWE-79)

ColdFusion versions 2025.9, 2023.20 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this vulnerability to inject malicious scripts into a w…

coldfusion | Cross-Site Scripting
Jun 30, 2026 Jun 30, 2026
Jun 30, 2026
Jun 30, 2026
6.5 MEDIUM
CVE-2026-48314 — ColdFusion | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal…

ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could result in a Security feature…

coldfusion | Remote | Path Traversal
Jun 30, 2026 Jun 30, 2026
Jun 30, 2026
Jun 30, 2026
10.0 CRITICAL
CVE-2026-48276 — ColdFusion | Unrestricted Upload of File with Dangerous Type (CWE-434)

ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Unrestricted Upload of File with Dangerous Type vulnerability that could result in arbitrary code execution in the context of the cu…

coldfusion | Remote | Misconfiguration
Jun 30, 2026 Jun 30, 2026
Jun 30, 2026
Jun 30, 2026
10.0 CRITICAL
CVE-2026-48282 — ColdFusion | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal…

ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could lead to arbitrary code execu…

coldfusion | Remote | Path Traversal
Jun 30, 2026 Jun 30, 2026
Jun 30, 2026
Jun 30, 2026
10.0 CRITICAL
CVE-2026-48283 — ColdFusion | Unrestricted Upload of File with Dangerous Type (CWE-434)

ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Unrestricted Upload of File with Dangerous Type vulnerability that could result in arbitrary code execution in the context of the cu…

coldfusion | Remote | Misconfiguration
Jun 30, 2026 Jun 30, 2026
Jun 30, 2026
Jun 30, 2026
10.0 CRITICAL
CVE-2026-48286 — Adobe Campaign Classic (ACC) | Incorrect Authorization (CWE-863)

Adobe Campaign Classic (ACC) versions 7.4.3 build 9396 and earlier are affected by an Incorrect Authorization vulnerability that could result in arbitrary code execution in the context of the current…

campaign_classic | Remote | Authorization
Jun 30, 2026 Jun 30, 2026
Jun 30, 2026
Jun 30, 2026
2.0 LOW
CVE-2026-4360 — Tarfile.extract() doesn't fully respect filter parameter

In the Tarfile.extract() function, the filter parameter is not passed properly when extracting hardlinks. An affected system that extracts content from untrusted tar files could end up writing files …

cpython cpython | Remote | Misconfiguration
Jun 30, 2026 Jun 30, 2026
Jun 30, 2026
Jun 30, 2026
Showing 20 of 7463 Results