Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
7.0 HIGH
CVE-2026-46732 — Dell Display and Peripheral Manager Local Privilege Escalation via Race Condition

Dell Display and Peripheral Manager (DDPM Mac), versions prior to 2.3, contain a Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') vulnerability. A low privi…

Jun 25, 2026 Jun 29, 2026
Jun 25, 2026
Jun 29, 2026
5.3 MEDIUM
CVE-2026-42390 — ZONEMD validation can be bypassed

An invalid zone might pass ZONEMD validation while it should not. This is only relevant if ZoneToCache is configured with ZONEMD validation.

recursor | Remote | Misconfiguration
Jun 25, 2026 Jun 25, 2026
Jun 25, 2026
Jun 25, 2026
5.3 MEDIUM
CVE-2026-42389 — Reject more queries with invalid header values

This fix provides extra hardening for the 5.4.x branch by doing extra validation of incoming answers from authoritative servers.

recursor | Remote
Jun 25, 2026 Jun 25, 2026
Jun 25, 2026
Jun 25, 2026
5.9 MEDIUM
CVE-2026-42388 — Missing input validation for catalog zones

Incomplete validation of the SOA record present in a catalog zone might lead to a crash.

recursor | Remote | Denial of Service
Jun 25, 2026 Jun 25, 2026
Jun 25, 2026
Jun 25, 2026
5.9 MEDIUM
CVE-2026-42387 — Insufficient input validation in ZoneToCache

A malicious authoritative server can send a crafted zone via the ZoneToCache function that leads to a crash of the Recursor due to insuffcient input validation.

recursor | Remote | Denial of Service
Jun 25, 2026 Jun 25, 2026
Jun 25, 2026
Jun 25, 2026
9.8 CRITICAL
CVE-2026-41120 — Dell Wyse Management Suite: Acceptance of Extraneous Untrusted Data With Trusted Data lea…

Dell Wyse Management Suite, versions prior to WMS 5.5 HF1, contain an Acceptance of Extraneous Untrusted Data With Trusted Data vulnerability. A low privileged attacker with remote access could poten…

wyse_management_suite | Remote | Misconfiguration
Jun 25, 2026 Jun 26, 2026
Jun 25, 2026
Jun 26, 2026
5.3 MEDIUM
CVE-2026-40012 — Information about ECS zero scoped answers might leak to clients that use a specific ECS

ECS zero scoped answers are stored in the packet cache while they should not. This impacts only configurations that have ECS enabled;

recursor | Remote | Misconfiguration
Jun 25, 2026 Jun 25, 2026
Jun 25, 2026
Jun 25, 2026
8.4 HIGH
CVE-2026-2815 — Incorrect use of the PUF key for user key generation in EFR32xG27 results in predictable …

Incorrect use of the PUF key for user key generation in EFR32xG27 results in predictable keys

| Cryptography
Jun 25, 2026 Jun 25, 2026
Jun 25, 2026
Jun 25, 2026
7.5 HIGH
CVE-2026-27366 — WordPress MainWP Child plugin <= 6.1.1 - Broken Access Control vulnerability

Unauthenticated Broken Access Control in MainWP Child <= 6.1.1 versions.

mainwp_child | Remote | Authorization
Jun 25, 2026 Jun 29, 2026
Jun 25, 2026
Jun 29, 2026
2.7 LOW
CVE-2026-12755 — Devolutions Server PAM AD Discovery Server-Side Request Forgery

Improper input validation in the PAM AD discovery endpoints in Devolutions Server 2026.2.4.0 through 2026.2.7.0 allows an authenticated user with the UserGroupsView permission to coerce server-side…

devolutions_server | Remote | Authentication
Jun 25, 2026 Jun 29, 2026
Jun 25, 2026
Jun 29, 2026
3.7 LOW
CVE-2026-42004 — EDNS options smuggling

An attacker can send a crafted EDNS OPT record that will be ignored by DNSdist’s filtering rules, but will be rewritten as a valid OPT record when EDNS Client Subnet is inserted, causing the backend …

dnsdist | Remote | Misconfiguration
Jun 25, 2026 Jun 25, 2026
Jun 25, 2026
Jun 25, 2026
5.3 MEDIUM
CVE-2026-40211 — Denial of service via crafted DoH3 queries

An attacker can send crafted DNS over HTTP/3 queries, triggering an exception that prevents some buffer from being freed right away. The buffer will be freed at the end of the QUIC connection, but on…

dnsdist | Remote | Denial of Service
Jun 25, 2026 Jun 25, 2026
Jun 25, 2026
Jun 25, 2026
4.8 MEDIUM
CVE-2026-40210 — Out-of-bounds read in SetMacAddrAction

An out-of-bounds read might happen when SetMacAddrAction is used, potentially resulting in uninitialized memory being sent over the network or a crash.

dnsdist | Remote | Memory Corruption
Jun 25, 2026 Jun 25, 2026
Jun 25, 2026
Jun 25, 2026
5.3 MEDIUM
CVE-2026-40209 — Denial of service via IXFR queries

An attacker might be able to cause outgoing TCP connections to backend to be stuck until a timeout occurs instead of being released immediately, by sending IXFR queries. This could be used to cause a…

dnsdist | Remote | Denial of Service
Jun 25, 2026 Jun 25, 2026
Jun 25, 2026
Jun 25, 2026
3.7 LOW
CVE-2026-40208 — Denial of service via DoH3 queries

An attacker might be able to delay the processing of DoH3 queries by sending DoH3 GET queries with an invalid DATA frame.

dnsdist | Remote | Denial of Service
Jun 25, 2026 Jun 25, 2026
Jun 25, 2026
Jun 25, 2026
3.7 LOW
CVE-2026-40011 — Prometheus denial of service via crafted DNS queries

An attacker sending a large number of crafted DNS queries might be able to trigger a dynamic block being inserted with a value causing invalid output to be produced in the prometheus endpoint. The pr…

dnsdist | Remote | Denial of Service
Jun 25, 2026 Jun 25, 2026
Jun 25, 2026
Jun 25, 2026
7.5 HIGH
CVE-2026-33612 — ZoneToCache can poison the cache

A malicious authoritative server can send a crafted zone via the ZoneToCache function that leads to cache poisoning.

recursor | Remote | Misconfiguration
Jun 25, 2026 Jun 25, 2026
Jun 25, 2026
Jun 25, 2026
4.3 MEDIUM
CVE-2026-42005 — Insufficient input validation of internal web server

An attacker can send a web request that causes unlimited memory allocation in the internal web server, leading to a denial of service. The internal web server is disabled by default.

authoritative | Remote | Denial of Service
Jun 25, 2026 Jun 25, 2026
Jun 25, 2026
Jun 25, 2026
2.0 LOW
CVE-2026-56130 — Apache Shiro: Remember-me cookie isn't checked for expiry on the server

"Remember me" cookie age is not verified on the server. This potentially allows an attacker to intercept a valid cookie and reuse it indefinitely, even after the configured expiration time has passed…

shiro | Remote | Authentication
Jun 25, 2026 Jun 25, 2026
Jun 25, 2026
Jun 25, 2026
8.2 HIGH
CVE-2026-56091 — Apache Shiro: Authentication bypass in Guice-Web integration

When using Apache Shiro with the shiro-guice module in a web servlet context, a specially crafted HTTP request may cause an authentication bypass. This vulnerability is similar to https://www.cve.or…

shiro | Remote | Authentication
Jun 25, 2026 Jun 25, 2026
Jun 25, 2026
Jun 25, 2026
Showing 20 of 8012 Results