Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
9.9 CRITICAL
CVE-2026-13772 — IBM WebSphere eXtreme Scale's OQL is affected by remote code execution

IBM WebSphere Extreme Scale 8.6.1.0 through 8.6.1.6 's Object Query Language engine resolves attacker-supplied class names via Class.forName() and invokes their constructors with no allow-list at thr…

websphere_extreme_scale | Remote | Injection
Jun 30, 2026 Jun 30, 2026
Jun 30, 2026
Jun 30, 2026
10.0 CRITICAL
CVE-2026-13773 — IBM WebSphere eXtreme Scale is affected by server side request forgery when ORB is used a…

IBM WebSphere Extreme Scale 8.6.1.0 through 8.6.1.6 Approximately 50 generated CORBA stub classes in WebSphere eXtreme Scale's ogclient.jar call ORB.string_to_object() on an attacker-controlled IOR s…

websphere_extreme_scale | Remote | Server-Side Request Forgery
Jun 30, 2026 Jun 30, 2026
Jun 30, 2026
Jun 30, 2026
5.5 MEDIUM
CVE-2026-3602 — IBM App Connect Enterprise and IBM Integration Bus for z/OS toolkit is vulnerable to an s…

IBM App Connect Enterprise 13.0.1.0 through 13.0.7.2, and 12.0.1.0 through 12.0.12.26 and IBM Integration Bus for z/OS 10.1.0.0 through 10.1.0.7 is vulnerable to SQL injection. A remote attacker coul…

Jun 30, 2026 Jun 30, 2026
Jun 30, 2026
Jun 30, 2026
7.2 HIGH
CVE-2026-10513 — Webmention <= 5.8.0 - Unauthenticated Stored Cross-Site Scripting via MF2 'photo'/'url' A…

The Webmention plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to and including 5.8.0 via parser-derived 'avatar' and 'url' author metadata. This is due to insufficie…

Remote | Cross-Site Scripting
Jun 30, 2026 Jul 01, 2026
Jun 30, 2026
Jul 01, 2026
9.8 CRITICAL
CVE-2026-7663 — Unauthenticated Cross-User MCP Resource Access and Tool Execution via Streamable Transpor…

IBM Langflow OSS 1.0.0 through 1.9.6 could allow unauthenticated attackers to access protected MCP project resources and execute MCP operations due to improper authorization enforcement in the Stream…

langflow_oss | Remote | Authorization
Jun 30, 2026 Jun 30, 2026
Jun 30, 2026
Jun 30, 2026
9.8 CRITICAL
CVE-2026-7803 — Flow Validation Bypass via Empty Component Type Field

IBM Langflow OSS 1.0.0 through 1.10.0 could allow arbitrary code execution due to improper validation of flow nodes with missing or empty component type fields.

langflow_oss | Remote | Injection
Jun 30, 2026 Jun 30, 2026
Jun 30, 2026
Jun 30, 2026
9.8 CRITICAL
CVE-2026-7871 — Insecure Deserialization in Redis Cache Backend

IBM Langflow OSS 1.0.0 through 1.10.0 allows users with Redis access to execute arbitrary code with full application privileges, compromising all secrets, data, and system integrity.

langflow_oss | Remote | Misconfiguration
Jun 30, 2026 Jun 30, 2026
Jun 30, 2026
Jun 30, 2026
9.9 CRITICAL
CVE-2026-7873 — Code Injection Vulnerability in Code Validation Endpoint

IBM Langflow OSS 1.0.0 through 1.10.0 allows authenticated attackers to execute arbitrary OS commands and read sensitive files including credentials, enabling complete system compromise and lateral m…

langflow_oss | Remote | Injection
Jun 30, 2026 Jun 30, 2026
Jun 30, 2026
Jun 30, 2026
9.1 CRITICAL
CVE-2026-7874 — Weak Cryptographic Key Derivation Exposed All Stored Credentials

IBM Langflow OSS 1.0.0 through 1.10.0 Langflow could allow disclosure of all stored credentials due to the use of a weak and reversible key derivation mechanism for encryption at rest.

langflow_oss | Remote | Cryptography
Jun 30, 2026 Jun 30, 2026
Jun 30, 2026
Jun 30, 2026
6.5 MEDIUM
CVE-2026-9002 — IBM WebSphere eXtremes Scale is affected by uncontrolled resource consumption when XDF is…

IBM WebSphere Extreme Scale 8.6.1.0 through 8.6.1.6 could allow an adjacent attacker to cause a denial of service due to improper validation in the XDF decoder. The application processes deeply neste…

websphere_extreme_scale | Denial of Service
Jun 30, 2026 Jun 30, 2026
Jun 30, 2026
Jun 30, 2026
7.5 HIGH
CVE-2026-9836 — IBM DataStage Flow Designer application is affected by an information disclosure vulnerab…

IBM InfoSphere Information Server 11.7.0.0 through 11.7.1.6 is affected by an information disclosure vulnerability.

infosphere_information_server | Remote | Information Disclosure
Jun 30, 2026 Jun 30, 2026
Jun 30, 2026
Jun 30, 2026
9.8 CRITICAL
CVE-2026-58138 — Orkes Conductor 3.21.21 < 3.30.2 Unauthenticated RCE via GraalVM Script Evaluators

Orkes Conductor 3.21.21 before 3.30.2 contains an unauthenticated remote code execution vulnerability that allows remote attackers to execute arbitrary OS commands by submitting inline workflow defin…

Remote | Injection
Jun 30, 2026 Jun 30, 2026
Jun 30, 2026
Jun 30, 2026
6.5 MEDIUM
CVE-2026-9263 — Out-of-bounds read in Bluetooth Controller ISOAL framed RX reassembly leaks adjacent memo…

The Zephyr Bluetooth controller ISO Adaptation Layer (subsys/bluetooth/controller/ll_sw/isoal.c) fails to validate the length field of a framed ISO PDU start segment. Per the Bluetooth specification …

zephyr zephyr | Memory Corruption
Jun 30, 2026 Jul 01, 2026
Jun 30, 2026
Jul 01, 2026
8.6 HIGH
CVE-2026-58377 — JeecgBoot 3.9.2 - Missing Authorization on OpenAPI Credential Management Endpoints Expose…

JeecgBoot through 3.9.2 contains a broken access control vulnerability that allows authenticated low-privilege users to perform full create, read, update, and delete operations on OpenAPI credentials…

jeecgboot | Remote | Authorization
Jun 30, 2026 Jul 01, 2026
Jun 30, 2026
Jul 01, 2026
8.1 HIGH
CVE-2026-58372 — SeaweedFS < 4.34 - Cross-Bucket Object Deletion via DeleteObjects Request-Body Keys

SeaweedFS before 4.34 contains a path traversal vulnerability in the S3 gateway DeleteMultipleObjectsHandler that allows authenticated S3 principals with write access to a single bucket to delete arb…

seaweedfs | Remote | Path Traversal
Jun 30, 2026 Jul 01, 2026
Jun 30, 2026
Jul 01, 2026
3.1 LOW
CVE-2026-58371 — SeaweedFS < 4.30 - Cross-Origin Information Disclosure via Unvalidated JSONP callback Par…

SeaweedFS before 4.30 reflects the callback query parameter verbatim into responses served with Content-Type application/javascript in the shared writeJson helper (weed/server/common.go), with no cal…

seaweedfs | Remote | Information Disclosure
Jun 30, 2026 Jul 01, 2026
Jun 30, 2026
Jul 01, 2026
9.2 CRITICAL
CVE-2026-58370 — Woodpecker < 3.15.0 - GitLab Approval Gate Bypass via Spoofable Commit Author Name

Woodpecker before 3.15.0 matches the ApprovalAllowedUsers bypass list against pipeline.Author. For the GitLab forge driver, pipeline.Author is populated from the git commit author name (commit.author…

woodpecker | Remote | Authorization
Jun 30, 2026 Jul 02, 2026
Jun 30, 2026
Jul 02, 2026
6.9 MEDIUM
CVE-2026-58369 — Woodpecker < 3.15.0 - Unauthenticated NULL Pointer Dereference in /api/orgs/lookup Enable…

Woodpecker before 3.15.0 registers the /api/orgs/lookup/*org_full_name endpoint without authentication middleware, and the LookupOrg handler unconditionally dereferences the session user (user.ForgeI…

woodpecker | Remote | Authentication
Jun 30, 2026 Jul 01, 2026
Jun 30, 2026
Jul 01, 2026
6.5 MEDIUM
CVE-2026-58174 — Hermes WebUI < 0.51.521 - Cross-Profile Authorization Bypass via Unset Session Profile on…

Hermes WebUI before 0.51.521 validates the workspace of an imported session under the active named profile but constructs the Session object without setting its profile in the /api/session/import han…

hermes_web_ui | Remote | Authorization
Jun 30, 2026 Jul 01, 2026
Jun 30, 2026
Jul 01, 2026
6.5 MEDIUM
CVE-2026-58173 — Vibe-Trading < 0.1.10 - Path Traversal via Persistent Memory Type

Vibe-Trading before 0.1.10 contains a path traversal vulnerability that allows attackers to write files outside the intended memory root directory by supplying a malicious memory_type value containin…

Remote | Path Traversal
Jun 30, 2026 Jul 01, 2026
Jun 30, 2026
Jul 01, 2026
Showing 20 of 7989 Results