Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
8.5 HIGH
CVE-2026-56663 — AutoGPT: SSRF-to-RCE Chain in `SendWebRequestBlock` via IP validation bypass and internal…

AutoGPT is a workflow automation platform for creating, deploying, and managing continuous artificial intelligence agents. Prior to 0.6.52, an authenticated user can bypass the SSRF / private-IP prot…

autogpt_platform | Remote | Server-Side Request Forgery
Jun 26, 2026 Jun 26, 2026
Jun 26, 2026
Jun 26, 2026
5.3 MEDIUM
CVE-2026-55686 — Podman: WORKDIR symlink traversal vulnerability

Podman is a tool for managing OCI containers and pods. From 3.0.0 until 5.7.1, running a malicious container image where the WORKDIR path contains a symlink can create a directory or modify ownership…

podman | Remote
Jun 26, 2026 Jun 26, 2026
Jun 26, 2026
Jun 26, 2026
7.5 HIGH
CVE-2026-55677 — Echo: Encoded slash (%2F) bypasses route-level protection and exposes static files

Echo is a Go web framework. Prior to 4.15.3 and 5.2.0, Echo's router and static file handler disagree on URL path decoding. The router matches routes using the raw encoded path (preserving %2F as-is)…

echo | Remote | Authorization
Jun 26, 2026 Jun 26, 2026
Jun 26, 2026
Jun 26, 2026
9.9 CRITICAL
CVE-2026-54636 — Dokku: OS Command Injection via app.json managed Cron

Dokku is a docker-powered PaaS. Prior to 0.38.7, the cron plugin utilizes commands in the app.json file to manage system cron running as the Dokku user. An app.json cron command utilizing special she…

dokku | Remote | Injection
Jun 26, 2026 Jun 29, 2026
Jun 26, 2026
Jun 29, 2026
6.0 MEDIUM
CVE-2026-48529 — GitHub MCP Server: Lockdown mode singleton in HTTP server causes cross-user GraphQL clien…

GitHub MCP Server is GitHub's official MCP Server. From 0.22.0 until 1.1.2, when running in HTTP mode with --lockdown-mode enabled, the RepoAccessCache is implemented as a process-global singleton in…

Remote | Authentication
Jun 26, 2026 Jun 27, 2026
Jun 26, 2026
Jun 27, 2026
9.0 CRITICAL
CVE-2026-45408 — Dokku: OS Command Injection via App Name in Git Pre-Receive Hook

Dokku is a docker-powered PaaS. Prior to 0.38.2, the app name validation regex (^[a-z0-9][^/:_A-Z]*$) permits shell metacharacters. When an authenticated user pushes to a git remote with a crafted ap…

dokku | Remote | Injection
Jun 26, 2026 Jun 26, 2026
Jun 26, 2026
Jun 26, 2026
5.5 MEDIUM
CVE-2026-45407 — Dokku: Git Credentials in .netrc Stored World-Readable Due to Premature touch

Dokku is a docker-powered PaaS. Prior to 0.38.2, the git:auth command creates $DOKKU_ROOT/.netrc using bash's touch command, which applies the default umask of 0644. This pre-creation defeats the net…

dokku | Misconfiguration
Jun 26, 2026 Jun 26, 2026
Jun 26, 2026
Jun 26, 2026
9.0 CRITICAL
CVE-2026-45406 — Dokku: Host RCE via Maliciously Named OpenResty Include Files Injected Through eval

Dokku is a docker-powered PaaS. Prior to 0.38.2, the openresty-vhosts plugin copies files from an app's openresty/http-includes/ git repository directory to the host and then interpolates their filen…

dokku | Remote | Injection
Jun 26, 2026 Jun 26, 2026
Jun 26, 2026
Jun 26, 2026
9.0 CRITICAL
CVE-2026-45405 — Dokku: Arbitrary File Write via Tar Symlink Traversal in git:from-archive and certs:add

Dokku is a docker-powered PaaS. Prior to 0.38.2, the git:from-archive and certs:add commands extract user-supplied tar/zip archives into temporary directories without sanitizing member paths or preve…

dokku | Remote | Path Traversal
Jun 26, 2026 Jun 26, 2026
Jun 26, 2026
Jun 26, 2026
5.0 MEDIUM
CVE-2026-28385 — SSRF via image import from URL allows internal network probing by authenticated users

In Canonical LXD versions 4.12 through 6.9, a Server-Side Request Forgery (SSRF) vulnerability in the image import functionality allows authenticated users with the can_create_images entitlement to i…

lxd | Remote | Server-Side Request Forgery
Jun 26, 2026 Jun 26, 2026
Jun 26, 2026
Jun 26, 2026
4.9 MEDIUM
CVE-2026-13434 — Virt-controller-rhel9: kubevirt: kubevirt: multus default-network annotation injection vi…

A flaw was found in KubeVirt's network annotation generator. When a tenant creates a VirtualMachineInstance with a Multus network configuration, the supplied networkName value is written verbatim int…

openshift_virtualization | Remote | Injection
Jun 26, 2026 Jun 27, 2026
Jun 26, 2026
Jun 27, 2026
5.3 MEDIUM
CVE-2026-11779 — PayloadCMS 3.84.1 - Authenticated account lockout bypass through default unlock access

An Improper Authorization vulnerability exists in PayloadCMS version 3.84.1 due to insufficient access control on the account unlock operation.

payloadcms | Remote | Authorization
Jun 26, 2026 Jun 26, 2026
Jun 26, 2026
Jun 26, 2026
5.3 MEDIUM
CVE-2025-32423 — AutoGPT: There is a DoS vulnerability in ExtractTextInformationBlock

AutoGPT is a workflow automation platform for creating, deploying, and managing continuous artificial intelligence agents. Prior to 0.6.32, there is a DoS vulnerability in ExtractTextInformationBlock…

autogpt_platform | Remote | Denial of Service
Jun 26, 2026 Jun 29, 2026
Jun 26, 2026
Jun 29, 2026
5.3 MEDIUM
CVE-2025-32394 — AutoGPT: There is a DoS vulnerability in AITextSummarizerBlock

AutoGPT is a workflow automation platform for creating, deploying, and managing continuous artificial intelligence agents. Prior to 0.6.32, there is a DoS vulnerability in AITextSummarizerBlock. Mali…

autogpt_platform | Remote | Denial of Service
Jun 26, 2026 Jun 27, 2026
Jun 26, 2026
Jun 27, 2026
7.2 HIGH
CVE-2026-9640 — LXD Snapshot Import Privilege Escalation Vulnerability

A privilege escalation vulnerability exists in LXD from 6.0 before 6.9, 5.21.0 before 5.21.5, and 5.0.0 before 5.0.7 regarding the handling of project-restriction policies during snapshot restoration…

lxd | Remote | Authorization
Jun 26, 2026 Jul 02, 2026
Jun 26, 2026
Jul 02, 2026
6.5 MEDIUM
CVE-2026-9639 — Authenticated Denial of Service via Malicious Backup Tarball in LXD

Nil-pointer dereference in CreateCustomVolumeFromBackup in LXD up to version 6.8 and 5.21 on Linux allows an authenticated user with can_create_storage_volumes permissions to cause a denial of servic…

linux_kernel lxd | Remote | Memory Corruption
Jun 26, 2026 Jul 02, 2026
Jun 26, 2026
Jul 02, 2026
7.5 HIGH
CVE-2026-5757 — There exists an unauthenticated remote information disclosure vulnerability in Ollama's m…

Unauthenticated remote information disclosure vulnerability in Ollama's model quantization engine allows an attacker to read and exfiltrate the server's heap memory, potentially leading to sensitive …

ollama | Remote | Information Disclosure
Jun 26, 2026 Jun 29, 2026
Jun 26, 2026
Jun 29, 2026
7.1 HIGH
CVE-2026-47214 — Docling: Unsafe URI and Path Handling in HTML Backend

Docling simplifies document processing by parsing diverse formats and providing integrations with the generative AI ecosystem. Prior to 2.94.0, the HTML backend has unsafe URI and path handling. This…

docling | Remote | Path Traversal
Jun 26, 2026 Jul 02, 2026
Jun 26, 2026
Jul 02, 2026
7.8 HIGH
CVE-2026-45195 — GPU DDK - rgxfw_set_mips_fault_address(&psInit->sFaultPhysAddr) is untrusted

Kernel software installed and running inside a Host VM may post improper commands to the GPU Firmware to trigger a memory read or write outside the permitted range of memory for the host kernel. A…

ddk | Memory Corruption
Jun 26, 2026 Jun 29, 2026
Jun 26, 2026
Jun 29, 2026
7.1 HIGH
CVE-2026-44018 — Docling: Unsafe Archive Extraction and XML Parsing in METS-GBS Backend

Docling simplifies document processing by parsing diverse formats and providing integrations with the generative AI ecosystem. From 2.45.0 until 2.91.0, the METS-GBS backend's XML parsing and the inp…

docling | XML External Entity
Jun 26, 2026 Jun 27, 2026
Jun 26, 2026
Jun 27, 2026
Showing 20 of 7972 Results