Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score | Vulnerability | Published
5.1 MEDIUM
CVE-2026-56450 — AIL Framework - Missing Rate Limiting Enables Brute-Force Attacks Against Two-Factor Auth…

AIL did not restrict repeated failed attempts to verify a two-factor authentication (OTP) code. An attacker who had reached the 2FA verification step, such as after successfully completing the passwo…

Remote | Authentication
Jun 22, 2026 Jun 22, 2026
8.3 HIGH
CVE-2026-56448 — Authenticated Path Traversal in AIL Framework Investigation Downloads Allows Arbitrary Fi…

A path traversal vulnerability exists in AIL Framework before the release containing commit 0041456af25da0cdea1c1c4624e46baff2731d8f. An authenticated AIL user can supply crafted object identifiers t…

Remote | Path Traversal
Jun 22, 2026 Jun 22, 2026
9.3 CRITICAL
CVE-2026-56447 — MISP remote code execution via arbitrary rdkafka configuration path

MISP allowed an authenticated site administrator to set the Kafka_rdkafka_config setting to an arbitrary filesystem path. MISP subsequently parsed the referenced INI file and passed its options to rd…

misp misp | Remote | Misconfiguration
Jun 22, 2026 Jun 23, 2026
8.7 HIGH
CVE-2026-56446 — Authenticated Remote Code Execution via Arbitrary NDJSON Error Log Path in MISP

MISP allowed a site administrator to configure an arbitrary filesystem path for the NDJSON error log used by JsonLogTool. Because log entries can include attacker-controlled content, an authenticated…

misp misp | Remote | Path Traversal
Jun 22, 2026 Jun 23, 2026
9.3 CRITICAL
CVE-2026-56425 — MISP AAD authentication plugin - Improper OAuth State Handling, Missing Session Rotation,…

The Azure Active Directory (AAD) authentication implementation contained multiple weaknesses in its OAuth 2.0 authorization flow that could allow attackers to bypass important security guarantees pro…

misp misp | Remote | Authentication
Jun 22, 2026 Jun 26, 2026
8.8 HIGH
CVE-2026-56424 — Broken access control in MISP core allows cross-organization unauthorized modification or…

MISP core contained multiple broken access-control flaws where authorization checks were performed against the wrong entity, or where ownership/editability checks were missing on write paths. In affe…

misp misp | Remote | Authorization
Jun 22, 2026 Jun 23, 2026
9.4 CRITICAL
CVE-2026-56423 — MISP Core: Broken access control allows instance-wide unauthorized deletion of event repo…

MISP Core contained broken access-control checks in the bulk deletion flows for Event Reports and Sharing Groups. The affected deleteSelection handlers authorized deletion using broad role-level perm…

misp misp | Remote | Authorization
Jun 22, 2026 Jun 23, 2026
8.3 HIGH
CVE-2026-54100 — Windows-machine-config-operator: windows-machine-config-operator: ssh host key not verifi…

A flaw was found in the Windows Machine Config Operator (WMCO) for Red Hat OpenShift Container Platform. WMCO establishes SSH connections to Windows worker nodes without verifying the remote server h…

openshift_container_platform | Authentication
Jun 22, 2026 Jun 30, 2026
8.8 HIGH
CVE-2026-54099 — Windows-machine-config-operator: windows-machine-config-operator: wicd csr extra-organiza…

A flaw was found in the Windows Machine Config Operator (WMCO) for Red Hat OpenShift Container Platform. The WICD CSR auto-approver validates that a Certificate Signing Request contains the organizat…

Jun 22, 2026 Jun 30, 2026
7.7 HIGH
CVE-2026-42129 — Path Traversal in Loki Datasource leads to Internal Information Disclosure

The Loki datasource plugin's callResource handler contains a path traversal vulnerability. An authenticated Viewer-role user can escape the plugin's resource sandbox and access administrative Loki en…

loki_datasource | Remote | Path Traversal
Jun 22, 2026 Jun 30, 2026
9.6 CRITICAL
CVE-2026-28381 — Local File Read/Write to Potential Privilege Escalation via Snowflake GET/PUT

The Snowflake datasource allows for GET/PUT commands, which can allow any user with access to run queries against the data source to read/write files between the local grafana server and the connecte…

snowflake | Remote | Path Traversal
Jun 22, 2026 Jun 30, 2026
2.0 LOW
CVE-2026-12888 — HTML injection in the Canarytoken Google Chat notification

An HTML injection vulnerability exists in the Google Chat webhook notification sent by Thinkst Applied Research Canarytokens, enabling Interface Manipulation in Google Chat. An attacker can insert l…

Remote | Injection
Jun 22, 2026 Jun 23, 2026
8.8 HIGH
CVE-2026-12602 — Incorrect permissions in ArubaSign by Aruba

Incorrect default permissions in ArubaSign, affecting versions prior to v4.6.6. The vulnerability is caused by the assignment of inappropriate permissions during the software’s default installation, …

Misconfiguration
Jun 22, 2026 Jun 22, 2026
5.4 MEDIUM
CVE-2026-10601 — Path Traversal in Tempo and Loki Data Source Plugins — Credential Leakage and Admin Endpo…

The Tempo and Loki datasource plugins construct backend HTTP requests by interpolating user-supplied input into URL paths without sanitization, enabling path traversal. A Viewer-role user can: (1) ca…

grafana | Remote | Path Traversal
Jun 22, 2026 Jun 30, 2026
10.0 CRITICAL
CVE-2026-10561 — Unauthenticated Remote Code Execution in Langflow OSS PythonREPLComponent via Builtins In…

IBM Langflow OSS 1.0.0 through 1.9.3 has a vulnerability due to an improper isolation of Python execution combined with an authentication bypass that allows an unauthenticated attacker to execute ar…

langflow langflow_oss | Remote | Authentication
Jun 22, 2026 Jun 26, 2026
7.5 HIGH
CVE-2025-66389 — GitHub Copilot Unauthorized Filesystem Access via Fetch Webpage

GitHub Copilot 1.372.0 allows filesystem access outside of a workspace folder (without user approval) via a file-handler URI parameter to fetch_webpage. Therefore, exfiltration could occur if there i…

github_copilot | Remote | Misconfiguration
Jun 22, 2026 Jun 30, 2026
5.4 MEDIUM
CVE-2025-33128 — IBM Engineering Lifecycle Management - Engineering Workflow Management is impacted by vul…

IBM Engineering Workflow Management 7.0.3 through 7.0.3 Interim Fix 020, and 7.1 through 7.1 Interim Fix 007 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to …

engineering_workflow_management | Remote | Cross-Site Scripting
Jun 22, 2026 Jun 26, 2026
6.5 MEDIUM
CVE-2025-2669 — Multiple vulnerabilities affect IBM Db2® on Cloud Pak for Data, and Db2 Warehouse on Clou…

IBM Db2 on Cloud Pak for Data and Db2 Warehouse on Cloud Pak for Data versions 4.8, 5.0, 5.1, 5.2, 5.3 could allow a privileged user to perform operations and obtain sensitive information outside of …

Jun 22, 2026 Jun 30, 2026
6.5 MEDIUM
CVE-2024-54178 — Multiple vulnerabilities affect IBM Db2® on Cloud Pak for Data, and Db2 Warehouse on Clou…

IBM Db2 on Cloud Pak for Data and Db2 Warehouse on Cloud Pak for Data versions 4.8, 5.0, 5.1, 5.2, 5.3 could allow an authenticated user to cause a denial of service when creating new databases due to im…

Jun 22, 2026 Jun 30, 2026
9.4 CRITICAL
CVE-2026-56422 — MISP Core: Mass Assignment and Object Re-ownership via Unvalidated Request Fields

Multiple MISP core controllers and model capture paths accepted client-controlled request fields such as primary keys (id) and ownership/scope foreign keys (event_id, org_id, user_id, sharing_group_i…

misp misp | Remote | Authorization
Jun 22, 2026 Jun 22, 2026
Showing 20 of 7972 Results