Latest CVE Feed

Vulnerabilities published in the last 30 days.

Score | Vulnerability | Published
5.2 MEDIUM
CVE-2026-49859 — Deno: `fetch()` API sandbox bypass via missing DNS resolution check

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.8.1, when fetch() was called, Deno checked the destination hostname against --deny-net rules but did not re-check the IP addresse…

deno | Misconfiguration
Jun 23, 2026 Jun 29, 2026
7.4 HIGH
CVE-2026-49440 — Deno: Miller-Rabin Primality Test Allows Zero Rounds

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.8.1, node:crypto.checkPrime(candidate[, options][, callback]) and crypto.checkPrimeSync(candidate[, options]) ran no Miller-Rabin…

deno | Remote | Cryptography
Jun 23, 2026 Jun 26, 2026
6.5 MEDIUM
CVE-2026-49411 — Deno Node TCPWrap numeric hostname aliases bypass --deny-net resolved-IP deny checks

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.8.0, the Node.js compatibility TCP path checked the permission against the original hostname string before resolution and then di…

deno | Authorization
Jun 23, 2026 Jun 26, 2026
5.5 MEDIUM
CVE-2026-49406 — Deno: BYONM module resolution allows `package.json` main path traversal to bypass `--allo…

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.7.12, when Deno was run in BYONM mode (nodeModulesDir: "manual"), the module resolver did not validate that a package's resolved …

deno | Path Traversal
Jun 23, 2026 Jun 26, 2026
8.1 HIGH
CVE-2026-49402 — Deno: Command Injection via spawnSync & spawn on Windows

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.7.10, Deno's node:child_process implementation provided an escapeShellArg() helper used when callers passed shell: true to spawn …

deno windows | Remote | Injection
Jun 23, 2026 Jun 26, 2026
8.4 HIGH
CVE-2026-49401 — Deno Permission Bypass via Unicode Normalization Mismatch on macOS (APFS)

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.7.14, Deno's permission system enforces filesystem and execution restrictions by comparing the requested path against the path su…

macos deno | Misconfiguration
Jun 23, 2026 Jun 26, 2026
5.4 MEDIUM
CVE-2026-45692 — Caddy: Remote Admin Authorization Bypass in `/config` API via Array Index Normalization

Caddy is an extensible server platform that uses TLS by default. From 2.4.0 until 2.11.3, the authorization layer and the /config traversal layer do not agree on what object the path refers to. In th…

caddy | Remote | Authorization
Jun 23, 2026 Jun 26, 2026
8.1 HIGH
CVE-2026-45135 — Caddy: Unsafe Unicode Handling in FastCGI splitPos Allows Execution of Non-PHP Files

Caddy is an extensible server platform that uses TLS by default. From 2.7.0 until 2.11.3, the FastCGI transport's splitPos() in modules/caddyhttp/reverseproxy/fastcgi/fastcgi.go misuses golang.org/x/…

caddy | Remote | Misconfiguration
Jun 23, 2026 Jun 26, 2026
9.1 CRITICAL
CVE-2026-44726 — Deno: TLS retry copies stale upgrade hook, risking plaintext traffic

Deno is a JavaScript, TypeScript, and WebAssembly runtime. From 2.0.0 until 2.7.8, a flaw in Deno's Node.js tls compatibility layer could cause a TLS client to transmit application data in plaintext …

deno | Remote | Cryptography
Jun 23, 2026 Jun 26, 2026
4.1 MEDIUM
CVE-2026-0864 — Configuration Injection via Carriage Return (\r) in write() method

When using the "configparser" module to write configuration files containing multi-line text values with carriage return characters (\r) the resulting file could be injected with unexpected keys and …

python cpython cpython | Injection
Jun 23, 2026 Jun 25, 2026
7.1 HIGH
CVE-2025-71382 — MuPDF < 1.27.0-rc1 Stack Exhaustion DoS via EPUB CSS Rendering

MuPDF before 1.27.0-rc1 contains an uncontrolled recursion vulnerability in the EPUB CSS rendering engine that allows remote attackers to cause a denial of service by supplying a maliciously crafted …

mupdf | Remote | Denial of Service
Jun 23, 2026 Jun 26, 2026
7.5 HIGH
CVE-2025-61029 — OpenLink Virtuoso-Opensource Denial of Service

An issue in the sqlo_untry component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.

Remote | Denial of Service
Jun 23, 2026 Jun 23, 2026
7.5 HIGH
CVE-2025-61024 — OpenLink Virtuoso Denial of Service

An issue in the sqlo_try_in_loop component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.

Remote | Denial of Service
Jun 23, 2026 Jun 23, 2026
5.5 MEDIUM
CVE-2020-9713 — Acrobat Reader | Out-of-bounds Read (CWE-125)

Adobe Acrobat and Reader versions 2020.009.20074 and earlier, 2020.001.30002, 2017.011.30171 and earlier, and 2015.006.30523 and earlier are affected by an out-of-bounds read vulnerability that could…

Jun 23, 2026 Jun 26, 2026
5.5 MEDIUM
CVE-2020-9711 — Acrobat Reader | Out-of-bounds Read (CWE-125)

Acrobat Reader versions 2020.009.20074, 2020.001.30002, 2017.011.30171, 2015.006.30523 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memor…

Jun 23, 2026 Jun 26, 2026
7.8 HIGH
CVE-2020-9695 — Acrobat Reader | Out-of-bounds Write (CWE-787)

Acrobat Reader versions 2020.009.20074, 2020.001.30002, 2017.011.30171, 2015.006.30523 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution i…

Jun 23, 2026 Jun 26, 2026
5.3 MEDIUM
CVE-2026-56968 — GNU SASL NTLM Client Memory Disclosure

GNU SASL before 2.2.4 lacks sanitization of a short challenge in _gsasl_ntlm_client_step in the NTLM client, which could result in memory disclosure via a crafted server.

debian_linux gnu_sasl sasl | Remote | Memory Corruption
Jun 23, 2026 Jun 29, 2026
5.7 MEDIUM
CVE-2026-56117 — dhcpcd Heap Use-After-Free via Control Socket Handling

dhcpcd through 10.3.2, fixed in commit 78ea09e, contains a heap use-after-free vulnerability in the control socket handling within src/control.c that allows local unprivileged attackers to trigger me…

dhcpcd | Memory Corruption
Jun 23, 2026 Jun 28, 2026
7.1 HIGH
CVE-2026-56116 — dhcpcd Memory Leak DoS via IPv6 Router Advertisement Handling

dhcpcd through 10.3.2, fixed in commit 708b4a5, contains a memory leak vulnerability in the IPv6 Router Advertisement route information handling that allows an unauthenticated same-link attacker to c…

dhcpcd | Denial of Service
Jun 23, 2026 Jul 01, 2026
8.8 HIGH
CVE-2026-56115 — Bootimus 0.1.70 Broken Access Control via JWTMiddleware Authorization Bypass

Bootimus through 0.1.70 contains a broken access control vulnerability that allows authenticated low-privileged users to perform administrative actions by exploiting missing role enforcement in the J…

dhcpcd bootimus | Remote | Memory Corruption
Jun 23, 2026 Jun 29, 2026
Showing 20 of 7972 Results