Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score | Vulnerability | Published
5.9 MEDIUM
CVE-2024-27928 — Vantage6: 2FA can be circumvented with hacked email access

vantage6 is an open-source infrastructure for privacy preserving analysis. Prior to version 5.0.0, if an attacker hacks into a vantage6 user's email account, they can 1) reset the password via email …

vantage6 | Remote | Authentication
Jun 17, 2026 Jun 23, 2026
2.1 LOW
CVE-2024-24769 — Vantage6: No limit on emails sent for password/MFA reset

vantage6 is an open-source infrastructure for privacy preserving analysis. Prior to version 5.0.0, users can reset their MFA token via API routes that send them an email. Currently the number of emai…

vantage6 | Remote | Denial of Service
Jun 17, 2026 Jun 23, 2026
7.5 HIGH
CVE-2026-8050 — CVE-2026-8050

In SignalRGB versions prior to 1.3.7.0, seven of the thirteen IOCTL handlers dereference the SystemBuffer pointer without first verifying that it is non-NULL. Sending an IOCTL with an empty input buf…

Remote | Memory Corruption
Jun 17, 2026 Jun 22, 2026
5.3 MEDIUM
CVE-2026-8049 — CVE-2026-8049

In SignalRGB versions prior to 1.3.7.0, the \\.\SignalIo device object is created without an explicit SDDL security descriptor and without FILE_DEVICE_SECURE_OPEN. This results in overly permissive d…

Misconfiguration
Jun 17, 2026 Jun 22, 2026
6.1 MEDIUM
CVE-2026-54386 — marimo < 0.23.9 XSS via file Query Parameter in assets.py

marimo before 0.23.9 contains a reflected cross-site scripting vulnerability in the notebook page that allows unauthenticated attackers to inject arbitrary JavaScript by exploiting improper escaping …

marimo | Remote | Cross-Site Scripting
Jun 17, 2026 Jun 23, 2026
7.5 HIGH
CVE-2026-50200 — Steeltoe's env sanitizer misses connection strings — leaks embedded DB passwords

Steeltoe is an open source project that provides a collection of libraries that helps users build cloud-native applications. In Steeltoe.Management.Endpoint prior to version 4.2.0 and Steeltoe.Manage…

Remote | Information Disclosure
Jun 17, 2026 Jun 22, 2026
7.5 HIGH
CVE-2026-50196 — Steeltoe.Discovery.Eureka: Unrecognized DataCenterInfo.Name poisons entire registry fetch

Steeltoe is an open source project that provides a collection of libraries that helps users build cloud-native applications. In Steeltoe.Discovery.Eureka prior to versions 4.2.0 and 3.4.0, `DataCente…

Remote | Misconfiguration
Jun 17, 2026 Jun 22, 2026
8.2 HIGH
CVE-2026-50194 — Steeltoe vulnerable to management-port isolation bypass via spoofed Host header

Steeltoe is an open source project that provides a collection of libraries that helps users build cloud-native applications. When Steeltoe management endpoints versions 3.2.2 through 3.3.0 and 4.1.0 …

Remote | Authorization
Jun 17, 2026 Jun 22, 2026
7.1 HIGH
CVE-2026-48997 — e107: Command Injection via shell expansion in ImageMagick resize destination path

e107 is a content management system (CMS). Versions 2.3.5 and earlier contain a command injection vulnerability in the ImageMagick resize destination path. In resize_image(), the source path is esca…

e107 | Remote | Injection
Jun 17, 2026 Jun 23, 2026
5.5 MEDIUM
CVE-2026-48991 — XianYuLauncher: Legacy Microsoft account OAuth sign-in flow lacks PKCE and state validati…

XianYuLauncher is a Minecraft Java Edition launcher. In versions prior to 1.5.5, sensitive authentication artifacts could be exposed during a user-initiated login under certain local attack condition…

Authentication
Jun 17, 2026 Jun 22, 2026
5.3 MEDIUM
CVE-2026-48990 — joserfc: b64=false RFC7797 JWS payloads bypass JWSRegistry payload-size limits during des…

joserfc is a Python library that provides an implementation of several JSON Object Signing and Encryption (JOSE) standards. In versions 1.3.4 through 1.6.5, joserfc accepts oversized RFC7797 b64=fals…

joserfc | Remote | Denial of Service
Jun 17, 2026 Jun 23, 2026
8.9 HIGH
CVE-2026-48989 — Windows-MCP: HTTP transports expose unauthenticated PowerShell control with wildcard CORS

Windows-MCP is an open-source project that integrates AI agents with Windows. In versions prior to 0.7.5, certain HTTP modes exposed the MCP control plane without authentication while enabling wildca…

Remote | Authentication
Jun 17, 2026 Jun 23, 2026
6.3 MEDIUM
CVE-2026-48820 — CakePHP: View::element() is missing a path containment check

CakePHP is a rapid development framework for PHP. In versions 4.5.11 and earlier, 4.6.0 through 4.6.3, 5.0.0 through 5.1.6, 5.2.0 through 5.2.12, and 5.3.0 through 5.3.5, View::_getElementFileName() …

cakephp | Remote | Path Traversal
Jun 17, 2026 Jun 23, 2026
8.4 HIGH
CVE-2026-12530 — Improper neutralization of argument delimiters in AWS Bedrock AgentCore Python SDK instal…

Improper neutralization of argument delimiters in the install_packages() method in AWS Bedrock AgentCore Python SDK versions >= 1.1.3 and < 1.6.1 might allow a remote authenticated user to execute ar…

bedrock-agentcore | Remote | Injection
Jun 17, 2026 Jun 22, 2026
7.1 HIGH
CVE-2026-49133 — Typemill < 2.24.0 Path Traversal via ControllerApiImage::getPagemedia()

Typemill before 2.24.0 contains a path traversal vulnerability that allows authenticated attackers with Author-level privileges to read arbitrary files outside the content directory by supplying trav…

typemill | Remote | Path Traversal
Jun 17, 2026 Jun 23, 2026
5.3 MEDIUM
CVE-2026-48988 — markdown-it: Quadratic complexity DoS in smartquotes rule via replaceAt string operations

markdown-it is a Markdown parser. Versions 14.1.1 and below contain a denial-of-service vulnerability when typographer: true is enabled, due to quadratic (O(n^2)) processing in the smartquotes rule. …

markdown-it | Remote | Denial of Service
Jun 17, 2026 Jun 24, 2026
7.5 HIGH
CVE-2026-48979 — PHP Standard Library: HTTP/2 server-side missing content-length validation enables reques…

PHP Standard Library (PSL) is a set of APIs covering async, collections, networking, I/O, cryptography, terminal UI, etc. In versions 6.1.0, 6.1.1 and 6.2.0, the Psl\H2\ServerConnection does not valida…

Remote | Misconfiguration
Jun 17, 2026 Jun 23, 2026
5.8 MEDIUM
CVE-2026-48821 — Shaarli: DOM-based Cross-Site Scripting (XSS) in Thumbnail Synchronizer

Shaarli is a personal bookmarking service. Versions 0.16.1 and prior contain a DOM-based Cross-Site Scripting (XSS) vulnerability in the Thumbnail Synchronizer feature. When an administrator runs the…

shaarli | Cross-Site Scripting
Jun 17, 2026 Jun 23, 2026
9.3 CRITICAL
CVE-2026-55202 — Tinyproxy - Stathost Detection Bypass via Host Header Manipulation

Tinyproxy through 1.11.3, fixed in commit 09312a1, fails to properly validate the Host header during stathost detection, allowing unauthenticated attackers to access the stats page by injecting a mat…

tinyproxy | Remote | Misconfiguration
Jun 17, 2026 Jun 23, 2026
7.4 HIGH
CVE-2026-55201 — Evil-WinRM - Path Traversal in download_dir() Function

Evil-WinRM through 3.9, fixed in commit 6ecd570, contains a path traversal vulnerability in the download_dir() function that allows a rogue or compromised remote Windows server to write files outside…

Remote | Path Traversal
Jun 17, 2026 Jun 23, 2026
Showing 20 of 7990 Results