Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
7.8 HIGH
CVE-2025-60464 — GPAC MP4Box Use-After-Free

A use-after-free in the gf_sei_load_from_state_internal function (/filters/sei_load.c) of GPAC Project/MP4Box before 26.02.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafte…

gpac | Memory Corruption
Jun 25, 2026 Jun 30, 2026
Jun 25, 2026
Jun 30, 2026
10.0 CRITICAL
CVE-2026-57700 — WordPress OMGF Pro plugin <= 5.2.6 - Arbitrary File Upload vulnerability

Unrestricted Upload of File with Dangerous Type vulnerability in Daan.Dev OMGF Pro allows Using Malicious Files. This issue affects OMGF Pro: from n/a through 5.2.6.

Remote | Misconfiguration
Jun 25, 2026 Jun 29, 2026
Jun 25, 2026
Jun 29, 2026
7.3 HIGH
CVE-2026-56790 — CANBoat - Off-by-One Global Buffer Overflow in searchForPgn()

CANBoat through 6.22, fixed in commit a5a22b7, contains an off-by-one global buffer overflow in the searchForPgn() function in analyzer/pgn.c that allows remote attackers to crash the application. At…

| Memory Corruption
Jun 25, 2026 Jun 26, 2026
Jun 25, 2026
Jun 26, 2026
7.1 HIGH
CVE-2026-56789 — RTKLIB 2.4.3 - Heap Buffer Overflow and Stack Read via Oversized RINEX Epoch Satellite Co…

RTKLIB through 2.4.3 contains a heap buffer overflow vulnerability in the readrnxobsb function in src/rinex.c that allows attackers to trigger memory corruption by failing to clamp satellite count va…

rtklib | Remote | Memory Corruption
Jun 25, 2026 Jun 26, 2026
Jun 25, 2026
Jun 26, 2026
7.1 HIGH
CVE-2026-56788 — RTKLIB 2.4.3 - Out-of-bounds Read via Negative Array Index in getcodepri

RTKLIB through 2.4.3 contains an out-of-bounds read vulnerability in getcodepri function when processing unrecognized RINEX observation codes, allowing attackers to trigger denial of service. Crafted…

rtklib | Denial of Service
Jun 25, 2026 Jun 27, 2026
Jun 25, 2026
Jun 27, 2026
7.5 HIGH
CVE-2026-56787 — RTKLIB 2.4.3 - Off-by-One Out-of-Bounds Read in decode_ssr3 via RTCM3 SSR Message

RTKLIB through 2.4.3 contains an off-by-one out-of-bounds read vulnerability in the decode_ssr3 function at src/rtcm3.c:1446 that allows remote attackers to trigger a global buffer overflow via craft…

rtklib | Remote | Memory Corruption
Jun 25, 2026 Jun 26, 2026
Jun 25, 2026
Jun 26, 2026
9.8 CRITICAL
CVE-2026-56786 — RTKLIB 2.4.3 - Out-of-bounds Write in decode_type1033 via Crafted RTCM3 Message

RTKLIB through 2.4.3 contains an out-of-bounds write vulnerability in decode_type1033 function that fails to clamp length counters to destination buffer size, allowing up to 191-byte overflow into fi…

rtklib | Remote | Memory Corruption
Jun 25, 2026 Jun 26, 2026
Jun 25, 2026
Jun 26, 2026
6.4 MEDIUM
CVE-2026-56779 — MaxKB < 2.10.0 - Server-Side Request Forgery via downloadCallbackUrl and download_url Par…

MaxKB before 2.10.0 contains a server-side request forgery vulnerability in tool creation and update endpoints that allows authenticated users to make arbitrary server requests by supplying unvalidat…

maxkb | Remote | Server-Side Request Forgery
Jun 25, 2026 Jun 30, 2026
Jun 25, 2026
Jun 30, 2026
5.4 MEDIUM
CVE-2026-56774 — Kanboard - Cross-User Deletion of Persistent Login Sessions via Unvalidated Session ID

Kanboard through 1.2.52, fixed in commit 928c68a, UserViewController::removeSession fails to validate the session id parameter before passing it to RememberMeSessionModel::remove, allowing authentica…

kanboard | Remote | Authentication
Jun 25, 2026 Jun 25, 2026
Jun 25, 2026
Jun 25, 2026
5.3 MEDIUM
CVE-2026-56772 — NewsBlur < 14.5.0 - Insecure Direct Object Reference in Social Interactions Endpoint

NewsBlur before 14.5.0 contains a broken access control vulnerability that allows authenticated users to read private notification feeds by supplying arbitrary user_id values to the GET /social/inter…

Remote | Authorization
Jun 25, 2026 Jun 25, 2026
Jun 25, 2026
Jun 25, 2026
8.5 HIGH
CVE-2026-56771 — NewsBlur < 14.5.0 - Server-Side Request Forgery via add_url Endpoint

NewsBlur before version 14.5.0 contains a server-side request forgery vulnerability in the add_url endpoint that allows authenticated users to make arbitrary server requests to internal networks by f…

Remote | Server-Side Request Forgery
Jun 25, 2026 Jun 26, 2026
Jun 25, 2026
Jun 26, 2026
8.7 HIGH
CVE-2026-56770 — libais 0.15 - Out-of-bounds Vector Access in VdmStream::AddLine via Invalid Sequential Me…

libais through 0.15 VdmStream::AddLine uses an unchecked sentinel value as a vector index when processing AIS sentences with empty or out-of-range sequential message IDs. Remote attackers can crash s…

Remote | Memory Corruption
Jun 25, 2026 Jun 25, 2026
Jun 25, 2026
Jun 25, 2026
8.5 HIGH
CVE-2026-56769 — Huly Platform - Server-Side Request Forgery via /import Endpoint

Huly Platform through 0.7.423, fixed in commit 68cbf8a contains an authenticated server-side request forgery vulnerability in the /import endpoint of front pod that allows workspace users to make arb…

Remote | Server-Side Request Forgery
Jun 25, 2026 Jun 25, 2026
Jun 25, 2026
Jun 25, 2026
8.8 HIGH
CVE-2026-56768 — Seahub < 13.0.23 - Authentication Bypass in ShareLinkZipTaskView GET Method

Seahub before 13.0.23 does not enforce SHARE_LINK_LOGIN_REQUIRED on GET /api/v2.1/share-link-zip-task/, allowing unauthenticated users to bypass authentication. Attackers with a folder share-link tok…

Remote | Authentication
Jun 25, 2026 Jun 30, 2026
Jun 25, 2026
Jun 30, 2026
8.8 HIGH
CVE-2026-56767 — Maxun < 0.0.42 - Cross-Tenant IDOR in Storage and Webhook API Handlers

Maxun before 0.0.42 contains a cross-tenant insecure direct object reference vulnerability in storage and webhook API handlers that allows authenticated users to access other users' robots and OAuth …

maxun | Remote | Authorization
Jun 25, 2026 Jun 25, 2026
Jun 25, 2026
Jun 25, 2026
8.8 HIGH
CVE-2026-56766 — Hydra - Stack Buffer Overflow in NTLM Authentication Handler

Hydra through 9.7, fixed in commit 9cc84c2, contains a stack buffer overflow in NTLM authentication across SMTP, POP3, IMAP, NNTP, HTTP, HTTP-Proxy, and HTTP-Proxy-Urlenum modules when processing mal…

Remote | Memory Corruption
Jun 25, 2026 Jun 25, 2026
Jun 25, 2026
Jun 25, 2026
8.2 HIGH
CVE-2026-55667 — File Browser: Out-of-scope file deletion by a Create-only scoped user via symlink-followi…

File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.16, a scoped, non-admin File Browser user holdin…

filebrowser | Remote | Path Traversal
Jun 25, 2026 Jun 26, 2026
Jun 25, 2026
Jun 26, 2026
10.0 CRITICAL
CVE-2026-54917 — SeaweedFS: Path traversal in the S3 and Iceberg REST gateways allows cross-bucket access

SeaweedFS is a distributed storage system for object storage (S3), file systems, and Iceberg tables. Prior to 4.30, the S3 API gateway and the Iceberg REST catalog gateway construct their routers wit…

seaweedfs | Remote | Path Traversal
Jun 25, 2026 Jun 29, 2026
Jun 25, 2026
Jun 29, 2026
5.8 MEDIUM
CVE-2026-54250 — K3s: ZIP Archive Path Traversal Vulnerability in etcd Snapshot Decompression

K3s is a fully conformant production-ready Kubernetes distribution. Prior to 1.35.3+k3s1, 1.34.6+k3s1, v1.33.10+k3s1, a path traversal vulnerability exists in K3s's etcd snapshot decompression functi…

k3s | Path Traversal
Jun 25, 2026 Jun 26, 2026
Jun 25, 2026
Jun 26, 2026
7.2 HIGH
CVE-2026-54097 — File Browser: Cross-user unauthorized share-link deletion via unbounded prefix match in D…

File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.6, a low-privileged authenticated user of filebr…

filebrowser | Remote | Authorization
Jun 25, 2026 Jun 26, 2026
Jun 25, 2026
Jun 26, 2026
Showing 20 of 7988 Results