Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score | Vulnerability | Published
7.5 HIGH
CVE-2026-53284 — btrfs: only release the dirty pages io tree after successful writes

In the Linux kernel, the following vulnerability has been resolved: btrfs: only release the dirty pages io tree after successful writes [WARNING] With extra warning on dirty extent buffers at umoun…

linux_kernel | Remote | Denial of Service
Jun 26, 2026 Jun 30, 2026
0.0 NA
CVE-2026-53283 — iommu/amd: Bounds-check devid in __rlookup_amd_iommu()

In the Linux kernel, the following vulnerability has been resolved: iommu/amd: Bounds-check devid in __rlookup_amd_iommu() iommu_device_register() walks every device on the PCI bus via bus_for_each…

linux_kernel | Memory Corruption
Jun 26, 2026 Jun 30, 2026
0.0 NA
CVE-2026-53282 — x86/kexec: Push kjump return address even for non-kjump kexec

In the Linux kernel, the following vulnerability has been resolved: x86/kexec: Push kjump return address even for non-kjump kexec The version of purgatory code shipped by kexec-tools attempts to lo…

linux_kernel | Memory Corruption
Jun 26, 2026 Jun 30, 2026
8.8 HIGH
CVE-2026-53281 — iommu/vt-d: Avoid NULL pointer dereference or refcount corruption

In the Linux kernel, the following vulnerability has been resolved: iommu/vt-d: Avoid NULL pointer dereference or refcount corruption Commit 60f030f7418d ("iommu/vt-d: Avoid use of NULL after WARN_…

linux_kernel | Memory Corruption
Jun 26, 2026 Jun 30, 2026
0.0 NA
CVE-2026-53280 — iommu: Fix NULL group->domain dereference in pci_dev_reset_iommu_done()

In the Linux kernel, the following vulnerability has been resolved: iommu: Fix NULL group->domain dereference in pci_dev_reset_iommu_done() Local sashiko review pointed it out that group->domain co…

linux_kernel | Memory Corruption
Jun 26, 2026 Jun 30, 2026
0.0 NA
CVE-2026-53279 — drm/gma500/oaktrail_lvds: fix hang on init failure

In the Linux kernel, the following vulnerability has been resolved: drm/gma500/oaktrail_lvds: fix hang on init failure The LVDS init code looks up an I2C adapter using i2c_get_adapter() and tries t…

linux_kernel | Misconfiguration
Jun 26, 2026 Jun 30, 2026
0.0 NA
CVE-2026-53278 — arm_mpam: Check whether the config array is allocated before destroying it

In the Linux kernel, the following vulnerability has been resolved: arm_mpam: Check whether the config array is allocated before destroying it __destroy_component_cfg() is called to free the config…

linux_kernel | Misconfiguration
Jun 26, 2026 Jun 30, 2026
9.9 CRITICAL
CVE-2026-52785 — OpenProject: SQL injection in timestamps functionality

OpenProject is open-source, web-based project management software. Prior to 17.3.3 and 17.4.1, there is a SQL injection in timestamps functionality. OpenProject baseline comparison allows callers to …

openproject | Remote | Injection
Jun 26, 2026 Jun 29, 2026
8.8 HIGH
CVE-2026-52784 — OpenProject: CSRF on TARGET through /users/:id via POST parameter "user[admin]"

OpenProject is open-source, web-based project management software. Prior to 17.3.3 and 17.4.1, there is a CSRF on TARGET through /users/:id via POST parameter "user[admin]". This vulnerability is fix…

openproject | Remote | Cross-Site Request Forgery
Jun 26, 2026 Jun 26, 2026
8.2 HIGH
CVE-2026-52783 — OpenProject: Information Disclosure (cleartext storage of data) on localhost through memc…

OpenProject is open-source, web-based project management software. Prior to 17.3.3 and 17.4.1, OpenProject's Storages module writes the OneDrive/SharePoint userless OAuth access_token plaintext to Ra…

openproject | Remote | Information Disclosure
Jun 26, 2026 Jun 29, 2026
9.9 CRITICAL
CVE-2026-52782 — OpenProject: IDOR through /projects/<A>/settings/project_storages/<A_ps_id> via PATCH par…

OpenProject is open-source, web-based project management software. Prior to 17.3.3 and 17.4.1, there is an IDOR through /projects/<A>/settings/project_storages/<A_ps_id> via PATCH parameter "storages…

openproject | Remote | Authorization
Jun 26, 2026 Jun 29, 2026
6.4 MEDIUM
CVE-2026-52781 — OpenProject: Stored XSS on openproject.example.com through /api/v3/projects/{project}/wor…

OpenProject is open-source, web-based project management software. Prior to 17.3.3 and 17.4.1, the HTML sanitizer grants <macro> elements unrestricted data-* attributes via :data wildcard. An attacke…

openproject | Remote | Cross-Site Scripting
Jun 26, 2026 Jun 29, 2026
9.6 CRITICAL
CVE-2026-52780 — OpenProject: Cache store poisoning leads to Remote Code Execution (RCE)

OpenProject is open-source, web-based project management software. Prior to 17.3.3 and 17.4.1, cache store poisoning leads to Remote Code Execution (RCE). This vulnerability is fixed in 17.3.3 and 17…

openproject | Misconfiguration
Jun 26, 2026 Jun 27, 2026
5.4 MEDIUM
CVE-2026-52779 — OpenProject: Cross-project authorization bypass allows deleting public Calendar and Team …

OpenProject is open-source, web-based project management software. Prior to 17.3.3 and 17.4.1, a cross-project IDOR / authorization context confusion in the Calendar and Team Planner modules allows a…

openproject | Remote | Authorization
Jun 26, 2026 Jun 29, 2026
8.6 HIGH
CVE-2026-49991 — RustFS Snowball Auto-Extract: Path Traversal allows cross-bucket object injection

RustFS is a distributed object storage system built in Rust. In 1.0.0-beta.4, authenticated users with only PutObject permission on their own bucket can exploit a path traversal vulnerability in the …

rustfs | Remote | Path Traversal
Jun 26, 2026 Jun 29, 2026
4.3 MEDIUM
CVE-2026-49355 — OpenProject: Private work package data disclosure through single meeting agenda item API

OpenProject is open-source, web-based project management software. Prior to 17.4.0, `GET /api/v3/meetings/:meeting_id/agenda_items/:agenda_item_id` discloses private work package data from a linked w…

openproject | Remote | Information Disclosure
Jun 26, 2026 Jun 29, 2026
7.5 HIGH
CVE-2026-47193 — OpenProject: Journal diff endpoint bypasses object, journal, and field visibility checks

OpenProject is open-source, web-based project management software. Prior to 17.3.3 and 17.4.1, the journal diff endpoint discloses hidden historical field values without enforcing object and field vi…

openproject | Remote | Information Disclosure
Jun 26, 2026 Jun 26, 2026
9.9 CRITICAL
CVE-2026-46386 — OpenProject: Pre-authentication RCE in openproject/openproject Docker image via default `…

OpenProject is open-source, web-based project management software. Prior to , the official openproject/openproject Docker image ships ENV SECRET_KEY_BASE=OVERWRITE_ME as the default Rails master key.…

openproject | Remote | Cryptography
Jun 26, 2026 Jun 29, 2026
6.5 MEDIUM
CVE-2026-44736 — OpenProject: Relations API Filter Bypasses Visibility Scope, Leaking Cross-Project Work P…

OpenProject is open-source, web-based project management software. Prior to 17.4.0, the GET /api/v3/relations endpoint allows any authenticated user to retrieve relations — and the subject (title) of…

openproject | Remote | Authorization
Jun 26, 2026 Jun 27, 2026
6.5 MEDIUM
CVE-2026-44735 — OpenProject: Shares API Information Disclosure

OpenProject is open-source, web-based project management software. Prior to 17.3.2 and 17.4.0, the GET /api/v3/shares endpoint returns share details for ALL work packages in a project to any user wit…

openproject | Remote | Authorization
Jun 26, 2026 Jun 29, 2026
Showing 20 of 7990 Results