Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
9.8 CRITICAL
CVE-2026-31928 — Daktronics Controller Firmware Use of Hard-coded Credentials

The DMP-5000 devices are shipped with a default administrative web account with weak authentication controls, which are not required to be changed during initial configuration or operation. Using the…

Jun 26, 2026 Jul 06, 2026
Jun 26, 2026
Jul 06, 2026
9.8 CRITICAL
CVE-2026-28701 — Daktronics Controller Firmware Path Traversal

Various versions of Daktronics Controller Firmware could allow authenticated and unauthenticated remote users to escape the intended directory and enumerate arbitrary file system paths.

Jun 26, 2026 Jul 06, 2026
Jun 26, 2026
Jul 06, 2026
8.7 HIGH
CVE-2026-55069 — Kestra BasicAuth Password Stored as SHA-512 Enables Offline Brute-Force Attack

Kestra is an open-source, event-driven orchestration platform. Prior to 1.3.24, this vulnerability exists in the BasicAuth authentication component of the Kestra OSS workflow orchestration platform. …

kestra | Remote | Authentication
Jun 26, 2026 Jul 01, 2026
Jun 26, 2026
Jul 01, 2026
6.5 MEDIUM
CVE-2026-53577 — Kestra: Cross-Execution File Read via Preview Endpoint (IDOR)

Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.45 and 1.3.21, the previewFileFromExecution endpoint (GET /api/v1/{tenant}/executions/{executionId}/file/preview) contains …

kestra | Remote | Authorization
Jun 26, 2026 Jul 01, 2026
Jun 26, 2026
Jul 01, 2026
10.0 CRITICAL
CVE-2026-53576 — Kestra: Unauthenticated RCE via /configs path-suffix auth-filter bypass

Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.45 and 1.3.21, the authentication filter for the REST API (@Filter("/api/v1/**")) treats any request whose path ends in /co…

kestra | Remote | Authentication
Jun 26, 2026 Jul 01, 2026
Jun 26, 2026
Jul 01, 2026
5.4 MEDIUM
CVE-2026-50767 — Koha Cross-Site Scripting

A stored cross-site scripting (XSS) vulnerability in the item type administration page of Koha Library Management System 0 through 25.11 versions allow an authenticated remote attacker with administr…

koha | Remote | Cross-Site Scripting
Jun 26, 2026 Jul 05, 2026
Jun 26, 2026
Jul 05, 2026
5.4 MEDIUM
CVE-2026-50766 — Koha Stored Cross-Site Scripting

A stored cross-site scripting (XSS) vulnerability in the OPAC item detail page of Koha Library Management System 0 through 25.11 versions allow an authenticated remote attacker with edit_items permis…

koha | Remote | Cross-Site Scripting
Jun 26, 2026 Jul 05, 2026
Jun 26, 2026
Jul 05, 2026
6.1 MEDIUM
CVE-2026-50765 — Koha Cross-Site Scripting

A stored cross-site scripting (XSS) vulnerability in the patron restriction type administration page of Koha Library Management System 0 through 25.11 versions allow an authenticated remote attacker …

koha | Remote | Cross-Site Scripting
Jun 26, 2026 Jul 05, 2026
Jun 26, 2026
Jul 05, 2026
7.7 HIGH
CVE-2026-49984 — Kestra: Path traversal in `LocalStorage` allows any authenticated user to read arbitrary …

Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.45 and 1.3.23, the local internal-storage backend validates user-supplied paths for .. traversal before it converts Windows…

kestra | Remote | Path Traversal
Jun 26, 2026 Jul 01, 2026
Jun 26, 2026
Jul 01, 2026
10.0 CRITICAL
CVE-2026-49869 — Kestra: Unauthenticated Remote Code Execution via Authentication Bypass in `Authenticatio…

Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.45 and 1.3.21, AuthenticationFilter in Kestra OSS uses request.getPath().endsWith("/configs") to whitelist the public confi…

kestra | Remote | Authentication
Jun 26, 2026 Jul 01, 2026
Jun 26, 2026
Jul 01, 2026
7.7 HIGH
CVE-2026-45807 — Kestra: Path traversal via URL-encoded "%2E%2E" in execution and namespace file endpoints…

Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.43 and 1.3.19, several Kestra API endpoints accept a kestra:// URI from the client and pass it through StorageInterface.par…

kestra | Remote | Path Traversal
Jun 26, 2026 Jul 01, 2026
Jun 26, 2026
Jul 01, 2026
4.6 MEDIUM
CVE-2026-38571 — Tenda N300 F3 UART Cleartext Credential Storage and Memory Corruption

Cleartext storage and exposure of WPA2 credentials, and missing authentication on the rr/wr memory read/write commands, in the unauthenticated UART debug console of the Tenda N300 F3 (V603) allow a p…

| Authentication
Jun 26, 2026 Jun 29, 2026
Jun 26, 2026
Jun 29, 2026
5.5 MEDIUM
CVE-2026-36908 — Axiomatic Systems Bento4 Stack Overflow Denial of Service

A stack overflow in the AP4_Array<AP4_TrunAtom::Entry>::EnsureCapacity component of axiomatic-systems Bento4 before v1.8.9allows attackers to cause a Denial of Service (DoS) via a crafted MP4 file.

| Memory Corruption
Jun 26, 2026 Jun 29, 2026
Jun 26, 2026
Jun 29, 2026
5.5 MEDIUM
CVE-2026-36907 — Bento4 Stack Overflow Denial of Service

A stack overflow in the AP4_StsdAtom::AP4_StsdAtom component of axiomatic-systems Bento4 before v1.8.9allows attackers to cause a Denial of Service (DoS) via a crafted MP4 file.

| Memory Corruption
Jun 26, 2026 Jun 29, 2026
Jun 26, 2026
Jun 29, 2026
7.5 HIGH
CVE-2026-36478 — Technitium DNS Server Denial of Service

An issue in Technitium DNS Server v.14.3 and before allows a remote attacker to cause a denial of service via the DnsServerApp.exe, DnsServerApp.dll, TechnitiumLibrary.Net/Dns/DnsClient.cs components

Remote | Denial of Service
Jun 26, 2026 Jul 05, 2026
Jun 26, 2026
Jul 05, 2026
8.5 HIGH
CVE-2026-54353 — Budibase: Potential SSRF DNS rebinding bypass in outbound fetch validation

Budibase is an open-source low-code platform. Prior to 3.39.9, authenticated users with automation permissions can bypass Budibase's SSRF blacklist through DNS rebinding. The outbound fetch flow vali…

budibase | Remote | Server-Side Request Forgery
Jun 26, 2026 Jun 30, 2026
Jun 26, 2026
Jun 30, 2026
9.6 CRITICAL
CVE-2026-54352 — Budibase: Arbitrary file read by workspace-builder via PWA-zip symlink upload

Budibase is an open-source low-code platform. Prior to 3.39.9, `POST /api/pwa/process-zip` at packages/server/src/api/routes/static.ts:24 accepts a builder-uploaded .zip, extracts it with extract-zip…

budibase | Remote | Path Traversal
Jun 26, 2026 Jun 30, 2026
Jun 26, 2026
Jun 30, 2026
9.6 CRITICAL
CVE-2026-54351 — Budibase: Mass Assignment in Webhook Trigger Allows Cross-Workspace Automation Execution …

Budibase is an open-source low-code platform. Prior to 3.39.9, the webhook trigger endpoint in Budibase is publicly accessible and passes the full HTTP request body into automation execution paramete…

budibase | Remote | Authentication
Jun 26, 2026 Jun 30, 2026
Jun 26, 2026
Jun 30, 2026
10.0 CRITICAL
CVE-2026-54350 — Budibase: Anonymous NoSQL operator injection via published-app query templates

Budibase is an open-source low-code platform. Prior to 3.39.12, an unauthenticated visitor of any published Budibase app reads every document of the backing MongoDB, CouchDB, Elasticsearch, DynamoDB…

budibase | Remote | Injection
Jun 26, 2026 Jun 30, 2026
Jun 26, 2026
Jun 30, 2026
7.5 HIGH
CVE-2026-52885 — Notepad++ TOCTOU: HMAC Checks Disk, Executes from Memory

Notepad++ is a free and open-source source code editor. Prior to 8.9.6.4, NppCommands.cpp checks the HMAC of the on-disk shortcuts.xml at the moment a user command fires (Time-of-Check). However, the…

notepad\+\+ | Misconfiguration
Jun 26, 2026 Jun 29, 2026
Jun 26, 2026
Jun 29, 2026
Showing 20 of 7451 Results