Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
5.4 MEDIUM
CVE-2026-56774 — Kanboard - Cross-User Deletion of Persistent Login Sessions via Unvalidated Session ID

Kanboard through 1.2.52, fixed in commit 928c68a, UserViewController::removeSession fails to validate the session id parameter before passing it to RememberMeSessionModel::remove, allowing authentica…

kanboard | Remote | Authentication
Jun 25, 2026 Jun 25, 2026
Jun 25, 2026
Jun 25, 2026
5.3 MEDIUM
CVE-2026-56772 — NewsBlur < 14.5.0 - Insecure Direct Object Reference in Social Interactions Endpoint

NewsBlur before 14.5.0 contains a broken access control vulnerability that allows authenticated users to read private notification feeds by supplying arbitrary user_id values to the GET /social/inter…

Remote | Authorization
Jun 25, 2026 Jun 25, 2026
Jun 25, 2026
Jun 25, 2026
8.5 HIGH
CVE-2026-56771 — NewsBlur < 14.5.0 - Server-Side Request Forgery via add_url Endpoint

NewsBlur before version 14.5.0 contains a server-side request forgery vulnerability in the add_url endpoint that allows authenticated users to make arbitrary server requests to internal networks by f…

Remote | Server-Side Request Forgery
Jun 25, 2026 Jun 26, 2026
Jun 25, 2026
Jun 26, 2026
8.7 HIGH
CVE-2026-56770 — libais 0.15 - Out-of-bounds Vector Access in VdmStream::AddLine via Invalid Sequential Me…

libais through 0.15 VdmStream::AddLine uses an unchecked sentinel value as a vector index when processing AIS sentences with empty or out-of-range sequential message IDs. Remote attackers can crash s…

Remote | Memory Corruption
Jun 25, 2026 Jun 25, 2026
Jun 25, 2026
Jun 25, 2026
8.5 HIGH
CVE-2026-56769 — Huly Platform - Server-Side Request Forgery via /import Endpoint

Huly Platform through 0.7.423, fixed in commit 68cbf8a contains an authenticated server-side request forgery vulnerability in the /import endpoint of front pod that allows workspace users to make arb…

Remote | Server-Side Request Forgery
Jun 25, 2026 Jun 25, 2026
Jun 25, 2026
Jun 25, 2026
8.8 HIGH
CVE-2026-56768 — Seahub < 13.0.23 - Authentication Bypass in ShareLinkZipTaskView GET Method

Seahub before 13.0.23 does not enforce SHARE_LINK_LOGIN_REQUIRED on GET /api/v2.1/share-link-zip-task/, allowing unauthenticated users to bypass authentication. Attackers with a folder share-link tok…

Remote | Authentication
Jun 25, 2026 Jun 30, 2026
Jun 25, 2026
Jun 30, 2026
8.8 HIGH
CVE-2026-56767 — Maxun < 0.0.42 - Cross-Tenant IDOR in Storage and Webhook API Handlers

Maxun before 0.0.42 contains a cross-tenant insecure direct object reference vulnerability in storage and webhook API handlers that allows authenticated users to access other users' robots and OAuth …

maxun | Remote | Authorization
Jun 25, 2026 Jun 25, 2026
Jun 25, 2026
Jun 25, 2026
8.8 HIGH
CVE-2026-56766 — Hydra - Stack Buffer Overflow in NTLM Authentication Handler

Hydra through 9.7, fixed in commit 9cc84c2, contains a stack buffer overflow in NTLM authentication across SMTP, POP3, IMAP, NNTP, HTTP, HTTP-Proxy, and HTTP-Proxy-Urlenum modules when processing mal…

Remote | Memory Corruption
Jun 25, 2026 Jun 25, 2026
Jun 25, 2026
Jun 25, 2026
8.2 HIGH
CVE-2026-55667 — File Browser: Out-of-scope file deletion by a Create-only scoped user via symlink-followi…

File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.16, a scoped, non-admin File Browser user holdin…

filebrowser | Remote | Path Traversal
Jun 25, 2026 Jun 26, 2026
Jun 25, 2026
Jun 26, 2026
10.0 CRITICAL
CVE-2026-54917 — SeaweedFS: Path traversal in the S3 and Iceberg REST gateways allows cross-bucket access

SeaweedFS is a distributed storage system for object storage (S3), file systems, and Iceberg tables. Prior to 4.30, the S3 API gateway and the Iceberg REST catalog gateway construct their routers wit…

seaweedfs | Remote | Path Traversal
Jun 25, 2026 Jun 29, 2026
Jun 25, 2026
Jun 29, 2026
5.8 MEDIUM
CVE-2026-54250 — K3s: ZIP Archive Path Traversal Vulnerability in etcd Snapshot Decompression

K3s is a fully conformant production-ready Kubernetes distribution. Prior to 1.35.3+k3s1, 1.34.6+k3s1, v1.33.10+k3s1, a path traversal vulnerability exists in K3s's etcd snapshot decompression functi…

k3s | Path Traversal
Jun 25, 2026 Jun 26, 2026
Jun 25, 2026
Jun 26, 2026
7.2 HIGH
CVE-2026-54097 — File Browser: Cross-user unauthorized share-link deletion via unbounded prefix match in D…

File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.6, a low-privileged authenticated user of filebr…

filebrowser | Remote | Authorization
Jun 25, 2026 Jun 26, 2026
Jun 25, 2026
Jun 26, 2026
8.4 HIGH
CVE-2026-54096 — File Browser: Improper Access Control Occurs via Pre-Created Public Share for a Non-exist…

File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.7, `POST /api/share/<path>` accepts an authentic…

filebrowser | Misconfiguration
Jun 25, 2026 Jun 25, 2026
Jun 25, 2026
Jun 25, 2026
7.5 HIGH
CVE-2026-54094 — File Browser: Symlink following lets scoped users read, overwrite, and share files outsid…

File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.14, it does not stop the HTTP file handlers from…

filebrowser | Remote | Path Traversal
Jun 25, 2026 Jun 25, 2026
Jun 25, 2026
Jun 25, 2026
6.8 MEDIUM
CVE-2026-54093 — File Browser: Path traversal in download-as-zip/tar via Windows-style backslash separator…

File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.6, filebrowser builds the download-as-zip / down…

filebrowser | Path Traversal
Jun 25, 2026 Jun 25, 2026
Jun 25, 2026
Jun 25, 2026
6.5 MEDIUM
CVE-2026-54092 — File Browser: DoS Vulnerability on Public Login API

File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.6, unchecked passwords maximums allow for an arb…

filebrowser | Remote | Denial of Service
Jun 25, 2026 Jun 26, 2026
Jun 25, 2026
Jun 26, 2026
7.5 HIGH
CVE-2026-54091 — File Browser: Incorrect access control in public directory shares via rule path rebasing

File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.6, File Browser's public share handlers rebase t…

filebrowser | Remote | Path Traversal
Jun 25, 2026 Jun 26, 2026
Jun 25, 2026
Jun 26, 2026
8.7 HIGH
CVE-2026-54090 — File Browser: Command Allowlist Bypass via Shell Metacharacter Injection

File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.33.8, when a shell interpreter is configured (e.g. …

filebrowser | Remote | Injection
Jun 25, 2026 Jun 26, 2026
Jun 25, 2026
Jun 26, 2026
9.1 CRITICAL
CVE-2026-54089 — File Browser: Authentication Bypass via Proxy Auth Header Forgery

File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Starting with 2.0.0-rc.1, when FileBrowser is configured with …

filebrowser | Remote | Authentication
Jun 25, 2026 Jun 25, 2026
Jun 25, 2026
Jun 25, 2026
9.3 CRITICAL
CVE-2026-54088 — File Browser: Command Injection via Authentication Hook Shell Substitution (Pre-Authentic…

File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.6, the Hook Authentication feature in File Brows…

filebrowser | Remote | Injection
Jun 25, 2026 Jun 25, 2026
Jun 25, 2026
Jun 25, 2026
Showing 20 of 7989 Results