Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
8.8 HIGH
CVE-2026-50741 — Nuxeo XML-RPC Bypass for CVE-2026-34916

Bypass to the fix for CVE-2026-34916. Variants of such vectors have been also reported by phucrio and offsetmd. The fix can be bypassed either by sending a disallowed but otherwise valid plugin ident…

revive_adserver adserver | Remote | Authentication
Jun 26, 2026 Jun 29, 2026
Jun 26, 2026
Jun 29, 2026
6.1 MEDIUM
CVE-2026-50740 — Revive Adserver Reflected Cross-Site Scripting

A missing sanitisation vulnerability of user input in the zone-include.php script exists in Revive Adserver 6.0.7 and earlier. A low‑privileged user could exploit the refresh parameter of the iFrame …

revive_adserver adserver | Remote | Cross-Site Scripting
Jun 26, 2026 Jun 29, 2026
Jun 26, 2026
Jun 29, 2026
4.3 MEDIUM
CVE-2026-50739 — Revive Adserver Tracker-Campaign Linking Authorization Bypass

A bypass for CVE‑2026‑34913 exists with proper ownership validation that had not been applied to the reverse operation of linking campaigns and trackers through the `tracker-campaigns.php` script in …

revive_adserver adserver | Remote | Authorization
Jun 26, 2026 Jun 29, 2026
Jun 26, 2026
Jun 29, 2026
3.3 LOW
CVE-2026-48936 — Node.js: Insufficient Permissions Check Leading to Unauthorized Socket Server Creation

A flaw in Node.js Permission API can cause a local server to be started (via a Unix domain socket), even without the `--allow-net` permission. This vulnerability affects one supported release line…

node.js | Misconfiguration
Jun 26, 2026 Jun 26, 2026
Jun 26, 2026
Jun 26, 2026
3.3 LOW
CVE-2026-48935 — Node.js Permission API File Metadata Modification Vulnerability

A flaw in Node.js Permission API can cause a file metadata to be modified even on a path that was set as read-only with e.g. `--allow-fs-read`. This vulnerability affects all supported release lin…

node.js | Misconfiguration
Jun 26, 2026 Jun 26, 2026
Jun 26, 2026
Jun 26, 2026
4.3 MEDIUM
CVE-2026-48934 — Node.js TLS Host Verification Bypass

A flaw in Node.js TLS host verification can cause an attacker to bypass certification validation. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node…

node.js | Remote | Misconfiguration
Jun 26, 2026 Jun 29, 2026
Jun 26, 2026
Jun 29, 2026
7.5 HIGH
CVE-2026-48933 — Node.js WebCrypto Denial of Service

A flaw in Node.js WebCrypto implementation can crash the process if the input of `subtle.encrypt()` is a multiple of 2GiB. This vulnerability affects all supported release lines: **Node.js 22**, *…

node.js | Remote | Denial of Service
Jun 26, 2026 Jun 30, 2026
Jun 26, 2026
Jun 30, 2026
9.8 CRITICAL
CVE-2026-48930 — Node.js TLS Hostname Handling Vulnerability

A flaw in Node.js TLS hostname handling can cause Embedded-nul hostnames can lead to silent authority rebinding due to c-string truncation in resolver bindings. This vulnerability affects all supp…

node.js | Remote | Misconfiguration
Jun 26, 2026 Jun 26, 2026
Jun 26, 2026
Jun 26, 2026
5.4 MEDIUM
CVE-2026-48928 — Node.js Hostname Mismatch Trust Policy Bypass

A inconsistency in Node.js hostname matching can cause a trust-policy bypass in multi-context mTLS setups. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, a…

node.js | Remote | Misconfiguration
Jun 26, 2026 Jun 26, 2026
Jun 26, 2026
Jun 26, 2026
7.5 HIGH
CVE-2026-48619 — Node.js HTTP/2 Out of Memory Vulnerability

A flaw in Node.js HTTP/2 client allows a server to send an unlimited number of ORIGIN frames, which could lead to an Out of Memory error on the client. This vulnerability affects all supported rel…

node.js | Remote | Denial of Service
Jun 26, 2026 Jun 26, 2026
Jun 26, 2026
Jun 26, 2026
7.7 HIGH
CVE-2026-48618 — Node.js TLS Hostname Normalization Bypass

A flaw in Node.js TLS hostname handling can cause Node.js unicode dot separator handling can lead to tls wildcard-depth authentication bypass due to resolver and verifier hostname normalization misma…

node.js | Remote | Authentication
Jun 26, 2026 Jun 26, 2026
Jun 26, 2026
Jun 26, 2026
7.5 HIGH
CVE-2026-48615 — Node.js Proxy Credentials Exposure via Tunnel Error

A flaw in Node.js proxy tunnel error handling could expose proxy credentials in `ERR_PROXY_TUNNEL` error messages. When proxy credentials are embedded in the proxy URL, they may be exposed through…

node.js | Remote | Information Disclosure
Jun 26, 2026 Jun 26, 2026
Jun 26, 2026
Jun 26, 2026
6.5 MEDIUM
CVE-2026-13226 — Groundhogg <= 4.5.4 - Authenticated (Custom+) SQL Injection via 'after' Parameter

The Groundhogg — CRM, Newsletters, and Marketing Automation plugin for WordPress is vulnerable to generic SQL Injection via the 'after' parameter in all versions up to, and including, 4.5.4 due to in…

groundhogg | Remote | Injection
Jun 26, 2026 Jun 26, 2026
Jun 26, 2026
Jun 26, 2026
9.2 CRITICAL
CVE-2026-9222 — Setracker2 Children's Smartwatch Ecosystem Use of password hash instead of password for a…

Setracker2 Android Companion App com.tgelec.setracker versions 3.1.5 and prior only require the password hash when authenticating with backend services from the client. This could allow an attacker, …

Remote | Authentication
Jun 26, 2026 Jun 26, 2026
Jun 26, 2026
Jun 26, 2026
8.7 HIGH
CVE-2026-9221 — Setracker2 Children's Smartwatch Ecosystem Use of a Broken or Risky Cryptographic Algorit…

The Setracker2 Android Companion App (com.tgelec.setracker) versions 3.1.5 and earlier uses MD5 to generate a request signature for authenticating communications between the mobile client and the bac…

Remote | Cryptography
Jun 26, 2026 Jun 30, 2026
Jun 26, 2026
Jun 30, 2026
8.7 HIGH
CVE-2026-9220 — Setracker2 Children's Smartwatch Ecosystem Use of hard-coded cryptographic key

Setracker2 Android Companion App com.tgelec.setracker versions 3.1.5 and prior encrypts requests between the watch and its backend with static hardcoded AES keys and initialization vectors. This allo…

Remote | Cryptography
Jun 26, 2026 Jun 26, 2026
Jun 26, 2026
Jun 26, 2026
8.3 HIGH
CVE-2026-9219 — Setracker2 Children's Smartwatch Ecosystem Generation of Predictable Numbers or Identifie…

Setracker2 Android Companion App com.tgelec.setracker versions 3.1.5 and prior have a predictable registration ID derived from IMEI. The enrollment system lacks additional authentication before assig…

Remote | Authentication
Jun 26, 2026 Jun 26, 2026
Jun 26, 2026
Jun 26, 2026
6.9 MEDIUM
CVE-2026-43920 — FOSSBilling: Unauthenticated update patcher endpoint allows remote maintenance execution

FOSSBilling is a free, open-source billing and client management system. In versions 0.5.4 through 0.7.2, the /run-patcher maintenance endpoint in FOSSBilling was accessible without authentication, w…

fossbilling | Remote | Authentication
Jun 26, 2026 Jun 26, 2026
Jun 26, 2026
Jun 26, 2026
3.8 LOW
CVE-2026-13322 — Kubevirt: virt-handler-rhel9: kubevirt: unbounded virtio-serial readline in virt-handler …

A flaw was found in KubeVirt's downward metrics virtio-serial server. The server reads guest requests using textproto.Reader.ReadLine(), which buffers input indefinitely until a newline character is …

openshift_virtualization | Denial of Service
Jun 26, 2026 Jun 26, 2026
Jun 26, 2026
Jun 26, 2026
6.4 MEDIUM
CVE-2026-13318 — Virt-api-rhel9: kubevirt: kubevirt: ssrf in virt-api port-forward via unvalidated guest-a…

A server-side request forgery (SSRF) flaw was found in KubeVirt's virt-api port-forward handler. When processing a port-forward request to a VirtualMachineInstance (VMI), virt-api reads the target IP…

openshift_virtualization | Remote | Server-Side Request Forgery
Jun 26, 2026 Jun 26, 2026
Jun 26, 2026
Jun 26, 2026
Showing 20 of 7989 Results