Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
6.5 MEDIUM
CVE-2026-13226 — Groundhogg <= 4.5.4 - Authenticated (Custom+) SQL Injection via 'after' Parameter

The Groundhogg — CRM, Newsletters, and Marketing Automation plugin for WordPress is vulnerable to generic SQL Injection via the 'after' parameter in all versions up to, and including, 4.5.4 due to in…

groundhogg | Remote | Injection
Jun 26, 2026 Jun 26, 2026
Jun 26, 2026
Jun 26, 2026
9.2 CRITICAL
CVE-2026-9222 — Setracker2 Children's Smartwatch Ecosystem Use of password hash instead of password for a…

Setracker2 Android Companion App com.tgelec.setracker versions 3.1.5 and prior only require the password hash when authenticating with backend services from the client. This could allow an attacker, …

Remote | Authentication
Jun 26, 2026 Jun 26, 2026
Jun 26, 2026
Jun 26, 2026
8.7 HIGH
CVE-2026-9221 — Setracker2 Children's Smartwatch Ecosystem Use of a Broken or Risky Cryptographic Algorit…

The Setracker2 Android Companion App (com.tgelec.setracker) versions 3.1.5 and earlier uses MD5 to generate a request signature for authenticating communications between the mobile client and the bac…

Remote | Cryptography
Jun 26, 2026 Jun 30, 2026
Jun 26, 2026
Jun 30, 2026
8.7 HIGH
CVE-2026-9220 — Setracker2 Children's Smartwatch Ecosystem Use of hard-coded cryptographic key

Setracker2 Android Companion App com.tgelec.setracker versions 3.1.5 and prior encrypts requests between the watch and its backend with static hardcoded AES keys and initialization vectors. This allo…

Remote | Cryptography
Jun 26, 2026 Jun 26, 2026
Jun 26, 2026
Jun 26, 2026
8.3 HIGH
CVE-2026-9219 — Setracker2 Children's Smartwatch Ecosystem Generation of Predictable Numbers or Identifie…

Setracker2 Android Companion App com.tgelec.setracker versions 3.1.5 and prior have a predictable registration ID derived from IMEI. The enrollment system lacks additional authentication before assig…

Remote | Authentication
Jun 26, 2026 Jun 26, 2026
Jun 26, 2026
Jun 26, 2026
6.9 MEDIUM
CVE-2026-43920 — FOSSBilling: Unauthenticated update patcher endpoint allows remote maintenance execution

FOSSBilling is a free, open-source billing and client management system. In versions 0.5.4 through 0.7.2, the /run-patcher maintenance endpoint in FOSSBilling was accessible without authentication, w…

fossbilling | Remote | Authentication
Jun 26, 2026 Jun 26, 2026
Jun 26, 2026
Jun 26, 2026
3.8 LOW
CVE-2026-13322 — Kubevirt: virt-handler-rhel9: kubevirt: unbounded virtio-serial readline in virt-handler …

A flaw was found in KubeVirt's downward metrics virtio-serial server. The server reads guest requests using textproto.Reader.ReadLine(), which buffers input indefinitely until a newline character is …

openshift_virtualization | Denial of Service
Jun 26, 2026 Jun 26, 2026
Jun 26, 2026
Jun 26, 2026
6.4 MEDIUM
CVE-2026-13318 — Virt-api-rhel9: kubevirt: kubevirt: ssrf in virt-api port-forward via unvalidated guest-a…

A server-side request forgery (SSRF) flaw was found in KubeVirt's virt-api port-forward handler. When processing a port-forward request to a VirtualMachineInstance (VMI), virt-api reads the target IP…

openshift_virtualization | Remote | Server-Side Request Forgery
Jun 26, 2026 Jun 26, 2026
Jun 26, 2026
Jun 26, 2026
4.2 MEDIUM
CVE-2026-13218 — Kubevirt: kubevirt: symlink following in writetocachedfile allows host file overwrite fro…

A flaw was found in KubeVirt's virt-handler network cache handling. The WriteToCachedFile function writes data to a launcher-rooted path using os.WriteFile and os.Chown without symlink protection. A …

openshift_virtualization | Path Traversal
Jun 26, 2026 Jun 26, 2026
Jun 26, 2026
Jun 26, 2026
6.9 MEDIUM
CVE-2026-13083 — Pen-drive: pen-drive: stored xss via unescaped cluster data in html report

A flaw was found in the Pen Drive report generator. Cluster-sourced data is rendered into HTML reports without proper escaping or sanitization. An attacker with cluster administrator privileges can i…

Remote | Cross-Site Scripting
Jun 26, 2026 Jul 01, 2026
Jun 26, 2026
Jul 01, 2026
6.5 MEDIUM
CVE-2026-12993 — Apicurio/apicurio-registry: apicurio-registry: xml entity-expansion denial of service via…

A flaw was found in Apicurio Registry. The DocumentBuilderAccessor correctly blocks external DTD and schema access but does not disable DOCTYPE declarations or enable FEATURE_SECURE_PROCESSING. An at…

Remote | XML External Entity
Jun 26, 2026 Jun 29, 2026
Jun 26, 2026
Jun 29, 2026
7.1 HIGH
CVE-2026-40941 — Cacti: Package Import Signature Validation Bypass Allows Self-Signed Packages

Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior have a package import signature validation bypass allows which allows self-signed packages. This issue ha…

cacti | Remote | Misconfiguration
Jun 25, 2026 Jun 29, 2026
Jun 25, 2026
Jun 29, 2026
6.5 MEDIUM
CVE-2026-40084 — Cacti: Arbitrary File Read via Path Traversal in Report `format_file` Parameter

Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior are vulnerable to Path Traversal through the Report format_file Parameter, causing arbitrary file read. …

cacti | Remote | Path Traversal
Jun 25, 2026 Jun 29, 2026
Jun 25, 2026
Jun 29, 2026
7.2 HIGH
CVE-2026-40083 — Cacti: SQL Injection in managers.php

Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior have SQL Injection through unsanitized unserialize+implode in managers.php. At line 756 of managers.php,…

cacti | Remote | Injection
Jun 25, 2026 Jun 30, 2026
Jun 25, 2026
Jun 30, 2026
5.4 MEDIUM
CVE-2026-40082 — Cacti: Session Fixation via missing session_regenerate_id() after login

Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior have missing session_regenerate_id() after login, leading to Session Fixation. session_regenerate_id() is…

cacti | Remote | Authentication
Jun 25, 2026 Jun 29, 2026
Jun 25, 2026
Jun 29, 2026
6.1 MEDIUM
CVE-2026-40080 — Cacti: Open Redirect via HTTP_REFERER substring check in auth_login_redirect

Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior are vulnerable to Open Redirect through a substring check rather than a host check at str_contains($refer…

cacti | Remote | Misconfiguration
Jun 25, 2026 Jun 29, 2026
Jun 25, 2026
Jun 29, 2026
7.5 HIGH
CVE-2026-8720 — HMAC-BLAKE2 final discards message when key length exceeds block size

wc_Blake2bHmacFinal and wc_Blake2sHmacFinal discard the message when the key length exceeds the block size, producing a MAC that is independent of the input. When the supplied key is longer than the …

wolfssl | Remote | Cryptography
Jun 25, 2026 Jun 27, 2026
Jun 25, 2026
Jun 27, 2026
7.5 HIGH
CVE-2026-7532 — iPAddress name constraints not enforced when WOLFSSL_IP_ALT_NAME is undefined

iPAddress name constraints bypass when WOLFSSL_IP_ALT_NAME is not defined. IP address name constraints are not enforced in that configuration, allowing a certificate to bypass an issuing CA's IP addr…

wolfssl | Remote | Misconfiguration
Jun 25, 2026 Jul 01, 2026
Jun 25, 2026
Jul 01, 2026
7.5 HIGH
CVE-2026-7511 — PKCS7_verify signer confusion allows forged signatures to be accepted

PKCS7_verify signer confusion allows forged signatures, where the signer associated with a signature is not correctly bound, permitting a forged signature to be accepted.

wolfssl | Remote | Cryptography
Jun 25, 2026 Jun 27, 2026
Jun 25, 2026
Jun 27, 2026
7.5 HIGH
CVE-2026-6331 — HMAC zero-length tag forgery in EVP_DigestVerifyFinal

HMAC zero-length tag forgery in EVP_DigestVerifyFinal, where a zero-length tag could be accepted as valid during HMAC verification. In the OpenSSL-compatibility HMAC verify path the supplied signatur…

wolfssl | Remote | Cryptography
Jun 25, 2026 Jun 27, 2026
Jun 25, 2026
Jun 27, 2026
Showing 20 of 7988 Results