Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score | Vulnerability | Published
9.6 CRITICAL
CVE-2026-53662 — immich: One-click account takeover via XSS in login page continue redirect

immich is a high performance self-hosted photo and video management solution. From commit 4ffa26c9 until 4eb1003, a reflected cross-site scripting (XSS) vulnerability on the /auth/login page allows a…

immich | Remote | Cross-Site Scripting
Jun 23, 2026 Jun 25, 2026
4.2 MEDIUM
CVE-2026-52846 — Caddy: stripHTML template function bypass

Caddy is an extensible server platform that uses TLS by default. Prior to 2.11.4, Caddy’s stripHTML template function cannot reliably remove all HTML tags from input strings. Certain malformed HTML, …

caddy | Remote | Cross-Site Scripting
Jun 23, 2026 Jun 29, 2026
8.1 HIGH
CVE-2026-52845 — Caddy: FastCGI header normalization bypass in `forward_auth copy_headers`

Caddy is an extensible server platform that uses TLS by default. Prior to 2.11.4, forward_auth copy_headers deletes the exact client-supplied identity header before copying the trusted value from the…

caddy | Remote | Authentication
Jun 23, 2026 Jun 30, 2026
7.5 HIGH
CVE-2026-52844 — Caddy: Windows `file_server` path authorization bypass via encoded backslash

Caddy is an extensible server platform that uses TLS by default. Prior to 2.11.4, on Windows, Caddy path matchers treat /private\secret.txt as outside /private/*, but file_server later resolves the s…

windows caddy | Remote | Path Traversal
Jun 23, 2026 Jun 29, 2026
5.4 MEDIUM
CVE-2026-50221 — OpenStack Swift: Server-Side Request Forgery via Internal Header Injection

In OpenStack Swift before 2.37.2, proxy-server does not strip internal update headers (X-Container-Host, X-Container-Device, X-Delete-At-Host, X-Delete-At-Device) from client requests before forwardi…

swift | Remote | Server-Side Request Forgery
Jun 23, 2026 Jun 29, 2026
5.2 MEDIUM
CVE-2026-49983 — Deno: process.loadEnvFile() bypasses env permission checks and mutates process.env with o…

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.8.1, environment access is gated by the env permission. You can deny it with --deny-env, or restrict it to a specific allowlist w…

deno | Misconfiguration
Jun 23, 2026 Jun 29, 2026
5.2 MEDIUM
CVE-2026-49860 — Deno: WebSocket API sandbox bypass via missing post-DNS check

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.8.1, when a WebSocket connection was opened, Deno checked the destination hostname against --deny-net rules but did not re-check …

deno | Misconfiguration
Jun 23, 2026 Jun 29, 2026
5.2 MEDIUM
CVE-2026-49859 — Deno: `fetch()` API sandbox bypass via missing DNS resolution check

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.8.1, when fetch() was called, Deno checked the destination hostname against --deny-net rules but did not re-check the IP addresse…

deno | Misconfiguration
Jun 23, 2026 Jun 29, 2026
7.4 HIGH
CVE-2026-49440 — Deno: Miller-Rabin Primality Test Allows Zero Rounds

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.8.1, node:crypto.checkPrime(candidate[, options][, callback]) and crypto.checkPrimeSync(candidate[, options]) ran no Miller-Rabin…

deno | Remote | Cryptography
Jun 23, 2026 Jun 26, 2026
6.5 MEDIUM
CVE-2026-49411 — Deno Node TCPWrap numeric hostname aliases bypass --deny-net resolved-IP deny checks

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.8.0, the Node.js compatibility TCP path checked the permission against the original hostname string before resolution and then di…

deno | Authorization
Jun 23, 2026 Jun 26, 2026
5.5 MEDIUM
CVE-2026-49406 — Deno: BYONM module resolution allows `package.json` main path traversal to bypass `--allo…

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.7.12, when Deno was run in BYONM mode (nodeModulesDir: "manual"), the module resolver did not validate that a package's resolved …

deno | Path Traversal
Jun 23, 2026 Jun 26, 2026
8.1 HIGH
CVE-2026-49402 — Deno: Command Injection via spawnSync & spawn on Windows

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.7.10, Deno's node:child_process implementation provided an escapeShellArg() helper used when callers passed shell: true to spawn …

deno windows | Remote | Injection
Jun 23, 2026 Jun 26, 2026
8.4 HIGH
CVE-2026-49401 — Deno Permission Bypass via Unicode Normalization Mismatch on macOS (APFS)

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.7.14, Deno's permission system enforces filesystem and execution restrictions by comparing the requested path against the path su…

macos deno | Misconfiguration
Jun 23, 2026 Jun 26, 2026
5.4 MEDIUM
CVE-2026-45692 — Caddy: Remote Admin Authorization Bypass in `/config` API via Array Index Normalization

Caddy is an extensible server platform that uses TLS by default. From 2.4.0 until 2.11.3, the authorization layer and the /config traversal layer do not agree on what object the path refers to. In th…

caddy | Remote | Authorization
Jun 23, 2026 Jun 26, 2026
8.1 HIGH
CVE-2026-45135 — Caddy: Unsafe Unicode Handling in FastCGI splitPos Allows Execution of Non-PHP Files

Caddy is an extensible server platform that uses TLS by default. From 2.7.0 until 2.11.3, the FastCGI transport's splitPos() in modules/caddyhttp/reverseproxy/fastcgi/fastcgi.go misuses golang.org/x/…

caddy | Remote | Misconfiguration
Jun 23, 2026 Jun 26, 2026
9.1 CRITICAL
CVE-2026-44726 — Deno: TLS retry copies stale upgrade hook, risking plaintext traffic

Deno is a JavaScript, TypeScript, and WebAssembly runtime. From 2.0.0 until 2.7.8, a flaw in Deno's Node.js tls compatibility layer could cause a TLS client to transmit application data in plaintext …

deno | Remote | Cryptography
Jun 23, 2026 Jun 26, 2026
4.1 MEDIUM
CVE-2026-0864 — Configuration Injection via Carriage Return (\r) in write() method

When using the "configparser" module to write configuration files containing multi-line text values with carriage return characters (\r) the resulting file could be injected with unexpected keys and …

python cpython | Injection
Jun 23, 2026 Jun 25, 2026
7.1 HIGH
CVE-2025-71382 — MuPDF < 1.27.0-rc1 Stack Exhaustion DoS via EPUB CSS Rendering

MuPDF before 1.27.0-rc1 contains an uncontrolled recursion vulnerability in the EPUB CSS rendering engine that allows remote attackers to cause a denial of service by supplying a maliciously crafted …

mupdf | Remote | Denial of Service
Jun 23, 2026 Jun 26, 2026
7.5 HIGH
CVE-2025-61029 — OpenLink Virtuoso-Opensource Denial of Service

An issue in the sqlo_untry component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.

Remote | Denial of Service
Jun 23, 2026 Jun 23, 2026
7.5 HIGH
CVE-2025-61024 — OpenLink Virtuoso Denial of Service

An issue in the sqlo_try_in_loop component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.

Remote | Denial of Service
Jun 23, 2026 Jun 23, 2026
Showing 20 of 7941 Results