Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score | Vulnerability | Published
9.8 CRITICAL
CVE-2026-13763 — HTTP/2 Stream Parser Confusion Body-Inspection Bypass in AWS Application Load Balancer wi…

Inconsistent interpretation of HTTP/2 requests in AWS Application Load Balancer with AWS WAF enabled might allow remote actors to bypass AWS WAF managed rule body inspection via crafted HTTP/2 reques…

application_load_balancer | Remote | Misconfiguration
Jun 29, 2026 Jul 01, 2026
9.8 CRITICAL
CVE-2026-13762 — HTTP/2 Stream Parser Confusion Body-Inspection Bypass in Amazon CloudFront with AWS WAF

Inconsistent interpretation of HTTP/2 requests in Amazon CloudFront with AWS WAF enabled might allow remote actors to bypass AWS WAF managed rule body inspection via crafted HTTP/2 requests that frag…

cloudfront | Remote | Misconfiguration
Jun 29, 2026 Jul 01, 2026
6.5 MEDIUM
CVE-2026-13593 — CSS::Minifier::XS versions before 0.14 for Perl have a memory leak when the entire docume…

CSS::Minifier::XS versions before 0.14 for Perl have a memory leak when the entire document is minified away. The minify function has a memory leak when processing a document containing only charact…

Remote | Memory Corruption
Jun 29, 2026 Jun 30, 2026
8.8 HIGH
CVE-2026-58000 — luci-proto-openvpn - Command Injection via cl_meta Parameter in generateKey

luci-proto-openvpn through 0.11.1, fixed in commit e4ff45e, contains a command injection vulnerability in the generateKey ubus method where the cl_meta parameter is interpolated into a shell command …

luci | Remote | Injection
Jun 29, 2026 Jun 30, 2026
8.8 HIGH
CVE-2026-57999 — luci-app-tailscale-community - Command Injection via tailscale.do_login RPC

luci-app-tailscale-community contains a command injection vulnerability in the tailscale.do_login RPC method that allows authenticated users to execute arbitrary commands as root. The vulnerability e…

luci | Remote | Injection
Jun 29, 2026 Jun 30, 2026
6.9 MEDIUM
CVE-2026-53428 — Unbounded memory allocation in highlight_lines range expansion in mdex

Memory Allocation with Excessive Size Value vulnerability in leandrocp mdex allows an unauthenticated attacker to cause a denial of service through unbounded memory allocation. comrak_nif::lumis_ada…

mdex mdex_native | Denial of Service
Jun 29, 2026 Jun 29, 2026
2.3 LOW
CVE-2026-53427 — Cross-site scripting in MDEx via unescaped highlight_lines_class code-fence attribute

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in leandrocp MDEx allows stored or reflected cross-site scripting via attacker-controlled Markdown. …

mdex mdex_native | Remote | Cross-Site Scripting
Jun 29, 2026 Jun 29, 2026
6.2 MEDIUM
CVE-2026-13757 — P11-kit: stack exhaustion via unbounded recursion in rpc attribute parsing

A flaw was found in p11-kit. The RPC message attribute parsing functions p11_rpc_message_get_attribute() and p11_rpc_message_get_attribute_array_value() form a mutually-recursive call chain with no r…

Jun 29, 2026 Jul 01, 2026
8.3 HIGH
CVE-2026-57960 — Hi.Events 1.9.0 - Unauthenticated Attendee PII Exposure via Check-in List short_id

Hi.Events through 1.9.0 public check-in list endpoints use short_id as sole access control, allowing unauthenticated access to retrieve full attendee lists including emails and personal information. …

hi.events | Remote | Authentication
Jun 29, 2026 Jun 30, 2026
8.2 HIGH
CVE-2026-57959 — Hi.Events 1.9.0 - Promo Code Max-Usage Bypass via Asynchronous Job Race Condition

Hi.Events through 1.9.0 contains a promo code validation vulnerability where reservation validates usage count before asynchronous UpdateEventStatisticsJob increments it, allowing attackers to redeem…

hi.events | Remote | Race Condition
Jun 29, 2026 Jun 29, 2026
6.1 MEDIUM
CVE-2026-57958 — Mixpost 2.6.0 - Reflected XSS via OAuth Callback Error Parameter

Mixpost through 2.6.0 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to execute arbitrary JavaScript in authenticated users' browsers by crafting malici…

Remote | Cross-Site Scripting
Jun 29, 2026 Jun 29, 2026
4.7 MEDIUM
CVE-2026-57957 — Papermark 0.22.0 - CORS Misconfiguration in Viewer Upload Endpoint

Papermark through 0.22.0 contains a cross-origin resource sharing (CORS) misconfiguration vulnerability that allows unauthenticated remote attackers to perform credentialed cross-origin requests by e…

papermark | Remote | Misconfiguration
Jun 29, 2026 Jul 01, 2026
6.4 MEDIUM
CVE-2026-57956 — SigNoz 0.130.1 - Cross-Organization Insecure Direct Object Reference in Alert Rules

SigNoz through 0.130.1 contains a broken access control vulnerability that allows authenticated users to access other organizations' alert rules by supplying a target rule UUID, as the alert rule sto…

Remote | Authorization
Jun 29, 2026 Jun 29, 2026
8.5 HIGH
CVE-2026-57955 — SigNoz 0.130.1 - SQL Injection in Alert History Endpoints via Rule ID Parameter

SigNoz through 0.130.1 contains a SQL injection vulnerability that allows authenticated attackers to execute arbitrary ClickHouse queries by injecting URL-encoded quotes into the rule ID path paramet…

Remote | Injection
Jun 29, 2026 Jun 29, 2026
5.3 MEDIUM
CVE-2026-57954 — Elide 7.1.17 - Permission Bypass in Sort Expression Validation

Elide through 7.1.17 fails to enforce @ReadPermission on client-supplied sort expressions in SortingImpl.getValidSortingRules, allowing attackers to sort collections by forbidden fields. Attackers ca…

elide | Remote | Authorization
Jun 29, 2026 Jun 30, 2026
5.4 MEDIUM
CVE-2026-57953 — Mythic < 3.4.0.60 - Unauthorized Automation Workflow Modification via eventing_import_aut…

Mythic before 3.4.0.60 contains an authorization bypass vulnerability that allows authenticated spectator-role users to perform unauthorized write operations by accessing the eventing_import_automati…

mythic | Remote | Authorization
Jun 29, 2026 Jun 30, 2026
6.5 MEDIUM
CVE-2026-57952 — Mythic < 3.4.0.60 - Unauthorized C2 Profile Configuration Access via Unverified Payload U…

Mythic before 3.4.0.60 contains an authorization bypass vulnerability in four REST endpoints (c2profile_config_check_webhook, c2profile_redirect_rules_webhook, c2profile_get_ioc_webhook, c2profile_sa…

mythic | Remote | Authorization
Jun 29, 2026 Jun 30, 2026
7.1 HIGH
CVE-2026-57951 — Mythic < 3.4.0.60 - Broken Permission Filter in payload_build_step Table

Mythic before 3.4.0.60 contains a broken hasura permission filter on the payload_build_step table with an always-satisfied _or condition that bypasses operation-scoped access controls. Authenticated …

mythic | Remote | Authorization
Jun 29, 2026 Jul 01, 2026
8.6 HIGH
CVE-2026-57950 — ruoyi-vue-pro - Incorrect Permission Namespace in ErpSaleOrderController

ruoyi-vue-pro through 2026.05, fixed in commit 5d1fd70, contains a broken access control vulnerability in ErpSaleOrderController that allows attackers with erp:sale-out permissions to gain unauthorize…

Remote | Authorization
Jun 29, 2026 Jun 29, 2026
7.1 HIGH
CVE-2026-57949 — ruoyi-vue-pro - Missing Authorization in CRM Follow-up Record GET Endpoint

ruoyi-vue-pro through 2026.05, fixed in commit c779a47, contains a missing authorization vulnerability in the CRM module's GET /admin-api/crm/follow-up-record/get endpoint that allows authenticated u…

Remote | Authorization
Jun 29, 2026 Jun 29, 2026
Showing 20 of 7990 Results