Latest CVE Feed
Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.
Mattermost versions 10.11.x <= 10.11.18, 11.6.x <= 11.6.3, 11.5.x <= 11.5.6 fail to validate attachment URLs against internal or private IP ranges in the Mattermost Agents plugin MCP server which all…
The KTLS receive path decrypted each record in place, assuming that the mbufs holding received data were anonymous and safe to modify. This assumption does not hold for data placed on a socket by se…
When used to deliver a signal to a specific thread, thr_kill2(2) called p_cansignal() to determine whether the operation was permitted but did not check the result before delivering the signal. The …
Mattermost versions 10.11.x <= 10.11.18, 11.6.x <= 11.6.3, 11.5.x <= 11.5.6 fail to properly apply markdown image rendering restrictions to AI bot tool result posts, which allows an authenticated att…
An integer overflow in the PSD parser component of FastStone Image Viewer v8.3 allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via supplying a crafted PSD file.
A heap overflow in the FSViewer.exe process of FastStone Image Viewer v8.3 allows attackers to execute arbitrary code in the context of the current process via supplying a crafted JPEG 2000 (…
Unauthenticated Broken Access Control in SiteGround Email Marketing <= 1.7.5 versions.
Contributor Cross Site Scripting (XSS) in BNE Testimonials <= 2.0.8 versions.
Contributor Cross Site Scripting (XSS) in Image Carousel <= 1.0.0.41 versions.
Contributor Local File Inclusion in Goya Core < 1.0.9.4 versions.
Contributor Local File Inclusion in Splash - Sport Club WordPress Theme for Basketball, Football, Hockey <= 4.4.3 versions.
Unauthenticated Cross Site Request Forgery (CSRF) in Eagle Booking <= 1.3.4.3 versions.
Unauthenticated Insecure Direct Object References (IDOR) in BookPro <= 1.1.0 versions.
Unauthenticated Content Injection in Auros Core <= 5.3.1 versions.
Unauthenticated Broken Access Control in Donation Thermometer <= 2.2.7 versions.
Contributor Broken Access Control in Live Copy Paste for Elementor <= 1.5.3 versions.
Subscriber Broken Access Control in Restaurant Menu by MotoPress <= 2.4.11 versions.
Contributor Broken Access Control in Forget About Shortcode Buttons <= 2.1.3 versions.
HTMLy 3.1.1 contains a Server-Side Request Forgery (SSRF) vulnerability in the RSS feed import functionality. The function get_feed() in system/admin/admin.php passes user-supplied $feed_url directly…
In JetBrains YouTrack before 2026.2.16593 the websandbox bridge was vulnerable to a prototype pollution attack.