Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
9.3 CRITICAL
CVE-2026-52843 — Lightpanda: fetch() and XMLHttpRequest attach session cookies to cross-origin requests re…

Lightpanda is a headless browser designed for AI and automation. Prior to 0.2.9, Lightpanda fetch() and XMLHttpRequest unconditionally attached session cookies to every HTTP request, ignoring credent…

Remote | Authentication
Jul 15, 2026 Jul 15, 2026
Jul 15, 2026
Jul 15, 2026
9.3 CRITICAL
CVE-2026-52842 — Lightpanda:URL parser misidentifies page origin for URLs containing @ in the path - Same-…

Lightpanda is a headless browser designed for AI and automation. Prior to 0.3.1, Lightpanda searched for @ across the entire URL string instead of only the authority component when computing a page o…

Remote | Misconfiguration
Jul 15, 2026 Jul 15, 2026
Jul 15, 2026
Jul 15, 2026
5.4 MEDIUM
CVE-2026-49997 — SurrealDB: Edge PERMISSIONS FOR delete bypassed when a connected node is deleted

SurrealDB is a scalable, distributed, collaborative, document-graph database for the realtime web. Prior to 3.1.0, Document::purge_edges in surrealdb/core/src/doc/delete.rs automatically removed grap…

Remote | Authorization
Jul 15, 2026 Jul 15, 2026
Jul 15, 2026
Jul 15, 2026
7.7 HIGH
CVE-2026-48799 — Postiz: Unauthenticated arbitrary lifetime PRO grant via Nowpayments webhook

Postiz is an AI social media scheduling tool. Prior to 2.21.8, Postiz fails to verify Nowpayments IPN callback authenticity against the payment provider shared secret and reads the target subscriptio…

Remote | Authentication
Jul 15, 2026 Jul 15, 2026
Jul 15, 2026
Jul 15, 2026
6.3 MEDIUM
CVE-2026-47703 — AdGuard Home: DoQ-to-UDP State Reduction and Source-Port Oracle

AdGuard Home is a network-wide software for blocking ads and tracking. Prior to 0.107.75, AdGuard Home's client-triggered DoQ forwarding path to a udp:// upstream reduced backend UDP DNS state by pro…

adguardhome | Remote | Misconfiguration
Jul 15, 2026 Jul 15, 2026
Jul 15, 2026
Jul 15, 2026
7.5 HIGH
CVE-2026-45804 — Diffusers: TOCTOU Trust Remote Code Bypass

Diffusers is the a library for pretrained diffusion models. Prior to 0.38.0, Diffusers' DiffusionPipeline.from_pretrained flow can bypass the trust_remote_code guard because download() validates mode…

diffusers | Remote | Supply Chain
Jul 15, 2026 Jul 15, 2026
Jul 15, 2026
Jul 15, 2026
7.5 HIGH
CVE-2026-45793 — Composer: Github Actions issued GITHUB_TOKEN disclosure in GitHub Actions logs

Composer is a dependency Manager for the PHP language. Prior to 1.10.28, 2.2.28, and 2.9.8, Composer\IO\BaseIO::loadConfiguration() validates GitHub OAuth tokens with the regex ^[.A-Za-z0-9_]+$ and i…

composer | Remote | Information Disclosure
Jul 15, 2026 Jul 15, 2026
Jul 15, 2026
Jul 15, 2026
7.5 HIGH
CVE-2026-20187 — Cisco RoomOS Security Hardening Release - Exceptional Conditions Handling Vulnerabilities

As part of Cisco's ongoing commitment to proactive security and product quality, the Cisco RoomOS engineering team has conducted a comprehensive internal security review. This review resulted in a so…

Remote | Misconfiguration
Jul 15, 2026 Jul 15, 2026
Jul 15, 2026
Jul 15, 2026
7.5 HIGH
CVE-2026-20158 — Cisco RoomOS Security Hardening Release - Resource Lifetime Management Vulnerabilities

As part of Cisco's ongoing commitment to proactive security and product quality, the Cisco RoomOS engineering team has conducted a comprehensive internal security review. This review resulted in a so…

Remote | Memory Corruption
Jul 15, 2026 Jul 15, 2026
Jul 15, 2026
Jul 15, 2026
7.5 HIGH
CVE-2026-20157 — Cisco RoomOS Security Hardening Release - Missing Encryption Vulnerabilities

As part of Cisco's ongoing commitment to proactive security and product quality, the Cisco RoomOS engineering team has conducted a comprehensive internal security review. This review resulted in a so…

| Cryptography
Jul 15, 2026 Jul 15, 2026
Jul 15, 2026
Jul 15, 2026
8.1 HIGH
CVE-2026-20156 — Cisco RoomOS Security Hardening Release - Buffer Management Vulnerabilities

As part of Cisco's ongoing commitment to proactive security and product quality, the Cisco RoomOS engineering team has conducted a comprehensive internal security review. This review resulted in a so…

Remote | Memory Corruption
Jul 15, 2026 Jul 15, 2026
Jul 15, 2026
Jul 15, 2026
7.5 HIGH
CVE-2026-20153 — Cisco RoomOS Security Hardening Release - Input Validation Vulnerabilities

As part of Cisco's ongoing commitment to proactive security and product quality, the Cisco RoomOS engineering team has conducted a comprehensive internal security review. This review resulted in a so…

Remote | Injection
Jul 15, 2026 Jul 15, 2026
Jul 15, 2026
Jul 15, 2026
8.8 HIGH
CVE-2026-20150 — Cisco RoomOS Security Hardening Release - Access Control Vulnerabilities

As part of Cisco's ongoing commitment to proactive security and product quality, the Cisco RoomOS engineering team has conducted a comprehensive internal security review. This review resulted in a so…

Remote | Authorization
Jul 15, 2026 Jul 15, 2026
Jul 15, 2026
Jul 15, 2026
5.5 MEDIUM
CVE-2026-20146 — Cisco Identity Services Engine Path Traversal Vulnerability

A vulnerability in Cisco Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC) could allow an authenticated, remote attacker to perform path traversal attacks on the under…

identity_services_engine_software | Remote | Path Traversal
Jul 15, 2026 Jul 15, 2026
Jul 15, 2026
Jul 15, 2026
4.8 MEDIUM
CVE-2026-1563 — Pega Platform versions 8.1.0 through 25.1.2 are affected by an Reflected Cross-site scrip…

Pega Platform versions 8.1.0 through 25.1.2 are affected by an Reflected Cross-site scripting (XSS) vulnerability in a user interface component. Requires a high privileged user with a developer role.

Remote | Cross-Site Scripting
Jul 15, 2026 Jul 15, 2026
Jul 15, 2026
Jul 15, 2026
4.6 MEDIUM
CVE-2026-1562 — Pega Platform versions 8.1.0 through 25.1.2 are affected by an Stored Cross-site scriptin…

Pega Platform versions 8.1.0 through 25.1.2 are affected by an Stored Cross-site scripting (XSS) vulnerability in a user interface component. Requires a high privileged user with a developer role.

Remote | Cross-Site Scripting
Jul 15, 2026 Jul 15, 2026
Jul 15, 2026
Jul 15, 2026
6.5 MEDIUM
CVE-2025-32781 — Apollo: Apollo Portal release endpoint allows cross-application configuration disclosure …

Apollo is a reliable configuration management system suitable for microservice configuration management scenarios. Prior to 2.5.0, Apollo Portal does not verify application and namespace permissions …

apollo | Remote | Authorization
Jul 15, 2026 Jul 15, 2026
Jul 15, 2026
Jul 15, 2026
5.5 MEDIUM
CVE-2026-9007 — Reflected XSS in HCL Notes

Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in HCL Notes from HCL Software allows reflected Cross-Site Scripting (XSS).  Successful exploitat…

Remote | Cross-Site Scripting
Jul 15, 2026 Jul 15, 2026
Jul 15, 2026
Jul 15, 2026
6.8 MEDIUM
CVE-2026-62843 — File Browser: Archive builder turns backslash filenames into path traversal (zip-slip)

File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. From 2.63.6 to 2.63.16, File Browser's archive builder uses st…

Remote | Path Traversal
Jul 15, 2026 Jul 15, 2026
Jul 15, 2026
Jul 15, 2026
8.1 HIGH
CVE-2026-62685 — File Browser: Colliding username normalization gives two users the same home directory

File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.17, File Browser builds new user scopes from use…

Remote | Authorization
Jul 15, 2026 Jul 15, 2026
Jul 15, 2026
Jul 15, 2026
Showing 20 of 8287 Results