Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
6.9 MEDIUM
CVE-2026-50135 — Hugo: Symlink confinement bypass in resources.Get

Hugo is a static site generator. From 0.123.0 to 0.161.1, a regression made  RootMappingFs.statRoot  use  Stat  (follows symlinks) instead of  Lstat , so a direct  resources.Get  of a symlink pointin…

Remote | Path Traversal
Jul 06, 2026 Jul 06, 2026
Jul 06, 2026
Jul 06, 2026
5.5 MEDIUM
CVE-2026-48267 — DNG SDK | NULL Pointer Dereference (CWE-476)

DNG SDK versions 1.7.1 2536 and earlier are affected by a NULL Pointer Dereference vulnerability that could result in an application denial-of-service. An attacker could exploit this vulnerability to…

| Denial of Service
Jul 06, 2026 Jul 06, 2026
Jul 06, 2026
Jul 06, 2026
9.2 CRITICAL
CVE-2026-42341 — FOSSBilling has an unauthenticated payment bypass via IPN callback forgery

FOSSBilling is a free, open-source billing and client management system. Versions 0.6.0 through 0.7.2 have an unauthenticated payment bypass vulnerability in FOSSBilling's IPN callback endpoint. When…

Remote | Authentication
Jul 06, 2026 Jul 06, 2026
Jul 06, 2026
Jul 06, 2026
7.7 HIGH
CVE-2026-42331 — FOSSBilling missing authorization in guest Invoice API endpoints

FOSSBilling is a free, open-source billing and client management system. Prior to version 0.8.0, the Guest API invoice/update endpoint is missing an authorization check present in other invoice-relat…

Remote | Authorization
Jul 06, 2026 Jul 06, 2026
Jul 06, 2026
Jul 06, 2026
9.9 CRITICAL
CVE-2026-34038 — Coolify authenticated remote command injection leading to RCE and secret exfiltration

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.469, an authenticated remote command injection vulnerability in application dep…

coolify | Remote | Injection
Jul 06, 2026 Jul 06, 2026
Jul 06, 2026
Jul 06, 2026
6.9 MEDIUM
CVE-2026-33734 — FOSSBilling has improper SQL neutralization in `Massmailer` recipient filters

FOSSBilling is a free, open-source billing and client management system. Versions 0.6.0 through 0.7.2 have a SQL injection vulnerability in the `Massmailer` module filter functionality. An authentica…

Remote | Injection
Jul 06, 2026 Jul 06, 2026
Jul 06, 2026
Jul 06, 2026
7.8 HIGH
CVE-2026-25271 — Time-of-check Time-of-use (TOCTOU) Race Condition in DSP Service

Memory Corruption when processing asynchronous input parameters due to improper handling of modified values between check and use.

| Memory Corruption
Jul 06, 2026 Jul 06, 2026
Jul 06, 2026
Jul 06, 2026
8.8 HIGH
CVE-2026-25268 — Stack-based Buffer Overflow in WLAN Host

Memory Corruption when processing invalid HT40 channel layouts during dynamic channel switching operations.

| Memory Corruption
Jul 06, 2026 Jul 06, 2026
Jul 06, 2026
Jul 06, 2026
5.3 MEDIUM
CVE-2026-21384 — Out-of-bounds Write in Camera Driver

Memory Corruption when updating prepared commands with invalid port indices based on user space input exceeds supported read client limits.

| Memory Corruption
Jul 06, 2026 Jul 06, 2026
Jul 06, 2026
Jul 06, 2026
7.1 HIGH
CVE-2026-21383 — Reusing a Nonce, Key Pair in Encryption in HLOS

Cryptographic Issue when using a static initialization vector for AES-GCM key wrapping, which requires a unique value for each call to ensure security.

| Cryptography
Jul 06, 2026 Jul 06, 2026
Jul 06, 2026
Jul 06, 2026
7.8 HIGH
CVE-2026-21379 — Buffer Over-read in Windows Compute

Memory Corruption when allocating memory with sizes that exceed the maximum allowed value.

| Memory Corruption
Jul 06, 2026 Jul 06, 2026
Jul 06, 2026
Jul 06, 2026
5.3 MEDIUM
CVE-2026-21370 — Out-of-bounds Write in Camera Driver

Memory Corruption when validating input batch size and buffer plane count exceeds maximum allowed values.

| Memory Corruption
Jul 06, 2026 Jul 06, 2026
Jul 06, 2026
Jul 06, 2026
5.3 MEDIUM
CVE-2026-21369 — Out-of-bounds Write in Camera Driver

Memory Corruption when handling flash commands due to outdated LED count values being used after userspace modification.

| Memory Corruption
Jul 06, 2026 Jul 06, 2026
Jul 06, 2026
Jul 06, 2026
5.3 MEDIUM
CVE-2026-21368 — Out-of-bounds Write in Camera Driver

Memory Corruption when parsing jpeg commands due to unaccounted extra writes to the buffer during validation checks.

| Memory Corruption
Jul 06, 2026 Jul 06, 2026
Jul 06, 2026
Jul 06, 2026
8.6 HIGH
CVE-2026-14471 — Authenticated SQL injection in the metrics-service retention policy subsystem of mcp-gate…

Improper Neutralization of Special Elements in the metrics-service retention policy management component in Amazon mcp-gateway-registry before 1.0.13 might allow an authenticated remote user to execu…

Remote | Injection
Jul 06, 2026 Jul 06, 2026
Jul 06, 2026
Jul 06, 2026
7.7 HIGH
CVE-2026-14468 — Path traversal allows arbitrary file read in Terraform Enterprise container

HashiCorp Terraform Enterprise contained an issue in its version control system (VCS) ingestion of registry modules that did not correctly enforce the intended boundary on packaged module content. Th…

terraform_enterprise | Path Traversal
Jul 06, 2026 Jul 06, 2026
Jul 06, 2026
Jul 06, 2026
6.6 MEDIUM
CVE-2025-59617 — Use After Free in Computer Vision

Memory Corruption when processing multiple IOCTL calls with the same buffer file descriptor input.

| Memory Corruption
Jul 06, 2026 Jul 06, 2026
Jul 06, 2026
Jul 06, 2026
6.6 MEDIUM
CVE-2025-59616 — Use After Free in Computer Vision

Memory Corruption when processing multiple IOCTL calls with the same buffer file descriptor input due to accessing already freed memory.

| Memory Corruption
Jul 06, 2026 Jul 06, 2026
Jul 06, 2026
Jul 06, 2026
6.6 MEDIUM
CVE-2025-59615 — Use After Free in Computer Vision

Memory Corruption when invoking device input/output control operations for mapping and unmapping persistent memory buffers due to improper synchronization.

| Memory Corruption
Jul 06, 2026 Jul 06, 2026
Jul 06, 2026
Jul 06, 2026
6.1 MEDIUM
CVE-2026-59710 — showdown - Stored XSS via Unescaped Table Header ID Attribute Injection

showdown contains a stored cross-site scripting vulnerability in the parseHeaders function of src/subParsers/makehtml/tables.js that fails to properly escape table header ID attributes. Attackers can…

Remote | Cross-Site Scripting
Jul 06, 2026 Jul 06, 2026
Jul 06, 2026
Jul 06, 2026
Showing 20 of 7523 Results