Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
6.5 MEDIUM
CVE-2026-16195 — Sipeed PicoClaw Group Message wecom.go dispatchIncoming authorization

A security flaw has been discovered in Sipeed PicoClaw up to 0.2.9. This issue affects the function dispatchIncoming of the file pkg/channels/wecom/wecom.go of the component Group Message Handler. Th…

picoclaw | Remote | Authorization
Jul 18, 2026 Jul 18, 2026
Jul 18, 2026
Jul 18, 2026
8.8 HIGH
CVE-2026-10130 — QueryWeaver Authentication Bypass via Email Signup Token Issuance for Existing Accounts

QueryWeaver contains an authentication bypass vulnerability that allows unauthenticated attackers to obtain valid session tokens for existing accounts by submitting a signup request with a known vict…

Remote | Authentication
Jul 18, 2026 Jul 18, 2026
Jul 18, 2026
Jul 18, 2026
6.5 MEDIUM
CVE-2026-16194 — zhayujie CowAgent web_fetch.py WebFetch.execute server-side request forgery

A vulnerability was determined in zhayujie CowAgent up to 2.1.1. This affects the function WebFetch.execute of the file agent/tools/web_fetch/web_fetch.py. Executing a manipulation of the argument ur…

cowagent | Remote | Server-Side Request Forgery
Jul 18, 2026 Jul 18, 2026
Jul 18, 2026
Jul 18, 2026
4.0 MEDIUM
CVE-2026-16156 — SourceCodester Class and Exam Timetabling System forexam.php cross site scripting

A security flaw has been discovered in SourceCodester Class and Exam Timetabling System 1.0. This affects an unknown part of the file /forexam.php. The manipulation of the argument day results in cro…

class_and_exam_timetabling_system | Remote | Cross-Site Scripting
Jul 18, 2026 Jul 18, 2026
Jul 18, 2026
Jul 18, 2026
7.2 HIGH
CVE-2026-57857 — Flow Payment Plugin for WordPress Reflected Cross-Site Scripting via error_message Parame…

The Flow Payment plugin for WordPress (flow.cl) version 3.0.8 is vulnerable to reflected cross-site scripting on the WooCommerce checkout page. When the plugin handles an order cancellation, the erro…

Remote | Cross-Site Scripting
Jul 18, 2026 Jul 18, 2026
Jul 18, 2026
Jul 18, 2026
4.0 MEDIUM
CVE-2026-16155 — SourceCodester Class and Exam Timetabling System schoolyr.php cross site scripting

A vulnerability was identified in SourceCodester Class and Exam Timetabling System 1.0. Affected by this issue is some unknown functionality of the file /schoolyr.php. The manipulation of the argumen…

class_and_exam_timetabling_system | Remote | Cross-Site Scripting
Jul 18, 2026 Jul 18, 2026
Jul 18, 2026
Jul 18, 2026
7.5 HIGH
CVE-2026-16154 — SourceCodester Class and Exam Timetabling System edit_room1.php sql injection

A vulnerability was determined in SourceCodester Class and Exam Timetabling System 1.0/1.php. Affected by this vulnerability is an unknown functionality of the file /edit_room1.php. Executing a manip…

class_and_exam_timetabling_system | Remote | Injection
Jul 18, 2026 Jul 18, 2026
Jul 18, 2026
Jul 18, 2026
7.5 HIGH
CVE-2026-16152 — SourceCodester Class and Exam Timetabling System edit_rooma.php sql injection

A vulnerability was found in SourceCodester Class and Exam Timetabling System 1.0. Affected is an unknown function of the file /edit_rooma.php. Performing a manipulation of the argument ID results in…

class_and_exam_timetabling_system | Remote | Injection
Jul 18, 2026 Jul 18, 2026
Jul 18, 2026
Jul 18, 2026
8.7 HIGH
CVE-2026-12228 — Stored XSS in Direct Messages via Prompt Sharing in parisneo/lollms

A stored cross-site scripting (XSS) vulnerability exists in the `POST /api/prompts/share` endpoint of parisneo/lollms (latest version). The endpoint stores attacker-controlled `prompt_content` into `…

Remote | Cross-Site Scripting
Jul 18, 2026 Jul 18, 2026
Jul 18, 2026
Jul 18, 2026
6.8 MEDIUM
CVE-2026-57848 — Stoat for Android Internal File Disclosure via Exported ShareTargetActivity URI Validation

Stoat for Android exports the chat.stoat.activities.ShareTargetActivity component (reachable to any process on the device via the android.intent.action.SEND intent) and accepts the file to share as a…

| Information Disclosure
Jul 18, 2026 Jul 18, 2026
Jul 18, 2026
Jul 18, 2026
7.7 HIGH
CVE-2026-53994 — ProFTPD mod_sftp Heap Buffer Overflow via Unsigned Integer Underflow and Size Truncation

ProFTPD mod_sftp contains a heap-based buffer overflow reachable by an authenticated SFTP user. The fxp_packet_read() function accepts the attacker-supplied 32-bit big-endian SFTP packet length witho…

Remote | Memory Corruption
Jul 18, 2026 Jul 18, 2026
Jul 18, 2026
Jul 18, 2026
6.5 MEDIUM
CVE-2026-16151 — CartoDB carto-api-client filters.ts addFilter prototype pollution

A vulnerability has been found in CartoDB carto-api-client 0.5.29. This impacts the function addFilter of the file src/filters.ts. Such manipulation of the argument column leads to improperly control…

Remote | Misconfiguration
Jul 18, 2026 Jul 18, 2026
Jul 18, 2026
Jul 18, 2026
6.5 MEDIUM
CVE-2026-16150 — RobinHerbots Inputmask Internal Deep Merge Helper extend.js extendAliases prototype pollu…

A vulnerability was found in RobinHerbots Inputmask up to 5.0.9. Affected by this issue is the function extendDefaults/extendDefinitions/extendAliases in the library lib/dependencyLibs/extend.js of t…

Remote | Misconfiguration
Jul 18, 2026 Jul 18, 2026
Jul 18, 2026
Jul 18, 2026
5.1 MEDIUM
CVE-2026-16133 — LiuMengxuan04 MiniCode mcp.ts child_process.spawn command injection

A flaw has been found in LiuMengxuan04 MiniCode 0.1.0. Affected by this vulnerability is the function child_process.spawn of the file mcp.ts. Executing a manipulation can lead to command injection. T…

Remote | Injection
Jul 18, 2026 Jul 18, 2026
Jul 18, 2026
Jul 18, 2026
6.5 MEDIUM
CVE-2026-16131 — itsourcecode Hospital Management System prescriptionrecord.php sql injection

A weakness has been identified in itsourcecode Hospital Management System 1.0. This affects an unknown function of the file /prescriptionrecord.php. This manipulation of the argument delid causes sql…

hospital_management_system | Remote | Injection
Jul 18, 2026 Jul 18, 2026
Jul 18, 2026
Jul 18, 2026
4.4 MEDIUM
CVE-2026-16130 — nearai ironclaw write_file path_utils.rs validate_path link following

A vulnerability was identified in nearai ironclaw up to 0.29.1. The affected element is the function validate_path of the file src/tools/builtin/path_utils.rs of the component write_file. The manipul…

| Path Traversal
Jul 18, 2026 Jul 18, 2026
Jul 18, 2026
Jul 18, 2026
5.3 MEDIUM
CVE-2026-16129 — princezuda SafestClaw Built-in Web shell.py ShellAction._validate_command incomplete blac…

A vulnerability has been found in princezuda SafestClaw up to 4.2.4. This vulnerability affects the function ShellAction._validate_command of the file src/safestclaw/actions/shell.py of the component…

| Injection
Jul 18, 2026 Jul 18, 2026
Jul 18, 2026
Jul 18, 2026
7.5 HIGH
CVE-2026-16128 — zevorn rt-claw http_request swarm.c receiver_thread server-side request forgery

A security flaw has been discovered in zevorn rt-claw up to 0.2.0. This impacts the function receiver_thread of the file claw/services/swarm/swarm.c of the component http_request. Performing a manipu…

Remote | Server-Side Request Forgery
Jul 18, 2026 Jul 18, 2026
Jul 18, 2026
Jul 18, 2026
7.5 HIGH
CVE-2026-16127 — zevorn rt-claw http_request tool_net.c claw_net_post server-side request forgery

A vulnerability was identified in zevorn rt-claw up to 0.2.0. This affects the function claw_net_get/claw_net_post of the file claw/tools/tool_net.c of the component http_request. Such manipulation o…

Remote | Server-Side Request Forgery
Jul 18, 2026 Jul 18, 2026
Jul 18, 2026
Jul 18, 2026
7.5 HIGH
CVE-2026-16126 — zevorn rt-claw Swarm RPC Receiver swarm.c handle_rpc_request authorization

A vulnerability was determined in zevorn rt-claw up to 0.2.0. The impacted element is the function handle_rpc_request of the file claw/services/swarm/swarm.c of the component Swarm RPC Receiver. This…

Remote | Authorization
Jul 18, 2026 Jul 18, 2026
Jul 18, 2026
Jul 18, 2026
Showing 20 of 7789 Results