Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
7.5 HIGH
CVE-2026-49485 — HAPI FHIR: ReDoS via FHIRPath matches()/replaceMatches() in FHIR Validator HTTP Endpoint

HAPI FHIR is a complete implementation of the HL7 FHIR standard for healthcare interoperability in Java. Prior to 6.9.9 and 6.9.4.2, all implementations of FHIRPathEngine accept arbitrary FHIRPath ex…

hl7_fhir_core | Remote | Denial of Service
Jul 17, 2026 Jul 17, 2026
Jul 17, 2026
Jul 17, 2026
5.3 MEDIUM
CVE-2026-48049 — @hapi/inert: Static-file confinement bypass via sibling-prefix path

@hapi/inert provides static file and directory handlers for hapi.js. From 4.0.0 to 7.1.0, @hapi/inert serves static files from a directory configured with path in the directory or file handlers or re…

Remote | Path Traversal
Jul 17, 2026 Jul 17, 2026
Jul 17, 2026
Jul 17, 2026
6.5 MEDIUM
CVE-2026-48022 — @hapi/wreck: Sensitive credential headers leak across cross-port and cross-scheme redirec…

@hapi/wreck is an HTTP client utility. Prior to 18.1.2, Wreck strips credential headers including Authorization, Cookie, and Proxy-Authorization before following a cross-origin redirect, but the orig…

Remote | Information Disclosure
Jul 17, 2026 Jul 17, 2026
Jul 17, 2026
Jul 17, 2026
6.3 MEDIUM
CVE-2026-44979 — @hapi/wreck : Sensitive `Proxy-Authorization` header leaked across cross-hostname redirec…

@hapi/wreck is an HTTP client utility. Prior to 18.1.1, when @hapi/wreck follows a 3xx redirect to a different hostname, only the Authorization and Cookie headers are stripped, and the standard crede…

Remote | Misconfiguration
Jul 17, 2026 Jul 17, 2026
Jul 17, 2026
Jul 17, 2026
9.6 CRITICAL
CVE-2026-55518 — Avo: Missing Authorization in Avo Association Attach Endpoint Allows Unauthorized Relatio…

Avo is a framework to create admin panels for Ruby on Rails apps. Prior to 3.32.1 and 4.0.0.beta.51, Avo's association attach workflow checks attach_<association>? in the UI and GET /resources/:resou…

avo | Remote | Authorization
Jul 17, 2026 Jul 17, 2026
Jul 17, 2026
Jul 17, 2026
8.7 HIGH
CVE-2026-54498 — view_component: around_render HTML-Safety Bypass

view_component is a framework for building reusable, testable, and encapsulated view components in Ruby on Rails. From 4.0.0 until 4.12.0, ViewComponent::Base#around_render can return HTML-unsafe str…

view_component | Remote | Cross-Site Scripting
Jul 17, 2026 Jul 17, 2026
Jul 17, 2026
Jul 17, 2026
6.8 MEDIUM
CVE-2026-54497 — view_component: Reused Component Instances Retain Stale Render Context

view_component is a framework for building reusable, testable, and encapsulated view components in Ruby on Rails. From 4.0.0 until 4.12.0, ViewComponent::Base instances retain render-scoped objects a…

view_component | Remote | Authorization
Jul 17, 2026 Jul 17, 2026
Jul 17, 2026
Jul 17, 2026
6.3 MEDIUM
CVE-2026-54490 — websocket-driver: Resource limit bypass via message compression

websocket-driver is a WebSocket protocol handler with pluggable I/O. Prior to 0.7.5, if this library is used with the permessage-deflate extension, a WebSocket server or client can be made to accept …

Remote | Denial of Service
Jul 17, 2026 Jul 17, 2026
Jul 17, 2026
Jul 17, 2026
9.2 CRITICAL
CVE-2026-54466 — websocket-driver: Message corruption via abuse of protocol length headers

websocket-driver is a WebSocket protocol handler with pluggable I/O. Prior to 0.7.5, the frame format in draft versions of the WebSocket protocol includes a length header that allows an arbitrarily l…

Remote | Denial of Service
Jul 17, 2026 Jul 17, 2026
Jul 17, 2026
Jul 17, 2026
3.5 LOW
CVE-2026-54244 — Statamic: Incorrect authorization lets view-only users submit Live Preview content reserv…

Statamic is a Laravel and Git powered content management system (CMS). Prior to 5.74.0 and 6.20.3, the Live Preview endpoint for existing entries and terms in src/Http/Controllers/CP/PreviewControlle…

statamic | Remote | Authorization
Jul 17, 2026 Jul 17, 2026
Jul 17, 2026
Jul 17, 2026
6.1 MEDIUM
CVE-2026-54243 — Statamic: CSV formula injection in form submission exports

Statamic is a Laravel and Git powered content management system (CMS). Prior to 5.73.24 and 6.20.1, form submission values in src/Forms/Exporters/CsvExporter.php were not neutralized for spreadsheet …

statamic | Remote | Cross-Site Scripting
Jul 17, 2026 Jul 17, 2026
Jul 17, 2026
Jul 17, 2026
4.9 MEDIUM
CVE-2026-54242 — Statamic: Server-Side Request Forgery via Glide (DNS rebinding)

Statamic is a Laravel and Git powered content management system (CMS). Prior to 5.73.24 and 6.20.1, the Glide image proxy's URL validation in src/Imaging/RemoteUrlValidator.php and src/Imaging/Guzzle…

statamic | Remote | Server-Side Request Forgery
Jul 17, 2026 Jul 17, 2026
Jul 17, 2026
Jul 17, 2026
4.7 MEDIUM
CVE-2026-54163 — secure_headers: CSP directive injection via sandbox, plugin_types, and report_to when giv…

secure_headers manages application of security headers with many safe defaults. Prior to 7.3.0, secure_headers builds the Content-Security-Policy value by stitching directives with ; separators, and …

Remote | Cross-Site Scripting
Jul 17, 2026 Jul 17, 2026
Jul 17, 2026
Jul 17, 2026
10.0 CRITICAL
CVE-2026-54159 — ps_facetedsearch: PHP Object Injection in faceted search cache allows unauthenticated RCE

PrestaShop ps_facetedsearch is a module that adds layered navigation filters. From 3.0.0 until 4.0.4, the ps_facetedsearch module rebuilds selected search filters from the request URL, and the value …

faceted_search_module | Remote | Injection
Jul 17, 2026 Jul 17, 2026
Jul 17, 2026
Jul 17, 2026
8.9 HIGH
CVE-2026-53727 — css_parser: SSRF and Local File Disclosure in `CssParser::Parser#read_remote_file`

css_parser is a Ruby CSS parser. From 2.2.0 until 3.0.0, CssParser::Parser#read_remote_file in lib/css_parser/parser.rb, and therefore load_uri! and the @import-following branch of add_block!, issued…

Remote | Server-Side Request Forgery
Jul 17, 2026 Jul 17, 2026
Jul 17, 2026
Jul 17, 2026
0.0 NA
CVE-2026-52584 — Libjxl Buffer Overflow Vulnerability

Buffer Overflow vulnerability in libjxl v.0.11.2 and before allows a local attacker to obtain sensitive information via the DecodeImageAPNG function

| Memory Corruption
Jul 17, 2026 Jul 17, 2026
Jul 17, 2026
Jul 17, 2026
0.0 NA
CVE-2026-52348 — Cool-Admin-Java SQL Injection Vulnerability

cool-admin-java 8.0.0 has a SQL injection vulnerability in the order() method of CrudOption.java.

| Injection
Jul 17, 2026 Jul 17, 2026
Jul 17, 2026
Jul 17, 2026
0.0 NA
CVE-2026-52203 — MCMS Information Disclosure

An issue in MCMS v.6.1.1 allows a remote attacker to obtain sensitive information via the source parameter.

| Information Disclosure
Jul 17, 2026 Jul 17, 2026
Jul 17, 2026
Jul 17, 2026
7.5 HIGH
CVE-2026-50274 — dd-trace-go: Improper parsing of W3C baggage headers may lead to DoS

Datadog dd-trace-go is a Go client library for Datadog application performance monitoring, profiling, and security monitoring. Prior to 2.8.1, Datadog tracing libraries that implement W3C baggage pro…

Remote | Denial of Service
Jul 17, 2026 Jul 17, 2026
Jul 17, 2026
Jul 17, 2026
7.5 HIGH
CVE-2026-50272 — dd-trace: Improper parsing of W3C baggage headers may lead to DoS

dd-trace is the Datadog APM client for Node.js. Prior to 5.100.0, W3C baggage propagation in packages/dd-trace/src/baggage.js and packages/dd-trace/src/opentracing/propagation/text_map.js parsed inco…

Remote | Denial of Service
Jul 17, 2026 Jul 17, 2026
Jul 17, 2026
Jul 17, 2026
Showing 20 of 7828 Results