Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
9.0 CRITICAL
CVE-2024-58366 — SurrealDB before 1.1.1 Format String via Scripting Functions

SurrealDB before 1.1.1 contains a format string vulnerability in the rquickjs Exception::throw_type function when scripting is enabled. Attackers with scripting privileges can supply format string se…

Remote | Information Disclosure
Jul 18, 2026 Jul 18, 2026
Jul 18, 2026
Jul 18, 2026
7.1 HIGH
CVE-2024-58365 — SurrealDB before 1.2.0 Denial of Service via Nonexistent Function

SurrealDB versions before 1.2.0 contain an uncaught exception vulnerability in the query executor when processing calls to nonexistent built-in functions. Authorized clients can craft pre-parsed quer…

Remote | Denial of Service
Jul 18, 2026 Jul 18, 2026
Jul 18, 2026
Jul 18, 2026
7.1 HIGH
CVE-2024-58364 — SurrealDB before 1.2.1 Denial of Service via Parsing Error

SurrealDB versions before 1.2.1 contain an uncaught exception handling vulnerability in span rendering when parsing queries with errors on line terminator characters. Authorized clients can submit ma…

Remote | Denial of Service
Jul 18, 2026 Jul 18, 2026
Jul 18, 2026
Jul 18, 2026
6.3 MEDIUM
CVE-2024-58363 — SurrealDB before 1.5.4 Authentication Bypass via Database Switch

SurrealDB before 1.5.4 fails to properly validate authentication when a scope user switches databases using the USE clause or use method. Attackers with an authenticated session can impersonate an un…

Remote | Authentication
Jul 18, 2026 Jul 18, 2026
Jul 18, 2026
Jul 18, 2026
8.8 HIGH
CVE-2024-58362 — SurrealDB before 1.5.5 Query Injection via RPC API

SurrealDB before 1.5.5 (and 2.0.0-beta before 2.0.0-beta.3) accepts an arbitrary object in the signin and signup operations of the RPC API without recursively validating it for non-computed values. W…

Remote | Injection
Jul 18, 2026 Jul 18, 2026
Jul 18, 2026
Jul 18, 2026
7.1 HIGH
CVE-2024-58361 — SurrealDB before 2.0.4 Denial of Service via Parser Exception

SurrealDB versions before 2.0.4 contain an uncaught exception handling vulnerability in the parser error rendering code when processing empty strings. Authorized clients can execute malformed queries…

Remote | Denial of Service
Jul 18, 2026 Jul 18, 2026
Jul 18, 2026
Jul 18, 2026
7.1 HIGH
CVE-2024-58359 — SurrealDB before 2.1.0 Denial of Service via rand() Sorting

SurrealDB versions before 2.1.0 contain a denial of service vulnerability in the sorting mechanism when using ORDER BY rand() clause. Authorized clients can execute queries with ORDER BY rand() to tr…

Remote | Denial of Service
Jul 18, 2026 Jul 18, 2026
Jul 18, 2026
Jul 18, 2026
6.9 MEDIUM
CVE-2024-58358 — SurrealDB before 2.1.0 Denial of Service via Nonexistent Role

SurrealDB versions before 2.1.0 contain a denial of service vulnerability in role conversion that allows privileged owner users to define users with nonexistent roles. Attackers can trigger an uncaug…

Remote | Denial of Service
Jul 18, 2026 Jul 18, 2026
Jul 18, 2026
Jul 18, 2026
7.1 HIGH
CVE-2024-58357 — SurrealDB before 2.1.0 Denial of Service via rand::time()

SurrealDB versions before 2.1.0 contain an uncaught exception vulnerability in the rand::time() function that panics when unwrap is called on a None result from timestamp_opt. Authorized clients can …

Remote | Denial of Service
Jul 18, 2026 Jul 18, 2026
Jul 18, 2026
Jul 18, 2026
2.3 LOW
CVE-2024-58356 — SurrealDB before 2.1.4 Permission Bypass via DEFINE TABLE OVERWRITE

SurrealDB before 2.1.4 silently fails to overwrite table definitions when the DEFINE TABLE ... OVERWRITE clause is used on tables defined with TYPE RELATION. Because table definitions include the PER…

Remote | Authorization
Jul 18, 2026 Jul 18, 2026
Jul 18, 2026
Jul 18, 2026
8.8 HIGH
CVE-2023-54366 — SurrealDB before 1.0.1 Insecure Default Table Permissions

SurrealDB before 1.0.1 sets default table permissions to FULL instead of NONE, allowing SELECT, CREATE, UPDATE, and DELETE operations on tables without explicit permissions. Attackers with database a…

Remote | Authorization
Jul 18, 2026 Jul 18, 2026
Jul 18, 2026
Jul 18, 2026
10.0 CRITICAL
CVE-2026-16117 — @fastify/http-proxy vulnerable to prefix escape via URL-encoded characters

Impact: @fastify/http-proxy versions up to and including 11.5.0 fail to rewrite the request prefix when the prefix segment is URL-encoded. Fastify's router URL-decodes paths for route matching, but r…

| Path Traversal
Jul 18, 2026 Jul 18, 2026
Jul 18, 2026
Jul 18, 2026
0.0 NA
CVE-2026-16119 — nextlevelbuilder GoClaw WebSocket Approval Endpoint exec_approval.go RequestApproval auth…

A vulnerability was found in nextlevelbuilder GoClaw up to 3.13.2. This affects the function RequestApproval of the file internal/tools/exec_approval.go of the component WebSocket Approval Endpoint. …

goclaw | Authorization
Jul 18, 2026 Jul 18, 2026
Jul 18, 2026
Jul 18, 2026
9.0 HIGH
CVE-2026-16097 — Shibby Tomato Scheduler Name sub_42537C stack-based overflow

A vulnerability was found in Shibby Tomato 1.28. This vulnerability affects the function sub_42537C of the component Scheduler Name Handler. The manipulation of the argument a1 results in stack-based…

tomato | Remote | Memory Corruption
Jul 18, 2026 Jul 18, 2026
Jul 18, 2026
Jul 18, 2026
9.0 HIGH
CVE-2026-16096 — Shibby Tomato webmon_recent_domains sub_40BB50 stack-based overflow

A vulnerability has been found in Shibby Tomato 1.28 RT-N5x MIPSR2 Build 124. This affects the function sub_40BB50 of the file /proc/webmon_recent_domains. The manipulation leads to stack-based buffe…

tomato | Remote | Memory Corruption
Jul 18, 2026 Jul 18, 2026
Jul 18, 2026
Jul 18, 2026
9.0 HIGH
CVE-2026-16095 — Shibby Tomato rc setup_conntrack out-of-bounds write

A flaw has been found in Shibby Tomato 1.28 RT-N5x MIPSR2 Build 124. Affected by this issue is the function setup_conntrack of the file /sbin/rc. Executing a manipulation of the argument ct_tcp_timeo…

tomato | Remote | Memory Corruption
Jul 18, 2026 Jul 18, 2026
Jul 18, 2026
Jul 18, 2026
5.8 MEDIUM
CVE-2026-16088 — halo-dev halo Files Backup Endpoint MigrationEndpoint.java download path traversal

A vulnerability was detected in halo-dev halo up to 2.24.2. Affected by this vulnerability is the function Download of the file MigrationEndpoint.java of the component Files Backup Endpoint. Performi…

Remote | Path Traversal
Jul 18, 2026 Jul 18, 2026
Jul 18, 2026
Jul 18, 2026
5.3 MEDIUM
CVE-2026-16085 — Sipeed PicoClaw context.go NewContextBuilder inclusion of functionality from untrusted co…

A security vulnerability has been detected in Sipeed PicoClaw up to 0.2.9. Affected is the function NewContextBuilder of the file pkg/agent/context.go. Such manipulation leads to inclusion of functio…

picoclaw | Misconfiguration
Jul 18, 2026 Jul 18, 2026
Jul 18, 2026
Jul 18, 2026
8.8 HIGH
CVE-2026-47871 — VMware Avi Load Balancer Directory Traversal Vulnerability

VMware Avi Load Balancer contains a directory traversal vulnerability. Flaws in file path validation allow malicious, authenticated network users to perform directory traversal attacks. Affected ver…

Remote | Path Traversal
Jul 18, 2026 Jul 18, 2026
Jul 18, 2026
Jul 18, 2026
7.1 HIGH
CVE-2026-47870 — VMware Avi Load Balancer Privilege Escalation Vulnerability

VMware Avi Load Balancer contains a privilege escalation vulnerability. A malicious authenticated user with network access may be able to execute remote code. Affected versions: 32.1.1 (fixed in 32.…

Remote | Authorization
Jul 18, 2026 Jul 18, 2026
Jul 18, 2026
Jul 18, 2026
Showing 20 of 7861 Results