Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
8.4 HIGH
CVE-2026-58459 — gpsd gpsprof Command Injection via gnuplot plot title subtype field

gpsd through release-3.27.5, fixed at commit 4c06658, contains a command injection vulnerability in gpsprof that allows attackers who control the GPS device subtype value to execute arbitrary shell c…

| Injection
Jul 09, 2026 Jul 09, 2026
Jul 09, 2026
Jul 09, 2026
0.0 NA
CVE-2026-59220 — Open WebUI: ReDoS in skill-mention regexes causes whole-instance DoS on default config

Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. From 0.9.2 before 0.10.0, the SKILL_MENTION_RE and strip_re regular expressions in backend/open_webui/utils/middl…

| Denial of Service
Jul 09, 2026 Jul 09, 2026
Jul 09, 2026
Jul 09, 2026
0.0 NA
CVE-2026-59226 — Open WebUI: Scheduled automations continue after pending-user deactivation and stored mod…

Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. From 0.9.0 before 0.10.0, execute_automation rehydrated automation owners without rechecking that they were still…

| Authorization
Jul 09, 2026 Jul 09, 2026
Jul 09, 2026
Jul 09, 2026
0.0 NA
CVE-2026-15191 — mettle sendportal Campaign Creation Endpoint CampaignStoreRequest.php authorization

A flaw has been found in mettle sendportal up to 3.0.1. This vulnerability affects unknown code of the file vendor/mettle/sendportal-core/src/Http/Requests/CampaignStoreRequest.php of the component C…

sendportal | Authorization
Jul 09, 2026 Jul 09, 2026
Jul 09, 2026
Jul 09, 2026
0.0 NA
CVE-2026-59227 — Open WebUI: POST /api/v1/images/edit bypasses the global image-edit switch and the per-us…

Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. From 0.8.11 before 0.10.0, POST /api/v1/images/edit required only a verified account and did not enforce the glob…

| Authorization
Jul 09, 2026 Jul 09, 2026
Jul 09, 2026
Jul 09, 2026
0.0 NA
CVE-2026-59218 — Open WebUI: Account enumeration via observable login timing discrepancy

Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. Prior to 0.10.0, the /api/v1/auths/signin endpoint looked users up by email and only ran bcrypt password verifica…

| Information Disclosure
Jul 09, 2026 Jul 09, 2026
Jul 09, 2026
Jul 09, 2026
0.0 NA
CVE-2026-59214 — Open WebUI: Stored web worker XSS via Pyodide

Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. Prior to 0.10.0, Open WebUI runs client-side Python with Pyodide in a same-origin web worker, allowing stored cha…

| Server-Side Request Forgery
Jul 09, 2026 Jul 09, 2026
Jul 09, 2026
Jul 09, 2026
0.0 NA
CVE-2026-15190 — SourceCodester Simple and Nice Shopping Cart Script login.php sql injection

A vulnerability was detected in SourceCodester Simple and Nice Shopping Cart Script 1.0. This affects an unknown part of the file /login.php. Performing a manipulation of the argument Username result…

Jul 09, 2026 Jul 09, 2026
Jul 09, 2026
Jul 09, 2026
7.3 HIGH
CVE-2026-53987 — GLPI 11 < 2.14.4 Tag Plugin Stored Cross-Site Scripting in Kanban Badge Rendering

The Tag plugin for GLPI 11 before 2.14.4 stores the tag name without HTML sanitization and renders it into the Kanban badge markup via PluginTagTag::preKanbanContent() without output escaping, result…

Remote | Cross-Site Scripting
Jul 09, 2026 Jul 09, 2026
Jul 09, 2026
Jul 09, 2026
0.0 NA
CVE-2026-59209 — n8n: Shared Credential Header Leak via HTTP Request Pagination Expression

n8n is an open source workflow automation platform. Prior to 1.123.61, 2.27.4, and, 2.28.1, an authenticated member with use-only editor access to a shared workflow could read credential-populated he…

| Information Disclosure
Jul 09, 2026 Jul 09, 2026
Jul 09, 2026
Jul 09, 2026
8.7 HIGH
CVE-2026-60109 — Zeek < 8.0.9 Null Pointer Dereference DoS via Kerberos KRB_ERROR Parsing

Zeek before 8.0.9 contains a null pointer dereference vulnerability in its Kerberos protocol analyzer that allows unauthenticated remote attackers to crash the sensor by sending a crafted KRB_ERROR m…

Remote | Memory Corruption
Jul 09, 2026 Jul 09, 2026
Jul 09, 2026
Jul 09, 2026
8.7 HIGH
CVE-2026-60108 — Zeek < 8.0.9 Uncontrolled Memory Consumption DoS via FTP Analyzer

Zeek before 8.0.9 contains an uncontrolled memory consumption vulnerability in the FTP analyzer that allows unauthenticated remote attackers to cause process termination by sending a crafted FTP cont…

Remote | Memory Corruption
Jul 09, 2026 Jul 09, 2026
Jul 09, 2026
Jul 09, 2026
5.4 MEDIUM
CVE-2026-5005 — Stored XSS in Twiser's OKRs & Goals

Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Twiser Informatics Technology Consulting, Trade and Education Inc. OKRs & Goals allows Stored XSS…

Remote | Cross-Site Scripting
Jul 09, 2026 Jul 09, 2026
Jul 09, 2026
Jul 09, 2026
9.2 CRITICAL
CVE-2026-56292 — Joomla Extension - acymailing.com - SQL Injection in AcyMailing extension < 10.11.1

A SQLi vulnerability in AcyMailing component < 10.11.1 for Joomla was discovered. Exploiting this flaw can lead to unauthorized database access and data leakage.

Remote | Injection
Jul 09, 2026 Jul 09, 2026
Jul 09, 2026
Jul 09, 2026
8.6 HIGH
CVE-2026-54801 — CPCI85 and SICORE Authentication Bypass Vulnerability

A vulnerability has been identified in CPCI85 Central Processing/Communication (All versions < V26.20), SICORE Base system (All versions < V26.20.0). The affected application contains insufficient va…

Remote | Authentication
Jul 09, 2026 Jul 09, 2026
Jul 09, 2026
Jul 09, 2026
6.3 MEDIUM
CVE-2026-54800 — Siemens SICORE and CPCI85 OPC UA Insecure Default Configuration

A vulnerability has been identified in CPCI85 Central Processing/Communication (All versions < V26.20), SICORE Base system (All versions < V26.20.0). The affected application ships with a default con…

Remote | Misconfiguration
Jul 09, 2026 Jul 09, 2026
Jul 09, 2026
Jul 09, 2026
8.4 HIGH
CVE-2026-54799 — Siemens CPCI85 and SICORE Improper Signature Verification Vulnerability

A vulnerability has been identified in CPCI85 Central Processing/Communication (All versions < V26.20), SICORE Base system (All versions < V26.20.0). The affected application contains a vulnerability…

| Misconfiguration
Jul 09, 2026 Jul 09, 2026
Jul 09, 2026
Jul 09, 2026
7.1 HIGH
CVE-2026-54798 — CPCI85 and SICORE Base System Denial of Service Vulnerability

A vulnerability has been identified in CPCI85 Central Processing/Communication (All versions < V26.20), SICORE Base system (All versions < V26.20.0). The affected application includes a debugging int…

Remote | Denial of Service
Jul 09, 2026 Jul 09, 2026
Jul 09, 2026
Jul 09, 2026
6.9 MEDIUM
CVE-2026-60095 — Vinchin Backup & Recovery 9.0.0.86562 Stack Buffer Overflow via ModuleHandShake

Vinchin Backup & Recovery through 9.0.0.86562 contains a stack buffer overflow vulnerability in the ModuleHandShake function of the agentlink_server service that allows unauthenticated remote attacke…

Remote | Memory Corruption
Jul 09, 2026 Jul 09, 2026
Jul 09, 2026
Jul 09, 2026
6.9 MEDIUM
CVE-2026-60094 — Vinchin Backup & Recovery 9.0.0.86562 Heap Buffer Overflow via agentlink_server

Vinchin Backup & Recovery through 9.0.0.86562 contains a heap buffer overflow vulnerability that allows unauthenticated remote attackers to cause process crash or memory corruption by sending a malfo…

Remote | Memory Corruption
Jul 09, 2026 Jul 09, 2026
Jul 09, 2026
Jul 09, 2026
Showing 20 of 7695 Results