Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
8.0 HIGH
CVE-2026-45162 — Pimcore: Unsafe PHP Deserialization in Multiple Locations Without allowed_classes Restric…

Pimcore is an Open Source Data & Experience Management Platform. Prior to 11.5.17 (LTS) and 12.3.7, multiple Pimcore locations call PHP's unserialize() on data from database columns and filesystem fi…

Remote | Injection
Jul 17, 2026 Jul 17, 2026
Jul 17, 2026
Jul 17, 2026
4.0 MEDIUM
CVE-2026-16073 — AstrBotDevs AstrBot T2I Feature base.py NetworkRenderStrategy.render cross site scripting

A security vulnerability has been detected in AstrBotDevs AstrBot up to 4.25.2. Affected by this issue is the function Star.text_to_image/NetworkRenderStrategy.render of the file astrbot/core/star/ba…

Remote | Cross-Site Scripting
Jul 17, 2026 Jul 17, 2026
Jul 17, 2026
Jul 17, 2026
5.5 MEDIUM
CVE-2026-7771 — IBM® Db2® is vulnerable to a trap when compiling specially crafted statements containing …

IBM Db2 11.5.0 through 11.5.9, and 12.1.0 through 12.1.4 is vulnerable to a trap when compiling a specially crafted statements containing subqueries could lead to a denial of service.

db2 | Denial of Service
Jul 17, 2026 Jul 17, 2026
Jul 17, 2026
Jul 17, 2026
7.5 HIGH
CVE-2026-7872 — Path Traversal Vulnerability in File Component Leading to Arbitrary File Read and Authent…

IBM Langflow OSS 1.0.0 through 1.10.0 allows an authenticated attacker to read arbitrary files including the JWT signing key and forge authentication tokens for any user.

langflow_oss | Remote | Authentication
Jul 17, 2026 Jul 17, 2026
Jul 17, 2026
Jul 17, 2026
0.0 NA
CVE-2026-49852 — joserfc: HS256/HS384/HS512 verify accepts empty/nil HMAC key (cross-language sibling of C…

joserfc is a Python library that provides an implementation of several JSON Object Signing and Encryption (JOSE) standards. Prior to 1.6.8, joserfc.jwt.decode accepts attacker-forged HMAC-signed toke…

| Authentication
Jul 17, 2026 Jul 17, 2026
Jul 17, 2026
Jul 17, 2026
0.0 NA
CVE-2026-63030 — WordPress < 7.0.2 - REST API batch-route confusion and SQL injection issue leading to Rem…

WordPress 6.9.x before 6.9.5 and 7.0.x before 7.0.2 is affected by a REST API batch endpoint route confusion issue which, combined with the author__not_in WP_Query SQL Injection (CVE-2026-60137), cou…

| Injection
Jul 17, 2026 Jul 17, 2026
Jul 17, 2026
Jul 17, 2026
0.0 NA
CVE-2026-60137 — WordPress < 7.0.2 - Facilitated SQL Injection via author__not_in in WP_Query

WordPress 6.8.x before 6.8.6, 6.9.x before 6.9.5, and 7.0.x before 7.0.2 does not properly sanitise the author__not_in parameter of WP_Query, which could allow SQL Injection when a plugin or theme pa…

| Injection
Jul 17, 2026 Jul 17, 2026
Jul 17, 2026
Jul 17, 2026
8.8 HIGH
CVE-2026-8056 — Parameter Injection Vulnerability in API Graph Execution Engine

IBM Langflow OSS 1.0.0 through 1.10.0 allows authenticated users to override component parameters at runtime via the API. A critical security flaw exists in the parameter filtering mechanism within t…

langflow_oss | Remote | Authentication
Jul 17, 2026 Jul 17, 2026
Jul 17, 2026
Jul 17, 2026
0.0 NA
CVE-2026-45704 — Pimcore: CustomReports Share Bypass

Pimcore is an Open Source Data & Experience Management Platform. Prior to 11.5.17 (LTS) and 12.3.6, CustomReports uses inconsistent authorization between the report listing endpoint and the report de…

| Authorization
Jul 17, 2026 Jul 17, 2026
Jul 17, 2026
Jul 17, 2026
9.9 CRITICAL
CVE-2026-8476 — Disk Cache Deserialization Remote Code Execution Vulnerability

IBM Langflow OSS 1.0.0 through 1.10.0 contain a critical remote code execution vulnerability in the disk-based caching mechanism. The AsyncDiskCache class uses Python's unsafe pickle.loads() function…

langflow_oss | Remote | Injection
Jul 17, 2026 Jul 17, 2026
Jul 17, 2026
Jul 17, 2026
9.9 CRITICAL
CVE-2026-8481 — Remote Code Execution via Code Validation Endpoint

IBM Langflow OSS 1.0.0 through 1.10.0 contain a critical remote code execution vulnerability in the code validation API endpoint. The POST /api/v1/validate/code endpoint accepts user-supplied Python …

langflow_oss | Remote | Injection
Jul 17, 2026 Jul 17, 2026
Jul 17, 2026
Jul 17, 2026
0.0 NA
CVE-2026-44739 — Pimcore: SQL Injection in Custom Reports Column Configuration

Pimcore is an Open Source Data & Experience Management Platform. Prior to 11.5.17 (LTS) and 12.3.6, the columnConfigAction endpoint in bundles/CustomReportsBundle/src/Controller/Reports/CustomReportC…

| Injection
Jul 17, 2026 Jul 17, 2026
Jul 17, 2026
Jul 17, 2026
0.0 NA
CVE-2026-45260 — Pimcore: Missing Authorization in WebDAV MOVE via unchecked asset move handling

Pimcore is an Open Source Data & Experience Management Platform. Prior to 11.5.17 (LTS) and 12.3.7, Pimcore's WebDAV asset endpoint exposes a MOVE operation through /asset/webdav{path} without an aut…

| Authorization
Jul 17, 2026 Jul 17, 2026
Jul 17, 2026
Jul 17, 2026
9.8 CRITICAL
CVE-2026-8505 — Authentication Bypass in Webhook Endpoints Allowed Unauthorized Flow Execution

IBM Langflow OSS 1.0.0 through 1.10.0 has a vulnerability in Langflow's webhook authentication logic allows unauthenticated users to trigger the execution of any flow. The system incorrectly bypasses…

langflow_oss | Remote | Authentication
Jul 17, 2026 Jul 17, 2026
Jul 17, 2026
Jul 17, 2026
6.8 MEDIUM
CVE-2026-12283 — SQL injection in Amazon Athena Synapse connector

Amazon Athena is a serverless, interactive query service that lets you analyze data directly in Amazon S3 using standard SQL. Athena Query Federation is a feature that allows you to connect to data s…

Remote | Injection
Jul 17, 2026 Jul 17, 2026
Jul 17, 2026
Jul 17, 2026
9.9 CRITICAL
CVE-2026-8635 — Arbitrary Code Execution in Python Interpreter Component

IBM Langflow OSS 1.0.0 through 1.10.0 allows authenticated users to escalate privileges to superuser by directly manipulating the database, execute arbitrary system commands, and achieve full system …

langflow_oss | Remote | Authorization
Jul 17, 2026 Jul 17, 2026
Jul 17, 2026
Jul 17, 2026
9.9 CRITICAL
CVE-2026-8859 — Path Traversal in APIRequest Component via Content-Disposition Header

IBM Langflow OSS 1.0.0 through 1.10.0 Langflow could allow an attacker to write arbitrary files to unintended locations due to improper input validation in the APIRequest component. A path traversal …

langflow_oss | Remote | Path Traversal
Jul 17, 2026 Jul 17, 2026
Jul 17, 2026
Jul 17, 2026
5.3 MEDIUM
CVE-2026-8861 — Security vulnerabilities have been found in IBM Verify Identity Access and IBM Security V…

IBM Security Verify could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser.  This information could be used in further attack…

Jul 17, 2026 Jul 17, 2026
Jul 17, 2026
Jul 17, 2026
7.8 HIGH
CVE-2026-9762 — IBM® Data Server driver for JDBC and SQLJ is vulnerable to remote code execution when jdb…

IBM Db2 11.5.0 through 11.5.9, and 12.1.0 through 12.1.4 is vulnerable to remote code execution when jdbc url is under user control.

db2 | Misconfiguration
Jul 17, 2026 Jul 17, 2026
Jul 17, 2026
Jul 17, 2026
9.8 CRITICAL
CVE-2026-9202 — Unauthenticated User Registration Could Lead to Remote Code Execution

IBM Langflow OSS 1.0.0 through 1.10.0 allows unauthenticated attackers to create unlimited user accounts on any Langflow instance; when NEW_USER_IS_ACTIVE=true (documented deployment option), newly c…

langflow_oss | Remote | Authentication
Jul 17, 2026 Jul 17, 2026
Jul 17, 2026
Jul 17, 2026
Showing 20 of 7825 Results