Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
9.8 CRITICAL
CVE-2026-49352 — 9Router: Hardcoded Default fallback JWT Secret Allows Authentication Bypass

9Router is an AI router & token saver. From 0.2.21 until 0.4.44, 9Router used the hardcoded fallback JWT secret 9router-default-secret-change-me in src/app/api/auth/login/route.js, src/middleware.js,…

Remote | Authentication
Jul 15, 2026 Jul 15, 2026
Jul 15, 2026
Jul 15, 2026
10.0 CRITICAL
CVE-2026-46339 — 9Router: Unauthenticated Remote Code Execution via unprotected MCP custom plugin routes

9Router is an AI router & token saver. From 0.4.30 until 0.4.37, 9Router's src/proxy.js middleware did not protect /api/cli-tools/* and /api/mcp/*, allowing unauthenticated registration of customPlug…

Remote | Authentication
Jul 15, 2026 Jul 15, 2026
Jul 15, 2026
Jul 15, 2026
3.1 LOW
CVE-2026-15921 — nvm path traversal via a malicious mirror's LTS codename writes outside the alias directo…

Node Version Manager (nvm) is a POSIX-compliant shell function for managing multiple node.js versions. In versions 0.32.1 through 0.40.5, `nvm ls-remote` (and other commands that refresh remote LTS a…

Remote | Path Traversal
Jul 15, 2026 Jul 15, 2026
Jul 15, 2026
Jul 15, 2026
0.0 NA
CVE-2026-38753 — BusyBox awk_sub Use-After-Free Vulnerability

A use-after-free in the awk_sub() function (editors/awk.c) of Busybox v1.38.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted AWK script.

| Memory Corruption
Jul 15, 2026 Jul 15, 2026
Jul 15, 2026
Jul 15, 2026
5.3 MEDIUM
CVE-2026-33684 — AVideo's Privilege AVideo: Escalation via Unguarded Permission Parameters in signUp API A…

WWBN AVideo is an open source video platform. Prior to version 29.0, Privilege Escalation is possible through unguarded permission parameters in signUp API, which allows any user who can solve a CAPT…

avideo | Remote | Authorization
Jul 15, 2026 Jul 15, 2026
Jul 15, 2026
Jul 15, 2026
8.7 HIGH
CVE-2026-33445 — Memory management vulnerability in Secure Access servers

CVE-2026-33445 is a memory management vulnerability in Secure Access servers prior to 14.55. Attackers with an intimate knowledge of and total control over the tunnel protocol can create a persistent…

secure_access | Remote | Memory Corruption
Jul 15, 2026 Jul 15, 2026
Jul 15, 2026
Jul 15, 2026
6.9 MEDIUM
CVE-2026-33444 — Memory management vulnerability in Secure Access servers

CVE-2026-33444 is a memory management vulnerability in Secure Access servers prior to 14.55. Attackers with intimate knowledge of and total control over the tunnel protocol can create a non-persisten…

Remote | Memory Corruption
Jul 15, 2026 Jul 15, 2026
Jul 15, 2026
Jul 15, 2026
0.0 NA
CVE-2026-55652 — Wekan: Header-login IP allowlist bypass via X-Forwarded-For spoofing in Wekan allows unau…

Wekan is open source kanban built with Meteor. Prior to 9.46, header-login with HEADER_LOGIN_TRUSTED_IPS uses getRequestIp() in server/lib/headerLoginAuth.js to trust the client-supplied X-Forwarded-…

| Authentication
Jul 15, 2026 Jul 15, 2026
Jul 15, 2026
Jul 15, 2026
0.0 NA
CVE-2026-55234 — Wekan: Broken access control: any authenticated user can move their Cards/Lists/Swimlanes…

Wekan is open source kanban built with Meteor. Prior to 9.37, Wekan DDP update allow rules in server/permissions/cards.js, server/permissions/lists.js, and server/permissions/swimlanes.js authorize a…

| Authorization
Jul 15, 2026 Jul 15, 2026
Jul 15, 2026
Jul 15, 2026
0.0 NA
CVE-2026-50183 — WWBN AVideo: Stored XSS via Hostile YouTube Video Title in AVideo YouTubeAPI Gallery Sect…

WWBN AVideo is an open source video platform. Versions 29.0 and below contain a stored Cross-Site Scripting vulnerability in the YouTubeAPI plugin. The plugin renders the snippet.title field returned…

avideo | Cross-Site Scripting
Jul 15, 2026 Jul 15, 2026
Jul 15, 2026
Jul 15, 2026
0.0 NA
CVE-2026-53447 — Wekan: `cloneBoard` Meteor method has no authorization check — any user can clone (read) …

Wekan is open source kanban built with Meteor. Prior to 9.35, the Wekan cloneBoard Meteor method in models/import.js uses caller-supplied sourceBoardId to build a board export through models/exporter…

| Authorization
Jul 15, 2026 Jul 15, 2026
Jul 15, 2026
Jul 15, 2026
0.0 NA
CVE-2026-52893 — Wekan: OIDC Account Takeover via Unconditional Email-Based Account Merge in onCreateUser …

Wekan is open source kanban built with Meteor. Prior to 9.32, the Wekan Accounts.onCreateUser hook in server/models/users.js merges OIDC logins into existing accounts when the OIDC email or username …

| Authentication
Jul 15, 2026 Jul 15, 2026
Jul 15, 2026
Jul 15, 2026
0.0 NA
CVE-2026-53444 — Wekan: Missing authorization on OIDC Meteor methods allows privilege escalation to admin

Wekan is open source kanban built with Meteor. Prior to 9.32, Wekan OIDC-related Meteor methods in packages/wekan-oidc/oidc_server.js, server/models/org.js, and server/models/team.js are globally cal…

| Authentication
Jul 15, 2026 Jul 15, 2026
Jul 15, 2026
Jul 15, 2026
0.0 NA
CVE-2026-53445 — Wekan: Authorization bypass in copyBoard DDP method allows any user to copy private boards

Wekan is open source kanban built with Meteor. Prior to 9.32, the Wekan copyBoard Meteor DDP method in server/publications/boards.js copies a board by caller-supplied board ID without checking this.u…

| Authorization
Jul 15, 2026 Jul 15, 2026
Jul 15, 2026
Jul 15, 2026
0.0 NA
CVE-2026-53446 — Wekan: Server-Side Request Forgery (SSRF) via webhook integration URLs

Wekan is open source kanban built with Meteor. Prior to 9.32, Wekan webhook integration URLs in models/integrations.js are stored from user input and later fetched by server/notifications/outgoing.js…

| Server-Side Request Forgery
Jul 15, 2026 Jul 15, 2026
Jul 15, 2026
Jul 15, 2026
0.0 NA
CVE-2026-52892 — Wekan: Read-only board members can create/modify/delete Custom Fields (privilege escalati…

Wekan is open source kanban built with Meteor. Prior to 9.32, Wekan REST handlers in server/models/customFields.js use read-level Authentication.checkBoardAccess instead of write-level Authentication…

| Authentication
Jul 15, 2026 Jul 15, 2026
Jul 15, 2026
Jul 15, 2026
0.0 NA
CVE-2026-52891 — Wekan: Shell Injection via Avatar Upload

Wekan is open source kanban built with Meteor. Prior to 9.07, Wekan avatar upload functionality embeds user-supplied filenames into paths later passed to child_process.exec() for MIME-type detection.…

| Injection
Jul 15, 2026 Jul 15, 2026
Jul 15, 2026
Jul 15, 2026
0.0 NA
CVE-2026-52890 — Wekan: Arbitrary file read and server DoS via attachment versions.original.path

Wekan is open source kanban built with Meteor. Prior to 9.31, Wekan allows a logged-in board member to insert an attachment document through the /attachments/insert DDP method with attacker-controlle…

| Path Traversal
Jul 15, 2026 Jul 15, 2026
Jul 15, 2026
Jul 15, 2026
0.0 NA
CVE-2026-50182 — AVideo Has Unauthenticated Reflected XSS via $_GET['search'] in YouTubeAPI Gallery Pagina…

WWBN AVideo is an open source video platform. Versions prior to 29.0 contain an unauthenticated Reflected XSS vulnerability through AVideo YouTubeAPI Gallery Pagination. The $_GET['search'] query par…

avideo | Cross-Site Scripting
Jul 15, 2026 Jul 15, 2026
Jul 15, 2026
Jul 15, 2026
0.0 NA
CVE-2026-55576 — MaaAssistantArknights: PR-title expression injection in release-preparation.yml

MaaAssistantArknights is a one-click tool for daily Arknights tasks. In the current dev-v2 workflow, .github/workflows/release-preparation.yml inlined attacker-controlled github.event.pull_request.ti…

| Injection
Jul 15, 2026 Jul 15, 2026
Jul 15, 2026
Jul 15, 2026
Showing 20 of 8265 Results