Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
7.7 HIGH
CVE-2026-53994 — ProFTPD mod_sftp Heap Buffer Overflow via Unsigned Integer Underflow and Size Truncation

ProFTPD mod_sftp contains a heap-based buffer overflow reachable by an authenticated SFTP user. The fxp_packet_read() function accepts the attacker-supplied 32-bit big-endian SFTP packet length witho…

Remote | Memory Corruption
Jul 18, 2026 Jul 18, 2026
Jul 18, 2026
Jul 18, 2026
6.5 MEDIUM
CVE-2026-16151 — CartoDB carto-api-client filters.ts addFilter prototype pollution

A vulnerability has been found in CartoDB carto-api-client 0.5.29. This impacts the function addFilter of the file src/filters.ts. Such manipulation of the argument column leads to improperly control…

Remote | Misconfiguration
Jul 18, 2026 Jul 18, 2026
Jul 18, 2026
Jul 18, 2026
6.5 MEDIUM
CVE-2026-16150 — RobinHerbots Inputmask Internal Deep Merge Helper extend.js extendAliases prototype pollu…

A vulnerability was found in RobinHerbots Inputmask up to 5.0.9. Affected by this issue is the function extendDefaults/extendDefinitions/extendAliases in the library lib/dependencyLibs/extend.js of t…

Remote | Misconfiguration
Jul 18, 2026 Jul 18, 2026
Jul 18, 2026
Jul 18, 2026
5.1 MEDIUM
CVE-2026-16133 — LiuMengxuan04 MiniCode mcp.ts child_process.spawn command injection

A flaw has been found in LiuMengxuan04 MiniCode 0.1.0. Affected by this vulnerability is the function child_process.spawn of the file mcp.ts. Executing a manipulation can lead to command injection. T…

Remote | Injection
Jul 18, 2026 Jul 18, 2026
Jul 18, 2026
Jul 18, 2026
6.5 MEDIUM
CVE-2026-16131 — itsourcecode Hospital Management System prescriptionrecord.php sql injection

A weakness has been identified in itsourcecode Hospital Management System 1.0. This affects an unknown function of the file /prescriptionrecord.php. This manipulation of the argument delid causes sql…

hospital_management_system | Remote | Injection
Jul 18, 2026 Jul 18, 2026
Jul 18, 2026
Jul 18, 2026
4.4 MEDIUM
CVE-2026-16130 — nearai ironclaw write_file path_utils.rs validate_path link following

A vulnerability was identified in nearai ironclaw up to 0.29.1. The affected element is the function validate_path of the file src/tools/builtin/path_utils.rs of the component write_file. The manipul…

| Path Traversal
Jul 18, 2026 Jul 18, 2026
Jul 18, 2026
Jul 18, 2026
5.3 MEDIUM
CVE-2026-16129 — princezuda SafestClaw Built-in Web shell.py ShellAction._validate_command incomplete blac…

A vulnerability has been found in princezuda SafestClaw up to 4.2.4. This vulnerability affects the function ShellAction._validate_command of the file src/safestclaw/actions/shell.py of the component…

| Injection
Jul 18, 2026 Jul 18, 2026
Jul 18, 2026
Jul 18, 2026
7.5 HIGH
CVE-2026-16128 — zevorn rt-claw http_request swarm.c receiver_thread server-side request forgery

A security flaw has been discovered in zevorn rt-claw up to 0.2.0. This impacts the function receiver_thread of the file claw/services/swarm/swarm.c of the component http_request. Performing a manipu…

Remote | Server-Side Request Forgery
Jul 18, 2026 Jul 18, 2026
Jul 18, 2026
Jul 18, 2026
7.5 HIGH
CVE-2026-16127 — zevorn rt-claw http_request tool_net.c claw_net_post server-side request forgery

A vulnerability was identified in zevorn rt-claw up to 0.2.0. This affects the function claw_net_get/claw_net_post of the file claw/tools/tool_net.c of the component http_request. Such manipulation o…

Remote | Server-Side Request Forgery
Jul 18, 2026 Jul 18, 2026
Jul 18, 2026
Jul 18, 2026
7.5 HIGH
CVE-2026-16126 — zevorn rt-claw Swarm RPC Receiver swarm.c handle_rpc_request authorization

A vulnerability was determined in zevorn rt-claw up to 0.2.0. The impacted element is the function handle_rpc_request of the file claw/services/swarm/swarm.c of the component Swarm RPC Receiver. This…

Remote | Authorization
Jul 18, 2026 Jul 18, 2026
Jul 18, 2026
Jul 18, 2026
7.5 HIGH
CVE-2026-16125 — zevorn rt-claw http_request net.c claw_net_post server-side request forgery

A vulnerability was found in zevorn rt-claw up to 0.2.0. The affected element is the function claw_net_get/claw_net_post of the file claw/services/tools/net.c of the component http_request. The manip…

Remote | Server-Side Request Forgery
Jul 18, 2026 Jul 18, 2026
Jul 18, 2026
Jul 18, 2026
6.5 MEDIUM
CVE-2026-16124 — nextlevelbuilder GoClaw web_fetch web_shared.go isPrivateIP server-side request forgery

A security vulnerability has been detected in nextlevelbuilder GoClaw up to 3.15.0-beta.32. This affects the function CheckSSRF/isPrivateIP of the file internal/tools/web_shared.go of the component w…

goclaw | Remote | Server-Side Request Forgery
Jul 18, 2026 Jul 18, 2026
Jul 18, 2026
Jul 18, 2026
6.5 MEDIUM
CVE-2026-16123 — nextlevelbuilder GoClaw Invoke Endpoint tools_invoke.go ToolsInvokeHandler.ServeHTTP auth…

A weakness has been identified in nextlevelbuilder GoClaw up to 3.13.2. Affected by this issue is the function ToolsInvokeHandler.ServeHTTP of the file internal/http/tools_invoke.go of the component …

goclaw | Remote | Authorization
Jul 18, 2026 Jul 18, 2026
Jul 18, 2026
Jul 18, 2026
4.7 MEDIUM
CVE-2026-16122 — nextlevelbuilder GoClaw exec_approval.go matchesAllowlist authorization

A security flaw has been discovered in nextlevelbuilder GoClaw up to 3.13.2. Affected by this vulnerability is the function extractBin/RequestApproval/matchesAllowlist of the file internal/tools/exec…

goclaw | Authorization
Jul 18, 2026 Jul 18, 2026
Jul 18, 2026
Jul 18, 2026
6.5 MEDIUM
CVE-2026-16121 — nextlevelbuilder GoClaw exec_approval.go isSafeBin improper authorization

A vulnerability was identified in nextlevelbuilder GoClaw up to 3.13.2. Affected is the function isSafeBin of the file internal/tools/exec_approval.go. The manipulation leads to improper authorizatio…

goclaw | Remote | Authorization
Jul 18, 2026 Jul 18, 2026
Jul 18, 2026
Jul 18, 2026
9.2 CRITICAL
CVE-2026-9323 — Insecure PRNG and Information Exposure in urwid Web Display Backend

The urwid web display backend (urwid/display/web.py) generates web session identifiers (urwid_id) in Screen.start() by concatenating two random.randrange(10**9) calls that use Python's Mersenne Twist…

Remote | Cryptography
Jul 18, 2026 Jul 18, 2026
Jul 18, 2026
Jul 18, 2026
6.5 MEDIUM
CVE-2026-16120 — nextlevelbuilder GoClaw exec_approval.go extractBin name resolution

A vulnerability was determined in nextlevelbuilder GoClaw up to 3.13.3-beta.3. This impacts the function matchesAllowlist/extractBin of the file internal/tools/exec_approval.go. Executing a manipulat…

goclaw | Remote | Path Traversal
Jul 18, 2026 Jul 18, 2026
Jul 18, 2026
Jul 18, 2026
6.5 MEDIUM
CVE-2026-16119 — nextlevelbuilder GoClaw WebSocket Approval Endpoint exec_approval.go RequestApproval auth…

A vulnerability was found in nextlevelbuilder GoClaw up to 3.13.2. This affects the function RequestApproval of the file internal/tools/exec_approval.go of the component WebSocket Approval Endpoint. …

goclaw | Remote | Authorization
Jul 18, 2026 Jul 18, 2026
Jul 18, 2026
Jul 18, 2026
10.0 CRITICAL
CVE-2026-16117 — @fastify/http-proxy vulnerable to prefix escape via URL-encoded characters

Impact: @fastify/http-proxy versions up to and including 11.5.0 fail to rewrite the request prefix when the prefix segment is URL-encoded. Fastify's router URL-decodes paths for route matching, but r…

Remote | Path Traversal
Jul 18, 2026 Jul 18, 2026
Jul 18, 2026
Jul 18, 2026
8.8 HIGH
CVE-2026-11826 — OpenPLC_v3 Heap-Based Buffer Overflow in Modbus Master getData()

OpenPLC_v3 contains a heap-based buffer overflow in the getData() function in webserver/core/modbus_master.cpp. getData() reads characters between two delimiters into a caller-supplied buffer with no…

openplc | Remote | Memory Corruption
Jul 18, 2026 Jul 18, 2026
Jul 18, 2026
Jul 18, 2026
Showing 20 of 7776 Results