Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
5.1 MEDIUM
CVE-2026-58315 — SEIKO EPSON Web Config Cross-Site Request Forgery Vulnerability

Cross-site request forgery vulnerability exists in SEIKO EPSON Web Config. If a user views a malicious page while logged into Web Config, unintended operations may be performed.

| Cross-Site Request Forgery
Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
7.1 HIGH
CVE-2026-57871 — MicroRealEstate Path Traversal Vulnerability

Relative path traversal vulnerability in MicroRealEstate file upload functionality allows attackers to potentially overwrite system files. This issue affects MicroRealEstate: through 1.0.0-alpha3.

Remote | Path Traversal
Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
5.3 MEDIUM
CVE-2026-57870 — MicroRealEstate Template API Broken Object-Level Access Control

Broken object-level access control on the Template API in MicroRealEstate allows attackers to retrieve document templates used by other organizations without authorization. This issue affects MicroR…

Remote | Authorization
Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
7.1 HIGH
CVE-2026-57869 — MicroRealEstate Broken Object-Level Access Control and Insecure ID Generation

Broken object-level access controls and the use of a deterministic pattern during random ID generation in MicroRealEstate allows attackers to access documents uploaded by landlords or tenants without…

Remote | Authorization
Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
7.1 HIGH
CVE-2026-57868 — MicroRealEstate Broken Object-Level Access Control

MicroRealEstate is affected by broken object-level access controls in PDF generator functionality. This issue affects MicroRealEstate: through 1.0.0-alpha3.

Remote | Authorization
Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
8.8 HIGH
CVE-2026-57867 — MicroRealEstate Authentication Bypass Vulnerability

MicroRealEstate allows adversaries to bypass authentication due to a lack of token state management. This would permit adversaries targeting MicroRealEstate deployments to brute-force One-Time Passwo…

Remote | Authentication
Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
9.0 CRITICAL
CVE-2026-4375 — DoLeads Integrator <= 1.2.2 & wp2epub <= 0.65 - Unauthenticated RCE

The DoLeads Integrator WordPress plugin through 0.65, wp2epub WordPress plugin through 0.65 have been seen to be used to achieve RCE, once they are added adding to a blog, for example using a vulnera…

Remote | Authentication
Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
9.8 CRITICAL
CVE-2026-14345 — WPFunnels <= 3.12.7 - Unauthenticated Remote Code Execution via 'postData' Parameter

The WPFunnels – Funnel Builder for WooCommerce with Checkout & One Click Upsell plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 3.12.7 via the 'postD…

Remote | Injection
Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
9.8 CRITICAL
CVE-2026-12375 — Uncanny Automator Pro 7.3.0.5 - Backdoor via Compromised Vendor Update Server

The uncanny-automator-pro WordPress plugin before 7.3.0.6 was distributed with malicious code after the vendor's uncanny-automator-pro WordPress plugin before 7.3.0.6 update/distribution infrastructu…

Remote | Supply Chain
Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
8.7 HIGH
CVE-2026-12277 — Frontend File Manager Plugin <= 23.6 - Unauthenticated Arbitrary File Deletion via Saved …

The Frontend File Manager Plugin WordPress plugin through 23.6 does not validate a file path derived from user input before deleting the referenced file, allowing unauthenticated users to delete arbi…

Remote | Path Traversal
Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
0.0 NA
CVE-2026-10834 — WP Travel Engine < 6.8.1 - Subscriber+ Arbitrary Media File Move via user_profile_image

The WP Travel Engine WordPress plugin before 6.8.1 does not properly validate the source of a user-supplied profile image path before moving the file, allowing authenticated users with subscriber-le…

| Path Traversal
Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
3.3 LOW
CVE-2026-42201 — Coolify: OS Command Injection via Database Credential Fields in Docker Compose Service Co…

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.474, database credential fields (redis_password, keydb_password, dragonfly_pass…

coolify | Remote | Injection
Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
8.8 HIGH
CVE-2026-34158 — Coolify: Command injection via single-quote breakout in Docker Compose custom commands

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.469, the executeInDocker() helper wraps user-controlled commands in single quot…

coolify | Remote | Injection
Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
2.7 LOW
CVE-2026-27844 — Gallagher Command Centre Controller Uncaught Exception Denial of Service

Uncaught Exception (CWE-248) in the Controller 6000 and Controller 7000 diagnostic web interface allows an authenticated and authorized operator to trigger a Controller restart by sending specific re…

controller_7000 | Remote | Denial of Service
Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
2.7 LOW
CVE-2026-27790 — Gallagher Command Centre T20 Readers Uncaught Exception Denial of Service

Uncaught Exception (CWE-248) in the T20 Readers allows an authenticated and authorized operator to trigger a restart by sending specific requests, resulting in a temporary denial of service. Version …

Remote | Denial of Service
Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
5.3 MEDIUM
CVE-2026-26053 — Command Centre Server Incorrect Privilege Assignment

An Incorrect Privilege Assignment (CWE-266) vulnerability in the Command Centre Server allows an authenticated operator with limited privileges to perform some operations that they would not normally…

Remote | Authorization
Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
8.8 HIGH
CVE-2026-42200 — Coolify: PostgreSQL Init Script Path Traversal Leads to Arbitrary File Write and Root RCE

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.474, PostgreSQL initialization script (generate_init_scripts() method in app/Ac…

coolify | Remote | Path Traversal
Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
3.1 LOW
CVE-2026-42172 — Coolify: Sanctum API Tokens Have No Expiration — Leaked Tokens Grant Permanent Access

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.474, Sanctum API tokens did not expire, allowing a leaked token to retain acces…

coolify | Remote | Authentication
Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
4.9 MEDIUM
CVE-2026-42147 — Coolify: SSRF via S3 Storage Endpoint in testConnection()

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.474, S3 storage endpoint validation only checks URL format and testConnection()…

coolify | Remote | Server-Side Request Forgery
Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
3.1 LOW
CVE-2026-42145 — Coolify: File Upload Without Type or Size Validation in Database Backup Restore

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.474, the file upload endpoint (app/Http/Controllers/UploadController.php) for d…

coolify | Remote | Misconfiguration
Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
Showing 20 of 7599 Results