Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
6.1 MEDIUM
CVE-2026-50813 — SQLite Session Extension Information Disclosure

An issue in SQLite before Fossil check-in 869a51ae84df allows a local attacker to obtain sensitive information via the Session Extension changeset concat/changegroup merge path

| Information Disclosure
Jul 08, 2026 Jul 08, 2026
Jul 08, 2026
Jul 08, 2026
5.5 MEDIUM
CVE-2026-50812 — SQLite Session Extension NULL Pointer Dereference

A NULL pointer dereference in the SQLite Session Extension in SQLite 3.53.1 and SQLite trunk builds before check-in e807d4e3798efd53 allows an attacker who can supply a malformed changeset blob to ca…

| Denial of Service
Jul 08, 2026 Jul 08, 2026
Jul 08, 2026
Jul 08, 2026
4.9 MEDIUM
CVE-2026-14362 — Denial of service via crafted push/pull gossip message in memberlist

HashiCorp memberlist before version 0.6.0 is vulnerable to a denial-of-service issue in its push/pull state handling that may allow an attacker with network access to the gossip port to exhaust memor…

| Denial of Service
Jul 08, 2026 Jul 08, 2026
Jul 08, 2026
Jul 08, 2026
8.8 HIGH
CVE-2026-60102 — Horde VFS < 3.0.1 OS Command Injection via Horde_Vfs_Smb Driver

Horde Virtual File System (VFS) API before 3.0.1 contains an OS command injection vulnerability in the Horde_Vfs_Smb driver where the _escapeShellCommand() method fails to sanitize command substituti…

Remote | Injection
Jul 08, 2026 Jul 08, 2026
Jul 08, 2026
Jul 08, 2026
4.3 MEDIUM
CVE-2026-59930 — Mistune toc / TableOfContents directive: heading IDs use predictable `toc_N` numbering wi…

Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, the toc plugin and TableOfContents directive generate heading IDs as predictable toc_N values without slugifying the he…

Remote | Information Disclosure
Jul 08, 2026 Jul 08, 2026
Jul 08, 2026
Jul 08, 2026
6.1 MEDIUM
CVE-2026-59929 — Mistune renderers/html.safe_url: HARMFUL_PROTOCOLS list misses legacy and chained schemes…

Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, the safe_url filter in src/mistune/renderers/html.py blocks only javascript:, vbscript:, file:, and data: schemes, allo…

Remote | Cross-Site Scripting
Jul 08, 2026 Jul 08, 2026
Jul 08, 2026
Jul 08, 2026
7.5 HIGH
CVE-2026-59928 — Mistune block_parser: quadratic-time parsing on long lists of repeated reference-link def…

Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, a Markdown document containing many repeated or distinct reference-link definitions causes quadratic work in src/mistun…

Remote | Denial of Service
Jul 08, 2026 Jul 08, 2026
Jul 08, 2026
Jul 08, 2026
5.3 MEDIUM
CVE-2026-59927 — Mistune directives/include: mutual `.. include::` recursion crashes the renderer with `Re…

Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, the Include directive in src/mistune/directives/include.py detects only direct self-includes and not indirect cycles, a…

Remote | Denial of Service
Jul 08, 2026 Jul 08, 2026
Jul 08, 2026
Jul 08, 2026
5.3 MEDIUM
CVE-2026-59926 — Mistune: XSS via unescaped class option in Admonition directive

Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.2.1, render_admonition() in src/mistune/directives/admonition.py concatenates the Admonition directive :class: option into t…

Remote | Cross-Site Scripting
Jul 08, 2026 Jul 08, 2026
Jul 08, 2026
Jul 08, 2026
7.5 HIGH
CVE-2026-59925 — inline_parser: quadratic-time parsing on long runs of `**x**` and `***x***` emphasis pairs

Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, long sequences of well-formed double-asterisk or triple-asterisk emphasis pairs around a character cause quadratic work…

Remote | Denial of Service
Jul 08, 2026 Jul 08, 2026
Jul 08, 2026
Jul 08, 2026
5.9 MEDIUM
CVE-2026-59924 — Mistune: Arbitrary File Read via Include directive path traversal

Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, Include.parse() joins and normalizes user-supplied include paths without verifying that the result remains within the i…

Remote | Path Traversal
Jul 08, 2026 Jul 08, 2026
Jul 08, 2026
Jul 08, 2026
6.1 MEDIUM
CVE-2026-59923 — Mistune: XSS via percent-encoded javascript URI bypass in safe_url()

Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, HTMLRenderer.safe_url() does not block percent-encoded javascript URIs, allowing attacker-supplied Markdown links or im…

Remote | Cross-Site Scripting
Jul 08, 2026 Jul 08, 2026
Jul 08, 2026
Jul 08, 2026
7.5 HIGH
CVE-2026-59922 — Mistune plugins/formatting: quadratic-time parsing on long runs of `~~x~~`, `==x==`, and …

Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, a run of closed tilde, equals-sign, or caret marker pairs around a character causes quadratic work in src/mistune/plugi…

Remote | Denial of Service
Jul 08, 2026 Jul 08, 2026
Jul 08, 2026
Jul 08, 2026
4.8 MEDIUM
CVE-2026-59897 — Hono: API Gateway v1 adapter can drop a distinct repeated request header value during de-…

Hono is a Web application framework that provides support for any JavaScript runtime. From 4.3.3 before 4.12.27, the AWS API Gateway v1 adapter can drop a distinct repeated request header value becau…

Remote | Misconfiguration
Jul 08, 2026 Jul 08, 2026
Jul 08, 2026
Jul 08, 2026
6.5 MEDIUM
CVE-2026-59896 — hono/jsx does not isolate context per request, leading to cross-request data disclosure

Hono is a Web application framework that provides support for any JavaScript runtime. From 4.11.8 before 4.12.27, hono/jsx did not isolate context values per request during server-side rendering, all…

Remote | Misconfiguration
Jul 08, 2026 Jul 08, 2026
Jul 08, 2026
Jul 08, 2026
6.1 MEDIUM
CVE-2026-59895 — Hono: Server-Side XSS via JSX Escaping Bypass in cx() Utility

Hono is a Web application framework that provides support for any JavaScript runtime. From 4.0.0 before 4.12.27, cx() in hono/css composes class names from plain strings but marks the result as alrea…

Remote | Cross-Site Scripting
Jul 08, 2026 Jul 08, 2026
Jul 08, 2026
Jul 08, 2026
7.5 HIGH
CVE-2026-59892 — OpenTelemetry JavaScript: Denial of service in `JaegerPropagator` via unhandled exception…

OpenTelemetry JavaScript is the OpenTelemetry JavaScript client. Prior to 2.9.0, @opentelemetry/propagator-jaeger decodes incoming uber-trace-id and uberctx-* HTTP header values with decodeURICompone…

Remote | Denial of Service
Jul 08, 2026 Jul 08, 2026
Jul 08, 2026
Jul 08, 2026
6.1 MEDIUM
CVE-2026-59890 — setuptools: MANIFEST.in exclusion bypass in sdist via Unicode normalization collision (NF…

setuptools is a package that allows users to download, build, install, upgrade, and uninstall Python packages. Prior to 83.0.0, FileList applied MANIFEST.in exclude, global-exclude, recursive-exclude…

| Misconfiguration
Jul 08, 2026 Jul 08, 2026
Jul 08, 2026
Jul 08, 2026
7.5 HIGH
CVE-2026-59887 — linkify-it: Quadratic-complexity DoS via the `mailto:` validator scan-loop on attacker te…

linkify-it is a links recognition library with full Unicode support. Prior to 5.0.2, the mailto: schema validator used by .test() and .match() can be invoked at every mailto: occurrence and scan the …

Remote | Denial of Service
Jul 08, 2026 Jul 08, 2026
Jul 08, 2026
Jul 08, 2026
4.7 MEDIUM
CVE-2026-59883 — Guzzle: Cookie Disclosure and Injection via IP-Address Domains

Guzzle is an extensible PHP HTTP client. Prior to 7.12.3, CookieJar did not restrict cookies scoped to IP-address or bare-numeric Domain values to the exact host that set them, because SetCookie::mat…

Remote | Misconfiguration
Jul 08, 2026 Jul 08, 2026
Jul 08, 2026
Jul 08, 2026
Showing 20 of 7736 Results