Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
0.0 NA
CVE-2026-57074 — XML::Bare versions through 0.53 for Perl have an unbounded character lookahead

XML::Bare versions through 0.53 for Perl have an unbounded character lookahead. The parserc_parse function attempts to check for multicharacter strings such as "<![CDATA" or element terminators such…

| Memory Corruption
Jul 16, 2026 Jul 16, 2026
Jul 16, 2026
Jul 16, 2026
0.0 NA
CVE-2026-57073 — HTML::Bare versions through 0.04 for Perl have an unbounded character lookahead

HTML::Bare versions through 0.04 for Perl have an unbounded character lookahead. The parserc_parse function attempts to check for multicharacter strings such as "<![CDATA" or element terminators suc…

| Memory Corruption
Jul 16, 2026 Jul 16, 2026
Jul 16, 2026
Jul 16, 2026
4.3 MEDIUM
CVE-2026-55548 — Yamcs: Insecure Direct Object Reference (IDOR) in PacketsApi allows unprivileged users to…

Yamcs is a mission control framework. Prior to 5.12.8 and 5.13.2, the PacketsApi.exportPackets endpoint in yamcs-core/src/main/java/org/yamcs/http/api/PacketsApi.java failed to enforce object-level R…

Remote | Authorization
Jul 16, 2026 Jul 16, 2026
Jul 16, 2026
Jul 16, 2026
6.3 MEDIUM
CVE-2026-55407 — Buffa: Memory Exhaustion Denial of Service in decode_unknown_field via Unbounded Allocati…

Buffa is a pure-Rust Protocol Buffers implementation with first-class protobuf editions support. Prior to 0.8.0, the decode_unknown_field function in buffa's protobuf decoder allocated heap memory in…

Remote | Denial of Service
Jul 16, 2026 Jul 16, 2026
Jul 16, 2026
Jul 16, 2026
5.9 MEDIUM
CVE-2026-55406 — Buffa: Use-After-Free in OwnedView via Unsound 'static Lifetime Promotion in Deref

Buffa is a pure-Rust Protocol Buffers implementation with first-class protobuf editions support. Prior to 0.7.0, a soundness bug in the OwnedView<V> type allowed safe Rust code to trigger a use-after…

| Memory Corruption
Jul 16, 2026 Jul 16, 2026
Jul 16, 2026
Jul 16, 2026
5.5 MEDIUM
CVE-2026-50012 — Squid: Memory corruption in cache_digest reply handling

Squid is a caching proxy for the Web. Prior to 7.6, due to an improper input validation bug in cache digest reply handling (peerDigestSwapInMask in src/peer_digest.cc), Squid is vulnerable to a heap-…

squid | Remote | Memory Corruption
Jul 16, 2026 Jul 16, 2026
Jul 16, 2026
Jul 16, 2026
5.3 MEDIUM
CVE-2026-47751 — Claude Code Action: Malicious MCP Server Configuration in PRs Enables Remote Code Executi…

Claude Code Action is a general-purpose GitHub action that runs Claude Code on GitHub pull requests and issues. Prior to 1.0.74, because the action checked out attacker-controlled pull request head b…

Remote | Supply Chain
Jul 16, 2026 Jul 16, 2026
Jul 16, 2026
Jul 16, 2026
6.5 MEDIUM
CVE-2026-47729 — Squid: Memory disclosure in FTP gateway

Squid is a caching proxy for the Web. Prior to 7.6, due to an improper validation of syntactic correctness of input in the FTP gateway (src/clients/FtpGateway.cc), Squid is vulnerable to an out-of-bo…

squid | Remote | Memory Corruption
Jul 16, 2026 Jul 16, 2026
Jul 16, 2026
Jul 16, 2026
9.1 CRITICAL
CVE-2026-46621 — Yamcs: Authenticated Remote Code Execution (RCE) via Jython Algorithm Code Injection

Yamcs is a mission control framework. Prior to 5.12.7, the Yamcs script evaluation engine for Python algorithms dynamically compiled and evaluated user-controlled algorithm text using Jython through …

Remote | Authentication
Jul 16, 2026 Jul 16, 2026
Jul 16, 2026
Jul 16, 2026
9.8 CRITICAL
CVE-2026-46562 — Yamcs: Remote Code Execution via Mission Database algorithm override

Yamcs is a mission control framework. Prior to 5.12.7, the Nashorn ScriptEngine used to evaluate user-supplied JavaScript algorithm text in yamcs-core/src/main/java/org/yamcs/algorithms/ScriptAlgorit…

Remote | Injection
Jul 16, 2026 Jul 16, 2026
Jul 16, 2026
Jul 16, 2026
5.3 MEDIUM
CVE-2026-45795 — Janssen Project: JWE Request Object Signature Verification Bypass in jans-auth-server

The Janssen Project is an open-source identity and access management (IAM) platform. Prior to 2.0.0, jans-auth-server accepts unsigned JWE request objects because JwtAuthorizationRequest skips inner …

Remote | Authentication
Jul 16, 2026 Jul 16, 2026
Jul 16, 2026
Jul 16, 2026
5.5 MEDIUM
CVE-2026-45612 — rz-libdemangle: Out of bound read in rust demangler

rz-libdemangle is a Rizin library for demangling symbols. Prior to 6bf56d3, the Rust demangler in src/rust/rust_v0.c can perform an out-of-bounds read when the demangler structure is not yet initiali…

| Memory Corruption
Jul 16, 2026 Jul 16, 2026
Jul 16, 2026
Jul 16, 2026
8.3 HIGH
CVE-2026-45576 — zrok copy writes attacker-controlled WebDAV paths outside the destination root

zrok is software for sharing web services, files, and network resources. From 0.4.23 until 2.0.3, `zrok2 copy` stores attacker-controlled WebDAV or zrok drive paths such as /../outside.txt in the sou…

zrok | Remote | Path Traversal
Jul 16, 2026 Jul 16, 2026
Jul 16, 2026
Jul 16, 2026
9.9 CRITICAL
CVE-2026-45568 — zrok Python ProxyShare can be used as an SSRF proxy through absolute URL paths

zrok is software for sharing web services, files, and network resources. Prior to 2.0.3, zrok's Python SDK ProxyShare Flask proxy route accepts an absolute URL in the request path and passes it to ur…

zrok | Remote | Server-Side Request Forgery
Jul 16, 2026 Jul 16, 2026
Jul 16, 2026
Jul 16, 2026
7.5 HIGH
CVE-2026-45367 — HAPI FHIR: ReDoS via FHIRPath matches()/replaceMatches() in FHIR Validator HTTP Endpoint

HAPI FHIR is a complete implementation of the HL7 FHIR standard for healthcare interoperability in Java. Prior to 6.9.7, the FHIRPathEngine implementation passes user-controlled regular expressions f…

hl7_fhir_core | Remote | Denial of Service
Jul 16, 2026 Jul 16, 2026
Jul 16, 2026
Jul 16, 2026
8.2 HIGH
CVE-2026-45325 — Gestor de Oferta: Prototype pollution in @tmlmobilidade/utils setValueAtPath

Gestor de Oferta is a web application for managing mobility service offerings. Prior to 20260509.0340.15, @tmlmobilidade/utils has a prototype pollution vulnerability in setValueAtPath() in packages/…

Remote | Misconfiguration
Jul 16, 2026 Jul 16, 2026
Jul 16, 2026
Jul 16, 2026
9.1 CRITICAL
CVE-2026-44632 — Yamcs: Server-Side Code Injection (RCE) via Janino Expression Engine in `JavaExprAlgorith…

Yamcs is a mission control framework. Prior to 5.12.7, a server-side code injection vulnerability existed in the Yamcs algorithm evaluation engine org.yamcs.algorithms.JavaExprAlgorithmExecutionFacto…

Remote | Injection
Jul 16, 2026 Jul 16, 2026
Jul 16, 2026
Jul 16, 2026
6.5 MEDIUM
CVE-2026-44596 — Yamcs: No Rate Limiting on Authentication Endpoint

Yamcs is a mission control framework. Prior to 5.12.7, the authentication endpoint POST /auth/token in yamcs-core, handled by yamcs-core/src/main/java/org/yamcs/http/auth/AuthHandler.java, lacked any…

Remote | Authentication
Jul 16, 2026 Jul 16, 2026
Jul 16, 2026
Jul 16, 2026
4.3 MEDIUM
CVE-2026-44595 — Yamcs: Unauthorized user enumeration via IAM API endpoints

Yamcs is a mission control framework. Prior to 5.12.7, the IAM API endpoints listUsers, getUser, listGroups, and getGroup in yamcs-core did not enforce the required SystemPrivilege.ControlAccess chec…

Remote | Authorization
Jul 16, 2026 Jul 16, 2026
Jul 16, 2026
Jul 16, 2026
0.0 NA
CVE-2026-3031 — Image::EPEG versions through 0.15 for Perl embeds an unsupported version of the Epeg libr…

Image::EPEG versions through 0.15 for Perl embeds an unsupported version of the Epeg library. Image::EPEG includes Epeg 0.9.0 that was last updated in 2004. Epeg is a fast JPEG thumbnail library th…

| Supply Chain
Jul 16, 2026 Jul 16, 2026
Jul 16, 2026
Jul 16, 2026
Showing 20 of 8239 Results