Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
8.7 HIGH
CVE-2026-59860 — Kiota: XML Doc-Comment Newline Breakout Code Injection

Kiota is an OpenAPI based HTTP Client code generator. Prior to 1.32.3, Kiota is affected by a code-generation injection vulnerability in the C# XML documentation-comment sink (the description, extern…

kiota | Remote | Injection
Jul 16, 2026 Jul 16, 2026
Jul 16, 2026
Jul 16, 2026
8.7 HIGH
CVE-2026-59859 — Kiota: Code Generation Literal Injection in the PHP Generator

Kiota is an OpenAPI based HTTP Client code generator. Prior to 1.32.4, Kiota's PHP generator embedded OpenAPI description, default fields, property names, and other schema-derived strings into PHP do…

kiota | Remote | Injection
Jul 16, 2026 Jul 16, 2026
Jul 16, 2026
Jul 16, 2026
6.9 MEDIUM
CVE-2026-59237 — IDOR in Prospero Flow CRM Order API allows cross-tenant read and modification of orders

Authorization Bypass Through User-Controlled Key (CWE-639) in the Order and OrderItem REST API controllers in Roskus Prospero Flow CRM before 5.5.3 allows a remote, authenticated user to read, modify…

prospero_flow_crm | Remote | Authorization
Jul 16, 2026 Jul 16, 2026
Jul 16, 2026
Jul 16, 2026
8.3 HIGH
CVE-2026-14254 — Improper Restriction of Excessive Authentication Attempts in Delphix Continuous Data

A race condition in the account lockout mechanism in Delphix Continous Data allowed the lockout threshold to be bypassed through concurrent authentication requests. Parallel login attempts were proce…

Remote | Race Condition
Jul 16, 2026 Jul 16, 2026
Jul 16, 2026
Jul 16, 2026
8.8 HIGH
CVE-2026-5674 — Pipewire: pipewire: sandbox escape and arbitrary code execution via malicious library loa…

A flaw was found in PipeWire, a multimedia server. This vulnerability allows an attacker to escape sandboxed applications, such as Flatpak, by exploiting PipeWire's PulseAudio compatibility layer. An…

Jul 16, 2026 Jul 16, 2026
Jul 16, 2026
Jul 16, 2026
5.3 MEDIUM
CVE-2026-56456 — HCL DFXAnalytics is affected by an Internal File Path Disclosure vulnerability.

HCL DFXAnalytics is affected by an Internal File Path Disclosure vulnerability. The application dashboard inadvertently leaks sensitive information regarding its internal file structure and directory…

Remote | Path Traversal
Jul 16, 2026 Jul 16, 2026
Jul 16, 2026
Jul 16, 2026
5.3 MEDIUM
CVE-2026-56455 — HCL DFXAnalytics is affected by a Buffer Overflow vulnerability that can lead to a Denial…

HCL DFXAnalytics is affected by a Buffer Overflow vulnerability that can lead to a Denial of Service (DoS). The application fails to properly validate input sizes, allowing an attacker to pass an exc…

Remote | Denial of Service
Jul 16, 2026 Jul 16, 2026
Jul 16, 2026
Jul 16, 2026
5.9 MEDIUM
CVE-2026-56454 — HCL DFXAnalytics is affected by a Deprecated Protocol vulnerability due to the use of TLS…

HCL DFXAnalytics is affected by a Deprecated Protocol vulnerability due to the use of TLS 1.0 and TLS 1.1. These legacy protocols contain numerous cryptographic design flaws that expose data to inter…

Remote | Cryptography
Jul 16, 2026 Jul 16, 2026
Jul 16, 2026
Jul 16, 2026
5.5 MEDIUM
CVE-2026-56453 — HCL DFXAnalytics is affected by an Account Takeover via Response Manipulation vulnerabili…

HCL DFXAnalytics is affected by an Account Takeover via Response Manipulation vulnerability. A remote attacker can intercept and alter the contents of the server's HTTP responses before they reach th…

Remote | Authentication
Jul 16, 2026 Jul 16, 2026
Jul 16, 2026
Jul 16, 2026
3.1 LOW
CVE-2026-35145 — HCL DFXAnalytics is affected by a Missing HTTP Strict-Transport-Security Header vulnerabi…

HCL DFXAnalytics is affected by a Missing HTTP Strict-Transport-Security Header vulnerability. The application fails to implement the HTTP Strict Transport Security (HSTS) policy within its responses…

Remote | Misconfiguration
Jul 16, 2026 Jul 16, 2026
Jul 16, 2026
Jul 16, 2026
3.0 LOW
CVE-2026-35143 — HCL DFXAnalytics is affected by a Missing SameSite Attribute vulnerability.

HCL DFXAnalytics is affected by a Missing SameSite Attribute vulnerability. The application fails to set the "SameSite" attribute on session cookies generated during authentication, which could allow…

Remote | Cross-Site Request Forgery
Jul 16, 2026 Jul 16, 2026
Jul 16, 2026
Jul 16, 2026
2.6 LOW
CVE-2026-35142 — HCL DFXAnalytics is affected by an Internal IP Address Disclosure vulnerability.

HCL DFXAnalytics is affected by an Internal IP Address Disclosure vulnerability. The application includes internal IP address details within its generated server responses, which could allow a remote…

Remote | Information Disclosure
Jul 16, 2026 Jul 16, 2026
Jul 16, 2026
Jul 16, 2026
2.6 LOW
CVE-2026-35141 — HCL DFXAnalytics is affected by a Login Replay Attack vulnerability

HCL DFXAnalytics is affected by a Login Replay Attack vulnerability. The application allows a remote attacker to intercept, delay, or fraudulently retransmit valid authentication data to achieve unau…

Remote | Authentication
Jul 16, 2026 Jul 16, 2026
Jul 16, 2026
Jul 16, 2026
3.0 LOW
CVE-2026-35140 — HCL DFXAnalytics is affected by a Missing Secure Attribute in Encrypted Session (SSL) Coo…

HCL DFXAnalytics is affected by a Missing Secure Attribute in Encrypted Session (SSL) Cookie vulnerability. The application fails to set the "secure" attribute on session cookies generated during aut…

Remote | Cryptography
Jul 16, 2026 Jul 16, 2026
Jul 16, 2026
Jul 16, 2026
5.5 MEDIUM
CVE-2026-9494 — ubuntu-pro-client Information Disclosure via Cleartext Bearer Token Exposure in Process C…

An information disclosure vulnerability exists in Canonical ubuntu-pro-client (formerly ubuntu-advantage-tools). The client validates Ubuntu Pro APT credentials by executing /usr/lib/apt/apt-helper u…

| Information Disclosure
Jul 16, 2026 Jul 16, 2026
Jul 16, 2026
Jul 16, 2026
9.2 CRITICAL
CVE-2026-63306 — stoatchat before 0.13.5 Unauthenticated SSRF via proxy and embed endpoints

stoatchat before 0.13.5 contains an unauthenticated server-side request forgery vulnerability in the /proxy and /embed endpoints that accept arbitrary URLs without DNS resolution filtering or private…

Remote | Server-Side Request Forgery
Jul 16, 2026 Jul 16, 2026
Jul 16, 2026
Jul 16, 2026
9.2 CRITICAL
CVE-2026-63305 — AVideo through 29.0 OS Command Injection via ffmpeg.json.php

AVideo through 29.0 contains an OS command injection vulnerability in the ffmpeg.json.php endpoint where notifyCode and callback parameters are concatenated into a shell command without escaping. Att…

avideo | Remote | Injection
Jul 16, 2026 Jul 16, 2026
Jul 16, 2026
Jul 16, 2026
9.2 CRITICAL
CVE-2026-63304 — AVideo through 29.0 OS Command Injection via listFFmpegProcesses

AVideo through 29.0 contains an OS command injection vulnerability in plugin/API/standAlone/functions.php where the listFFmpegProcesses() function interpolates unsanitized keyword parameters inside s…

avideo | Remote | Injection
Jul 16, 2026 Jul 16, 2026
Jul 16, 2026
Jul 16, 2026
5.0 MEDIUM
CVE-2026-12391 — ubuntu-pro-client Local Privilege Escalation and Information Disclosure via Symlink Arbit…

An insecure symlink following vulnerability exists in Canonical ubuntu-pro-client (formerly ubuntu-advantage-tools) within the pro collect-logs command framework. The utility creates or utilizes pred…

| Path Traversal
Jul 16, 2026 Jul 16, 2026
Jul 16, 2026
Jul 16, 2026
9.0 CRITICAL
CVE-2026-11386 — ubuntu-pro-client Input Validation Vulnerability Leading to Arbitrary APT Directive Injec…

An input validation and injection vulnerability exists in Canonical ubuntu-pro-client (formerly ubuntu-advantage-tools). The client constructs APT source files (such as /etc/apt/sources.list.d/ubuntu…

Remote | Injection
Jul 16, 2026 Jul 16, 2026
Jul 16, 2026
Jul 16, 2026
Showing 20 of 8268 Results