Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
7.5 HIGH
CVE-2026-15322 — Multiple Vulnerabilities in IBM Engineering AI hub.

IBM Engineering AI Hub 1.0.0, 1.1.0, and 1.2.0 could allow a remote attacker to obtain sensitive information due to the exposure of session tokens in URLs.

Remote | Information Disclosure
Jul 17, 2026 Jul 17, 2026
Jul 17, 2026
Jul 17, 2026
4.3 MEDIUM
CVE-2026-15093 — Multiple Vulnerabilities in IBM Engineering AI hub.

IBM Engineering AI Hub 1.0.0, 1.1.0, and 1.2.0 could allow a remote attacker to redirect users to malicious websites due to improper validation of user-supplied URLs.

Remote | Server-Side Request Forgery
Jul 17, 2026 Jul 18, 2026
Jul 17, 2026
Jul 18, 2026
9.3 CRITICAL
CVE-2026-15091 — Multiple Vulnerabilities in IBM Engineering AI hub.

IBM Engineering AI Hub 1.0.0, 1.1.0, and 1.2.0 could allow a remote attacker to execute arbitrary scripts due to improper neutralization of input during web page generation.

Remote | Cross-Site Scripting
Jul 17, 2026 Jul 17, 2026
Jul 17, 2026
Jul 17, 2026
5.4 MEDIUM
CVE-2026-15069 — Multiple Vulnerabilities in IBM Engineering AI hub.

IBM Engineering AI Hub 1.0.0, 1.1.0, and 1.2.0 could allow a remote attacker to execute arbitrary script code due to improper neutralization of input during web page generation.

Remote | Cross-Site Scripting
Jul 17, 2026 Jul 17, 2026
Jul 17, 2026
Jul 17, 2026
5.3 MEDIUM
CVE-2026-14979 — IBM Engineering Lifecycle Management - Jazz Foundation is vulnerable to XML Entity Expans…

IBM Engineering Lifecycle Management 7.0.3 ( Interim Fix 001 through ) Interim Fix 021, 7.1.0 ( Interim Fix 001 through ) Interim Fix 009, and 7.2.0 and 7.2.0 Interim Fix 001 DOORS could allow a remo…

engineering_lifecycle_management | Remote | XML External Entity
Jul 17, 2026 Jul 17, 2026
Jul 17, 2026
Jul 17, 2026
3.9 LOW
CVE-2026-14971 — This PowerVM Novalink update is being released to address

IBM PowerVM Novalink 2.2.02.2.12.2.1.1, and 2.3.02.3.0.12.3.12.3.2 IBM NovaLink APIs misconfiguration may increase attack surface and enable unintended or unauthorized operations under non-default co…

| Misconfiguration
Jul 17, 2026 Jul 17, 2026
Jul 17, 2026
Jul 17, 2026
4.3 MEDIUM
CVE-2026-14501 — Use of Potentially Dangerous Functionthat in IBM Db2 Genius Hub

IBM Db2 Genius Hub 1.1, 1.1.1, 1.1.2 and IBM Agentics 1.0 could allow an attacker to execute arbitrary code or obtain sensitive information due to the use of dangerous functions without sufficient re…

Remote | Injection
Jul 17, 2026 Jul 17, 2026
Jul 17, 2026
Jul 17, 2026
8.8 HIGH
CVE-2026-14499 — Langflow is affected by remote code execution, denial of service, path traversal, and exp…

IBM Langflow OSS 1.0.0 through 1.10.1 Langflow could allow an authenticated user to execute arbitrary commands with elevated privileges on the system due to improper validation of user supplied input…

langflow_oss | Remote | Injection
Jul 17, 2026 Jul 17, 2026
Jul 17, 2026
Jul 17, 2026
8.1 HIGH
CVE-2026-13473 — IBM Storage Protect Client is vulnerable to Heap-Based Buffer Overflow

IBM Storage Protect Client 8.1.0.0 through 8.1.27.0, 8.1.27.1, and 8.2.0.0 through 8.2.1.0 IBM Storage Protect is vulnerable to a heap-based buffer overflow, caused by improper bounds checking. A rem…

storage_protect_client | Remote | Memory Corruption
Jul 17, 2026 Jul 17, 2026
Jul 17, 2026
Jul 17, 2026
8.1 HIGH
CVE-2026-13448 — Langflow is affected by remote code execution, denial of service, path traversal, and exp…

IBM Langflow OSS 1.0.0 through 1.10.1 Lanflow OSS contains an unauthenticated remote code execution vulnerability in the public flow build endpoint ( /api/v1/build_public_tmp/{flow_id}/flow ). The vu…

langflow_oss | Remote | Injection
Jul 17, 2026 Jul 17, 2026
Jul 17, 2026
Jul 17, 2026
6.8 MEDIUM
CVE-2026-12283 — SQL injection in Amazon Athena Synapse connector

Amazon Athena is a serverless, interactive query service that lets you analyze data directly in Amazon S3 using standard SQL. Athena Query Federation is a feature that allows you to connect to data s…

Remote | Injection
Jul 17, 2026 Jul 17, 2026
Jul 17, 2026
Jul 17, 2026
0.0 NA
CVE-2025-51678 — PicoRV32 PCPI Instruction Memory Address Mismatch Vulnerability

An issue was discovered in RISC-V PicoRV32 commit 87c89a. A mismatch in the PCPI INSN and memory address can lead to unexpected behavior.

| Misconfiguration
Jul 17, 2026 Jul 17, 2026
Jul 17, 2026
Jul 17, 2026
0.0 NA
CVE-2025-51677 — OpenRISC OR1200 RTL and Netlist Logic Mismatch

An issue was discovered in openRISC OR1200 commit 83ac6b. An output mismatch between the RTL and the netlist of the or1200 cpu output port can lead to unexpected behavior.

| Misconfiguration
Jul 17, 2026 Jul 17, 2026
Jul 17, 2026
Jul 17, 2026
7.5 HIGH
CVE-2026-9171 — Vulnerabilities in IBM WebSphere Application affects IBM PowerVM Novalink.

IBM PowerVM Novalink are vulnerable to a denial of service, caused by sending a specially-crafted request. A remote attacker could exploit this vulnerability to cause the server to consume memory res…

Remote | Denial of Service
Jul 17, 2026 Jul 17, 2026
Jul 17, 2026
Jul 17, 2026
9.9 CRITICAL
CVE-2026-9135 — Policies Component Dynamic CodeInput Fields Bypass Custom Component Validation

IBM Langflow OSS 1.0.0 through 1.10.0 Langflow versions up to 1.9.2 (commit 94981c443d4918517b9e8163d70fc598dc33a32d) contain a code injection vulnerability in the Policies component's ToolGuard inte…

langflow_oss | Remote | Injection
Jul 17, 2026 Jul 17, 2026
Jul 17, 2026
Jul 17, 2026
9.8 CRITICAL
CVE-2026-9103 — Unauthenticated Superuser Token Issuance via Auto-Login Endpoint

IBM Langflow OSS 1.0.0 through 1.10.0 could allow a remote attacker to gain unauthorized access due to improper authentication in the /api/v1/login/auto_login endpoint. The endpoint issues long-lived…

langflow_oss | Remote | Authentication
Jul 17, 2026 Jul 17, 2026
Jul 17, 2026
Jul 17, 2026
8.8 HIGH
CVE-2026-58195 — Agentic-Flow: OS Command Injection in agentic-flow MCP server tools via unsanitized tool-…

Agentic-Flow is an AI agent orchestration platform. Prior to 2.0.14, agentic-flow MCP server tools in src/mcp/standalone-stdio.ts, src/mcp/fastmcp/servers/claude-flow-sdk.ts, src/mcp/fastmcp/servers/…

Remote | Injection
Jul 17, 2026 Jul 17, 2026
Jul 17, 2026
Jul 17, 2026
8.2 HIGH
CVE-2026-53712 — SCRAM: Silent channel-binding authentication downgrade via unsupported certificate algori…

SCRAM (Salted Challenge Response Authentication Mechanism) is part of the family of Simple Authentication and Security Layer (SASL, RFC 4422) authentication mechanisms. Prior to 3.3, a flaw in com.on…

Remote | Authentication
Jul 17, 2026 Jul 17, 2026
Jul 17, 2026
Jul 17, 2026
7.5 HIGH
CVE-2026-52746 — JSONata: Malicious inputs to "$toMillis" function can cause resource exhaustion

JSONata is a JSON query and transformation language. Prior to 2.2.0, malicious non-matching inputs to the $toMillis function can cause superlinear backtracking in the ISO-8601 validation regex, leadi…

jsonata | Remote | Denial of Service
Jul 17, 2026 Jul 17, 2026
Jul 17, 2026
Jul 17, 2026
2.0 LOW
CVE-2026-50185 — RustCrypto Cmov/CmovEq on aarch64 can produce wrong results if high-bits of registers are…

RustCrypto CMOV provides conditional move CPU intrinsics which are guaranteed on major platforms to execute in constant-time and not be rewritten as branches by the compiler. From 0.1.1 until 0.5.4, …

| Memory Corruption
Jul 17, 2026 Jul 17, 2026
Jul 17, 2026
Jul 17, 2026
Showing 20 of 7832 Results