Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
7.6 HIGH
CVE-2026-53444 — Wekan: Missing authorization on OIDC Meteor methods allows privilege escalation to admin

Wekan is open source kanban built with Meteor. Prior to 9.32, Wekan OIDC-related Meteor methods in packages/wekan-oidc/oidc_server.js, server/models/org.js, and server/models/team.js are globally cal…

Remote | Authentication
Jul 15, 2026 Jul 16, 2026
Jul 15, 2026
Jul 16, 2026
9.2 CRITICAL
CVE-2026-52893 — Wekan: OIDC Account Takeover via Unconditional Email-Based Account Merge in onCreateUser …

Wekan is open source kanban built with Meteor. Prior to 9.32, the Wekan Accounts.onCreateUser hook in server/models/users.js merges OIDC logins into existing accounts when the OIDC email or username …

Remote | Authentication
Jul 15, 2026 Jul 16, 2026
Jul 15, 2026
Jul 16, 2026
6.5 MEDIUM
CVE-2026-52892 — Wekan: Read-only board members can create/modify/delete Custom Fields (privilege escalati…

Wekan is open source kanban built with Meteor. Prior to 9.32, Wekan REST handlers in server/models/customFields.js use read-level Authentication.checkBoardAccess instead of write-level Authentication…

Remote | Authentication
Jul 15, 2026 Jul 16, 2026
Jul 15, 2026
Jul 16, 2026
9.9 CRITICAL
CVE-2026-52891 — Wekan: Shell Injection via Avatar Upload

Wekan is open source kanban built with Meteor. Prior to 9.07, Wekan avatar upload functionality embeds user-supplied filenames into paths later passed to child_process.exec() for MIME-type detection.…

Remote | Injection
Jul 15, 2026 Jul 16, 2026
Jul 15, 2026
Jul 16, 2026
7.1 HIGH
CVE-2026-52890 — Wekan: Arbitrary file read and server DoS via attachment versions.original.path

Wekan is open source kanban built with Meteor. Prior to 9.31, Wekan allows a logged-in board member to insert an attachment document through the /attachments/insert DDP method with attacker-controlle…

Remote | Path Traversal
Jul 15, 2026 Jul 16, 2026
Jul 15, 2026
Jul 16, 2026
4.7 MEDIUM
CVE-2026-50183 — WWBN AVideo: Stored XSS via Hostile YouTube Video Title in AVideo YouTubeAPI Gallery Sect…

WWBN AVideo is an open source video platform. Versions 29.0 and below contain a stored Cross-Site Scripting vulnerability in the YouTubeAPI plugin. The plugin renders the snippet.title field returned…

avideo | Remote | Cross-Site Scripting
Jul 15, 2026 Jul 16, 2026
Jul 15, 2026
Jul 16, 2026
6.1 MEDIUM
CVE-2026-50182 — AVideo Has Unauthenticated Reflected XSS via $_GET['search'] in YouTubeAPI Gallery Pagina…

WWBN AVideo is an open source video platform. Versions prior to 29.0 contain an unauthenticated Reflected XSS vulnerability through AVideo YouTubeAPI Gallery Pagination. The $_GET['search'] query par…

avideo | Remote | Cross-Site Scripting
Jul 15, 2026 Jul 16, 2026
Jul 15, 2026
Jul 16, 2026
7.7 HIGH
CVE-2026-49279 — WWBN AVideo: Stored XSS via autoEvalCodeOnHTML Bypass in MessageSQLite WebSocket Handler …

WWBN AVideo is an open source video platform. Versions 29.0 and below contain a Stored XSS vulnerability through the autoEvalCodeOnHTML parameter in the MessageSQLite WebSocket Handler. The MessageSQ…

avideo | Remote | Cross-Site Scripting
Jul 15, 2026 Jul 16, 2026
Jul 15, 2026
Jul 16, 2026
8.6 HIGH
CVE-2026-48795 — Incomplete fix for CVE-2026-25754 in @adonisjs/bodyparser

AdonisJS is a TypeScript-first web framework. From 10.1.3 until 10.1.5 and 11.0.3, AdonisJS @adonisjs/bodyparser incompletely fixed CVE-2026-25754 because nested multipart field payloads such as user…

core | Remote | Misconfiguration
Jul 15, 2026 Jul 16, 2026
Jul 15, 2026
Jul 16, 2026
7.7 HIGH
CVE-2026-45313 — Sandboxie-Plus: Sandboxie APC Injection Sandbox Escape

Sandboxie-Plus is an open source sandbox-based isolation software for Windows. Prior to 1.17.6, GuiServer::WndHookRegisterSlave in Sandboxie/core/svc/GuiServer.cpp stores attacker-supplied hthread an…

sandboxie | Memory Corruption
Jul 15, 2026 Jul 16, 2026
Jul 15, 2026
Jul 16, 2026
0.0 NA
CVE-2026-38974 — Dulwich Missing SSH Host Key Verification

Dulwich through 1.1.0 was found to be missing SSH host key verification in contrib/paramiko_vendor.py.

| Misconfiguration
Jul 15, 2026 Jul 16, 2026
Jul 15, 2026
Jul 16, 2026
0.0 NA
CVE-2026-38755 — BusyBox evalcommand Heap Buffer Overflow

A heap overflow in the evalcommand() function (shell/ash.c) of Busybox v1.38.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted input.

| Memory Corruption
Jul 15, 2026 Jul 16, 2026
Jul 15, 2026
Jul 16, 2026
0.0 NA
CVE-2026-38754 — Busybox Heap Buffer Overflow

A heap overflow in the ifsbreakup() function (shell/ash.c) of Busybox v1.38.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted input.

| Memory Corruption
Jul 15, 2026 Jul 16, 2026
Jul 15, 2026
Jul 16, 2026
0.0 NA
CVE-2026-38752 — BusyBox AWK Stack Overflow

A stack overflow in the evaluate() function (editors/awk.c) of BusyBox commit 371fe9 allows attackers to cause a Denial of Service (DoS) via supplying a crafted AWK script.

| Memory Corruption
Jul 15, 2026 Jul 16, 2026
Jul 15, 2026
Jul 16, 2026
0.0 NA
CVE-2026-36590 — NanoMQ Denial of Service Vulnerability

An issue in EMQ NanoMQ v.0.24.9 allows a remote attacker to cause a denial of service via the nni_qos_db_set function in broker_tcp.c component

| Denial of Service
Jul 15, 2026 Jul 16, 2026
Jul 15, 2026
Jul 16, 2026
9.8 CRITICAL
CVE-2026-30623 — LiteLLM Remote Code Execution

LiteLLM 1.18.10 contains a remote code execution vulnerability in its MCP server creation functionality. The application allows users to add MCP servers via a JSON configuration specifying arbitrary …

Remote | Injection
Jul 15, 2026 Jul 16, 2026
Jul 15, 2026
Jul 16, 2026
9.8 CRITICAL
CVE-2026-30618 — Fay Remote Code Execution Vulnerability

xszyou Fay 4.3.1 contains a remote code execution vulnerability in its MCP STDIO server management and command execution handling. A remote attacker can access the publicly exposed MCP management int…

Remote | Injection
Jul 15, 2026 Jul 16, 2026
Jul 15, 2026
Jul 16, 2026
0.0 NA
CVE-2026-26719 — XXL-JOB Cross-Site Scripting Vulnerability

Cross Site Scripting vulnerability in xxl-job-admin v.3.0.0 allows a remote attacker to execute arbitrary code via a crafted HTTP GET request containing a malicious script

| Cross-Site Scripting
Jul 15, 2026 Jul 16, 2026
Jul 15, 2026
Jul 16, 2026
0.0 NA
CVE-2026-26718 — XXL-JOB Cross-Site Request Forgery Vulnerability

A Cross-Site Request Forgery (CSRF) vulnerability exists in the xxl-job-admin web application v.3.0.0 that allows an attacker to perform unauthorized modifications to Glue IDE shell scripts. The affe…

| Cross-Site Request Forgery
Jul 15, 2026 Jul 16, 2026
Jul 15, 2026
Jul 16, 2026
3.1 LOW
CVE-2026-15921 — nvm path traversal via a malicious mirror's LTS codename writes outside the alias directo…

Node Version Manager (nvm) is a POSIX-compliant shell function for managing multiple node.js versions. In versions 0.32.1 through 0.40.5, `nvm ls-remote` (and other commands that refresh remote LTS a…

Remote | Path Traversal
Jul 15, 2026 Jul 16, 2026
Jul 15, 2026
Jul 16, 2026
Showing 20 of 8249 Results