Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
7.5 HIGH
CVE-2026-62309 — CoreDNS: proxyproto plugin panics on PPv2 datagram with non-UDP transport — single 28-byt…

CoreDNS is a DNS server written in Go. Prior to 1.14.4, a single 28-byte UDP datagram can crash the CoreDNS process when the proxyproto plugin is enabled because plugin/pkg/proxyproto/proxyproto.go P…

Remote | Denial of Service
Jul 16, 2026 Jul 16, 2026
Jul 16, 2026
Jul 16, 2026
5.3 MEDIUM
CVE-2026-62299 — CoreDNS: rewrite-plugin EDNS0 response-revert nil-pointer panic (remote DoS) when a downs…

CoreDNS is a DNS server written in Go. Prior to 1.14.5, the CoreDNS rewrite plugin supports edns0 rewrite rules with an optional revert flag, and two response rules, edns0SetResponseRule and edns0Rep…

Remote | Denial of Service
Jul 16, 2026 Jul 16, 2026
Jul 16, 2026
Jul 16, 2026
7.3 HIGH
CVE-2026-62290 — cert-manager: Direct ACME Challenge resources can bypass Issuer DNS01 solver policy and u…

cert-manager adds certificates and certificate issuers as resource types in Kubernetes clusters, and simplifies the process of obtaining, renewing and using those certificates. From 1.18.0 until 1.19…

| Misconfiguration
Jul 16, 2026 Jul 16, 2026
Jul 16, 2026
Jul 16, 2026
5.4 MEDIUM
CVE-2026-61718 — bunkerweb: Read-only Web UI users can delete job cache files due to missing authorization…

bunkerweb is an Open-source and next-generation Web Application Firewall (WAF). From 1.6.2 until 1.6.12, the BunkerWeb web UI BiscuitMiddleware authorization bypass list included the /cache/ URL pref…

Remote | Authorization
Jul 16, 2026 Jul 16, 2026
Jul 16, 2026
Jul 16, 2026
7.3 HIGH
CVE-2026-61389 — AutomationDirect Productivity Suite Out-of-bounds Write

An out-of-bounds write vulnerability in the Productivity Suite allows a local attacker to trigger kernel memory corruption via a crafted IOCTL request, potentially resulting in privilege escalation…

productivity_suite | Memory Corruption
Jul 16, 2026 Jul 16, 2026
Jul 16, 2026
Jul 16, 2026
6.9 MEDIUM
CVE-2026-60140 — AutomationDirect Productivity Suite Out-of-bounds Read

An out-of-bounds read vulnerability in the Productivity Suite allows a local attacker to trigger kernel memory corruption by sending a crafted IOCTL request. This can lead to exposing sensitive inf…

productivity_suite | Memory Corruption
Jul 16, 2026 Jul 16, 2026
Jul 16, 2026
Jul 16, 2026
7.3 HIGH
CVE-2026-60063 — AutomationDirect Productivity Suite Out-of-bounds Write

An out-of-bounds write vulnerability in the Productivity Suite allows a local attacker to trigger kernel memory corruption via a crafted IOCTL request, potentially resulting in privilege escalation…

productivity_suite | Memory Corruption
Jul 16, 2026 Jul 16, 2026
Jul 16, 2026
Jul 16, 2026
8.7 HIGH
CVE-2026-55629 — Whistle: Path traversal

Whistle is an HTTP, HTTP2, HTTPS, and WebSocket debugging proxy. Prior to 2.10.3, lib/service/service.js handles GET /cgi-bin/temp/get by reading req.query.filename, joining it to TEMP_FILES_PATH onl…

Remote | Path Traversal
Jul 16, 2026 Jul 16, 2026
Jul 16, 2026
Jul 16, 2026
6.1 MEDIUM
CVE-2026-54728 — bunkerweb: Improper Input Validation and Improper Neutralization of Special Elements in O…

bunkerweb is an Open-source and next-generation Web Application Firewall (WAF). Prior to BunkerWeb 1.6.12 and BunkerWeb PRO 0.57, authenticated Host header handling in the BunkerWeb UI and API improp…

Remote | Authentication
Jul 16, 2026 Jul 16, 2026
Jul 16, 2026
Jul 16, 2026
8.2 HIGH
CVE-2026-49998 — Centrifugo: Dynamic JWKS key cache keyed only by `kid` allows cross-issuer JWT authentica…

Centrifugo is an open-source scalable real-time messaging server. Prior to 6.8.1, Centrifugo dynamic JWKS endpoint verification could reuse a key for one allowed issuer to verify a JWT for another al…

centrifugo | Remote | Authentication
Jul 16, 2026 Jul 16, 2026
Jul 16, 2026
Jul 16, 2026
7.2 HIGH
CVE-2026-44982 — CrowdSec AppSec silently drops request body for chunked / HTTP-2 requests

CrowdSec offers crowdsourced protection against malicious IPs. From 1.5.0 until 1.7.8, pkg/appsec/request.go NewParsedRequestFromRequest allocated a request body buffer from max(r.ContentLength, 0), …

Remote | Misconfiguration
Jul 16, 2026 Jul 16, 2026
Jul 16, 2026
Jul 16, 2026
8.2 HIGH
CVE-2026-44981 — CrowdSec LAPI: Denial of Service via Unbounded Gzip Decompression

CrowdSec offers crowdsourced protection against malicious IPs. From 1.7.0 until 1.7.8, the LAPI router used gin-contrib/gzip with DefaultDecompressHandle globally in pkg/apiserver/controllers/control…

Remote | Denial of Service
Jul 16, 2026 Jul 16, 2026
Jul 16, 2026
Jul 16, 2026
5.8 MEDIUM
CVE-2026-15449 — TOCTOU double copyin in illumos dld ioctl handling causes kernel heap corruption

A time-of-check to time-of-use (TOCTOU) flaw in the illumos data-link pseudo-driver (dld) affects handling of the DLDIOC_GETMACPROP and DLDIOC_SETMACPROP ioctls on /dev/dld. drv_ioc_prop_common() in …

illumos-gate smartos | Race Condition
Jul 16, 2026 Jul 16, 2026
Jul 16, 2026
Jul 16, 2026
9.1 CRITICAL
CVE-2026-15422 — SCTP needs to better-check INIT ACK chunk parameters

The illumos SCTP inbound path performs association lookup for INIT ACK chunks without adequately validating the address parameters carried in the chunk. Since this lookup runs during packet classific…

illumos-gate smartos | Remote | Memory Corruption
Jul 16, 2026 Jul 16, 2026
Jul 16, 2026
Jul 16, 2026
8.2 HIGH
CVE-2026-15352 — NASA Core Flight System (cFS) Health & Safety (HS) Application NULL Pointer Dereference

A vulnerability exists in the Health & Safety (HS) application of NASA's Core Flight System (cFS). The flaw allows the application to crash via segmentation fault when processing a routine Housekeepi…

Remote | Denial of Service
Jul 16, 2026 Jul 16, 2026
Jul 16, 2026
Jul 16, 2026
8.9 HIGH
CVE-2026-54526 — Argo Workflows: Incomplete fix for CVE-2026-31892: ArtifactGC.PodSpecPatch bypass of Stri…

Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Prior to 3.7.15 and 4.0.6, the allow-list fix for CVE-2026-31892 is incomplete because…

Remote | Misconfiguration
Jul 16, 2026 Jul 16, 2026
Jul 16, 2026
Jul 16, 2026
5.3 MEDIUM
CVE-2026-53536 — Activepieces: Cross-tenant file download via missing JWT audience check on step-files sig…

Activepieces is an open source AI workflow automation platform. Prior to 0.83.0, the /v1/step-files/signed download endpoint verified the supplied JWT against the shared signing secret but did not ch…

Remote | Authorization
Jul 16, 2026 Jul 16, 2026
Jul 16, 2026
Jul 16, 2026
5.9 MEDIUM
CVE-2026-53535 — Activepieces: Arbitrary file write in git-sync via path traversal and symlinks

Activepieces is an open source AI workflow automation platform. Prior to 0.82.0, the git-sync feature clones a user-configured Git repository into a temporary directory on the server and then writes …

Remote | Path Traversal
Jul 16, 2026 Jul 16, 2026
Jul 16, 2026
Jul 16, 2026
4.3 MEDIUM
CVE-2026-47089 — Cyrus IMAP Information Disclosure Vulnerability

An issue was discovered in cyrus-imapd in Cyrus IMAP through 3.12.2. LISTRIGHTS os not limited to users with admin access. An authenticated user could call IMAP LISTRIGHTS against any mailbox they co…

cyrus_imap | Remote | Authorization
Jul 16, 2026 Jul 16, 2026
Jul 16, 2026
Jul 16, 2026
3.1 LOW
CVE-2026-47088 — Cyrus IMAP Heap Memory Exposure

An issue was discovered in cyrus-imapd in Cyrus IMAP through 3.12.2. There is heap exposure in nested MIME comment parsing. An authenticated IMAP user could craft an email message containing an RFC 8…

cyrus_imap | Remote | Information Disclosure
Jul 16, 2026 Jul 16, 2026
Jul 16, 2026
Jul 16, 2026
Showing 20 of 8332 Results