Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
7.1 HIGH
CVE-2024-34268 — EQ-3 Eqiva CC-RT-BLE Bluetooth Authentication Bypass

EQ-3 Eqiva CC-RT-BLE Bluetooth Smart Radiator Thermostat Firmware up to the latest version 1.46 was discovered to allow unsecured bluetooth connections. This vulnerability allows attackers to gain fu…

| Authentication
Jul 16, 2026 Jul 16, 2026
Jul 16, 2026
Jul 16, 2026
3.5 LOW
CVE-2024-32389 — Kerlink Wirnet iStation Buffer Overflow Vulnerability

Buffer Overflow vulnerability in Kerlink Kerlink Wirnet iStation 868 KerOS v.4.3.3_20200803132042 allows a remote attacker to obtain sensitive information via the update URLs component.

| Memory Corruption
Jul 16, 2026 Jul 16, 2026
Jul 16, 2026
Jul 16, 2026
5.7 MEDIUM
CVE-2024-32387 — Kerlink Wirnet iStation SNMP Information Disclosure

An issue in Kerlink Kerlink Wirnet iStation 868 KerOS v.4.3.3_20200803132042 allows a remote attacker to obtain sensitive information via the community string component.

| Information Disclosure
Jul 16, 2026 Jul 16, 2026
Jul 16, 2026
Jul 16, 2026
7.3 HIGH
CVE-2024-32386 — Kerlink Wirnet iStation Directory Traversal Vulnerability

Directory traversal vulnerability in Kerlink Kerlink Wirnet iStation 868 KerOS v.4.3.3_20200803132042 allows a remote attacker to obtain sensitive information via the SNMP update mechanism.

| Path Traversal
Jul 16, 2026 Jul 16, 2026
Jul 16, 2026
Jul 16, 2026
4.3 MEDIUM
CVE-2024-32385 — Kerlink Wirnet iStation Information Disclosure Vulnerability

An issue in Kerlink Kerlink Wirnet iStation 868 KerOS v.4.3.3_20200803132042 allows a remote attacker to obtain sensitive information via a boardID and revisionID components

| Information Disclosure
Jul 16, 2026 Jul 16, 2026
Jul 16, 2026
Jul 16, 2026
7.1 HIGH
CVE-2026-63397 — remorses/genql code injection

remorses/genql before version 6.3.4 allows an authenticated attacker with control of the GraphQL schema that is passed to genql to inject arbitrary JavaScript or TypeScript. The malicious code is inj…

Remote | Injection
Jul 16, 2026 Jul 16, 2026
Jul 16, 2026
Jul 16, 2026
9.3 CRITICAL
CVE-2026-63089 — WireGuard Easy Weak Token Generation Information Disclosure via OTL Route

WireGuard Easy through 15.3.0, fixed in commit 66b292b, contains a cryptographically weak one-time link token generation vulnerability that allows unauthenticated network attackers to recover WireGua…

Remote | Cryptography
Jul 16, 2026 Jul 16, 2026
Jul 16, 2026
Jul 16, 2026
3.7 LOW
CVE-2026-62994 — CoreDNS `k8s_external` headless AXFR can emit an empty transfer batch that panics the `tr…

CoreDNS is a DNS server written in Go. From 1.9.4 until 1.14.5, a network DNS client allowed to request AXFR for a CoreDNS zone can trigger a panic when CoreDNS is configured with k8s_external headle…

Remote | Denial of Service
Jul 16, 2026 Jul 17, 2026
Jul 16, 2026
Jul 17, 2026
8.7 HIGH
CVE-2026-62963 — Centrifugo: Decompression bomb DoS via permessage-deflate in unidirectional WebSocket tra…

Centrifugo is an open-source scalable real-time messaging server. Prior to 6.8.4, Centrifugo unidirectional WebSocket transport with uni_websocket.compression enabled enforced uni_websocket.message_s…

centrifugo | Remote | Denial of Service
Jul 16, 2026 Jul 16, 2026
Jul 16, 2026
Jul 16, 2026
7.5 HIGH
CVE-2026-62309 — CoreDNS: proxyproto plugin panics on PPv2 datagram with non-UDP transport — single 28-byt…

CoreDNS is a DNS server written in Go. Prior to 1.14.4, a single 28-byte UDP datagram can crash the CoreDNS process when the proxyproto plugin is enabled because plugin/pkg/proxyproto/proxyproto.go P…

Remote | Denial of Service
Jul 16, 2026 Jul 16, 2026
Jul 16, 2026
Jul 16, 2026
5.3 MEDIUM
CVE-2026-62299 — CoreDNS: rewrite-plugin EDNS0 response-revert nil-pointer panic (remote DoS) when a downs…

CoreDNS is a DNS server written in Go. Prior to 1.14.5, the CoreDNS rewrite plugin supports edns0 rewrite rules with an optional revert flag, and two response rules, edns0SetResponseRule and edns0Rep…

Remote | Denial of Service
Jul 16, 2026 Jul 16, 2026
Jul 16, 2026
Jul 16, 2026
7.3 HIGH
CVE-2026-62290 — cert-manager: Direct ACME Challenge resources can bypass Issuer DNS01 solver policy and u…

cert-manager adds certificates and certificate issuers as resource types in Kubernetes clusters, and simplifies the process of obtaining, renewing and using those certificates. From 1.18.0 until 1.19…

| Misconfiguration
Jul 16, 2026 Jul 16, 2026
Jul 16, 2026
Jul 16, 2026
5.4 MEDIUM
CVE-2026-61718 — bunkerweb: Read-only Web UI users can delete job cache files due to missing authorization…

bunkerweb is an Open-source and next-generation Web Application Firewall (WAF). From 1.6.2 until 1.6.12, the BunkerWeb web UI BiscuitMiddleware authorization bypass list included the /cache/ URL pref…

Remote | Authorization
Jul 16, 2026 Jul 16, 2026
Jul 16, 2026
Jul 16, 2026
7.3 HIGH
CVE-2026-61389 — AutomationDirect Productivity Suite Out-of-bounds Write

An out-of-bounds write vulnerability in the Productivity Suite allows a local attacker to trigger kernel memory corruption via a crafted IOCTL request, potentially resulting in privilege escalation…

productivity_suite | Memory Corruption
Jul 16, 2026 Jul 16, 2026
Jul 16, 2026
Jul 16, 2026
6.9 MEDIUM
CVE-2026-60140 — AutomationDirect Productivity Suite Out-of-bounds Read

An out-of-bounds read vulnerability in the Productivity Suite allows a local attacker to trigger kernel memory corruption by sending a crafted IOCTL request. This can lead to exposing sensitive inf…

productivity_suite | Memory Corruption
Jul 16, 2026 Jul 16, 2026
Jul 16, 2026
Jul 16, 2026
7.3 HIGH
CVE-2026-60063 — AutomationDirect Productivity Suite Out-of-bounds Write

An out-of-bounds write vulnerability in the Productivity Suite allows a local attacker to trigger kernel memory corruption via a crafted IOCTL request, potentially resulting in privilege escalation…

productivity_suite | Memory Corruption
Jul 16, 2026 Jul 16, 2026
Jul 16, 2026
Jul 16, 2026
8.7 HIGH
CVE-2026-55629 — Whistle: Path traversal

Whistle is an HTTP, HTTP2, HTTPS, and WebSocket debugging proxy. Prior to 2.10.3, lib/service/service.js handles GET /cgi-bin/temp/get by reading req.query.filename, joining it to TEMP_FILES_PATH onl…

Remote | Path Traversal
Jul 16, 2026 Jul 16, 2026
Jul 16, 2026
Jul 16, 2026
6.1 MEDIUM
CVE-2026-54728 — bunkerweb: Improper Input Validation and Improper Neutralization of Special Elements in O…

bunkerweb is an Open-source and next-generation Web Application Firewall (WAF). Prior to BunkerWeb 1.6.12 and BunkerWeb PRO 0.57, authenticated Host header handling in the BunkerWeb UI and API improp…

Remote | Authentication
Jul 16, 2026 Jul 16, 2026
Jul 16, 2026
Jul 16, 2026
8.2 HIGH
CVE-2026-49998 — Centrifugo: Dynamic JWKS key cache keyed only by `kid` allows cross-issuer JWT authentica…

Centrifugo is an open-source scalable real-time messaging server. Prior to 6.8.1, Centrifugo dynamic JWKS endpoint verification could reuse a key for one allowed issuer to verify a JWT for another al…

centrifugo | Remote | Authentication
Jul 16, 2026 Jul 17, 2026
Jul 16, 2026
Jul 17, 2026
7.2 HIGH
CVE-2026-44982 — CrowdSec AppSec silently drops request body for chunked / HTTP-2 requests

CrowdSec offers crowdsourced protection against malicious IPs. From 1.5.0 until 1.7.8, pkg/appsec/request.go NewParsedRequestFromRequest allocated a request body buffer from max(r.ContentLength, 0), …

Remote | Misconfiguration
Jul 16, 2026 Jul 16, 2026
Jul 16, 2026
Jul 16, 2026
Showing 20 of 7833 Results