Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
8.3 HIGH
CVE-2026-10673 — Out-of-bounds write in ADIN2111/ADIN1110 OA SPI Ethernet RX frame reassembly

The Zephyr ADIN2111/ADIN1110 10BASE-T1S/T1L Ethernet driver (drivers/ethernet/eth_adin2111.c) reassembles received Ethernet frames in OPEN Alliance (OA) SPI mode by copying device-supplied 64-byte da…

zephyr zephyr | Memory Corruption
Jul 15, 2026 Jul 15, 2026
Jul 15, 2026
Jul 15, 2026
9.0 CRITICAL
CVE-2026-62378 — RustFS Console: Critical Stored XSS in Preview Modal leading to Administrative Account Ta…

RustFS Console is a web management console for the RustFS distributed file system. From 0.1.7 until 0.1.10, the RustFS Console components/object/preview-modal.tsx and components/object/pdf-viewer.tsx…

Remote | Cross-Site Scripting
Jul 15, 2026 Jul 15, 2026
Jul 15, 2026
Jul 15, 2026
7.5 HIGH
CVE-2026-59955 — Apollo ConfigService access key authentication bypass via raw config file appId parsing

Apollo is a reliable configuration management system suitable for microservice configuration management scenarios. Prior to 2.5.2, Apollo ConfigService may allow unauthorized access to raw configurat…

apollo | Remote | Authentication
Jul 15, 2026 Jul 15, 2026
Jul 15, 2026
Jul 15, 2026
7.5 HIGH
CVE-2026-59954 — Apollo ConfigService access key authentication bypass via appId parsing and non-canonical…

Apollo is a reliable configuration management system suitable for microservice configuration management scenarios. Prior to 2.5.2, Apollo ConfigService may allow unauthorized access to configuration …

apollo | Remote | Authentication
Jul 15, 2026 Jul 15, 2026
Jul 15, 2026
Jul 15, 2026
9.3 CRITICAL
CVE-2026-52843 — Lightpanda: fetch() and XMLHttpRequest attach session cookies to cross-origin requests re…

Lightpanda is a headless browser designed for AI and automation. Prior to 0.2.9, Lightpanda fetch() and XMLHttpRequest unconditionally attached session cookies to every HTTP request, ignoring credent…

Remote | Authentication
Jul 15, 2026 Jul 15, 2026
Jul 15, 2026
Jul 15, 2026
9.3 CRITICAL
CVE-2026-52842 — Lightpanda:URL parser misidentifies page origin for URLs containing @ in the path - Same-…

Lightpanda is a headless browser designed for AI and automation. Prior to 0.3.1, Lightpanda searched for @ across the entire URL string instead of only the authority component when computing a page o…

Remote | Misconfiguration
Jul 15, 2026 Jul 15, 2026
Jul 15, 2026
Jul 15, 2026
5.4 MEDIUM
CVE-2026-49997 — SurrealDB: Edge PERMISSIONS FOR delete bypassed when a connected node is deleted

SurrealDB is a scalable, distributed, collaborative, document-graph database for the realtime web. Prior to 3.1.0, Document::purge_edges in surrealdb/core/src/doc/delete.rs automatically removed grap…

Remote | Authorization
Jul 15, 2026 Jul 15, 2026
Jul 15, 2026
Jul 15, 2026
7.7 HIGH
CVE-2026-48799 — Postiz: Unauthenticated arbitrary lifetime PRO grant via Nowpayments webhook

Postiz is an AI social media scheduling tool. Prior to 2.21.8, Postiz fails to verify Nowpayments IPN callback authenticity against the payment provider shared secret and reads the target subscriptio…

Remote | Authentication
Jul 15, 2026 Jul 15, 2026
Jul 15, 2026
Jul 15, 2026
6.3 MEDIUM
CVE-2026-47703 — AdGuard Home: DoQ-to-UDP State Reduction and Source-Port Oracle

AdGuard Home is a network-wide software for blocking ads and tracking. Prior to 0.107.75, AdGuard Home's client-triggered DoQ forwarding path to a udp:// upstream reduced backend UDP DNS state by pro…

adguardhome | Remote | Misconfiguration
Jul 15, 2026 Jul 15, 2026
Jul 15, 2026
Jul 15, 2026
7.5 HIGH
CVE-2026-45804 — Diffusers: TOCTOU Trust Remote Code Bypass

Diffusers is the a library for pretrained diffusion models. Prior to 0.38.0, Diffusers' DiffusionPipeline.from_pretrained flow can bypass the trust_remote_code guard because download() validates mode…

diffusers | Remote | Supply Chain
Jul 15, 2026 Jul 15, 2026
Jul 15, 2026
Jul 15, 2026
7.5 HIGH
CVE-2026-45793 — Composer: Github Actions issued GITHUB_TOKEN disclosure in GitHub Actions logs

Composer is a dependency Manager for the PHP language. Prior to 1.10.28, 2.2.28, and 2.9.8, Composer\IO\BaseIO::loadConfiguration() validates GitHub OAuth tokens with the regex ^[.A-Za-z0-9_]+$ and i…

composer | Remote | Information Disclosure
Jul 15, 2026 Jul 15, 2026
Jul 15, 2026
Jul 15, 2026
7.5 HIGH
CVE-2026-20187 — Cisco RoomOS Security Hardening Release - Exceptional Conditions Handling Vulnerabilities

As part of Cisco's ongoing commitment to proactive security and product quality, the Cisco RoomOS engineering team has conducted a comprehensive internal security review. This review resulted in a so…

Remote | Misconfiguration
Jul 15, 2026 Jul 15, 2026
Jul 15, 2026
Jul 15, 2026
7.5 HIGH
CVE-2026-20158 — Cisco RoomOS Security Hardening Release - Resource Lifetime Management Vulnerabilities

As part of Cisco's ongoing commitment to proactive security and product quality, the Cisco RoomOS engineering team has conducted a comprehensive internal security review. This review resulted in a so…

Remote | Memory Corruption
Jul 15, 2026 Jul 15, 2026
Jul 15, 2026
Jul 15, 2026
7.5 HIGH
CVE-2026-20157 — Cisco RoomOS Security Hardening Release - Missing Encryption Vulnerabilities

As part of Cisco's ongoing commitment to proactive security and product quality, the Cisco RoomOS engineering team has conducted a comprehensive internal security review. This review resulted in a so…

| Cryptography
Jul 15, 2026 Jul 15, 2026
Jul 15, 2026
Jul 15, 2026
8.1 HIGH
CVE-2026-20156 — Cisco RoomOS Security Hardening Release - Buffer Management Vulnerabilities

As part of Cisco's ongoing commitment to proactive security and product quality, the Cisco RoomOS engineering team has conducted a comprehensive internal security review. This review resulted in a so…

Remote | Memory Corruption
Jul 15, 2026 Jul 15, 2026
Jul 15, 2026
Jul 15, 2026
7.5 HIGH
CVE-2026-20153 — Cisco RoomOS Security Hardening Release - Input Validation Vulnerabilities

As part of Cisco's ongoing commitment to proactive security and product quality, the Cisco RoomOS engineering team has conducted a comprehensive internal security review. This review resulted in a so…

Remote | Injection
Jul 15, 2026 Jul 15, 2026
Jul 15, 2026
Jul 15, 2026
8.8 HIGH
CVE-2026-20150 — Cisco RoomOS Security Hardening Release - Access Control Vulnerabilities

As part of Cisco's ongoing commitment to proactive security and product quality, the Cisco RoomOS engineering team has conducted a comprehensive internal security review. This review resulted in a so…

Remote | Authorization
Jul 15, 2026 Jul 15, 2026
Jul 15, 2026
Jul 15, 2026
5.5 MEDIUM
CVE-2026-20146 — Cisco Identity Services Engine Path Traversal Vulnerability

A vulnerability in Cisco Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC) could allow an authenticated, remote attacker to perform path traversal attacks on the under…

identity_services_engine_software | Remote | Path Traversal
Jul 15, 2026 Jul 15, 2026
Jul 15, 2026
Jul 15, 2026
4.8 MEDIUM
CVE-2026-1563 — Pega Platform versions 8.1.0 through 25.1.2 are affected by an Reflected Cross-site scrip…

Pega Platform versions 8.1.0 through 25.1.2 are affected by an Reflected Cross-site scripting (XSS) vulnerability in a user interface component. Requires a high privileged user with a developer role.

Remote | Cross-Site Scripting
Jul 15, 2026 Jul 15, 2026
Jul 15, 2026
Jul 15, 2026
4.6 MEDIUM
CVE-2026-1562 — Pega Platform versions 8.1.0 through 25.1.2 are affected by an Stored Cross-site scriptin…

Pega Platform versions 8.1.0 through 25.1.2 are affected by an Stored Cross-site scripting (XSS) vulnerability in a user interface component. Requires a high privileged user with a developer role.

Remote | Cross-Site Scripting
Jul 15, 2026 Jul 15, 2026
Jul 15, 2026
Jul 15, 2026
Showing 20 of 8263 Results