Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
6.1 MEDIUM
CVE-2026-59711 — showdown - Cross-Site Scripting via Unescaped Metadata Title in completeHTMLDocument

showdown contains a cross-site scripting vulnerability in metadata title handling that allows attackers to inject arbitrary HTML and JavaScript. When completeHTMLDocument option is enabled, unescaped…

Remote | Cross-Site Scripting
Jul 06, 2026 Jul 07, 2026
Jul 06, 2026
Jul 07, 2026
8.6 HIGH
CVE-2026-57573 — Crawl4AI unauthenticated SSRF in Docker streaming crawl endpoint

Crawl4AI is an open-source LLM-friendly web crawler and scraper. Prior to 0.9.0, the Docker API server applied its SSRF destination check on the non-streaming /crawl path but not on the streaming pat…

crawl4ai | Remote | Server-Side Request Forgery
Jul 06, 2026 Jul 07, 2026
Jul 06, 2026
Jul 07, 2026
10.0 CRITICAL
CVE-2026-57572 — Crawl4AI: Unauthenticated RCE via Chromium launch-argument injection in browser_config.ex…

Crawl4AI is an open-source LLM-friendly web crawler and scraper. Prior to 0.9.0, the Docker API server accepted request-supplied browser_config.extra_args, which flowed into Chromium's launch argumen…

crawl4ai | Remote | Misconfiguration
Jul 06, 2026 Jul 07, 2026
Jul 06, 2026
Jul 07, 2026
9.6 CRITICAL
CVE-2026-57571 — Crawl4AI arbitrary file write via download filename path traversal

Crawl4AI is an open-source LLM-friendly web crawler and scraper. Prior to 0.9.0, when the crawler saves a downloaded file, the destination filename was taken from attacker-influenced input and joined…

crawl4ai | Remote | Path Traversal
Jul 06, 2026 Jul 07, 2026
Jul 06, 2026
Jul 07, 2026
7.5 HIGH
CVE-2026-55727 — Genetec Security Center Authentication Bypass Vulnerability

A flaw in the authentication mechanism for video stream requests in Genetec Security Center 5.14.0.0 prior to build 5.14.178.18 may allow an unauthenticated attacker to access live video streams.

security_center | Authentication
Jul 06, 2026 Jul 07, 2026
Jul 06, 2026
Jul 07, 2026
8.7 HIGH
CVE-2026-55574 — vLLM: ReDoS via structured_outputs.regex compiled without timeout in xgrammar and outline…

vLLM is a high-throughput and memory-efficient inference and serving engine for LLMs. Prior to 0.24.0, the structured_outputs.regex API parameter passes a user-supplied regular expression string dire…

vllm vllm | Remote | Denial of Service
Jul 06, 2026 Jul 07, 2026
Jul 06, 2026
Jul 07, 2026
7.1 HIGH
CVE-2026-55514 — vLLM denial of service via prompt embeds on M-RoPE models

vLLM is a library for LLM inference and serving. From 0.12.0 to before 0.24.0, sending a pure prompt embeds payload in a /v1/completions request with a model using M-RoPE causes EngineCore to fail an…

vllm vllm | Remote | Denial of Service
Jul 06, 2026 Jul 07, 2026
Jul 06, 2026
Jul 07, 2026
6.3 MEDIUM
CVE-2026-54765 — Traefik: Gateway HTTPRoute backendRef filters can leak backend context across routes shar…

Traefik is an open source HTTP reverse proxy and load balancer. From v3.7.0 prior to v3.7.6, Traefik's Kubernetes Gateway API provider may resolve two accepted HTTPRoutes that target the same backend…

Remote | Misconfiguration
Jul 06, 2026 Jul 07, 2026
Jul 06, 2026
Jul 07, 2026
6.9 MEDIUM
CVE-2026-54764 — ForwardAuth middleware leaks X-Forwarded-Port spoofing via untrusted X-Forwarded-Proto wh…

Traefik is an HTTP reverse proxy and load balancer. Prior to v2.11.51, v3.6.22, and v3.7.6, Traefik's ForwardAuth middleware, even when configured with trustForwardHeader: false, derives the X-Forwar…

Remote | Misconfiguration
Jul 06, 2026 Jul 07, 2026
Jul 06, 2026
Jul 07, 2026
7.8 HIGH
CVE-2026-54763 — Traefik: headerField underscore-variant identity spoofing in BasicAuth / DigestAuth / For…

Traefik is an HTTP reverse proxy and load balancer. Prior to v2.11.51, v3.6.22, and v3.7.6, Traefik's BasicAuth, DigestAuth, and ForwardAuth middlewares strip canonical-cased spoofed identity headers…

Remote | Authentication
Jul 06, 2026 Jul 07, 2026
Jul 06, 2026
Jul 07, 2026
7.5 HIGH
CVE-2026-54234 — vLLM: Remote DoS in vLLM via Invalid Recovered Token Reinjection

vLLM is a high-throughput and memory-efficient inference and serving engine for LLMs. Prior to 0.24.0, a frontend-legal multi-request speculative decoding workload can cause the rejection sampler to …

vllm vllm | Remote | Denial of Service
Jul 06, 2026 Jul 07, 2026
Jul 06, 2026
Jul 07, 2026
6.9 MEDIUM
CVE-2026-50135 — Hugo: Symlink confinement bypass in resources.Get

Hugo is a static site generator. From 0.123.0 to 0.161.1, a regression made  RootMappingFs.statRoot  use  Stat  (follows symlinks) instead of  Lstat , so a direct  resources.Get  of a symlink pointin…

hugo | Remote | Path Traversal
Jul 06, 2026 Jul 07, 2026
Jul 06, 2026
Jul 07, 2026
5.5 MEDIUM
CVE-2026-48267 — DNG SDK | NULL Pointer Dereference (CWE-476)

DNG SDK versions 1.7.1 2536 and earlier are affected by a NULL Pointer Dereference vulnerability that could result in an application denial-of-service. An attacker could exploit this vulnerability to…

| Denial of Service
Jul 06, 2026 Jul 07, 2026
Jul 06, 2026
Jul 07, 2026
9.2 CRITICAL
CVE-2026-42341 — FOSSBilling has an unauthenticated payment bypass via IPN callback forgery

FOSSBilling is a free, open-source billing and client management system. Versions 0.6.0 through 0.7.2 have an unauthenticated payment bypass vulnerability in FOSSBilling's IPN callback endpoint. When…

Remote | Authentication
Jul 06, 2026 Jul 07, 2026
Jul 06, 2026
Jul 07, 2026
7.7 HIGH
CVE-2026-42331 — FOSSBilling missing authorization in guest Invoice API endpoints

FOSSBilling is a free, open-source billing and client management system. Prior to version 0.8.0, the Guest API invoice/update endpoint is missing an authorization check present in other invoice-relat…

Remote | Authorization
Jul 06, 2026 Jul 07, 2026
Jul 06, 2026
Jul 07, 2026
9.9 CRITICAL
CVE-2026-34038 — Coolify authenticated remote command injection leading to RCE and secret exfiltration

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.469, an authenticated remote command injection vulnerability in application dep…

coolify | Remote | Injection
Jul 06, 2026 Jul 07, 2026
Jul 06, 2026
Jul 07, 2026
6.9 MEDIUM
CVE-2026-33734 — FOSSBilling has improper SQL neutralization in `Massmailer` recipient filters

FOSSBilling is a free, open-source billing and client management system. Versions 0.6.0 through 0.7.2 have a SQL injection vulnerability in the `Massmailer` module filter functionality. An authentica…

Remote | Injection
Jul 06, 2026 Jul 07, 2026
Jul 06, 2026
Jul 07, 2026
7.8 HIGH
CVE-2026-25271 — Time-of-check Time-of-use (TOCTOU) Race Condition in DSP Service

Memory Corruption when processing asynchronous input parameters due to improper handling of modified values between check and use.

Jul 06, 2026 Jul 07, 2026
Jul 06, 2026
Jul 07, 2026
8.8 HIGH
CVE-2026-25268 — Stack-based Buffer Overflow in WLAN Host

Memory Corruption when processing invalid HT40 channel layouts during dynamic channel switching operations.

Jul 06, 2026 Jul 07, 2026
Jul 06, 2026
Jul 07, 2026
5.3 MEDIUM
CVE-2026-21384 — Out-of-bounds Write in Camera Driver

Memory Corruption when updating prepared commands with invalid port indices based on user space input exceeds supported read client limits.

Jul 06, 2026 Jul 07, 2026
Jul 06, 2026
Jul 07, 2026
Showing 20 of 7630 Results