Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
6.3 MEDIUM
CVE-2026-15105 — davenardella snap7 ReadVar Request s7_server.cpp PerformFunctionRead deserialization

A flaw has been found in davenardella snap7 up to 1.4.3. This affects the function TS7Worker::PerformFunctionRead of the file src/core/s7_server.cpp of the component ReadVar Request Handler. This man…

| Information Disclosure
Jul 08, 2026 Jul 09, 2026
Jul 08, 2026
Jul 09, 2026
6.0 MEDIUM
CVE-2026-5923 — Poly Voice – Potential Unauthorized Modification of WebUI using CSRF Attack

Malicious use of a stolen cookie might allow modifications to the contents of the IP phone’s webpage.

Remote | Cross-Site Request Forgery
Jul 08, 2026 Jul 08, 2026
Jul 08, 2026
Jul 08, 2026
5.9 MEDIUM
CVE-2026-5922 — Poly Voice – Potential Unauthorized Modification of WebUI using XSS Attack

The IP phone might use malicious input stored in configuration parameters and render it as content for the WebUI’s webpage.

Remote | Cross-Site Scripting
Jul 08, 2026 Jul 08, 2026
Jul 08, 2026
Jul 08, 2026
7.8 HIGH
CVE-2026-55878 — Symfony: Path Traversal in symfony/ux-toolkit Allows Arbitrary File Write and Read via Cr…

Symfony UX is a JavaScript ecosystem for Symfony. From 2.32.0 before 2.36.1 and from 3.0.0 before 3.2.0, the ux:install console command installs files from a recipe kit by copying paths listed in a c…

| Path Traversal
Jul 08, 2026 Jul 08, 2026
Jul 08, 2026
Jul 08, 2026
6.1 MEDIUM
CVE-2026-55877 — Symfony UX: XSS in symfony/ux-icons via unsanitized SVG content in local files and Iconif…

Symfony UX is a JavaScript ecosystem for Symfony. From 2.17.0 before 2.36.1 and from 3.0.0 before 3.2.0, the ux_icon() Twig function is marked is_safe=['html'] and Icon::toHtml() inlines SVG source v…

Remote | Cross-Site Scripting
Jul 08, 2026 Jul 08, 2026
Jul 08, 2026
Jul 08, 2026
8.5 HIGH
CVE-2026-55849 — @cyclonedx/cyclonedx-npm: Shell Injection via Unsanitized `--workspace` Argument

@cyclonedx/cyclonedx-npm creates CycloneDX Software Bill of Materials from npm projects. From 2.1.0 before 5.0.0, the CLI passes user-supplied --workspace values to a subshell without proper sanitiza…

| Injection
Jul 08, 2026 Jul 08, 2026
Jul 08, 2026
Jul 08, 2026
8.3 HIGH
CVE-2026-55830 — RestrictedPython guard hooks can be shadowed via positional-only arguments

RestrictedPython is a tool that helps to define a subset of the Python language which allows to provide a program input into a trusted environment. Prior to 8.3, check_function_argument_names() rejec…

Remote | Authorization
Jul 08, 2026 Jul 08, 2026
Jul 08, 2026
Jul 08, 2026
8.7 HIGH
CVE-2026-55471 — HAPI FHIR: XXE in XsltUtilities.saxonTransform via unhardened Saxon TransformerFactory

HAPI FHIR is a complete implementation of the HL7 FHIR standard for healthcare interoperability in Java. Prior to 6.9.10, org.hl7.fhir.utilities.XsltUtilities saxonTransform(...) overloads instantiat…

Remote | XML External Entity
Jul 08, 2026 Jul 09, 2026
Jul 08, 2026
Jul 09, 2026
7.5 HIGH
CVE-2026-55470 — HAPI FHIR: DSTU2 FHIRPathEngine.matches() missing RegexTimeout protection allows ReDoS

HAPI FHIR is a complete implementation of the HL7 FHIR standard for healthcare interoperability in Java. Prior to 6.9.10, the fix for CVE-2026-45367 incompletely patched the DSTU2 module, leaving FHI…

Remote | Denial of Service
Jul 08, 2026 Jul 09, 2026
Jul 08, 2026
Jul 09, 2026
6.5 MEDIUM
CVE-2026-54777 — CoreWCF NetNamedPipe transport accepts attach to a pre-existing named pipe instance

CoreWCF is a port of the service side of Windows Communication Foundation (WCF) to .NET Core. Prior to 1.8.1 and 1.9.1, CoreWCF NetNamedPipe transport accepts attachment to a pre-existing named pipe …

| Race Condition
Jul 08, 2026 Jul 09, 2026
Jul 08, 2026
Jul 09, 2026
0.0 NA
CVE-2026-52200 — Generic OEM 4G LTE Router Remote Code Execution

An issue in Generic OEM UZ801_v2.1 4G LTE Router V3.4.3 allows a remote attacker to execute arbitrary code via the /ajax web management API endpoint in MifiService.apk

| Injection
Jul 08, 2026 Jul 08, 2026
Jul 08, 2026
Jul 08, 2026
0.0 NA
CVE-2026-51535 — OpENer Resource Exhaustion Vulnerability

In OpENer 2.3.0 (commit 76b95cf), a resource exhaustion (Denial of Service) vulnerability exists in its network processing loop.

| Denial of Service
Jul 08, 2026 Jul 08, 2026
Jul 08, 2026
Jul 08, 2026
4.9 MEDIUM
CVE-2026-48492 — Snipe-IT's selectlist visibility is too permissive

Snipe-IT is an IT asset/license management system. Prior to version 8.6.1, the GET /api/v1/{object}/selectlist API endpoint is missing an authorization check. Any user who can log into Snipe-IT - reg…

Remote | Authorization
Jul 08, 2026 Jul 08, 2026
Jul 08, 2026
Jul 08, 2026
7.2 HIGH
CVE-2026-44161 — Fluentd: Server-Side Request Forgery (SSRF) via Placeholder Expansion in `out_http`

Fluentd collects events from various data sources and writes them to files, RDBMS, NoSQL, IaaS, SaaS, Hadoop and so on. Prior to 1.19.3, the Fluentd out_http output plugin allows placeholders such as…

Remote | Server-Side Request Forgery
Jul 08, 2026 Jul 08, 2026
Jul 08, 2026
Jul 08, 2026
7.5 HIGH
CVE-2026-44160 — Fluentd: Denial of Service (DoS) via Gzip Decompression Bomb in `in_http` and `in_forward`

Fluentd collects events from various data sources and writes them to files, RDBMS, NoSQL, IaaS, SaaS, Hadoop and so on. Prior to 1.19.3, Fluentd's in_http and in_forward plugins support gzip-compress…

Remote | Denial of Service
Jul 08, 2026 Jul 08, 2026
Jul 08, 2026
Jul 08, 2026
7.5 HIGH
CVE-2026-44025 — Fluentd: Exposure of Sensitive Information via Monitor Agent API

Fluentd collects events from various data sources and writes them to files, RDBMS, NoSQL, IaaS, SaaS, Hadoop and so on. Prior to 1.19.3, Fluentd's Monitor Agent plugin in_monitor_agent exposes intern…

Remote | Information Disclosure
Jul 08, 2026 Jul 08, 2026
Jul 08, 2026
Jul 08, 2026
9.8 CRITICAL
CVE-2026-44024 — Fluentd: Remote Code Execution (RCE) via Arbitrary File Write in `${tag}` Placeholder

Fluentd collects events from various data sources and writes them to files, RDBMS, NoSQL, IaaS, SaaS, Hadoop and so on. Prior to 1.19.3, Fluentd allows dynamically constructing file paths using the $…

Remote | Path Traversal
Jul 08, 2026 Jul 09, 2026
Jul 08, 2026
Jul 09, 2026
0.0 NA
CVE-2026-39179 — SOGo SQL Injection Vulnerability

A SQL injection vulnerability in SOGo before 5.12.7 allows authenticated users to execute arbitrary SQL statements via the newPassword parameter in the password change functionality.

| Injection
Jul 08, 2026 Jul 08, 2026
Jul 08, 2026
Jul 08, 2026
0.0 NA
CVE-2026-39178 — SOGo SQL Injection Vulnerability

A SQL injection vulnerability in SOGo before 5.12.7 allows authenticated users to execute arbitrary SQL statements via the search parameter of the allContactSearch endpoint.

| Injection
Jul 08, 2026 Jul 08, 2026
Jul 08, 2026
Jul 08, 2026
0.0 NA
CVE-2026-35552 — CAXperts UPVWebServices and UDiTH Portal Improper Authorization Vulnerability

In CAXperts UPVWebServices 2.4.2212.603 through 2.7.6 and UDiTH Portal 2026.0.0 through 2026.2.0, an authenticated remote user can invoke an administrative API endpoint intended for privileged users.…

| Authorization
Jul 08, 2026 Jul 08, 2026
Jul 08, 2026
Jul 08, 2026
Showing 20 of 7673 Results