Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
3.3 LOW
CVE-2026-13743 — Improper verification of cryptographic signature in CubeSpace CW0057 Reaction Wheel

CubeSpace CW0057 Reaction Wheel firmware versions prior to 5.0.20 are vulnerable to an Improper Verification of Cryptographic Signature vulnerability. This could allow an attacker with physical acces…

| Authentication
Jul 02, 2026 Jul 02, 2026
Jul 02, 2026
Jul 02, 2026
0.0 NA
CVE-2026-7311 — TinyPNG <= 3.6.13 - Authenticated (Author+) Arbitrary File Deletion via 'convert.path' in…

The TinyPNG – JPEG, PNG & WebP image compression plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the delete_converted_image_size function in …

| Path Traversal
Jul 02, 2026 Jul 02, 2026
Jul 02, 2026
Jul 02, 2026
8.7 HIGH
CVE-2026-58465 — Eclipse Wakaama CoAP Block1 Handler Unbounded Memory Allocation DoS

Eclipse Wakaama before snapshot/2026-05-26 contains an unbounded memory allocation vulnerability in the CoAP Block1 handler within coap/block.c that allows unauthenticated remote attackers to exhaust…

Remote | Denial of Service
Jul 02, 2026 Jul 02, 2026
Jul 02, 2026
Jul 02, 2026
8.7 HIGH
CVE-2024-58352 — Landray OA Unauthenticated HQL Injection via wechatLoginHelper.do

Landray OA contains an unauthenticated HQL injection vulnerability that allows unauthenticated attackers to query arbitrary Hibernate entity classes by injecting malicious HQL syntax into the uid POS…

Remote | Injection
Jul 02, 2026 Jul 02, 2026
Jul 02, 2026
Jul 02, 2026
9.8 CRITICAL
CVE-2022-50973 — Yonyou KSOA 9.0 Unauthenticated File Upload RCE via ImageUpload Servlet

Yonyou KSOA 9.0 contains an unauthenticated arbitrary file upload vulnerability in the com.sksoft.bill.ImageUpload servlet that allows unauthenticated attackers to upload arbitrary files by submittin…

Remote | Authentication
Jul 02, 2026 Jul 02, 2026
Jul 02, 2026
Jul 02, 2026
9.8 CRITICAL
CVE-2024-14037 — Redsea Cloud eHR Unauthenticated File Upload RCE via PtFjk.mob

Redsea Cloud eHR contains an arbitrary file upload vulnerability that allows unauthenticated attackers to achieve remote code execution by uploading malicious files through the PtFjk.mob servlet endp…

Remote | Misconfiguration
Jul 02, 2026 Jul 02, 2026
Jul 02, 2026
Jul 02, 2026
7.0 HIGH
CVE-2026-8699 — Stored Cross-Site Scripting (XSS) in TP-Link Archer C5 Web Management Interface

A stored Cross-Site Scripting (XSS) vulnerability has been identified in the web-based management interface of Archer C5 v6.8 routers, due to insufficient server-side validation and lack of proper ou…

archer_c5 | Cross-Site Scripting
Jul 02, 2026 Jul 02, 2026
Jul 02, 2026
Jul 02, 2026
0.0 NA
CVE-2026-50282 — Craft CMS: Unauthorized Deletion of Destination Folders During Forced Moves

Craft CMS is a content management system (CMS). Versions 5.0.0-RC1 and above, prior to 5.9.21 and versions 4.0.0-RC1 and above prior to 4.17.14 contain an authorization issue where a forced folder mo…

| Authorization
Jul 02, 2026 Jul 02, 2026
Jul 02, 2026
Jul 02, 2026
6.3 MEDIUM
CVE-2026-54891 — Plaintext APPLICATION_DATA injected during TLS handshake delivered to client application …

Improper Enforcement of Message Integrity During Transmission in a Communication Channel vulnerability in Erlang/OTP ssl (tls_gen_connection module) allows a network-positioned attacker to inject una…

otp | Remote | Injection
Jul 02, 2026 Jul 02, 2026
Jul 02, 2026
Jul 02, 2026
8.7 HIGH
CVE-2026-55950 — DTLS listener crash via race condition in dtls_packet_demux causes denial of service for …

Time-of-check Time-of-use (TOCTOU) race condition vulnerability in Erlang/OTP ssl (dtls_packet_demux module) allows an unauthenticated remote attacker to crash all active DTLS sessions on a listener.…

otp | Remote | Race Condition
Jul 02, 2026 Jul 02, 2026
Jul 02, 2026
Jul 02, 2026
5.3 MEDIUM
CVE-2026-54886 — SSH SFTP server denial of service via extended channel data infinite loop

Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in Erlang OTP ssh (ssh_sftpd module) allows an authenticated SFTP user to render an SFTP channel permanently unresponsive. The ha…

otp | Remote | Denial of Service
Jul 02, 2026 Jul 02, 2026
Jul 02, 2026
Jul 02, 2026
8.2 HIGH
CVE-2026-55952 — TLS 1.3 server denial of service via malformed ClientHello pre-shared key extension

The Erlang/OTP ssl application does not validate that the PSK identity list and binder list carried in a TLS 1.3 ClientHello pre-shared key extension have equal length before passing them to the sess…

otp | Remote | Denial of Service
Jul 02, 2026 Jul 02, 2026
Jul 02, 2026
Jul 02, 2026
6.3 MEDIUM
CVE-2026-54887 — DTLS server cookie bypass during startup window due to empty initial cookie secret

Use of Default Cryptographic Key vulnerability in Erlang/OTP ssl (DTLS server) allows predictable DTLS cookie computation during the startup window, enabling source address verification bypass. On D…

otp | Remote | Cryptography
Jul 02, 2026 Jul 02, 2026
Jul 02, 2026
Jul 02, 2026
2.3 LOW
CVE-2026-53422 — SFTP REALPATH path-existence oracle allowing filesystem enumeration outside configured ro…

Observable Response Discrepancy vulnerability in Erlang OTP ssh (ssh_sftpd module) allows an authenticated SFTP user to enumerate the existence of files and directories outside the configured root di…

otp | Remote | Path Traversal
Jul 02, 2026 Jul 02, 2026
Jul 02, 2026
Jul 02, 2026
0.0 NA
CVE-2026-50281 — Craft CMS: Mass assignment via id in newAttributes during bulk duplicate overwrites exist…

Craft CMS is a content management system (CMS). Versions 5.7.0 and above, prior to 5.9.21 contain a mass-assignment flaw in the bulk-duplicate element action. An attacker who is only able to duplicat…

| Authorization
Jul 02, 2026 Jul 02, 2026
Jul 02, 2026
Jul 02, 2026
9.9 CRITICAL
CVE-2026-44935 — Rancher Fleet vulnerable to cross namespace secret disclosure via unvalidated `valuesFrom…

Missing validation of "valuesFrom" references in Helm Deployer of SUSE Rancher Fleet 0.15 before 0.15.2, 0.14 before 0.14.6, 0.13 before 0.13.11 and 0.12 before 0.12.15 could be used by owners of one…

rancher | Remote | Authorization
Jul 02, 2026 Jul 02, 2026
Jul 02, 2026
Jul 02, 2026
8.4 HIGH
CVE-2026-44941 — libzypp path traversal via "keyhint" in repomd.xml

A relative path traversal in the "keyhint" option in repomd.xml parsing of libzypp before 17.38.12 can be used by attackers able to supply a malicious repository to inject or overwrite files in the t…

Remote | Path Traversal
Jul 02, 2026 Jul 02, 2026
Jul 02, 2026
Jul 02, 2026
0.0 NA
CVE-2026-53358 — Bluetooth: L2CAP: use chan timer to close channels in cleanup_listen()

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: use chan timer to close channels in cleanup_listen() l2cap_chan_close() removes the channel from conn->chan_l, …

| Race Condition
Jul 02, 2026 Jul 02, 2026
Jul 02, 2026
Jul 02, 2026
0.0 NA
CVE-2026-53357 — Bluetooth: fix UAF in l2cap_sock_cleanup_listen() vs l2cap_conn_del()

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: fix UAF in l2cap_sock_cleanup_listen() vs l2cap_conn_del() bt_accept_dequeue() unlinks a not-yet-accepted child from t…

| Memory Corruption
Jul 02, 2026 Jul 02, 2026
Jul 02, 2026
Jul 02, 2026
9.8 CRITICAL
CVE-2026-58455 — Dockwatch 0.6.567 Unauthenticated OS Command Injection via ajax/compose.php

Dockwatch through 0.6.567 contains an unauthenticated OS command injection vulnerability that allows remote attackers to execute arbitrary shell commands by exploiting a missing exit() after an authe…

Remote | Injection
Jul 02, 2026 Jul 02, 2026
Jul 02, 2026
Jul 02, 2026
Showing 20 of 8012 Results