Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
0.0 NA
CVE-2026-16123 — nextlevelbuilder GoClaw Invoke Endpoint tools_invoke.go ToolsInvokeHandler.ServeHTTP auth…

A weakness has been identified in nextlevelbuilder GoClaw up to 3.13.2. Affected by this issue is the function ToolsInvokeHandler.ServeHTTP of the file internal/http/tools_invoke.go of the component …

goclaw | Authorization
Jul 18, 2026 Jul 18, 2026
Jul 18, 2026
Jul 18, 2026
0.0 NA
CVE-2026-16122 — nextlevelbuilder GoClaw exec_approval.go matchesAllowlist authorization

A security flaw has been discovered in nextlevelbuilder GoClaw up to 3.13.2. Affected by this vulnerability is the function extractBin/RequestApproval/matchesAllowlist of the file internal/tools/exec…

goclaw | Authorization
Jul 18, 2026 Jul 18, 2026
Jul 18, 2026
Jul 18, 2026
9.2 CRITICAL
CVE-2026-9323 — Insecure PRNG and Information Exposure in urwid Web Display Backend

The urwid web display backend (urwid/display/web.py) generates web session identifiers (urwid_id) in Screen.start() by concatenating two random.randrange(10**9) calls that use Python's Mersenne Twist…

Remote | Cryptography
Jul 18, 2026 Jul 18, 2026
Jul 18, 2026
Jul 18, 2026
6.5 MEDIUM
CVE-2026-16120 — nextlevelbuilder GoClaw exec_approval.go extractBin name resolution

A vulnerability was determined in nextlevelbuilder GoClaw up to 3.13.3-beta.3. This impacts the function matchesAllowlist/extractBin of the file internal/tools/exec_approval.go. Executing a manipulat…

goclaw | Remote | Path Traversal
Jul 18, 2026 Jul 18, 2026
Jul 18, 2026
Jul 18, 2026
6.5 MEDIUM
CVE-2026-16119 — nextlevelbuilder GoClaw WebSocket Approval Endpoint exec_approval.go RequestApproval auth…

A vulnerability was found in nextlevelbuilder GoClaw up to 3.13.2. This affects the function RequestApproval of the file internal/tools/exec_approval.go of the component WebSocket Approval Endpoint. …

goclaw | Remote | Authorization
Jul 18, 2026 Jul 18, 2026
Jul 18, 2026
Jul 18, 2026
10.0 CRITICAL
CVE-2026-16117 — @fastify/http-proxy vulnerable to prefix escape via URL-encoded characters

Impact: @fastify/http-proxy versions up to and including 11.5.0 fail to rewrite the request prefix when the prefix segment is URL-encoded. Fastify's router URL-decodes paths for route matching, but r…

| Path Traversal
Jul 18, 2026 Jul 18, 2026
Jul 18, 2026
Jul 18, 2026
8.8 HIGH
CVE-2026-11826 — OpenPLC_v3 Heap-Based Buffer Overflow in Modbus Master getData()

OpenPLC_v3 contains a heap-based buffer overflow in the getData() function in webserver/core/modbus_master.cpp. getData() reads characters between two delimiters into a caller-supplied buffer with no…

openplc | Remote | Memory Corruption
Jul 18, 2026 Jul 18, 2026
Jul 18, 2026
Jul 18, 2026
5.8 MEDIUM
CVE-2025-71398 — SurrealDB before 2.2.2 SSRF via HTTP Redirect Bypass

SurrealDB before 2.2.2 fails to validate HTTP redirects in http functions, allowing authenticated users to bypass deny-net restrictions by redirecting to blocked IP addresses. Attackers can host a pu…

Remote | Server-Side Request Forgery
Jul 18, 2026 Jul 18, 2026
Jul 18, 2026
Jul 18, 2026
7.1 HIGH
CVE-2025-71397 — SurrealDB before 2.2.2 CPU Exhaustion via nested FOR loops

SurrealDB before 2.0.5, 2.1.x before 2.1.5, and 2.2.x before 2.2.2 allows authenticated users with OWNER or EDITOR permissions (at the root, namespace, or database level) to define custom database fu…

Remote | Denial of Service
Jul 18, 2026 Jul 18, 2026
Jul 18, 2026
Jul 18, 2026
2.3 LOW
CVE-2025-71396 — SurrealDB before 2.2.2 Denial of Service via JavaScript Scripting

SurrealDB before 2.0.5, 2.1.x before 2.1.5, and 2.2.x before 2.2.2 does not enforce a default execution-time limit on embedded JavaScript scripting functions when the scripting capability is explicit…

Remote | Denial of Service
Jul 18, 2026 Jul 18, 2026
Jul 18, 2026
Jul 18, 2026
7.1 HIGH
CVE-2025-71395 — SurrealDB before 2.2.2 Memory Exhaustion via string::replace

SurrealDB versions before 2.2.2 contain a memory exhaustion vulnerability in the string::replace function that fails to restrict resulting string length when using regex patterns. An authenticated at…

Remote | Memory Corruption
Jul 18, 2026 Jul 18, 2026
Jul 18, 2026
Jul 18, 2026
2.3 LOW
CVE-2025-71394 — SurrealDB before 2.2.2 Local File Read via DEFINE ANALYZER

SurrealDB versions before 2.2.2 contain a local file read vulnerability in the DEFINE ANALYZER statement that allows authenticated users to read arbitrary files on the file system. Attackers with roo…

Remote | Path Traversal
Jul 18, 2026 Jul 18, 2026
Jul 18, 2026
Jul 18, 2026
6.0 MEDIUM
CVE-2025-71393 — SurrealDB before 2.2.2 Memory Exhaustion via Nested Functions

SurrealDB before 2.2.2 with scripting enabled fails to properly enforce recursion limits when native functions contain embedded JavaScript that issues new queries. Authenticated attackers can bypass …

Remote | Denial of Service
Jul 18, 2026 Jul 18, 2026
Jul 18, 2026
Jul 18, 2026
9.4 CRITICAL
CVE-2025-71392 — SurrealDB before 2.2.2 SurrealQL Injection via export

SurrealDB before 2.0.5, 2.1.x before 2.1.5, and 2.2.x before 2.2.2 fails to properly escape table and field names in the command-line export command. An authenticated System User with OWNER or EDITOR…

Remote | Injection
Jul 18, 2026 Jul 18, 2026
Jul 18, 2026
Jul 18, 2026
7.1 HIGH
CVE-2025-71391 — SurrealDB before 2.2.2 Denial of Service via /sql endpoint

SurrealDB versions before 2.2.2 contain an uncaught exception vulnerability in the net module that allows authenticated users to crash the database. Attackers can send crafted HTTP queries containing…

Remote | Denial of Service
Jul 18, 2026 Jul 18, 2026
Jul 18, 2026
Jul 18, 2026
5.8 MEDIUM
CVE-2025-71390 — SurrealDB before 2.3.6 deny-net Bypass via DNS Resolution

SurrealDB before 2.2.6, 2.3.6, and 2.1.8 (and 3.0.0-alpha.7 and earlier) fails to validate DNS-resolved hostnames against --deny-net network access restrictions in its http::* functions. An authentic…

Remote | Misconfiguration
Jul 18, 2026 Jul 18, 2026
Jul 18, 2026
Jul 18, 2026
7.1 HIGH
CVE-2024-58370 — SurrealDB before 1.1.0 Uncontrolled Recursion Denial of Service

SurrealDB versions before 1.1.0 fail to enforce recursion depth limits when parsing nested SurrealQL statements including IF, RELATE, and attribute access idioms. Authorized attackers can submit quer…

Remote | Denial of Service
Jul 18, 2026 Jul 18, 2026
Jul 18, 2026
Jul 18, 2026
7.1 HIGH
CVE-2024-58369 — SurrealDB before 1.1.1 Denial of Service via Global Parameters

SurrealDB versions before 1.1.1 fail to properly validate invocation of custom parameters and functions at root or namespace levels, causing server panic. Authorized clients can invoke these entities…

Remote | Denial of Service
Jul 18, 2026 Jul 18, 2026
Jul 18, 2026
Jul 18, 2026
8.7 HIGH
CVE-2024-58368 — SurrealDB before 1.1.0 Denial of Service via HTTP Headers

SurrealDB versions before 1.1.0 fail to properly parse the ID, DB, and NS headers in HTTP REST API requests containing special characters. Unauthenticated attackers can send crafted HTTP requests wit…

Remote | Denial of Service
Jul 18, 2026 Jul 18, 2026
Jul 18, 2026
Jul 18, 2026
7.1 HIGH
CVE-2024-58367 — SurrealDB before 2.0.4 Improper Authorization via SELECT Permissions

SurrealDB versions before 2.0.4 fail to properly enforce field permissions during SELECT, UPDATE, and DELETE operations, allowing authorized users to access unauthorized field values through various …

Remote | Authorization
Jul 18, 2026 Jul 18, 2026
Jul 18, 2026
Jul 18, 2026
Showing 20 of 7835 Results