Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
6.5 MEDIUM
CVE-2026-44251 — Wazuh : size_t underflow in msgs.c ReadSecMSG causes wazuh-remoted DoS and potential heap…

Wazuh is a free and open source platform used for threat prevention, detection, and response. In versions 3.0.0 and above, prior to 4.14.5, a size_t integer underflow in os_crypto/shared/msgs.c:389 a…

Remote | Memory Corruption
Jul 17, 2026 Jul 17, 2026
Jul 17, 2026
Jul 17, 2026
4.7 MEDIUM
CVE-2026-40106 — Wazuh: Heap-based Buffer Overflow in syscheck Registry Wildcard Expansion (LPE / DoS)

Wazuh is a free and open source platform used for threat prevention, detection, and response. Versions 4.6.0 and above prior to 4.14.5 contain a heap-based buffer overflow vulnerability in the sysche…

| Memory Corruption
Jul 17, 2026 Jul 17, 2026
Jul 17, 2026
Jul 17, 2026
6.4 MEDIUM
CVE-2026-2594 — Smart Custom Fields <= 5.0.7 - Authenticated (Author+) Stored Cross-Site Scripting via At…

The Smart Custom Fields plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 5.0.7. This is due to insufficient input sanitization and output escaping o…

Remote | Cross-Site Scripting
Jul 17, 2026 Jul 17, 2026
Jul 17, 2026
Jul 17, 2026
9.8 CRITICAL
CVE-2026-14956 — Bricksforge <= 3.1.8.6 - Unauthenticated Privilege Escalation via Pro Forms fieldIds Para…

The Bricksforge plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 3.1.8.6. This is due to improper validation of the fieldIds parameter in the Pro Forms…

Remote | Authorization
Jul 17, 2026 Jul 17, 2026
Jul 17, 2026
Jul 17, 2026
7.5 HIGH
CVE-2026-54340 — h2o has HTTP/2 state amplification

h2o is an HTTP server with support for HTTP/1.x, HTTP/2 and HTTP/3. Prior to commit 9265bdd, there is an HTTP/2 state amplification issue that combines HPACK decompression amplification with Slowlori…

Remote | Denial of Service
Jul 17, 2026 Jul 17, 2026
Jul 17, 2026
Jul 17, 2026
7.5 HIGH
CVE-2026-39359 — Wazuh: Unauthenticated Path Traversal in authd via Agent Group Name

Wazuh is a free and open source platform used for threat prevention, detection, and response. In versions 4.0.0 through 4.10.3 and 4.11.0 through 4.14.4, a logic flaw affects the Wazuh Manager's enro…

Remote | Path Traversal
Jul 17, 2026 Jul 17, 2026
Jul 17, 2026
Jul 17, 2026
7.5 HIGH
CVE-2026-34150 — Wazuh: Heap buffer overflow in wazuh-analysisd via rootcheck event parsing

Wazuh is a free and open source platform used for threat prevention, detection, and response. In versions 1.0.0 and above, prior to 4.14.5, a heap buffer overflow in wazuh-analysisd allows an unauthe…

Remote | Memory Corruption
Jul 17, 2026 Jul 17, 2026
Jul 17, 2026
Jul 17, 2026
6.5 MEDIUM
CVE-2026-33754 — Wazuh: Unauthenticated cluster packet length leads to uncontrolled memory allocation (rem…

Wazuh is a free and open source platform used for threat prevention, detection, and response. In versions 3.9.0 and above, prior to 4.14.5, a remote attacker can trigger memory exhaustion in the clus…

| Denial of Service
Jul 17, 2026 Jul 17, 2026
Jul 17, 2026
Jul 17, 2026
4.3 MEDIUM
CVE-2026-33434 — Wazuh: Rate Limit Bypass via /events Endpoint

Wazuh is a free and open source platform used for threat prevention, detection, and response. In versions 4.6.0 and above, prior to 4.14.5, a logic error in CheckRateLimitsMiddleware.dispatch() cause…

Remote | Denial of Service
Jul 17, 2026 Jul 17, 2026
Jul 17, 2026
Jul 17, 2026
7.5 HIGH
CVE-2026-44453 — h2o is vulnerable to musl libc stack overflow

h2o is an HTTP server with support for HTTP/1.x, HTTP/2 and HTTP/3. Prior to commit 6b5370d, h2o is vulnerable to a Denial of Service attack when calling alloca under certain conditions. When serving…

Remote | Denial of Service
Jul 16, 2026 Jul 16, 2026
Jul 16, 2026
Jul 16, 2026
5.9 MEDIUM
CVE-2026-44452 — h2o is vulnerable to heap overrun

h2o is an HTTP server with support for HTTP/1.x, HTTP/2 and HTTP/3. Prior to commit 8dc37cb, when h2o receives a ClientHello message over TLS or QUIC and it contains a zero-length SNI extension, the …

Remote | Denial of Service
Jul 16, 2026 Jul 16, 2026
Jul 16, 2026
Jul 16, 2026
7.5 HIGH
CVE-2026-44436 — Quicly is vulnerable to connection state corruption

Quicly is an IETF QUIC protocol implementation intended primarily for use within the H2O HTTP server. Prior to commit 8b178e6, Quicly is vulnerable to a Denial of Service attack through connection st…

quicly | Remote | Denial of Service
Jul 16, 2026 Jul 16, 2026
Jul 16, 2026
Jul 16, 2026
7.5 HIGH
CVE-2026-44435 — Quicly: Remote Denial of Service via assertion failure when CRYPTO stream handshake data …

Quicly is an IETF QUIC protocol implementation intended primarily for use within the H2O HTTP server. Prior to commit 937d0e9, an assertion failure is raised when the total number of valid handshake …

quicly | Remote | Denial of Service
Jul 16, 2026 Jul 16, 2026
Jul 16, 2026
Jul 16, 2026
5.3 MEDIUM
CVE-2026-44434 — Quicly is vulnerable to stateless reset injection

Quicly is an IETF QUIC protocol implementation intended primarily for use within the H2O HTTP server. Prior to commit dccf5d4, Quicly was vulnerable to stateless reset injection through lack of packe…

quicly | Remote | Injection
Jul 16, 2026 Jul 16, 2026
Jul 16, 2026
Jul 16, 2026
5.3 MEDIUM
CVE-2026-44433 — Quicly is vulnerable to memory exhaustion

Quicly is an IETF QUIC protocol implementation intended primarily for use within the H2O HTTP server. Prior to commit 8b178e6, an adversarial peer could send a STREAM frame carrying just one byte at …

quicly | Remote | Denial of Service
Jul 16, 2026 Jul 16, 2026
Jul 16, 2026
Jul 16, 2026
10.0 CRITICAL
CVE-2026-44182 — Jupyter Enterprise Gateway Has Kubernetes Manifest Injection via Jinja2 Template Rendering

Jupyter Enterprise Gateway launches remote Jupyter Notebook kernels across distributed clusters like Apache Spark, Kubernetes, and Docker Swarm. In versions prior to 3.3.0, the server interpolates un…

Remote | Injection
Jul 16, 2026 Jul 16, 2026
Jul 16, 2026
Jul 16, 2026
10.0 CRITICAL
CVE-2026-44181 — Jupyter Enterprise Gateway: Jinja2 Template Server Side Template Injection results in Rem…

Jupyter Enterprise Gateway launches remote Jupyter Notebook kernels across distributed clusters like Apache Spark, Kubernetes, and Docker Swarm. In versions 2.0.0rc2 and above, prior to 3.3.0, the en…

Remote | Injection
Jul 16, 2026 Jul 16, 2026
Jul 16, 2026
Jul 16, 2026
8.1 HIGH
CVE-2026-43978 — wger: Privilege escalation via trainer-login session chaining allows gym trainers to impe…

wger is a free, open-source workout and fitness manager. In versions prior to 2.6, a gym trainer can escalate their session to any higher-privileged account (gym manager, general manager) by chaining…

wger | Remote | Authentication
Jul 16, 2026 Jul 16, 2026
Jul 16, 2026
Jul 16, 2026
7.5 HIGH
CVE-2026-43977 — wger IDOR: Authenticated Users Can Read Others' Private Workout Session Data via Template…

wger is a free, open-source workout and fitness manager. In versions prior to 2.6, any authenticated user can read another user's private workout session notes, exercise history, and training statist…

wger | Remote | Authorization
Jul 16, 2026 Jul 16, 2026
Jul 16, 2026
Jul 16, 2026
1.7 LOW
CVE-2026-15997 — Native ARM SHA3 / SHAKE `restoreFullState` fails to detect size_t underflow in a crafted…

Out-of-bounds write vulnerability in Legion of the Bouncy Castle Inc. BC-LTS bcprov-lts8on on ARM allows Overflow Buffers. This vulnerability is associated with program files https://github.Com/bcg…

| Memory Corruption
Jul 16, 2026 Jul 16, 2026
Jul 16, 2026
Jul 16, 2026
Showing 20 of 8332 Results