Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
6.8 MEDIUM
CVE-2026-48312 — CAI Content Credentials | Improper Input Validation (CWE-20)

CAI Content Credentials is affected by an Improper Input Validation vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security meas…

| Authorization
Jul 14, 2026 Jul 15, 2026
Jul 14, 2026
Jul 15, 2026
6.2 MEDIUM
CVE-2026-48302 — CAI Content Credentials | Improper Input Validation (CWE-20)

CAI Content Credentials is affected by an Improper Input Validation vulnerability that could result in an application denial-of-service. An attacker could exploit this vulnerability to crash the appl…

| Denial of Service
Jul 14, 2026 Jul 15, 2026
Jul 14, 2026
Jul 15, 2026
6.2 MEDIUM
CVE-2026-48298 — CAI Content Credentials | Integer Underflow (Wrap or Wraparound) (CWE-191)

CAI Content Credentials is affected by an Integer Underflow (Wrap or Wraparound) vulnerability that could result in an application denial-of-service. An attacker could exploit this vulnerability to c…

| Denial of Service
Jul 14, 2026 Jul 15, 2026
Jul 14, 2026
Jul 15, 2026
6.2 MEDIUM
CVE-2026-48296 — CAI Content Credentials | Integer Underflow (Wrap or Wraparound) (CWE-191)

CAI Content Credentials is affected by an Integer Underflow (Wrap or Wraparound) vulnerability that could result in an application denial-of-service. An attacker could exploit this vulnerability to c…

| Denial of Service
Jul 14, 2026 Jul 15, 2026
Jul 14, 2026
Jul 15, 2026
7.5 HIGH
CVE-2026-48295 — CAI Content Credentials | Insufficiently Protected Credentials (CWE-522)

CAI Content Credentials is affected by an Insufficiently Protected Credentials vulnerability that could result in disclosure of sensitive information. An attacker could leverage this vulnerability to…

Remote | Authentication
Jul 14, 2026 Jul 15, 2026
Jul 14, 2026
Jul 15, 2026
8.2 HIGH
CVE-2026-48290 — CAI Content Credentials | Server-Side Request Forgery (SSRF) (CWE-918)

CAI Content Credentials is affected by a Server-Side Request Forgery (SSRF) vulnerability that could result in arbitrary code execution in the context of the current user. An attacker could exploit t…

| Server-Side Request Forgery
Jul 14, 2026 Jul 15, 2026
Jul 14, 2026
Jul 15, 2026
7.4 HIGH
CVE-2026-48287 — CAI Content Credentials | Untrusted Search Path (CWE-426)

CAI Content Credentials is affected by an Untrusted Search Path vulnerability that could result in arbitrary code execution in the context of the current user. Exploit depends on conditions beyond th…

| Path Traversal
Jul 14, 2026 Jul 15, 2026
Jul 14, 2026
Jul 15, 2026
8.6 HIGH
CVE-2026-48275 — Illustrator | Untrusted Search Path (CWE-426)

Illustrator is affected by an Untrusted Search Path vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interactio…

| Misconfiguration
Jul 14, 2026 Jul 14, 2026
Jul 14, 2026
Jul 14, 2026
7.1 HIGH
CVE-2026-47732 — Twig Sandbox: multiple `__toString()` policy bypasses via unguarded string coercion points

Twig is a template language for PHP. Prior to 3.26.0, several Twig language constructs trigger PHP string coercion on a Stringable operand without consulting SecurityPolicy::checkMethodAllowed(), all…

twig | Remote | Injection
Jul 14, 2026 Jul 14, 2026
Jul 14, 2026
Jul 14, 2026
5.1 MEDIUM
CVE-2026-47730 — Twig: XSS in profiler HtmlDumper via unescaped template and profile names

Twig is a template language for PHP. From 3.0.0 until 3.26.0, Twig\Profiler\Dumper\HtmlDumper writes Profile::getTemplate() and Profile::getName() into HTML output without escaping, allowing attacker…

twig | Remote | Cross-Site Scripting
Jul 14, 2026 Jul 14, 2026
Jul 14, 2026
Jul 14, 2026
8.7 HIGH
CVE-2026-46640 — Twig: Arbitrary PHP code execution via `_self.(<string>)` macro-reference compilation

Twig is a template language for PHP. From 3.15.0 until 3.26.0, _self.(<string>) and import-alias dynamic attribute syntax can concatenate an attacker-controlled string into a MacroReferenceExpression…

twig | Remote | Injection
Jul 14, 2026 Jul 14, 2026
Jul 14, 2026
Jul 14, 2026
7.1 HIGH
CVE-2026-46639 — Twig: Sandbox property and method bypass via object-destructuring assignment

Twig is a template language for PHP. From 3.24.0 until 3.26.0, object-destructuring assignment compiles CoreExtension::getAttribute() with the sandbox argument hardcoded to false, disabling property …

twig | Remote | Misconfiguration
Jul 14, 2026 Jul 14, 2026
Jul 14, 2026
Jul 14, 2026
6.0 MEDIUM
CVE-2026-46638 — Twig: `{% sandbox %}{% include %}` skips checkSecurity() on cached templates (incomplete …

Twig is a template language for PHP. Prior to 3.26.0, {% sandbox %}{% include %} can include a template that was previously loaded outside the sandbox without re-invoking checkSecurity(), allowing th…

twig | Remote | Misconfiguration
Jul 14, 2026 Jul 14, 2026
Jul 14, 2026
Jul 14, 2026
5.1 MEDIUM
CVE-2026-46637 — Twig: HTML-output filters in twig/* extras incorrectly declared `is_safe => ['all']`

Twig is a template language for PHP. Prior to 3.26.0, several filters in twig/markdown-extra and twig/cssinliner-extra are registered with is_safe => [all], causing Twig to treat plain text or HTML o…

twig | Remote | Cross-Site Scripting
Jul 14, 2026 Jul 14, 2026
Jul 14, 2026
Jul 14, 2026
5.3 MEDIUM
CVE-2026-46635 — Twig: Sandbox property allowlist bypass via the `column` filter (array_column on objects)

Twig is a template language for PHP. Prior to 3.26.0, the column filter passes object arrays to PHP array_column(), which reads public and magic properties without reaching CoreExtension::getAttribut…

twig | Remote | Information Disclosure
Jul 14, 2026 Jul 14, 2026
Jul 14, 2026
Jul 14, 2026
7.7 HIGH
CVE-2026-46634 — Twig: `template_from_string()` escapes a SourcePolicy-driven sandbox via synthesized temp…

Twig is a template language for PHP. From 3.9.0 until 3.26.0, template_from_string() compiles an inner template under a synthesized __string_template__<hash> name that can fall outside a SourcePolicy…

twig | Remote | Misconfiguration
Jul 14, 2026 Jul 14, 2026
Jul 14, 2026
Jul 14, 2026
8.7 HIGH
CVE-2026-46633 — Twig: PHP code injection via `{% use %}` template name

Twig is a template language for PHP. Prior to 3.26.0, Compiler::string() does not escape single quotes when a template name from a {% use %} tag is placed inside a PHP single-quoted string literal, a…

twig | Remote | Injection
Jul 14, 2026 Jul 14, 2026
Jul 14, 2026
Jul 14, 2026
5.3 MEDIUM
CVE-2026-46629 — Twig: Unbounded formatter memoisation in twig/intl-extra keyed on template-controlled arg…

Twig is a template language for PHP. Prior to 3.26.0, twig/intl-extra memoises IntlDateFormatter and NumberFormatter instances in arrays keyed by template-controlled filter arguments such as locale, …

twig | Remote | Denial of Service
Jul 14, 2026 Jul 14, 2026
Jul 14, 2026
Jul 14, 2026
5.1 MEDIUM
CVE-2026-46628 — Twig: The `spaceless` filter implicitly marks its output as safe

Twig is a template language for PHP. Prior to 3.26.0, the deprecated spaceless filter is registered as safe for HTML, causing Twig autoescaping to emit attacker-controlled markup unescaped when space…

twig | Remote | Cross-Site Scripting
Jul 14, 2026 Jul 14, 2026
Jul 14, 2026
Jul 14, 2026
7.1 HIGH
CVE-2026-46627 — Twig: Sandbox resource exhaustion via unbounded `for` / `range()`

Twig is a template language for PHP. Prior to 3.26.0, the Twig sandbox does not prevent a template from consuming CPU, memory, or wall-clock time, even under the strictest allow-list, allowing untrus…

Remote | Denial of Service
Jul 14, 2026 Jul 14, 2026
Jul 14, 2026
Jul 14, 2026
Showing 20 of 8373 Results