Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
5.9 MEDIUM
CVE-2026-48951 — Joomla! Core - [20260705] - XSS in various modalreturn layouts

Lack of escaping leads to XSS vulnerabilities in modalreturn layouts of various components.

Remote | Cross-Site Scripting
Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
5.9 MEDIUM
CVE-2026-48950 — Joomla! Core - [20260704] - XSS in com_templates

Lack of escaping leads to an XSS vulnerability in the file management view of com_templates.

Remote | Cross-Site Scripting
Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
5.9 MEDIUM
CVE-2026-48949 — Joomla! Core - [20260703] - XSS in MFA method management

Lack of validation leads to an XSS vulnerability in the MFA management views.

Remote | Cross-Site Scripting
Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
6.4 MEDIUM
CVE-2026-48948 — Joomla! Core - [20260702] - Incorrect Access Control in com_contact vcf download

An improper access check allows user to download vcard exports of com_contact contacts that are inaccessible.

Remote | Authorization
Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
6.4 MEDIUM
CVE-2026-48947 — Joomla! Core - [20260701] - Incorrect Access Control in com_media webservice endpoints

An improper access check allows privileged users to overwrite media files without editing permissions.

Remote | Authorization
Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
8.5 HIGH
CVE-2026-57851 — MSI KernCoreLib64.sys Privilege Escalation via IOCTL Handlers

MSI Feature Manager contains a local privilege escalation vulnerability in the KernCoreLib64.sys kernel driver that allows any locally logged-on user to perform arbitrary physical memory read/write a…

| Memory Corruption
Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
8.6 HIGH
CVE-2026-23698 — Vtiger CRM 8.4.0 Authenticated RCE via Module Import File Upload

Vtiger CRM through 8.4.0 contains an authenticated remote code execution vulnerability in the admin module import feature that allows administrator-level attackers to upload arbitrary PHP files by su…

crm | Remote | Authentication
Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
8.8 HIGH
CVE-2026-23697 — Vtiger CRM < 8.4.0 Authenticated File Upload RCE via Documents Module

Vtiger CRM before 8.4.0 contains an authenticated file upload vulnerability that allows low-privileged users to achieve remote code execution by uploading a .phar file containing arbitrary PHP code t…

crm | Remote | Misconfiguration
Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
7.1 HIGH
CVE-2026-14904 — RES Auth.GetUserPrivateKey Arbitrary File Read

AWS Research and Engineering Studio (RES) is an open-source solution that enables researchers and engineers to create and manage secure virtual desktops and computing resources on AWS. Improper li…

Remote | Path Traversal
Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
8.1 HIGH
CVE-2026-13020 — Weak Password Recovery Mechanism in Portal for ArcGIS

A Weak Password Recovery Mechanism for Forgotten Password exists in Esri Portal for ArcGIS versions 12.1 and earlier on Windows, Linux and Kubernetes. A remote, unauthorized attacker may assume owner…

portal_for_arcgis | Remote | Authentication
Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
9.8 CRITICAL
CVE-2026-13019 — Missing Authentication

Esri Portal for ArcGIS versions 12.1 and earlier on Windows, Linux and Kubernetes have a missing authentication for critical function vulnerability allows a remote, unauthenticated attacker to access…

portal_for_arcgis | Remote | Authentication
Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
6.5 MEDIUM
CVE-2025-12799 — Jastow: jastow cross-site scripting attack due to unsanitized uri

A flaw was found in Jastow. Jastow is vulnerable to Cross-Site Scripting (XSS) attack. If using a set of combined configuration to allow unescaped characters in URL with embedded Undertow and Jastow,…

jboss_enterprise_application_platform single_sign-on | Remote | Cross-Site Scripting
Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
6.3 MEDIUM
CVE-2026-56812 — Phoenix JavaScript presence client crashes on presence keys colliding with Object.prototy…

Improper Check for Unusual or Exceptional Conditions vulnerability in phoenixframework phoenix (Presence JavaScript client) allows an attacker with ordinary channel access to cause a persistent clien…

phoenix | Remote | Denial of Service
Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
8.7 HIGH
CVE-2026-56811 — Phoenix transports do not limit channel joins per connection, enabling process-exhaustion…

Allocation of Resources Without Limits or Throttling vulnerability in phoenixframework phoenix (Phoenix.Socket module) allows an unauthenticated attacker to cause a denial of service against any endp…

phoenix | Remote | Denial of Service
Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
4.4 MEDIUM
CVE-2026-14969 — 389-ds-base: 389-ds-base: static initialization vector in aes-cbc/3des-cbc attribute encr…

A flaw was found in 389-ds-base where the LDBM backend attribute encryption uses a hardcoded static initialization vector for AES-CBC and 3DES-CBC operations, allowing an attacker with privileged fil…

Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
3.7 LOW
CVE-2026-14935 — Gstreamer: gstreamer: webrtcbin accepts remote sdp without a=fingerprint due to inverted …

A logic vulnerability was found in GStreamer's webrtcbin component. The _check_sdp_crypto() function contains an inverted boolean condition that causes it to accept remote SDP offers or answers that …

enterprise_linux enterprise_linux | Remote | Cryptography
Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
5.3 MEDIUM
CVE-2026-59709 — Ghostfolio - Unauthorized Portfolio Holding Tag Modification via Missing Permission Check

Ghostfolio's PUT /api/v1/portfolio/holding/:dataSource/:symbol/tags endpoint fails to verify Access.permissions field when processing the Impersonation-Id header, allowing read-only access grantees t…

Remote | Authorization
Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
6.1 MEDIUM
CVE-2026-53878 — Header injection possibility since DomainNameValidator accepted newlines in input

An issue was discovered in Django 6.0 before 6.0.7 and 5.2 before 5.2.16. `DomainNameValidator` does not prohibit newlines in domain names (unless used via a form field, since `CharField` strips newl…

django | Remote | Injection
Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
6.3 MEDIUM
CVE-2026-53877 — Heap buffer over-read in GDALRaster

An issue was discovered in Django 6.0 before 6.0.7 and 5.2 before 5.2.16. `django.contrib.gis.gdal.GDALRaster` over-reads its in-memory buffer when constructed from a bytes object, which can disclose…

django | Remote | Memory Corruption
Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
3.1 LOW
CVE-2026-48588 — Potential exposure of private data via cached Set-Cookie response

An issue was discovered in Django 6.0 before 6.0.7 and 5.2 before 5.2.16. `UpdateCacheMiddleware` and the `cache_page()` decorator cache responses that vary on cookies when the incoming request carri…

django | Remote | Information Disclosure
Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
Showing 20 of 7650 Results