Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
5.5 MEDIUM
CVE-2026-44918 — OpenStack Ironic Improper Authorization Vulnerability

OpenStack Ironic through before 37.0.1 allows creation or modification of nodes cross-project without authorization.

ironic | Remote | Authorization
Jul 10, 2026 Jul 10, 2026
Jul 10, 2026
Jul 10, 2026
4.3 MEDIUM
CVE-2026-15329 — zhayujie CowAgent Browser Tool browser_tool.py BrowserTool._do_navigate information discl…

A vulnerability was found in zhayujie CowAgent up to 2.1.0. This issue affects the function BrowserTool._do_navigate of the file agent/tools/browser/browser_tool.py of the component Browser Tool. Per…

Remote | Information Disclosure
Jul 10, 2026 Jul 10, 2026
Jul 10, 2026
Jul 10, 2026
4.7 MEDIUM
CVE-2026-15326 — halo-dev halo Theme Installation ThemeUtils.java ThemeUtils.unzipThemeTo path traversal

A vulnerability was identified in halo-dev halo up to 2.24.2. This affects the function ThemeUtils.unzipThemeTo of the file ThemeUtils.java of the component Theme Installation. Such manipulation of t…

Remote | Path Traversal
Jul 10, 2026 Jul 10, 2026
Jul 10, 2026
Jul 10, 2026
3.3 LOW
CVE-2026-15321 — MyEMS Admin Backend svg.py on_post cross site scripting

A vulnerability was found in MyEMS up to 6.4.0. The affected element is the function on_post of the file myems-api/core/svg.py of the component Admin Backend. The manipulation of the argument new_val…

Remote | Cross-Site Scripting
Jul 10, 2026 Jul 10, 2026
Jul 10, 2026
Jul 10, 2026
8.8 HIGH
CVE-2026-15070 — Salon Booking System <= 10.30.32 - Cross-Site Request Forgery to Remote Code Execution vi…

The Salon Booking System – Free Version plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 10.30.32. This is due to missing or incorrect nonce vali…

Remote | Cross-Site Request Forgery
Jul 10, 2026 Jul 10, 2026
Jul 10, 2026
Jul 10, 2026
9.8 CRITICAL
CVE-2026-14894 — Super Forms <= 6.3.313 - Unauthenticated Arbitrary File Upload via 'data' Parameter (data…

The Super Forms – Drag & Drop Form Builder plugin for WordPress is vulnerable to Arbitrary File Upload in all versions up to, and including, 6.3.313 via the submit_form function. This is due to missi…

Remote | Authentication
Jul 10, 2026 Jul 10, 2026
Jul 10, 2026
Jul 10, 2026
7.2 HIGH
CVE-2026-13430 — Post Export Import with Media <= 1.13.1 - Authenticated (Administrator+) Arbitrary File U…

The Post Export Import with Media plugin for WordPress is vulnerable to Arbitrary File Upload in all versions up to, and including, 1.13.1 via the import_media_file_secure function. This is due to in…

Remote | Misconfiguration
Jul 10, 2026 Jul 10, 2026
Jul 10, 2026
Jul 10, 2026
5.4 MEDIUM
CVE-2026-11818 — WPCafe <= 3.0.14 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Modific…

The WPCafe – Restaurant Menu, Online Food Ordering & Table Booking System plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.0.14. This is due to the p…

Remote | Authorization
Jul 10, 2026 Jul 10, 2026
Jul 10, 2026
Jul 10, 2026
6.1 MEDIUM
CVE-2026-11392 — WP Hotel Booking <= 2.3.1 - Reflected Cross-Site Scripting via 'check_in_date' and 'check…

The WP Hotel Booking plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'check_in_date' and 'check_out_date' parameters in all versions up to, and including, 2.3.1 due to in…

wp_hotel_booking | Remote | Cross-Site Scripting
Jul 10, 2026 Jul 10, 2026
Jul 10, 2026
Jul 10, 2026
0.0 NA
CVE-2026-15331 — zhayujie CowAgent Skill Installation service.py _add_package path traversal

A vulnerability was identified in zhayujie CowAgent up to 2.1.0. The affected element is the function _add_url/_add_package of the file agent/skills/service.py of the component Skill Installation Han…

| Path Traversal
Jul 10, 2026 Jul 10, 2026
Jul 10, 2026
Jul 10, 2026
0.0 NA
CVE-2026-15330 — zhayujie CowAgent Vision Tool vision.py _download_to_data_url server-side request forgery

A vulnerability was determined in zhayujie CowAgent up to 2.1.1. Impacted is the function _build_image_content/_download_to_data_url of the file agent/tools/vision/vision.py of the component Vision T…

| Server-Side Request Forgery
Jul 10, 2026 Jul 10, 2026
Jul 10, 2026
Jul 10, 2026
5.5 MEDIUM
CVE-2026-15320 — Sipeed PicoClaw pico.go rt.ReloadConfig authorization

A vulnerability was detected in Sipeed PicoClaw up to 0.2.9. This vulnerability affects the function rt.ReloadConfig of the file pkg/channels/pico/pico.go. Performing a manipulation of the argument m…

picoclaw | Remote | Authorization
Jul 10, 2026 Jul 10, 2026
Jul 10, 2026
Jul 10, 2026
7.5 HIGH
CVE-2026-15319 — Sipeed PicoClaw Launcher access_control.go IPAllowlist access control

A security vulnerability has been detected in Sipeed PicoClaw up to 0.2.9. This affects the function IPAllowlist of the file web/backend/middleware/access_control.go of the component Launcher. Such m…

picoclaw | Remote | Authorization
Jul 10, 2026 Jul 10, 2026
Jul 10, 2026
Jul 10, 2026
6.5 MEDIUM
CVE-2026-15318 — Sipeed PicoClaw MQTT Channel mqtt.go authorization

A weakness has been identified in Sipeed PicoClaw up to 0.2.9. Affected by this issue is some unknown functionality of the file pkg/channels/mqtt/mqtt.go of the component MQTT Channel Handler. This m…

picoclaw | Remote | Authorization
Jul 10, 2026 Jul 10, 2026
Jul 10, 2026
Jul 10, 2026
9.2 CRITICAL
CVE-2026-55615 — Langroid: Neo4jChatAgent executes LLM-generated Cypher without validation (prompt-to-Cyph…

Langroid is a framework for building large-language-model-powered applications. Prior to version 0.65.5, Neo4jChatAgent passes LLM-generated Cypher queries straight to the Neo4j driver with no valida…

langroid | Remote | Injection
Jul 10, 2026 Jul 10, 2026
Jul 10, 2026
Jul 10, 2026
8.1 HIGH
CVE-2026-54771 — Langroid: handle_message() executes user-supplied tool JSON without sender verification

Langroid is a framework for building large-language-model-powered applications. Prior to version 0.65.3, a Langroid application exposing a chat interface to untrusted users may allow direct tool invo…

langroid | Remote | Authorization
Jul 10, 2026 Jul 10, 2026
Jul 10, 2026
Jul 10, 2026
10.0 CRITICAL
CVE-2026-54769 — Langroid: Sandbox Escape to Remote Code Execution via Incomplete `eval()` Mitigation in T…

Langroid is a framework for building large-language-model-powered applications. Versions prior to 0.65.2 are vulnerable to a critical Sandbox Escape leading to Remote Code Execution (RCE) in its `Tab…

langroid | Remote | Injection
Jul 10, 2026 Jul 10, 2026
Jul 10, 2026
Jul 10, 2026
9.3 CRITICAL
CVE-2026-54760 — Langroid: SQLChatAgent dangerous-function blocklist can be bypassed with quoted or schema…

Langroid is a framework for building large-language-model-powered applications. Prior to version 0.65.1, the `SQLChatAgent` SQL-injection mitigation, with default `allow_dangerous_operations=False`, …

langroid | Remote | Injection
Jul 10, 2026 Jul 10, 2026
Jul 10, 2026
Jul 10, 2026
7.1 HIGH
CVE-2026-50181 — Langroid: Path traversal in the file tools allows read/write outside configured current d…

Langroid is a framework for building large-language-model-powered applications. Prior to version 0.64.0, Langroid's `ReadFileTool` and `WriteFileTool` appear to treat `curr_dir` as the intended worki…

langroid | Path Traversal
Jul 10, 2026 Jul 10, 2026
Jul 10, 2026
Jul 10, 2026
8.7 HIGH
CVE-2026-50180 — Langroid: SQLChatAgent _validate_query blocklist misses pg_read_file family enabling arbi…

Langroid is a framework for building large-language-model-powered applications. Prior to version 0.64.0, `SQLChatAgent` in `langroid` ships a `_validate_query` defense-in-depth layer whose `_DANGEROU…

langroid | Remote | Injection
Jul 10, 2026 Jul 10, 2026
Jul 10, 2026
Jul 10, 2026
Showing 20 of 7343 Results