Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
5.8 MEDIUM
CVE-2026-62314 — Anubis: Policy bypass via client controlled X-Original-URI header

Anubis is a Web AI Firewall Utility that challenges users' connections in order to protect upstream resources from scraper bots. From 1.22.0 until 1.26.0-pre1, lib/policy/checker.go PathChecker.Check…

Remote | Path Traversal
Jul 15, 2026 Jul 15, 2026
Jul 15, 2026
Jul 15, 2026
9.8 CRITICAL
CVE-2026-55652 — Wekan: Header-login IP allowlist bypass via X-Forwarded-For spoofing in Wekan allows unau…

Wekan is open source kanban built with Meteor. Prior to 9.46, header-login with HEADER_LOGIN_TRUSTED_IPS uses getRequestIp() in server/lib/headerLoginAuth.js to trust the client-supplied X-Forwarded-…

Remote | Authentication
Jul 15, 2026 Jul 15, 2026
Jul 15, 2026
Jul 15, 2026
8.8 HIGH
CVE-2026-55576 — MaaAssistantArknights: PR-title expression injection in release-preparation.yml

MaaAssistantArknights is a one-click tool for daily Arknights tasks. In the current dev-v2 workflow, .github/workflows/release-preparation.yml inlined attacker-controlled github.event.pull_request.ti…

Remote | Injection
Jul 15, 2026 Jul 15, 2026
Jul 15, 2026
Jul 15, 2026
9.3 CRITICAL
CVE-2026-55445 — Qinglong: Incomplete fix for CVE-2026-3965: Improper Authentication

Qinglong is a timed task management platform supporting Python3, JavaScript, Shell, and Typescript. Prior to 2.20.1, the init guard middleware in back/loaders/express.ts checks /api/user/init but not…

Remote | Authentication
Jul 15, 2026 Jul 15, 2026
Jul 15, 2026
Jul 15, 2026
8.5 HIGH
CVE-2026-55234 — Wekan: Broken access control: any authenticated user can move their Cards/Lists/Swimlanes…

Wekan is open source kanban built with Meteor. Prior to 9.37, Wekan DDP update allow rules in server/permissions/cards.js, server/permissions/lists.js, and server/permissions/swimlanes.js authorize a…

Remote | Authorization
Jul 15, 2026 Jul 15, 2026
Jul 15, 2026
Jul 15, 2026
9.6 CRITICAL
CVE-2026-54458 — AVideo: Unauthenticated Stored DOM Cross-Site Scripting via Per-Client Metadata Broadcast…

WWBN AVideo is an open source video platform. Versions prior to 29.0 contain a stored DOM Cross-Site Scripting vulnerability in the YPTSocket plugin. Any unauthenticated remote attacker can execute a…

avideo | Remote | Cross-Site Scripting
Jul 15, 2026 Jul 15, 2026
Jul 15, 2026
Jul 15, 2026
6.5 MEDIUM
CVE-2026-53447 — Wekan: `cloneBoard` Meteor method has no authorization check — any user can clone (read) …

Wekan is open source kanban built with Meteor. Prior to 9.35, the Wekan cloneBoard Meteor method in models/import.js uses caller-supplied sourceBoardId to build a board export through models/exporter…

Remote | Authorization
Jul 15, 2026 Jul 15, 2026
Jul 15, 2026
Jul 15, 2026
6.2 MEDIUM
CVE-2026-53446 — Wekan: Server-Side Request Forgery (SSRF) via webhook integration URLs

Wekan is open source kanban built with Meteor. Prior to 9.32, Wekan webhook integration URLs in models/integrations.js are stored from user input and later fetched by server/notifications/outgoing.js…

Remote | Server-Side Request Forgery
Jul 15, 2026 Jul 15, 2026
Jul 15, 2026
Jul 15, 2026
7.1 HIGH
CVE-2026-53445 — Wekan: Authorization bypass in copyBoard DDP method allows any user to copy private boards

Wekan is open source kanban built with Meteor. Prior to 9.32, the Wekan copyBoard Meteor DDP method in server/publications/boards.js copies a board by caller-supplied board ID without checking this.u…

Remote | Authorization
Jul 15, 2026 Jul 15, 2026
Jul 15, 2026
Jul 15, 2026
7.6 HIGH
CVE-2026-53444 — Wekan: Missing authorization on OIDC Meteor methods allows privilege escalation to admin

Wekan is open source kanban built with Meteor. Prior to 9.32, Wekan OIDC-related Meteor methods in packages/wekan-oidc/oidc_server.js, server/models/org.js, and server/models/team.js are globally cal…

Remote | Authentication
Jul 15, 2026 Jul 15, 2026
Jul 15, 2026
Jul 15, 2026
9.2 CRITICAL
CVE-2026-52893 — Wekan: OIDC Account Takeover via Unconditional Email-Based Account Merge in onCreateUser …

Wekan is open source kanban built with Meteor. Prior to 9.32, the Wekan Accounts.onCreateUser hook in server/models/users.js merges OIDC logins into existing accounts when the OIDC email or username …

Remote | Authentication
Jul 15, 2026 Jul 15, 2026
Jul 15, 2026
Jul 15, 2026
6.5 MEDIUM
CVE-2026-52892 — Wekan: Read-only board members can create/modify/delete Custom Fields (privilege escalati…

Wekan is open source kanban built with Meteor. Prior to 9.32, Wekan REST handlers in server/models/customFields.js use read-level Authentication.checkBoardAccess instead of write-level Authentication…

Remote | Authentication
Jul 15, 2026 Jul 15, 2026
Jul 15, 2026
Jul 15, 2026
9.9 CRITICAL
CVE-2026-52891 — Wekan: Shell Injection via Avatar Upload

Wekan is open source kanban built with Meteor. Prior to 9.07, Wekan avatar upload functionality embeds user-supplied filenames into paths later passed to child_process.exec() for MIME-type detection.…

Remote | Injection
Jul 15, 2026 Jul 15, 2026
Jul 15, 2026
Jul 15, 2026
7.1 HIGH
CVE-2026-52890 — Wekan: Arbitrary file read and server DoS via attachment versions.original.path

Wekan is open source kanban built with Meteor. Prior to 9.31, Wekan allows a logged-in board member to insert an attachment document through the /attachments/insert DDP method with attacker-controlle…

Remote | Path Traversal
Jul 15, 2026 Jul 15, 2026
Jul 15, 2026
Jul 15, 2026
4.7 MEDIUM
CVE-2026-50183 — WWBN AVideo: Stored XSS via Hostile YouTube Video Title in AVideo YouTubeAPI Gallery Sect…

WWBN AVideo is an open source video platform. Versions 29.0 and below contain a stored Cross-Site Scripting vulnerability in the YouTubeAPI plugin. The plugin renders the snippet.title field returned…

avideo | Remote | Cross-Site Scripting
Jul 15, 2026 Jul 15, 2026
Jul 15, 2026
Jul 15, 2026
6.1 MEDIUM
CVE-2026-50182 — AVideo Has Unauthenticated Reflected XSS via $_GET['search'] in YouTubeAPI Gallery Pagina…

WWBN AVideo is an open source video platform. Versions prior to 29.0 contain an unauthenticated Reflected XSS vulnerability through AVideo YouTubeAPI Gallery Pagination. The $_GET['search'] query par…

avideo | Remote | Cross-Site Scripting
Jul 15, 2026 Jul 15, 2026
Jul 15, 2026
Jul 15, 2026
7.7 HIGH
CVE-2026-49279 — WWBN AVideo: Stored XSS via autoEvalCodeOnHTML Bypass in MessageSQLite WebSocket Handler …

WWBN AVideo is an open source video platform. Versions 29.0 and below contain a Stored XSS vulnerability through the autoEvalCodeOnHTML parameter in the MessageSQLite WebSocket Handler. The MessageSQ…

avideo | Remote | Cross-Site Scripting
Jul 15, 2026 Jul 15, 2026
Jul 15, 2026
Jul 15, 2026
8.6 HIGH
CVE-2026-48795 — Incomplete fix for CVE-2026-25754 in @adonisjs/bodyparser

AdonisJS is a TypeScript-first web framework. From 10.1.3 until 10.1.5 and 11.0.3, AdonisJS @adonisjs/bodyparser incompletely fixed CVE-2026-25754 because nested multipart field payloads such as user…

core | Remote | Misconfiguration
Jul 15, 2026 Jul 15, 2026
Jul 15, 2026
Jul 15, 2026
7.7 HIGH
CVE-2026-45313 — Sandboxie-Plus: Sandboxie APC Injection Sandbox Escape

Sandboxie-Plus is an open source sandbox-based isolation software for Windows. Prior to 1.17.6, GuiServer::WndHookRegisterSlave in Sandboxie/core/svc/GuiServer.cpp stores attacker-supplied hthread an…

sandboxie | Memory Corruption
Jul 15, 2026 Jul 15, 2026
Jul 15, 2026
Jul 15, 2026
0.0 NA
CVE-2026-38974 — Dulwich Missing SSH Host Key Verification

Dulwich through 1.1.0 was found to be missing SSH host key verification in contrib/paramiko_vendor.py.

| Misconfiguration
Jul 15, 2026 Jul 15, 2026
Jul 15, 2026
Jul 15, 2026
Showing 20 of 8268 Results