Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
9.8 CRITICAL
CVE-2026-49352 — 9Router: Hardcoded Default fallback JWT Secret Allows Authentication Bypass

9Router is an AI router & token saver. From 0.2.21 until 0.4.44, 9Router used the hardcoded fallback JWT secret 9router-default-secret-change-me in src/app/api/auth/login/route.js, src/middleware.js,…

Remote | Authentication
Jul 15, 2026 Jul 15, 2026
Jul 15, 2026
Jul 15, 2026
10.0 CRITICAL
CVE-2026-46339 — 9Router: Unauthenticated Remote Code Execution via unprotected MCP custom plugin routes

9Router is an AI router & token saver. From 0.4.30 until 0.4.37, 9Router's src/proxy.js middleware did not protect /api/cli-tools/* and /api/mcp/*, allowing unauthenticated registration of customPlug…

Remote | Authentication
Jul 15, 2026 Jul 15, 2026
Jul 15, 2026
Jul 15, 2026
0.0 NA
CVE-2026-38753 — BusyBox awk_sub Use-After-Free Vulnerability

A use-after-free in the awk_sub() function (editors/awk.c) of Busybox v1.38.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted AWK script.

| Memory Corruption
Jul 15, 2026 Jul 15, 2026
Jul 15, 2026
Jul 15, 2026
5.3 MEDIUM
CVE-2026-33684 — AVideo's Privilege AVideo: Escalation via Unguarded Permission Parameters in signUp API A…

WWBN AVideo is an open source video platform. Prior to version 29.0, Privilege Escalation is possible through unguarded permission parameters in signUp API, which allows any user who can solve a CAPT…

avideo | Remote | Authorization
Jul 15, 2026 Jul 15, 2026
Jul 15, 2026
Jul 15, 2026
8.7 HIGH
CVE-2026-33445 — Memory management vulnerability in Secure Access servers

CVE-2026-33445 is a memory management vulnerability in Secure Access servers prior to 14.55. Attackers with an intimate knowledge of and total control over the tunnel protocol can create a persistent…

secure_access | Remote | Memory Corruption
Jul 15, 2026 Jul 15, 2026
Jul 15, 2026
Jul 15, 2026
6.9 MEDIUM
CVE-2026-33444 — Memory management vulnerability in Secure Access servers

CVE-2026-33444 is a memory management vulnerability in Secure Access servers prior to 14.55. Attackers with intimate knowledge of and total control over the tunnel protocol can create a non-persisten…

Remote | Memory Corruption
Jul 15, 2026 Jul 15, 2026
Jul 15, 2026
Jul 15, 2026
5.4 MEDIUM
CVE-2026-56743 — Cilium may unexpectedly allow ingress traffic from the local namespace when a Kubernetes …

Cilium is a networking, observability, and security solution. From 1.19.0 to 1.19.4, standard Kubernetes NetworkPolicy specifications using CIDR-based ipBlock rules without pod or namespace selectors…

| Authorization
Jul 15, 2026 Jul 15, 2026
Jul 15, 2026
Jul 15, 2026
5.9 MEDIUM
CVE-2026-56742 — Cilium: Namespaced HTTPRoutes can redirect traffic to other namespaces

Cilium is a networking, observability, and security solution. Prior to 1.17.17, 1.18.11, and 1.19.5, Cilium clusters using Gateway API allow users with permissions to create or update namespaced HTTP…

| Authorization
Jul 15, 2026 Jul 15, 2026
Jul 15, 2026
Jul 15, 2026
7.6 HIGH
CVE-2026-52870 — MCP Python SDK: Experimental task handlers allow any client to access and cancel other cl…

The MCP Python SDK, called mcp on PyPI, is a Python implementation of the Model Context Protocol (MCP). From 1.23.0 until 1.27.2, default handlers installed by server.experimental.enable_tasks() for …

Remote | Authorization
Jul 15, 2026 Jul 15, 2026
Jul 15, 2026
Jul 15, 2026
7.1 HIGH
CVE-2026-52869 — MCP Python SDK: HTTP transports serve session requests without verifying the authenticate…

The MCP Python SDK, called mcp on PyPI, is a Python implementation of the Model Context Protocol (MCP). Prior to 1.27.2, the SSE and stateful Streamable HTTP transports mcp.server.sse.SseServerTransp…

Remote | Authentication
Jul 15, 2026 Jul 15, 2026
Jul 15, 2026
Jul 15, 2026
7.1 HIGH
CVE-2026-50144 — ncnn: Out-of-bounds heap write in ParamDict::load_param via unchecked negative parameter …

ncnn is a high-performance neural network inference framework optimized for the mobile platform. In commit e54f7b1f88434e1d844ea0551b880a1cfb079ce1 and earlier, ncnn allows an out-of-bounds heap writ…

| Memory Corruption
Jul 15, 2026 Jul 15, 2026
Jul 15, 2026
Jul 15, 2026
7.1 HIGH
CVE-2026-50124 — DataEase: Remote Code Execution (RCE) via Zip Protocol & File Dropper

DataEase is an open source data visualization and analysis tool. Prior to 2.10.23, DataEase can be exploited by uploading payload.zip through the Excel upload API /datasource/upload, creating an H2 d…

Remote | Injection
Jul 15, 2026 Jul 15, 2026
Jul 15, 2026
Jul 15, 2026
7.1 HIGH
CVE-2026-50030 — DataEase: Arbitrary SQL execution in preview path (direct data disclosure)

DataEase is an open source data visualization and analysis tool. Prior to 2.10.23, DataEase SQL preview exposes DatasetDataApi.previewSql/previewSqlCheck through /de2api/datasetData/previewSql, accep…

Remote | Injection
Jul 15, 2026 Jul 15, 2026
Jul 15, 2026
Jul 15, 2026
6.3 MEDIUM
CVE-2026-49867 — DataEase: Authenticated Stored XSS in DataEase Template Static Resources

DataEase is an open source data visualization and analysis tool. Prior to 2.10.23, DataEase template static resources let authenticated users submit TemplateManageRequest.staticResource through POST …

Remote | Cross-Site Scripting
Jul 15, 2026 Jul 15, 2026
Jul 15, 2026
Jul 15, 2026
9.2 CRITICAL
CVE-2026-49445 — Cilium: Sensitive information disclosure and cluster disruption via local Envoy admin soc…

Cilium is a networking, observability, and security solution. Prior to 1.17.14, 1.18.8, and 1.19.2, when Cilium L7 functionality is enabled, the embedded or standalone Envoy instance creates a world-…

cilium | Misconfiguration
Jul 15, 2026 Jul 15, 2026
Jul 15, 2026
Jul 15, 2026
9.5 CRITICAL
CVE-2026-46684 — DataEase: Unauthorized Command Execution Vulnerability

DataEase is an open source data visualization and analysis tool. Prior to 2.10.23, DataEase enterprise token handling can let TokenFilter#doFilter() pass X-DE-TOKEN values to TokenUtils.validate(), w…

Remote | Authentication
Jul 15, 2026 Jul 15, 2026
Jul 15, 2026
Jul 15, 2026
7.3 HIGH
CVE-2026-45738 — Argo CD: Stored XSS in application link annotations enables developer-to-admin privilege …

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Prior to 3.2.12, 3.3.10, and 3.4.2, Argo CD users with application write access can set link.argocd.argoproj.io/* annotations…

argo-cd | Remote | Cross-Site Scripting
Jul 15, 2026 Jul 15, 2026
Jul 15, 2026
Jul 15, 2026
6.3 MEDIUM
CVE-2026-45737 — Argo CD: Kubernetes Secret Extraction via ArgoCD ServerSideDiff via sensitive annotations

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. From 3.2.0 until 3.2.12, 3.3.10, and 3.4.2, Argo CD ServerSideDiff can expose Kubernetes Secret values embedded in the kubect…

argo-cd | Remote | Information Disclosure
Jul 15, 2026 Jul 15, 2026
Jul 15, 2026
Jul 15, 2026
8.7 HIGH
CVE-2026-45535 — DataEase: Stored SQL Injection Vulnerability

DataEase is an open source data visualization and analysis tool. Prior to 2.10.23, DataEase SQL-type datasets store attacker-controlled SQL variable defaultValue entries such as ${var} and SqlparserU…

Remote | Injection
Jul 15, 2026 Jul 15, 2026
Jul 15, 2026
Jul 15, 2026
9.0 CRITICAL
CVE-2026-45534 — DataEase: RCE Vulnerability

DataEase is an open source data visualization and analysis tool. Prior to 2.10.23, DataEase Redshift datasource connections can load attacker-controlled rsjdbc.ini configuration from System.getProper…

Remote | Misconfiguration
Jul 15, 2026 Jul 15, 2026
Jul 15, 2026
Jul 15, 2026
Showing 20 of 8258 Results