Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
0.0 NA
CVE-2026-52101 — andreimarcu linux-server Information Disclosure Vulnerability

An issue in andreimarcu linux-server v.1.0 through v.2.3.8 allows a remote attacker to obtain sensitive information via the function uploadRemote function in upload.go

| Information Disclosure
Jul 14, 2026 Jul 14, 2026
Jul 14, 2026
Jul 14, 2026
0.0 NA
CVE-2026-52100 — linux-server Cross-Site Request Forgery to Remote Code Execution

Cross Site Request Forgery vulnerability in andreimarcu linux-server v.1.0 through v.2.3.8 allows a remote attacker to execute arbitrary code via the uploadPutHandler function

| Cross-Site Request Forgery
Jul 14, 2026 Jul 14, 2026
Jul 14, 2026
Jul 14, 2026
6.3 MEDIUM
CVE-2026-49978 — DOMPurify IN_PLACE Sanitization Bypass via Attached Shadow Root Inside <template>.content

DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. Prior to 3.4.7, DOMPurify IN_PLACE sanitization could skip shadow contents attached to an element inside <template>.c…

dompurify | Remote | Cross-Site Scripting
Jul 14, 2026 Jul 14, 2026
Jul 14, 2026
Jul 14, 2026
7.5 HIGH
CVE-2026-49855 — tornado AsyncHTTPClient accumulates decompressed chunks without size limit (gzip bomb)

Tornado is a Python web framework and asynchronous networking library. Prior to 6.5.6, Tornado gzip decompression routines processed limited-size chunks but did not enforce an overall limit on accumu…

tornado | Remote | Denial of Service
Jul 14, 2026 Jul 14, 2026
Jul 14, 2026
Jul 14, 2026
5.3 MEDIUM
CVE-2026-49854 — Tornado: Out-of-bounds memory access in C extension

Tornado is a Python web framework and asynchronous networking library. Prior to 6.5.6, the optional native extension tornado.speedups implemented websocket_mask without validating that the mask argum…

tornado | Remote | Memory Corruption
Jul 14, 2026 Jul 14, 2026
Jul 14, 2026
Jul 14, 2026
7.7 HIGH
CVE-2026-49853 — Tornado: Authorization header forwarded across cross-origin redirects in SimpleAsyncHTTPC…

Tornado is a Python web framework and asynchronous networking library. Prior to 6.5.6, SimpleAsyncHTTPClient shallow-copied redirected requests and removed only the Host header, leaving Authorization…

tornado | Remote | Misconfiguration
Jul 14, 2026 Jul 14, 2026
Jul 14, 2026
Jul 14, 2026
7.5 HIGH
CVE-2026-49477 — Soup Sieve: Regular Expression Denial of Service (ReDoS) in soupsieve Selector Parser

Soup Sieve is a CSS selector library designed to be used with Beautiful Soup 4. Prior to 2.8.4, the CSS selector parser in soupsieve contains a regular expression vulnerable to catastrophic backtrack…

Remote | Denial of Service
Jul 14, 2026 Jul 14, 2026
Jul 14, 2026
Jul 14, 2026
7.5 HIGH
CVE-2026-49476 — Soup Sieve: Memory Exhaustion via Large Comma-Separated Selector Lists in soupsieve

Soup Sieve is a CSS selector library designed to be used with Beautiful Soup 4. Prior to 2.8.4, the CSS selector parser in soupsieve allocates unbounded memory when compiling large comma-separated se…

Remote | Denial of Service
Jul 14, 2026 Jul 14, 2026
Jul 14, 2026
Jul 14, 2026
6.1 MEDIUM
CVE-2026-49459 — DOMPurify: IN_PLACE mode preserves attributes of a clobbered root element, allowing XSS v…

DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. Prior to 3.4.6, DOMPurify.sanitize(root, { IN_PLACE: true }) could preserve event-handler attributes on an attacker-c…

dompurify | Remote | Cross-Site Scripting
Jul 14, 2026 Jul 14, 2026
Jul 14, 2026
Jul 14, 2026
6.1 MEDIUM
CVE-2026-49458 — DOMPurify: Cross-realm IN_PLACE sanitization leaves executable markup intact via realm-bo…

DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. Prior to 3.4.6, DOMPurify.sanitize(node, { IN_PLACE: true }) accepted same-origin foreign-realm DOM nodes while follo…

dompurify | Remote | Cross-Site Scripting
Jul 14, 2026 Jul 14, 2026
Jul 14, 2026
Jul 14, 2026
6.5 MEDIUM
CVE-2026-48816 — sigstore-js: Insufficient Verification of Data Authenticity

sigstore-js provides JavaScript libraries for interacting with Sigstore services. Prior to 3.1.1, @sigstore/verify derives a transparency-log timestamp from tlogEntries[].integratedTime for bundle v0…

Remote | Misconfiguration
Jul 14, 2026 Jul 14, 2026
Jul 14, 2026
Jul 14, 2026
7.5 HIGH
CVE-2026-48815 — sigstore-js: `certificateOIDs` verification constraints are silently dropped and never en…

sigstore-js provides JavaScript libraries for interacting with Sigstore services. Prior to 4.1.1, the documented certificateOIDs option in sigstore.verify() is accepted by the public API but discarde…

sigstore | Remote | Misconfiguration
Jul 14, 2026 Jul 14, 2026
Jul 14, 2026
Jul 14, 2026
8.7 HIGH
CVE-2026-48801 — linkify-it: Quadratic algorithmic complexity in LinkifyIt#match scan loop

linkify-it is a links recognition library with full Unicode support. Prior to 5.0.1, LinkifyIt.prototype.match, the package's primary public API, has O(N²) algorithmic complexity for inputs containin…

Remote | Denial of Service
Jul 14, 2026 Jul 14, 2026
Jul 14, 2026
Jul 14, 2026
5.4 MEDIUM
CVE-2026-48758 — sigstore-js: DSSE payloadType type-binding failure

sigstore-js provides JavaScript libraries for interacting with Sigstore services. Prior to 3.2.1, the preAuthEncoding function in @sigstore/core uses Node.js ascii encoding when converting the PAE st…

Remote | Cryptography
Jul 14, 2026 Jul 14, 2026
Jul 14, 2026
Jul 14, 2026
7.8 HIGH
CVE-2026-48370 — Media Encoder | Out-of-bounds Write (CWE-787)

Media Encoder is affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interactio…

media_encoder | Memory Corruption
Jul 14, 2026 Jul 15, 2026
Jul 14, 2026
Jul 15, 2026
7.8 HIGH
CVE-2026-48369 — Premiere Pro | Out-of-bounds Write (CWE-787)

Premiere Pro is affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction…

premiere | Memory Corruption
Jul 14, 2026 Jul 15, 2026
Jul 14, 2026
Jul 15, 2026
7.8 HIGH
CVE-2026-48367 — After Effects | Out-of-bounds Write (CWE-787)

After Effects is affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interactio…

after_effects | Memory Corruption
Jul 14, 2026 Jul 15, 2026
Jul 14, 2026
Jul 15, 2026
7.8 HIGH
CVE-2026-48366 — Media Encoder | Out-of-bounds Write (CWE-787)

Media Encoder is affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interactio…

media_encoder | Memory Corruption
Jul 14, 2026 Jul 15, 2026
Jul 14, 2026
Jul 15, 2026
7.8 HIGH
CVE-2026-48344 — GoCart | Time-of-check Time-of-use (TOCTOU) Race Condition (CWE-367)

Creative Cloud Desktop is affected by a Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability that could result in arbitrary code execution in the context of the current user. Exploit depen…

| Race Condition
Jul 14, 2026 Jul 15, 2026
Jul 14, 2026
Jul 15, 2026
7.8 HIGH
CVE-2026-48343 — Bridge | Out-of-bounds Write (CWE-787)

Bridge is affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in th…

bridge | Memory Corruption
Jul 14, 2026 Jul 15, 2026
Jul 14, 2026
Jul 15, 2026
Showing 20 of 8373 Results