Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
10.0 CRITICAL
CVE-2026-45631 — Dokploy: Pre-Auth Admin Takeover via Hardcoded Authentication Secret

Dokploy is a free, self-hostable Platform as a Service (PaaS). From 0.27.0 to before 0.29.3, a hardcoded BETTER_AUTH_SECRET fallback ("better-auth-secret-123456789") lets an unauthenticated attacker …

Remote | Authentication
May 29, 2026 May 29, 2026
May 29, 2026
May 29, 2026
9.0 CRITICAL
CVE-2026-45630 — Dokploy: Authenticated Remote Code Execution via Command Injection in updateTraefikConfig…

Dokploy is a free, self-hostable Platform as a Service (PaaS). In 0.28.8 and earlier, authenticated OS command injection in the application.updateTraefikConfig tRPC endpoint allows admin/owner users …

Remote | Injection
May 29, 2026 May 29, 2026
May 29, 2026
May 29, 2026
9.9 CRITICAL
CVE-2026-45629 — Dokploy: Authenticated Remote Code Execution via Command Injection in /listen-deployment …

Dokploy is a free, self-hostable Platform as a Service (PaaS). In 0.28.8 and earlier, authenticated OS command injection in the /listen-deployment WebSocket endpoint allows any organization member to…

Remote | Injection
May 29, 2026 May 29, 2026
May 29, 2026
May 29, 2026
9.6 CRITICAL
CVE-2026-45628 — Dokploy: Command Injection via Unescaped Branch Fields in Deployment Pipeline

Dokploy is a free, self-hostable Platform as a Service (PaaS). In 0.29.2 and earlier, Dokploy constructs shell commands using JavaScript template literals and executes them via child_process.exec() (…

Remote | Injection
May 29, 2026 May 29, 2026
May 29, 2026
May 29, 2026
8.2 HIGH
CVE-2026-45627 — Arcane: Unauthenticated reflected XSS via SVG color parameter in /api/app-images/logo ena…

Arcane is an interface for managing Docker containers, images, networks, and volumes. Prior to 1.19.0, the unauthenticated GET /api/app-images/logo endpoint reflects a user-supplied color query param…

arcane | Remote | Cross-Site Scripting
May 29, 2026 May 29, 2026
May 29, 2026
May 29, 2026
6.3 MEDIUM
CVE-2026-45626 — Arcane: OS Command Injection in Volume Browser ListDirectory via path query parameter

Arcane is an interface for managing Docker containers, images, networks, and volumes. In 1.18.1 and earlier, GET /environments/{id}/volumes/{volumeName}/browse accepts a path query parameter that is …

arcane | Remote | Injection
May 29, 2026 May 29, 2026
May 29, 2026
May 29, 2026
9.9 CRITICAL
CVE-2026-45625 — Arcane: Missing admin authorization on git repository endpoints allows non-admin users to…

Arcane is an interface for managing Docker containers, images, networks, and volumes. Prior to 1.19.0, Arcane's huma-based REST API exposes nine endpoints under /api/customize/git-repositories and /a…

arcane | Remote | Authentication
May 29, 2026 May 29, 2026
May 29, 2026
May 29, 2026
6.9 MEDIUM
CVE-2026-45577 — Neotoma: Unauthenticated Inspector/API access via reverse-proxy loopback auth bypass

Neotoma provides versioned records that persist across agent runs. From 0.6.0 to before 0.11.1, Neotoma can treat public reverse-proxied requests as local when the app receives them over a loopback s…

Remote | Authentication
May 29, 2026 May 29, 2026
May 29, 2026
May 29, 2026
8.6 HIGH
CVE-2026-44697 — Klever-Go MultiDataInterceptor: remote OOM via crafted compressed P2P payload

Klever-Go is the Go implementation of the Klever blockchain protocol. Prior to 1.7.17, a remote, unauthenticated denial-of-service vulnerability in Batch.Decompress (data/batch/batch.go) allows any p…

Remote | Denial of Service
May 29, 2026 May 29, 2026
May 29, 2026
May 29, 2026
5.3 MEDIUM
CVE-2026-43917 — Dokploy: Cross-Organization IDOR - Multiple tRPC endpoints missing activeOrganizationId v…

Dokploy is a free, self-hostable Platform as a Service (PaaS). In 0.19.0 and earlier, the protectedProcedure middleware only verifies the user is authenticated - it does NOT enforce organization scop…

Remote | Authorization
May 29, 2026 May 29, 2026
May 29, 2026
May 29, 2026
8.7 HIGH
CVE-2026-10108 — xiaomusic 0.5.7 Path Traversal via GET /music endpoint

xiaomusic v0.5.7 contains an unauthenticated path traversal vulnerability in the GET /music/{file_path:path} endpoint that allows unauthenticated attackers to read arbitrary files outside the intende…

Remote | Path Traversal
May 29, 2026 May 29, 2026
May 29, 2026
May 29, 2026
7.7 HIGH
CVE-2026-10107 — MoviePilot v2 SSRF via /api/v1/system/img/{proxy} Endpoint

MoviePilot v2 contains a server-side request forgery vulnerability in the image proxy endpoint that allows authenticated attackers to request arbitrary URLs by supplying a resource_token cookie and a…

Remote | Server-Side Request Forgery
May 29, 2026 May 29, 2026
May 29, 2026
May 29, 2026
8.7 HIGH
CVE-2026-10105 — agno 2.6.5 SQL Injection via ClickHouse delete_by_metadata()

agno 2.6.5 contains a SQL injection vulnerability in the ClickHouse vector database backend that allows attackers to inject arbitrary SQL expressions by supplying malicious metadata keys and values t…

Remote | Injection
May 29, 2026 May 29, 2026
May 29, 2026
May 29, 2026
5.8 MEDIUM
CVE-2026-10070 — macrozheng mall Super Admin Password update improper authorization

A vulnerability was found in macrozheng mall up to 1.0.3. This affects an unknown function of the file /admin/update/ of the component Super Admin Password Handler. Performing a manipulation results …

Remote | Authorization
May 29, 2026 May 29, 2026
May 29, 2026
May 29, 2026
7.4 HIGH
CVE-2026-48501 — GitHub CLI tokens leak via `gh attestation` commands

GitHub CLI (gh) is GitHub’s official command line tool. Prior to 2.93.0, GitHub CLI incorrectly includes authorization header in API requests to TUF repository mirrors via gh attestation, gh release …

cli | Remote | Authentication
May 29, 2026 May 29, 2026
May 29, 2026
May 29, 2026
9.9 CRITICAL
CVE-2026-45663 — Dokploy: Remote Code Execution via destinationPath in Container File Upload

Dokploy is a free, self-hostable Platform as a Service (PaaS). In 0.29.1 and earlier, a command injection vulnerability exists in the Docker file upload functionality. When an authenticated user uplo…

dokploy | Remote | Injection
May 29, 2026 May 29, 2026
May 29, 2026
May 29, 2026
8.8 HIGH
CVE-2026-45662 — Dokploy: Command Injection via incomplete shell escaping in docker logout (registry delet…

Dokploy is a free, self-hostable Platform as a Service (PaaS). In 0.29.0 and earlier, the deleteRegistry function in Dokploy (packages/server/src/services/registry.ts) executes docker logout ${respon…

dokploy | Remote | Injection
May 29, 2026 May 29, 2026
May 29, 2026
May 29, 2026
9.9 CRITICAL
CVE-2026-44962 — Plesk XPath Injection Vulnerability

Plesk contains an XPath injection vulnerability in the APS Application Catalog search functionality, where user-supplied input is interpolated into XPath queries without proper sanitization. This all…

Remote | Injection
May 29, 2026 May 29, 2026
May 29, 2026
May 29, 2026
7.2 HIGH
CVE-2026-39276 — Emlog Pro PHP Remote Code Execution (RCE)

The template upload feature in Emlog Pro v2.6.9 has a path traversal vulnerability, allowing authenticated administrators to execute arbitrary PHP code. By uploading a malicious ZIP archive containin…

Remote | Path Traversal
May 29, 2026 May 29, 2026
May 29, 2026
May 29, 2026
6.5 MEDIUM
CVE-2026-39229 — Bolt CMS SQL Injection

Bolt CMS through 3.7.0 allows SQL Injection in the 'order' parameter of the content listing pages. An authenticated attacker with low-level privileges can exploit this through the OrderDirective comp…

Remote | Injection
May 29, 2026 May 29, 2026
May 29, 2026
May 29, 2026
Showing 20 of 7019 Results