Security
CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
20470
Total
1466
Critical
6212
High
6509
Medium
| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-58176 | MEDIUM | 6.5 | RuoYi-Vue-Plus through 5.6.2, fixed in commit 88d03d9, exposes workflow task management endpoints under /workflow/task (FlwTaskController) without any permission check: the controller declares no class-level or … | Jun 30, 2026 |
| CVE-2026-58174 | MEDIUM | 6.5 | Hermes WebUI before 0.51.521 validates the workspace of an imported session under the active named profile but constructs the Session object without setting its profile … | Jun 30, 2026 |
| CVE-2026-58173 | MEDIUM | 6.5 | Vibe-Trading before 0.1.10 contains a path traversal vulnerability that allows attackers to write files outside the intended memory root directory by supplying a malicious memory_type … | Jun 30, 2026 |
| CVE-2026-58172 | CRITICAL | 9.1 | Ocelot through 24.1.0, fixed in commit f156fd4, contains a security control bypass vulnerability that allows denied clients to circumvent IP-based access restrictions by sending WebSocket … | Jun 30, 2026 |
| CVE-2026-58171 | MEDIUM | 4.2 | Vibe-Trading before 0.1.10 constructs the swarm run directory by joining a caller-supplied run identifier onto the runs base directory without validation in run_dir (agent/src/swarm/store.py). A … | Jun 30, 2026 |
| CVE-2026-58170 | HIGH | 8.3 | Vibe-Trading before 0.1.10 builds the proposal file path by joining a caller-supplied proposal identifier onto the broker proposals directory without sanitization (agent/src/live/mandate/commit.py). A proposal identifier … | Jun 30, 2026 |
| CVE-2026-58169 | HIGH | 7.5 | Vibe-Trading before 0.1.10 contains a DNS rebinding authentication bypass vulnerability that allows remote attackers to bypass bearer-token authentication by exploiting the server's trust of TCP … | Jun 30, 2026 |
| CVE-2026-58168 | HIGH | 8.8 | DeepTutor before version 1.4.10 contains an authorization bypass vulnerability that allows low-privilege users to invoke unrestricted MCP tools due to the allowed_mcp_tools function returning None … | Jun 30, 2026 |
| CVE-2026-58167 | MEDIUM | 6.5 | Nightingale (n9e) before 9.0.0-beta.2 exposes full datasource configurations, including plaintext database passwords, HTTP bearer tokens, HTTP basic-auth passwords, and mTLS client keys, to any authenticated … | Jun 30, 2026 |
| CVE-2026-58166 | CRITICAL | 9.1 | OpenBMB ChatDev through 2.2.0, fixed in commit 4fd4da6, contains a path traversal vulnerability that allows unauthenticated remote attackers to write or delete arbitrary files by … | Jun 30, 2026 |
| CVE-2026-58165 | HIGH | 8.8 | OpenZiti through 2.0.0, fixed in commit 3027fdf, contains a privilege escalation vulnerability that allows authenticated non-admin identities with fine-grained enrollment management permissions to create enrollments … | Jun 30, 2026 |
| CVE-2026-49451 | HIGH | 7.5 | The OpenAPI.NET SDK contains a useful object model for OpenAPI documents in .NET along with common serializers to extract raw OpenAPI JSON and YAML documents … | Jun 30, 2026 |
| CVE-2026-10655 | MEDIUM | 6.5 | The asynchronous SNTP client in Zephyr (subsys/net/lib/sntp/sntp.c, sntp_close_async) closed the UDP socket file descriptor directly from the calling thread immediately after detaching it from the … | Jun 30, 2026 |
| CVE-2026-10654 | LOW | 3.1 | A race condition in the Zephyr Bluetooth Classic RFCOMM host stack (subsys/bluetooth/host/classic/rfcomm.c) mishandles a simultaneous bidirectional session disconnect. When the local device has initiated a … | Jun 30, 2026 |
| CVE-2026-10653 | MEDIUM | 6.4 | The Zephyr net_buf library (lib/net_buf/buf.c) manipulated both of its reference counts -- the per-header buf->ref and the per-data-block ref_count at the start of each variable/heap … | Jun 30, 2026 |
| CVE-2026-10652 | MEDIUM | 4.8 | Zephyr's DNS resolver (subsys/net/lib/dns) parses resource records from DNS responses in dns_unpack_answer(), which validated only the fixed RR header (type, class, TTL, rdlength) and accepted … | Jun 30, 2026 |
| CVE-2026-48315 | CRITICAL | 9.3 | ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Input Validation vulnerability that could result in arbitrary code execution in the context of … | Jun 30, 2026 |
| CVE-2026-48314 | MEDIUM | 6.5 | ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could result … | Jun 30, 2026 |
| CVE-2026-48313 | CRITICAL | 9.3 | ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could lead … | Jun 30, 2026 |
| CVE-2026-48307 | HIGH | 8.8 | ColdFusion versions 2025.9, 2023.20 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this vulnerability to inject malicious scripts … | Jun 30, 2026 |
| CVE-2026-48286 | CRITICAL | 10.0 | Adobe Campaign Classic (ACC) versions 7.4.3 build 9396 and earlier are affected by an Incorrect Authorization vulnerability that could result in arbitrary code execution in … | Jun 30, 2026 |
| CVE-2026-48285 | HIGH | 8.6 | ColdFusion versions 2025.9, 2023.20 and earlier are affected by a Server-Side Request Forgery (SSRF) vulnerability that could result in a Security feature bypass. An attacker … | Jun 30, 2026 |
| CVE-2026-48283 | CRITICAL | 10.0 | ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Unrestricted Upload of File with Dangerous Type vulnerability that could result in arbitrary code execution … | Jun 30, 2026 |
| CVE-2026-48282 | CRITICAL | 10.0 | ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could lead … | Jun 30, 2026 |
| CVE-2026-48281 | CRITICAL | 10.0 | ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Input Validation vulnerability that could result in arbitrary code execution in the context of … | Jun 30, 2026 |