Recent
Account Takeover via Predictable SSO Ticket Generation
Published 2026-06-23 by Zohocorp
Authenticated unintended access to critical program parameters
Published 2026-06-23 by CERTVDE
Mojolicious::Plugin::Web::Auth::OAuth2 versions through 0.17 for Perl have an insecure default state parameter
Published 2026-06-23 by CPANSec
Frontend File Manager Plugin <= 23.6 - Unauthenticated Arbitrary File Download
Published 2026-06-23 by WPScan
Frontend File Manager Plugin <= 23.6 - Subscriber+ Stored Cross-Site Scripting via File Rename
Published 2026-06-23 by WPScan
Simple Basic Contact Form <= 20250114 - Reflected XSS
Published 2026-06-23 by WPScan
Infility Global < 2.15.19 - Subscriber+ SQL Injection via order Parameter
Published 2026-06-23 by WPScan
Infility Global < 2.15.20 - Editor+ SQL Injection via orderby Parameter
Published 2026-06-23 by WPScan
Published 2026-06-23 by snyk
OpenSSH: heap out-of-bounds read in Red Hat Enterprise Linux versions of OpenSSH GSSAPI indicator cleanup due to missing NULL sentinel termination
Published 2026-06-23 by redhat
OpenSSH: local MITM of X11 forwarding via abstract Unix socket pre-binding in Red Hat Enterprise Linux OpenSSH client versions
Published 2026-06-23 by redhat
OpenSSH: double free in Red Hat Enterprise Linux versions of OpenSSH DH-GEX client path during FIPS known-group validation leads to client-side denial of service
Published 2026-06-23 by redhat
Published 2026-06-23 by YokogawaGroup
Bluetooth Host ISO RX Missing SDU Header Length Validation in bt_iso_recv() Leads to DoS
Published 2026-06-22 by zephyr
Bluetooth Classic SDP parser truncation bug in bt_sdp_parse_attribute() leads to reachable assertion and possible out-of-bounds read
Published 2026-06-22 by zephyr
fs: ext2: Missing structural validation of directory entries can cause out-of-bounds read and zero-progress directory traversal
Published 2026-06-22 by zephyr
vLLM: Artifact Pin Decay in vLLM allows pinned deployments to load unpinned code, weights, and processors
Published 2026-06-22 by GitHub_M
vLLM: Security Check Bypass via assert Statement in Activation Function Loading Allows Arbitrary Code Execution
Published 2026-06-22 by GitHub_M
vLLM: Dependency Confusion Vulnerability in vLLM Dockerfile
Published 2026-06-22 by GitHub_M
vLLM: OOM Denial of Service via Audio Decompression Bomb
Published 2026-06-22 by GitHub_M
vLLM: incomplete CVE-2026-22778 fix leaks PIL repr addresses via Anthropic router
Published 2026-06-22 by GitHub_M
vLLM: temperature=NaN and temperature=Infinity bypass validation and propagate to GPU kernels
Published 2026-06-22 by GitHub_M
vLLM: OpenAI auth bypass
Published 2026-06-22 by GitHub_M
vLLM GGUF Kernels: int64_t to int truncation of tensor dimensions causes GPU buffer overflow
Published 2026-06-22 by GitHub_M
Filament: Disabled RichEditor field state can be used for XSS
Published 2026-06-22 by GitHub_M
Filament: Inconsistent scope enforcement for AttachAction and AssociateAction Select fields
Published 2026-06-22 by GitHub_M
Filament: Unvalidated ImageColumn and ImageEntry values can be used for XSS
Published 2026-06-22 by GitHub_M
Filament: Unauthenticated temporary file upload on auth pages
Published 2026-06-22 by GitHub_M
Filament: Timing-based user enumeration on login page
Published 2026-06-22 by GitHub_M
Filament: Multi-factor authentication (app) recovery codes can still be used multiple times via concurrent submission
Published 2026-06-22 by GitHub_M
WebOb: Location header normalization during redirect leads to open redirect
Published 2026-06-22 by GitHub_M
MessagePack-CSharp: LZ4 decompression may fail with AccessViolationException after dereferencing memory from bad input
Published 2026-06-22 by GitHub_M
MessagePack-CSharp: Denial of service vulnerabilities can swamp the CPU or crash the process with stack and heap overflows
Published 2026-06-22 by GitHub_M
MessagePack-CSharp: MessagePackReader.Skip can recurse without enforcing maximum object graph depth
Published 2026-06-22 by GitHub_M
MessagePack-CSharp: ASP.NET Core MessagePackInputFormatter defaults to TrustedData for HTTP request bodies
Published 2026-06-22 by GitHub_M
MessagePack-CSharp: LZ4 decompression allocates from unbounded declared output lengths
Published 2026-06-22 by GitHub_M
MessagePack-CSharp: ExpandoObject formatter can perform quadratic insertion work on untrusted maps
Published 2026-06-22 by GitHub_M
MessagePack-CSharp: JSON conversion APIs can recurse without consistent depth enforcement
Published 2026-06-22 by GitHub_M
MessagePack-CSharp: DynamicUnionResolver generated deserializers miss depth enforcement
Published 2026-06-22 by GitHub_M
MessagePack-CSharp: Unity unsafe blit formatter allocates from unbounded byte length
Published 2026-06-22 by GitHub_M
MessagePack-CSharp: Multi-dimensional array formatters allocate from unchecked dimensions
Published 2026-06-22 by GitHub_M
MessagePack-CSharp: InterfaceLookupFormatter bypasses collision-resistant comparer settings
Published 2026-06-22 by GitHub_M
Nuxt - Cross-Site Scripting via navigateTo open Option
Published 2026-06-22 by VulnCheck
Nuxt - Open Redirect via Protocol-Relative Paths in reloadNuxtApp
Published 2026-06-22 by VulnCheck
n8n - Webhook Forgery via Missing HMAC-SHA256 Signature Verification in GitHub Webhook Trigger
Published 2026-06-22 by VulnCheck
n8n - Credential Exfiltration via Allowed HTTP Request Domains Bypass in Dynamic Node Parameters Endpoint
Published 2026-06-22 by VulnCheck
Nuxt - Server-Side Open Redirect via Path-Normalization Bypass in navigateTo
Published 2026-06-22 by VulnCheck
Capgo - Rate Limit Bypass via User-Controlled device_id Parameter
Published 2026-06-22 by VulnCheck
Capgo - Unauthenticated Channel Enumeration and App Oracle via GET /channel_self
Published 2026-06-22 by VulnCheck
Capgo - Missing Authentication Middleware on GET /private/role_bindings Endpoint
Published 2026-06-22 by VulnCheck
Capgo - Deleted Bundle Selection via Missing Deletion Filter in /updates Endpoint
Published 2026-06-22 by VulnCheck
Capgo - Unauthenticated Cross-Tenant Disclosure via get_current_plan_max_org RPC
Published 2026-06-22 by VulnCheck
Capgo - Subkey Enforcement Bypass via x-limited-key-id Header Parsing
Published 2026-06-22 by VulnCheck
Cap-go - Privilege Inversion in Build Log Stream via SSE Disconnect
Published 2026-06-22 by VulnCheck
Flowise - Cross-Workspace Information Disclosure via chatflows/apikey Endpoint
Published 2026-06-22 by VulnCheck
Crawl4AI - Server-Side Request Forgery via Direct Crawl Endpoints
Published 2026-06-22 by VulnCheck
Capgo - Denial of Service via Unlimited Demo App Creation
Published 2026-06-22 by VulnCheck
Cap-go - SQL Injection in Cloudflare Analytics Engine Queries via cloudflare.ts
Published 2026-06-22 by VulnCheck
picklescan - Remote Code Execution via idlelib.autocomplete.AutoComplete.get_entity
Published 2026-06-22 by VulnCheck
picklescan - Arbitrary Code Execution via Undetected ensurepip._run_pip Function
Published 2026-06-22 by VulnCheck
Picklescan - Arbitrary Code Execution via numpy.f2py.crackfortran._eval_length Gadget
Published 2026-06-22 by VulnCheck
MessagePack-CSharp: Typeless deserialization type restrictions do not recurse into arrays or generic arguments
Published 2026-06-22 by GitHub_M
UltraJSON: Malformed/Truncated UTF-8 Accepted and Silently Rewritten in ujson.dumps()
Published 2026-06-22 by GitHub_M
Fabric.js: Improper escaping in fabric.Gradient colorStops leads to XSS in SVG serialization
Published 2026-06-22 by GitHub_M
Nest: Middleware Bypass on Fastify via Trailing Slash
Published 2026-06-22 by GitHub_M
LiteLLM: Authentication Bypass via Host Header Injection
Published 2026-06-22 by GitHub_M
Authlib OAuth 2.0 authorization endpoint open redirects to attacker-controlled redirect_uri on unsupported response_type
Published 2026-06-22 by GitHub_M
PhpSpreadsheet: File::prohibitWrappers bypass
Published 2026-06-22 by GitHub_M
pypdf: Possible infinite loop when processing threads/articles in writer
Published 2026-06-22 by GitHub_M
pypdf: Inefficient decoding of FlateDecode PNG predictor streams
Published 2026-06-22 by GitHub_M
pypdf: Possible large memory usage for form XObjects during text extraction
Published 2026-06-22 by GitHub_M
pypdf: Possible infinite loop when processing outlines/bookmarks in writer
Published 2026-06-22 by GitHub_M
pypdf: Possible infinite loop when retrieving fonts for layout-mode text extraction
Published 2026-06-22 by GitHub_M
Net::IMAP: Command Injection via ID command argument
Published 2026-06-22 by GitHub_M
Net::IMAP: Command Injection via non-synchronizing literal in "raw" argument
Published 2026-06-22 by GitHub_M
Gophish 0.12.1 Denial of Service via Office Document Upload
Published 2026-06-22 by VulnCheck
Net::IMAP: Denial of Service via incomplete raw argument validation
Published 2026-06-22 by GitHub_M
http-proxy-middleware: multipart/form-data field injection via unescaped CRLF in `fixRequestBody`
Published 2026-06-22 by GitHub_M
phpseclib: X.509 certificate validation sends attacker-controlled outbound requests (server-side request forgery) via Authority Information Access
Published 2026-06-22 by GitHub_M
Jupyter Server: Stored XSS in `NbconvertFileHandler` / `NbconvertPostHandler` via missing `sandbox` CSP
Published 2026-06-22 by GitHub_M
IBM i is Affected By a Denial of Service in IBM WebSphere Application Server Liberty
Published 2026-06-22 by ibm
Published 2026-06-22 by dell
Published 2026-06-22 by hackerone
Published 2026-06-22 by dell
Published 2026-06-22 by dell
Published 2026-06-22 by dell
WebP Server Go < 0.15.0 Path Traversal via Backslash Encoding on Windows
Published 2026-06-22 by VulnCheck
Unauthenticated Command Injection via DHCP Option Handling in Multiple TP-Link Routers
Published 2026-06-22 by TPLink
React Router: `handleDocumentRequest` CSRF check covers `POST` only; PUT/PATCH/DELETE bypass
Published 2026-06-22 by GitHub_M
Astro: Host-header full-read SSRF in core prerendered error-page fetch (prerenderedErrorPageFetch default + unvalidated createRequestFromNodeRequest URL)
Published 2026-06-22 by GitHub_M
Astro: XSS via Unescaped Attribute Names in Spread Props
Published 2026-06-22 by GitHub_M
Astro: Reflected XSS via unescaped slot name
Published 2026-06-22 by GitHub_M
@astrojs/netlify broadens Astro image.remotePatterns in Netlify Image CDN config
Published 2026-06-22 by GitHub_M
NLTK: URL-Encoded Path Traversal in nltk.data.load() Allows Arbitrary Local File Read
Published 2026-06-22 by GitHub_M
LangChain: Path traversal and sandbox escape in LangChain file-search middleware and loaders
Published 2026-06-22 by GitHub_M
Hono: Body Limit Middleware can be bypassed on AWS Lambda by understating `Content-Length`
Published 2026-06-22 by GitHub_M
Hono: Lambda@Edge adapter keeps only the last value of a repeated request header, dropping the rest
Published 2026-06-22 by GitHub_M
Hono: CORS Middleware reflects any Origin with credentials when `origin` defaults to the wildcard
Published 2026-06-22 by GitHub_M
MCP Extension Code Injection Vulnerability in Autodesk Fusion Desktop
Published 2026-06-22 by autodesk
Hono: Path traversal in `serve-static` on Windows via encoded backslash (`%5C`)
Published 2026-06-22 by GitHub_M
Hono: AWS Lambda adapter merges multiple `Set-Cookie` headers into one value, dropping cookies on ALB single-header and Lattice
Published 2026-06-22 by GitHub_M
Python-Multipart: Negative Content-Length in parse_form buffers the entire body in memory
Published 2026-06-22 by GitHub_M
Python-Multipart: Content-Disposition parameter smuggling via RFC 2231/5987 extended parameters
Published 2026-06-22 by GitHub_M
Python-Multipart: Semicolon treated as querystring field separator enables parameter smuggling
Published 2026-06-22 by GitHub_M
Python-Multipart: Quadratic-time querystring parsing with semicolon separators causes CPU denial of service
Published 2026-06-22 by GitHub_M
opentelemetry-js: Unbounded memory allocation in W3C Baggage propagation
Published 2026-06-22 by GitHub_M
piscina: Prototype Pollution Gadget → RCE via inherited options.filename
Published 2026-06-22 by GitHub_M
Starlette: request.form() limits silently ignored for application/x-www-form-urlencoded enable DoS
Published 2026-06-22 by GitHub_M
Starlette: Unvalidated request path concatenated into authority poisons request.url.hostname
Published 2026-06-22 by GitHub_M
AIOHTTP: HTTP/1 Pipelined Requests Queue Without Limit
Published 2026-06-22 by GitHub_M
AIOHTTP: Payload Response Resources Are Not Closed After Mid-Body Disconnect
Published 2026-06-22 by GitHub_M
AIOHTTP: Unread Compressed Request Bodies Bypass client_max_size During Cleanup
Published 2026-06-22 by GitHub_M
AIOHTTP: C HTTP Parser Bypasses max_line_size for Fragmented Lines
Published 2026-06-22 by GitHub_M
AIOHTTP: DigestAuthMiddleware Applies Credentials to Cross-Origin Redirect Challenges
Published 2026-06-22 by GitHub_M
AIOHTTP: TLS Server Hostname Override Is Ignored When Reusing HTTPS Connections
Published 2026-06-22 by GitHub_M
AIOHTTP: Incomplete websocket frame payloads bypass memory limits
Published 2026-06-22 by GitHub_M
AIOHTTP: Host-Only Cookies Become Domain Cookies After CookieJar Persistence
Published 2026-06-22 by GitHub_M
Grafana pre-auth DoS through arbitrarily large input to public dashboard query handler
Published 2026-06-22 by GRAFANA
AIOHTTP: CRLF injection in multipart headers
Published 2026-06-22 by GitHub_M
protobufjs: Schema-derived names can shadow runtime-significant properties
Published 2026-06-22 by GitHub_M