Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Common Vulnerability Scoring System24266
0
10
CVE-2026-50185
Assigner-GitHub, Inc.
ShareView Details
Assigner-GitHub, Inc.
CVSS Score-2||LOW
EPSS-Not Assigned
Published-17 Jul, 2026 | 18:35
Updated-17 Jul, 2026 | 18:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
RustCrypto Cmov/CmovEq on aarch64 can produce wrong results if high-bits of registers are set

RustCrypto CMOV provides conditional move CPU intrinsics which are guaranteed on major platforms to execute in constant-time and not be rewritten as branches by the compiler. From 0.1.1 until 0.5.4, the aarch64 implementations of Cmov and CmovEq in cmov/src/backends/aarch64.rs assume high bits are zero-extended when loading values smaller than a register, so set high bits such as [8..] in a Cmov selector or [16..] of self or other in the u16 and i16 CmovEq implementations can cause left.cmovz(&right, condition) to produce incorrect output. This issue is fixed in version 0.5.4.

Action-Not Available
Vendor-RustCrypto
Product-utils
CWE ID-CWE-758
Reliance on Undefined, Unspecified, or Implementation-Defined Behavior
CVE-2026-16073
Assigner-VulDB
ShareView Details
Assigner-VulDB
CVSS Score-5.1||MEDIUM
EPSS-Not Assigned
Published-17 Jul, 2026 | 18:15
Updated-17 Jul, 2026 | 18:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
AstrBotDevs AstrBot T2I Feature base.py NetworkRenderStrategy.render cross site scripting

A security vulnerability has been detected in AstrBotDevs AstrBot up to 4.25.2. Affected by this issue is the function Star.text_to_image/NetworkRenderStrategy.render of the file astrbot/core/star/base.py of the component T2I Feature. The manipulation leads to cross site scripting. The attack is possible to be carried out remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-AstrBotDevs
Product-AstrBot
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2025-59866
Assigner-HCL Software
ShareView Details
Assigner-HCL Software
CVSS Score-3.3||LOW
EPSS-Not Assigned
Published-17 Jul, 2026 | 17:22
Updated-17 Jul, 2026 | 18:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The HCL DFMPro, DFXAnalytics and DFXServer installers are affected by ‘Insecure file permissions Leading to Privilege Escalation’ vulnerability, which enables any logged-in non-administrative user to overwrite or replace the executable file with a malicious binary.

Action-Not Available
Vendor-HCLSoftware
Product-DFXAnalyticsDFXServerDFMPro for CATIA
CWE ID-CWE-732
Incorrect Permission Assignment for Critical Resource
CVE-2026-21764
Assigner-HCL Software
ShareView Details
Assigner-HCL Software
CVSS Score-3.1||LOW
EPSS-Not Assigned
Published-17 Jul, 2026 | 17:11
Updated-17 Jul, 2026 | 18:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Insufficient Input Validation in DevOps Loop

HCL DevOps Loop is affected by insufficient input validation that allows special characters where they should be restricted. This may result in unintended application behavior under certain conditions.

Action-Not Available
Vendor-HCLSoftware
Product-DevOps Loop
CWE ID-CWE-754
Improper Check for Unusual or Exceptional Conditions
CVE-2026-21762
Assigner-HCL Software
ShareView Details
Assigner-HCL Software
CVSS Score-3.7||LOW
EPSS-Not Assigned
Published-17 Jul, 2026 | 17:10
Updated-17 Jul, 2026 | 18:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Missing HTTP Security Headers in DevOps Loop

HCL DevOps Loop is affected by missing HTTP security headers. Missing security headers may reduce browser protections against common web-based attacks such as clickjacking, MIME-type sniffing, and cross-site scripting.

Action-Not Available
Vendor-HCLSoftware
Product-DevOps Loop
CWE ID-CWE-644
Improper Neutralization of HTTP Headers for Scripting Syntax
CVE-2026-49215
Assigner-GitHub, Inc.
ShareView Details
Assigner-GitHub, Inc.
CVSS Score-2.1||LOW
EPSS-Not Assigned
Published-17 Jul, 2026 | 16:16
Updated-17 Jul, 2026 | 19:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Symfony UX: CSRF Protection Bypass in symfony/ux-live-component — Accept Header is CORS-Safelisted

Symfony UX is a JavaScript ecosystem for Symfony. From 2.22.0 until 2.36.0 and 3.1.0, Symfony\UX\LiveComponent\EventListener\LiveComponentSubscriber::isLiveComponentRequest() gates #[LiveAction] invocations on Accept: application/vnd.live-component+html, but the Accept header is CORS-safelisted and cross-origin fetch() can set it without preflight, allowing forged cross-origin #[LiveAction] requests against a victim session when applications use SameSite=None, credentials: 'include', a permissive cookie policy, or a same-origin pivot. This issue is fixed in versions 2.36.0 and 3.1.0.

Action-Not Available
Vendor-symfony
Product-ux
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2026-49210
Assigner-GitHub, Inc.
ShareView Details
Assigner-GitHub, Inc.
CVSS Score-2.3||LOW
EPSS-Not Assigned
Published-17 Jul, 2026 | 16:09
Updated-17 Jul, 2026 | 18:00
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Symfony UX: XSS in symfony/ux-live-component via attacker-controlled child component tag

Symfony UX is a JavaScript ecosystem for Symfony. From 2.8.0 until 2.36.0 and 3.1.0, Symfony\UX\LiveComponent\Util\ChildComponentPartialRenderer::createHtml() interpolates the client-controlled children[id].tag value from LiveComponentSubscriber and InterceptChildComponentRenderSubscriber directly into HTML as a tag name without escaping or validation, allowing arbitrary HTML, including <script> tags, on any Live Component re-render that contains at least one child component. This issue is fixed in versions 2.36.0 and 3.1.0.

Action-Not Available
Vendor-symfony
Product-ux
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-16017
Assigner-VulDB
ShareView Details
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-Not Assigned
Published-17 Jul, 2026 | 14:15
Updated-17 Jul, 2026 | 18:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
mosaxiv clawlet cron Chat Tool tool_cron.go remove authorization

A security flaw has been discovered in mosaxiv clawlet up to 0.2.10. Impacted is the function list/remove of the file tools/tool_cron.go of the component cron Chat Tool. The manipulation results in missing authorization. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks. The reported GitHub issue was closed with the label "not planned".

Action-Not Available
Vendor-mosaxiv
Product-clawlet
CWE ID-CWE-862
Missing Authorization
CWE ID-CWE-863
Incorrect Authorization
CVE-2024-23573
Assigner-HCL Software
ShareView Details
Assigner-HCL Software
CVSS Score-3.7||LOW
EPSS-Not Assigned
Published-17 Jul, 2026 | 13:42
Updated-17 Jul, 2026 | 16:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

HCL Aftermarket EPC is vulnerable to attack since the Application is vulnerable to Lucky 13. that makes the SS LLUCKY13 possible affects the TLS1.1and 1.2 and DTLS1.0 or 1.2 implementations . It also affects previous versions such as SSL3.0 and TLS1.0. This can also be considered a type of man-in-the-middle attack.

Action-Not Available
Vendor-HCLSoftware
Product-Aftermarket EPC
CWE ID-CWE-425
Direct Request ('Forced Browsing')
CVE-2026-16015
Assigner-VulDB
ShareView Details
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-Not Assigned
Published-17 Jul, 2026 | 13:15
Updated-17 Jul, 2026 | 19:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
poco-ai poco-claw executor_manager API tasks.py create_task missing authentication

A vulnerability was determined in poco-ai poco-claw up to 0.5.4. This vulnerability affects the function create_task of the file executor_manager/app/api/v1/tasks.py of the component executor_manager API. Executing a manipulation can lead to missing authentication. The exploit has been publicly disclosed and may be utilized. Upgrading to version 0.5.7 is able to resolve this issue. This patch is called 67fcc88505c57f77d3fcf04eb5b89425b10cbf48. It is recommended to upgrade the affected component.

Action-Not Available
Vendor-poco-ai
Product-poco-claw
CWE ID-CWE-287
Improper Authentication
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2026-16009
Assigner-VulDB
ShareView Details
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-Not Assigned
Published-17 Jul, 2026 | 11:15
Updated-17 Jul, 2026 | 14:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
itsourcecode Hospital Management System prescriptionorderdetail.php sql injection

A vulnerability was detected in itsourcecode Hospital Management System 1.0. Affected is an unknown function of the file /prescriptionorderdetail.php. The manipulation of the argument delid results in sql injection. The attack can be launched remotely. The exploit is now public and may be used.

Action-Not Available
Vendor-ITSourceCode
Product-Hospital Management System
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2026-16008
Assigner-VulDB
ShareView Details
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-Not Assigned
Published-17 Jul, 2026 | 10:30
Updated-17 Jul, 2026 | 14:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
sagold json-schema-library propertyDependencies.ts parsePropertyDependencies prototype pollution

A security vulnerability has been detected in sagold json-schema-library 11.5.0/11.5.1. This impacts the function parsePropertyDependencies of the file src/keywords/propertyDependencies.ts. The manipulation leads to improperly controlled modification of object prototype attributes. The attack can be initiated remotely. Upgrading to version 11.6.0 will fix this issue. The identifier of the patch is 432287ee6f68a02ce6f015354618486ec427a32d. It is advisable to upgrade the affected component.

Action-Not Available
Vendor-sagold
Product-json-schema-library
CWE ID-CWE-1321
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2026-62236
Assigner-VulnCheck
ShareView Details
Assigner-VulnCheck
CVSS Score-2.3||LOW
EPSS-Not Assigned
Published-17 Jul, 2026 | 00:07
Updated-17 Jul, 2026 | 15:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
grav-plugin-login < 3.8.11 CSRF via regenerate2FASecret

grav-plugin-login before 3.8.11 contains a cross-site request forgery (CSRF) vulnerability in the login.regenerate2FASecret frontend task, which regenerates and persists a new TOTP secret for the authenticated session user without any anti-CSRF nonce or Origin/Referer check. Because Grav core dispatches the task from the GET 'task:' URI parameter and the default session cookie is SameSite=Lax, an attacker can lure a logged-in victim to an off-site page that performs a top-level GET navigation, rotating the victim's TOTP secret so their enrolled authenticator no longer matches the server, effectively forcing 2FA re-enrollment. Sites configured with session.samesite: Strict are not affected.

Action-Not Available
Vendor-getgrav
Product-grav
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2026-62235
Assigner-VulnCheck
ShareView Details
Assigner-VulnCheck
CVSS Score-2.3||LOW
EPSS-Not Assigned
Published-17 Jul, 2026 | 00:07
Updated-17 Jul, 2026 | 15:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Grav Flex-Objects < 1.4.3 Authorization Bypass via API

Grav Flex-Objects before version 1.4.3 contains a broken access control vulnerability in the admin-next REST API that allows authenticated users with only api.access permission to perform unauthorized CRUD operations on permission-less directories. Attackers with api.access credentials can create, read, update, delete, and export objects from any directory lacking an explicit permissions configuration, bypassing intended authorization controls.

Action-Not Available
Vendor-getgrav
Product-grav
CWE ID-CWE-636
Not Failing Securely ('Failing Open')
CWE ID-CWE-862
Missing Authorization
CVE-2026-62225
Assigner-VulnCheck
ShareView Details
Assigner-VulnCheck
CVSS Score-2.3||LOW
EPSS-Not Assigned
Published-17 Jul, 2026 | 00:07
Updated-17 Jul, 2026 | 18:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
OpenClaw < 2026.5.18 Authorization Bypass via Skill Command Dispatch

OpenClaw versions before 2026.5.18 contain an authorization bypass vulnerability in skill command dispatch that allows lower-trust callers to execute or persist actions beyond their intended authorization. Attackers can bypass tool policy restrictions through configured input paths to perform unauthorized actions when the affected feature is enabled and reachable.

Action-Not Available
Vendor-OpenClaw
Product-OpenClaw
CWE ID-CWE-863
Incorrect Authorization
CVE-2026-62224
Assigner-VulnCheck
ShareView Details
Assigner-VulnCheck
CVSS Score-2.3||LOW
EPSS-Not Assigned
Published-17 Jul, 2026 | 00:07
Updated-17 Jul, 2026 | 18:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
OpenClaw MS Teams < 2026.5.12 Authorization Bypass

OpenClaw MS Teams before 2026.5.12 contain an authorization bypass vulnerability where the allowFrom feature binds to mutable display names. Attackers with lower-trust access can perform actions requiring stronger authorization by exploiting the mutable display name binding in the affected feature.

Action-Not Available
Vendor-OpenClaw
Product-msteams
CWE ID-CWE-290
Authentication Bypass by Spoofing
CWE ID-CWE-863
Incorrect Authorization
CVE-2026-62221
Assigner-VulnCheck
ShareView Details
Assigner-VulnCheck
CVSS Score-2.3||LOW
EPSS-Not Assigned
Published-17 Jul, 2026 | 00:07
Updated-17 Jul, 2026 | 19:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
OpenClaw 2026.5.12 < 2026.5.26 Authorization Bypass via allowFrom

OpenClaw 2026.5.12 before 2026.5.26 contain an incorrect authorization vulnerability in the ClickClack allowFrom feature. When the affected feature is enabled and reachable, a lower-trust caller or configured input path could execute or persist actions beyond the caller's intended authorization, including running non-allowlisted commands.

Action-Not Available
Vendor-OpenClaw
Product-OpenClaw
CWE ID-CWE-863
Incorrect Authorization
CVE-2026-62216
Assigner-VulnCheck
ShareView Details
Assigner-VulnCheck
CVSS Score-2.3||LOW
EPSS-Not Assigned
Published-17 Jul, 2026 | 00:06
Updated-17 Jul, 2026 | 18:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
OpenClaw 2026.4.20 < 2026.5.28 Policy Bypass via Media Upload

OpenClaw 2026.4.20 before 2026.5.28 contain a policy bypass in the QQBot media upload feature. A lower-trust caller or configured input path could cause the media upload to reach network destinations that should have been blocked by OpenClaw policy (server-side request forgery). The practical impact depends on the operator's configuration and whether lower-trust input can reach that path.

Action-Not Available
Vendor-OpenClaw
Product-OpenClaw
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2026-15997
Assigner-91579145-5d7b-4cc5-b925-a0262ff19630
ShareView Details
Assigner-91579145-5d7b-4cc5-b925-a0262ff19630
CVSS Score-1.7||LOW
EPSS-Not Assigned
Published-16 Jul, 2026 | 22:17
Updated-17 Jul, 2026 | 18:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Native ARM SHA3 / SHAKE `restoreFullState` fails to detect size_t underflow in a crafted encoded state

Out-of-bounds write vulnerability in Legion of the Bouncy Castle Inc. BC-LTS bcprov-lts8on on ARM allows Overflow Buffers. This vulnerability is associated with program files https://github.Com/bcgit/bc-lts-java/blob/main/native_c/arm/sha/shake.C, https://github.Com/bcgit/bc-lts-java/blob/main/native_c/arm/sha/sha3.C. This issue affects BC-LTS: from 2.73.0 before 2.73.12.1. Issue is only applicable if application involved is accepting memoable SHA3 / SHAKE states from potentially untrusted sources.

Action-Not Available
Vendor-Legion of the Bouncy Castle Inc.
Product-BC-LTS
CWE ID-CWE-787
Out-of-bounds Write
CVE-2026-62994
Assigner-GitHub, Inc.
ShareView Details
Assigner-GitHub, Inc.
CVSS Score-3.7||LOW
EPSS-Not Assigned
Published-16 Jul, 2026 | 19:39
Updated-17 Jul, 2026 | 12:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
CoreDNS `k8s_external` headless AXFR can emit an empty transfer batch that panics the `transfer` plugin

CoreDNS is a DNS server written in Go. From 1.9.4 until 1.14.5, a network DNS client allowed to request AXFR for a CoreDNS zone can trigger a panic when CoreDNS is configured with k8s_external headless-service zone transfers and Kubernetes contains a headless service endpoint with no declared ports; plugin/kubernetes/object/endpoint.go creates Port: -1, plugin/k8s_external/msg_to_dns.go skips that service, plugin/k8s_external/transfer.go sends an empty []dns.RR batch, and plugin/transfer/transfer.go indexes records[0] without checking the batch is non-empty. This issue is fixed in version 1.14.5.

Action-Not Available
Vendor-coredns
Product-coredns
CWE ID-CWE-248
Uncaught Exception
CWE ID-CWE-755
Improper Handling of Exceptional Conditions
CVE-2026-44969
Assigner-GitHub, Inc.
ShareView Details
Assigner-GitHub, Inc.
CVSS Score-2.5||LOW
EPSS-Not Assigned
Published-16 Jul, 2026 | 17:49
Updated-17 Jul, 2026 | 19:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
dbt-mcp: Tool Arguments Including SQL Queries and Credentials Logged in Plaintext Without Redaction When File Logging Is Enabled

dbt-mcp is a Model Context Protocol server for interacting with dbt. Prior to 1.17.1, DbtMCP.call_tool() in src/dbt_mcp/mcp/server.py logged the raw arguments dictionary at INFO level before each tool call and at ERROR level on exceptions, and configure_file_logging() wrote those records to dbt-mcp.log when DBT_MCP_SERVER_FILE_LOGGING=true, preserving sensitive sql_query, vars, and node_selection values in plaintext without automatic rotation or deletion. This issue is fixed in version 1.17.1.

Action-Not Available
Vendor-dbt-labs
Product-dbt-mcp
CWE ID-CWE-532
Insertion of Sensitive Information into Log File
CVE-2026-44970
Assigner-GitHub, Inc.
ShareView Details
Assigner-GitHub, Inc.
CVSS Score-3.1||LOW
EPSS-Not Assigned
Published-16 Jul, 2026 | 17:49
Updated-17 Jul, 2026 | 17:57
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
dbt-mcp: All MCP Tool Arguments Including Raw SQL and --vars Credentials Transmitted to dbt Labs Telemetry by Default Without Redaction

dbt-mcp is a Model Context Protocol server for interacting with dbt. Prior to 1.17.1, DefaultUsageTracker.emit_tool_called_event() in src/dbt_mcp/tracking/tracking.py serialized every MCP tool call's complete arguments dictionary and sent it through dbtlabs_vortex.producer.log_proto without redaction, including sql_query from show, vars from run, build, and test, and node_selection from compile, while usage_tracking_enabled in settings.py enabled telemetry by default unless DBT_SEND_ANONYMOUS_USAGE_STATS=false or DO_NOT_TRACK=1 was set. This issue is fixed in version 1.17.1.

Action-Not Available
Vendor-dbt-labs
Product-dbt-mcp
CWE ID-CWE-201
Insertion of Sensitive Information Into Sent Data
CVE-2026-35145
Assigner-HCL Software
ShareView Details
Assigner-HCL Software
CVSS Score-3.1||LOW
EPSS-Not Assigned
Published-16 Jul, 2026 | 13:05
Updated-17 Jul, 2026 | 19:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
HCL DFXAnalytics is affected by a Missing HTTP Strict-Transport-Security Header vulnerability.

HCL DFXAnalytics is affected by a Missing HTTP Strict-Transport-Security Header vulnerability. The application fails to implement the HTTP Strict Transport Security (HSTS) policy within its responses, which could allow a remote attacker to downgrade the communication channel to an unencrypted connection (HTTP) and conduct man-in-the-middle (MitM) attacks. To remediate this, the application must include the "Strict-Transport-Security" header in all web application responses.

Action-Not Available
Vendor-HCL Technologies Ltd.
Product-dfxanalyticsDFXAnalytics
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2026-35143
Assigner-HCL Software
ShareView Details
Assigner-HCL Software
CVSS Score-3||LOW
EPSS-Not Assigned
Published-16 Jul, 2026 | 13:04
Updated-17 Jul, 2026 | 16:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
HCL DFXAnalytics is affected by a Missing SameSite Attribute vulnerability.

HCL DFXAnalytics is affected by a Missing SameSite Attribute vulnerability. The application fails to set the "SameSite" attribute on session cookies generated during authentication, which could allow a remote attacker to execute Cross-Site Request Forgery (CSRF) attacks if additional mitigations, such as Anti-CSRF tokens, are not implemented.

Action-Not Available
Vendor-HCL Technologies Ltd.
Product-dfxanalyticsDFXAnalytics
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2026-35142
Assigner-HCL Software
ShareView Details
Assigner-HCL Software
CVSS Score-2.6||LOW
EPSS-Not Assigned
Published-16 Jul, 2026 | 13:02
Updated-17 Jul, 2026 | 16:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
HCL DFXAnalytics is affected by an Internal IP Address Disclosure vulnerability.

HCL DFXAnalytics is affected by an Internal IP Address Disclosure vulnerability. The application includes internal IP address details within its generated server responses, which could allow a remote attacker to gather sensitive network topology information and use it to map the internal infrastructure for further targeted attacks.

Action-Not Available
Vendor-HCL Technologies Ltd.
Product-dfxanalyticsDFXAnalytics
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2026-35141
Assigner-HCL Software
ShareView Details
Assigner-HCL Software
CVSS Score-2.6||LOW
EPSS-Not Assigned
Published-16 Jul, 2026 | 12:59
Updated-17 Jul, 2026 | 16:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
HCL DFXAnalytics is affected by a Login Replay Attack vulnerability

HCL DFXAnalytics is affected by a Login Replay Attack vulnerability. The application allows a remote attacker to intercept, delay, or fraudulently retransmit valid authentication data to achieve unauthorized access. To mitigate this risk, the application must implement a mechanism to include timestamps with every message, ensuring that messages exceeding a specific age threshold are automatically rejected by the recipient system.

Action-Not Available
Vendor-HCL Technologies Ltd.
Product-dfxanalyticsDFXAnalytics
CWE ID-CWE-294
Authentication Bypass by Capture-replay
CVE-2026-35140
Assigner-HCL Software
ShareView Details
Assigner-HCL Software
CVSS Score-3||LOW
EPSS-Not Assigned
Published-16 Jul, 2026 | 12:48
Updated-17 Jul, 2026 | 17:00
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
HCL DFXAnalytics is affected by a Missing Secure Attribute in Encrypted Session (SSL) Cookie vulnerability

HCL DFXAnalytics is affected by a Missing Secure Attribute in Encrypted Session (SSL) Cookie vulnerability. The application fails to set the "secure" attribute on session cookies generated during authentication, which could allow a remote attacker to intercept network traffic and capture sensitive cookies, session tokens, or credentials sent in cleartext over unencrypted channels.

Action-Not Available
Vendor-HCL Technologies Ltd.
Product-dfxanalyticsDFXAnalytics
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2026-12907
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-2.7||LOW
EPSS-0.13% / 3.13%
||
7 Day CHG~0.00%
Published-16 Jul, 2026 | 06:00
Updated-16 Jul, 2026 | 16:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
RTMKit Addons for Elementor < 2.0.9 - Author+ Site-Wide Theme Builder Template Creation and Activation

The RTMKit WordPress plugin before 2.0.9 does not perform a proper capability check on one of its -builder AJAX actions, allowing users with at least the Author role to create and activate a site-wide template that overrides the header, footer or other global areas displayed to all visitors, which is normally restricted to administrators.

Action-Not Available
Vendor-Unknown
Product-RTMKit
CWE ID-CWE-862
Missing Authorization
CVE-2026-12906
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-2.7||LOW
EPSS-0.13% / 3.13%
||
7 Day CHG~0.00%
Published-16 Jul, 2026 | 06:00
Updated-16 Jul, 2026 | 18:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
RTMKit Addons for Elementor < 2.0.9 - Contributor+ Private Post Title Disclosure

The RTMKit WordPress plugin before 2.0.9 does not perform a capability check in one of its AJAX actions and resolves a request-supplied post identifier directly, allowing users with at least the Contributor role to read the titles of other users' private, draft, pending, scheduled and trashed posts.

Action-Not Available
Vendor-Unknown
Product-RTMKit
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CVE-2026-47088
Assigner-MITRE Corporation
ShareView Details
Assigner-MITRE Corporation
CVSS Score-3.1||LOW
EPSS-Not Assigned
Published-16 Jul, 2026 | 00:00
Updated-17 Jul, 2026 | 18:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in cyrus-imapd in Cyrus IMAP through 3.12.2. There is heap exposure in nested MIME comment parsing. An authenticated IMAP user could craft an email message containing an RFC 822 comment ending with a backslash. When parsing the message, the server would read past the message's end in memory, and read into the heap, returning the read content to the user.

Action-Not Available
Vendor-cyrusimap
Product-Cyrus IMAP
CWE ID-CWE-126
Buffer Over-read
CVE-2026-47087
Assigner-MITRE Corporation
ShareView Details
Assigner-MITRE Corporation
CVSS Score-3.5||LOW
EPSS-Not Assigned
Published-16 Jul, 2026 | 00:00
Updated-17 Jul, 2026 | 18:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in cyrus-imapd in Cyrus IMAP through 3.12.2. URLAUTH does not honor revoked authorizer access. A URLAUTH URL minted while the authorizer had access continued to work after that access was revoked.

Action-Not Available
Vendor-cyrusimap
Product-Cyrus IMAP
CWE ID-CWE-672
Operation on a Resource after Expiration or Release
CVE-2026-47086
Assigner-MITRE Corporation
ShareView Details
Assigner-MITRE Corporation
CVSS Score-3.5||LOW
EPSS-Not Assigned
Published-16 Jul, 2026 | 00:00
Updated-17 Jul, 2026 | 18:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in cyrus-imapd in Cyrus IMAP through 3.12.2. GENURLAUTH-issued tokens can bypass ACLs. Any authenticated user could mint a URLAUTH token (via the GENURLAUTH command) for any mailbox they could name, even without read access on it. This would allow reading mail from mailboxes despite having no granted permissions.

Action-Not Available
Vendor-cyrusimap
Product-Cyrus IMAP
CWE ID-CWE-863
Incorrect Authorization
CVE-2026-47081
Assigner-MITRE Corporation
ShareView Details
Assigner-MITRE Corporation
CVSS Score-3.1||LOW
EPSS-Not Assigned
Published-16 Jul, 2026 | 00:00
Updated-17 Jul, 2026 | 18:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in cyrus-imapd in Cyrus IMAP through 3.12.2. There is an XAPPLEPUSHSERVICE folder existence oracle and push hijack. An authenticated IMAP user could probe for the existence of arbitrary mailboxes on other users' accounts via the XAPPLEPUSHSERVICE command and then create Apple Push Notification Service notifications for new mail in those mailboxes to their own APNS device. This did not leak any data about the content of mailboxes. Instead, a "mailbox has changed" notice would be pushed when the mailbox modseq changed.

Action-Not Available
Vendor-cyrusimap
Product-Cyrus IMAP
CWE ID-CWE-863
Incorrect Authorization
CVE-2024-32389
Assigner-MITRE Corporation
ShareView Details
Assigner-MITRE Corporation
CVSS Score-3.5||LOW
EPSS-Not Assigned
Published-16 Jul, 2026 | 00:00
Updated-17 Jul, 2026 | 18:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Buffer Overflow vulnerability in Kerlink Kerlink Wirnet iStation 868 KerOS v.4.3.3_20200803132042 allows a remote attacker to obtain sensitive information via the update URLs component.

Action-Not Available
Vendor-n/a
Product-n/a
CWE ID-CWE-120
Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
CVE-2026-15921
Assigner-7ffcee3d-2c14-4c3e-b844-86c6a321a158
ShareView Details
Assigner-7ffcee3d-2c14-4c3e-b844-86c6a321a158
CVSS Score-2.1||LOW
EPSS-0.22% / 13.09%
||
7 Day CHG~0.00%
Published-15 Jul, 2026 | 21:16
Updated-16 Jul, 2026 | 14:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
nvm path traversal via a malicious mirror's LTS codename writes outside the alias directory

Node Version Manager (nvm) is a POSIX-compliant shell function for managing multiple node.js versions. In versions 0.32.1 through 0.40.5, `nvm ls-remote` (and other commands that refresh remote LTS aliases, such as `nvm install --lts`) parse the node.js mirror's `index.tab` and use each release's LTS codename field as an alias filename without validating it. A malicious, compromised, or man-in-the-middled mirror can return an LTS codename containing path-traversal sequences such as `../../../.bashrc`, causing nvm to write the associated version string to a path outside `$NVM_DIR/alias`. With the default layout (`$NVM_DIR` is `~/.nvm`), this can create or overwrite files in the user's home directory, including shell startup files, which can lead to code execution in a later shell session. Exploitation requires the victim to use a hostile mirror -- via a compromised mirror or CDN, a network man-in-the-middle, or a maliciously configured `NVM_NODEJS_ORG_MIRROR`/`NVM_IOJS_ORG_MIRROR` -- and to run an affected command. Version 0.40.6 validates remote LTS codenames as safe alias filenames and rejects `..` path components when writing alias files.

Action-Not Available
Vendor-nvm-sh
Product-nvm
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE ID-CWE-73
External Control of File Name or Path
CVE-2026-55398
Assigner-Absolute Software
ShareView Details
Assigner-Absolute Software
CVSS Score-6.9||MEDIUM
EPSS-0.25% / 16.63%
||
7 Day CHG~0.00%
Published-15 Jul, 2026 | 20:17
Updated-16 Jul, 2026 | 16:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Memory management vulnerability in Secure Access clients

CVE-2026-55398 is a memory management vulnerability in Secure Access clients and servers prior to 14.55. Attackers with intimate knowledge of and total control over the tunnel protocol can create a non-persistent DoS against the server.

Action-Not Available
Vendor-Absolute Software Corporation
Product-secure_accessSecure Access
CWE ID-CWE-119
Improper Restriction of Operations within the Bounds of a Memory Buffer
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2026-33444
Assigner-Absolute Software
ShareView Details
Assigner-Absolute Software
CVSS Score-6.9||MEDIUM
EPSS-0.31% / 23.17%
||
7 Day CHG~0.00%
Published-15 Jul, 2026 | 20:10
Updated-16 Jul, 2026 | 16:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Memory management vulnerability in Secure Access servers

CVE-2026-33444 is a memory management vulnerability in Secure Access servers prior to 14.55. Attackers with intimate knowledge of and total control over the tunnel protocol can create a non-persistent DoS against the server.

Action-Not Available
Vendor-Absolute SecutityAbsolute Software Corporation
Product-secure_accessSecure Access
CWE ID-CWE-119
Improper Restriction of Operations within the Bounds of a Memory Buffer
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2026-40958
Assigner-Absolute Software
ShareView Details
Assigner-Absolute Software
CVSS Score-2.3||LOW
EPSS-0.21% / 11.10%
||
7 Day CHG~0.00%
Published-15 Jul, 2026 | 20:02
Updated-16 Jul, 2026 | 14:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Input validation error in Secure Access clients prior to 14.55

CVE-2026-40958 is a input validation error in Secure Access clients prior to 14.55. Attackers with intimate knowledge of and total control over the tunnel protocol can create a non-persistent DoS against their client.

Action-Not Available
Vendor-Absolute Software Corporation
Product-secure_accessSecure Access
CWE ID-CWE-20
Improper Input Validation
CVE-2026-40956
Assigner-Absolute Software
ShareView Details
Assigner-Absolute Software
CVSS Score-2.1||LOW
EPSS-0.17% / 6.73%
||
7 Day CHG~0.00%
Published-15 Jul, 2026 | 19:55
Updated-16 Jul, 2026 | 14:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Memory disclosure in Secure Access Clients

CVE-2026-40956 is a memory disclosure vulnerability in Secure Access client versions prior to 14.55. Attackers with intimate knowledge of and total control over the tunnel protocol can cause a small amount of random memory to leak.

Action-Not Available
Vendor-Absolute Software Corporation
Product-secure_accessSecure Access
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2026-40955
Assigner-Absolute Software
ShareView Details
Assigner-Absolute Software
CVSS Score-2.1||LOW
EPSS-0.20% / 10.09%
||
7 Day CHG~0.00%
Published-15 Jul, 2026 | 19:50
Updated-16 Jul, 2026 | 14:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Integer underflow vulnerability in Secure Access clients

CVE-2026-40955 is an integer underflow vulnerability in the traffic parsing function of Secure Access clients prior to 14.55. Attackers with intimate knowledge of and total control over the tunnel protocol can create a non-persistent DoS against their client.

Action-Not Available
Vendor-Absolute Software Corporation
Product-secure_accessSecure Access
CWE ID-CWE-191
Integer Underflow (Wrap or Wraparound)
CVE-2026-40954
Assigner-Absolute Software
ShareView Details
Assigner-Absolute Software
CVSS Score-2.1||LOW
EPSS-0.20% / 10.09%
||
7 Day CHG~0.00%
Published-15 Jul, 2026 | 19:44
Updated-16 Jul, 2026 | 14:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Integer underflow in Secure Access clients prior to 14.55

CVE-2026-40954 is an integer underflow vulnerability in the traffic parsing function of Secure Access clients prior to 14.55. Attackers with intimate knowledge of and total control over the tunnel protocol can create a non-persistent DoS against their client

Action-Not Available
Vendor-Absolute Software Corporation
Product-secure_accessSecure Access
CWE ID-CWE-191
Integer Underflow (Wrap or Wraparound)
CVE-2026-62683
Assigner-GitHub, Inc.
ShareView Details
Assigner-GitHub, Inc.
CVSS Score-3.1||LOW
EPSS-0.20% / 9.75%
||
7 Day CHG~0.00%
Published-15 Jul, 2026 | 15:40
Updated-15 Jul, 2026 | 19:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
File Browser: Trailing-slash delete leaves a stale public share behind

File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.17, File Browser can leave a public directory share behind when the shared directory is deleted through a path with a trailing slash because the share cleanup path calls DeleteWithPathPrefix(file.Path, userID) and the Bolt backend performs the database prefix query with the unnormalized path before trimming the slash for boundary checks, so deleting /a/ does not delete the stored /a share and the stale public share exposes future content if the same path is recreated. This issue is fixed in version 2.63.17.

Action-Not Available
Vendor-filebrowser
Product-filebrowser
CWE ID-CWE-863
Incorrect Authorization
CVE-2026-60065
Assigner-F5, Inc.
ShareView Details
Assigner-F5, Inc.
CVSS Score-6.3||MEDIUM
EPSS-0.27% / 18.03%
||
7 Day CHG~0.00%
Published-15 Jul, 2026 | 14:33
Updated-15 Jul, 2026 | 16:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
NGINX Plus ngx_stream_mqtt_filter_module vulnerability

When NGINX Plus is configured to use the Message Queuing Telemetry Transport (MQTT) filter module (ngx_stream_mqtt_filter_module), unauthenticated attackers can send requests with conditions beyond the attacker's control to cause a heap buffer over-read in the NGINX worker process, leading to a restart. Impact: This vulnerability may allow remote unauthenticated attackers to have limited control to restart the NGINX worker process. There is no control plane exposure; this is a data plane issue only. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Action-Not Available
Vendor-F5, Inc.
Product-NGINX Plus
CWE ID-CWE-125
Out-of-bounds Read
CVE-2026-61872
Assigner-VulnCheck
ShareView Details
Assigner-VulnCheck
CVSS Score-2||LOW
EPSS-0.10% / 0.86%
||
7 Day CHG~0.00%
Published-15 Jul, 2026 | 11:25
Updated-15 Jul, 2026 | 14:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
ImageMagick before 7.1.2-26 Memory Leak via TIFF Encoder

ImageMagick before 7.1.2-26 and 6.9.13-51 contains a memory leak in the TIFF encoder when an invalid tiff:tile-geometry is specified. Supplying malformed tile geometry parameters causes allocated memory not to be released, which can lead to increased memory consumption.

Action-Not Available
Vendor-ImageMagick Studio LLC
Product-ImageMagick
CWE ID-CWE-401
Missing Release of Memory after Effective Lifetime
CVE-2026-61871
Assigner-VulnCheck
ShareView Details
Assigner-VulnCheck
CVSS Score-6.3||MEDIUM
EPSS-0.23% / 13.97%
||
7 Day CHG~0.00%
Published-15 Jul, 2026 | 11:25
Updated-15 Jul, 2026 | 13:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
ImageMagick before 7.1.2-26 Memory Leak in ICON decoder

ImageMagick before 7.1.2-26 and 6.9.13-51 contains a memory leak in the ICON decoder that occurs when a memory allocation fails. Processing a crafted ICON file that triggers an allocation failure leaks memory, which may lead to a denial of service.

Action-Not Available
Vendor-ImageMagick Studio LLC
Product-ImageMagick
CWE ID-CWE-401
Missing Release of Memory after Effective Lifetime
CVE-2026-61869
Assigner-VulnCheck
ShareView Details
Assigner-VulnCheck
CVSS Score-2.1||LOW
EPSS-0.10% / 1.13%
||
7 Day CHG~0.00%
Published-15 Jul, 2026 | 11:25
Updated-15 Jul, 2026 | 19:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
ImageMagick before 7.1.2-26 Memory Leak in MIFF Encoder

ImageMagick before 7.1.2-26 and 6.9.13-51 contains a memory leak in the MIFF encoder that occurs when a memory allocation fails during MIFF image processing, which can lead to denial of service.

Action-Not Available
Vendor-ImageMagick Studio LLC
Product-ImageMagick
CWE ID-CWE-401
Missing Release of Memory after Effective Lifetime
CVE-2026-61868
Assigner-VulnCheck
ShareView Details
Assigner-VulnCheck
CVSS Score-6.3||MEDIUM
EPSS-0.22% / 12.68%
||
7 Day CHG~0.00%
Published-15 Jul, 2026 | 11:25
Updated-15 Jul, 2026 | 14:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
ImageMagick before 7.1.2-26 Memory Leak in YUV Decoder

ImageMagick before 7.1.2-26 and 6.9.x before 6.9.13-51 contains a memory leak in the YUV decoder that occurs when opening of the blob fails. Repeated triggering can lead to resource exhaustion (denial of service).

Action-Not Available
Vendor-ImageMagick Studio LLC
Product-ImageMagick
CWE ID-CWE-401
Missing Release of Memory after Effective Lifetime
CVE-2026-61867
Assigner-VulnCheck
ShareView Details
Assigner-VulnCheck
CVSS Score-2.1||LOW
EPSS-0.10% / 1.13%
||
7 Day CHG~0.00%
Published-15 Jul, 2026 | 11:25
Updated-15 Jul, 2026 | 13:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
ImageMagick before 7.1.2-26 Memory Leak in TIFF Encoder

ImageMagick before 7.1.2-26 contains a memory leak vulnerability in the TIFF encoder when memory allocation fails. Attackers can trigger allocation failures during TIFF image processing to cause memory exhaustion and denial of service.

Action-Not Available
Vendor-ImageMagick Studio LLC
Product-ImageMagick
CWE ID-CWE-401
Missing Release of Memory after Effective Lifetime
CVE-2026-61866
Assigner-VulnCheck
ShareView Details
Assigner-VulnCheck
CVSS Score-2.1||LOW
EPSS-0.19% / 8.53%
||
7 Day CHG~0.00%
Published-15 Jul, 2026 | 11:25
Updated-16 Jul, 2026 | 03:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
ImageMagick before 7.1.2-26 Memory Leak in JNG encoder

ImageMagick before 7.1.2-26 contains a memory leak vulnerability in the JNG encoder when a blob cannot be opened. Attackers can trigger the memory leak by providing malformed JNG files that fail blob operations, causing resource exhaustion.

Action-Not Available
Vendor-ImageMagick Studio LLC
Product-imagemagickImageMagick
CWE ID-CWE-401
Missing Release of Memory after Effective Lifetime
CVE-2026-61865
Assigner-VulnCheck
ShareView Details
Assigner-VulnCheck
CVSS Score-2.1||LOW
EPSS-0.10% / 1.13%
||
7 Day CHG~0.00%
Published-15 Jul, 2026 | 11:25
Updated-15 Jul, 2026 | 14:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
ImageMagick before 7.1.2-26 Memory Leak in Hough Lines

ImageMagick before 7.1.2-26 and 6.9.13-51 contains a memory leak in the hough lines operation: when a specific operation fails, a small memory leak occurs.

Action-Not Available
Vendor-ImageMagick Studio LLC
Product-ImageMagick
CWE ID-CWE-401
Missing Release of Memory after Effective Lifetime
  • Previous
  • 1
  • 2
  • 3
  • ...
  • 485
  • 486
  • Next