Security Intelligence
Feed

Real-time CVE tracking, exploit analysis, and vulnerability intelligence curated for security professionals.

61 New today
64,207 Total advisories
Live Monitoring

Daily Security Trends (Last 14 Days)

32
Jun 7
255
Jun 8
658
Jun 9
351
Jun 10
245
Jun 11
336
Jun 12
60
Jun 13
68
Jun 14
443
Jun 15
630
Jun 16
464
Jun 17
3
Jun 18
352
Jun 19
46
Jun 20
Critical
High
Medium
Low
Latest
CVE CVSS 8.1

PhpWeasyPrint vulnerable to PHAR deserialization via output filename (CVE-2023-28115 case-insensitive bypass)_CVE-2026-49286

PhpWeasyPrint is a PHP library allowing PDF generation from a URL or an HTML page. Prior to version 2.6.0, `pontedilana/php-weasyprint` guarded the output filename against the `phar://` stream wrapper with a case-sensitive blacklist. PHP stream wrappers are case-insensitive, s...

CVE-2026-49286 pontedilana php-weasyprint < 2.6.0
Read analysis

Recent Advisories

Severity ID Title Vendor Product Date Type
MEDIUM 6.5 CVE-2026-49271

libheif: Wrapped icef compressed-unit range check causes out-of-bounds read in uncompressed HEIF decoder_CVE-2026-49271

libheif is a HEIF and AVIF file format decoder and encoder. Prior to version 1.22.1, the uncompressed HEIF decoder validates explicit icef compress...

strukturag libheif < 1.22.1 CVE
HIGH 7.1 CVE-2026-49339

Path traversal in getPlaylist/deletePlaylist bypasses ownership check: any authenticated user can read or delete any other user’s playlist_CVE-2026-49339

gonic is a music streaming server / free-software subsonic server API implementation. The maintainer's fix in commit `6dd71e6a3c966867ef8c900d359a...

sentriz gonic < 0.21.0 CVE
MEDIUM 5.5 CVE-2026-49336

@microsoft/kiota-http-fetchlibrary: Bearer token and Cookie leak across origin on redirect due to case-mismatched scrub in fetchRequestAdapter_CVE-2026-49336

@microsoft/kiota-http-fetchlibrary provides TypeScript libraries for Kiota-generated API clients. In versions 1.0.0-preview.97 through 1.0.0-previe...

microsoft kiota-typescript >= 1.0.0-preview.97, < 1.0.0-preview.102 CVE
HIGH 7.5 CVE-2026-49293

CPU exhaustion via O(n^2) BigInt construction on radix-prefixed integer literals_CVE-2026-49293

js-toml is a TOML parser for JavaScript, fully compliant with the TOML 1.0.0 Spec. Versions up to and including 1.1.0 parse hexadecimal / octal / b...

sunnyadn js-toml < 1.1.1 CVE
HIGH 8.1 CVE-2026-49291

mcp-memory-service: OAuth read-only clients can write and delete memories through MCP tools/call_CVE-2026-49291

mcp-memory-service is a semantic memory layer for AI applications. Prior to version 10.65.3, the HTTP MCP JSON-RPC endpoint at `/mcp` requires only...

doobidoo mcp-memory-service < 10.65.3 CVE
MEDIUM 4.3 CVE-2026-49288

Statamic CMS missing authorization on Control Panel fieldtype endpoints allows disclosure of restricted resources_CVE-2026-49288

Statamic is a Laravel and Git powered content management system (CMS). Prior to 5.73.23 and 6.20.0, an authenticated Control Panel user could view ...

statamic cms < 5.73.23 CVE
MEDIUM 5.3 CVE-2026-12238

WP Go Maps <= 10.1.01 - Unauthenticated Arbitrary Record Creation_CVE-2026-12238

The WP Go Maps – Most Popular Map Plugin plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 10.1.01. ...

wpgmaps WP Go Maps – Google Map, OpenStreetMap, Leaflet Map CVE
HIGH 7.5 CVE-2026-9375

Decompression Bomb Bypass via Negative max_length in Streaming API in urllib3_CVE-2026-9375

urllib3 version 2.6.3 is vulnerable to a decompression bomb bypass in its streaming API (`preload_content=False`) when using Brotli support. The is...

urllib3 urllib3/urllib3 unspecified CVE
HIGH 8.1 CVE-2026-49340

gonic has arbitrary file write in createPlaylist: any authenticated user can write playlist M3U content to attacker-controlled path on the host_CVE-2026-49340

gonic is a music streaming server / free-software subsonic server API implementation. Prior to version 0.21.0, a logic error in `ServeCreateOrUpdat...

sentriz gonic < 0.21.0 CVE