Security
CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
20714
Total
1493
Critical
6288
High
6559
Medium
| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-49839 | HIGH | 7.1 | jq is a command-line JSON processor. Prior to 1.8.2,` jq --rawfile` can turn a handled oversized-string error into invalid-state reuse and a real heap out-of-bounds … | Jun 25, 2026 |
| CVE-2026-48995 | UNKNOWN | — | pnpm is a package manager. Prior to 10.33.4 and 11.0.7, a malicious codeload.github.com server can serve whatever tarball it wants and pnpm will install it … | Jun 25, 2026 |
| CVE-2026-47770 | UNKNOWN | — | jq is a command-line JSON processor. Prior to 1.8.2, comparing two sufficiently deeply nested arrays with the == operator exhausts the C stack on jq's … | Jun 25, 2026 |
| CVE-2026-11999 | HIGH | 7.5 | X.509 trust-chain bypass (path-depth exhaustion) in the OpenSSL compatibility certificate verifier (wolfSSL_X509_verify_cert()). This affects only builds with --enable-opensslextra whose application calls X509_verify_cert() with caller-supplied untrusted … | Jun 25, 2026 |
| CVE-2026-9800 | HIGH | 8.1 | A flaw was found in Keycloak Policy Enforcer. This vulnerability allows any authenticated user to bypass all authorization policies, including role, scope, and User-Managed Access … | Jun 25, 2026 |
| CVE-2026-9799 | MEDIUM | 4.6 | A flaw was found in org.keycloak.authorization. An authenticated user with a granted User-Managed Access (UMA) permission ticket for one resource can exploit this by using … | Jun 25, 2026 |
| CVE-2026-9705 | MEDIUM | 6.5 | A flaw was found in Keycloak's client registration service. A remote attacker, possessing a previously issued Registration Access Token (RAT), could exploit this vulnerability to … | Jun 25, 2026 |
| CVE-2026-9099 | HIGH | 7.7 | A flaw was found in Keycloak. A missing authorization check in the GroupResource.addChild() endpoint within the Admin REST API allows an authenticated user with limited … | Jun 25, 2026 |
| CVE-2026-9086 | HIGH | 7.3 | A flaw was found in Keycloak. A remote attacker with administrative privileges, specifically those with `manage-client` permission or access to client registration endpoints, could bypass … | Jun 25, 2026 |
| CVE-2026-9083 | MEDIUM | 4.9 | A flaw was found in Keycloak. A realm administrator with the "manage-realm" role can exploit this vulnerability by submitting an arbitrary filesystem path as a … | Jun 25, 2026 |
| CVE-2026-56123 | HIGH | 8.1 | socat versions 1.8.0.0 through 1.8.1.1 contain a heap-based buffer overflow vulnerability that allows a malicious SOCKS5 proxy server to overwrite adjacent heap memory by exploiting … | Jun 25, 2026 |
| CVE-2026-55439 | MEDIUM | 5.5 | Halo is an open source website building tool. Prior to 2.24.3, a path traversal vulnerability in the backup download endpoint allows authenticated administrators to read … | Jun 25, 2026 |
| CVE-2026-55413 | UNKNOWN | — | ToolJet is the open-source foundation am AI-native platform for building and deploying internal tools, workflows and AI agents. Prior to 3.20.178-lts, any authenticated user with … | Jun 25, 2026 |
| CVE-2026-55412 | HIGH | 8.3 | ToolJet is the open-source foundation am AI-native platform for building and deploying internal tools, workflows and AI agents. Prior to 3.20.178-lts, there's an SSRF in … | Jun 25, 2026 |
| CVE-2026-55411 | MEDIUM | 6.8 | ToolJet is the open-source foundation am AI-native platform for building and deploying internal tools, workflows and AI agents. Prior to 3.20.1780-lts, the authenticated endpoint POST … | Jun 25, 2026 |
| CVE-2026-55092 | UNKNOWN | — | Trivy is a security scanner. Prior to 0.71.1, when Trivy downloads an OCI artifact, it uses the org.opencontainers.image.title annotation from the artifact manifest as the … | Jun 25, 2026 |
| CVE-2026-54573 | UNKNOWN | — | Outline is a service that allows for collaborative documentation. Prior to 1.8.0, the AuthenticationHelper.canAccess function uses ctx.originalUrl to verify if an API key or OAuth … | Jun 25, 2026 |
| CVE-2026-54448 | UNKNOWN | — | Trivy is a security scanner. Prior to 0.71.0, when Trivy scans a Helm chart archive (.tgz), its custom tar unpacker reads each entry with io.ReadAll(tr) … | Jun 25, 2026 |
| CVE-2026-54040 | MEDIUM | 5.9 | LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. Prior to 0.8.4-rc1, the POST /api/auth/2fa/backup/regenerate endpoint regenerates all 2FA backup codes without requiring … | Jun 25, 2026 |
| CVE-2026-54037 | MEDIUM | 6.5 | LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. Prior to 0.8.4-rc1, the fix for CVE-2025-7105 added forkIpLimiter and forkUserLimiter rate limiters to … | Jun 25, 2026 |
| CVE-2026-54033 | HIGH | 7.7 | LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. Prior to 0.8.4-rc1, LibreChat allows users to configure custom OpenAI-compatible API endpoints by setting … | Jun 25, 2026 |
| CVE-2026-54030 | HIGH | 8.0 | LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. Prior to 0.8.5, LibreChat's MCP OAuth implementation does not validate that the resource parameter … | Jun 25, 2026 |
| CVE-2026-54029 | MEDIUM | 5.3 | LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. Prior to 0.8.4-rc1, the DELETE /api/messages/:conversationId/:messageId endpoint allows any authenticated user to delete any … | Jun 25, 2026 |
| CVE-2026-54027 | MEDIUM | 6.5 | LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. Prior to 0.8.4-rc1, the POST /api/files/images endpoint allows any authenticated user to upload files … | Jun 25, 2026 |
| CVE-2026-54025 | MEDIUM | 5.4 | LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. Prior to 0.8.4-rc1, there is a vulnerability in LibreChat's markdown artifact preview pipeline. The … | Jun 25, 2026 |