Loading market data...

CVE Feed

Latest vulnerabilities from the National Vulnerability Database.

20714
Total
1493
Critical
6288
High
6559
Medium
CVE ID Severity Score Description Published
CVE-2026-49839 HIGH 7.1 jq is a command-line JSON processor. Prior to 1.8.2,` jq --rawfile` can turn a handled oversized-string error into invalid-state reuse and a real heap out-of-bounds … Jun 25, 2026
CVE-2026-48995 UNKNOWN pnpm is a package manager. Prior to 10.33.4 and 11.0.7, a malicious codeload.github.com server can serve whatever tarball it wants and pnpm will install it … Jun 25, 2026
CVE-2026-47770 UNKNOWN jq is a command-line JSON processor. Prior to 1.8.2, comparing two sufficiently deeply nested arrays with the == operator exhausts the C stack on jq's … Jun 25, 2026
CVE-2026-11999 HIGH 7.5 X.509 trust-chain bypass (path-depth exhaustion) in the OpenSSL compatibility certificate verifier (wolfSSL_X509_verify_cert()). This affects only builds with --enable-opensslextra whose application calls X509_verify_cert() with caller-supplied untrusted … Jun 25, 2026
CVE-2026-9800 HIGH 8.1 A flaw was found in Keycloak Policy Enforcer. This vulnerability allows any authenticated user to bypass all authorization policies, including role, scope, and User-Managed Access … Jun 25, 2026
CVE-2026-9799 MEDIUM 4.6 A flaw was found in org.keycloak.authorization. An authenticated user with a granted User-Managed Access (UMA) permission ticket for one resource can exploit this by using … Jun 25, 2026
CVE-2026-9705 MEDIUM 6.5 A flaw was found in Keycloak's client registration service. A remote attacker, possessing a previously issued Registration Access Token (RAT), could exploit this vulnerability to … Jun 25, 2026
CVE-2026-9099 HIGH 7.7 A flaw was found in Keycloak. A missing authorization check in the GroupResource.addChild() endpoint within the Admin REST API allows an authenticated user with limited … Jun 25, 2026
CVE-2026-9086 HIGH 7.3 A flaw was found in Keycloak. A remote attacker with administrative privileges, specifically those with `manage-client` permission or access to client registration endpoints, could bypass … Jun 25, 2026
CVE-2026-9083 MEDIUM 4.9 A flaw was found in Keycloak. A realm administrator with the "manage-realm" role can exploit this vulnerability by submitting an arbitrary filesystem path as a … Jun 25, 2026
CVE-2026-56123 HIGH 8.1 socat versions 1.8.0.0 through 1.8.1.1 contain a heap-based buffer overflow vulnerability that allows a malicious SOCKS5 proxy server to overwrite adjacent heap memory by exploiting … Jun 25, 2026
CVE-2026-55439 MEDIUM 5.5 Halo is an open source website building tool. Prior to 2.24.3, a path traversal vulnerability in the backup download endpoint allows authenticated administrators to read … Jun 25, 2026
CVE-2026-55413 UNKNOWN ToolJet is the open-source foundation am AI-native platform for building and deploying internal tools, workflows and AI agents. Prior to 3.20.178-lts, any authenticated user with … Jun 25, 2026
CVE-2026-55412 HIGH 8.3 ToolJet is the open-source foundation am AI-native platform for building and deploying internal tools, workflows and AI agents. Prior to 3.20.178-lts, there's an SSRF in … Jun 25, 2026
CVE-2026-55411 MEDIUM 6.8 ToolJet is the open-source foundation am AI-native platform for building and deploying internal tools, workflows and AI agents. Prior to 3.20.1780-lts, the authenticated endpoint POST … Jun 25, 2026
CVE-2026-55092 UNKNOWN Trivy is a security scanner. Prior to 0.71.1, when Trivy downloads an OCI artifact, it uses the org.opencontainers.image.title annotation from the artifact manifest as the … Jun 25, 2026
CVE-2026-54573 UNKNOWN Outline is a service that allows for collaborative documentation. Prior to 1.8.0, the AuthenticationHelper.canAccess function uses ctx.originalUrl to verify if an API key or OAuth … Jun 25, 2026
CVE-2026-54448 UNKNOWN Trivy is a security scanner. Prior to 0.71.0, when Trivy scans a Helm chart archive (.tgz), its custom tar unpacker reads each entry with io.ReadAll(tr) … Jun 25, 2026
CVE-2026-54040 MEDIUM 5.9 LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. Prior to 0.8.4-rc1, the POST /api/auth/2fa/backup/regenerate endpoint regenerates all 2FA backup codes without requiring … Jun 25, 2026
CVE-2026-54037 MEDIUM 6.5 LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. Prior to 0.8.4-rc1, the fix for CVE-2025-7105 added forkIpLimiter and forkUserLimiter rate limiters to … Jun 25, 2026
CVE-2026-54033 HIGH 7.7 LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. Prior to 0.8.4-rc1, LibreChat allows users to configure custom OpenAI-compatible API endpoints by setting … Jun 25, 2026
CVE-2026-54030 HIGH 8.0 LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. Prior to 0.8.5, LibreChat's MCP OAuth implementation does not validate that the resource parameter … Jun 25, 2026
CVE-2026-54029 MEDIUM 5.3 LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. Prior to 0.8.4-rc1, the DELETE /api/messages/:conversationId/:messageId endpoint allows any authenticated user to delete any … Jun 25, 2026
CVE-2026-54027 MEDIUM 6.5 LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. Prior to 0.8.4-rc1, the POST /api/files/images endpoint allows any authenticated user to upload files … Jun 25, 2026
CVE-2026-54025 MEDIUM 5.4 LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. Prior to 0.8.4-rc1, there is a vulnerability in LibreChat's markdown artifact preview pipeline. The … Jun 25, 2026