Loading market data...

CVE Feed

Latest vulnerabilities from the National Vulnerability Database.

21003
Total
1519
Critical
6392
High
6662
Medium
CVE ID Severity Score Description Published
CVE-2026-57281 HIGH 7.5 Jenkins Script Security Plugin 1402.v94c9ce464861 and earlier does not reject Groovy AST transformation annotations carrying an extensions member, allowing attackers able to run sandboxed Groovy … Jun 24, 2026
CVE-2026-57280 HIGH 8.8 Jenkins Script Security Plugin 1402.v94c9ce464861 and earlier does not intercept the implicit type casts applied to the elements of typed for-each loops in sandboxed Groovy … Jun 24, 2026
CVE-2026-42450 UNKNOWN OpenColorIO is a color management framework for visual effects and animation. Prior to version 2.5.2, `FileFormatSpi3D.cpp:163` uses `sscanf` with `%s` into 64-byte stack buffers when … Jun 24, 2026
CVE-2026-35025 HIGH 8.1 ProFTPD through 1.3.9b and 1.3.10rc2 contains an access control bypass vulnerability that allows authenticated FTP users to circumvent Directory ACL restrictions by prefixing paths with … Jun 24, 2026
CVE-2026-29034 UNKNOWN Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. Jun 24, 2026
CVE-2026-12537 UNKNOWN Improper Neutralization used in an OS Command in the container launcher in Google Gemini CLI (versions prior to 0.39.1) and run-gemini-cli GitHub Action (versions prior … Jun 24, 2026
CVE-2026-56761 MEDIUM 4.3 hono before 4.12.14 contains an html injection vulnerability in jsx server-side rendering that allows attackers to inject unintended html by using malformed attribute names. Attackers … Jun 24, 2026
CVE-2026-56370 LOW 3.3 ImageMagick before 7.1.2-19 contains an out-of-bounds access vulnerability in ConnectedComponentsImage() when processing connected-components artifacts with invalid indices. Attackers can trigger access violations by specifying malformed … Jun 24, 2026
CVE-2026-56368 LOW 3.7 ImageMagick before 7.1.2-15 contains a memory leak vulnerability in multiple coders that write raw pixel data where allocated objects are not properly freed. Attackers can … Jun 24, 2026
CVE-2026-56358 MEDIUM 5.4 n8n before 1.123.25 (1.x) and before 2.11.2 (2.x), with the fix also included in 2.12.0, contains a stored cross-site scripting vulnerability in the Form Trigger … Jun 24, 2026
CVE-2026-56351 HIGH 8.2 n8n before version 2.4.0 contains a sql injection vulnerability in MySQL, PostgreSQL, and Microsoft SQL nodes that allows authenticated users to inject arbitrary SQL through … Jun 24, 2026
CVE-2026-56338 MEDIUM 5.3 Capgo before 12.128.2 contains a denial of service vulnerability in the /auth/v1/otp endpoint that prevents email verification for two-factor authentication due to captcha validation failures. … Jun 24, 2026
CVE-2026-56337 MEDIUM 5.3 Capgo before 12.128.2 contains an information disclosure vulnerability in the public.exist_app_v2 RPC function that allows unauthenticated attackers to enumerate app_ids by calling POST /rest/v1/rpc/exist_app_v2 with … Jun 24, 2026
CVE-2026-56310 MEDIUM 4.3 Cap-go before 12.128.2 contains an authorization bypass vulnerability in the GET /organization/members endpoint that allows org-limited API keys to bypass limited_to_orgs restrictions. Attackers with org-limited … Jun 24, 2026
CVE-2026-56302 MEDIUM 6.5 Capgo before 12.128.2 contains an unsecured images bucket lacking any row level security controls, allowing unauthenticated attackers to read, insert, and delete stored app icons. … Jun 24, 2026
CVE-2026-56272 MEDIUM 4.1 Flowise before 3.0.13 uses bcrypt with default salt rounds of 5, providing only 32 iterations instead of the OWASP-recommended minimum of 10 rounds. Attackers can … Jun 24, 2026
CVE-2026-56270 HIGH 7.5 Flowise before 3.1.0 (versions 3.0.13 and earlier) contains a missing authentication vulnerability in the /api/v1/loginmethod endpoint that allows unauthenticated users to retrieve an organization's complete … Jun 24, 2026
CVE-2026-56269 MEDIUM 4.6 Flowise before 3.1.0 (npm package flowise, versions 3.0.13 and earlier) uses a weak hardcoded default value 'Secre$t' for the TOKEN_HASH_SECRET environment variable in packages/server/src/enterprise/utils/tempTokenUtils.ts when … Jun 24, 2026
CVE-2026-56262 MEDIUM 6.5 Crawl4AI before 0.8.7 contains an authentication bypass vulnerability in the monitor router endpoints that allows unauthenticated attackers to access destructive operations. Remote attackers can invoke … Jun 24, 2026
CVE-2026-56257 HIGH 7.1 Capgo before 12.128.2 allows direct patching of public.apps.owner_org through PostgREST, bypassing the transfer_app() workflow and creating split-brain ownership. Attackers can directly update apps.owner_org while leaving … Jun 24, 2026
CVE-2026-56256 HIGH 7.1 Capgo before 12.128.2 enforces mandatory two-factor authentication only at the UI level. Sensitive Organization (ORG) management API endpoints (e.g., editing organization details, inviting users) do … Jun 24, 2026
CVE-2026-56245 HIGH 8.2 Supabase Capgo before 12.128.2 contains an authorization bypass vulnerability in the SECURITY DEFINER record_build_time RPC function that allows unauthenticated attackers to insert arbitrary build-time records. … Jun 24, 2026
CVE-2026-56244 HIGH 7.1 Capgo before 12.128.2 allows non-admin API keys to read webhook signing secrets via Supabase REST due to insufficient row-level security policies on the webhooks table. … Jun 24, 2026
CVE-2026-56237 CRITICAL 9.1 Capgo before 12.128.2 contains a broken authentication vulnerability in its API key generation mechanism. API keys are exposed in frontend requests, and the backend fails … Jun 24, 2026
CVE-2026-56232 HIGH 8.8 Capgo before 12.128.2 fails to enforce limited_to_orgs and limited_to_apps constraints on subkeys provided via x-limited-key-id header in middlewareKey function. Attackers can bypass subkey scope restrictions … Jun 24, 2026