Security
CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
21148
Total
1520
Critical
6441
High
6722
Medium
| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-5818 | UNKNOWN | — | Incorrect check of function return value in Caliptra Core Runtime Firmware (ActivateFirmwareCmd::activate_fw modules) allows bypass of Caliptra Core's verification of the MCU FW during a … | Jun 24, 2026 |
| CVE-2026-56785 | HIGH | 8.2 | FlatPress contains a stored cross-site scripting vulnerability in comment and contact forms where name, URL, and email fields are rendered without proper output encoding in … | Jun 23, 2026 |
| CVE-2026-54588 | CRITICAL | 9.6 | Poweradmin is a web-based DNS administration tool for PowerDNS server. Versions prior to 4.2.4 and 4.3.3 use the attacker-controlled `HTTP_HOST` request header as the authoritative … | Jun 23, 2026 |
| CVE-2026-48493 | MEDIUM | 5.5 | Snipe-IT is an IT asset/license management system. In versions prior to 8.6.0, a user with only users.edit can send a PATCH to /api/v1/users/{their_own_id} and grant … | Jun 23, 2026 |
| CVE-2026-47693 | MEDIUM | 6.9 | Poweradmin is a web-based DNS administration tool for PowerDNS server. Versions prior to 4.2.4 and 4.3.3 are vulnerable to CSV Injection (Formula Injection) in its … | Jun 23, 2026 |
| CVE-2026-12164 | MEDIUM | 4.4 | Fortra File Integrity Monitoring (FIM), formerly Tripwire Enterprise, versions prior to 9.4.0 may assign incorrect or elevated effective permissions to users created by the tetool … | Jun 23, 2026 |
| CVE-2026-12163 | MEDIUM | 5.5 | Fortra File Integrity Monitoring (FIM), formerly Tripwire Enterprise, versions prior to 9.4.0.1 contain a stored cross-site scripting (XSS) vulnerability in the Asset View UI component. … | Jun 23, 2026 |
| CVE-2026-11972 | UNKNOWN | — | When using the "tarfile" module with a file opened in "streaming mode" (mode="r|") the tarfile module did not properly handle EOF, making archive parsing take … | Jun 23, 2026 |
| CVE-2026-54518 | MEDIUM | 6.5 | jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.21.0 until 2.21.4 and 3.1.4, UnwrappedPropertyHandler.processUnwrappedCreatorProperties() replays buffered JSON into creator parameters … | Jun 23, 2026 |
| CVE-2026-9073 | MEDIUM | 6.2 | A flaw was found in foreman-mcp-server. This component utilizes two distinct logging mechanisms that can expose sensitive session and authentication data. One mechanism logs session … | Jun 23, 2026 |
| CVE-2026-56120 | UNKNOWN | — | Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority as it's a duplicate of CVE-2026-56784. | Jun 23, 2026 |
| CVE-2026-54517 | MEDIUM | 5.3 | jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.21.0 until 2.21.4 and 3.1.4, in BeanDeserializer._deserializeUsingPropertyBased, the active-view (@JsonView) filter was … | Jun 23, 2026 |
| CVE-2026-54516 | MEDIUM | 5.3 | jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.21.0 until 2.21.4 and 3.1.4, POJOPropertiesCollector._renameProperties() allows a property with @JsonProperty("renamed") on … | Jun 23, 2026 |
| CVE-2026-54515 | MEDIUM | 5.3 | jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.8.0 until 2.18.9, 2.21.5, and 3.1.4, in BeanDeserializerBase.createContextual(), per-property @JsonIgnoreProperties exclusions are … | Jun 23, 2026 |
| CVE-2026-54514 | MEDIUM | 5.3 | jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.0.0 until 2.18.8, 2.21.4, and 3.1.4, JDKFromStringDeserializer constructed InetSocketAddress with new InetSocketAddress(host, … | Jun 23, 2026 |
| CVE-2026-54513 | HIGH | 8.1 | jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.10.0 until 2.18.8, 2.21.4, and 3.1.4, BasicPolymorphicTypeValidator.Builder.allowIfSubTypeIsArray() allowlists any array type based … | Jun 23, 2026 |
| CVE-2026-54512 | HIGH | 8.1 | jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.10.0 until 2.18.8, 2.21.4, and 3.1.4, jackson-databind's PolymorphicTypeValidator (PTV) is the primary … | Jun 23, 2026 |
| CVE-2026-53931 | UNKNOWN | — | NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, the spreadsheet-import endpoint axiosRequestMake could be used as a generic HTTP proxy. Before the … | Jun 23, 2026 |
| CVE-2026-53930 | UNKNOWN | — | NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, the base-migration endpoint accepted a caller-supplied URL that the migration worker dereferenced without enforcing … | Jun 23, 2026 |
| CVE-2026-53929 | UNKNOWN | — | NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, with NC_SECURE_ATTACHMENTS=true, an authenticated uploader could deliver .html or .svg attachments that the browser … | Jun 23, 2026 |
| CVE-2026-53928 | UNKNOWN | — | NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, a stolen refresh token survived a password-forgot flow and could be used to mint … | Jun 23, 2026 |
| CVE-2026-53927 | UNKNOWN | — | NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, the spreadsheet-fetch endpoint (axiosRequestMake) accepted URLs whose path contained a permitted extension anywhere in … | Jun 23, 2026 |
| CVE-2026-53926 | UNKNOWN | — | NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, revokeAllOAuthTokensByUser in the users service is an empty stub being called from passwordChange, passwordForgot, … | Jun 23, 2026 |
| CVE-2026-50193 | UNKNOWN | — | jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.13.0 until 2.14.0, a potential Denial-of-Service exists when attacker sends deeply nested … | Jun 23, 2026 |
| CVE-2026-47388 | UNKNOWN | — | NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, a low-privilege MCP token holder with knowledge of an attachment path could read any … | Jun 23, 2026 |